Published by Rosemary Norman. Modified over 8 years ago.
Slide 1: Growth
Slide 2: Interfederation (kjk@internet2.edu)
- PKI is globally scalable. Unfortunately, it's not locally deployable…
- Federation is locally deployable. Can it scale globally?
- Inter-federation: like BGP, only 1000 times harder
Slide 3: Interfederation
- Connecting autonomous identity federations
- Critical for global scaling, accommodating local federations, integration across vertical sectors
- Has technical, financial and policy dimensions
- Several operational instances: Kalmar2 Union, eduGAIN, ad hocs (UC Trust, Texas)
- Use cases now numerous, across sectors, within sectors
- Short-term and long-term approaches
- If it's called the Internet, shouldn't we start talking about interfederated identity?
Slide 4: Interfederation: short-term/long-term
- Long-term is starting to be worked, mostly technically, with some ad hoc policy
- Short-term has happened and should continue, but should be informed by, and inform, the long-term
- Both short-term and long-term need to address the same buckets of issues
- Long-term has potentially disruptive service models
Slide 5: Buckets of interfed issues
Both short-term and long-term approaches must address:
- Exchange, and massage, of metadata
- Policy alignment
- Alignment of payloads (attributes)
- Operational issues: error handling, incident handling, legal and contractual, etc.
Slide 6: UK Access Federation metadata processing
Slide 7: Future metadata flows in interfederation (diagram labels: Org, Registrar, Aggregator, Local trust oracle)
Slide 8: Multiple trust contexts in interfederation (diagram labels: Org, Registrar, Aggregator, Application auditor, Local trust oracle)
Slide 9: Trust and metadata
- Trusting that the metadata was provided by an authorized entity: secure deposit
- Trusting that the "organizationally vetted" metadata is correct: self-certified
- Trusting that the "externally vetted" metadata is true: certified apps, e.g. an app listed as R&S is in fact right
Slide 10: Emerging key software and protocols
- MDA: metadata aggregator
- PEER: metadata registry management software; there may be multiple PEER service instances
- MDX: the query protocol(s) to request metadata; return via normal publishing protocols
- Improved discovery services: accountchooser, discojuice, embedded discovery services
- End-entity categories: an important new type of metadata, allowing for certified apps and IdPs
Slide 11: Meta-meta-data
- Metadata has its own metadata, e.g. who supplied it, when, terms of use, etc.
- Meta-meta-data may be contained in the metadata stream, peeled off to help processing of the other metadata, then reinserted as regular metadata into products
- No real discussions yet on normalizing meta-meta-data
- Likely little or no need for meta-meta-meta-data, thankfully…
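As an added example (not from the slides), the Python below reads the meta-meta-data that slide 11 describes (MDRPI RegistrationInfo and PublicationInfo: who registered an entity, who published the aggregate) together with entity-category claims from a constructed SAML metadata aggregate, and applies the local-trust-oracle rule implied by slide 9: an "externally vetted" R&S claim is accepted only when the registering federation is one the consumer trusts. The entityIDs, registrar and publisher URLs are assumed placeholders; the XML namespaces, the entity-category attribute name and the R&S category URI are the real ones.

```python
# Added example, not from the slides: read SAML metadata "meta-meta-data" (MDRPI RegistrationInfo
# and PublicationInfo) plus entity-category claims, and apply a local trust rule to R&S claims.
import xml.etree.ElementTree as ET
from datetime import datetime, timezone

NS = {"md": "urn:oasis:names:tc:SAML:2.0:metadata", "mdrpi": "urn:oasis:names:tc:SAML:metadata:rpi",
      "mdattr": "urn:oasis:names:tc:SAML:metadata:attribute", "saml": "urn:oasis:names:tc:SAML:2.0:assertion"}
ENTITY_CATEGORY = "http://macedir.org/entity-category"
RS_CATEGORY = "http://refeds.org/category/research-and-scholarship"

# Constructed aggregate (hypothetical URLs): one R&S-tagged SP registered by federation.example.org, one SP with no RegistrationInfo.
SAMPLE_AGGREGATE = """<md:EntitiesDescriptor validUntil="2030-01-01T00:00:00Z"
  xmlns:md="urn:oasis:names:tc:SAML:2.0:metadata" xmlns:mdrpi="urn:oasis:names:tc:SAML:metadata:rpi"
  xmlns:mdattr="urn:oasis:names:tc:SAML:metadata:attribute" xmlns:saml="urn:oasis:names:tc:SAML:2.0:assertion">
  <md:Extensions><mdrpi:PublicationInfo publisher="https://aggregator.example.org"/></md:Extensions>
  <md:EntityDescriptor entityID="https://sp.example.edu/shibboleth">
    <md:Extensions>
      <mdrpi:RegistrationInfo registrationAuthority="https://federation.example.org"/>
      <mdattr:EntityAttributes><saml:Attribute Name="http://macedir.org/entity-category">
        <saml:AttributeValue>http://refeds.org/category/research-and-scholarship</saml:AttributeValue>
      </saml:Attribute></mdattr:EntityAttributes>
    </md:Extensions>
  </md:EntityDescriptor>
  <md:EntityDescriptor entityID="https://unknown.example.net/sp"/>
</md:EntitiesDescriptor>"""

def entity_categories(ed):
    cats = []
    for attr in ed.findall("md:Extensions/mdattr:EntityAttributes/saml:Attribute", NS):
        if attr.get("Name") == ENTITY_CATEGORY:  # only the entity-category attribute, not other tags
            cats += [v.text.strip() for v in attr.findall("saml:AttributeValue", NS)]
    return cats

def assess_aggregate(xml_text, trusted_registrars, now=None):
    """Map entityID -> {publisher, registrar, claims_rs, rs_accepted}; reject a stale aggregate."""
    root = ET.fromstring(xml_text)
    now = now or datetime.now(timezone.utc)
    valid_until = datetime.fromisoformat(root.get("validUntil").replace("Z", "+00:00"))
    if valid_until < now:
        raise ValueError("aggregate expired at %s; do not consume stale metadata" % root.get("validUntil"))
    pub = root.find("md:Extensions/mdrpi:PublicationInfo", NS)
    publisher = pub.get("publisher") if pub is not None else None
    result = {}
    for ed in root.findall("md:EntityDescriptor", NS):
        reg = ed.find("md:Extensions/mdrpi:RegistrationInfo", NS)
        registrar = reg.get("registrationAuthority") if reg is not None else None
        claims_rs = RS_CATEGORY in entity_categories(ed)
        # The local trust oracle: an "externally vetted" R&S tag is only as good as its registrar.
        result[ed.get("entityID")] = {"publisher": publisher, "registrar": registrar, "claims_rs": claims_rs, "rs_accepted": claims_rs and registrar in trusted_registrars}
    return result
```

Real aggregates are signed; verifying the signature against the publisher's key comes before any of this parsing, and the `validUntil` check is the minimum freshness control a consumer should keep.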
Slide 12: Policy points in interfederation
- How the federation manages verification of both the organizations and their (perhaps delegated) authorized submitters (the FOP)
- How the federation manages verification of other, richer end-entity attributes it asserts, such as classification of applications (e.g. R&S), recommended attribute release policies, etc.
- How the federation operates, in terms of metadata signing approaches, legal status, etc.
- Aligning the LOA at basic and higher levels for authentication
- Aligning the relationships between IdP and SP when they are not in the same federation
  - Direct contracts should govern where applicable
  - If the contractual flow is member to fed, and then across interfed to an SP in another…
Slide 13: Interfed policy areas
- Federation operations
  - Legal status and bona fides
  - Operational issues: signing key and metadata protection, incident handling, etc.
- Federation to member relationships
  - Contractual
  - Vetting of members and delegation of metadata
- Community standards
  - LOA
  - End-entities and vetting values
  - Attribute bundles
- IdP-SP direct relationships
  - What issues do they work directly? If they have a contract? If they don't?
Slide 14: Interfed policy areas: status/need
- Federation operations
  - Legal status and bona fides: normative format
  - Operational issues: REFEDS Ops or ?
- Federation to member relationships
  - Contractual: normative format + normalization
  - Vetting of members and delegation of metadata: normalization
- Community standards
  - LOA: basic OK; Silver and Bronze need normalization
  - End-entities and vetting values: good informal start; registry and best practices
  - Attribute bundles: good informal start; registry and best practices
- IdP-SP direct relationships: ????
- Privacy, consent, etc. handled somewhat by the above
Slide 15: Is there a financial dimension to interfed?
- Potential for some federations that charge to lose certain SPs
- Seems like a small subset might, but with modest financial impacts
- Charging for registration? For publication of metadata? For use of metadata?
- Costs of operating the interfed coordination infrastructure: schema, registries, etc.
- We shall see, sigh…
Slide 16: Is interfederation getting harder?
- Or, as Ian says, do we just understand the problem better?
- In the old days, just exchange signing keys
- Now: do you understand my metadata? My attribute bundles? My application categories and how I assess apps? My policies? And do I understand yours?
- And with more use cases every day…