Identity Federation Policy – template document

EuroCAMP, Vienna, 15th October 2012
Marina Vermezovic, Academic Network of Serbia

Innovation through participation


Who am I

• Working for AMRES as head of the department for development of user services
• Working on eduGAIN and eduroam GN3 tasks
• We are boosting the AMRES Identity Federation
• We are testing technical solutions, but we need a policy!

Our work

• Understanding and setting up an Identity Federation Policy document is a big barrier for emerging Identity Federations
• eduGAIN task interests:
  - an increasing number of new Identity Federations => more Identity Federations participating in eduGAIN
  - emerging Identity Federations have a Policy which is "compatible" with eduGAIN
  - one step towards harmonizing federation policies
• The eduGAIN task is helping emerging Identity Federations by:
  - writing an Identity Federation Policy Template document which can be easily used and optionally changed for local conditions
  - organizing a series of workshops, with presenters who are experts in this area
  - continuing to work with participants to help them implement the template document

Our work

• The outcome: a policy template expected to be changed for local conditions
• Geographical scope: can be used by any federation globally, not limited to the EU
• Existing federations: they can use it if they want to change or update their existing policies
• REFEDS: synchronize with the REFEDS federation harmonization work

Template document

• International working group (Finland, UK, Austria, Serbia)
• Took 2 months to develop, induced a lot of discussions
• There are still some discussions that are not closed :)
• Gathered experience from existing Identity Federations on what not to put, and what to put, in a Policy
• We hope to get feedback from federations implementing this template, and to keep evolving the template document

Initial assumptions: allows multiple technologies

• There are multiple Federation Technologies which can make use of an Identity Federation: eduroam, WebSSO, Project Moonshot
• The Identity Federation Policy should cover all of these and allow for adding new technologies in future
• Organizations join the Identity Federation only once and then pick which Federation services they want to implement

Make the Policy in such a way that it allows multiple technologies to be served using the same policy structure

Initial assumptions: makes changes easy

• There could be a need during a working Identity Federation's lifetime to make changes to the Policy
• An important issue that affects how easily a policy can be changed is what members sign when they join the Identity Federation:
  1. Member fills in a form agreeing to be bound by the Policy document
  2. Member signs a copy of the actual policy (there are placeholders for signatures at the end of the policy document)

Make the Policy document in such a way as to avoid the need for repeated changes to the Policy document and to make changes easy

Identity Federation Policy document suite

Identity Federation Policy document
  • Identity Federation Policy (main)
  • Appendices
    - Technology Profile eduroam
    - Technology Profile Web single sign-on
    - Level of Assurance Profiles
    - Data Protection Profile
    - Federation Operational Practices
    - Appendix Governance
    - Appendix Fees

How is the document used

• Every section contains:
  - Description: explains what the subject of the section is, which issues the section is addressing, and gives additional clarifications if needed
  - Example Wording: contains text which could be easily reused for your policy
• It is expected that federations adapt the text for their policy, since some sections depend on local circumstances, the country's regulations, governance and funding of the federation, etc.

All organisations should seek local legal advice before implementing a policy based on this template

Copyright

• The template document is based on "SWAMID Federation Policy v2.0" and is published under Creative Commons Attribution-NonCommercial-ShareAlike 3.0 Unported (CC BY-NC-SA 3.0)
• If you are using the example wording from the template, you must release your policy document under the same licence.
• You are free:
  - to Share: to copy, distribute and transmit the work
  - to Remix: to adapt the work
• Under the following conditions:
  - Attribution: you must attribute the work in the manner specified by the author or licensor
  - Noncommercial: you may not use this work for commercial purposes
  - Share Alike: if you alter, transform, or build upon this work, you may distribute the resulting work only under the same or similar licence to this one.

Template document section structure

1 Definitions and Terminology
2 Introduction
3 Governance and Roles
  3.1 Governance
  3.2 Obligations and Rights of Federation Operator
  3.3 Obligations and Rights of Federation Members
4 Eligibility
5 Procedures
  5.1 How to Join
  5.2 How to Withdraw
6 Legal conditions of use
  6.1 Termination
  6.2 Liability and indemnification
  6.3 Jurisdiction and dispute resolution
  6.4 Interfederation
  6.5 Amendment

Definitions and Terminology

• Defines basic terms that are used in the document.
• There is no single common definition of those terms.
• It is assumed that additional terms (such as Identity Provider, SAML, RADIUS) will be introduced in the related Technology Profiles.
• The definition of "End User" is a sensitive question as it defines who can have a digital identity in your federation.
• In a broader definition, an End User can be:
  - a natural person who belongs to an organization (typically an employee, researcher or student)
  - a legal person
  - a virtual artifact (e.g. a computer process, an application)
  - a tangible object (e.g. a device)
  - a group

Introduction

• The definition of an Identity Federation, its purpose and the benefits it provides to the members are introduced in this section.
• You can introduce a specific name for your Identity Federation; some ideas (full list at https://refeds.terena.org/index.php/Federations):
  - AT: ACOnet Identity Federation
  - AU: Australian Access Federation (AAF)
  - CH: SWITCHaai
  - CZ: eduID.cz
  - DK: WAYF (Where Are You From)
  - FI: Haka (means Hook)
  - NO: FEIDE (Felles Elektronisk IDEntitet)
  - SE: SWAMID (Swedish Academic Identity)
  - UK: UK Access Management Federation for Education and Research
• The definition of the Policy document is also introduced in this section. It should be made clear that this document, together with all its appendices, makes up the Identity Federation Policy.

Governance

• Defines the role and obligations of the body that governs the federation
• What you need to decide is:
  - How the governing body is structured and elected; you should specify this in an appendix, Governing Body Constitution
  - What the name of the Governing Body is
  - Which rights are appointed to the governing body

Governance

• A sample list is presented in the example wording:
  - Criteria for membership of the Federation
  - Application for membership in the Federation
  - Whether a Federation Member is entitled to act as a Home Organization
  - Revoking the membership of a Federation Member
  - Future directions and enhancements for the Federation
  - Entering into interfederation agreements
  - Formal ties with relevant national and international organisations
  - Approving changes to the Federation Policy
  - Addressing financing of the Federation
  - Approving the fees to be paid by the Federation Members
  - Deciding on any other matter referred to it by the Federation Operator

Obligations and Rights of Federation Operator

• Defines the obligations and rights of the Federation Operator.
• A sample list of Federation Operator responsibilities is presented in the example wording:
  - Secure and trustworthy operational management of the Federation
  - Provides support services for Federation Members
  - Acts as a centre of competence for Identity Federation
  - Prepares and presents issues to the *governing body*
  - Maintaining relationships with national and international stakeholders in the area of Identity Federations
  - Promoting the idea and concepts implemented in the Federation

Obligations and Rights of Federation Operator

• A sample list of Federation Operator rights is presented in the example wording:
  - Temporarily suspend individual Technology Profiles for a Federation Member that is disrupting secure and trustworthy operation of the Federation
  - Publish a list of Federation Members along with information about which profiles they implement
  - Publish some of the data regarding a Federation Member using a specific Technology Profile

Obligations and Rights of Federation Members

• Defines the obligations and rights of the Federation Members.
• In general, there are some obligations and rights that apply to all Federation Members.
• Then there are some that are specific to a Member acting as a Home Organization, Attribute Authority or Service Provider.
• Accordingly, the obligations and rights for all Members can be stated first, followed by more specific ones depending on the roles a Member is taking.

Obligations and Rights of Federation Members - ALL

• Shall appoint and name an administrative contact.
• Must cooperate with the Federation Operator and other Members in resolving incidents, and should report incidents.
• Must comply with the obligations of the Technology Profiles which it implements.
• Must ensure its IT systems that are used in implemented Technology Profiles are operated securely.
• Must pay the fees. Prices and payment terms are specified in appendix Fees.
• If a Federation Member processes personal data, the Federation Member will be subject to applicable data protection laws and must follow the practice presented in the Data Protection Profile.

Obligations and Rights of Federation Members – HO

• Is responsible for delivering and managing authentication credentials for its End Users and for authenticating them, as may be further specified in Level of Assurance Profiles.
• Submits its Identity Management Practice Statement to the Federation Operator.
• Ensures an End User is committed to the Home Organization's Acceptable Usage Policy.
• Operates a helpdesk for its End Users regarding issues related to Federation services.

Obligations and Rights of Federation Members – AA or HO

• Is responsible for assigning Attribute values to the End Users and managing the values in a way which ensures they are up to date.
• Is responsible for releasing the Attributes to Service Providers.

Obligations and Rights of Federation Members - SP

• Is responsible for making decisions on which End Users can access the services it operates and which access rights are granted to an End User.
• It is the Service Provider's responsibility to implement those decisions.

Eligibility

• Defines which organizations are eligible to become a Member of your Federation, and which Members are eligible to act as a Home Organization.
• Depending on your country's regulations for the education and research sector and on administrative/political circumstances, you should define which organizations are eligible to become a Member in your federation.
• However, as the eligibility criteria are something you may want to adapt and change over time, it is best to keep this section very short and publish the eligibility criteria in some other place; this could simply be the website, or a separate appendix.

How to Join

• Procedure for an organization joining the federation.
• It shouldn't define each step of this procedure in detail, as it is likely you would want to change some details in future.
• It should only briefly describe the joining process and publish all details, for example on the web site of the federation.

How to withdraw

• This section defines the procedure for members voluntarily withdrawing from the Federation.
• There are two scenarios that can happen:
  - Member withdraws from the Federation. This process can be ended within a reasonable time interval in which the Federation Operator cancels all Technology Profiles that the Member is using.
  - Federation Operator withdraws from the Federation. The Federation Operator should ensure that the Federation keeps running for some more time before its termination, so Members can find some other way to establish cooperation.

Termination

• Termination of the membership if a Member breaks the terms of the Federation Policy.
• In such a case, the Federation Operator should inform the Member and, depending on the severity of the breach, the Federation Operator should give some time frame for the Member to comply.
• If after this time the Member doesn't comply with the Federation Policy, the governing body can revoke the membership in the Federation.
• Also, at this point the governing body of the federation may give the final decision on revocation, as it is written in the example wording.

Liability and indemnification

• This section defines liability for damage and limitation of liability, which should be defined for the following relations:
  - Member-to-Member
  - Member-to-Operator
  - Operator-to-Member
  - Other Federations and their entities

Liability and indemnification

• There are two models that we were able to recognize:
  - Limitation of liability to the fullest extent only in regard to the Federation Operator
  - Limitation of liability in regard to the Federation Operator and the Federation Member

Limitation of liability to the fullest extent only in regard to Federation Operator

• Without liability for the Federation Operator and the *governing body* for any faults and defects
• This limitation of liability does not, however, apply in the case of gross negligence or intent shown by Federation Operator personnel.
• The Federation Operator's maximum liability for damages under the agreement per calendar year is limited to *enter the sum of money*

Limitation of liability in regard to Federation Operator and Federation Member

• Neither the Federation Operator nor the *governing body* shall be liable for damage caused to the Federation Member or its End Users.
• The Federation Member shall not be liable for damage caused to the Federation Operator or the *governing body* due to:
  - the use of the Federation services, service downtime or other issues relating to the use of the Federation services.
• For any other damage, the liability for damages in case of a breach is limited to *enter the sum of money*.

Limitation of liability in regard to Federation Operator and Federation Member

• The Federation Operator and Federation Members remain bound only by their own respective laws and jurisdictions.
• The Federation Member and Federation Operator shall refrain from claiming damages from entities in other federations involved in an interfederation agreement.

Limitation of liability in regard to Federation Operator and Federation Member

• Unless agreed otherwise in writing between Federation Members, a Federation Member will have no liability to any other Federation Member solely by virtue of the Federation Member's membership of the Federation.
• The Federation Member may, in its absolute discretion, agree variations to the exclusions of liability with any other Federation Member. Such variations will only apply between those Federation Members.

Jurisdiction and dispute resolution

• Disputes are usually resolved:
  - primarily through negotiation, or
  - if the issue cannot be resolved through negotiation, by submitting to the courts of law. You should determine which court of law has jurisdiction (e.g. the ordinary court at the domicile of the Federation Operator)
• In some federations a time limit for negotiations is also set out, so in the example wording a time frame of four weeks is given.
• In this section you may also state a provision "if any clause of this Federation Policy is ruled unlawful, then the rest of it remains in force".

Interfederation

• Enables the federation to enter into interfederation agreements.
• Technical and administrative issues related to interfederation are dependent on the Technology Profile, and should be described there.
• Federation Members will interact with entities which may be bound by very different rules and laws than the Members in this Federation.
• A fundamental idea of an interfederation is that Members are bound by their local federation policies only; if anyone has a problem with the behavior of an entity in an interfederation, he/she should check what that entity's own Federation's policy stipulates on it.

Amendment

• Procedures required to get changes to the Federation Policy implemented
• Keep things simple and have the same procedure for all documents that make up the Federation Policy.
• Give Federation Members notification of upcoming changes well in advance, allowing for feedback and resolution of potential points of contention before the changes come into force.

Thanks for your attention!

Questions?