
Innovation through participation eduGAIN federation operator training eduGAIN policy eduGAIN training in Vienna 17-18 Oct 2011


2 Outline
- Background
- eduGAIN Policy Framework
- Data protection issues and the data protection good practice profile

3 Federation is all about trust
- SP needs to trust the IdP
  - LoA: quality of identities and authentication are as agreed
  - Schema: attributes and their semantics are as agreed
- IdP needs to trust the SP
  - Privacy: that the SP does not infringe the privacy laws
- Everyone needs to trust the federation operator
  - Security: operations are done securely
  - Rules: operations follow the federation rules
- These issues are covered in the federation policy (agreement)
- No federation policy => no federation; c.f. PEER, a pure SAML metadata delivery service

4 Starting point for the eduGAIN interfederation service
- Heterogeneous national federations
  - Sectors covered: universities, research institutions, schools…
  - Level of Assurance (LoA): reliability of identities/authentication
  - Attributes: recommended attributes, semantics (ePAffiliation)
  - Privacy mechanisms: attribute release policies, consent modules
  - Incident handling mechanisms
  - Liability, indemnification, other typical contractual issues
- eduGAIN did not want to make the national federations change their policies
  - Would have caused too much trouble/hassle for the federations

5 eduGAIN's approach
- Keep the bar low for federations to join
  - Don't exclude anyone
  - Keep the basic level of trust low
- Introduce optional profiles for higher levels of trust
  - Data protection
  - Level of Assurance
[Figure: policies of Fed 1, Fed 2 and Fed 3 stacked on top of the eduGAIN basic level]

6 And the result was
- Interfederation, not confederation
- eduGAIN is mostly a metadata exchange service
- IdPs and SPs are bound only by their national federation's policy
- Any complaints about an IdP or SP will be covered locally in its home federation
- Side effect: a provider in fed 1 doesn't necessarily trust a provider in fed 2 => opt-in needed by Entities
[Figure: eduGAIN connecting fed 1 to fed 5, each federation with its own IdPs and SPs]

7 Opt-in for Entities
1. "Uplink": Entity opts in for being exposed to eduGAIN
2. "Downlink": Each peer Entity decides if it wants to on-board the metadata of an entity that has been exposed to eduGAIN
- IdP needs to consider the privacy risks of releasing Personal Data to foreign SPs
- SP needs to consider LoA and attribute semantics of foreign IdPs
- Everyone needs to consider if they are happy with the peer Provider's federation agreement

8 eduGAIN policy framework

9 eduGAIN policy ver 1.0
1. Policy Declaration
2. Constitution
3. Metadata Terms of Access and Use
See also: Introduction to the eduGAIN policy framework
Profiles:
4. Metadata profile (MUST)
5. WebSSO profile (MAY)
6. Attribute profile (SHOULD)
7. Data protection good practice profile (MAY)
[Figure: the Policy Declaration signed by each federation (Federation 1, 2, 3) refers to the eduGAIN Constitution (NREN PC approves/changes), which is supplemented by required profiles (NREN PC approves/changes), recommended profiles (TSG approves/changes) and optional profiles (TSG approves/changes)]

10 1. eduGAIN Declaration
- Cannot be changed later
- Two pages of text
- Joining federation signs it and presents it to the Operational Team (OT)
- Essential issues of the policy
  - Metadata exchange
  - Entities are bound by their local federation policies only
  - No new legal rights or obligations for Entities (e.g. liabilities)

11 2. Constitution
- Goal of eduGAIN: "to support NREN constituency by interfederation service"
- Bodies: NREN PC, GEANT EXEC, Technical steering group, OT
- Requirements and process for joining
- Policy violation
- Branding and trademarks
- Quality of identities and attributes: dispute resolution for user identities, freshness of attributes
- Audits: for Entities and federations (none) and for eduGAIN operations

12 3. Metadata Terms of Use
- <!-- Use of this metadata is subject to the Terms of Use at --> URL
- Attached to all published eduGAIN metadata
- "License" agreement of the metadata file
- Secondary; participant federations' policies override this
- "Use at your own risk"

13 4. SAML2 Metadata profile (MUST)
- MUST:
- MUST: publisher
- MUST: with a link to Metadata ToU
- SHOULD: creationInstant or publicationID elements
- MUST: with contactType="technical"
  - MUST:
- MUST:
  - MUST: registrationAuthority
  - SHOULD: registrationInstant
- SHOULD: with English and native values: ,,

14 4. SAML2 Metadata profile (cont'd)
- If contains or or: SHOULD: and in English and native language(s)
- If contains: MAY:
- Aggregated SHOULD:
- MUST: Conformance to SAML V2.0 Metadata Interoperability Profile

15 5. WebSSO profile (OPTIONAL)
"Currently, the only allowed SAML 2.0 protocol profile to be used for Web Single Sign-on in eduGAIN is saml2int (ver 0.2)"

16 6. Attribute profile (SHOULD)
- RECOMMENDED attributes: displayName, common name, mail, eduPerson(Scoped)Affiliation, schacHomeOrganization and schacHomeOrganizationType
  - At least one schacHomeOrganizationType SHOULD be from the international vocabulary
- MUST: eP(S)A vocabulary: member, faculty, student, alum, affiliate, library-walk-in
  - Semantics as defined by REFEDS comparison ver 0.13
- SAML2 persistent ID is RECOMMENDED as the unique ID
  - Placed in the SAML assertion's subject/nameID element and attribute statement

17 Data protection issues and 7. Data protection good practice profile (OPTIONAL)

18 eduGAIN Data protection good practice profile (DP profile)
- EU Data protection directive: the IdP takes a legal risk when it releases personal data (PII) to the SP
- eduGAIN DP profile uses SAML2 metadata to mediate the SP's privacy-related properties to the IdP in a structured way
  - element
  - New and elements
- IdP uses the elements to decide if attributes can be released to the SP, to fulfill its related obligations
- For details, see the full DP profile in

19 eduGAIN Data protection profile, 1/4: Two kinds of SPs
- Category non-PII: SP receives no personal data
  - eduPersonAffiliation, schacHomeOrganization…
  - Data protection laws not applied
- Category PII: SP receives personal data
  - eduPersonPrincipalName, mail, CN…
  - Data protection laws applied
- SAML2 metadata indicates the SP's category: PII

20 eduGAIN Data protection profile, 2/4: Relevance of attributes released
- Data protection laws: attributes an SP receives must be adequate, relevant and not excessive in relation to the purpose of the SP => the IdP must not release attributes the SP does not need
- SP's SAML metadata indicates the attributes the SP declares relevant for its needs:
<RequestedAttribute NameFormat="urn:oasis:names:tc:SAML:2.0:attrname-format:uri" Name="urn:oid:" isRequired="true"/>
<RequestedAttribute NameFormat="urn:oasis:names:tc:SAML:2.0:attrname-format:uri" Name="urn:oid:" isRequired="false"/>

21 eduGAIN Data protection profile, 3/4: Legal grounds
- Data protection laws: releasing attributes to an SP is based on either
  - the user's consent, or
  - necessity (for performing a contract, for performing a task carried out in the public interest, for legitimate interests…)
- SP proposes the legal grounds in SAML 2.0 metadata
- If the legal ground is consent, the IdP asks the user to consent to the attribute release (cf. consent modules such as uApprove)
- In July 2011 the WP29 Data Protection Working Party of the EU published its opinion on consent. Related modifications to the profile are being drafted.

22 eduGAIN Data protection profile, 4/4: Informing the data subject
- When releasing personal data to the SP, the data controller must tell the end user what personal data will be released, to whom and for what purposes, etc.
- SP places its privacy policy URL in its SAML metadata's MDUI element
- The IdP provides the link to the user (e.g. when s/he consents to attribute release)
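To show how an IdP can act on slides 19 to 22 (SP category, RequestedAttribute relevance, privacy statement URL), here is an added example that is not part of the presentation or of any eduGAIN software. The category marker `urn:example:edugain-dp:category` is a placeholder, since the profile's real element is not named on this page; the SP metadata and user record are constructed, and the attribute OIDs are the standard ones.

```python
import xml.etree.ElementTree as ET  # for metadata from untrusted feeds, prefer defusedxml.ElementTree
NS = {"md": "urn:oasis:names:tc:SAML:2.0:metadata",
      "saml": "urn:oasis:names:tc:SAML:2.0:assertion",
      "mdui": "urn:oasis:names:tc:SAML:metadata:ui",
      "mdattr": "urn:oasis:names:tc:SAML:metadata:attribute"}
# Placeholder marker for the SP category (slide 19); the profile's real name/value is not on this page.
CATEGORY_ATTR, CATEGORY_PII = "urn:example:edugain-dp:category", "PII"

# Constructed SP metadata: a PII-category wiki asking for mail (required) and cn (optional).
SP_METADATA = """<md:EntityDescriptor xmlns:md="urn:oasis:names:tc:SAML:2.0:metadata"
  xmlns:saml="urn:oasis:names:tc:SAML:2.0:assertion" xmlns:mdui="urn:oasis:names:tc:SAML:metadata:ui"
  xmlns:mdattr="urn:oasis:names:tc:SAML:metadata:attribute" entityID="https://wiki.example.org/sp">
  <md:Extensions><mdattr:EntityAttributes><saml:Attribute Name="urn:example:edugain-dp:category">
    <saml:AttributeValue>PII</saml:AttributeValue></saml:Attribute></mdattr:EntityAttributes></md:Extensions>
  <md:SPSSODescriptor protocolSupportEnumeration="urn:oasis:names:tc:SAML:2.0:protocol">
    <md:Extensions><mdui:UIInfo>
      <mdui:PrivacyStatementURL xml:lang="en">https://wiki.example.org/privacy</mdui:PrivacyStatementURL>
    </mdui:UIInfo></md:Extensions>
    <md:AttributeConsumingService index="0"><md:ServiceName xml:lang="en">Example wiki</md:ServiceName>
      <md:RequestedAttribute Name="urn:oid:0.9.2342.19200300.100.1.3" FriendlyName="mail" isRequired="true"/>
      <md:RequestedAttribute Name="urn:oid:2.5.4.3" FriendlyName="cn"/>
    </md:AttributeConsumingService></md:SPSSODescriptor></md:EntityDescriptor>"""

def release_decision(metadata_xml, user_attrs):
    """IdP-side check; returns (attributes to release, reasons for withholding, privacy URL)."""
    root = ET.fromstring(metadata_xml)
    # 1/4: did the SP declare itself a PII-receiving service?
    values = root.findall(f".//mdattr:EntityAttributes/saml:Attribute[@Name='{CATEGORY_ATTR}']"
                          "/saml:AttributeValue", NS)
    is_pii = any((v.text or "").strip() == CATEGORY_PII for v in values)
    # 4/4: a PII SP must publish a privacy statement URL the IdP can show the user
    url_el = root.find(".//mdui:UIInfo/mdui:PrivacyStatementURL", NS)
    privacy_url = url_el.text.strip() if url_el is not None and url_el.text else None
    if is_pii and privacy_url is None:
        return {}, ["PII-category SP without PrivacyStatementURL: nothing released"], None
    # 2/4: release only what the SP declares relevant; isRequired defaults to false
    requested = {ra.get("Name"): ra.get("isRequired", "false").lower() == "true"
                 for ra in root.findall(".//md:AttributeConsumingService/md:RequestedAttribute", NS)}
    release = {n: v for n, v in user_attrs.items() if n in requested}
    reasons = [f"{n}: not requested by SP, withheld" for n in user_attrs if n not in requested]
    reasons += [f"{n}: isRequired but not available for this user"
                for n, req in requested.items() if req and n not in user_attrs]
    return release, reasons, privacy_url

if __name__ == "__main__":
    # Constructed user record: mail and cn (PII) plus eduPersonAffiliation (non-PII), keyed by standard OIDs
    user = {"urn:oid:0.9.2342.19200300.100.1.3": "alice@example.edu", "urn:oid:2.5.4.3": "Alice Example",
            "urn:oid:1.3.6.1.4.1.5923.1.1.1.1": "member"}
    print(release_decision(SP_METADATA, user))
```

The legal-grounds element of slide 21 is not modelled because its name is not given on this page; a consent module would use the returned privacy URL when asking the user.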

23 Luckily, the level of security is relative to the risks
- "the controller must implement appropriate technical and organizational measures to protect personal data ... such measures shall ensure a level of security appropriate to the risks represented by the processing and the nature of the data to be protected."
- Most collaboration services (wikis…) need just CN, mail and ePTID
[Figure: IdP sends the SP a SAML assertion carrying CN, mail, ePTID]

24 Future policy work
- GN3 project asked the eduGAIN task to prepare an updated Constitution
  - To find a long-term solution to the governance model
- Level of Assurance issues
  - Strong identity, strong authentication…?
  - c.f. REFEDS work item ref6
  - c.f. NIST 800-63, InCommon Bronze/Silver
  - Currently looking at Kantara IAF (LoA 1 and 2?)
- Data protection issues
  - Joined forces with REFEDS attribute release WG
  - Supporting eduGAIN Data Protection Good Practice Profile in IdP-side implementations
