Presentation is loading. Please wait.

Presentation is loading. Please wait.

InAcademia.org Simple affiliation validation for Academia

Published byGeoffrey Morgan Modified over 6 years ago

Similar presentations

Presentation on theme: "InAcademia.org Simple affiliation validation for Academia"— Presentation transcript:

1 InAcademia.org Simple affiliation validation for Academia
Niels van Dijk, SURFnet bv TNC2015, June 16, Porto, Portugal

2 Academic Affiliation and Federations
Many Services (want to) provide benefits or discounts for members of Academia (Student/Employee) And a federated (SAML) login with the (eduPerson)Affiliation attribute can be used to validate membership of the academic community. However: Joining a federation is a big hurtle (policies and contracts) Implementing SAML and doing federation is not easy Interfederation is even harder Upfront cost, but no customers A lot of work, while the service only needs the Affiliation, which is pretty low risk in the data protection spectrum The mechanism for transferring user affiliation within a SAML federation is well understood.

3 Example use cases for Affiliation validation
Discount at web shops One-time discount e.g. at Telco (Geant3+ SA7 mobile procurement) ‘Free’ access to generic cloud service: Microsoft, Apple, Adobe Online reservations for Theatres and Sports accommodations on Student Campuses Validate affiliation on relevant ‘Social’ platforms like e.g. Mendeley, ReseachGate, LinkedIn, etc. Lightweight validation for research services, like e.g. ORCID Although these are provided as examples, real world examples of these exist currently, and SAML federation as we currently operate it did not provide a sufficient solution.

4 InAcademia.org a Simple validation Service
What would make affiliation validation easier? Services get most attributes from user (self asserted) Only affiliation must come from the Home Organisation Query a single, centralised service to confirm affiliation A user ‘proves’ affiliation by authentication with home IdP A simple protocol can be used by the Services Validation service accessible for all IdPs The policy barrier for using should be low Service pays a small transaction fee Contrary to normal federation, the enduser will enter data as is relevant for the transaction, e.g. postal address But affiliation cannot be entered by the user, it must be validated by an authoritative source A centra service will allow Servies to easlily reach many IDPs AuthN at InAcademia Servcie: InAcademia is a SAML SP And an SP in eduGAIN, InAcademia allows all IdPs in eduGAIN, and prefers a simple policy for SPs using the service. A transaction fee model makes upfront cost transparent, and could make InAcademia selfsustained.

5 InAcademia.org Simplified overview
SAML world (eduGAIN) IdP = Identity Providers (Institutional) SP = Service provider Attributes OpenID Connect OP = OpenID Connect OpenID Provider RP = Relying Party Claims InAcademia Flow: Service gets attributes directly from user Service queries a single, centralised service, the “InAcademia Simple validation Service” (SvS) to confirm affiliation A simple, well understood, protocol (OpenID Connect) can be used to query SvS The policy barrier for using SvS is low The user ‘proves’ his/her affiliation at SvS which is under control of the federations / NRENs SvS is connected to eduGAIN Authentication at home IdP delivers requested affiliation (SAML) SvS interprets the affiliation and answers the Service, but SvS never directly delivers attribute value to the requesting Service User gets discount Service pays a small transaction fee

6 OpenID Connect Supported scopes
Description Affiliation Scopes Based on [1], [2] affiliated This person is affiliated to the institution (Student, Employee). Affiliation value is not revealed. employee Institutional workers whose primary role is teaching or research and workers other than teachers or researchers student A student at the institution alum An alumnus at the institution Identifier Scopes (not the SAML persistent ID) persistent A persistent identifier, unique for this person, on a per RP, per IdP basis transient A transient identifier, which is unique for each transaction So we have seen the highlevel setup and information flows. Next I will give you some insight into what information gets transferred. In openidconnect these are called Claims. InAcademia only allows specific claims to be queried by a Service. [1] [2]

7 OpenID Connect Supported claims
Description Claims (Optional) country What is the country of the users home institution? -> Deducted from Country of IdP domain What is the domain name of the institution of the user? -> SchacHomeOrganisation attribute Examples: scope=affiliated scope=affiliated transient scope=affiliated persistent scope=affiliated persistent & claim = country scope=student persistent & claim = country domain

8 SAML SP Attribute requirements Transient profile
Description Status transient SAML nameID We request a transient NameID None transient NameIDs will be ignored Required eduPersonAffiliation urn:oid: The home institution affiliation. Supported values: Student, Employee, Alum Other affiliations are ignored schacHomeOrganization urn:oid: RFC-1035 domain Optional

9 SAML SP Attribute requirements Persistent profile
Description Status persistent SAML NameID A persistent NameID Optional eduPersonAffiliation urn:oid: The home institution affiliation Supported values: Student, Employee, Alum Other affiliations are ignored Required schacHomeOrganization urn:oid: RFC-1035 domain

10 Technical Design Characteristics
Considerations: Should scale globally Should minimize personal data handling Should keep data in EU if possible Features: One service, but nodes are geographically distributed Currently 8 nodes (3x NL, 3x DK, 2x GR) By using GeoDNS, transactions are handed in the same ‘zone’. Two SAML Attribute profiles (persistent & transient) with low attribute requirements OpenID Connect for talking to Services Stateless: not storing personal data of transaction at any time Data logged on local nodes and kept in accordance with local law All eduGAIN IdPs are allowed by default

11 Legal considerations Dealing with personal data:
InAcademia supports eduGAIN Code of Conduct InAcademia requests pseudonymous id and affiliation from IdP InAcademia sends (different) pseudonymous identifier and affiliation confirmation to Service All transactions are atomic: No user data stored, consent always asked, no SSO All consent logging will be stored pseudonymously (SHA512) Transaction data is aggregated immediately InAcademia is a proxy that handles personal data Question is, on behalf of whom?

12 Legal considerations Scenario 1: InAcademia ‘Broker’
InAcademia ‘Broker’ -> InAcademia engages in contracts Even if InAcademia supports eduGAIN, there is no legal ground to process data coming from an Institution Consent from an end user can help here, but must be given freely. That cannot be guaranteed for all services Solution is a (two party) contract between Home Institution and InAcademia. Scales poorly….

13 Legal considerations Scenario 2: InAcademia ‘Gateway’
InAcademia ‘Gateway’ -> InAcademia facilitates transfer Contract between Service and Home Institution – or its representatives: NRENs, Federations, GÉANT, etc Contract should at minimum contain clauses from eduGAIN CoCo InAcademia is now (only) the technical transfer mechanism, handling personal data on behalf of Home Institution Requires good support for connecting services Investigate opt-in vs opt-out for Home Organisations

14 Cost and Benefit “Selling the Crown Jewels”
InAcademia platform is nimble and has all characteristics to scale well If support is routed through NRENs / Federations operational cost is expected to be low Benefit As this service does not directly benefit Institutions, it should be self sustaining A ‘freemium’ pay per use model is proposed where an initially zero transaction fee gradually increases, in relation to both transaction frequency as well as transaction price Support from NRENs/GÉANT is required for a few years to allow InAcademia reach a point where it can sustain itself

15 InAcademia.org Recap For Identity Providers / NRENs
SAML based, connected via eduGAIN Two profiles that have minimal, ‘low risk’ attribute requirements No personal data stored at central service One connection with many Services that are high value to users, but low effort for IdP A pricing model which creates a revenue stream to sustain InAcademia upon success For Services OpenID Connect interface towards Service, no SAML required No need to deal with (inter) federation Simplified Policy, compatible with eduGAIN CoCo The pricing model allows new Services to enter the market easily One connection with many trusted Identity Providers

16 Project and Team Started Sept 1, 2014 (Geant3+ JRA3-T1)
Continued in GN4, SA5 T4 Team Devs: Daniel, Rebecka, Roland (Umeå University) Infra: Leif (SUNET), Niels (SURFnet), Legal: Mikael (CSC), Evelijn (SURFnet) Documentation: Remco, Niels (SURFnet) Project: Niels (SURFnet) with additional support from SA*

17 InAcademia.org Timeline
Beta platform available since Q1 2015 Technically available SUNET/NORDUnet and ~Okeanos (GRNET) Public website: Technically ready for pilots By Q2 2015 Legal & Policy recommendation Bug fixes and testing First client libraries (Python, PHP) available on website GEANT4 (SA5, year 1) Work out operational model (CBA) Setup transaction fee & billing, together with GN4 SA7 Move towards fully operation service

Download ppt "InAcademia.org Simple affiliation validation for Academia"

Similar presentations

Innovation through participation Data Protection Code of Conduct (DP CoC) REFEDS Helsinki 2.10.2013 Mikael Linden, CSC – IT Center for Science

Innovation through participation Data Protection Code of Conduct (DP CoC) REFEDS Helsinki Mikael Linden, CSC – IT Center for Science
Innovation through participation GÉANT Data Protection Code of Conduct (DP CoC) 21.6.2012 FIM for research collaboration workshop Mikael Linden,

Innovation through participation GÉANT Data Protection Code of Conduct (DP CoC) FIM for research collaboration workshop Mikael Linden,
Step-up Authentication as-a Service Pieter van der Meulen Technical Product Manager.

Step-up Authentication as-a Service Pieter van der Meulen Technical Product Manager.
Agenda Project beginnings and funding. Purpose of the federation. Federation members. Federation protocols. Special features in our federation. Pilot.

Agenda Project beginnings and funding. Purpose of the federation. Federation members. Federation protocols. Special features in our federation. Pilot.
Co-ordination & Harmonisation of Advanced e-Infrastructures for Research and Education Data Sharing Research Infrastructures Grant Agreement n. 306819.

Co-ordination & Harmonisation of Advanced e-Infrastructures for Research and Education Data Sharing Research Infrastructures Grant Agreement n
Copyright © The OWASP Foundation Permission is granted to copy, distribute and/or modify this document under the terms of the OWASP License. The OWASP.

Copyright © The OWASP Foundation Permission is granted to copy, distribute and/or modify this document under the terms of the OWASP License. The OWASP.
Innovation through participation Interfederation through eduGAIN - steps and challenges eduGAIN interfederation service 2012-02-27 Federated Identity Systems.

Innovation through participation Interfederation through eduGAIN - steps and challenges eduGAIN interfederation service Federated Identity Systems.
Www.geant.org AARC Overview Licia Florio, David Groep 21 Jan 2015 presented by David Groep, Nikhef.

AARC Overview Licia Florio, David Groep 21 Jan 2015 presented by David Groep, Nikhef.
Chad La Joie Shibboleth’s Future.

Chad La Joie Shibboleth’s Future.
Belnet Federation Belnet – Loriau Nicolas Brussels – 12 th of June 2014.

Belnet Federation Belnet – Loriau Nicolas Brussels – 12 th of June 2014.
Edugate Glenn Wearen HEAnet.. Summary 1 year Pilot Project / 2 years in production All IoT’s, Universities, Colleges, but only half of HEAnet’s members.

Edugate Glenn Wearen HEAnet.. Summary 1 year Pilot Project / 2 years in production All IoT’s, Universities, Colleges, but only half of HEAnet’s members.
Connect. Communicate. Collaborate AAI scenario: How AutoBAHN system will use the eduGAIN federation for Authentication and Authorization Simon Muyal,

Connect. Communicate. Collaborate AAI scenario: How AutoBAHN system will use the eduGAIN federation for Authentication and Authorization Simon Muyal,
Authentication and Authorisation for Research and Collaboration Christos Kanellopoulos GRNET Proposed Pilots for Libraries and eGov.

Authentication and Authorisation for Research and Collaboration Christos Kanellopoulos GRNET Proposed Pilots for Libraries and eGov.
Https://aarc-project.eu Authentication and Authorisation for Research and Collaboration Michał Jankowski, Maciej Brzeźniak AARC General Meeting, Milan.

Authentication and Authorisation for Research and Collaboration Michał Jankowski, Maciej Brzeźniak AARC General Meeting, Milan.
© 2010 Cisco and/or its affiliates. All rights reserved. Cisco Confidential 1 © 2010 Cisco and/or its affiliates. All rights reserved. Cisco Confidential.

© 2010 Cisco and/or its affiliates. All rights reserved. Cisco Confidential 1 © 2010 Cisco and/or its affiliates. All rights reserved. Cisco Confidential.
Connect. Communicate. Collaborate Deploying Authorization Mechanisms for Federated Services in the eduroam architecture (DAMe)* Antonio F. Gómez-Skarmeta.

Connect. Communicate. Collaborate Deploying Authorization Mechanisms for Federated Services in the eduroam architecture (DAMe)* Antonio F. Gómez-Skarmeta.
June 9, 2009 SURFfederatie: implementing a multi- protocol federation Hans Zandbelt & Joost van Dijk, SURFnet.

June 9, 2009 SURFfederatie: implementing a multi- protocol federation Hans Zandbelt & Joost van Dijk, SURFnet.
Networks ∙ Services ∙ People Thomas Bärecke Journée Fédération, Paris Collaboration européenne GÉANT SA5 03/07/2015 SA5 T5 team

Networks ∙ Services ∙ People Thomas Bärecke Journée Fédération, Paris Collaboration européenne GÉANT SA5 03/07/2015 SA5 T5 team
Connect communicate collaborate Trust & Identity EC meets GÉANT 19 June 2014 Brussels Valter Nordh, NORDUnet Federation as a Service Task Leader Trust.

Connect communicate collaborate Trust & Identity EC meets GÉANT 19 June 2014 Brussels Valter Nordh, NORDUnet Federation as a Service Task Leader Trust.
Networks ∙ Services ∙ People www.geant.org Marina Adomeit FIM4R meeting Virtual Organisation Platform as a Service VOPaaS Nov 30, 2015, Austria Task Leader,

Networks ∙ Services ∙ People Marina Adomeit FIM4R meeting Virtual Organisation Platform as a Service VOPaaS Nov 30, 2015, Austria Task Leader,

Similar presentations

Ads by Google