Published by Lewis Banks, modified over 9 years ago
Slide 1: Federated Identity and the International Research Community
Dr Ken Klingenstein, Director, Internet2 Middleware and Security
Slide 2: Topics
kjk@internet2.edu
- The needs of researchers
- Meeting those needs
- International issues and implications
Slide 3: IdM Needs of Researchers
- Access to collaboration tools
- No modifications to existing domain science apps
- Command line tools
- International capabilities
- Multiple levels of assurance
- Roles, schema and attributes
Slide 4: Meeting those needs
- Bridging federated identity to domain apps
  - GridShib: federated id in, X.509 PKI certificate out
  - OAuth: federated id in, delegation token out
  - SAML Extended Client Profile (ECP) for non-web apps
- Boarding process a one-time task
- Connecting federated identity to existing app identity
Slide 5: Multiple levels of assurance
- LOA 1 for wikis, outreach, etc.
- LOA 2 for grant administration
- LOA 3/4 for sensitive data and apps
- Step-up processes to integrate user experience
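Added example, not code from the presentation or from Internet2: the step-up decision implied by the LOA tiers on slide 5, combined with the one-time boarding mapping from slide 4. The required LOA per resource class follows the slide; the SAML authentication context URIs are standard identifiers, but the LOA ceilings attached to them, the eduPersonAssurance values and the sample identifiers are constructed local policy.

```python
"""Step-up authorization and one-time boarding for a federated research app.

Added example. LOA per resource class follows the slide; the LOA numbers
attached to SAML contexts and the eduPersonAssurance values are constructed.
"""

# Minimum LOA per resource class (from the slide).
REQUIRED_LOA = {"wiki": 1, "outreach": 1, "grant_admin": 2, "sensitive_data": 3}

# Highest LOA a session can reach given how the user authenticated
# (constructed policy: a password alone never carries beyond LOA 2).
PASSWORD_CTX = "urn:oasis:names:tc:SAML:2.0:ac:classes:PasswordProtectedTransport"
MFA_CTX = "https://refeds.org/profile/mfa"
AUTHN_CEILING = {PASSWORD_CTX: 2, MFA_CTX: 4}

# Identity-proofing level asserted by the IdP in eduPersonAssurance
# (constructed attribute values; absent or unknown values count as LOA 1).
PROOFING_LOA = {f"urn:example:assurance:loa{n}": n for n in (1, 2, 3)}


def decide(resource, authn_context, assurance_values):
    """Return ("allow" | "step-up" | "deny", detail) for one access request.

    Effective LOA is the weaker of identity proofing and authentication
    strength. Re-authenticating with MFA can raise the latter (step-up) but
    never the former, so insufficient proofing is a hard deny, not a step-up.
    """
    required = REQUIRED_LOA[resource]
    proofing = max([1] + [PROOFING_LOA.get(v, 0) for v in assurance_values])
    authn = AUTHN_CEILING.get(authn_context, 0)  # unknown context earns nothing
    if proofing < required:
        return ("deny", f"identity proofing LOA {proofing} < required {required}")
    if authn < required:
        return ("step-up", MFA_CTX)  # ask the IdP to re-authenticate with MFA
    return ("allow", f"effective LOA {min(proofing, authn)}")


class Boarding:
    """One-time mapping of a federated identifier (eduPersonPrincipalName)
    to a local application account; later sessions reuse the mapping."""

    def __init__(self):
        self._accounts = {}

    def local_account(self, eppn):
        if eppn not in self._accounts:  # first visit: create the local identity
            self._accounts[eppn] = f"user{len(self._accounts) + 1:04d}"
        return self._accounts[eppn]
```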
Slide 6: Roles, schema and attributes
- Research communities have their own cultures, vocabularies, needs
- Building community-wide consistency on roles, privileges, groups provides tremendous leverage for collaborations
- Keeping it simple is critical and difficult
Slide 7: Collaborations and Virtual Organizations
- IdM is a critical dimension of collaboration, crossing many applications and user communities
- Virtual organizations represent critical communities of researchers sharing domain resources and applications as well as general collaboration tools.
- Providing a unified identity management platform for collaboration is essential in a multi-domain, multi-tool world.
- Lots of activities in domesticating applications to work in a federated world, moving from tool-based identity to collaboration-centric identity.
Slide 8: Domestication of applications
- The work of re-factoring applications to use the emergent identity services infrastructure
- Begins with federated identity and authentication, use of directories; gains a lot from group management for access control, etc.
- Needs a fine-grained set of authorization tools down the road
- Domesticated apps can receive IdM attributes via LDAP, SAML, X.509, SQL, Kerberos PAC, and maybe all of the above
Slide 9: COmanage
- COmanage can provide authentication and basic authorization services (group membership, privilege management, etc.) to domesticated apps
- “Domesticated” applications currently include MediaWiki, Confluence, Jira, Subversion, Sympa, Listserv, Drupal, Nagios, WordPress, Git. Plan to add audioconferencing, IM and chat rooms, EC2, Fedora, web-based file share, etc.
- Not “collaboration in a box”. More collaboration in an open-standard, integrated box.
- The “stand-alone” can be readily replumbed to be completely integrated into enterprise, federated or other attribute ecosystems as they develop
- Implemented as a service or as a VM, perhaps in a cloud
Slide 10: International issues
- Interoperability among federations
  - Technical issues straightforward
  - Policy alignment roughly okay
  - Formalizing, however, will be hard
- Semantic differences in attributes
Slide 11: International privacy issues
- Privacy policies quite different
  - Differences among national policies
  - Differences between national and EU policies
  - Differences between policies and courts
- PII differences
- Consent and necessity differences