Presentation is loading. Please wait.

Presentation is loading. Please wait.

Identity Federation Policy Marina Vermezović, AMRES Federated Identity Technology Workshop Sofia, Bulgaria, 20. Jun 2014.

Published byCalvin Dixon Modified over 9 years ago

Similar presentations

Presentation on theme: "Identity Federation Policy Marina Vermezović, AMRES Federated Identity Technology Workshop Sofia, Bulgaria, 20. Jun 2014."— Presentation transcript:

1 Identity Federation Policy Marina Vermezović, AMRES Federated Identity Technology Workshop Sofia, Bulgaria, 20. Jun 2014.

2 2 Connect | Communicate | Collaborate Identity Federation Identity federation enables campus authentication systems to integrate with a wide variety of services on campus, between campuses in a country and beyond Supports different technologies RADIUS Moonshot

3 3 Connect | Communicate | Collaborate Identity Federation Technology can be straightforward, but what about Enabling an Identity federation demands a formalized policy

4 4 Connect | Communicate | Collaborate European Identity Federations the Evolution Identity federations started emerging 10 years ago leading to approx. half of European countries have deployed an WebSSO Identity federation Significant knowledge and experience has been gathered through the operation of those Identity federations Identity federation communities such as REFEDS enabled the exchange of knowledge and addressed the common issues Existing Identity federation policies has evolved based on local needs

5 5 Connect | Communicate | Collaborate European Identity Federations The Evolution The “Federation Policy Best Practice Approach” and “Federation Policy Mapping” analyses were performed by REFEDS

6 6 Connect | Communicate | Collaborate Identity Federation Policy Template eduGAIN GN3 task supported the creation of Identity Federation Policy Template document http://www.terena.org/activities/eurocamp/oct12/programme1.html Gathered experience from existing Identity Federations in what not to put, and what to put in a Policy Based on Sweden Identity Federation - SWAMID policy Policy template is easy to be changed for local conditions Existing federations can use it if they want to change or update their existing policies

7 7 Connect | Communicate | Collaborate Allow multiple technologies Identity federation Policy should cover all these and allow for future adding new technologies Organizations join Identity federation only one time and then pick out which federation services they want to implement Identity Federation eduroam WebSSO Moonshot … Make the Policy in such a way that it allows for multiple technologies to be served using the same policy structure

8 8 Connect | Communicate | Collaborate Make resistant (as possible) to changes Make the Policy document in such a way to avoid the need for repeated changes Definitions that falls into changeable category should be put elsewhere e.g. federation website or appendix Find the right balance : Do not over specify Do not leave out important stuff Make resistant (as possible) to changes

9 9 Connect | Communicate | Collaborate Make future changes easy Policy will keep evolving and in certain degree changes will happen Make procedure for changing the policy lightweight as possible Important issue that can make effect on how easily a policy can be changed is what members sign when they join the Identity federation: Member fills in a separate form agreeing to be bound by the Policy document Member signs a copy of the actual policy (there are placeholders for signatures at the end the policy document)

10 10 Connect | Communicate | Collaborate Identity Federation Policy document suite Identity Federation Policy document Identity Federation Policy (main) Appendices Technology Profile eduroam Technology Profile Web single sign-on Level of Assurance Profiles Data Protection Profile Federation Operational Practices Appendix Governance Appendix Fees

11 11 Connect | Communicate | Collaborate Identity Federation Policy Template Sections Definitions and TerminologyIntroductionGovernance and Roles Governance Obligations and Rights of Federation Operator Obligations and Rights of Federation Members EligibilityProcedures How to Join How to Withdraw Legal conditions of use Termination Liability and indemnification Jurisdiction and dispute resolution Interfederation Amendment

12 12 Connect | Communicate | Collaborate Eligibility Defines which organizations are eligible to become a Member of your Federation, and which Member is eligible to act as Home Organization Depending on your country’s regulations for education and research sector and administrative/political circumstances, you should define which organizations are eligible to become a Member in your federation. However, as eligibility criterion is something you may want to adapt and change over time, it is the best to keep this section very short, and publish the eligibility criteria in some other place - this could simply be the website, or in separate appendix.

13 13 Connect | Communicate | Collaborate Governance of the federation Federation should have governing body which has advisory, decision or some other rights on certain federation issues. Structure and election process for the governing body falls into changeable category and should be specified elsewhere e.g. appendix Structure will probably highly depend on your local circumstances, how federation is established and funded Rights appointed to the governing body, advisory vs. deciding: Criteria for membership for the Federation Revoking the membership of a Federation Member Entering into interfederation agreement Formal ties with relevant national and international organisations Approving changes to the Federation Policy...

14 14 Connect | Communicate | Collaborate Obligations and Rights of Federation Operator It is very important to clearly define what are the obligations and rights of the Federation Operator Obligations boosts the members trust to Federation Operator, e.g.: Secure and trustworthy operational management of the federation Provides support services for Federation Members Maintaining relationships with national and international stakeholders in the area of Identity Federations Promoting the idea and concepts implemented in the Federation Federation Operator should keep certain rights, e.g. : temporarily suspend a Member who is in breach in policy publish some data about Federation Members

15 15 Connect | Communicate | Collaborate Obligations and Rights of Federation Members For mutual Federation Members trust, it is important to clearly define their obligations and rights There can be three types of Federation Members: Home Organization Attribute Authority Service Provider Some obligations and rights are same, but some differ !

16 16 Connect | Communicate | Collaborate Obligations and Rights of Federation Members - ALL Must cooperate with the Federation Operator and other Members in resolving incidents and should report incidents Must comply with the obligations of the Technology Profiles which it implements Must ensure its IT systems that are used in implemented Technology Profiles are operated securely Must pay the fees. Prices and payment terms are specified in appendix Fees If a Federation Member processes personal data, Federation Member will be subject to applicable data protection laws and must follow the practice presented in Data Protection Profile

17 17 Connect | Communicate | Collaborate Obligations and Rights of Federation Members – HO Is responsible for delivering and managing authentication credentials for its End Users and for authenticating them, as may be further specified in Level of Assurance Profiles Submit its Identity Management Practice Statement to the Federation Operator Ensures an End User is committed to the Home Organization’s Acceptable Usage Policy Operates a helpdesk for its End Users regarding Federation services related issues

18 18 Connect | Communicate | Collaborate Obligations and Rights of Federation Members – AA or HO Is responsible for assigning Attribute values to the End Users and managing the values in a way which ensures they are up-to-date Is responsible to releasing the Attributes to Service Providers

19 19 Connect | Communicate | Collaborate Obligations and Rights of Federation Members - SP Is responsible for making decision on which End Users can access the services they operate and which access rights are granted to an End User It is Service Providers responsibility to implement those decisions

20 20 Connect | Communicate | Collaborate Interfederation Enables federation to enter into interfederation agreements Technical and administrative issues related to interfederation are dependent of Technology Profile, and should be described there Federation Members will interact with entities which may be bound by very different rules and laws than the Members in this Federation A fundamental idea of an interfederation is that Members are bound by their local federation policies only and if anyone has a problem with the behavior of an entity in an Interfederation, he/she should go and check what the entity’s own Federation’s policy stipulates on it

21 21 Connect | Communicate | Collaborate Amendment Procedures required to get changes to the Federation Policy implemented Keep things simple and have the same procedure for all documents that make up the Federation Policy Give Federation Members a notification of the upcoming changes well in advance, allowing for feedback and resolution of potential points of contention before the changes come into force

22 22 Connect | Communicate | Collaborate www.geant.net www.twitter.com/GEANTnews | www.facebook.com/GEANTnetwork | www.youtube.com/GEANTtv Connect | Communicate | Collaborate Thank you!

Download ppt "Identity Federation Policy Marina Vermezović, AMRES Federated Identity Technology Workshop Sofia, Bulgaria, 20. Jun 2014."

Similar presentations

Module N° 4 – ICAO SSP framework

Module N° 4 – ICAO SSP framework
Freedom of Information Act 2000 and the PCT Audit Procedure Background: The Act was passed in November 2000. The Act will be fully in force by January.

Freedom of Information Act 2000 and the PCT Audit Procedure Background: The Act was passed in November The Act will be fully in force by January.
Policy interoperability in electronic signatures Andreas Mitrakas EESSI International event, Rome, 7 April 2003.

Policy interoperability in electronic signatures Andreas Mitrakas EESSI International event, Rome, 7 April 2003.
Research Contracts and IP Services TRAINING WORKSHOPS ON HORIZON 2020 – 27 NOV 2014 The Grant Agreement Roger Wallace – Research Contracts & IP Services.

Research Contracts and IP Services TRAINING WORKSHOPS ON HORIZON 2020 – 27 NOV 2014 The Grant Agreement Roger Wallace – Research Contracts & IP Services.
Department of Transportation Support Services Branch ODOT Procurement Office Intergovernmental Agreements 455 Airport Rd. SE, Bldg K Salem, OR 97301-5348.

Department of Transportation Support Services Branch ODOT Procurement Office Intergovernmental Agreements 455 Airport Rd. SE, Bldg K Salem, OR
Copyright JNT Association 20051Optional www.ukfederation.org.uk Copyright JNT Association 2007 1 Joining the UK Access Management Federation 4th April.

Copyright JNT Association 20051Optional Copyright JNT Association Joining the UK Access Management Federation 4th April.
1 Issues in federated identity management Sandy Shaw EDINA IASSIST 24-27 May 2005, Edinburgh.

1 Issues in federated identity management Sandy Shaw EDINA IASSIST May 2005, Edinburgh.
Information Resources and Communications University of California, Office of the President UCTrust Implementation Experiences David Walker, UCOP Albert.

Information Resources and Communications University of California, Office of the President UCTrust Implementation Experiences David Walker, UCOP Albert.
An Introduction to the Hennepin County Hennepin County GIS Technical Advisory Group (eGTAG) 10/20/2009.

An Introduction to the Hennepin County Hennepin County GIS Technical Advisory Group (eGTAG) 10/20/2009.
Access and Benefit Sharing and the Nagoya Protocol Nashina Shariff Manager Environmental Stewardship Branch November 2014.

Access and Benefit Sharing and the Nagoya Protocol Nashina Shariff Manager Environmental Stewardship Branch November 2014.
Expanded Version of COSO a presentation by Steve Wadleigh Expanded Version of COSO a presentation by Steve Wadleigh Standards for Internal Control in the.

Expanded Version of COSO a presentation by Steve Wadleigh Expanded Version of COSO a presentation by Steve Wadleigh Standards for Internal Control in the.
Regulatory Body MODIFIED Day 8 – Lecture 3.

Regulatory Body MODIFIED Day 8 – Lecture 3.
Governance requirements for Regional Associations as specified by Ocean.US Worth D. Nowlin, Jr. Texas A&M University NDBC and CSC of NOAA GCOOS Stakeholders.

Governance requirements for Regional Associations as specified by Ocean.US Worth D. Nowlin, Jr. Texas A&M University NDBC and CSC of NOAA GCOOS Stakeholders.
Networks ∙ Services ∙ People www.geant.org John DYER TF-MSP Video Conference Community Procurement Support Building on the SPOT-ON Proposal Smart Procurement,

Networks ∙ Services ∙ People John DYER TF-MSP Video Conference Community Procurement Support Building on the SPOT-ON Proposal Smart Procurement,
Implementation of Leader Axis measures by Jean-Michel Courades AGRI-F3.

Implementation of Leader Axis measures by Jean-Michel Courades AGRI-F3.
UNLV Data Governance Executive Sponsors Meeting Office of Institutional Analysis and Planning August 29, 2006.

UNLV Data Governance Executive Sponsors Meeting Office of Institutional Analysis and Planning August 29, 2006.
Non-governmental Actors in the Compliance with and Monitoring of Multilateral Environmental Decisions.

Non-governmental Actors in the Compliance with and Monitoring of Multilateral Environmental Decisions.
Credential Provider Operational Practices Statement CAMP Shibboleth June 29, 2004 David Wasley.

Credential Provider Operational Practices Statement CAMP Shibboleth June 29, 2004 David Wasley.
A SOUND INVESTMENT IN SUCCESSFUL VR OUTCOMES FINANCIAL MANAGEMENT FINANCIAL MANAGEMENT.

A SOUND INVESTMENT IN SUCCESSFUL VR OUTCOMES FINANCIAL MANAGEMENT FINANCIAL MANAGEMENT.
SWITCHaai Team Federated Identity Management.

SWITCHaai Team Federated Identity Management.

Similar presentations

Ads by Google