10/25/2015 AEB/Yleisesittely
Organising Federated Identity in Finnish Higher Education
TNC2005
Mikael Linden
June 8th, 2005

Outline
Status of the Federation
Organisation of the Federation
Data protection directive and how it is followed in Haka
Quality of institutional identity management

Background
The Finnish higher education
  – 20 universities, 29 polytechnics (all are public institutions)
  – students, employees
CSC, the Finnish IT Center for Science
  – Non-profit company owned by the ministry of education
  – Mission: centralised IT infrastructure for higher education
      – Funet network, high performance computing
CSC and user administration
  – Users and services are in higher education institutions (HEI)
  – Role of CSC: coordinate and support HEIs

Status of the Haka Federation
pilot federation operational 12/2003
  – 5 IdPs, 7 SPs
production level federation 5/2005
  – Federation agreement was drafted last winter
  – First five institutions have signed the federation agreement
  – Federation agreement in English:

Service Providers
Libraries
  – national library portal Nelli (Ex Libris: Metalib)
  – under work: library management system (Endeavour: Voyager)
  – shown interest: content providers (Elsevier)
eLearning
  – learning management systems (Moodle, WebCT, others…)
  – service for applying as a visiting student in another university
National Services
  – under work: Academy of Finland: applying for research funding
  – shown interest: student health service foundation
ASP in the administration of the universities
  – shown interest: Electronic circulation of invoices and travel expense reports

Organisation of a federation
Alternative 1: Federation as a consortium
[Diagram labels: Federation; HEI1 to HEI7; Outsourcing; CSC (operator)]
A federation as a consortium that outsources operations of the AAI to some external organisation(s).

Organisation of a federation
Alternative 2: Federation as a service
[Diagram labels: Federation; HEI1 to HEI8; CSC (operator)]
A federation as a service provided by an operator.
The way chosen by InCommon, SWITCHaai and Haka.

Organisation of the Haka infrastructure is similar to SWITCHaai
[Diagram labels: Federation partners; Operator; Federation members; CSC – scientific computing ltd; Central AAI services; IdP, Service, IdP, Service, IdP, SP; Advisory comm.; Operations comm.]

Data protection directive
Definitions (Article 2)
Personal data: any information relating to an identified or identifiable natural person
  – Personal data: "he is Bob Smith"
  – Not personal data: "he is a medicine student"
Processing of personal data: any operation on personal data, such as collection, storage, retrieval, dissemination etc…
  – for an Identity Provider, release of attributes is processing of personal data…
  – for a Service Provider, collecting attributes can be processing of personal data…

Data protection directive
Requirement 1: Which SPs may join the federation
Article 6: Personal data must be collected for specified, explicit and legitimate purposes and not further processed in a way incompatible with those purposes.
  – Purpose for processing personal data in HEIs: roughly "To support research and education"
  – Release of personal data to a Service Provider shall not be incompatible with the purpose
  – IdPs may release personal data only to SPs who are processing data "to support research and education"
Haka: only Service Providers that are supporting research and education are accepted to the federation

Data protection directive
Requirement 2: What attributes may be released
Article 6: Personal data must be adequate, relevant and not excessive in relation to the purposes for which they are collected and/or further processed.
  – only relevant attributes may be released from IdP to SPs
  – both IdP and SP have to consider what the relevant attributes actually are from the service point of view
Haka: the administrative contact person of the federation member checks a new SP and the relevance of the attributes claimed before CSC adds the SP to the federation metadata. CSC maintains and distributes Site ARPs to IdPs.

Data protection directive
Requirement 3: User consent
Article 7: Personal data may be processed only if
  a) the data subject has unambiguously given his consent; or
  b) processing is necessary for the performance of a contract to which the data subject is party… etc…
Article 11: Where the data have not been obtained from the data subject, … controller or his representative must at the time of undertaking the recording of personal data or if a disclosure to a third party is envisaged, no later than the time when the data are first disclosed provide the data subject with at least the following information...
Haka: Finnish data protection ombudsman:
  – Always ask user consent before first attribute release (Article 7)
  – When you do that, the user will be informed (Article 11)

Institutional identity management as a requirement
Can't do inter-institutional identity management if intra-institutional IdM is not taken care of properly!
  – Many institutions have problems with data quality in the institutional enterprise directory
  – Reason: links between student registry, HR registry and the directory are missing
SPs expect that the attributes released are of high quality
Haka: having up-to-date data in the enterprise directory is a requirement for an IdP joining the federation
  – Self-audit for IdPs joining the federation
  – Based on the self-audit, operator makes the decision