EuroCAMP Summary - TERENA

EuroCAMP Summary (in 15 mins)

Diego

• We are at the teenager stage of IDM
• IDM is maturing
• Welcome to the schema Onion

Jasmina
• Welcome to LDAP [the syntax]
• Flat tends to be better than hierarchical

• Feed your LDAP automatically
• No manual LDAP updates

Miroslav
• Welcome to LDAP [semantics]
• Don’t re-purpose a schema

Victoriano • Can you trust the applications that your users enter passwords into?

• Don’t let your users enter passwords into applications outside your control

Roland (rhubarb, rhubarb, rhubarb)
• How to do LDAP properly

– Attribute extensions
• How to do IDM properly
• Sun’s 10 best practices (see also Cameron’s 7 laws of identity)

• Get sponsorship for your strategy, and aim for quick wins.

Gerard
• Challenges
• Hopes

Roland (rhubarb, rhubarb, rhubarb)

• Cutting edge homebrew IDM system based on standards.

• Sweden’s Universities are one legal entity

Jasmina
• Guest accounts

• Make sure you deprovision
• Make sure you know who the guest is
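The two guest-account points above, together with the earlier "feed your LDAP automatically, no manual LDAP updates", can be shown as one small feed job. This is an added example, not code from any EuroCAMP talk. The guest records are constructed; schacExpiryDate is a real SCHAC attribute carrying an LDAP GeneralizedTime, while the sponsor attribute name guestSponsor and the base DN are assumptions made for this example.

```python
"""Deprovisioning expired guest accounts from an automated feed.

Added example, not code from the EuroCAMP talks. The entries below are
constructed. schacExpiryDate is a real SCHAC attribute holding an LDAP
GeneralizedTime (YYYYMMDDHHMMSSZ); the sponsor attribute 'guestSponsor'
and the base DN are assumptions made for this example.
"""
from datetime import datetime, timezone

BASE_DN = "ou=guests,dc=example,dc=org"  # assumed; a flat container, one level deep

# Constructed records as a guest-registration system would hand them to
# the directory feed (the directory itself is never edited by hand).
GUESTS = [
    {"uid": "g-alice", "schacExpiryDate": "20090630235959Z",
     "guestSponsor": "uid=prof1,ou=people,dc=example,dc=org"},
    {"uid": "g-bob", "schacExpiryDate": "20101231235959Z",
     "guestSponsor": "uid=prof2,ou=people,dc=example,dc=org"},
    {"uid": "g-carol", "schacExpiryDate": "20090115120000Z"},   # nobody vouches for this guest
    {"uid": "g-dave", "schacExpiryDate": "not-a-date",         # unusable expiry value
     "guestSponsor": "uid=prof1,ou=people,dc=example,dc=org"},
]


def parse_generalized_time(value):
    """Parse the YYYYMMDDHHMMSSZ GeneralizedTime form used by schacExpiryDate."""
    return datetime.strptime(value, "%Y%m%d%H%M%SZ").replace(tzinfo=timezone.utc)


# Fixed reference time so the run below is reproducible; a real job uses now().
AS_OF = parse_generalized_time("20100101000000Z")


def classify_guests(entries, now):
    """Return (expired, active, unsponsored, unparseable) lists of uids.

    A guest with no sponsor is reported even while still active: the point
    is to always know who the guest is. A missing or malformed expiry is
    reported separately so it gets fixed instead of silently staying alive.
    """
    expired, active, unsponsored, unparseable = [], [], [], []
    for entry in entries:
        uid = entry["uid"]
        if not entry.get("guestSponsor"):
            unsponsored.append(uid)
        try:
            expiry = parse_generalized_time(entry["schacExpiryDate"])
        except (KeyError, ValueError):
            unparseable.append(uid)
            continue
        (expired if expiry <= now else active).append(uid)
    return expired, active, unsponsored, unparseable


def deprovision_ldif(entries, now):
    """LDIF deleting every expired guest; pipe it into ldapmodify."""
    expired, _, _, _ = classify_guests(entries, now)
    return "".join(
        f"dn: uid={uid},{BASE_DN}\nchangetype: delete\n\n" for uid in expired
    )


if __name__ == "__main__":
    expired, active, unsponsored, unparseable = classify_guests(GUESTS, AS_OF)
    print("expired:", expired, "active:", active)
    print("no sponsor:", unsponsored, "bad expiry:", unparseable)
    print(deprovision_ldif(GUESTS, AS_OF), end="")
```

Run on a schedule from the registration system's export, the job keeps the directory in step with the source of record; the unsponsored and unparseable lists are the cases a human has to chase, and the LDIF is the only thing that ever touches LDAP.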

Panel
• Don't come up with your own schema if an existing standard can be used

• Don't put sensitive data in your directory
– Unless you are prepared to meet the regulatory obligations

• The standard schemas may not be enough

Kevin
• Management view
• What is a user, person
• Level Of Assurance
• If you do a good job, your IDM system will become authoritative

David
• The Zoo of beasts
• Intro to federation

– Conventional
– Hub-spoke

• Legal
– MoU’s
– Contracts
– charters
– Consent

• Engage lawyers, don't write each other's code
• Talk to your data and consumer protection agencies
• Define your federation's legal body (NREN or otherwise)
• Read the JISC legal document on federation policies

Victoriano • eduPerson

– Good starting point
– Pseudonymous id

• SCHAC
– Designed for specific European uses
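The "pseudonymous id" point deserves a worked example of what such an identifier buys you. What follows is an added example in the spirit of eduPersonTargetedID, not code from any EuroCAMP talk and not the eduPerson specification's own algorithm: the keyed-hash construction, the IdP secret and the entityIDs are assumptions, and real IdP software ships its own persistent-ID generators.

```python
"""Per-service pseudonymous identifiers in the spirit of eduPersonTargetedID.

Added example, not code from the EuroCAMP talks or from the eduPerson
specification. The keyed-hash construction, the IdP secret and the entityIDs
are assumptions; real IdP software has its own persistent-ID generators.
"""
import base64
import hashlib
import hmac

# Assumed IdP-side secret. It never leaves the IdP: without it no SP can
# compute or invert identifiers, so only the IdP can link one to a person.
IDP_SECRET = b"example-only-idp-secret-use-random-bytes-in-production"

USERS = ["alice", "bob", "carol"]  # constructed local uids
SP_LIBRARY = "https://library.example.org/shibboleth"  # constructed entityIDs
SP_WIKI = "https://wiki.example.org/shibboleth"


def targeted_id(uid, sp_entity_id, secret=IDP_SECRET):
    """Stable for one (user, SP) pair, unlinkable across SPs without the secret.

    Both inputs are length-prefixed before hashing so that no choice of uid
    and entityID can collide with another pair (a plain 'uid!entityID' join
    could, if a uid were allowed to contain the separator).
    """
    msg = b"".join(
        len(part).to_bytes(2, "big") + part
        for part in (uid.encode(), sp_entity_id.encode())
    )
    digest = hmac.new(secret, msg, hashlib.sha256).digest()
    return base64.urlsafe_b64encode(digest).rstrip(b"=").decode()


def resolve(targeted, sp_entity_id, uids, secret=IDP_SECRET):
    """IdP-side reverse lookup for incident handling: which local user is this?

    Only the holder of the secret can do this; the SP only ever sees an
    opaque value. Pseudonymous does not mean unaccountable.
    """
    for uid in uids:
        if hmac.compare_digest(targeted_id(uid, sp_entity_id, secret), targeted):
            return uid
    return None


def linkable_across_sps(uid, sp_a, sp_b, secret=IDP_SECRET):
    """True if one person gets the same identifier at two SPs (should be False)."""
    return targeted_id(uid, sp_a, secret) == targeted_id(uid, sp_b, secret)


if __name__ == "__main__":
    for sp in (SP_LIBRARY, SP_WIKI):
        print(sp, targeted_id("alice", sp))
    print("linkable:", linkable_across_sps("alice", SP_LIBRARY, SP_WIKI))
    print("resolved:", resolve(targeted_id("carol", SP_WIKI), SP_WIKI, USERS))
```

The two properties that matter are visible in the functions: the same user always gets the same value at a given SP (so the SP can keep per-user state), and two SPs cannot join their user bases on it, while the IdP can still answer "who was this?" when a service reports abuse. Rotating the secret re-keys every identifier at once, which is the operational cost of this design.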

Jacob

• WAYF.dk Style SSO
– CAS
– SAML
– LDAP

• The scary fish <SimpleSAMLphp>
– Simple
– Simple
– simple

• Making the case with a killer app
– efficiency
– collaboration
– compliance
– new business model

• Business case for federation is the same as the case you would use for an IDM, but with the context that goes beyond the cam

• More services off your ID, the better for your ID
• More services in your federation, the better for IdP (and thus IDM).

• The more your accounts are used, the better

Kevin

Miro

• eduroam
– RADIUS
– Monitoring

• as a means to show that your service is valuable

– Tools
• to show that you can troubleshoot

– Future plans
• GN3-SA3(t2) & JRA3

Diego

SIR
• Why PAPI?

– (years+)
– Connectors to lower the entry barrier for institutions, so not just PAPI

• Simple Policy
– To lower the entry barrier
– Explicit description of data protec...

• Interconnected with
– OpenID
– eduGAIN

• SAML Services
– External, managed, outer, outsourced

• Regional Federations

Victoriano, Rok, Michal

SAML with non-web
SAML with Kerberos

Entitlements