glenn wearen 20091203 ifif he anet gwearen

Federated Access

Glenn Wearen

HEAnet

TerminologySingle Log On

• single point of authentication (e.g ldap)• synchronised account and credentials• authenticate to each application

Single Sign On• single point of authentication

• single credential, single account• authenticate once

TerminologyIdentity Provider

• Organisation that holds identity data/credentials

Service Provider• Organisation accepting federated identities

IdP, SP, OP, RP

TerminologyWeb SSO

– OpenID

– Cardspace (Infocard, Higgins etc.)

– SAML, WS-Trust

– Facebook Connect, Friend Connect

– OAuth

Data exchange

Federated Access in EducationSAML widely adopted in national academic federations

• UK Access Management Federation

• InCommon

• Switch AAI

• HAKA

• Swamid

• AAF

• Surfederatie

• Feide

• GARR Idem AAI

SAML used in other sectors Realty, Aerospace, Automobile, 401k

Confederation

Institutional User Repository

Institutional WebServer

Institutional SAML Server

Service Provider SAML server

Service Provider Web Server

Service Provider User Repository

Federation or Service Provider WAYF Server

Service Provider (SP).

Inst

itutio

n (Id

P).

Federated Access in Education

– IdP’s• Institutes of Technology

• Universities• Private colleges

• Research agencies

Edugate

– SP's• Any IdP can be a SP

• Shared services offered by IdP's• Academic content providers

• Research portals

• Organisations offering academic discount

Edugate

Federation is a web of trust underpinned by...– Policy

• Membership rules– Identity providers must ensure identities are assured

– Service providers must not abuse data protection rules

• Confederation/Interfederation

– Technical• Standard protocol

Membership has its benefits

Management of identity provider– Consent management

– Attribute release

HEAnet assistance to get started– Directory integration for IdP's

– Application integration for SP's

Membership has its benefits

Resource Registry -SP

Resource Registry –IdP (i)

Resource Registry –IdP (ii)

Resource Registry – IdP (iv)

Resource Registry – IdP (v)

Future Directions

– Confederation• UK Federation / eduGAIN

– Attribute aggregation• Student account is but one part of a user account

– Who knows?• Schools• Make a 'social' account out of of the 'campus' id.

• National student ID

Summary

Terminology

SAML

Edugate

Join us at www.edugate.ie

glenn wearen 20091203 ifif he anet gwearen

Technology

resource registry idp

single account

resource registry sp

user account

terminology single log

benefits federation

application single sign

social account