
Campus Based Authentication & The Project Presented By: Tim Cameron National Council of Higher Education Loan Programs.

Jan 15, 2016


Jamil Downton
Transcript
Page 1

Campus Based Authentication & The Project

Presented By: Tim Cameron, National Council of Higher Education Loan Programs

Page 2

The Meteor Story

Page 3

What is Meteor?

• Web-based network for aggregated real-time inquiry of financial aid information
• One stop, online web service
• Collaborative effort of the FFELP community
• Freely available software and access to the network
• Customization options are available

Page 4

In the beginning….

Pre-Meteor Environment (1980’s & 1990’s)
• Lenders, Guarantors, Servicers, Schools and others all offered independent web services
• Required multiple logins
• Low level of security:
  • Many required only SSN and DOB to access financial aid award data!

Page 5

In the beginning….

Department of Education Modernization Plans
• Performance Based Organization approved with Higher Education Amendments in 1998
• Modernization Blueprint
  • Released September 30, 1999
  • Second Edition - 2000
  • Third Edition – 2001
  • Fourth Edition – 2002

Page 6

In the beginning….

FFELP Providers Solution
• Spring 2000: CEO meeting sponsored by NCHELP
• Critical decisions:
  • Create an information network to provide aggregated financial aid information.
• Foundation Principles
  • Open Source
  • Open Collaboration
  • Freely Available
  • Controlled Participation Network

Page 7

Increasing Importance for Access to Distributed Databases

Page 8

Legislative Changes

Ensuring Continued Access to Student Loans Act (ECASLA)
• Loan Participation Purchase Program
• Loan Purchase Commitment Program

Page 9

Growth of Split Servicing

• Student used multiple lender/guarantor combos to take advantage of benefits
• Student consolidated while in-school
• Student transferred to a new school
• School switched from FDLP to FFELP or vice versa
• Lender suspended student loan offerings

Page 10

Impact to Borrower

• Payment schedule complications
  • Multiple payment due dates
  • Differing payment amounts
  • Multiple payment methods
  • Potential loss of extended repayment options
• Deferment and forbearance complications
  • Inconsistent deferment documentation standards
  • Inconsistent forbearance period maximums

Page 11

Coping with the Impact

Each of these inconveniences is easily overcome so long as the borrower knows who their lenders/servicers are and how to get in touch with them.

Page 12

Meteor Today

• 14 Points of access to the Network
• 20 Data providers
• School Authentication Agents
• Several custom implementations

Page 13

Meteor Participant Types

Organizations that implement the Meteor software
• Access Providers (AP)
• Authentication Agents (AA)
• Data Providers (DP)
• Index Providers (IP)

Page 14

The Meteor Process

[Diagram. Labels: Users (Student/Borrower, or Financial Aid Professional, or Access Provider Representative, or Lender); Federated Authentication Process; Access Provider; Index Provider; Data Providers; steps One, Two, Three.]

Page 15

The Meteor Registry

• Each participant is required to register, sign a participation agreement, and submit policies and procedures surrounding their authentication process.
• The Meteor Team Leads review the policies and procedures and assign a Level of Assurance
• Meteor uses a centralized LDAP server to contain:
  • Public keys of all participants
  • Network status information (active, pending, suspended)
  • Contact Information

Page 16

Meteor Authentication Objectives & Process

Page 17

Meteor’s Authentication Objectives

• Provide a flexible, easy to implement authentication system.
• Ensure compliance with the Gramm-Leach-Bliley Act (GLBA), federal guidelines, and applicable state privacy laws.
• Assure data owners that only appropriately authenticated end users have access to data.
• Ensure compliance with participant organizations’ internal security and privacy guidelines.

Page 18

The Meteor Authentication Model

• Each Access Provider uses their existing authentication model (single sign-on)
• Meteor levels of assurance are assigned at registration
• Meteor Level 3 complies with the NIST Level 2

Page 19

Meteor’s Authentication Requirements

• User is required to provide an ID and a shared secret.
• Assignment and delivery of shared secret must be secure.
• Assignment of shared secret is based on validated information.
• Reasonable assurances that the storage of the IDs and shared secrets is secure.

Page 20

Meteor’s Authentication Requirements

• Access provider must ensure appropriate authentication for each end user and provide traceability back to that user
• Access provider must provide authentication policy to central authority
• Access provider must provide central authority with 30 day advance notice of changes to authentication policy
• Access provider must agree to appropriate use of data

Page 21

The Meteor Authentication Process

• End user authenticates at access provider site or through a Meteor approved third party Authentication Agent
• Access provider creates authentication assertion (SAML)
• Access provider signs authentication assertion with digital certificate

Page 22

SAML Assertion Attributes

• Role of end user
• Social Security Number
• Authentication Process ID
• Level of Assurance
• Opaque ID
• Organization ID and Type
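
The checks a data provider could apply to an incoming assertion, using the registry contents and assertion attributes listed on the slides above. This is an added example, not Meteor project code: a JSON dictionary stands in for the SAML XML, textbook RSA with a constructed toy key stands in for the certificate-based signature, and the participant IDs, attribute names and the `min_loa` policy are assumptions.

```python
import hashlib
import json

# Constructed toy key: textbook RSA over two Mersenne primes, illustration only.
P, Q, E = 2**61 - 1, 2**89 - 1, 65537
N = P * Q
D = pow(E, -1, (P - 1) * (Q - 1))  # private exponent, held by the access provider

# Hypothetical registry entries: public key and network status per participant.
REGISTRY = {
    "ap-example": {"status": "active", "public_key": (N, E)},
    "ap-suspended": {"status": "suspended", "public_key": (N, E)},
}
# Hypothetical names for the assertion attributes listed on the slide.
REQUIRED = {"role", "ssn", "auth_process_id", "level_of_assurance",
            "opaque_id", "organization_id", "organization_type"}
SAMPLE = {"role": "student", "ssn": "000-00-0000", "auth_process_id": "proc-1",
          "level_of_assurance": 3, "opaque_id": "u-7f3a",
          "organization_id": "org-42", "organization_type": "school"}  # constructed

def digest(body, n):
    """Hash a canonical serialization of issuer and attributes, reduced mod n."""
    canonical = json.dumps(body, sort_keys=True, separators=(",", ":")).encode()
    return int.from_bytes(hashlib.sha256(canonical).digest(), "big") % n

def sign(issuer, attrs):
    """Access provider side: build the assertion and sign it."""
    body = {"issuer": issuer, "attributes": attrs}
    return {**body, "signature": pow(digest(body, N), D, N)}

def verify(assertion, min_loa):
    """Data provider side: return 'ok' or the reason the assertion is rejected."""
    entry = REGISTRY.get(assertion.get("issuer"))
    if entry is None:
        return "unknown issuer"
    if entry["status"] != "active":
        return "issuer not active"
    n, e = entry["public_key"]
    attrs = assertion.get("attributes", {})
    body = {"issuer": assertion["issuer"], "attributes": attrs}
    if pow(assertion.get("signature", 0), e, n) != digest(body, n):
        return "bad signature"
    if REQUIRED - set(attrs):
        return "missing attributes"
    if attrs["level_of_assurance"] < min_loa:
        return "level of assurance too low"
    return "ok"
```

The order of checks matters: registry status and signature are evaluated before any attribute is trusted, so a suspended or unknown participant is rejected regardless of what the assertion claims.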

Page 23

Meteor and the National Student Clearinghouse: Campus Based Authentication

Page 24

Campus Based Authentication

• Schools that have entered into an electronic services agreement with the Clearinghouse will act as Authentication Agents.
• Students’ campus-issued credentials will be utilized to access Meteor and other Clearinghouse services via Student Self-Service Web site

Page 25

The National Student Clearinghouse Student Self-Service

• Meteor is integrated into the Clearinghouse’s Student Self-Service Application
• For schools that wish to provide students with Meteor access, Meteor loan detail is incorporated into the LoanLocator display

Page 31

What’s Next?

Page 32

Online Award Letter Pilot

• Will serve as a debt management tool
  • Borrowing history presented BEFORE a new award is accepted
• Ensures that borrower is aware of the potential impact of increasing his aggregate loan(s) amount
  • Total current outstanding
  • New total outstanding with the addition of the new loan
  • Repayment scenarios based on aggregates

Page 33

For More Information….

• Interactive Web Site Launched: www.MeteorNetwork.org
  • Audio presentation
  • Interactive demonstration version of the software
  • Link to the Meteor project site
• Project Documentation: www.NCHELP.org/Meteor.htm
  • Implementation Information
  • Current Provider List
  • User Guide and other documentation

Page 34

Contact Information

Tim Cameron
NCHELP
Meteor Project Manager
[email protected]