Presentation is loading. Please wait.

Presentation is loading. Please wait.

InAcademia Simple Validation Service Niels van Dijk

Published byAustin Campbell Modified over 6 years ago

Similar presentations

Presentation on theme: "InAcademia Simple Validation Service Niels van Dijk"— Presentation transcript:

1 InAcademia Simple Validation Service Niels van Dijk
InAcademia lead, GN4-1 SA5 Technical Product Manager, SURFnet Groningen Declaration Network meeting May 18, 2016 – Capetown

2 Academic Affiliation and Federations
Many Services (want to) provide benefits or discounts for members of Academia (Student/Employee) And a federated (SAML) login with the (eduPerson)Affiliation attribute can be used to validate membership of the academic community. However: Joining a federation has several obstacles (policies and contracts) Implementing SAML and doing federation is not easy Interfederation is even harder Upfront cost, but no customers A lot of work, while the service only needs the Affiliation, which is pretty low risk in the data protection spectrum The mechanism for transferring user affiliation within a SAML federation is well understood.

3 Example use cases for Affiliation validation
Discount at web shops One-time discount, e.g., at Telco (GN3plus SA7 mobile procurement) ‘Free’ access to generic cloud service: Microsoft, Apple, Adobe Online reservations for Theatres and Sports accommodations on Student Campuses Validate affiliation on relevant ‘Social’ platforms such as Mendeley, ResearchGate, LinkedIn, etc. Lightweight validation for research services such as ORCID Although these are provided as examples, real world examples of these exist currently, and SAML federation as we currently operate it did not provide a sufficient solution.

4 InAcademia - a Simple validation Service
What would make affiliation validation easier? Services get most attributes from user (self asserted) Only affiliation must come from the Home Organisation Query a single, centralised service to confirm affiliation A user ‘proves’ affiliation by authentication with home IdP A simple protocol can be used by the Services Validation service accessible for all eduGAIN IdPs The policy barrier for using should be low Service pays a small transaction fee Contrary to normal federation, the enduser will enter data as is relevant for the transaction, e.g. postal address But affiliation cannot be entered by the user, it must be validated by an authoritative source A centra service will allow Servies to easlily reach many IDPs AuthN at InAcademia Servcie: InAcademia is a SAML SP And an SP in eduGAIN, InAcademia allows all IdPs in eduGAIN, and prefers a simple policy for SPs using the service. A transaction fee model makes upfront cost transparent, and could make InAcademia selfsustained.

5 InAcademia - Simplified overview
SAML world (eduGAIN) IdP = Identity Providers (Institutional) SP = Service provider Attributes OpenID Connect OP = OpenID Connect OpenID Provider RP = Relying Party Claims InAcademia Flow: Service gets attributes directly from user Service queries a single, centralised service, the “InAcademia Simple validation Service” (SvS) to confirm affiliation A simple, well understood, protocol (OpenID Connect) can be used to query SvS The policy barrier for using SvS is low The user ‘proves’ his/her affiliation at SvS which is under control of the federations / NRENs SvS is connected to eduGAIN Authentication at home IdP delivers requested affiliation (SAML) SvS interprets the affiliation and answers the Service, but SvS never directly delivers attribute value to the requesting Service User gets discount Service pays a small transaction fee

6 eduGAIN SAML world (eduGAIN) IdP = Identity Providers (Institutional)
SP = Service provider Attributes OpenID Connect OP = OpenID Connect OpenID Provider RP = Relying Party Claims InAcademia Flow: Service gets attributes directly from user Service queries a single, centralised service, the “InAcademia Simple validation Service” (SvS) to confirm affiliation A simple, well understood, protocol (OpenID Connect) can be used to query SvS The policy barrier for using SvS is low The user ‘proves’ his/her affiliation at SvS which is under control of the federations / NRENs SvS is connected to eduGAIN Authentication at home IdP delivers requested affiliation (SAML) SvS interprets the affiliation and answers the Service, but SvS never directly delivers attribute value to the requesting Service User gets discount Service pays a small transaction fee

7 InAcademia - Supported scopes
Description Affiliation Scopes Based on [1], [2] affiliated This person is affiliated to the institution (Student, Employee). Affiliation value is not revealed. employee Institutional workers whose primary role is teaching or research and workers other than teachers or researchers student A student at the institution alum An alumnus at the institution Identifier Scopes (not the SAML persistent ID) persistent A persistent identifier, unique for this person, on a per RP, per IdP basis transient A transient identifier, which is unique for each transaction So we have seen the highlevel setup and information flows. Next I will give you some insight into what information gets transferred. In openidconnect these are called Claims. InAcademia only allows specific claims to be queried by a Service. [1] [2]

8 InAcademia - Supported claims
Description Claims (Optional) country What is the country of the users home institution? -> Deducted from Country of IdP domain What is the domain name of the institution of the user? -> SchacHomeOrganisation attribute Examples: scope=affiliated scope=affiliated transient scope=affiliated persistent scope=affiliated persistent & claim = country scope=student persistent & claim = country domain

9 InAcademia – Validation flow
SAML world (eduGAIN) IdP = Identity Providers (Institutional) SP = Service provider Attributes OpenID Connect OP = OpenID Connect OpenID Provider RP = Relying Party Claims InAcademia Flow: Service gets attributes directly from user Service queries a single, centralised service, the “InAcademia Simple validation Service” (SvS) to confirm affiliation A simple, well understood, protocol (OpenID Connect) can be used to query SvS The policy barrier for using SvS is low The user ‘proves’ his/her affiliation at SvS which is under control of the federations / NRENs SvS is connected to eduGAIN Authentication at home IdP delivers requested affiliation (SAML) SvS interprets the affiliation and answers the Service, but SvS never directly delivers attribute value to the requesting Service User gets discount Service pays a small transaction fee

10 Legal & Privacy considerations
Technical measures for dealing with personal data: InAcademia supports eduGAIN Code of Conduct InAcademia requests pseudonymous id and affiliation from IdP InAcademia sends (different) pseudonymous identifier and affiliation confirmation to Service All transactions are atomic: No user data stored, consent always asked, no SSO All consent logging is stored pseudonymously (SHA512) Transaction data is aggregated immediately Two legal models for InAcademia, in relation to how the contracts are arranged Direct legal responsibility: Broker Just passing data: Gateway

11 Scenario 1: InAcademia ‘Broker’
InAcademia ‘Broker’: InAcademia engages in contracts with services InAcademia is a Service Provider in the local Federation (via eduGAIN) Even if InAcademia supports eduGAIN, there is no legal ground to process data coming from an Institution Consent from an end user suffices here, but must be given freely. That cannot be guaranteed for all services Solution is a (two party) contract between Home Institution and InAcademia. Scales poorly….

12 Scenario 2: InAcademia ‘Gateway’
InAcademia ‘Gateway’: InAcademia facilitates data transfer Contract between Service and Home Institution – or its representatives: NRENs, Federations, Procurement Org., GÉANT, etc Contract should at minimum contain clauses from eduGAIN CoCo InAcademia is now (only) the technical transfer mechanism, handling personal data on behalf of Home Institution Requires good support for connecting services Investigate opt-in vs opt-out for Home Organisations

13 Cost and Benefit: “The numbers game”
InAcademia platform is nimble and has all characteristics to scale well If support is routed through NRENs / Federations operational cost is expected to be low Benefit As this service does not directly benefit Institutions, it should be self sustaining A ‘pay per use’ model is proposed where an initially low transaction fee gradually increases, in relation to transaction frequency No or low fees for research services within community Support from NRENs/GÉANT is required for a few years to allow InAcademia reach a point where it can sustain itself

14 InAcademia - Recap For Identity Providers, Federations and NRENs
SAML based, connected via eduGAIN Two profiles that have minimal, ‘low risk’ attribute requirements No personal data stored at service One connection with many Services that are high value to users, but low effort for IdP A pricing model which creates a revenue stream to sustain InAcademia upon success For Services OpenID Connect interface towards Service, no SAML required No need to deal with (inter) federation Simplified Policy, compatible with eduGAIN CoCo The pricing model allows new Services to enter the market easily One connection with many trusted Identity Providers Allows Procurement to collaborate on pan EU scale as it provides a safe, secure and privacy preserving gateway to (potentially) all end users in Academia

15

Download ppt "InAcademia Simple Validation Service Niels van Dijk"

Similar presentations

Innovation through participation GÉANT Data Protection Code of Conduct (DP CoC) 21.6.2012 FIM for research collaboration workshop Mikael Linden,

Innovation through participation GÉANT Data Protection Code of Conduct (DP CoC) FIM for research collaboration workshop Mikael Linden,
EduPerson and Federated K-12 Activities InCommon/Quilts Pilot Group February 27, 2014 Keith Hazelton UW-Madison, InCommon/I2.

EduPerson and Federated K-12 Activities InCommon/Quilts Pilot Group February 27, 2014 Keith Hazelton UW-Madison, InCommon/I2.
Step-up Authentication as-a Service Pieter van der Meulen Technical Product Manager.

Step-up Authentication as-a Service Pieter van der Meulen Technical Product Manager.
Identity Management Based on P3P Authors: Oliver Berthold and Marit Kohntopp P3P = Platform for Privacy Preferences Project.

Identity Management Based on P3P Authors: Oliver Berthold and Marit Kohntopp P3P = Platform for Privacy Preferences Project.
1 Issues in federated identity management Sandy Shaw EDINA IASSIST 24-27 May 2005, Edinburgh.

1 Issues in federated identity management Sandy Shaw EDINA IASSIST May 2005, Edinburgh.
Agenda Project beginnings and funding. Purpose of the federation. Federation members. Federation protocols. Special features in our federation. Pilot.

Agenda Project beginnings and funding. Purpose of the federation. Federation members. Federation protocols. Special features in our federation. Pilot.
Information Resources and Communications University of California, Office of the President UCTrust Implementation Experiences David Walker, UCOP Albert.

Information Resources and Communications University of California, Office of the President UCTrust Implementation Experiences David Walker, UCOP Albert.
Toward the Clouds, Together ! Collaboration effort of European NRENs in Cloud Computing Branko Radojević, Deputy Director, CARNet/GEANT TF-MSP Budapest,

Toward the Clouds, Together ! Collaboration effort of European NRENs in Cloud Computing Branko Radojević, Deputy Director, CARNet/GEANT TF-MSP Budapest,
Co-ordination & Harmonisation of Advanced e-Infrastructures for Research and Education Data Sharing Research Infrastructures Grant Agreement n. 306819.

Co-ordination & Harmonisation of Advanced e-Infrastructures for Research and Education Data Sharing Research Infrastructures Grant Agreement n
Copyright © The OWASP Foundation Permission is granted to copy, distribute and/or modify this document under the terms of the OWASP License. The OWASP.

Copyright © The OWASP Foundation Permission is granted to copy, distribute and/or modify this document under the terms of the OWASP License. The OWASP.
Innovation through participation Interfederation through eduGAIN - steps and challenges eduGAIN interfederation service 2012-02-27 Federated Identity Systems.

Innovation through participation Interfederation through eduGAIN - steps and challenges eduGAIN interfederation service Federated Identity Systems.
Www.geant.org AARC Overview Licia Florio, David Groep 21 Jan 2015 presented by David Groep, Nikhef.

AARC Overview Licia Florio, David Groep 21 Jan 2015 presented by David Groep, Nikhef.
Internet2 – InCommon and Box Marla Meehl Colorado CIO 11/1/11.

Internet2 – InCommon and Box Marla Meehl Colorado CIO 11/1/11.
Belnet Federation Belnet – Loriau Nicolas Brussels – 12 th of June 2014.

Belnet Federation Belnet – Loriau Nicolas Brussels – 12 th of June 2014.
Edugate Glenn Wearen HEAnet.. Summary 1 year Pilot Project / 2 years in production All IoT’s, Universities, Colleges, but only half of HEAnet’s members.

Edugate Glenn Wearen HEAnet.. Summary 1 year Pilot Project / 2 years in production All IoT’s, Universities, Colleges, but only half of HEAnet’s members.
INTRODUCTION: THE FIRST TRY InCommon eduGAIN Policy and Community Working Group.

INTRODUCTION: THE FIRST TRY InCommon eduGAIN Policy and Community Working Group.
Connect. Communicate. Collaborate AAI scenario: How AutoBAHN system will use the eduGAIN federation for Authentication and Authorization Simon Muyal,

Connect. Communicate. Collaborate AAI scenario: How AutoBAHN system will use the eduGAIN federation for Authentication and Authorization Simon Muyal,
Authentication and Authorisation for Research and Collaboration Christos Kanellopoulos GRNET Proposed Pilots for Libraries and eGov.

Authentication and Authorisation for Research and Collaboration Christos Kanellopoulos GRNET Proposed Pilots for Libraries and eGov.
JRA1.4 Models for implementing Attribute Providers and Token Translation Services Andrea Biancini.

JRA1.4 Models for implementing Attribute Providers and Token Translation Services Andrea Biancini.
© 2010 Cisco and/or its affiliates. All rights reserved. Cisco Confidential 1 © 2010 Cisco and/or its affiliates. All rights reserved. Cisco Confidential.

© 2010 Cisco and/or its affiliates. All rights reserved. Cisco Confidential 1 © 2010 Cisco and/or its affiliates. All rights reserved. Cisco Confidential.

Similar presentations

Ads by Google