Federations round table: Haka federation of Finland
EuroCAMP
Mikael Linden, CSC, the Finnish IT Center for Science
Status of Haka Federation
- Operational since 8/2005
- 23 (of 48) Federation Members with end users (68% of eduPersons; in universities 90%)
- 3 Federation partners: library content providers, ASP service providers
- 13 IdPs operational with end users (51% of eduPersons)
- 20 SPs
- Logins in March 2007
- Federating software: Shibboleth (version: IdPs still running Shibboleth 1.2)
SPs in the federation
- Library services: Nelli portal (Ex libris Metalib); library management system (Endeavor Voyager)
- eLearning: Moodle, A&O, Optima learning management systems
- CSC's services: Funet extranet; Scientist's Interface
- Student administration: application form for becoming a visiting student
- HR administration: competence management system/ASP (Personec hr)
- Other administration: process database for universities
- WLAN roaming (Jyväskylä polytech)
Campus IdM policies in Haka federation
Home organisations must make sure that:
- only fresh attributes are released to SPs: when an end user departs, the accounts must be closed (or the roles updated) no later than in seven days
- initial authentication is face-to-face (or similar), using photo ID issued by the police
- on-line authentication is at least with passwords, no less than 8 characters + other quality checks
Campus IdM policy enforcement in Haka
- Home organisation publishes its IdM practices on the web using a template provided by the federation operator: a self-audit for joining IdPs
- When an IdP is registered to the federation, the federation operator checks the published document to assess whether the minimum requirements are met; if OK, the IdP is added to the federation metadata
- If it turns out that the policy is not followed by a home organisation, there is a procedure for dropping the home organisation from the federation
Privacy and the Data Protection Directive (DPD) in Haka
1. Only SPs related to research and education can be registered to the federation
   - DPD: dependability on the purpose of processing personal data
2. Only attributes relevant for the service are released to an SP
   - when a new SP is registered, the SP admin declares the relevant attributes
   - based on the declaration, the federation operator constructs and distributes Shibboleth Site-ARPs to the IdPs
3. End user's informed consent is a requirement for attribute release
   - to make the consent informed, the end user is provided with a link to the service's privacy policy document
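As an added illustration of point 2 (this is an example written for this page, not an ARP from the Haka federation operator), the Shibboleth 1.x site attribute release policy below releases only the two attributes a hypothetical SP declared as relevant. The SP's providerId is a placeholder; in the 1.x ARP model an attribute is released only if some rule permits it, so every attribute not named here, including any identifier, stays at the IdP.

```xml
<?xml version="1.0" encoding="UTF-8"?>
<!-- Added example Site-ARP for a Shibboleth 1.x IdP (not from the Haka slides).
     The Requester value is a placeholder SP providerId, not a real Haka SP. -->
<AttributeReleasePolicy xmlns="urn:mace:shibboleth:arp:1.0">
  <Description>Release only the attributes the SP declared as relevant</Description>
  <Rule>
    <Target>
      <!-- This rule applies to one SP only; other SPs match no rule and get nothing -->
      <Requester>https://sp.example.org/shibboleth</Requester>
    </Target>
    <!-- Affiliation: permit only the values the SP needs, not every value the user has -->
    <Attribute name="urn:mace:dir:attribute-def:eduPersonAffiliation">
      <Value release="permit">student</Value>
      <Value release="permit">member</Value>
    </Attribute>
    <!-- Scoped affiliation: the SP uses the scope to tell home organisations apart -->
    <Attribute name="urn:mace:dir:attribute-def:eduPersonScopedAffiliation">
      <AnyValue release="permit"/>
    </Attribute>
  </Rule>
</AttributeReleasePolicy>
```

The file is installed as the IdP's site ARP (conventionally arp.site.xml) and applies to every user; a per-user ARP can only narrow it further. Note that the consent step in point 3 is not expressed in the ARP at all: the ARP states what the operator allows the IdP to release, and the consent check still has to be performed by the IdP before the assertion is built.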
Schemas, roles and groups in Haka
- funetEduPerson 2.0 schema incorporates schac
- roles/groups in funetEduPerson:
  - eduPersonAffiliation: a Finnish interpretation of the vocabulary is presented in funetEduPerson
  - funetEduPersonStudentCategory: 10 categories for students (BSc, MSc, doctor, other, open-university, exchange-student, ...)
  - students' target degree, e.g. MSc in Engineering
  - students' educational degree program, e.g. Political history
  - students' specialisation option, e.g. software engineering
  - student status: present/absent
  - student union membership
  - schacHomeOrganizationType: university/polytechnic
Level of assurance for authentication in Haka
- currently one LoA: the minimum requirement is a password; stronger methods "can be used"
- University of Helsinki has had a pilot on PKI/smartcards in a Shibboleth 1.x IdP
- waiting for the Shibboleth/SAML 2.0 authentication context concept: services asking for a certain level of authentication
- candidates for stronger authentication: PKI/smartcards, OTPs provided by the Finnish banks