refeds met, peer and mdui presentation

What is REFEDS Interested In? Nicole Harris UK Access Management Focus, JISC Advance @nicoleharris Slides: http://www.slideshare.net/nicolevharris

Post on 07-Dec-2014


DESCRIPTION

Presentation to REFEDS Bof at APAN33 by Nicole Harris.

TRANSCRIPT

Page 1: REFEDS MET, PEER and MDUI Presentation

What is REFEDS Interested In?

Nicole Harris UK Access Management Focus, JISC Advance

@nicoleharris
Slides: http://www.slideshare.net/nicolevharris

Page 2: REFEDS MET, PEER and MDUI Presentation

Me

• UK Access Management Focus;
• Advisor to UK federation;
• REFEDS Coordinator;
• PEER Project Manager;
• Shibboleth Consortium Manager;
• Generally opinionated about access and identity.

Page 3: REFEDS MET, PEER and MDUI Presentation

What does the R&E Federation space look like?

Page 4: REFEDS MET, PEER and MDUI Presentation

R&E Federations Status (1)

Page 5: REFEDS MET, PEER and MDUI Presentation

R&E Federations Status (2)

• 27 Federations plus 2 confederations.
• 4753 entities within those federations.
• 1815 Identity Providers.
• 2755 Service Providers.
• Plus several ‘others’ (don’t worry about it).

(November 2011)

Page 6: REFEDS MET, PEER and MDUI Presentation

Top resources?

• In 14 federations: – Czech Medical Atlas and Microsoft Dreamspark.

• In 12: – Web of Knowledge, Scopus, ScienceDirect.

• In 11: – IEEE, EBSCO.

• In 10: – Springer, OVID.

Page 7: REFEDS MET, PEER and MDUI Presentation

So it’s all working, right?

Page 8: REFEDS MET, PEER and MDUI Presentation

For SPs, Federation Sucks
I know because I wrote a paper on it!

Page 9: REFEDS MET, PEER and MDUI Presentation

Barriers

• Multiple registry of entity data.
• Multiple legal documents.
• One-off clauses.
• Interpretation of data protection.
• Sponsorship letters.
• Fees.
• Technical Barriers.

https://refeds.terena.org/index.php/Barriers_for_Service_Providers

Page 10: REFEDS MET, PEER and MDUI Presentation

Registering Entity Data

• Federations are just big metadata (XML) files.
• Entity = your chunk of that data.
• It goes a bit like this:

Page 11: REFEDS MET, PEER and MDUI Presentation

How does it work?

Federation A

Federation B

Federation C

You

Page 12: REFEDS MET, PEER and MDUI Presentation

What we need is a place where this can be centrally registered and then called on by federations…

Page 13: REFEDS MET, PEER and MDUI Presentation

PEER

http://beta.terena-peer.yaco.es/

Page 14: REFEDS MET, PEER and MDUI Presentation

Legal Contracts

Page 15: REFEDS MET, PEER and MDUI Presentation

Wouldn’t it be great if these were standardised and simplified?

Page 16: REFEDS MET, PEER and MDUI Presentation

REFEDS Policy Review

• Painstakingly taking apart every clause in every federation policy.

• Mapping these to generic content ‘blocks’ and ‘elements’ within each block.

• Making recommendations about structure and unnecessary language.

• NOT a legal review.

Page 17: REFEDS MET, PEER and MDUI Presentation

Isn’t there an easier way?

Page 18: REFEDS MET, PEER and MDUI Presentation

Full Interfederation

• The ability of federations to exchange metadata about their entities.

• Normally an additional legal agreement between the 2 federations.

• Full technical and policy integration.

• Bi-lateral (UK and Edugate) or via groups (eduGain and Kalmar2).

Page 19: REFEDS MET, PEER and MDUI Presentation

eduGain (1)

www.edugain.org

Page 20: REFEDS MET, PEER and MDUI Presentation

eduGain (2) – Drawbacks

• At least one of the federations you are a member of needs to have signed up for eduGain.

• Opt-in: you have to ask to be included in an aggregate.

• Not always clear which entities are interfederated – are your customers there?

Page 21: REFEDS MET, PEER and MDUI Presentation

eduGain (3) Benefits

• Only have to have a relationship with 1 federation.

• Technically, as an SP, you can choose which federation that is.

Page 22: REFEDS MET, PEER and MDUI Presentation

A quick note on Barriers to Users

Page 23: REFEDS MET, PEER and MDUI Presentation

Login Interfaces Suck
I know this because I’ve tried to use them

Page 24: REFEDS MET, PEER and MDUI Presentation

How Bad?

Page 25: REFEDS MET, PEER and MDUI Presentation

New UK federation WAYF

Page 26: REFEDS MET, PEER and MDUI Presentation

Foodle and DiscoJuice

Page 27: REFEDS MET, PEER and MDUI Presentation

MDUI

• Currently being used by DiscoJuice and Shibboleth Embedded Discovery Service / Central Discovery Service.

• OASIS Standard for IdP Discovery:
  – http://docs.oasis-open.org/security/saml/Post2.0/sstc-saml-idp-discovery.pdf

Page 28: REFEDS MET, PEER and MDUI Presentation

MDUI for SPs (Shibboleth Recs)

Non Logo elements
• <mdui:DisplayName>: Recommended; required
• <mdui:Description>: Recommended; 100 chars max
• <mdui:Keywords>: Not used
• <mdui:InformationURL>: Available
• <mdui:PrivacyStatementURL>: Available

Logo elements
• Shibboleth - must be specified using an HTTPS URL
• Shibboleth - logo size should be between 64px by 350px wide and 64px by 146px high
• Shibboleth - logos should have transparent backgrounds
• Shibboleth - logos look better if they have a landscape rather than a portrait aspect ratio

https://refeds.terena.org/index.php/MDUI_-_Software_recommendations

Page 29: REFEDS MET, PEER and MDUI Presentation

MDUI for IdPs (Shibboleth Recs)

Non Logo elements
• <mdui:DisplayName>: Recommended, 33 chars max; Strongly recommended
• <mdui:Description>: Supporting the Display Name function with more details
• <mdui:Keywords>: Used; Used for incremental search
• <mdui:InformationURL>: Not used at present
• <mdui:PrivacyStatementURL>: Not used at present – see Attribute WG recs
• <mdui:IPHint>: Not used; Planned for future release
• <mdui:DomainHint>: Not used; Planned for future release
• <mdui:GeolocationHint>: Not used; Heavily used. Strongly recommended.

Logo elements
• Shibboleth - The URL specifying the logo must be https protected.
• Shibboleth - One logo should be provided of size approximately 80px (width) by 60px (height). A larger logo may be provided but the aspect ratio should be maintained (logos are selected based on aspect ratio).
• Shibboleth - One logo should be provided of size 16px by 16px.
• Shibboleth - Logo backgrounds should be transparent.

https://refeds.terena.org/index.php/MDUI_-_Software_recommendations
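
The recommendations on the two MDUI slides can be checked mechanically before an entity is registered. The following Python linter is an added example, not part of the original presentation or of Shibboleth; it checks mdui:UIInfo in SAML metadata against the limits listed above. The sample entity, the function names, the 5% tolerance for "approximately 80px by 60px", and the reading of the SP logo range as 64-350px wide by 64-146px high are assumptions.

```python
import xml.etree.ElementTree as ET

MD = "urn:oasis:names:tc:SAML:2.0:metadata"
NS = {"md": MD, "mdui": "urn:oasis:names:tc:SAML:metadata:ui"}
# Constructed sample entity (example.org names are placeholders, not real metadata).
SAMPLE = """<md:EntityDescriptor xmlns:md="urn:oasis:names:tc:SAML:2.0:metadata"
    xmlns:mdui="urn:oasis:names:tc:SAML:metadata:ui" entityID="https://idp.example.org/idp">
  <md:IDPSSODescriptor protocolSupportEnumeration="urn:oasis:names:tc:SAML:2.0:protocol">
    <md:Extensions><mdui:UIInfo>
      <mdui:DisplayName xml:lang="en">Example University of Applied Sciences and Arts</mdui:DisplayName>
      <mdui:Logo width="80" height="60">http://idp.example.org/logo.png</mdui:Logo>
    </mdui:UIInfo></md:Extensions>
  </md:IDPSSODescriptor>
</md:EntityDescriptor>"""

def text_of(el): return (el.text or "").strip()

def lint_role(role, is_idp):
    """Check one IDPSSODescriptor or SPSSODescriptor against the slides' limits."""
    ui = role.find("md:Extensions/mdui:UIInfo", NS)
    if ui is None: return ["no mdui:UIInfo"]
    names = ui.findall("mdui:DisplayName", NS)
    out = [] if names else ["DisplayName missing"]
    tag, limit = ("DisplayName", 33) if is_idp else ("Description", 100)
    out += [f"{tag} over {limit} chars"
            for e in ui.findall(f"mdui:{tag}", NS) if len(text_of(e)) > limit]
    logos = [(int(lg.get("width", 0)), int(lg.get("height", 0)), text_of(lg))
             for lg in ui.findall("mdui:Logo", NS)]
    for w, h, url in logos:
        if not url.lower().startswith("https://"):
            out.append(f"logo not served over HTTPS: {url}")
        if not is_idp and not (64 <= w <= 350 and 64 <= h <= 146):
            out.append(f"SP logo {w}x{h} outside 64-350 wide, 64-146 high")
    if is_idp:
        if not any((w, h) == (16, 16) for w, h, _ in logos):
            out.append("no 16x16 logo")
        # "Approximately 80x60" read as: at least 80 wide, 4:3 within 5% (assumed).
        if not any(w >= 80 and abs(w * 60 - h * 80) <= 0.05 * h * 80 for w, h, _ in logos):
            out.append("no logo at about 80x60 (4:3)")
    return out

def lint_metadata(xml_text):
    """Map entityID -> findings for each EntityDescriptor (single entity or aggregate)."""
    roles = (("IDPSSODescriptor", True), ("SPSSODescriptor", False))
    return {ent.get("entityID"): [f for tag, idp in roles for r in ent.findall(f"md:{tag}", NS)
                                  for f in lint_role(r, idp)]
            for ent in ET.fromstring(xml_text).iter(f"{{{MD}}}EntityDescriptor")}

if __name__ == "__main__": print(lint_metadata(SAMPLE))
```

An empty findings list for an entity means every check passed; the same function accepts a federation aggregate and reports each EntityDescriptor separately.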

Page 30: REFEDS MET, PEER and MDUI Presentation

Thank you for listening