Rod Widdowson's presentation to REFEDS, Prague 2011 (transcript)
May 2011, REFEDS Prague. Copyright © University of Edinburgh 2011
Discovery & Login Status
Some thoughts for federation operators.
Rod Widdowson, EDINA
Status
• Next generation software is here or nearly here.
– Shibboleth: EDS V1.0, IdP 2.3, SP 2.4.
– DiscoJuice.
– But the work now moves to federation operators.
Take-aways from this talk
• “Discovery & Login” Extensions are really important:
– Make recommendations about them.
– Start collecting them.
– Engage with entity operators about them.
• ... And don’t forget your own discovery service.
Discovery Extensions?
• A picture may be worth 1024 words
• (which is between 1024 and 4096 octets depending on the architecture in question)
WAS: Start at the SP
WAS: Go to the DS
WAS: Thence to the IdP
To note
• Three different web pages.
• Three different brandings.
• One of which is probably completely strange to the first-time user.
• There is no indication that you are doing the right thing.
With Added Extensions: SP
Embedded Discovery Service
IdP
SP
Centralized Discovery Service
IdP
And DiscoJuice
Discovery extensions?
• Or “SAML V2.0 Metadata Extensions for Login and Discovery User Interface Version 1.0” as it likes to be known.
• http://docs.oasis-open.org/security/saml/Post2.0/sstc-saml-metadata-ui/v1.0/sstc-saml-metadata-ui-v1.0.pdf
• User Information
• Hinting Information
User Info
• Things used in the UI to ease discovery and login.
– Display Name.
– Display Description.
– Logos.
– Keywords.
– Information & Privacy Statement URLs.
Logo
• But what sizes?
• Shibboleth recommendations:
– IdPs: https://wiki.shibboleth.net/confluence/display/EDS10/4.+Metadata+Considerations
– SPs: https://wiki.shibboleth.net/confluence/display/SHIB2/IdPMDUIRecommendations
• Your CDS will also have recommendations.
• As will policy.
Hinting
• Geo: “If you are physically close to a campus you may prefer that IdP”.
• IP: “If you are on a campus IP address you may prefer that IdP”.
• DNS: “If your machine has a campus DNS name, you may prefer that IdP”.
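The User Info and Hinting slides describe what the mdui extensions carry (UIInfo for display, DiscoHints for preference). The following added example (not code from the talk or from Shibboleth) parses a constructed metadata fragment with Python's standard library and ranks IdPs for a client by how many IP and DNS hints match; the entity IDs, addresses and hint values are invented for illustration.

```python
import ipaddress
import xml.etree.ElementTree as ET

NS = {"md": "urn:oasis:names:tc:SAML:2.0:metadata", "mdui": "urn:oasis:names:tc:SAML:metadata:ui"}

# Constructed sample metadata: two fictional IdPs; only the first carries DiscoHints.
SAMPLE_METADATA = """<md:EntitiesDescriptor xmlns:md="urn:oasis:names:tc:SAML:2.0:metadata"
 xmlns:mdui="urn:oasis:names:tc:SAML:metadata:ui">
 <md:EntityDescriptor entityID="https://idp.example-uni.example/shibboleth">
  <md:IDPSSODescriptor protocolSupportEnumeration="urn:oasis:names:tc:SAML:2.0:protocol">
   <md:Extensions>
    <mdui:UIInfo>
     <mdui:DisplayName xml:lang="en">Example University</mdui:DisplayName>
     <mdui:Logo height="60" width="80">https://idp.example-uni.example/logo.png</mdui:Logo>
    </mdui:UIInfo>
    <mdui:DiscoHints>
     <mdui:IPHint>192.0.2.0/24</mdui:IPHint>
     <mdui:DomainHint>example-uni.example</mdui:DomainHint>
    </mdui:DiscoHints>
   </md:Extensions>
  </md:IDPSSODescriptor>
 </md:EntityDescriptor>
 <md:EntityDescriptor entityID="https://idp.other.example/shibboleth">
  <md:IDPSSODescriptor protocolSupportEnumeration="urn:oasis:names:tc:SAML:2.0:protocol">
   <md:Extensions><mdui:UIInfo><mdui:DisplayName xml:lang="en">Other College</mdui:DisplayName></mdui:UIInfo></md:Extensions>
  </md:IDPSSODescriptor>
 </md:EntityDescriptor>
</md:EntitiesDescriptor>"""

def parse_idp(ent):
    """entityID plus UIInfo name/logo and DiscoHints from one md:EntityDescriptor."""
    ext = ent.find("md:IDPSSODescriptor/md:Extensions", NS)
    return {"entity_id": ent.get("entityID"),
            "name": ext.findtext("mdui:UIInfo/mdui:DisplayName", "", NS),
            "logo": ext.findtext("mdui:UIInfo/mdui:Logo", None, NS),
            "ip_hints": [ipaddress.ip_network(e.text.strip())
                         for e in ext.findall("mdui:DiscoHints/mdui:IPHint", NS)],
            "domain_hints": [e.text.strip().lower()
                             for e in ext.findall("mdui:DiscoHints/mdui:DomainHint", NS)]}

def hint_score(idp, client_ip, client_host):
    """Number of hints the client matches; hints only bias ordering, they prove nothing about the user."""
    ip, host = ipaddress.ip_address(client_ip), client_host.lower()
    return (sum(ip in net for net in idp["ip_hints"])
            + sum(host == d or host.endswith("." + d) for d in idp["domain_hints"]))

def rank_idps(xml_text, client_ip, client_host):
    """Best-matching IdPs first; sorted() is stable, so unhinted IdPs keep metadata order."""
    idps = [parse_idp(e) for e in ET.fromstring(xml_text).findall("md:EntityDescriptor", NS)]
    return sorted(idps, key=lambda i: -hint_score(i, client_ip, client_host))
```

A discovery service would use the score only to pre-select or reorder the list; the user still chooses, and the IdP still authenticates.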
Take-aways from this talk
• “Discovery & Login” extensions really matter.
– Make recommendations about them.
– Start collecting them.
– Engage with entity operators to add the extensions.
To exploit the extensions:
• There is software already shipping to do this.
• Not just Shibboleth.
• ... And don’t forget your own discovery service.
Federation Discovery Service
Based on UK experience:
• Try to downplay it within your organization.
You don’t show off your toilets to your house guests: it’s just something you have to have.
• Think about the continuing story.
– Add SP co-branding.
– Add IdP branding.
• Remove your own branding.
• Remember to consider accessibility.
• Start thinking about cross-federation discovery.
Questions
• Rod Widdowson
Discovery isn’t
• About scale.
• About the operators’ branding.
• About accounting.
• About a central service.
• Confined to your domain.
Discovery is
• Never perfectly addressed.
• Going to get harder.
• About the first user.
• About a seamless experience.
• About commonality of experience.
• Everyone’s job.
Discovery isn’t about scale
• Actually it might be. But not yet.
Discovery isn’t
• About accounting
– No matter how tempting it might be to assume it, not every transaction goes via the DS.
• About a single central service
– Well it is, but we would like it not to be.
– And we are going to have to move away from that.
Discovery isn’t confined to your domain
Discovery is
• Never perfectly addressed
– We can just make it less bad via a series of approximations.
• About the first user
– The first ever user.
– The first user at this site.
• Consistency
– Between discovery pages at different sites.
– Give the feeling of an ongoing story.
Discovery isn’t about the operator’s branding
• It just confuses the first-time user.
Suggestions for Operators: SPs
• Work with your SPs to deploy their own discovery solutions
– Shibboleth SP
– SPs using the Shibboleth CDS
– Other types of SP which use the Shibboleth EDS
– SimpleSAMLphp
• Get SP operators to contribute discovery & login information.
Suggestions for Operators: IdPs
• Work with your IdPs to add SP co-branding on the login page
– Shibboleth: always been feasible; default page in 2.3
– Other IdPs
• Get IdP operators to contribute discovery & login information.