Eduserv Athens Federations David Orrell Eduserv Athens Technical Architect

Federations JISC funded organisations or projects will probably already use Athens (in some form) –have agreed to T&Cs for usage of the Athens service –is current requirement for Athens Athens Federation setup to support the Shib-Athens gateway Connection to the gateway for production use will require strict compliance with the T&Cs –membership of the Athens UK Federation –organisations will be listed in the Athens WAYF and membership lists Organisations wishing to evaluate and test the service may join the Athens Touchstone Federation –can only gain access to test resources through the gateway

Athens Touchstone Federation Purpose: –Primary aim is to provide capability for IdPs and SPs to trial or test the Athens to Shibboleth gateways –To provide Shibboleth test capability in the wider sense (Shib to Shib) –To provide a WAYF service for participating organisations –Freely available to all JISC-supported organisations Member Service Providers –Standard Shib target using I2 reference software –Shibboleth to Athens Gateway (available now) providing access to test Athens resources Member Identity Providers –Standard Shib origin based on AthensIM –Athens to Shibboleth Gateway (available end May) Providing access for Athens enabled accounts

Athens Touchstone Federation Athens to Shibboleth Gateway Test Organisation Shibboleth Origin Based on AthensIM Shibboleth to Athens Gateway Test Athens resources Shibboleth Target(s) Test Athens users Registration Trust Policies WAYF

Athens Federation Production Federation Provides access to real Athens protected resources via the Shib to Athens Gateway Provides access to Shib protected resources for Athens enabled accounts via the Athens to Shib Gateway Strict Terms & Conditions – same as the current Athens service Infrastructure runs on very high availability infrastructure –WAYF –Athens gateways (when launched) Will be linked to Internet2 shortly

Athens Federation Athens to Shibboleth Gateway Shibboleth Origin Shibboleth to Athens Gateway Athens resources Shibboleth Target(s) Athens users Registration Trust Policies WAYF

Pre-requisites Athens Registration –Either as an organisation or a Service Provider Acceptance of the standard Athens Terms & Conditions Username/password policy judged as secure by Eduserv –Registration procedure will include providing information on this policy Meets the Athens Implementation Standards for Identity & Service Providers –Independent assessment carried out by Eduserv Athens support staff

Registration Need to register in order to use gateway: –HS/AA URLs –Handle Assertion signing cert must be securely registered –Choose authorisation policy –Nominate attribute to use as persistent ID –May upload CSR requests to Athens CA Athens requires that AA server cert is signed by a recognised root CA, currently –Thawte Server CA –Verisign Class 3 CA –GlobalSign Root CA –Athens CA

Attributes Athens-specific attributes appear in MACE registered namespace –urn:mace:eduserv.org.uk:athens:… Current set of attribute names are defined and specified for Athens service –Documentation published to SPs AthensIM and Athens to Shib gateway offer attribute mapping capability Additional recommended Attributes for Athens federations under discussion –eduPersonTargetedID –eduPersonEntitlement for authorisation to resource –eduPerson mappings

Multiple Federations The reality is that there will be multiple federations The Athens gateway products can be registered with multiple federations –Subject to suitable Terms & Conditions