
Moonshot Workshop 14 th October 2014. Introduction to the Day Moonshot Workshop.



Presentation on theme: "Moonshot Workshop 14 th October 2014. Introduction to the Day Moonshot Workshop."— Presentation transcript:

1 Moonshot Workshop 14 th October 2014

2 Introduction to the Day Moonshot Workshop

3 Agenda
10:00 – 10:10 Intro to the morning
10:00 – 11:00 Pseudonymous identifiers, account mapping
11:00 – 11:15 Break
11:15 – 12:30 Your requirements
12:30 – 13:30 Lunch
13:30 – 13:40 Intro to the afternoon
13:40 – 14:30 Management Portal
14:30 – 15:30 Open questions / assistance
15:30 – 15:45 Break
15:45 – 16:00 Summary

4 Moonshot & Communities A quick reminder… What are communities?

5 Communities and Policy
Diagram: an Authentication Policy Community (Community of Registration) containing Community A, Community B and Community C.
Organisation validation to the APC’s defined standards.
Policy coming from community requirements. Could include:
– Registration LoA
– AuthN LoA
– Operational practices
– User behaviour
– Attribute release (RADIUS & SAML)
– Etc.

6 Moonshot & Communities Communities will consist of a subset of the entities connected to a particular APC.

7 Whole Trust Network

8 Community A

9 Community B

10 Community C

11 Moonshot/TR – Pseudonymous Identifiers
SAML & eduroam each have one pseudonymous id:
– eduPersonTargetedId
– CUI
Allows pseudonymous use of resources – good
Typically targeted to the RP to stop vendor collusion
– From a privacy perspective – good
– From the perspective of projects with multiple resources that want to link accounts – bad!

12 Moonshot/TR – Pseudonymous Identifiers
Moonshot has more layers than SAML / eduroam. Let’s take advantage of that…
Three layers:
– Host
– Realm
– Community

13 RP Targeted Identifier
Diagram: Community A spanning the realms cardiff.ac.uk (RP1, IdP1, RP2) and ja.net (RP1, RP2, IdP1); the RP-targeted identifiers shown are abcd, efgh, ijkl and mnop, one per RP.
Different for every RP
– No collusion
– But no (good) linking either

14 Realm Targeted Identifier
Diagram: the same Community A with realms cardiff.ac.uk and ja.net; the realm-targeted identifiers shown are abcd (shared by the RPs in one realm) and efgh (the other realm).
Different for every realm
– No collusion across realms
– Linkability between RPs in the same realm

15 Community Targeted Identifier
Diagram: the same Community A; a single community-targeted identifier, abcd, is shown for every RP in both realms.
Different for every community
– No collusion across communities
– Linkability between RPs in the same community

16 Pseudonymous Identifiers
Wiki contains (or will do) instructions on how IdPs can enable this:
– FreeRADIUS policy.d file
– Currently hash-based generation
– Will also support a stored (and revocable) option
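As an added illustration of the three targeting layers from slides 13–15 and the hash-based generation mentioned on slide 16 (example code written for this transcript, not the FreeRADIUS policy from the Moonshot wiki): a keyed hash over the user and the target scope gives an identifier that differs per RP, per realm or per community, while the same user always gets the same value within one scope. The secret, RP names, realms and community name are all constructed for the example.

```python
import base64
import hashlib
import hmac

# Constructed per-IdP secret (hypothetical). A real deployment keeps a long random
# key at the IdP only: anyone holding it can recompute every identifier.
IDP_SECRET = b"constructed-example-secret-do-not-reuse"


def targeted_id(user: str, scope: str, secret: bytes = IDP_SECRET) -> str:
    """Derive a pseudonymous identifier for `user` that is stable within `scope`.

    `scope` names the target layer and value, e.g. "rp:rp1.cardiff.ac.uk",
    "realm:cardiff.ac.uk" or "community:community-a". Using a keyed hash (HMAC)
    rather than a plain hash means an RP cannot recover the username by hashing
    guesses, and rotating the secret changes every identifier at once. Being
    purely hash-derived, a single identifier cannot be revoked on its own; that
    is what the stored option on slide 16 would add.
    """
    msg = scope.encode() + b"\x00" + user.encode()
    mac = hmac.new(secret, msg, hashlib.sha256).digest()
    # 80 bits is ample for uniqueness; base32 is safe inside RADIUS/SAML attributes.
    return base64.b32encode(mac[:10]).decode().lower()


def identifiers_for(user: str, rp: str, realm: str, community: str) -> dict:
    """Return the three layered identifiers an IdP could release for one request."""
    return {
        "rp": targeted_id(user, "rp:" + rp),
        "realm": targeted_id(user, "realm:" + realm),
        "community": targeted_id(user, "community:" + community),
    }


if __name__ == "__main__":
    # Constructed requests from one user to RPs in two realms of Community A.
    a = identifiers_for("alice", "rp1.cardiff.ac.uk", "cardiff.ac.uk", "community-a")
    b = identifiers_for("alice", "rp2.cardiff.ac.uk", "cardiff.ac.uk", "community-a")
    c = identifiers_for("alice", "rp1.ja.net", "ja.net", "community-a")
    for name, ids in (("cardiff RP1", a), ("cardiff RP2", b), ("ja.net RP1", c)):
        print(name, ids)
```

Running it shows the RP-targeted value changing for every RP, the realm-targeted value shared by the two cardiff.ac.uk RPs only, and the community-targeted value shared by all three.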

17 Account Mapping / AuthZ
Two/three/four main options:
– IdP has control: IdP asserts info (e.g. mailbox name), RP uses that info to map directly to an account
– RP has control: IdP asserts info (e.g. a pseudonymous id, in RADIUS or SAML):
  – RP Proxy uses that info to map to an account, with transformational logic
  – RP Proxy passes the info unmodified, and the service itself uses its own stuff to map to an account
  – RP Proxy passes the info after transformation, and the service itself uses its own stuff to map to an account

18 Existing vs JIT account
Existing accounts:
– Use a realm/COI-wide identifier to get people to register online first and create an account linked to that id
– Or create the account in advance, and get the IdP to assert that info for each user
JIT:
– Could get FreeRADIUS to run a custom command to create something on the fly
– Or the app/service may be able to do this itself

19 DEMO

20 Final Q&A Any questions?

21 THANK YOU Janet, Lumen House Library Avenue, Harwell Oxford Didcot, Oxfordshire t: +44 (0) 1235 822200 f: +44 (0) 1235 822399 e: service@ja.net

