SELF SERVICE INTERFACE CODE OF CONNECTION

Transcription

1 SELF SERVICE INTERFACE CODE OF CONNECTION Definitions SSI Administration User Identity Management System Identity Provider Service Policy Enforcement Point (or PEP) SAML Security Patch Smart Card Token Supported Web Browser TLS means for a User a person nominated to create and manage SSI user accounts for User Personnel. means an information system used in the provision of an Identity Provider Service. means a Service that authenticates that an individual user is who they purport to be for the purposes of access control. means a logical place or point in a network at the boundary of two systems at which security policy decisions for access control are enforced to ensure that those two systems are Separated. means Security Assertion Markup Language (an open, published framework for exchanging security authentication and authorisation information between an Identity Provider Service and the Self- Service Interface). means a software change intended to address a particular vulnerability or weakness in the security of a system a USB Token, compliant with the US Federal Personal Identity Verification Interoperable standard means Internet Explorer versions 9, 10 and 11, and a minimum of 2 other browsers as listed, and as updated from time to time, on the DCC Website. means transport layer security. Self Service Interface Code of Connection 1

2 W3C WCAG AA means the World Wide Web Consortium s (W3C) Web Content Accessibility Guidelines (WCAG) for making content accessible. AA is one of three conformance levels. Self Service Interface Code of Connection 2

3 1 SELF-SERVICE INTERFACE CODE OF CONNECTION 1.1 These provisions apply to the DCC and any User seeking to access information described in Section H8.16 of the Code. General Obligations 1.2 The DCC and each User shall inform each other of the contact details of one or more persons working for their respective organisations for the purposes of communications associated with the use of the Self-Service Interface. The following information shall be provided in relation to each such person (and subsequently kept up to date by the Party or the DCC): (d) contact name; contact ; contact telephone number; and contact address. And any other contact details as may be reasonably required by the DCC or the User from time to time. Restrictions on Physical Connections 1.3 Each User shall only access the Self-Service Interface over a DCC Gateway Connection. Connection Mechanisms 1.4 Each User shall secure the connection between their User Personnel s browsers and their Policy Enforcement Point in order to protect against the threat of session hijacking or cookie compromise within their environment. 1.5 The DCC shall provide access to the Self-Service Interface to each User using a Supported Web Browser with a minimum screen resolution of 1280x1024 using a URL as defined in the Self-Service Interface Design Specification. 1.6 The DCC shall provide reasonable notice to Users of changes to the list of Supported Web Browsers. Self Service Interface Code of Connection 3

4 Establishment of Transport Security 1.7 Each User: shall establish a TLS session to secure the transport layer connection to the Self-Service Interface and shall do so in accordance with the Self-Service Interface Design Specification; shall use a DCCKI Infrastructure Certificate to establish the TLS session; and may obtain a DCCKI Infrastructure Certificate in accordance with the DCCKI RAPP. Technical Infrastructure 1.8 The DCC shall ensure that the URL and/or the IP addresses of the Self-Service Interface shall remain constant. 1.9 The DCC shall provide a SAML-capable Identity Provider Service for the purpose of authentication of User Personnel of Users to the Self Service Interface Each User may use an Identity Provider Service that is not the DCC s Identity Provider Service for the purpose of authentication its User Personnel to the Self- Service Interface Each User shall provide details of its authentication arrangements, providing the following information: identity provider <External IDP/ DCC IDP>; and Identity provider - <External IDP URL> and shall inform the DCC if the details change. Use of DCC Identity Provider Service 1.12 Each User using the DCC Identity Provider Service shall follow the processes set out in the DCCKI RAPP to obtain User Personnel Certificates for its User Personnel accessing the Self-Service Interface. Self Service Interface Code of Connection 4

5 1.13 Each User that elects to use the DCC s Identity Provider Service shall permit the DCC to install Private Keys associated with User Personnel Authentication Certificates issued to each User Personnel on the User Personnel s browser key store in accordance with the DCCKI RAPP Each User that elects to use the DCC s Identity Management System shall create, modify or remove accounts for its User Personnel on the Self-Service Interface, save that in the case of accounts for SSI Administration User, the DCC shall create, modify or remove the accounts Each User that elects to use the DCC s Identity Management System shall: follow the processes set out in the DCCKI RAPP to request creation of a SSI Administration User accounts; and be provided by the DCC with Smart Card Tokens for the purpose of authentication of SSI Administration Users to the Self-Service Interface The DCC shall permit the use of Identity Provider products which conform to the Identity Provider requirements according to the Self-Service Interface Design Specification, and shall not endorse the use of any particular Identity Provider product The DCC shall provide an Identity Management system that shall, pursuant to clause 1.23, store secure cookies on each User Personnel s browser(s) to validate login sessions and shall ensure that they do not include storage of information that permits personal identification. Self Service Interface Code of Connection 5

6 Use of an Identity Provider Service that is not the DCC Identity Provider Service 1.18 Each User that elects to use an Identity Provider Service that is not the DCC s Identity Provider Service: shall sign SAML assertion authenticating its User Personnel with a DCCKI Infrastructure Certificate; may obtain a DCCKI Infrastructure Certificate in accordance with the DCCKI RAPP; shall provide mapping of roles within the Identity Management System that the User is using to the roles available within the Self-Service Interface Each User that elects to use an Identity Provider Service that is not the DCC s Identity Provider Service shall ensure that the SAML assertions are applied to authorised access requests prior to establishing a TLS session between its Policy Enforcement Point and the DCC s Policy Enforcement Point Each User shall, where it elects to use an Identity Provider Service that is not the DCC s Identity Provider Service, ensure that the SAML tokens provided by the User shall comply with SAML Standards set out in the Self-Service Interface Design Specification The DCC shall regard, where each User elects to operate its own Identity Provider Service, an authentic signature on the SAML token for a User as confirmation that the User has appropriately performed verification, validation, role assignment and authentication of its User. Interface Usage 1.22 Each User shall only use the Self-Service Interface for interactive human use via a web browser, and shall not use systems to operate the interface by use of automation tools Each User consents to the storage of cookies within its web browsers cookie store by the Self-Service Interface, for the purposes of identification and to assist in server side performance caching. Self Service Interface Code of Connection 6

7 1.24 Each User consents to the recording and storage of details that they make available to the DCC through SAML authentication and request parameters for the purposes of auditing, diagnostics and capacity planning Each User agrees to the recording and storage of requests processed by the Self- Service Interface for the purposes of auditing, diagnostics and capacity planning The DCC shall ensure that the Self-Service Interface complies with the W3C Web Content Accessibility Guidelines at an AA conformance level ( W3C WCAG AA ) The DCC shall log all requests processed by the Self-Service Interface for auditing purposes. Logged information includes data such as the User Personnel s organisation, the User Personnel s username, the URL requested and any inputs provided The DCC shall make reports in accordance with the Self-Service Interface Design Specification, in relation to each User, based on the Self-Service Interface audit logs, available to that User on request, via the Service Desk The DCC shall create and use cookies only in accordance with the Cookie Policy section of the Self-Service Interface Design Specification Prior to first use, each User shall estimate and notify the DCC of their estimated use of the Self-Service Interface and shall notify the DCC of any material changes: (d) Maximum total active User Personnel accounts Maximum number of User Personnel concurrently accessing the Self- Service Interface Average Activity (requests/hour/account) Maximum peak activity (requests/hour/account) The average and maximum peak activity estimates are for an assumed operating period of 8am to 8pm. Self Service Interface Code of Connection 7