CASE: Haka federation
EuroCAMP, 3-5 April, 2006
CSC, the Finnish IT Center for Science
mikael.linden@csc.fi

Outline

Finnish higher education overview
Status
Technology
Organisation
Privacy
Service categories
Institutional Identity Management

Finnish higher education overview

20 universities, 29 polytechnics (universities of applied sciences)
  • Small units spread all over the country
300 000 degree students, 40 000 employees
CSC, the Finnish IT Center for Science
Non-profit company owned by the ministry of education
To provide centralised IT services to higher education and research
  • Scientific computing, supercomputing
  • Funet – the Finnish national research network (NREN)
  • Haka identity federation

Status of Haka federation

Pilot federation operational 12/2003
Production federation operational 8/2005
Current members: 8/20 universities, 5/29 polytechnics
  • Big universities; coverage 72% of eduPersons in universities
  • Goal: 12/2006 14/20 universities, 15/29 polytechs
Agreement for federation partners available, no partners yet
IdPs and SPs
  • 8 IdPs
  • 8 SPs
  • ~53 000 logins to services in February 2006

Technology in Haka

Shibboleth 1.2/1.3
  • Implemented IdP-side logout as an add-on feature
Schema: funetEduPerson 1.0
  • eduPerson + 10 national attributes (national identity code, date of birth, homeOrganization, student number, target degree/educational program/major of a univ/polytech student)
  • Going to release a new version soon (Schac adopted)
PKI/Server certificates: Sonera CA (a pop-up free Finnish CA)
  • CSC has a framework agreement with Sonera CA
Federation metadata management: SWITCH’s Resource Registry
  • We (the operator) use it internally only
WAYF: going to migrate to the PHP WAYF of SWITCH
  • To be placed in a commercial High Availability machineroom with 24x7 monitoring

Haka is a service provided to the institutions by CSC (“the operator”)

[Organisation diagram; labels: Operator, CSC – scientific computing ltd, Central AAI services, Federation members, Federation partners, IdP, SP, Palvelu (service), Advisory comm., Operations comm.]

Haka federation and privacy

In Finland, the Personal Data Act implements the data protection directive
Only relevant attributes are released to an SP
  • When a new SP is registered to the federation, the SP provides a list of necessary attributes to the operator
  • The operator constructs the site-ARP (attribute release policy) and distributes it to IdPs as part of the federation metadata
IdP asks user’s consent for attribute release beforehand
  • After Shib IdP authenticates the user, before s/he is redirected back to the SP
To make the consent informed, the Privacy Policy of the SP is provided to the user
  • The operator has a centralised service that gathers links to the Privacy Policies of the SPs in the federation
  • IdP may use a redirection service with a simple interface
    https://haka.funet.fi/cgi-bin/privacypolicy?providerid=..
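
The release flow on this slide, as an added Python sketch that is not Shibboleth code or Haka's configuration: the operator turns each SP's declared attribute list into a permit-list, and the IdP releases only permitted attributes the user has consented to. Provider IDs, sample values and the attribute name `nationalIdentityCode` are constructed, and tying consent to the exact attribute set is an assumption of this sketch.

```python
# Added illustration: a toy model, not Shibboleth code or Haka's configuration.
# Provider IDs and the attribute name "nationalIdentityCode" are constructed.

class ConsentRequired(Exception):
    """Raised when the IdP must show the consent page before releasing."""
    def __init__(self, provider_id, attributes):
        super().__init__(f"consent needed for {provider_id}: {sorted(attributes)}")
        self.provider_id, self.attributes = provider_id, attributes

def build_site_arp(registrations):
    """Operator side: one permit-list per SP, built from what each SP declared."""
    return {sp: frozenset(attrs) for sp, attrs in registrations.items()}

def release(site_arp, provider_id, user_attrs, consents):
    """IdP side, after authentication and before redirecting back to the SP.

    consents maps provider_id -> set of attribute names the user agreed to.
    """
    permitted = site_arp.get(provider_id, frozenset())  # unknown SP: nothing
    to_send = {k: v for k, v in user_attrs.items() if k in permitted}
    missing = set(to_send) - consents.get(provider_id, set())
    if missing:
        # Also triggers when the SP's registered list grew since the last consent.
        raise ConsentRequired(provider_id, missing)
    return to_send

LIB = "https://library.example.org/shibboleth"
REGISTRATIONS = {  # constructed sample data
    LIB: ["eduPersonPrincipalName", "eduPersonAffiliation"],
    "https://lms.example.org/shibboleth": ["eduPersonPrincipalName", "cn", "mail"],
}
USER = {  # constructed sample user
    "eduPersonPrincipalName": "student1@university.example",
    "eduPersonAffiliation": "student",
    "cn": "Test Student",
    "mail": "student1@university.example",
    "nationalIdentityCode": "PLACEHOLDER",
}

if __name__ == "__main__":
    arp = build_site_arp(REGISTRATIONS)
    try:
        release(arp, LIB, USER, consents={})
    except ConsentRequired as exc:
        print("show consent page for:", sorted(exc.attributes))
    agreed = {LIB: {"eduPersonPrincipalName", "eduPersonAffiliation"}}
    print(release(arp, LIB, USER, agreed))
```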

Resource categories so far

1. Library services
  • The library management system (Voyager), the library portal (Metalib), the digital content repository (Encompass, work in progress)
  • The content providers (work in progress)
2. eLearning services
  • Learning management systems (Moodle, A&O, Optima)
  • Electronic application form for becoming a visiting student in another Finnish university (www.joopas.fi)
3. Nationally provided services
  • CSC’s extranet services to researchers
  • Research funding application form (work in progress)
4. ASP services in the administration of the institution
  • Circulation of travel expense reports & incoming invoices (work in progress)
  • HR software/Employee self-service (work in progress)

Haka federation and the quality of institutional identity management

High-quality institutional identity management is a necessity for an IdP joining Haka
  • The typical problem: accounts not closed as students/employees leave the organisation
  • Best practice: link the IdP’s user database to student & HR registry
When a new IdP is being registered to the federation, the institution makes an IdM self-audit
  • The operator checks that the minimum requirement is fulfilled
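
A self-audit check for the "accounts not closed" problem, as an added Python sketch (not from the presentation): it reconciles enabled IdP accounts against the student and HR registries and flags accounts whose owner has left or that have no registry link. The record layout, field names and sample data are constructed for illustration.

```python
from datetime import date

def active_ids(registry, today):
    """Person IDs whose registry record is current on `today` (end None = open-ended)."""
    return {r["person_id"] for r in registry
            if r["start"] <= today and (r["end"] is None or r["end"] >= today)}

def audit_accounts(accounts, student_registry, hr_registry, today):
    """Classify enabled IdP accounts against the authoritative registries."""
    students = active_ids(student_registry, today)
    staff = active_ids(hr_registry, today)
    findings = {"close": [], "unlinked": [], "ok": []}
    for acct in accounts:
        if not acct["enabled"]:
            continue                                   # already closed
        pid = acct.get("person_id")
        if pid is None:
            findings["unlinked"].append(acct["uid"])   # no registry link to verify
        elif pid in students or pid in staff:
            findings["ok"].append(acct["uid"])         # one active role is enough
        else:
            findings["close"].append(acct["uid"])      # person has left
    return findings

# Constructed sample data (hypothetical record layout).
TODAY = date(2006, 4, 3)
STUDENTS = [
    {"person_id": "P1", "start": date(2003, 9, 1), "end": None},
    {"person_id": "P2", "start": date(2001, 9, 1), "end": date(2005, 12, 31)},
]
HR = [
    {"person_id": "P2", "start": date(2006, 1, 1), "end": None},  # graduate, now staff
    {"person_id": "P3", "start": date(2000, 1, 1), "end": date(2005, 6, 30)},
]
ACCOUNTS = [
    {"uid": "uid1", "person_id": "P1", "enabled": True},
    {"uid": "uid2", "person_id": "P2", "enabled": True},
    {"uid": "uid3", "person_id": "P3", "enabled": True},   # left, still open
    {"uid": "uid4", "person_id": None, "enabled": True},   # never linked
    {"uid": "uid5", "person_id": "P3", "enabled": False},
]

if __name__ == "__main__":
    for status, uids in audit_accounts(ACCOUNTS, STUDENTS, HR, TODAY).items():
        print(status, uids)
```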

Supporting institutions to improve IdM: “School in user administration”

CSC’s workshop of 3 days for staff in IT departments in HEIs
1st day 1/2005
  - Theory, best practices, commercial/open source products…
  - First homework: evaluate your current institutional IdM
2nd day 5/2005
  - Homework gone through
  - The concept of an identity federation introduced
  - Second homework: set target for your institutional IdM
3rd day 11/2005
  - Again, homework gone through
  - More best practices and products…

Future Challenges

Shibboleth/SAML 2.0
Focus from new IdPs to new SPs
Monitoring, reporting and configuration management
Trying to catalyse commercial companies to provide IdP hosting for small institutions
More ASP services
Cross-national confederation

More Information

http://www.csc.fi/suomi/funet/middleware/english/
TNC’05 conference paper “Organising Federated Identity in Finnish Higher Education”, available: http://www.terena.nl/conferences/tnc2005/programme/presentations/show.php?pres_id=77