Networks · Services · People   www.geant.org

GN4-2 Project - Next Generation Trust & Identity Technology Development
Trust & Identity: What's next?!

Maarten Kremers
Task Leader Trust & Identity Technology Development, GN4 Project
Technical Product Manager & Project Manager T&I, SURFnet

Internet2 TechEx 2017, San Francisco, CA
16th October 2017
The GN4-2 Project and T&I

Trust & Identity Operations
• eduGAIN
• eduPKI
• eduroam

Trust & Identity Development
• eduGAIN Development - Federation and Campus
• eduGAIN Development - e-Research and Service Providers
• Trust & Identity Technology Development
• eduroam Service Development
GN4-2 - Trust & Identity Technology Development

• OpenID Connect Federations
• REFEDS Authentication profiles & Step-Up Service
• eduKEEP - Towards a User Driven Identity Federation
• eIDAS & eduGAIN
OpenID Connect Federations
eduKEEP - The Challenge

Overcome the shortcomings of the organisation-centric identity model:
• Identities are tightly coupled with role and affiliation
• Poor support for dynamic and loose relationships
• Identity bootstrapping
• Multiple concurrent affiliations
eduKEEP - The Approach

User-driven, persistent, privacy-preserving, institution-backed identity (UPPII):
• The user identity is created outside the organisation
• The organisation validates the user identity
• The organisation links the user identity to role and affiliation, and/or bootstraps a local user account leveraging the external identity
eduKEEP - The Possibilities

• Registration / Alumni / lifelong learners: one identity to rule them all, to register, join another university, become an alumnus
• Researchers: one identity in concurrent projects with multiple affiliations and for all publication work (with help of ORCID and friends)
• Teachers: one identity for interacting with their learners across multiple universities
• Third Party Services: supports longer-term client relationships; offerings and conditions can be based on the roles available at a given time
eduKEEP - Current eduID initiatives

• SWITCH eduID (Switzerland): central user-centric IdP, enriching identities with attributes from Home Organisations
• SUNET eduID (Sweden): central user-centric IdP to bootstrap identities at Home Organisations
• GARR eGOV IDs, IdP/Proxy & AAs (Italy): considering the use of an IdP/SP Proxy to link eGOV IDs to Home Organisations' Attribute Authorities
eduKEEP - Comparison

Feature                                              SWITCH edu-ID   SUNET eduID     GARR IdP/SP Proxy
A  - Target audience                                 R&E Community   R&E Community   R&E Community
B  - A new identifier is provided                    YES             YES             YES
B1 - Identity suitable for AuthN                     YES             YES             NO
B2 - Long-term identity                              YES             YES             YES*
B3 - Persistent identifier                           YES             YES             YES*
B4 - Globally Unique Identifier                      YES**           YES**           YES*
C  - IdP acting on behalf of Home Organisation IdPs  YES             NO              YES

* external dependency   ** confirmed identities
eduKEEP - Comparison (continued)

Feature                                              SWITCH edu-ID   SUNET eduID     GARR IdP/SP Proxy
D  - Account Linking                                 YES             YES             YES
D1 - Linked Account AuthN                            NO              NO              YES
E  - Self-asserted Identity                          YES             YES             YES*
E1 - Identity Assurance Elevation                    YES             YES             YES
E2 - VO-based vetting                                NO              NO              YES
F  - Attribute Aggregation at IdP                    YES             NO              YES
G  - Attribute Release Policy - Delegate Management
     to Home Organisations                           YES             NO              YES*

* external dependency   ** confirmed identities
eduKEEP - Observations

Best Practices
• The incremental approach of SWITCH eduID
• The Assurance Level elevation model of SUNET eduID
• Solid policy and security

Long Lived Identities and eduIDs are the way forward
• BYOID
• 1st class citizenship
• The path to be further determined
eduKEEP - Towards a User Driven Identity Federation

Input: the eduID initiatives (SWITCH eduID, SUNET, GARR), compared on architecture, policy and features.
• October 2017: Best Current Practices Document
• 2018: Best Current Practices Pilot
REFEDS Authentication profiles & Step-Up Service

• Develop profiles for authentication support in REFEDS
• Develop Step-up service
REFEDS Profiles for Authentication

REFEDS Assurance Framework (RAF) - authentication vector:
• Base Level Authentication Profile
• Single Factor (Good-Entropy) Profile
• MFA Profile
REFEDS Profiles for Authentication - status

Base Level Authentication Profile
• Base profile
• No explicit authentication requirements
• Draft done, REFEDS consultation pending

Single Factor (Good-Entropy) Profile
• Requirements for single factors
• BCP for password scenarios
• In progress

MFA Profile
• Requirements for MFA
• Done
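These profiles are signalled to a service provider as SAML authentication context class references. As an added example (not code from the GN4-2 project, REFEDS or this deck), the Python below shows the two halves of the exchange on the SP side: an AuthnRequest that asks the IdP for the REFEDS MFA profile with an exact-match RequestedAuthnContext, and a check of the returned assertion. The identifier https://refeds.org/profile/mfa is the published REFEDS value; the entity IDs, the sample responses and the five-minute freshness window are constructed assumptions of this example, and signature, audience and InResponseTo validation are assumed to have been done by the SAML library before the check runs.

```python
"""Request and verify the REFEDS MFA authentication profile on the SP side.

https://refeds.org/profile/mfa is the published REFEDS identifier. The SAML
messages built here are constructed for this example and are unsigned; a real
SP validates the signature, audience and InResponseTo before calling
mfa_satisfied().
"""
import xml.etree.ElementTree as ET
from datetime import datetime, timedelta, timezone

REFEDS_MFA = "https://refeds.org/profile/mfa"
PASSWORD_CLASS = "urn:oasis:names:tc:SAML:2.0:ac:classes:PasswordProtectedTransport"
STATUS_SUCCESS = "urn:oasis:names:tc:SAML:2.0:status:Success"
NS = {
    "saml": "urn:oasis:names:tc:SAML:2.0:assertion",
    "samlp": "urn:oasis:names:tc:SAML:2.0:protocol",
}


def build_authn_request(request_id, issue_instant, sp_entity_id, idp_sso_url):
    """AuthnRequest asking the IdP for exactly the REFEDS MFA context.

    Comparison="exact" matters: a looser comparison would let the IdP answer
    with a different, possibly weaker, context class.
    """
    return (
        '<samlp:AuthnRequest xmlns:samlp="{p}" xmlns:saml="{a}" ID="{rid}" '
        'Version="2.0" IssueInstant="{ts}" Destination="{dest}">'
        "<saml:Issuer>{sp}</saml:Issuer>"
        '<samlp:RequestedAuthnContext Comparison="exact">'
        "<saml:AuthnContextClassRef>{mfa}</saml:AuthnContextClassRef>"
        "</samlp:RequestedAuthnContext>"
        "</samlp:AuthnRequest>"
    ).format(p=NS["samlp"], a=NS["saml"], rid=request_id, ts=issue_instant,
             dest=idp_sso_url, sp=sp_entity_id, mfa=REFEDS_MFA)


def _parse_instant(value):
    # SAML dateTime in UTC; fractional seconds are not handled in this example.
    return datetime.strptime(value, "%Y-%m-%dT%H:%M:%SZ").replace(tzinfo=timezone.utc)


def mfa_satisfied(response_xml, now, max_age=timedelta(minutes=5)):
    """Return (ok, reason) for a SAML Response that should carry REFEDS MFA.

    max_age is this example's own freshness window for step-up: an old MFA
    login should not be enough to enter a sensitive service.
    """
    root = ET.fromstring(response_xml)
    status = root.find("samlp:Status/samlp:StatusCode", NS)
    if status is None or status.get("Value") != STATUS_SUCCESS:
        return False, "status is not Success"
    stmt = root.find("saml:Assertion/saml:AuthnStatement", NS)
    if stmt is None:
        return False, "no AuthnStatement in assertion"
    ref = stmt.find("saml:AuthnContext/saml:AuthnContextClassRef", NS)
    if ref is None or (ref.text or "").strip() != REFEDS_MFA:
        return False, "AuthnContextClassRef is not " + REFEDS_MFA
    instant = stmt.get("AuthnInstant")
    if instant is None:
        return False, "AuthnInstant missing"
    if now - _parse_instant(instant) > max_age:
        return False, "authentication older than the step-up freshness window"
    return True, "ok"


def sample_response(class_ref, authn_instant):
    """Constructed, unsigned IdP response used only to exercise the check."""
    return (
        '<samlp:Response xmlns:samlp="{p}" xmlns:saml="{a}" ID="_resp1" '
        'Version="2.0" IssueInstant="{ts}">'
        '<samlp:Status><samlp:StatusCode Value="{ok}"/></samlp:Status>'
        '<saml:Assertion ID="_assn1" Version="2.0" IssueInstant="{ts}">'
        "<saml:Issuer>https://idp.example.org/idp</saml:Issuer>"
        '<saml:AuthnStatement AuthnInstant="{ts}">'
        "<saml:AuthnContext><saml:AuthnContextClassRef>{ref}"
        "</saml:AuthnContextClassRef></saml:AuthnContext>"
        "</saml:AuthnStatement></saml:Assertion></samlp:Response>"
    ).format(p=NS["samlp"], a=NS["saml"], ts=authn_instant,
             ok=STATUS_SUCCESS, ref=class_ref)


# Constructed inputs: a fresh MFA login, a password-only login, and a stale MFA login.
NOW = datetime(2017, 10, 16, 10, 2, tzinfo=timezone.utc)
MFA_RESPONSE = sample_response(REFEDS_MFA, "2017-10-16T10:00:00Z")
PASSWORD_RESPONSE = sample_response(PASSWORD_CLASS, "2017-10-16T10:00:00Z")
STALE_MFA_RESPONSE = sample_response(REFEDS_MFA, "2017-10-16T08:00:00Z")

if __name__ == "__main__":
    print(build_authn_request("_req1", "2017-10-16T10:00:00Z",
                              "https://sp.example.org/shibboleth",
                              "https://idp.example.org/idp/profile/SAML2/Redirect/SSO"))
    for name, resp in [("mfa", MFA_RESPONSE), ("password", PASSWORD_RESPONSE),
                       ("stale mfa", STALE_MFA_RESPONSE)]:
        print(name, mfa_satisfied(resp, NOW))
```

Only the MFA profile had a final identifier at the time of this deck; the base and single-factor profiles were still in draft, so the check above deliberately accepts nothing but the exact MFA value rather than a list of "good enough" classes.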
Step-Up Service

Deliver Step-Up Service
• Primary audience: research collaborations
• Both identity and authentication step-up
• Collaboration with AARC: use cases, user/community requirements, architecture
• In progress: analysing different approaches
• Next steps: timeline, testing scalability
• Potential pilots (autumn 2018)
eIDAS

electronic IDentification, Authentication and trust Services (upcoming EU regulation)
• Leverage the use of eGOV IDs for higher LoA in the R&E federations
• Technical interoperability with a built proxy; technical pilots done
• Interoperability comparison between the frameworks
eIDAS & eduGAIN

Scenarios:
• A national gateway per national R&E federation, connecting to the national eIDAS node
• A service with a global scope that acts as a gateway between the eduGAIN inter-federation and eIDAS

The eduGAIN SG adopted the 'global' approach; it will be taken as the baseline in conversations with the eIDAS representatives.
More information
https://wiki.geant.org/display/gn42jra3/Task+3%3A+Next+Generation+Trust+and+Identity+Technology+Development+-+TrustTech

Thank you