Growth

Interfederation
PKI is globally scalable. Unfortunately, it's not locally deployable…
Federation is locally deployable. Can it scale globally?
Inter-federation: like BGP, only 1000 times harder

Interfederation
Connecting autonomous identity federations
Critical for global scaling, accommodating local federations, integration across vertical sectors
Has technical, financial and policy dimensions
Several operational instances: Kalmar2 Union, eduGAIN, ad hocs (UC Trust, Texas)
Use cases now numerous, across sectors, within sectors
Short-term and long-term approaches
If it's called the Internet, shouldn't we start talking about Interfederated identity?

Interfederation: Short-term/long-term
Long-term is starting to be worked, mostly technically, some ad hoc policy
Short-term has happened and should continue, but should be informed by, and inform, the long-term
Both short-term and long-term need to address the same buckets of issues
Long-term has potentially disruptive service models

Buckets of interfed issues
Both short-term and long-term approaches must address:
Exchange, and massage, of metadata
Policy alignment
Alignment of payloads (attributes)
Operational issues: error handling, incident handling, legal and contractual, etc.

UK Access Federation metadata processing (diagram slide)

Future metadata flows in Interfederation (diagram slide; roles shown: Org, Registrar, Aggregator, Local trust oracle)

Multiple trust contexts in interfederation (diagram slide; roles shown: Org, Registrar, Aggregator, Application auditor, Local trust oracle)

Trust and Metadata
Trusting that the metadata was provided by an authorized entity
  Secure deposit
Trusting that the "organizationally vetted" metadata is correct
  Self-certified
Trusting that the "externally vetted" metadata is true
  Certified apps, e.g. an app listed as R&S is in fact right

Emerging key software and protocols
MDA: metadata aggregator
PEER: metadata registry management software; there may be multiple PEER service instances
MDX: the query protocol(s) to request metadata; results are returned via the normal publishing protocols
Improved discovery services: accountchooser, discojuice, embedded discovery services
End-entity categories: an important new type of metadata, allowing for certified apps and IdPs

Meta-meta-data
Metadata has its own metadata, e.g. who supplied it, when, terms of use, etc.
Meta-meta-data may be contained in the metadata stream, peeled off to help process the other metadata, then reinserted as regular metadata into products
No real discussions yet on normalizing meta-meta-data
Likely little or no need for meta-meta-meta-data, thankfully…
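As an added example (not from the slides), here is a minimal local trust oracle over a constructed SAML metadata aggregate, tying together the three trust questions above and the meta-meta-data slide: it peels off each entity's registration info (the "who supplied it" meta-meta-data, carried here in the standard mdrpi:RegistrationInfo extension), accepts only entities deposited by a registrar the local policy recognises, and keeps an R&S entity-category claim only when that registrar is one the policy trusts to have vetted it. The registrar URLs, entity IDs and policy table are constructed; the XML namespaces and the R&S category URI are the real ones.

```python
import xml.etree.ElementTree as ET

# Real SAML metadata namespaces; mdrpi carries registration info, mdattr carries entity categories.
NS = {"md": "urn:oasis:names:tc:SAML:2.0:metadata", "saml": "urn:oasis:names:tc:SAML:2.0:assertion",
      "mdrpi": "urn:oasis:names:tc:SAML:metadata:rpi", "mdattr": "urn:oasis:names:tc:SAML:metadata:attribute"}
ENTITY_CATEGORY = "http://macedir.org/entity-category"
RS = "http://refeds.org/category/research-and-scholarship"

# Constructed local policy: which registrars we accept deposits from, and which
# externally vetted categories each one is trusted to assert.
LOCAL_POLICY = {
    "https://registrar.fed-a.example": {RS},   # fed A's R&S vetting is trusted here
    "https://registrar.fed-b.example": set(),  # fed B members accepted, their R&S claims dropped
}

# Constructed aggregate (not real federation metadata); its signature is assumed verified upstream.
SAMPLE = f"""<md:EntitiesDescriptor xmlns:md="{NS['md']}" xmlns:mdrpi="{NS['mdrpi']}"
    xmlns:mdattr="{NS['mdattr']}" xmlns:saml="{NS['saml']}">
  <md:EntityDescriptor entityID="https://sp.fed-a.example/shibboleth"><md:Extensions>
    <mdrpi:RegistrationInfo registrationAuthority="https://registrar.fed-a.example"/>
    <mdattr:EntityAttributes><saml:Attribute Name="{ENTITY_CATEGORY}">
      <saml:AttributeValue>{RS}</saml:AttributeValue></saml:Attribute></mdattr:EntityAttributes>
  </md:Extensions></md:EntityDescriptor>
  <md:EntityDescriptor entityID="https://idp.fed-b.example/idp"><md:Extensions>
    <mdrpi:RegistrationInfo registrationAuthority="https://registrar.fed-b.example"/>
    <mdattr:EntityAttributes><saml:Attribute Name="{ENTITY_CATEGORY}">
      <saml:AttributeValue>{RS}</saml:AttributeValue></saml:Attribute></mdattr:EntityAttributes>
  </md:Extensions></md:EntityDescriptor>
  <md:EntityDescriptor entityID="https://sp.nowhere.example/shibboleth"/>
</md:EntitiesDescriptor>"""


def evaluate(aggregate_xml):
    """Return {entityID: (accepted, trusted_categories)} after applying LOCAL_POLICY."""
    result = {}
    for ed in ET.fromstring(aggregate_xml).iter(f"{{{NS['md']}}}EntityDescriptor"):
        eid = ed.get("entityID")
        reg = ed.find("md:Extensions/mdrpi:RegistrationInfo", NS)
        registrar = reg.get("registrationAuthority") if reg is not None else None
        # Secure deposit: nobody we recognise vouched for this entity, so do not load it.
        if registrar not in LOCAL_POLICY:
            result[eid] = (False, set())
            continue
        claimed = {v.text.strip()
                   for a in ed.findall("md:Extensions/mdattr:EntityAttributes/saml:Attribute", NS)
                   if a.get("Name") == ENTITY_CATEGORY
                   for v in a.findall("saml:AttributeValue", NS)}
        # Externally vetted claims survive only if this registrar may assert them.
        result[eid] = (True, claimed & LOCAL_POLICY[registrar])
    return result
```

The third entity has no registration info at all, so the oracle refuses it outright; the fed-b IdP is loaded but its R&S claim is stripped because the local policy does not trust fed-b's app vetting.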

Policy Points in Interfederation
How the federation manages verification of both the organizations and their (perhaps delegated) authorized submitters (the FOP)
How the federation manages verification of the other, richer end-entity attributes it asserts, such as classification of applications (e.g. R&S), recommended attribute release policies, etc.
How the federation operates, in terms of metadata signing approaches, legal status, etc.
Aligning the LOA at basic and higher levels for authentication
Aligning the relationships between IdP and SP when they are not in the same federation
  Direct contracts should govern where applicable
  If the contractual flow is member to fed, and then across interfed to an SP in another…

Interfed policy areas
Federation operations
  Legal status and bona fides
  Operational issues: signing key and metadata protection, incident handling, etc.
Federation to member relationships
  Contractual
  Vetting of members and delegation of metadata
Community standards
  LOA
  End-entities and vetting values
  Attribute bundles
IdP-SP direct relationships
  What issues do they work out directly? If they have a contract? If they don't?

Interfed policy areas: status/need
Federation operations
  Legal status and bona fides: normative format
  Operational issues: REFEDS Ops or ?
Federation to member relationships
  Contractual: normative format + normalization
  Vetting of members and delegation of metadata: normalization
Community standards
  LOA: basic OK; Silver and Bronze need normalization
  End-entities and vetting values: good informal start; registry and best practices
  Attribute bundles: good informal start; registry and best practices
IdP-SP direct relationships: ????
Privacy, consent, etc. handled somewhat by the above

Is there a financial dimension to interfed?
Potential for some federations who charge to lose certain SPs
Seems like a small subset might, but with modest financial impacts
Charging for registration? For publication of metadata? For use of metadata?
Costs of operating the interfed coordination infrastructure: schema, registries, etc.
We shall see, sigh…

Is interfederation getting harder?
Or, as Ian says, do we just understand the problem better?
In the old days, just exchange signing keys
Now: do you understand my metadata? My attribute bundles? My application categories and how I assess apps? My policies?
And do I understand yours?
And with more use cases every day…