Kalmar Union, a Confederation of Nordic Identity Federations. TNC2009. Mikael Linden, CSC; Andreas Solberg, UNINETT


Kalmar Union, a Confederation of Nordic Identity Federations

TNC2009

Mikael Linden, CSC

Andreas Solberg, UNINETT

What is a confederation

• Most academic federations cover one country
  – FEIDE in Norway
  – SWAMID in Sweden
  – Haka in Finland
  – WAYF in Denmark and Iceland

• To enable cross-federation use of resources, the federations need to be bridged together

=> a confederation is a federation of federations

Confederation use cases

• Research collaboration
  – Cross-national research groups

• Research infrastructure
  – Shared infrastructure => economies of scale

• Learning collaboration
  – Cross-national courses, LMS

• Licensed content
  – Library article databases etc.

Juridical Shape of Kalmar Union

• Joining feds sign a Memorandum of Understanding and Charter
  – Not fully binding, lowers the threshold to join

• Joining federations remain independent
  – IdPs and SPs always join a national federation

• Focuses on privacy issues

• Liability excluded

• No invoicing (money not moving between feds)

Data protection in Kalmar Union

• Attribute release between security domains – privacy even more important

• Following the Data Protection Directive
  – Only relevant attributes released from IdP to SP
  – End user is informed of attribute release
  – End user consents to attribute release

Metadata aggregation

Technical set-up (diagram: each national federation publishes an aggregate of its entity descriptors, and the national aggregates feed the Kalmar metadata aggregate)

Federations: WAYF, Haka, SWAMID, FEIDE

IdPs: Univ of Helsinki, Univ of Turku, Univ of Uppsala, Univ of Umeå, Univ of Oslo, Univ of Bergen, Univ of Iceland, Univ of Copenhagen, Univ of Aarhus

SPs: CSC (supercomputer), NMS in ICT (Moodle), Univ of Uppsala (LMS), Univ of Umeå (wiki), Uninett (Foodle), NorduGrid (SLCS), Ordbogen.com, NIAS (AsiaPortal)

Kalmar metadata aggregate: built from the national aggregates, each of which holds the entity descriptors of its own IdPs and SPs

• SAML2 end-to-end
• Central aggregate shares SAML2 metadata
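Added example, not the Kalmar Union's aggregator or any federation's software: a Python script that merges national SAML2 metadata aggregates into one confederation aggregate, following the structure in the diagram above (entity descriptors, national aggregate, Kalmar aggregate). It performs the checks a confederation operator would want before republishing: every entity descriptor carries an entityID, no entityID is claimed by two national federations, and every IdP or SP role carries an embedded X.509 certificate, which the metadata interoperability profile mentioned later in the talk relies on instead of PKIX. The national aggregates, entityIDs and certificate strings are constructed samples.

```python
"""Merge national SAML2 metadata aggregates into a confederation aggregate.

Added example, not the Kalmar Union's aggregator. Input structure assumed:
each national federation publishes one <md:EntitiesDescriptor> holding its
<md:EntityDescriptor> elements. All entityIDs and certificate values below
are constructed samples.
"""
import xml.etree.ElementTree as ET  # metadata fetched over the network should be parsed with defusedxml

MD = "urn:oasis:names:tc:SAML:2.0:metadata"
DS = "http://www.w3.org/2000/09/xmldsig#"
ET.register_namespace("md", MD)  # keep the customary prefixes in the serialised aggregate
ET.register_namespace("ds", DS)


class MetadataError(ValueError):
    """A national aggregate failed a pre-merge check."""


def _entity(entity_id, role, with_cert=True):
    """Constructed EntityDescriptor with one role and (optionally) an embedded certificate."""
    key = ("<md:KeyDescriptor><ds:KeyInfo><ds:X509Data><ds:X509Certificate>"
           "MIIC...constructed-sample...</ds:X509Certificate></ds:X509Data>"
           "</ds:KeyInfo></md:KeyDescriptor>") if with_cert else ""
    return (f'<md:EntityDescriptor entityID="{entity_id}">'
            f'<md:{role} protocolSupportEnumeration="urn:oasis:names:tc:SAML:2.0:protocol">'
            f'{key}</md:{role}></md:EntityDescriptor>')


def _national_aggregate(name, *entities):
    """Wrap constructed EntityDescriptors in a national md:EntitiesDescriptor."""
    return (f'<md:EntitiesDescriptor xmlns:md="{MD}" xmlns:ds="{DS}" Name="{name}">'
            + "".join(entities) + "</md:EntitiesDescriptor>")


# Constructed national aggregates, named after two of the federations in the slides.
HAKA = _national_aggregate(
    "urn:example:haka",
    _entity("https://idp.helsinki.example/idp", "IDPSSODescriptor"),
    _entity("https://csc.example/sp", "SPSSODescriptor"),
)
SWAMID = _national_aggregate(
    "urn:example:swamid",
    _entity("https://idp.uu.example/idp", "IDPSSODescriptor"),
    _entity("https://wiki.umu.example/sp", "SPSSODescriptor"),
)
NO_CERT = _national_aggregate(
    "urn:example:broken",
    _entity("https://nocert.example/sp", "SPSSODescriptor", with_cert=False),
)


def aggregate(national_aggregates, name="urn:example:kalmar"):
    """Return (aggregate_xml_bytes, sorted entityIDs), or raise MetadataError."""
    root = ET.Element(f"{{{MD}}}EntitiesDescriptor", {"Name": name})
    origin = {}  # entityID -> federation that published it
    for federation, xml_text in national_aggregates:
        fed = ET.fromstring(xml_text)
        if fed.tag != f"{{{MD}}}EntitiesDescriptor":
            raise MetadataError(f"{federation}: root element is not md:EntitiesDescriptor")
        for ed in fed.findall(f"{{{MD}}}EntityDescriptor"):
            eid = ed.get("entityID")
            if not eid:
                raise MetadataError(f"{federation}: EntityDescriptor without entityID")
            if eid in origin:
                # An entity joins exactly one national federation; a second copy
                # could otherwise replace the keys and endpoints published by the first.
                raise MetadataError(f"{eid}: published by both {origin[eid]} and {federation}")
            for role in ed:
                if role.tag.endswith("SSODescriptor") and role.find(f".//{{{DS}}}X509Certificate") is None:
                    raise MetadataError(f"{eid}: {role.tag.rsplit('}', 1)[1]} has no embedded certificate")
            origin[eid] = federation
            root.append(ed)
    return ET.tostring(root, encoding="utf-8"), sorted(origin)


def entity_ids(aggregate_xml):
    """entityIDs found in a serialised aggregate (used to verify the merge output)."""
    return sorted(e.get("entityID")
                  for e in ET.fromstring(aggregate_xml).iter(f"{{{MD}}}EntityDescriptor"))
```

The merged aggregate is what the central Kalmar service would sign and publish; consumers then verify that signature and the aggregate's validity period rather than trusting the transport alone, and fetched national aggregates should be parsed with a hardened XML parser such as defusedxml.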

How to use SAML

• Software:
  – As of now: Shibboleth and simpleSAMLphp

• SAML 2.0 Interoperable Deployment Profile:
  – http://rnd.feide.no/documents/saml2simple.html
  – HTTP-Redirect in request, POST in response
  – Encryption: either SSL or encrypted assertions

• SAML2 Metadata interoperability profile
  – Embedded certificates, no PKIX.
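Added example, not code from Shibboleth, simpleSAMLphp or the deployment profile document: the HTTP-Redirect encoding the profile prescribes for the AuthnRequest (raw DEFLATE, base64, URL encoding into the query string), the matching decoding on the IdP side with a cap on the inflated size so a tiny deflated request cannot expand without bound, and a check that the request asks for the response over HTTP-POST. The AuthnRequest, its entityIDs and endpoints are constructed, and MAX_DECODED is an assumed limit.

```python
"""SAML 2.0 HTTP-Redirect binding for the AuthnRequest.

Added example, not Shibboleth's or simpleSAMLphp's code. The request below,
its entityIDs and endpoints are constructed; MAX_DECODED is an assumed limit.
"""
import base64
import zlib
from urllib.parse import urlencode, parse_qs
import xml.etree.ElementTree as ET  # use defusedxml for requests received from the network

SAMLP = "urn:oasis:names:tc:SAML:2.0:protocol"
SAML = "urn:oasis:names:tc:SAML:2.0:assertion"
MAX_DECODED = 64 * 1024  # assumed upper bound on an inflated AuthnRequest

# Constructed AuthnRequest: sent via HTTP-Redirect, response requested via HTTP-POST.
AUTHN_REQUEST = (
    f'<samlp:AuthnRequest xmlns:samlp="{SAMLP}" xmlns:saml="{SAML}" '
    'ID="_c0ffee0123456789" Version="2.0" IssueInstant="2009-06-08T10:00:00Z" '
    'Destination="https://idp.example.fi/saml2/redirect" '
    'ProtocolBinding="urn:oasis:names:tc:SAML:2.0:bindings:HTTP-POST" '
    'AssertionConsumerServiceURL="https://sp.example.no/saml2/acs">'
    '<saml:Issuer>https://sp.example.no/sp</saml:Issuer>'
    '</samlp:AuthnRequest>'
)


def encode_redirect(xml, relay_state=None):
    """SP side: raw DEFLATE (no zlib header), base64, then URL-encode into the query string."""
    comp = zlib.compressobj(9, zlib.DEFLATED, -15)  # wbits=-15 selects raw DEFLATE
    deflated = comp.compress(xml.encode("utf-8")) + comp.flush()
    params = {"SAMLRequest": base64.b64encode(deflated).decode("ascii")}
    if relay_state is not None:
        params["RelayState"] = relay_state
    return urlencode(params)


def decode_redirect(query):
    """IdP side: reverse the encoding with a bounded inflate; return (xml, relay_state)."""
    params = parse_qs(query, strict_parsing=True)
    raw = base64.b64decode(params["SAMLRequest"][0], validate=True)
    inflater = zlib.decompressobj(-15)
    xml = inflater.decompress(raw, MAX_DECODED)
    if not inflater.eof:
        # End of stream not reached within the cap: the request is oversized or truncated.
        raise ValueError("inflated AuthnRequest exceeds size limit or is incomplete")
    return xml.decode("utf-8"), params.get("RelayState", [None])[0]


def request_summary(xml):
    """Fields an IdP inspects first: ID, Issuer, and whether the response binding is POST."""
    root = ET.fromstring(xml)
    if root.tag != f"{{{SAMLP}}}AuthnRequest":
        raise ValueError("not a samlp:AuthnRequest")
    return {
        "id": root.get("ID"),
        "issuer": root.findtext(f"{{{SAML}}}Issuer"),
        "post_response": root.get("ProtocolBinding", "").endswith("HTTP-POST"),
    }
```

The encoding itself carries no integrity protection; when the profile or the deployment requires signed requests, the signature goes into separate SigAlg and Signature query parameters over the encoded SAMLRequest and RelayState, and the IdP verifies it against the SP's certificate from metadata before acting on the request.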

Optional Kalmar features

• Centralized SAML 2.0 Discovery Service

• Shibboleth ARP (attribute release policy) file generation

Homework: federation harmonisation

• Harmonise attributes
  – mandatory attributes
  – semantics of attributes
    • especially: attributes for authorisation
  – unique identifiers

• Campus Identity Management requirements
  – The floor for IdM quality on the IdP side

• Usability and user experience

• SAML 2.0 profile

• Federation business models
  – The fee for "external" SPs joining a federation

Conclusions

• It is possible and there are use cases

• Start with policy, then go to implementation

• We showed bridging elements are not needed, just use SAML 2.0 end to end

• Harmonisation of participating federations is recommended to make it easier to confederate

• www.kalmar2.org

• A full paper is uploaded to the conference web site