Releasing Attributes for Science!

Presentation transcript:

Releasing Attributes for Science! Why does this seem so difficult?
Lukas Hämmerle / SWITCH, Task Leader eduGAIN Service Development, eResearch and Service Providers
NORDUnet 2016 Conference, Helsinki, 20 September 2016

eduGAIN's Problems over Time (2011 to 2016)
- Insufficient Federation Coverage: solved. 38 of 44 production federations are fully connected to eduGAIN; new federations start directly in eduGAIN!
- Insufficient IdP Coverage: almost solved. More than 50% of all IdPs of production federations worldwide are in eduGAIN; the move from opt-in to opt-out helped a lot!
- Insufficient Attribute Release: to be solved ... with help from some of you.
- Insufficient FIM know-how, Level of Assurance, ...

Why is the attribute release topic important?
- In 2012 only a few services (<100) were in eduGAIN (chicken-and-egg problem).
- From 2013 to 2016, the Enabling Users task worked with many small and large research communities to bring their services into eduGAIN ➔ more SPs in eduGAIN.
- However, research communities are often frustrated because their services don't get the attributes of their users!

Is it easier to prove that gravitational waves exist than to get attributes?
« Now can LIGO have some attributes please? »
-- Scott Koranda, lead architect for LIGO Identity and Access Management, 12.2.2016 (just after the discovery of gravitational waves)

Why is it (apparently) hard for some IdPs to release even non-personal information to services used by researchers?
« For the record, we would love to use affiliation attribute(s) if they were released by a reasonable number of IdPs which is not the case! »
-- Jozef Misutka, CLARIN Project, 16.3.2015
Affiliation values ("staff", "student", "faculty", "affiliate", ...) are non-personal, quite generic information!?

(Alleged) No. 1 cause of the attribute release issue:
« ... because of data protection / legal compliance / our data protection officer! »
Really?

Is the Data Protection argument just a flimsy excuse?
« I'm still to see any evidence that legal compliance is actually the issue, rather than a convenient excuse to cover some other barrier. "becos Data Protection" has a very long history of being (ab)used in that way »
-- Andrew Cormack, Chief Regulatory Adviser, Janet, 30.6.2016

Are we making too much fuss about attribute release?
- Is federated login (and attribute release) so different from a user sending an email via his university mail server to a research service where he needs to get access?
- If you have an opinion on this: read more and contribute at https://docs.google.com/document/d/1xkB3NY8MFY91g-LV8BtoX5HZBl9BZgrH_3-Nxj9sR04/edit
- And how about the public phone books that some universities have for their staff/researchers? Are these OK? Was consent obtained from staff?

Some "Hackarounds": What can SP Admins do to mitigate the attribute release issue?

Mitigation Strategy for SPs: Live with it and inform the IdP admin
- Show a nice error message and inform the user's IdP. Instructions (for Shibboleth) and screencast: https://wiki.edugain.org/How_to_configure_Shibboleth_SP_attribute_checker
- Still better than "Access Denied".
- Also allows tracking (across several SPs) of IdPs that don't release attributes. Example: CLARIN's LINDAT service https://lindat.mff.cuni.cz/services/aaggreg/
➔ SPs have better things to do than convince their users' IdPs (in foreign countries) to release attributes to their service...
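The "nice error message" hackaround above, as an added example that is not from the slides: a shibboleth2.xml fragment for a Shibboleth SP 2.5 or later that runs the AttributeChecker handler on every new session and shows the attrChecker.html template when the listed attributes were not released. The entityID is a placeholder, and the attribute ids "eppn" and "mail" (from attribute-map.xml) are assumed to be what this SP needs.

```xml
<!-- Added example, not from the slides: shibboleth2.xml fragment for a Shibboleth SP 2.5+.
     sessionHook makes the SP call the AttributeChecker handler right after a session is
     created; if a listed attribute is missing the user sees attrChecker.html instead of a
     bare "Access Denied" from the application. -->
<ApplicationDefaults entityID="https://sp.example.org/shibboleth"
        REMOTE_USER="eppn"
        sessionHook="/Shibboleth.sso/AttrChecker">

    <Sessions lifetime="28800" timeout="3600" checkAddress="false"
              handlerSSL="true" cookieProps="https">
        <!-- ... SSO, Logout and other handlers unchanged ... -->

        <!-- attributes: ids from attribute-map.xml this SP cannot work without (assumed).
             flushSession="true" drops the incomplete session so the user is not left
             logged in to a service that cannot serve him. -->
        <Handler type="AttributeChecker" Location="/AttrChecker"
                 template="attrChecker.html"
                 attributes="eppn mail"
                 flushSession="true"/>
    </Sessions>
</ApplicationDefaults>
```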

Mitigation Strategy for SPs: Join all federations
- Join all relevant national federations, because attribute release works better if your SP is in the local federation than if it is only reachable via eduGAIN.
- Does not scale. Example: "CLARIN SP Federation", publishers
➔ Unnecessary overhead on all sides for paperwork, metadata registration, metadata updates, policy compliance, ...

Does every large research community have to join all federations worldwide to get some attributes?
« We need 100% IdP coverage per country. We cannot negotiate with 1'000 IdPs individually! We need a fully working solution. Today. »
-- Dieter Van Uytvanck, CLARIN Project, 11.2.2014

Mitigation Strategy for SPs: Don't use eduGAIN
- Research communities start their own silo (own user management); especially large projects can afford this.
- Rely on Google/Facebook Connect/...: LIGO started allowing users with an eduGAIN account to use social identities.
- Ask the user to provide information about himself (directly or via one of the above).
➔ Do we want researchers to rather use services from commercial companies that care much less about data privacy?

Why do federation at all?
« If federation is not about trustworthy attributes (and/or identity), i.e., if self-asserted data is actually good enough for SPs, why bother with federation? »
-- Peter Schober, ACOnet Identity Federation, 30.6.2016
Self-asserted data = asking the user to fill in a form with data that he provides himself...!?

It's not the SP's problem to solve attribute release!
What can Federation Operators do to solve the Attribute Release problem?

Different Federation Architecture = Different Challenge
- Full-mesh federations (80% of federations): technical and policy challenges
- Hub & Spoke federations (20% of federations): only a policy challenge (the hub always gets a superset of the attributes)

What are the Release Options? An IdP releases ...
- ... a fixed set of attributes to every SP (very tolerant and potentially legally dangerous)
- ... only the attributes that the SP requests
- ... attributes based on ECs (CoCo/R&S, recommended good middle way!)
- ... only if the federation operator approved the attribute release
- ... only if the IdP approves (each) SP
- ... nothing unless there is a bilateral contractual agreement (very restrictive and user unfriendly)

Entity Categories: Scalable and Convenient Method for Attribute Release
- Easy to create attribute release rules with Entity Categories (EC): allow releasing attributes to services that meet the EC's requirements
- SPs are flagged in SAML2 metadata
- Provide trust (and a warm fuzzy feeling)
- 2 international ECs in use: REFEDS Research & Scholarship (R&S), GÉANT Data Protection Code of Conduct (CoCo)
➔ R&S/CoCo are an efficient way to solve the attribute release issue!

Entity Category Adoption in eduGAIN Over Time
- Very slow adoption; R&S a bit faster
- Current stats: https://wiki.refeds.org/display/ENT/Entity+Category+Usage

Federation R&S and CoCo Europe-wide Adoption in eduGAIN
Stats from 9.9.2016: 38 federations, 2176 IdPs
- Federations supporting CoCo: 15 (42%)
- Federations supporting R&S: 16 (42%)
- IdPs supporting CoCo: 91 (4.1%)
- IdPs supporting R&S: 130 (6.0%)
Map legend: No EC support / R&S support / CoCo support / CoCo+R&S support

Federation R&S and CoCo Worldwide Adoption in eduGAIN
Map legend: No EC support / R&S support / CoCo support / CoCo+R&S support

Important Factor for Attribute Release: User Consent!
- Increases transparency (and thus trust) for the user!
- e-Learning admins don't like user consent: "makes (first) login too complicated"
- (Academic) discussions: informed consent vs. free consent
- Allowing the user to decide on optional attributes has its own risks; therefore rather use all-or-nothing consent.
➔ Recommendation: use and advocate user consent. A "small" annoyance for data privacy pragmatists/the unconcerned (= the huge majority of users) but sufficient to please data privacy fanatics.

So why are there still federations with attribute release issues?
Some IdPs are, but probably some federation operators also have yet to do their homework.

What is there to fear from releasing attributes if the user wants to access a research/education service?
- 11 years of production SWITCHaai operation and 9 years of participation in the GÉANT project (building eduGAIN): no cases known to me where an organisation was sued for releasing attributes in a federation/eduGAIN!
- ... but I know of many problems and complaints regarding attribute release in the context of eduGAIN!
➔ Who could sue anyway, and over which "damage"? Staff members? Students? Even if user consent was in place?

Mitigation Strategy for non-green Federation Operators: Start doing your job!
- Support R&S- and CoCo-based attribute release for your IdPs. Need help? Use the AARC Attribute Release Training material.
- Introduce mechanisms/documentation that allow IdP admins to easily configure attribute release, and set reasonable (not too restrictive) defaults!
- Invite your IdPs to take an attribute release test (links at the end of the slide set).

Recommendations
- As a Hub & Spoke federation:
  - Implement user consent (WAYF.dk did a good job there)
  - Tear down unnecessary policy walls that hinder scalable attribute release!
- As a Full Mesh federation:
  - Provide recommendations/guides to implement user consent at the IdP; Shibboleth 3 as well as SSP (SimpleSAMLphp) have built-in support for attribute release consent
  - Provide documentation and training (i.e. AARC material) on attribute release
  - Motivate IdPs to support R&S/CoCo-based attribute release
- Don't be a chicken! Most users want login to just work. User consent is there to please the (very) few privacy fundamentalists.

... and now there certainly are some comments

Experience with R&S and CoCo support in SWITCHaai
- No attribute release issues in SWITCHaai (even before CoCo and R&S) thanks to a pragmatic approach:
  - Attribute release as easy as possible for IdPs (web interface in the federation registry)
  - Reasonable defaults that can be changed at any time by IdP admins
  - It just works (provided SPs properly declare which attributes they need)
- SWITCHaai introduced R&S- and CoCo-based attribute release support in 2014. The initial default for eduGAIN SPs was to release the minimum R&S set and all required CoCo attributes.
- Since August 2016 the default is to release the full R&S set. IdP admins can change the default via web at any time. None did. No complaints. Attributes just flow.

Future and Outlook
Looking through the crystal ball:
- The attribute issue will vanish in the next 2 years ... must vanish ... otherwise eduGAIN will vanish.
- Is this a risk? Yes, but other technologies (OpenID Connect) would probably suffer from the same problem, unless maybe user consent and attribute release are so conveniently built in and easy to use.

Attribute Release Tests
- CLARIN: https://lindat.mff.cuni.cz/services/aaggreg/
- CERN: https://sso-check.cern.ch/
- SWITCH (not suitable for all federations): https://aai-viewer.switch.ch/interfederation-test/
- Official eduGAIN Attribute Release Check (Q4 2016)

Preview of eduGAIN Attribute Release Check:

Preview of eduGAIN Attribute Release Check: All results will be public! Every user can take the test!

CERN Attribute Release Check

CLARIN LINDAT Attribute Release Check: