Readout and update on Identity Management effort from Europe for the MAGIC team at SuperComputing2014 in New Orleans.
Federations on the rise…
Licia Florio (GÉANT) & Harold Teunissen (SURFnet), MAGIC Workshop SC14, New Orleans, November 2014
MAGIC WORKSHOP — SC14 — New Orleans, LA, November 2014
Serving Dutch research & education
SURF as umbrella
Scientific Computing & Big Data
Commercial ICT Products & Services
National Research & Education Network
eScience Collaboration and Tools
• All ICT activities for Higher Education and Research in the Netherlands are under the SURF umbrella
Where are these Id. Federations?
(Map of identity federations; source: REFEDS map production pilot)
Federation essentials
• We need a working inter-federation framework
• Collaboration does not have boundaries
Federations work but…
Challenges still ahead: attribute aggregation, credential translation, levels of assurance, bridging communities, user friendliness, attribute release, homeless users, non-web-browser
Developments in EU and beyond
• EU work on two tiers:
- National basis, led by the NRENs
- EU scale as part of the GEANT project, mostly the Identity and Trust research work and services
• Global scale:
- REFEDS
GEANT InAcademia
• To create a simple service to validate the affiliation of a user (i.e. is this a student?)
• Use-cases for this:
- Web shop discounts
- “Free” access to some cloud services (e.g. Office 365, Apple, etc.)
- Validate affiliation on relevant social platforms
• Pilot service expected by end of 2014, early 2015
eduPersonAffiliation attribute
InAcademia Rationale
• The attribute within a federated login can be used to validate membership of the academic community, however:
- Joining a federation is a problem (policies and contracts)
- Implementing SAML and doing federation is tough
- Inter-federation is even harder
- Up front cost, but no customers
• So, a lot of work, while the service only needs the Affiliation — pretty low risk in the privacy spectrum
InAcademia — Workflow
• Service gets attributes directly from user (self asserted or social)
• Service queries a single “centralised” service — the InAcademia Simple Validation Service — to confirm affiliation
• A well understood protocol can be used to query InAcademia
• Policy barrier for using InAcademia is low
• The user “proves” his affiliation at InAcademia, which is under control of the existing federations and NRENs
• InAcademia is connected to eduGAIN
• Authentication at home Identity Provider delivers requested affiliation
• InAcademia interprets the affiliation and answers the requesting service, but never directly delivers attribute values!
• User gets discount and service pays a small transaction fee
InAcademia - Benefits
• For Identity Providers
- SAML based, connected via eduGAIN
- Two profiles that have minimal ‘low risk’ attribute requirements
- No personal data stored at central service
- One connection with many services that are of high value to users, but low effort for IdPs
• For Services
- OpenID Connect interface towards service, no SAML required
- No need to deal with (inter) federation
- Simplified policy, compatible with eduGAIN CoCo
- Little upfront cost, only pay small amount when transaction is made
- One connection with many trusted Identity Providers
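The workflow and benefits above boil down to one design rule: the service asks a yes/no question, InAcademia reads the home IdP's SAML attributes, and only a verdict goes back over the OpenID Connect side. This added example (not InAcademia's own code) models that step; the profile names, issuer URL and sample assertion are constructed assumptions.

```python
# Added illustration, not InAcademia's own code: a minimal model of the
# validation step. The service asks e.g. "is this a student?", InAcademia
# interprets eduPersonAffiliation from the IdP and answers with a verdict only.
# Profile names, issuer URL and the sample assertion are constructed assumptions.

# Controlled vocabulary of eduPersonAffiliation (from the eduPerson schema).
KNOWN_AFFILIATIONS = {"faculty", "student", "staff", "employee", "member",
                      "affiliate", "alum", "library-walk-in"}

# Two 'low risk' profiles a service can ask for (assumed definitions).
PROFILES = {
    "is_student": {"student"},
    "is_member": {"faculty", "student", "staff", "employee", "member"},
}

# Constructed attribute statement as it would arrive from a home IdP via eduGAIN.
SAMPLE_ASSERTION = {
    "eduPersonAffiliation": ["student", "member"],
    "eduPersonScopedAffiliation": ["student@example.edu"],
    "mail": ["jane@example.edu"],
    "displayName": ["Jane Doe"],
}


def validate_affiliation(saml_attributes, profile):
    """Interpret the assertion for one profile; returns only a boolean verdict."""
    if profile not in PROFILES:
        raise ValueError(f"unknown profile: {profile}")
    values = set(saml_attributes.get("eduPersonAffiliation", []))
    # Ignore values outside the eduPerson vocabulary rather than guessing.
    values &= KNOWN_AFFILIATIONS
    return bool(values & PROFILES[profile])


def answer_for_service(saml_attributes, profile, client_id):
    """Build the claims returned to the requesting service (assumed layout).

    Only the verdict leaves InAcademia: no eduPersonAffiliation values,
    no mail, no name. The IdP attributes are used once and not stored."""
    claims = {
        "iss": "https://inacademia.example/validate",  # assumed issuer
        "aud": client_id,
        "profile": profile,
        "affiliated": validate_affiliation(saml_attributes, profile),
    }
    # Defensive check that no attribute value from the IdP leaks through.
    idp_values = {v for vals in saml_attributes.values() for v in vals}
    if idp_values & {str(v) for v in claims.values()}:
        raise RuntimeError("attribute value would leak to the service")
    return claims
```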
REFEDS
• REFEDS = Research and Education FEDERATIONS
- The voice that articulates the mutual needs of research and education identity federations worldwide
- To offer best practices for R&E federations to ease inter-federation
- Supported by GEANT Association (formerly TERENA)
- Open to anybody with an interest in using federated credentials
https://refeds.org
REFEDS — Entity Categories
• Aim: to group federation entities that share common criteria
- To ease the attribute release problems
- IdPs would release the same set of attributes to all SPs that are in a category instead of negotiating with each of them individually
• Two categories approved:
- Hide from Discovery
- Research and Scholarship
https://wiki.refeds.org/display/ENT/Entity-Categories+Home
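How the two approved categories are consumed in practice, as an added example (not REFEDS' or any federation's code): an IdP's release logic keys on the Research and Scholarship tag in the SP's metadata, and a discovery service drops IdPs tagged Hide from Discovery. The category URIs and entity-attribute name are the published ones and the attribute bundle follows the REFEDS R&S specification; the metadata records, user record and bilateral policy are constructed.

```python
# Added illustration, not REFEDS' or any federation's own code: applying the
# two approved entity categories. Category URIs and the entity-attribute name
# are the published ones; the R&S bundle follows the REFEDS R&S specification.
# The metadata records, user record and bilateral policy below are constructed.
ENTITY_CATEGORY = "http://macedir.org/entity-category"
RS = "http://refeds.org/category/research-and-scholarship"
HIDE = "http://refeds.org/category/hide-from-discovery"

# Attributes an IdP releases to every R&S service without per-SP negotiation.
RS_BUNDLE = {"eduPersonPrincipalName", "mail", "displayName", "givenName",
             "sn", "eduPersonScopedAffiliation"}


def categories(entity):
    """Entity categories travel as an entity attribute in SAML metadata."""
    return set(entity.get("entity_attributes", {}).get(ENTITY_CATEGORY, []))


def attributes_to_release(user, sp, bilateral_policy):
    """One rule per category replaces one negotiation per SP.

    bilateral_policy maps an SP entityID to attributes agreed individually;
    an R&S tag adds the whole bundle on top of that."""
    allowed = set(bilateral_policy.get(sp["entityID"], ()))
    if RS in categories(sp):
        allowed |= RS_BUNDLE
    return {name: value for name, value in user.items() if name in allowed}


def discoverable_idps(idps):
    """Discovery services leave IdPs tagged Hide from Discovery out of lists."""
    return [idp["entityID"] for idp in idps if HIDE not in categories(idp)]


# Constructed sample data.
USER = {"eduPersonPrincipalName": "jdoe@example.edu",
        "mail": "jdoe@example.edu",
        "displayName": "J. Doe",
        "eduPersonScopedAffiliation": "faculty@example.edu",
        "schacHomeOrganization": "example.edu"}
RS_SP = {"entityID": "https://wiki.example.org/sp",
         "entity_attributes": {ENTITY_CATEGORY: [RS]}}
PLAIN_SP = {"entityID": "https://other.example.net/sp"}
IDPS = [{"entityID": "https://idp.example.edu/idp"},
        {"entityID": "https://test-idp.example.edu/idp",
         "entity_attributes": {ENTITY_CATEGORY: [HIDE]}}]
```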
REFEDS — SIRTFI
• A Security Incident Response Trust Framework for Federated Identity — SIR-T-FI
• To define a process for expressing security incident handling requirements as an assurance profile for federations.
• Not strictly a REFEDS work, yet…
• A lot of interest in this area
https://wiki.refeds.org/display/GROUPS/SIRTFI
harold.teunissen@surfnet.nl haroldteunissen