Kalmar Union lessons: Findings in federation harmonisation REFEDS 7.6.2009 Mikael Linden, CSC.

Presentation transcript:

Kalmar Union lessons: Findings in federation harmonisation REFEDS Mikael Linden, CSC

Kalmar Union: a Nordic confederation
- A confederation formed by sharing SAML2 metadata
- Currently in Kalmar: FEIDE 1 IdP, 7 SPs; SWAMID; Haka 2 IdPs, 2 SPs; WAYF 1 IdP, 3 SPs
- Kalmar talk on Tuesday at TNC – welcome
- This talk summarises the findings

Findings in federation harmonisation
1. Harmonise attributes
  – mandatory attributes
  – semantics of attributes
  – unique identifiers
2. Campus Identity Management requirements
  – The floor for IdM quality on the IdP side
3. Usability and user experience
4. SAML 2.0 profile
5. Federation business models

1.1. Harmonise mandatory attributes
- Must = available for each end user (but not released to every SP)
- The first question from a confederation SP: ”What is the list of attributes whose existence in any federation I can rely on?”
- Table on the slide (columns: Attribute name, WAYF, Haka, FEIDE; a cell reads MUST where that federation requires the attribute): eduPersonPrincipalName, cn, sn, gn, displayName, mail, o, eduPersonAffiliation, eduPersonPrimaryAffiliation, eduPersonTargetedID, schacHomeOrganization, schacHomeOrganizationType, …

1.2. Harmonise attribute semantics
- Too difficult if interpreting the differences is left to the admin of a confederation SP

| eduPersonAffiliation value | The Finnish interpretation (Haka federation) | The British interpretation (UK federation) |
|---|---|---|
| student | Degree student, exchange student, visiting student | Undergraduate or postgraduate student |
| faculty | Academic workers (research and education workers at laboratories) | Teaching staff |
| staff | Non-academic workers (administrational workers) | All staff |
| employee | Person actually employed by the institution (e.g. not a contractor) | Other than staff or faculty (e.g. a contractor) |
| member | All above + students taking qualifying/further education courses | All above |
| affiliate | Others, such as Open University students | Relationship short of full member |
| alum | Graduate | |
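The two slides above (mandatory attributes and attribute semantics) describe what a confederation SP is forced to carry when federations are not harmonised: a per-federation list of attributes it can rely on, and a per-federation reading of eduPersonAffiliation. The following Python is an added example, not code from the presentation or from any Kalmar federation. The MUST lists per federation and the SP-local role names (learner, teacher, researcher, admin) are constructed assumptions; only the Haka/UK reading of student, faculty, staff, employee, member, affiliate and alum follows the slide's table.

```python
"""SP-side attribute harmonisation across federations (added example).

Constructed sample data: the MUST lists per federation and the mapping of
eduPersonAffiliation values to the SP's local roles are assumptions made
for this example, not the real Kalmar, Haka or UK federation tables.
"""

# Attributes each federation requires its IdPs to hold for every user
# (constructed sample; the real per-federation lists differ).
MUST_ATTRIBUTES = {
    "WAYF": {"eduPersonPrincipalName", "cn", "mail", "eduPersonAffiliation",
             "schacHomeOrganization", "eduPersonTargetedID"},
    "Haka": {"eduPersonPrincipalName", "cn", "sn", "givenName", "displayName",
             "mail", "o", "eduPersonAffiliation", "eduPersonPrimaryAffiliation",
             "schacHomeOrganization", "schacHomeOrganizationType"},
    "FEIDE": {"eduPersonPrincipalName", "cn", "sn", "givenName", "mail",
              "eduPersonAffiliation", "eduPersonTargetedID",
              "schacHomeOrganization"},
}

# What eduPersonAffiliation means in each federation, expressed as the SP's
# own local roles (assumed role names: learner, teacher, researcher, admin).
# The rows follow the slide: in Haka "staff" is non-academic workers,
# in the UK federation "staff" is all staff.
AFFILIATION_ROLES = {
    "Haka": {
        "student": {"learner"},
        "faculty": {"teacher", "researcher"},
        "staff": {"admin"},
        "employee": set(),         # employment status, not a job role
        "member": set(),
        "affiliate": {"learner"},  # e.g. Open University students
        "alum": set(),
    },
    "UK": {
        "student": {"learner"},
        "faculty": {"teacher"},
        "staff": {"teacher", "researcher", "admin"},  # "all staff"
        "employee": set(),         # contractors and similar
        "member": set(),
        "affiliate": set(),
    },
}


def reliable_everywhere(must_lists=MUST_ATTRIBUTES):
    """Attributes a confederation SP can rely on from any federation:
    the intersection of the per-federation MUST lists."""
    return set.intersection(*must_lists.values())


def missing_required(federation, attributes, must_lists=MUST_ATTRIBUTES):
    """Return the required attributes absent from an assertion issued by an
    IdP registered in `federation` (sorted for stable output)."""
    required = must_lists[federation]
    return sorted(required - set(attributes))


def local_roles(federation, affiliations):
    """Map the multi-valued eduPersonAffiliation attribute to the SP's local
    roles using the issuing federation's semantics. Unknown values grant
    nothing rather than something."""
    table = AFFILIATION_ROLES[federation]
    roles = set()
    for value in affiliations:
        roles |= table.get(value.lower(), set())
    return roles


if __name__ == "__main__":
    # Constructed assertion from a Haka IdP, missing several Haka MUST attributes.
    assertion = {
        "eduPersonPrincipalName": "user@example.org",
        "cn": "Example User", "sn": "User", "givenName": "Example",
        "mail": "user@example.org", "eduPersonAffiliation": ["staff", "member"],
        "schacHomeOrganization": "example.org",
    }
    print("reliable everywhere:", sorted(reliable_everywhere()))
    print("missing from Haka assertion:", missing_required("Haka", assertion))
    print("Haka staff ->", local_roles("Haka", ["staff", "member"]))
    print("UK staff   ->", local_roles("UK", ["staff", "member"]))
```

The same "staff" value yields an administrative role from a Haka IdP but teaching, research and administrative roles from a UK IdP, which is exactly the per-federation knowledge the slides argue should live in a harmonised confederation policy rather than in every SP.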

1.3. Harmonise unique identifiers
- Currently: eduPersonPrincipalName (ePPN) used almost everywhere
- But: its primary property (uniqueness) is not guaranteed over time
  – Some feds/IdPs reassign ePPN (DK, NO)
  – Some feds never reassign ePPN (SE)
  – The SP admin needs to adapt to the weakest policy
- Or: abandon ePPN, go for SAML2 persistent ID (eduPersonTargetedID, ePTID)
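To make the reassignment problem concrete, here is an added Python example (not code from the presentation) simulating an SP's local account table under the two keying strategies the slide contrasts. The federation flags (DK and NO reassign ePPN, SE never does) are taken from the slide; the names, ePPN values and opaque persistent IDs are constructed, and an unlisted federation is treated as reassigning, which is the "adapt to the weakest policy" rule.

```python
"""Keying SP accounts on eduPersonPrincipalName versus a persistent ID (added example).

Failure mode shown: an IdP that hands a departed user's ePPN to a newcomer makes an
ePPN-keyed SP give the newcomer the old account. A SAML2 persistent NameID
(eduPersonTargetedID) is opaque per IdP/SP pair and not reused, so keying on it
keeps the two people apart. Only the DK/NO/SE policy flags come from the slide;
all identities below are constructed sample data.
"""
from dataclasses import dataclass
from itertools import count


@dataclass(frozen=True)
class Login:
    federation: str   # federation the IdP is registered in
    eppn: str         # eduPersonPrincipalName: human-readable, may be reused
    eptid: str        # persistent NameID / eduPersonTargetedID: opaque, not reused


# Does the federation promise that an ePPN is never reassigned?
# From the slide: DK and NO reassign, SE never does. Anything not listed is
# treated as reassigning, i.e. the SP adapts to the weakest policy.
EPPN_NEVER_REASSIGNED = {"DK": False, "NO": False, "SE": True}


def key_eppn_only(login):
    """Naive SP: trust ePPN as a stable key everywhere."""
    return ("eppn", login.eppn)


def key_weakest_policy(login):
    """Defensive SP: use ePPN only where the federation guarantees it is never
    reassigned, otherwise fall back to the persistent ID."""
    if EPPN_NEVER_REASSIGNED.get(login.federation, False):
        return ("eppn", login.eppn)
    return ("eptid", login.eptid)


class AccountStore:
    """Minimal local account table keyed by whatever `key_fn` derives."""

    def __init__(self, key_fn):
        self.key_fn = key_fn
        self.accounts = {}
        self._ids = count(1)

    def resolve(self, login):
        """Return the local account id for a login, creating one on first sight."""
        key = self.key_fn(login)
        if key not in self.accounts:
            self.accounts[key] = next(self._ids)
        return self.accounts[key]


def reassignment_scenario(key_fn):
    """Alice logs in via a DK IdP, leaves, and the IdP later gives her ePPN to Bob.
    Returns (alice_account, bob_account); equal ids mean Bob inherited Alice's data."""
    store = AccountStore(key_fn)
    alice = Login("DK", "alice@example.org", "eptid-opaque-0001")
    alice_account = store.resolve(alice)
    # Bob is a different person: same ePPN, different persistent ID.
    bob = Login("DK", "alice@example.org", "eptid-opaque-0002")
    bob_account = store.resolve(bob)
    return alice_account, bob_account


if __name__ == "__main__":
    print("ePPN-keyed SP:     ", reassignment_scenario(key_eppn_only))
    print("weakest-policy SP: ", reassignment_scenario(key_weakest_policy))
```

The cost of the defensive choice is visible too: a persistent ID is pairwise and opaque, so the SP loses the readable, cross-SP identifier that ePPN gives it, which is why the slide frames this as a harmonisation decision for the confederation rather than something each SP should solve alone.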

2. Floor for Campus IdM
- In Kalmar, a high requirement for Campus IdM
  – Traditional LoA: initial identity proofing, password quality
  – Quality of attributes
  – Accounts closed for departing users
- Trade-off between
  – What SPs want (e.g. TERENA Grid Certificate project, CLARIN project)
  – What federations want to enforce on their IdPs
- Too difficult if tackling the differences is left to SP admins

3. Usability and user experience
- How to make IdP Discovery easy?
- How to inform the end user about the processing of his/her personal data?

4. Harmonised SAML2 profile
- Until now, most federations have used a single product (e.g. Shibboleth, SimpleSAMLphp)
- For cross-product interoperability, a SAML2 WebSSO profile is needed
- Few profiles exist
  – The IdP/SP Lite of OASIS – still quite complex
  – SAML2Simple
- Good news: it’s not too late to harmonise this

5. Harmonised business models
- Invoicing federation members/partners differs federation by federation, e.g. for external SPs:
  – WAYF (DK) does not invoice anyone
  – Haka (FI) does not invoice library content providers but invoices DreamSpark
- If the model isn’t harmonised in a confederation, every SP joins the cheapest federation and gets the others for free

Summary
- Harmonising federations is a boring job
  – A change to a production distributed system
  – Backwards-incompatible changes?
- Without harmonisation, issues get too difficult for the confederation SP admin
  – S/he is an expert in his/her service
  – S/he is not, and does not want to become, an expert in how foreign federations differ
- If we don’t harmonise them, confederations won’t fly
- High hopes on eduGAIN to work on the issue