TRANSCRIPT
Federation management: A mess?
9.4.2008 Nordunet Conference
Mikael Linden
CSC, the Finnish IT Center for Science
What is Federated Identity technology?
Home Organisation (Helsinki U of Technology): Identity Provider, IdP
Service Provider, SP (University of Turku): Moodle Learning Management System
1. HTTP: ”Let me in to http://moodle.utu.fi/”
2. HTTP redirect, SAML authentication request: ”Someone from HUT wants to log in to our Moodle. Authenticate him.”
3. Username: bsmith, Password: 95iEfHw
4. HTTP POST, SAML authentication response: ”Let me in to http://moodle.utu.fi/. My home organisation has authenticated me and asserts that my name is Bob Smith and I’m a student at Helsinki University of Technology”
Let him in.
What is an identity federation (aka Circle of Trust)?
InCommon: A federation is an association of organizations that come together to exchange information as appropriate about their users and resources in order to enable collaborations and transactions.
Liberty Alliance: A circle of trust is a federation of service providers and identity providers that have business relationships based on Liberty architecture and operational agreements and with whom users can transact business in a secure and apparently seamless environment.
=> A federation is an organisational (not a technical) construct
Haka federation (coordinated and operated by CSC)
Haka federation of Finland
Home organisations: Identity Provider, IdP
• U of Helsinki
• U of Tampere
• TUT
• HUT
• Tampere UA
• Savonia UAS
Services: Service Provider, SP
• Nelli portal (libraries)
• Circulation of incoming invoices
• Moodle LMS (e-learning)
• Supercomputer (CSC)
• Grid
• wiki, blog etc
Haka operational since 8/2005
240 000 end users, 2.0 million logins in 2007
• Home organisations maintain identities
• Home organisations authenticate the end users
• Home organisations release attributes to services
• Services do access control
# of IdPs: 24, # of IdPs: 42
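The following is an added example, not code from the slides, from Haka or from CSC. It walks through the four-step login on the earlier slide (request, redirect with an authentication request, authentication at the home organisation, POSTed response) and the division of labour listed above: the IdP maintains the identity, authenticates and releases attributes, while the SP decides access. The SP accepts a response only from an IdP listed in federation metadata and only when the signature, InResponseTo, audience and validity window check out. Entity IDs other than http://moodle.utu.fi/, the signing keys, the user directory and the metadata are constructed; HMAC-SHA256 over canonical JSON stands in for the XML signature a real SAML deployment would verify.

```python
# Added example (not from the slides): simplified SAML Web Browser SSO round trip.
# HMAC-SHA256 over canonical JSON stands in for XML DSig; keys/IDs are constructed.
import hashlib
import hmac
import json
import secrets
import time


def sign(body: dict, key: bytes) -> dict:
    """Sign a message body with the issuer's key (stand-in for an XML signature)."""
    canon = json.dumps(body, sort_keys=True).encode()
    return {"body": body, "sig": hmac.new(key, canon, hashlib.sha256).hexdigest()}


def verify(signed: dict, key: bytes) -> bool:
    """Constant-time signature check against the key the SP found in metadata."""
    canon = json.dumps(signed["body"], sort_keys=True).encode()
    expected = hmac.new(key, canon, hashlib.sha256).hexdigest()
    return hmac.compare_digest(expected, signed["sig"])


class IdentityProvider:
    """Home organisation: maintains identities, authenticates, releases attributes."""

    def __init__(self, entity_id: str, key: bytes, directory: dict):
        self.entity_id, self.key, self.directory = entity_id, key, directory

    def authenticate(self, authn_request: dict, username: str, password: str, now=None):
        """Step 3: check the credentials; on success issue a signed response (step 4)."""
        user = self.directory.get(username)
        pw_hash = hashlib.sha256(password.encode()).hexdigest()
        if user is None or not hmac.compare_digest(user["pw_hash"], pw_hash):
            return None  # authentication failed: no assertion is issued at all
        now = time.time() if now is None else now
        assertion = {
            "issuer": self.entity_id,
            "in_response_to": authn_request["id"],  # ties the answer to the SP's request
            "audience": authn_request["issuer"],    # the SP this assertion is meant for
            "not_before": now - 60,
            "not_on_or_after": now + 300,
            "attributes": user["attributes"],       # only what the IdP chooses to release
        }
        return sign(assertion, self.key)


class ServiceProvider:
    """Service: trusts federation metadata, validates the response, does access control."""

    ALLOWED_AFFILIATIONS = {"student", "staff"}

    def __init__(self, entity_id: str, metadata: dict):
        self.entity_id, self.metadata = entity_id, metadata
        self.pending = {}  # outstanding request ID -> URL the user asked for

    def authn_request(self, url: str, idp_entity_id: str) -> dict:
        """Steps 1-2: user asks for a URL; SP redirects to a federation member IdP."""
        if idp_entity_id not in self.metadata:
            raise ValueError("IdP is not a member of the federation")
        req_id = "_" + secrets.token_hex(8)
        self.pending[req_id] = url
        return {"id": req_id, "issuer": self.entity_id, "destination": idp_entity_id}

    def consume_response(self, signed: dict, now=None):
        """Step 4: validate the POSTed response; return (decision, attributes, url)."""
        body = signed["body"]
        idp = self.metadata.get(body.get("issuer"))
        if idp is None or not verify(signed, idp["key"]):
            return ("rejected: untrusted issuer or bad signature", None, None)
        url = self.pending.pop(body.get("in_response_to"), None)  # one use only
        if url is None:
            return ("rejected: unsolicited or replayed response", None, None)
        if body.get("audience") != self.entity_id:
            return ("rejected: assertion meant for another SP", None, None)
        now = time.time() if now is None else now
        if not (body["not_before"] <= now < body["not_on_or_after"]):
            return ("rejected: assertion outside its validity window", None, None)
        attrs = body["attributes"]
        if attrs.get("eduPersonAffiliation") not in self.ALLOWED_AFFILIATIONS:
            return ("denied: affiliation not permitted", attrs, url)
        return ("allowed", attrs, url)


# Constructed federation metadata, as a federation operator would publish it.
HUT_IDP_ID, HUT_KEY = "https://idp.hut.example/idp", b"hut-signing-key-CONSTRUCTED"
FEDERATION_METADATA = {HUT_IDP_ID: {"key": HUT_KEY}}
HUT_DIRECTORY = {  # constructed user directory of the home organisation
    "bsmith": {"pw_hash": hashlib.sha256(b"95iEfHw").hexdigest(),
               "attributes": {"displayName": "Bob Smith",
                              "eduPersonAffiliation": "student"}},
}


def run_login(username: str, password: str, now=None):
    """The whole flow of the slide; returns the SP's decision for one attempt."""
    idp = IdentityProvider(HUT_IDP_ID, HUT_KEY, HUT_DIRECTORY)
    sp = ServiceProvider("https://moodle.utu.example/sp", FEDERATION_METADATA)
    request = sp.authn_request("http://moodle.utu.fi/", idp.entity_id)
    response = idp.authenticate(request, username, password, now=now)
    if response is None:
        return ("rejected: home organisation did not authenticate the user", None, None)
    return sp.consume_response(response, now=now)


if __name__ == "__main__":
    print(run_login("bsmith", "95iEfHw"))
```

Note where the trust sits: the SP never sees the password and never checks it; it trusts the IdP's signature, and it trusts that key only because the federation metadata (the operator's product) lists it. That is the concrete meaning of "a federation is an organisational construct": the technical check is a key lookup, but who gets into the metadata is a policy decision.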
Do we need a federation? Case Higher education
Nelli library portal 3/2008: 119 582 Haka logins
• There are often end users from several IdPs using the same SP
• The IdPs and SPs don’t necessarily have business relationships
=> YES
Do we need a federation? Case B2B
In the Business-to-business world: use of federated identity management is based on business relationships
• Business relationships are typically bilateral
=> Not necessarily
• Identities can be federated between organisations on a bilateral basis
Contractual shape of a federation
A federation
Home organisations: Identity Provider, IdP
• U of Helsinki
• U of Tampere
• TUT
• HUT
• Tampere UAS
• Savonia UAS
Services: Service Provider, SP
• Nelli portal (libraries)
• Circulation of invoices
• Moodle LMS (e-learning)
• Supercomputer (CSC)
• Grid
Coordinator
• Has a contractual relationship with home organisations and services
• Sets the policy
Operator
• Subcontractor of the coordinator
• Takes care of daily technical operations of the federation
An IdP centric view to a federation
• A federation is seen as a set of IdPs which have deployed similar policies
• SPs are not considered part of the federation but consumers of the federation service
• SPs need not have a contractual relationship with the federation
• The data protection directive binds also the SPs anyway
(Diagram: operator and IdPs inside the federation, SPs outside it)
Technical shape of a federation: Distributed
Model deployed by Haka (.fi), SWAMID (.se) and several other federations
Pros
• No single point of failure in the message flow
• Costs of federation management low
Cons
• Hard to track errors and
• Not well supported by commercial products
(Diagram: IdPs and SPs exchanging messages directly with each other)
Technical shape of a federation: Centralised
Model deployed by Feide (.no) and WAYF (.dk)
Pros
• A single point where to locate problems and introduce new features
• Economics of scale
Cons
• A single point of failure
• Everyone needs to trust the IdP in the middle
(Diagram: IdPs and SPs connected through an IdP proxy in the middle)
The Nordic dimension
A common denominator for Nordic identity federations: Campus identity management
• Identity providers are expected to provide only identities of high quality
High quality of
• Authentication (face-to-face registration and token delivery)
• Attributes (students’ and employees’ accounts are closed as they depart)
Included also in the charter of Kalmar Union
• The confederation of Nordic federations
Coordination of a federation: leadership in a network of organisations
• Understanding universities’ needs and limitations
• Understanding the possibilities of the technology
• Steering the development of the federation
• Making organisations involved
…without having a mandate to dictate anything
• Changes are slow and difficult to drive in a federation
• Communications with different players in the academia