InAcademia Simple Validation Service Niels van Dijk

Slides:



Advertisements
Similar presentations
Innovation through participation GÉANT Data Protection Code of Conduct (DP CoC) FIM for research collaboration workshop Mikael Linden,
Advertisements

EduPerson and Federated K-12 Activities InCommon/Quilts Pilot Group February 27, 2014 Keith Hazelton UW-Madison, InCommon/I2.
Step-up Authentication as-a Service Pieter van der Meulen Technical Product Manager.
Identity Management Based on P3P Authors: Oliver Berthold and Marit Kohntopp P3P = Platform for Privacy Preferences Project.
1 Issues in federated identity management Sandy Shaw EDINA IASSIST May 2005, Edinburgh.
Agenda Project beginnings and funding. Purpose of the federation. Federation members. Federation protocols. Special features in our federation. Pilot.
Information Resources and Communications University of California, Office of the President UCTrust Implementation Experiences David Walker, UCOP Albert.
Toward the Clouds, Together ! Collaboration effort of European NRENs in Cloud Computing Branko Radojević, Deputy Director, CARNet/GEANT TF-MSP Budapest,
Co-ordination & Harmonisation of Advanced e-Infrastructures for Research and Education Data Sharing Research Infrastructures Grant Agreement n
Copyright © The OWASP Foundation Permission is granted to copy, distribute and/or modify this document under the terms of the OWASP License. The OWASP.
Innovation through participation Interfederation through eduGAIN - steps and challenges eduGAIN interfederation service Federated Identity Systems.
AARC Overview Licia Florio, David Groep 21 Jan 2015 presented by David Groep, Nikhef.
Internet2 – InCommon and Box Marla Meehl Colorado CIO 11/1/11.
Belnet Federation Belnet – Loriau Nicolas Brussels – 12 th of June 2014.
Edugate Glenn Wearen HEAnet.. Summary 1 year Pilot Project / 2 years in production All IoT’s, Universities, Colleges, but only half of HEAnet’s members.
INTRODUCTION: THE FIRST TRY InCommon eduGAIN Policy and Community Working Group.
Connect. Communicate. Collaborate AAI scenario: How AutoBAHN system will use the eduGAIN federation for Authentication and Authorization Simon Muyal,
Authentication and Authorisation for Research and Collaboration Christos Kanellopoulos GRNET Proposed Pilots for Libraries and eGov.
JRA1.4 Models for implementing Attribute Providers and Token Translation Services Andrea Biancini.
© 2010 Cisco and/or its affiliates. All rights reserved. Cisco Confidential 1 © 2010 Cisco and/or its affiliates. All rights reserved. Cisco Confidential.
Connect. Communicate. Collaborate Deploying Authorization Mechanisms for Federated Services in the eduroam architecture (DAMe)* Antonio F. Gómez-Skarmeta.
June 9, 2009 SURFfederatie: implementing a multi- protocol federation Hans Zandbelt & Joost van Dijk, SURFnet.
Creating a European entity Management Architecture for eGovernment Id GUIDE Keiron Salt
Understanding deployment issues on the Supply Chain Ann Harding, SWITCH, Nicole Harris, TERENA Cambridge July 2014.
Connect communicate collaborate Trust & Identity EC meets GÉANT 19 June 2014 Brussels Valter Nordh, NORDUnet Federation as a Service Task Leader Trust.
b2access.eudat.eu B2ACCESS The simple and secure authorisation and authentication platform of EUDAT This work is licensed under the Creative.
Networks ∙ Services ∙ People Marina Adomeit FIM4R meeting Virtual Organisation Platform as a Service VOPaaS Nov 30, 2015, Austria Task Leader,
Federated Identity Fundamentals Ann Harding, SWITCH Cambridge July 2014.
INTRODUCTION TO IDENTITY FEDERATIONS Heather Flanagan, NSRC.
Workshop on Security for Web Services. Amsterdam, April 2010 Applying SAML to Identity Data Exchange.
Networks ∙ Services ∙ People Marina Adomeit TNC16 Conference, Prague Towards a platform for supporting collaboration GÉANT VOPaaS
How eduGAIN can help education: a real life story Sabita Behari Product Manager TNC14.
Authentication and Authorisation for Research and Collaboration Peter Solagna, Nicolas EGI AAI integration experiences AARC Project.
Networks ∙ Services ∙ People Ann Harding Networkshop 44, Manchester Thinking globally, acting locally Trust and Identity in the GÉANT project.
Authentication and Authorisation for Research and Collaboration Taipei - Taiwan Mechanisms of Interfederation 13th March 2016 Alessandra.
Networks ∙ Services ∙ People Mandeep Saini AARC/CORBEL Workshop Collaborative Organisation Platform as a Service June 1, 2016, Paris Product.
Innovation through participation Data Protection Code of Conduct (DP CoC) TNC2013 conference, 4 June 2013 Mikael Linden, CSC – IT Center for Science
Introduction to AAI Services
GDPR support tool GN4-2 JRA4 T2 Radovan Igliar TF-GDPR, Berlin
Cross-sector and user-centric AAI
Azure Active Directory - Business 2 Consumer
Mechanisms of Interfederation
EGI Updates Check-in Matthew Viljoen – EGI Foundation
Federation made simple
User Community Driven Development in Trust and Identity
InAcademia.org Simple affiliation validation for Academia
eduTEAMS platform for collaboration Niels Van Dijk
eduTEAMS – Current status & Future Plans
Identity Federations - Overview
Future Ideas: Federation and Integration
AAI Alignment Nicolas Liampotis (based on the work of Mikael Linden)
S2 and Contracts Online (COL)
An AAI solution for collaborations at scale
GÉANT project update eduTEAMS - AAI as a Service for Collaborative organisations Introduction Status Pilots New Features – input requested InAcademia –
ESA Single Sign On (SSO) and Federated Identity Management
Microsoft Services Provider License Agreement Program reference card
NextGen Access Control Platform
Update - Security Policies
AARC Blueprint Architecture and Pilots
Office 365 Identity Management
The main cause for that are the famous phishing attacks, in which the attacker directs users to a fake web page identical to another one and steals the.
Matthew Levy Azure AD B2B vs B2C Matthew Levy
Community AAI with Check-In
Example Use Case for Attribute Authorities and Token Translation Services - the case for eduGAIN Andrea Biancini.
Verifying student status with
eIDAS-enabled Student Mobility
What is InAcademia? An affiliation validation service
Check-in Identity and Access Management solution that makes it easy to secure access to services and resources.
Microsoft Virtual Academy
Presentation transcript:

InAcademia Simple Validation Service Niels van Dijk InAcademia lead, GN4-1 SA5 Technical Product Manager, SURFnet Groningen Declaration Network meeting May 18, 2016 – Capetown

Academic Affiliation and Federations Many Services (want to) provide benefits or discounts for members of Academia (Student/Employee) And a federated (SAML) login with the (eduPerson)Affiliation attribute can be used to validate membership of the academic community. However: Joining a federation has several obstacles (policies and contracts) Implementing SAML and doing federation is not easy Interfederation is even harder Upfront cost, but no customers A lot of work, while the service only needs the Affiliation, which is pretty low risk in the data protection spectrum The mechanism for transferring user affiliation within a SAML federation is well understood.

Example use cases for Affiliation validation Discount at web shops One-time discount, e.g., at Telco (GN3plus SA7 mobile procurement) ‘Free’ access to generic cloud service: Microsoft, Apple, Adobe Online reservations for Theatres and Sports accommodations on Student Campuses Validate affiliation on relevant ‘Social’ platforms such as Mendeley, ResearchGate, LinkedIn, etc. Lightweight validation for research services such as ORCID Although these are provided as examples, real world examples of these exist currently, and SAML federation as we currently operate it did not provide a sufficient solution.

InAcademia - a Simple validation Service What would make affiliation validation easier? Services get most attributes from user (self asserted) Only affiliation must come from the Home Organisation Query a single, centralised service to confirm affiliation A user ‘proves’ affiliation by authentication with home IdP A simple protocol can be used by the Services Validation service accessible for all eduGAIN IdPs The policy barrier for using should be low Service pays a small transaction fee Contrary to normal federation, the enduser will enter data as is relevant for the transaction, e.g. postal address But affiliation cannot be entered by the user, it must be validated by an authoritative source A centra service will allow Servies to easlily reach many IDPs AuthN at InAcademia Servcie: InAcademia is a SAML SP And an SP in eduGAIN, InAcademia allows all IdPs in eduGAIN, and prefers a simple policy for SPs using the service. A transaction fee model makes upfront cost transparent, and could make InAcademia selfsustained.

InAcademia - Simplified overview SAML world (eduGAIN) IdP = Identity Providers (Institutional) SP = Service provider Attributes OpenID Connect OP = OpenID Connect OpenID Provider RP = Relying Party Claims InAcademia Flow: Service gets attributes directly from user Service queries a single, centralised service, the “InAcademia Simple validation Service” (SvS) to confirm affiliation A simple, well understood, protocol (OpenID Connect) can be used to query SvS The policy barrier for using SvS is low The user ‘proves’ his/her affiliation at SvS which is under control of the federations / NRENs SvS is connected to eduGAIN Authentication at home IdP delivers requested affiliation (SAML) SvS interprets the affiliation and answers the Service, but SvS never directly delivers attribute value to the requesting Service User gets discount Service pays a small transaction fee

eduGAIN SAML world (eduGAIN) IdP = Identity Providers (Institutional) SP = Service provider Attributes OpenID Connect OP = OpenID Connect OpenID Provider RP = Relying Party Claims InAcademia Flow: Service gets attributes directly from user Service queries a single, centralised service, the “InAcademia Simple validation Service” (SvS) to confirm affiliation A simple, well understood, protocol (OpenID Connect) can be used to query SvS The policy barrier for using SvS is low The user ‘proves’ his/her affiliation at SvS which is under control of the federations / NRENs SvS is connected to eduGAIN Authentication at home IdP delivers requested affiliation (SAML) SvS interprets the affiliation and answers the Service, but SvS never directly delivers attribute value to the requesting Service User gets discount Service pays a small transaction fee

InAcademia - Supported scopes Description Affiliation Scopes Based on [1], [2] affiliated This person is affiliated to the institution (Student, Employee). Affiliation value is not revealed. employee Institutional workers whose primary role is teaching or research and workers other than teachers or researchers student A student at the institution alum An alumnus at the institution Identifier Scopes (not the SAML persistent ID) persistent A persistent identifier, unique for this person, on a per RP, per IdP basis transient A transient identifier, which is unique for each transaction So we have seen the highlevel setup and information flows. Next I will give you some insight into what information gets transferred. In openidconnect these are called Claims. InAcademia only allows specific claims to be queried by a Service. [1] http://www.geant.net/service/eduGAIN/resources/Documents/GN3-11-012%20eduGAIN_attribute_profile-05%2012%202013.pdf [2] http://www.terena.org/activities/refeds/docs/ePSAcomparison_0_13.pdf

InAcademia - Supported claims Description Claims (Optional) country What is the country of the users home institution? -> Deducted from Country of IdP domain What is the domain name of the institution of the user? -> SchacHomeOrganisation attribute Examples: scope=affiliated scope=affiliated transient scope=affiliated persistent scope=affiliated persistent & claim = country scope=student persistent & claim = country domain

InAcademia – Validation flow SAML world (eduGAIN) IdP = Identity Providers (Institutional) SP = Service provider Attributes OpenID Connect OP = OpenID Connect OpenID Provider RP = Relying Party Claims InAcademia Flow: Service gets attributes directly from user Service queries a single, centralised service, the “InAcademia Simple validation Service” (SvS) to confirm affiliation A simple, well understood, protocol (OpenID Connect) can be used to query SvS The policy barrier for using SvS is low The user ‘proves’ his/her affiliation at SvS which is under control of the federations / NRENs SvS is connected to eduGAIN Authentication at home IdP delivers requested affiliation (SAML) SvS interprets the affiliation and answers the Service, but SvS never directly delivers attribute value to the requesting Service User gets discount Service pays a small transaction fee

Legal & Privacy considerations Technical measures for dealing with personal data: InAcademia supports eduGAIN Code of Conduct InAcademia requests pseudonymous id and affiliation from IdP InAcademia sends (different) pseudonymous identifier and affiliation confirmation to Service All transactions are atomic: No user data stored, consent always asked, no SSO All consent logging is stored pseudonymously (SHA512) Transaction data is aggregated immediately Two legal models for InAcademia, in relation to how the contracts are arranged Direct legal responsibility: Broker Just passing data: Gateway

Scenario 1: InAcademia ‘Broker’ InAcademia ‘Broker’: InAcademia engages in contracts with services InAcademia is a Service Provider in the local Federation (via eduGAIN) Even if InAcademia supports eduGAIN, there is no legal ground to process data coming from an Institution Consent from an end user suffices here, but must be given freely. That cannot be guaranteed for all services Solution is a (two party) contract between Home Institution and InAcademia. Scales poorly….

Scenario 2: InAcademia ‘Gateway’ InAcademia ‘Gateway’: InAcademia facilitates data transfer Contract between Service and Home Institution – or its representatives: NRENs, Federations, Procurement Org., GÉANT, etc Contract should at minimum contain clauses from eduGAIN CoCo InAcademia is now (only) the technical transfer mechanism, handling personal data on behalf of Home Institution Requires good support for connecting services Investigate opt-in vs opt-out for Home Organisations

Cost and Benefit: “The numbers game” InAcademia platform is nimble and has all characteristics to scale well If support is routed through NRENs / Federations operational cost is expected to be low Benefit As this service does not directly benefit Institutions, it should be self sustaining A ‘pay per use’ model is proposed where an initially low transaction fee gradually increases, in relation to transaction frequency No or low fees for research services within community Support from NRENs/GÉANT is required for a few years to allow InAcademia reach a point where it can sustain itself

InAcademia - Recap For Identity Providers, Federations and NRENs SAML based, connected via eduGAIN Two profiles that have minimal, ‘low risk’ attribute requirements No personal data stored at service One connection with many Services that are high value to users, but low effort for IdP A pricing model which creates a revenue stream to sustain InAcademia upon success For Services OpenID Connect interface towards Service, no SAML required No need to deal with (inter) federation Simplified Policy, compatible with eduGAIN CoCo The pricing model allows new Services to enter the market easily One connection with many trusted Identity Providers Allows Procurement to collaborate on pan EU scale as it provides a safe, secure and privacy preserving gateway to (potentially) all end users in Academia

Feedback: Privacy Policy Feedback
Do Not Sell My Personal Information
About project: SlidePlayer Terms of Service

© 2025 SlidePlayer.com. Inc. All rights reserved.