interfederation rl “bob” morgan university of washington and internet2 digital id world 2005 san...
TRANSCRIPT
![Page 1: Interfederation RL “Bob” Morgan University of Washington and Internet2 Digital ID World 2005 San Francisco](https://reader036.vdocuments.net/reader036/viewer/2022062421/56649e425503460f94b35435/html5/thumbnails/1.jpg)
Interfederation
RL “Bob” Morgan
University of Washington and Internet2
Digital ID World 2005
San Francisco
![Page 2: Interfederation RL “Bob” Morgan University of Washington and Internet2 Digital ID World 2005 San Francisco](https://reader036.vdocuments.net/reader036/viewer/2022062421/56649e425503460f94b35435/html5/thumbnails/2.jpg)
2
TopicsTopics
• Federation and Interfederation
• US E-Authentication Program and Internet2
• USperson schema
![Page 3: Interfederation RL “Bob” Morgan University of Washington and Internet2 Digital ID World 2005 San Francisco](https://reader036.vdocuments.net/reader036/viewer/2022062421/56649e425503460f94b35435/html5/thumbnails/3.jpg)
3
Federations definedFederations defined
• created to support community• interesting ones are multi-IdP, multi-SP
• embodies agreements on many levels• membership, technology, assurance, key mgt, legal,
attributes, privacy, appropriate use, etc
• facilitates member federated interactions• many potential sub-communities and their apps
• operational support• key/config distribution, IdP discovery, etc
• doesn't preclude non-fed arrangements
![Page 4: Interfederation RL “Bob” Morgan University of Washington and Internet2 Digital ID World 2005 San Francisco](https://reader036.vdocuments.net/reader036/viewer/2022062421/56649e425503460f94b35435/html5/thumbnails/4.jpg)
4
Federations happeningFederations happening
• i.e., SAML-based (or similar) federations• in Europe, natural extension of HE NREN
services• Switzerland, Finland, Netherlands, UK, Spain, France,
etc
• in US• InCommon Federation in higher ed
• also state-level planning, vertical apps such as student loan management
• US government E-Authentication Program
• also much non-fed or pre-fed deployment among fed members
![Page 5: Interfederation RL “Bob” Morgan University of Washington and Internet2 Digital ID World 2005 San Francisco](https://reader036.vdocuments.net/reader036/viewer/2022062421/56649e425503460f94b35435/html5/thumbnails/5.jpg)
5
InterfederationInterfederation
• an immediate consequence of federation• brand-new federations don't have well-defined
boundaries or service scopes
• it's the Internet, we're all connected
• many interesting SPs are global, e.g. Elsevier
• Interfederation workshop, Oct 2004• Upper Slaughter, UK (a nicer walled garden?)
• many countries, including CERN
• many agreements on direction, future work
![Page 6: Interfederation RL “Bob” Morgan University of Washington and Internet2 Digital ID World 2005 San Francisco](https://reader036.vdocuments.net/reader036/viewer/2022062421/56649e425503460f94b35435/html5/thumbnails/6.jpg)
6
... but it's a nice garden... but it's a nice garden
![Page 7: Interfederation RL “Bob” Morgan University of Washington and Internet2 Digital ID World 2005 San Francisco](https://reader036.vdocuments.net/reader036/viewer/2022062421/56649e425503460f94b35435/html5/thumbnails/7.jpg)
7
Interfederation modelsInterfederation models
• parallel universes• members simply participate in many if needed
• consistent with fundamental pairwise nature of app-level relationships
• scaling, diversity not addressed
• peering• transitive assurance, legal, policy, maybe ops
• too tight a coupling?
• league of federations?• some historical examples ...
![Page 8: Interfederation RL “Bob” Morgan University of Washington and Internet2 Digital ID World 2005 San Francisco](https://reader036.vdocuments.net/reader036/viewer/2022062421/56649e425503460f94b35435/html5/thumbnails/8.jpg)
8
US E-AuthenticationUS E-Authentication
• http://cio.gov/eauthentication• for authoritative info
• facilitates trusted access to e-government
• e-auth elements• credential providers (CSPs), agency apps (AAs)
• credential assessment framework (CAF), application risk assessment, defined LoAs
• approved technologies, products (X.509, SAML)
• e-auth ops: membership, portal (aka “Fed fed”)
• agency mandates
![Page 9: Interfederation RL “Bob” Morgan University of Washington and Internet2 Digital ID World 2005 San Francisco](https://reader036.vdocuments.net/reader036/viewer/2022062421/56649e425503460f94b35435/html5/thumbnails/9.jpg)
9
InCommon E-Auth alignmentInCommon E-Auth alignment
• promote interop for widespread higher-ed access to USG applications• grants process, research support, student loans ...
• process• project started Oct 2004, thru Sept 2005
• compare federation models
• propose alignment steps
• validate with federation members, via concrete application trials
• implement via next e-auth, InCommon phases
![Page 10: Interfederation RL “Bob” Morgan University of Washington and Internet2 Digital ID World 2005 San Francisco](https://reader036.vdocuments.net/reader036/viewer/2022062421/56649e425503460f94b35435/html5/thumbnails/10.jpg)
10
Alignment pointsAlignment points
• Basic divergence: loose vs tight coupling
• assurance: facilitated vs guaranteed• InCommon participants publish their processes
• E-auth participants audited, approved by GSA• level of assurance is fundamental characteristic
• membership: IdP-centric vs SP-centric• E-auth driven by requirements of e-government AAs
• InCommon driven by requirements of university CSPs
• operation: metadata-centric vs portal-centric• InCommon-managed metadata supports interaction
• E-auth portal mediates flow, adds adapation point
![Page 11: Interfederation RL “Bob” Morgan University of Washington and Internet2 Digital ID World 2005 San Francisco](https://reader036.vdocuments.net/reader036/viewer/2022062421/56649e425503460f94b35435/html5/thumbnails/11.jpg)
11
Alignment points 2Alignment points 2
• user identity: application-supporting attributes vs fixed identifier set• InCommon relies on Internet2-defined eduPerson,
promotes attribute-based authorization
• E-Authentication specifies delivery of identifiers
• technology: SAML and profiles• InCommon specifies Shib profile of SAML 1.1
• E-authentication specifies extensive profile on top of SAML 1.0
• intend to converge on SAML 2.0
![Page 12: Interfederation RL “Bob” Morgan University of Washington and Internet2 Digital ID World 2005 San Francisco](https://reader036.vdocuments.net/reader036/viewer/2022062421/56649e425503460f94b35435/html5/thumbnails/12.jpg)
12
Validation stepsValidation steps
• universities undergo trial by CAF• assess whether compliance is likely across HE
• U Washington, Penn State, Cornell
• pretty darned close: 50% all-OK, others do-able
• deploy access to a real USG app• summer 2005
• requires E-Auth acceptance of univs as CSPs
• app will modify existing provisioning process
• practical feedback to alignment recommendations
![Page 13: Interfederation RL “Bob” Morgan University of Washington and Internet2 Digital ID World 2005 San Francisco](https://reader036.vdocuments.net/reader036/viewer/2022062421/56649e425503460f94b35435/html5/thumbnails/13.jpg)
13
US personUS person
• motivated by InCommon desire for attribute-based authorization
• modeled on Internet2 eduPerson spec
• framework on which agency/app definitions can be built
• not just SAML• generic information model, mapped to LDAP,
SAML, XML provisioning
• ambitious? yes ...