discovery refeds 11

May 2011, REFEDS Prague. Copyright © University of Edinburgh 2011. Discovery & Login Status: Some thoughts for federation operators. Rod Widdowson, EDINA

Upload: refeds

Post on 01-Nov-2014


DESCRIPTION

Rod Widdowson's presentation to REFEDS, Prague 2011

TRANSCRIPT

Page 1: Discovery refeds 11


Discovery & Login Status

Some thoughts for federation operators.

Rod Widdowson EDINA

Page 2: Discovery refeds 11


Status

• Next generation software is here or nearly here.

– Shibboleth: EDS V1.0, IdP 2.3, SP 2.4.

– DiscoJuice.

– But the work now moves to federation operators.

Page 3: Discovery refeds 11


Take-aways from this talk

• “Discovery & Login” Extensions are really important:

– Make recommendations about them.

– Start collecting them.

– Engage with entity operators about them.

• ... And don’t forget your own discovery service.

Page 4: Discovery refeds 11


Discovery Extensions?

• A picture may be worth 1024 words

• (which is between 1024 and 4096 octets depending on the architecture in question)

Page 5: Discovery refeds 11


WAS: Start at the SP

Page 6: Discovery refeds 11


WAS: Go to the DS

Page 7: Discovery refeds 11


WAS: Thence to the IdP

Page 8: Discovery refeds 11


To note

• Three different web pages.

• Three different brandings.

• One of which is probably completely strange to the first-time user.

• There is no indication that you are doing the right thing.

Page 9: Discovery refeds 11

With Added Extensions: SP

Page 10: Discovery refeds 11


Embedded Discovery Service

Page 11: Discovery refeds 11


IdP

Page 12: Discovery refeds 11


SP

Page 13: Discovery refeds 11


Centralized Discovery Service

Page 14: Discovery refeds 11


IdP

Page 15: Discovery refeds 11


And DiscoJuice

Page 16: Discovery refeds 11


Discovery extensions?

• Or “SAML V2.0 Metadata Extensions for Login and Discovery User Interface Version 1.0” as it likes to be known.

• http://docs.oasis-open.org/security/saml/Post2.0/sstc-saml-metadata-ui/v1.0/sstc-saml-metadata-ui-v1.0.pdf

• User Information

• Hinting Information

Page 17: Discovery refeds 11


User Info

• Things used in the UI to ease discovery and login.

– Display Name.

– Display Description.

– Logos.

– Keywords.

– Information & Privacy Statement URLs.

Page 18: Discovery refeds 11


Logo

• But what sizes?

• Shibboleth recommendations:

– IdPs: https://wiki.shibboleth.net/confluence/display/EDS10/4.+Metadata+Considerations

– SPs: https://wiki.shibboleth.net/confluence/display/SHIB2/IdPMDUIRecommendations

• Your CDS will also have recommendations.

• As will policy.

Page 19: Discovery refeds 11


Hinting

• Geo: “If you are physically close to a campus you may prefer that IdP”.

• IP: “If you are on a campus IP address you may prefer that IdP”.

• DNS: “If your machine has a campus DNS name, you may prefer that IdP”.
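The User Info and Hinting extensions of the preceding slides, as a federation operator might collect and use them, in an added example written for this page; it is not code from the talk or from the Shibboleth or DiscoJuice projects. The metadata aggregate inside the script is constructed, and its entityIDs, hostnames and address blocks are placeholders. The script parses mdui:UIInfo (DisplayName, Description, Keywords, Logo, InformationURL, PrivacyStatementURL) and mdui:DiscoHints (IPHint, DomainHint, GeolocationHint), picks a display name by language preference, flags logos an operator would send back to the entity (no usable size, or not served over https; the https check is this example's own, not a recommendation on the slides), and scores IdPs by IP and DNS hint so a discovery page can put the likely IdP first without ever removing the others. Only the Python 3 standard library is assumed.

```python
"""Collect the MDUI "User Info" and "Hinting" extensions from SAML metadata and rank
IdPs by hint. Added example for this page, not code from the talk, Shibboleth or DiscoJuice."""
import ipaddress
import xml.etree.ElementTree as ET

NS = {"md": "urn:oasis:names:tc:SAML:2.0:metadata",
      "mdui": "urn:oasis:names:tc:SAML:metadata:ui"}
XML_LANG = "{http://www.w3.org/XML/1998/namespace}lang"

# Constructed sample aggregate (all names placeholders): one IdP with MDUI data, one with none.
SAMPLE_METADATA = """<md:EntitiesDescriptor xmlns:md="urn:oasis:names:tc:SAML:2.0:metadata"
    xmlns:mdui="urn:oasis:names:tc:SAML:metadata:ui">
  <md:EntityDescriptor entityID="https://idp.example.org/idp/shibboleth">
    <md:IDPSSODescriptor protocolSupportEnumeration="urn:oasis:names:tc:SAML:2.0:protocol">
      <md:Extensions>
        <mdui:UIInfo>
          <mdui:DisplayName xml:lang="en">Example University</mdui:DisplayName>
          <mdui:DisplayName xml:lang="de">Beispiel-Universität</mdui:DisplayName>
          <mdui:Logo width="80" height="60">https://idp.example.org/logo-80x60.png</mdui:Logo>
          <mdui:Logo width="16" height="16">http://idp.example.org/favicon.png</mdui:Logo>
          <mdui:PrivacyStatementURL xml:lang="en">https://www.example.org/privacy</mdui:PrivacyStatementURL>
        </mdui:UIInfo>
        <mdui:DiscoHints>
          <mdui:IPHint>192.0.2.0/24</mdui:IPHint>
          <mdui:IPHint>2001:db8:abcd::/48</mdui:IPHint>
          <mdui:DomainHint>example.org</mdui:DomainHint>
          <mdui:GeolocationHint>geo:55.9533,-3.1883</mdui:GeolocationHint>
        </mdui:DiscoHints>
      </md:Extensions>
    </md:IDPSSODescriptor>
  </md:EntityDescriptor>
  <md:EntityDescriptor entityID="https://idp.example.net/saml">
    <md:IDPSSODescriptor protocolSupportEnumeration="urn:oasis:names:tc:SAML:2.0:protocol"/>
  </md:EntityDescriptor>
</md:EntitiesDescriptor>"""

# Language-tagged UIInfo children, keyed by the name used in the parsed record.
UI_FIELDS = {"display_name": "DisplayName", "description": "Description", "keywords": "Keywords",
             "info_url": "InformationURL", "privacy_url": "PrivacyStatementURL"}

def _localized(parent, tag):
    """Map xml:lang -> text for a repeated, language-tagged mdui element."""
    return {el.get(XML_LANG, ""): (el.text or "").strip() for el in parent.findall(f"mdui:{tag}", NS)}

def parse_idps(xml_text):
    """Return one dict per IdP holding its entityID, UIInfo fields and DiscoHints."""
    idps = []
    for ed in ET.fromstring(xml_text).iter(f"{{{NS['md']}}}EntityDescriptor"):
        sso = ed.find("md:IDPSSODescriptor", NS)
        if sso is None:
            continue  # an SP or attribute authority, not an IdP
        idp = {"entity_id": ed.get("entityID"), "logos": [], "ip_hints": [], "domain_hints": [],
               "geo_hints": [], **{key: {} for key in UI_FIELDS}}
        ui = sso.find("md:Extensions/mdui:UIInfo", NS)
        if ui is not None:
            for key, tag in UI_FIELDS.items():
                idp[key] = _localized(ui, tag)
            for logo in ui.findall("mdui:Logo", NS):
                idp["logos"].append({"url": (logo.text or "").strip(), "width": int(logo.get("width", 0)),
                                     "height": int(logo.get("height", 0))})
        hints = sso.find("md:Extensions/mdui:DiscoHints", NS)
        if hints is not None:
            for h in hints.findall("mdui:IPHint", NS):
                try:  # one malformed hint must not break discovery for everyone
                    idp["ip_hints"].append(ipaddress.ip_network(h.text.strip(), strict=False))
                except ValueError:
                    pass
            idp["domain_hints"] = [h.text.strip().lower().strip(".") for h in hints.findall("mdui:DomainHint", NS)]
            idp["geo_hints"] = [h.text.strip() for h in hints.findall("mdui:GeolocationHint", NS)]
        idps.append(idp)
    return idps

def display_name(idp, langs=("en",)):
    """Preferred language first, then any language, then the entityID, so the UI is never blank."""
    names = idp["display_name"]
    preferred = [names[lang] for lang in langs if names.get(lang)]
    return (preferred or [n for n in names.values() if n] or [idp["entity_id"]])[0]

def check_logos(idp):
    """Problems to send back to the entity: no usable size, or a logo not served over https."""
    problems = []
    for logo in idp["logos"]:
        if logo["width"] <= 0 or logo["height"] <= 0:
            problems.append(f"logo without size: {logo['url']}")
        if not logo["url"].startswith("https://"):  # would be mixed content on an https discovery page
            problems.append(f"logo not served over https: {logo['url']}")
    return problems

def hint_score(idp, client_ip, client_hostname=None):
    """IP hint match scores 2, DNS (DomainHint) match scores 1; geo hints are kept but not scored here."""
    addr = ipaddress.ip_address(client_ip)
    host = (client_hostname or "").lower().rstrip(".")
    score = 2 if any(addr in net for net in idp["ip_hints"]) else 0  # v4/v6 mismatch is simply False
    if host and any(host == d or host.endswith("." + d) for d in idp["domain_hints"]):
        score += 1
    return score

if __name__ == "__main__":  # reorder only, never filter: a user on campus may belong to another IdP
    for idp in sorted(parse_idps(SAMPLE_METADATA), key=lambda i: -hint_score(i, "192.0.2.17", "lab-pc.example.org")):
        print(display_name(idp, ("de", "en")), idp["entity_id"], check_logos(idp))
```

Run stand-alone, the script lists the two constructed IdPs with the campus IdP first for a client at 192.0.2.17 and reports its plain-http favicon. The logo size recommendations the next slide points to are not reproduced on this page, so the check only requires that dimensions be present and positive; hints are used to order the list, never to pick an IdP on the user's behalf.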

Page 20: Discovery refeds 11


Take-aways From this talk

• “Discovery & Login” extensions really matter.

To add the extensions:

– Make recommendations about them.

– Start collecting them.

– Engage with entity operators.

To exploit the extensions:

• There is software already shipping to do this.

• Not just Shibboleth.

• ... And don’t forget your own discovery service.

Page 21: Discovery refeds 11


Federation Discovery Service

Based on UK experience:

• Try to downplay it within your organization. You don’t show off your toilets to your house guests: it’s just something you have to have.

• Think about the continuing story.

– Add SP co-branding.

– Add IdP branding.

• Remove your own branding.

• Remember to consider accessibility.

• Start thinking about cross-federation discovery.

Page 22: Discovery refeds 11


Questions

• Rod Widdowson

[email protected]

Page 23: Discovery refeds 11


Discovery isn’t

• About scale.

• About the operators’ branding.

• About accounting.

• About a central service.

• Confined to your domain.

Page 24: Discovery refeds 11


Discovery is

• Never perfectly addressed.

• Going to get harder.

• About the first user.

• About a seamless experience.

• About commonality of experience.

• Everyone’s job.

Page 25: Discovery refeds 11


Discovery isn’t about scale

• Actually it might be. But not yet.

Page 26: Discovery refeds 11


Discovery isn’t

• About accounting

– No matter how tempting it might be to assume it, not every transaction goes via the DS.

• About a single central service

– Well it is, but we would like it not to be.

– And we are going to have to move away from that.

Page 27: Discovery refeds 11

Discovery isn’t confined to your domain

Page 28: Discovery refeds 11


Discovery is

• Never perfectly addressed

– We can just make it less bad via a series of approximations.

• About the first user

– The first ever user

– The first user at this site

• Consistency

– Between discovery pages at different sites.

– Give the feeling of an ongoing story.

Page 29: Discovery refeds 11


Discovery isn’t about the operator’s branding

• It just confuses the first-time user.

Page 30: Discovery refeds 11


Suggestions for Operators: SPs

• Work with your SPs to deploy their own discovery solutions:

– Shibboleth SP

– SPs using the Shibboleth CDS

– Other types of SP which use the Shibboleth EDS

– SimpleSAMLphp

• Get SP operators to contribute discovery & login information.

Page 31: Discovery refeds 11


Suggestions for Operators: IdPs

• Work with your IdPs to add SP co-branding on the login page:

– Shibboleth: always been feasible; default page in 2.3.

– Other IdPs.

• Get IdP operators to contribute discovery & login information.