Stuff Ken Klingenstein

Upload: dinah-gilbert

Post on 28-Dec-2015

Stuff

Ken Klingenstein

[email protected]

Four pieces of stuff

• Federation soup
• Cormack slides on EU (and US) privacy

• NIH-InCommon

• International federation & Liberty Alliance

• ISOC and Identity and trust

Federation Soup: An Assembly of Ingredients

Welcome to the kitchen

• A bit of context
• Goals and outcomes
• Overview of agenda
• Some other agendas
• Who we are in the room – some stories
• Reference terminology

A bit of context

• A very brief history of federating software

• An even briefer history of federations

• Interfederation interactions
  • of peering and soup
  • of technology and policy
  • of identity providers and service providers
  • outside our sector…

Federating software

• Shibboleth project formation - Feb 2000
• OASIS starts SAML work; linkages with Shib established Dec 2000
• Architecture and protocol completion - Aug 2001
• Release dates: Shib alpha1 April 2002, OpenSAML July 2002, Shib v1.0 April 2003
• SAML TC evolved a fusion of Liberty, Shib and SAML into SAML 2.0, approved as an OASIS Standard in March 2005
• Microsoft-led business consortium develops WS-*, including WS-Fed, 2002-2008

A brief history of federations

• Federations at national levels in several countries, beginning with a variety of protocols and converging on SAML

• Federations form along natural relationships – state university systems, state educational agencies, regional optical networks,…

• Federations in the business context begin as 1-1 (outsourced services, like accounting) and sometimes grow into hub and spoke (e.g. automobile industry)

• Other types of identity federations exist in pockets (e.g. federated PKI roots for IGTF)

Why we are here: Interfederation Interactions

• Peering and soup
• Service providers often belong to multiple federations; some identity providers are being asked to join several federations
• Federal government interactions happening, but not as first anticipated
• Virtual organizations are now presenting real use cases that require international federation interactions
• Other sectors keenly watching us

Workshop Goals and Outcomes

• Inform specific efforts
  • fostering of local federations
  • blending of local federations with national ones
  • minimizing challenges down the road through some up-front consensus and coordination (à la federation best practices)
  • international peering/soup
• Exchange governance and organizational approaches
• Understand businesses and business models
• Establish ongoing mechanisms for communication and coordination
• Grow community

Overview of Workshop Agenda

• Monday
  • Identifying the ingredients
  • Talking soup
  • BoFs
• Tuesday
  • Making soup
  • Affinity groups
• Wednesday
  • Tasting the soup
  • Next steps

Some other agendas

• Getting to know each other
• And finding affinity groups

• Maximal discussions

• Minimal powerpoint

Some soup dimensions

• Alignments – LOA, attributes, user experience

• Legal models – Dispute Resolution, Indemnification, etc

• Business models – Operator, Source of funds, Services offered, Communities served

• Privacy management and international issues

Alignments

• Level of assurance – for strength of authentication

• Attributes – for conveying authorization information, preserving privacy, etc

• User experience – large multiplier…

Possible business opportunities

• Trust
  • For identity management
  • For ??
• Content distribution, à la BBC
• Operate collaboration management platforms
• Circulate related metadata
• VO stuff (schema, ARPs – attribute release policies)
• ?
• Training

Some stories

• International tales – Edupass.ca, UK Federation, Swami
• InCommon
• State and system activities – UCOP, UNC, Clair
• Spices and salt – DOEgrids, Great Plains, Farmfed

Who we are in the room – some stories

• Communities served

• Purpose of federation

• Organizational and business approaches

• One thing that has been surprising…

Reference terminology

• Terms vary in meaning by country and context

• Shelf life of terms, especially policy and business ones, may be short

• It’s ratholes all the way down…

Thanks

• To the Shibboleth crew

• To the federation workers

• To all of you
  • For the time you’ve taken
  • For tolerating an overdone metaphor
  • For the consequence we may have

Federation Soup: Out of the Kitchen…

Topics

• Use cases

• Federations.org

• SAML-rama

• Peering frameworks

• Next steps

Motivation

• St. Mary’s of the Plains wanting access to StudentUniverse
• Does a commercial SP have to join every federation?
• Overlapping US federations, with different membership criteria
• Where/how do we reach agreement on:
  • Attribute mapping
  • Identity assurance mapping
  • Common approaches, in order to avoid mapping...

• Do other communities need standardized attributes? How do they do that? Can we help?

More questions

• How do VOs fit into the federation picture?
• How do US sites handle international partners, respecting privacy laws, etc.?
• What can the national level federations do to simplify this process (signed agreements, policy alignment, etc.)?
• Logging and audit in a federated space
• What types of businesses are proper work for federations?
• Home for the homeless, alumni and OpenIDs
• Migrations from other technologies

More use cases

• LIGO and OOI

• WUN

• MUSE

• NIH and NSF

• Spaces wiki

Federations.org

• Interfederation of national R&E federations
• More peering than soup
• Possible activities
  • Reference point for new national federations
  • Aggregation of common materials
  • Triage for SPs that want to learn how to deal with multiple federations
  • Assist in taking the federation template doc to RFC status
  • IDABC and EU Article 29 coordination
• Successor to REFEDS (http://www.terena.org/activities/refeds/)

International Activities

• http://www.terena.org/activities/refeds/
  • A summary of discussions among R&E networks, including a survey of national efforts
• http://www.jisclegal.ac.uk/access/
  • Excellent policy analytics, especially around international issues of privacy, peering, and attributes
• http://ec.europa.eu/idabc/
  • Trans-European activities in IdM for use among citizens, governments, and businesses

IDABC, EU Article 29, Concordia Issues

• IDABC
  • The pluses and minuses of gateways between SAML federations
• EU Article 29
  • Liberty attributes and PII
  • EPTID
• Concordia
  • End-to-end use cases in federated identity intended to highlight gaps in protocols, schema, etc.
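The EPTID point on this slide is easier to see in code. The block below is an added example, not from the slides and not the Shibboleth or Liberty implementation: an IdP derives eduPersonTargetedID from a secret salt, its internal user key and the relying party's entityID, so each SP gets a different opaque value for the same person and two SPs cannot correlate their users by joining on the identifier. The HMAC-SHA256 construction, the entity IDs and the user key are my assumptions for illustration (the real Shibboleth computed-ID algorithm differs).

```python
"""Pairwise, per-SP identifier in the style of eduPersonTargetedID.

Added example, not from the slides or from Shibboleth/Liberty code.
The IdP keys the derivation on a secret salt plus its internal user key
and feeds in the *relying party's* entityID, so the value released to
one SP cannot be turned back into the user or recomputed for another SP.
Assumption: HMAC-SHA256 keyed by salt||source id over the SP entityID
(my construction); entity IDs and user key are illustrative.
"""
import base64
import hashlib
import hmac

EPTID_OID = "urn:oid:1.3.6.1.4.1.5923.1.1.1.10"   # eduPersonTargetedID
PERSISTENT = "urn:oasis:names:tc:SAML:2.0:nameid-format:persistent"


def targeted_id(salt: bytes, source_id: str, sp_entity_id: str) -> str:
    """Derive the opaque value released to exactly one SP.

    The salt never leaves the IdP, so an SP can neither brute-force the
    source id nor compute the value another SP would receive.
    """
    key = salt + b"\x00" + source_id.encode("utf-8")
    mac = hmac.new(key, sp_entity_id.encode("utf-8"), hashlib.sha256).digest()
    return base64.b64encode(mac).decode("ascii")


def eptid_name_id(idp_entity_id: str, sp_entity_id: str, value: str) -> dict:
    """The persistent NameID that carries the value (as a plain dict).

    NameQualifier/SPNameQualifier bind the string to this IdP/SP pair,
    so an equal string issued for another pair is a different identity.
    """
    return {
        "Format": PERSISTENT,
        "NameQualifier": idp_entity_id,
        "SPNameQualifier": sp_entity_id,
        "value": value,
    }


def can_correlate(id_at_sp1: str, id_at_sp2: str) -> bool:
    """What two colluding SPs learn by comparing identifiers: nothing."""
    return id_at_sp1 == id_at_sp2


if __name__ == "__main__":
    # Constructed sample: one IdP, one user, two relying parties.
    salt = b"idp-secret-salt-rotate-only-with-care"
    user = "uid=jdoe,ou=people,dc=home,dc=example"
    sp1 = "https://library.peer.example/shibboleth"
    sp2 = "https://studentuniverse.example/shibboleth"
    at_sp1 = targeted_id(salt, user, sp1)
    at_sp2 = targeted_id(salt, user, sp2)
    print("stable across logins at one SP:", targeted_id(salt, user, sp1) == at_sp1)
    print("two SPs can correlate the user:", can_correlate(at_sp1, at_sp2))
    print(eptid_name_id("https://idp.home.example/idp", sp1, at_sp1))
```

Two caveats a deployer wants: the value is still a persistent identifier for one person at one SP, so under 95/46/EC it can still count as personal data even though it carries no name; and rotating the salt changes every user's value at every SP at once, which is why the salt must be backed up and rotated only deliberately.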

SAML-rama

• The meeting right after this…

• Developing a spec for a metadata profile

• Addresses some of the critical technical issues in interfederation
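What a metadata profile for interfederation has to govern is the aggregate one federation hands to another. The block below is an added example, not from the slides and not any federation's tooling: the checks an importing operator or SP runs on a peer's md:EntitiesDescriptor before trusting its entities. It assumes the XML signature was already verified (XML-DSig needs a library and is out of scope here), standard SAML 2.0 metadata element names, and two per-entity rules that are my local-policy assumptions: a peer entity must not collide with a locally registered entityID, and endpoints must be https. The sample aggregate is constructed.

```python
"""Import a peer federation's SAML metadata aggregate.

Added example, not from the slides or any federation's software.
Assumptions: signature already verified; standard SAML 2.0 metadata
names; collision and https rules below are assumed local policy.
For untrusted XML in production use defusedxml rather than bare
xml.etree (entity-expansion attacks); the input here is constructed.
"""
import xml.etree.ElementTree as ET
from datetime import datetime, timezone

MD = "urn:oasis:names:tc:SAML:2.0:metadata"
NS = {"md": MD}
ROLES = {"IDPSSODescriptor": "IdP", "SPSSODescriptor": "SP"}

# Constructed sample standing in for a peer federation's published feed.
SAMPLE_AGGREGATE = """<?xml version="1.0"?>
<md:EntitiesDescriptor xmlns:md="urn:oasis:names:tc:SAML:2.0:metadata"
    Name="urn:example:peerfed" validUntil="2099-01-01T00:00:00Z">
  <md:EntityDescriptor entityID="https://idp.peer.example/idp">
    <md:IDPSSODescriptor protocolSupportEnumeration="urn:oasis:names:tc:SAML:2.0:protocol">
      <md:SingleSignOnService Binding="urn:oasis:names:tc:SAML:2.0:bindings:HTTP-Redirect"
          Location="https://idp.peer.example/sso"/>
    </md:IDPSSODescriptor>
  </md:EntityDescriptor>
  <md:EntityDescriptor entityID="https://sp.peer.example/shibboleth">
    <md:SPSSODescriptor protocolSupportEnumeration="urn:oasis:names:tc:SAML:2.0:protocol">
      <md:AssertionConsumerService index="0"
          Binding="urn:oasis:names:tc:SAML:2.0:bindings:HTTP-POST"
          Location="http://sp.peer.example/SAML2/POST"/>
    </md:SPSSODescriptor>
  </md:EntityDescriptor>
  <md:EntityDescriptor entityID="https://idp.home.example/idp">
    <md:IDPSSODescriptor protocolSupportEnumeration="urn:oasis:names:tc:SAML:2.0:protocol">
      <md:SingleSignOnService Binding="urn:oasis:names:tc:SAML:2.0:bindings:HTTP-Redirect"
          Location="https://idp.home.example/sso"/>
    </md:IDPSSODescriptor>
  </md:EntityDescriptor>
</md:EntitiesDescriptor>
"""


def _parse_time(value):
    """xsd:dateTime as SAML metadata uses it: UTC with a trailing Z."""
    return datetime.strptime(value, "%Y-%m-%dT%H:%M:%SZ").replace(tzinfo=timezone.utc)


def import_peer_metadata(xml_text, local_entity_ids, now=None):
    """Return {"federation", "accepted": {eid: info}, "rejected": {eid: why}}.

    Refuses the whole aggregate when validUntil is missing or past, so a
    stale (possibly replayed) feed is never loaded. Rejects entities that
    shadow a locally registered entityID or publish a non-https endpoint.
    """
    current = _parse_time(now) if now else datetime.now(timezone.utc)
    root = ET.fromstring(xml_text)
    if root.tag != f"{{{MD}}}EntitiesDescriptor":
        raise ValueError("expected md:EntitiesDescriptor at the root")
    valid_until = root.get("validUntil")
    if valid_until is None or _parse_time(valid_until) <= current:
        raise ValueError("aggregate has no validUntil or has expired; not importing")

    federation = root.get("Name")
    accepted, rejected = {}, {}
    for ed in root.findall("md:EntityDescriptor", NS):
        eid = ed.get("entityID")
        if eid in local_entity_ids:
            rejected[eid] = "entityID already registered locally"
            continue
        roles, endpoints = [], []
        for tag, role in ROLES.items():
            for rd in ed.findall(f"md:{tag}", NS):
                roles.append(role)
                # every child endpoint element carries a Location attribute
                endpoints.extend(ep.get("Location") for ep in rd if ep.get("Location"))
        if not roles:
            rejected[eid] = "no IdP or SP role descriptor"
            continue
        bad = [loc for loc in endpoints if not loc.startswith("https://")]
        if bad:
            rejected[eid] = f"non-https endpoint: {bad[0]}"
            continue
        # tag every accepted entity with the federation it came from
        accepted[eid] = {"roles": roles, "federation": federation, "endpoints": endpoints}
    return {"federation": federation, "accepted": accepted, "rejected": rejected}


if __name__ == "__main__":
    result = import_peer_metadata(SAMPLE_AGGREGATE, {"https://idp.home.example/idp"},
                                  now="2020-01-01T00:00:00Z")
    for eid, info in result["accepted"].items():
        print("accept", eid, info["roles"], "from", info["federation"])
    for eid, why in result["rejected"].items():
        print("reject", eid, "-", why)
```

The per-entity federation tag is deliberately kept: it is what a discovery interface needs in order to tell a user that the IdP being chosen belongs to another federation, and what an operator needs to revoke a whole peer feed at once.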

Peering Parameters

Parameters:

• LoA
• Attribute mapping
• Legal structures
  • Liability
  • Adjudication
• Metadata
• VO support
• Economics
• Privacy

Peering frameworks

• JISC Member-Federated Operator analysis
  • Feasibility of cross-federation

• EAuth-InCommon peering corpse

• Kalmar Union

• JISC template for inter-federation

UK Bilateral Interfederation Template

• Purpose, scope and limits of agreement

• Entity assurance

• Member-operator behavior

• Problem resolution

• Member-member behavior

• Interfederation infrastructure

Major Sections

• Introduction (parties, nature of agreement, …)
• Background (context, terminology, …)
• Scope of the Agreement
• Rights and Obligations of the Parties (see next)
• Dispute Resolution
• Financial Considerations
• Limitation of Liability
• Special Considerations (communications, implementation, technical issues)
• Suspension or Termination

Responsibilities of Parties

1. Ensure proper operation of federation operator according to documentation

2. Evaluate ISPs for conformance with defined identity assurance standards

3. Provide the other Party information about new federation members

4. Provide the other Party accurate metadata for federation members

5. Make federation metadata available to the other Party

6. Notify the other Party of changes to federation member requirements

7. Notify the other Party of federation inability to comply with its obligations

8. Coordinate with the other Party with respect to federation changes

9. Require transaction logs be kept by federation members for at least 6 months

10. Coordinate problem resolution with the other Party

11. Work with the other Party to resolve technical or operational problems

12. Respond to requests from the other Party for information about the federation

13. Notify the other Party in case of non-compliance with this agreement

Kalmar Union

• Common terminology

• Rules

• Privacy and Security

• Technology

• Change control

• User Interface

Terminology & Rules

• Who?

• What?

• Who does what to whom?

Privacy and Security

• PII baseline

• Explicit tie-in with the EU Data Protection Directive (95/46/EC)

• Delegate responsibility for 95/46/EC compliance

Technology & Standards

• Gory details in appendix (RSN)

• Establish a "do not lower LoA" principle
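Two of the peering parameters listed earlier (attribute mapping and LoA) and the LoA principle on this slide meet in one SP-side step: translating what a peer federation's IdP asserted into local terms without overstating it. The block below is an added example, not from the slides or any federation's software. Its assumptions are mine: attributes arrive under the standard eduPerson OIDs with assurance carried in eduPersonAssurance; the peer's assurance URIs and the peer-to-local table are invented; a peer level is translated to the highest local level it fully satisfies and never to a higher one, so translation can only understate assurance; and the scopes an IdP may assert come from its metadata (shibmd:Scope) and are passed in.

```python
"""Apply attribute mapping and LoA alignment to a peer IdP's attributes.

Added example, not from the slides or from any federation's software.
Assumptions (all mine): eduPerson OID names on the wire, assurance in
eduPersonAssurance, an invented peer LoA scheme, conservative (round
down) level translation, and IdP scopes supplied from its metadata.
"""

# Attribute mapping: SAML 2.0 OID names used on the wire -> local names.
OID_TO_LOCAL = {
    "urn:oid:1.3.6.1.4.1.5923.1.1.1.6": "eduPersonPrincipalName",
    "urn:oid:1.3.6.1.4.1.5923.1.1.1.9": "eduPersonScopedAffiliation",
    "urn:oid:1.3.6.1.4.1.5923.1.1.1.10": "eduPersonTargetedID",
    "urn:oid:1.3.6.1.4.1.5923.1.1.1.11": "eduPersonAssurance",
    "urn:oid:0.9.2342.19200300.100.1.3": "mail",
}
SCOPED = {"eduPersonPrincipalName", "eduPersonScopedAffiliation"}

# LoA alignment: peer federation's assurance values -> local levels 1..3.
# "gold" maps to 2, not 3, because (in this invented table) it does not
# meet every requirement of local level 3: round down, never up.
PEER_LOA_TO_LOCAL = {
    "urn:example:peerfed:loa:bronze": 1,
    "urn:example:peerfed:loa:silver": 2,
    "urn:example:peerfed:loa:gold": 2,
}
UNKNOWN_LOA = 0   # unrecognised or absent assurance earns no credit


def local_loa(assurance_values):
    """Highest local level the peer's asserted values justify."""
    return max((PEER_LOA_TO_LOCAL.get(v, UNKNOWN_LOA) for v in assurance_values),
               default=UNKNOWN_LOA)


def translate(peer_attrs, idp_scopes, required_level):
    """Map names, enforce scopes, and decide whether the LoA suffices.

    peer_attrs: {oid_name: [values]} as released by the peer IdP.
    idp_scopes: scopes this IdP is permitted to assert (from metadata).
    Scoped values outside those scopes are dropped, so a peer IdP cannot
    mint identities in another institution's domain; unmapped attributes
    are dropped rather than passed through under an unknown name.
    """
    attrs, dropped = {}, []
    for oid, values in peer_attrs.items():
        name = OID_TO_LOCAL.get(oid)
        if name is None:
            dropped.extend(values)
            continue
        kept = []
        for v in values:
            if name in SCOPED:
                _, _, scope = v.rpartition("@")   # unscoped value -> scope == v
                if scope not in idp_scopes:
                    dropped.append(v)
                    continue
            kept.append(v)
        if kept:
            attrs[name] = kept
    loa = local_loa(attrs.get("eduPersonAssurance", []))
    return {
        "attributes": attrs,
        "loa": loa,
        "dropped": dropped,
        "authorized": loa >= required_level,
    }


if __name__ == "__main__":
    # Constructed attribute statement from an IdP in the peer federation;
    # the second affiliation value claims a scope this IdP does not own.
    peer = {
        "urn:oid:1.3.6.1.4.1.5923.1.1.1.6": ["jdoe@peer.example"],
        "urn:oid:1.3.6.1.4.1.5923.1.1.1.9": ["member@peer.example", "staff@home.example"],
        "urn:oid:1.3.6.1.4.1.5923.1.1.1.11": ["urn:example:peerfed:loa:gold"],
        "urn:oid:2.5.4.42": ["John"],
    }
    for required in (2, 3):
        r = translate(peer, {"peer.example"}, required_level=required)
        print(f"need {required}: local LoA {r['loa']}, authorized={r['authorized']}, "
              f"dropped={r['dropped']}")
```

The order matters: scope enforcement happens before the assurance decision, so a high LoA asserted by a peer IdP never lends credibility to a value in a scope that IdP was never registered for.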

Change control

• Regulate change to KALMAR including new members.

User Interface

• Make the user aware that she is crossing a national border (!)

Next Steps

• International
  • Federations.org
  • Peering between edupass.ca and InCommon, UK and InCommon, Kalmar Union
• Federation roadmap
• Soup

Next soup steps

• Affinity group in system federations
• State feds – not yet
• PII normalization
• Ask NACUA
• Coping with EU privacy compliance
• Interfederation template agreement
• InCommon as a focus point for interfederation in the US