The Rise of Federations…Almost Everywhere

Topics Federation Basics Drivers Components International and pulic sector developments InCommon and its uses Next steps for federations Peering, confederation, and similar issues Support for collaboration and virtual organizations Development of other aspects of the attribute ecosystem Libraries and federations in the US Issues and opportunities Next steps

Middleware vision in one slide Build a campus/enterprise core middleware infrastructure that Serves the overall enterprise IT environment, providing business drivers and institutional investment for sustainability and scalability Is designed from the start to support the research and instructional missions Implies consistent approaches and common practices across campuses and internationally Build, plumb, and replumb the tools of research on top of that emergent infrastructure Domain-specific middleware (grids, sensor nets, etc) Common collaboration tools (video, protected wikis, shared calendaring, audioconferencing, etc.)

Federated identity Leveraging enterprise identity management beyond the enterprise Creates general purpose interrealm trust fabrics Standards (SAML) and open source (Shibboleth) well aligned and gaining broad adoption Persistent and broad R&E federations in many countries now

Drivers Campuses want to allow their community to use their local credentials to access external partners in academia, government, businesses, etc. Relying Parties want to use campus authn For economies Not another sso to incorporate into the app Avoid much of the costs of account management For scaling in users Interest is tempered by legal considerations, policy considerations, and unintended disruptive economic consequences

Uses - Content To protect IPR (the JSTOR incident…) To open up markets Popular content – Ruckus, CDigix, etc MS Scholarly content – Google, OCLC WorldCat Scope of IdM may be an issue

Services Student travel, charitable giving, web learning and testing, plagiarism testing service, etc. Allure for alumni services and other internal businesses Student loans, student testing, graduate school admissions, etc. The Teragrid

Government NSF Fastlane Grant Submission Dept of Agriculture Permits Social Security NIH Dept of Ed

Components of Federation Federating Software Federation operator and metadata Participants Policies on identity management Policies on privacy Shared set of attributes, including LOA Legal agreements among participants Management and governance (Peering, economics,…)

International Federations Widespread in Europe (over 15 countries), emergent in Australia, nascent in Asia. The UK federation ( already has over five million active users and intends to grow to all of higher ed, K-12 and further education. Used for academic content access, research support, national level services, etc Clear needs for peering; some need for confederation or dynamic relationships.

Public sector federations cio.com/story.php?id= State-based among health agencies (NY), presenting a SSO to citizens (Washington), etc. GSA EAuthentication NSF, NIH, and the Dept of Ed… State university federations - Texas, California, Maryland, etc InCommon

UTexas Federation Apps Project Tracking (CHA) Monthly Financial Reporting (BUD) TIXX (GOV) UT Plane (ADM) Compliance Training (ADM) Research Projects Tracking (ACA) Academic Affairs Jobs (ACA) Degree Programs (ACA) Grad Registration (ACA) System Administration Wireless (OTIS) Legal Tracking (OGC) Parking Management (APS) Signature Authority (APS) Bid Specification (OFPC) Project Time Reporting (OFPC) Student Couponing (UT Austin) Online Education via Blackboard (UTHSCH) Board of Regents Agenda (BOR) 12/06 Budget Change Request (BUD) 12/06 UTANOP (BUD) 12/06

InCommon US R&E Federation Members join a 501(c)3 Addresses legal, LOA, shared attributes, business proposition, etc issues Approximately 50 members and growing A low percentage of national Shib use…

InCommon Members 2/27/07 Case Western Reserve University Clemson University Cornell University Dartmouth Duke University Florida State University Georgetown University Miami University New York University Ohio University Penn State Stanford University Stony Brook University SUNY Buffalo The Ohio State University The University of Chicago University of Alabama at Birmingham University of California, Irvine University of California, Los Angeles University of California, Merced University of California, Office of the President University of California, Riverside University of California, San Diego University of Maryland University of Maryland Baltimore County University of Maryland, Baltimore University of Rochester University of Southern California University of Virginia University of Washington University of Wisconsin - Madison Cdigix EBSCO Publishing Elsevier ScienceDirect Houston Academy of Medicine - Texas Medical Center Library Internet2 JSTOR Napster, LLC OCLC OhioLink - The Ohio Library & Information Network ProtectNetwork Symplicity Corporation Thomson Learning, Inc. Turnitin WebAssign

Key aspects of InCommon Federating software Shib 1.2+ (other possibilities in the future) Shared attributes and schema eduPerson right now Levels of authentication POP (participant operational practices) InCommon Bronze and Silver will map to LOA 1 & 2 Management Steering committee of members IT executives Operations staffed by Internet2

Shibboleth Shib 1.3 widely deployed; 1.2 still common Along the way, other capabilities added: ADFS compatibility for WS-Fed, (MS $) Eauthentication certification (with waiver form:)) Shib 2.0 completes the SAML+Shib integration More compatible with COTS SAML 2.0 products than they are with each other A Shib/SAML to TCP/IP analogy isn’t bad; Shib adds multi-party federation support through metadata, ARPS, etc. Also eases support for n-tier, non-web and other capabilities Alpha in April

The Shibboleth 2.0 Sidebar Support for the attribute ecosystem attribute handling, including policy, in both SP and IdP designed to be reusable for other protocols (eg CardSpace) sets stage for further work on multiple attribute sources, reputation management, etc. All Java SP (in addition to current Java/Apache), easing integration for some applications Trust management PKI still seems too hard, even at the simpler enterprise level Supports a broad set of trust choices – CA’s, certs, plain keys, managing site metadata (naming, acquisition, validating) A product of years of painful experience

InCommon Management/Governance Steering Committee of campus/vendor CIO’s and policy people – sets policies for membership, business model, etc. Technical advisory committee - Sets common member standards for attributes (eduPerson 2.0), identity management good practices, etc.

InCommon Uses Access control to content Popular content – Ruckus, CDigix, etc Scholarly content – Google, OCLC WorldCat Downloads – Microsoft Access to external services Student travel, charitable giving, web learning and testing, plagiarism testing service, etc. Allure for alumni services and other internal businesses Student loans, student testing, graduate school admissions, etc. Access to national services The National Science Digital Library The Teragrid pilot

Inter-federation key issues Peering, peering, peering At what size of the globe? Confederation, overlapping, leveraged Tightly coupled autonomous federations How do vertical sectors relate? How to relate to a government federation? On what policy issues to peer and how? Legal framework Treaties? Indemnification? Adjudication How to technically implement Wide variety of scale issues WAYF functionality Virtual organization support

Virtual Organizations The big team science efforts, and smaller collaborations across a broad set of disciplines with real resources to be managed seriously Have their own IdM issues Collaboration tools Domain science identity management Today’s solutions are non-existent, insecure or widely despised… Could leverage federated identity for both ease of use and better security

Peering Parameters: LOA Attribute mapping Legal structures Liability Adjudication Metadata VO Support Economics Privacy

VOs plumbed to federations

The Attribute Ecosystem We now understand, we think, an overall “attribute ecosystem” Shibboleth is the real-time transport of attributes from an IdP to an SP for an authorization decision Other, “compile-time” means are used to ship attributes from sources of authority to IdP Or to the SP, or to the various middlemen (portals, proxies, etc.) And a user needs to be manage all of this

Libraries and Shib in the US Not the driver that it is overseas Content acquisition at local versus national levels Poor communication between campus IT management and library management Many universities have Shib in some form of deployment; very few use it for library content access Preference of patron db for authentication and authorization over central directory services Failure of Internet2 to publicize the many hybrid models available (eg IP address on campus, Shib for off campus, with or without SSO)

Libraries and Shib in the US Misunderstandings on Shibboleth and privacy Shibboleth is privacy preserving Institutions and users can change that “Extra step” of authentication Confusion about the relationship of federations and licenses Shibboleth is not worth the work since some form of IP address control will always be needed Too many publishers Additional features not worth the work

The “Stepping Up” Group University of Chicago, Penn State University, UCSD, and the University of Maryland System Library Consortium InCommon-library-services Identity issues in technology, user experience, policy, and practices for access to external licensed resources (Identify opportunities for value-added services that leverage infrastructure) Report back…

First thoughts… Internal SP’s Different policies for walk-ins and remote People not in the institutional db – paid alumni… PKI management in trust Students working as RA’s and proxies for faculty Looking up ARP’s for various SP

Opportunities Integration with repositories NITLE and its offerings… NSDL type collaborations Collaboration tool platforms New joint licensing possibilities