sustainability in federated identity services - global and ... · what works and what doesn’t...
TRANSCRIPT
Networks · Services · People   www.geant.org

Ann Harding  @hardingar
I2 Global Summit
What works and what doesn’t with eduroam and eduGAIN
Sustainability in Federated Identity Services - Global and Local
April 2017
Activity Lead, Trust & Identity Development, GÉANT
Person who Asks Uncomfortable Questions, SWITCH
Finding the magic

    function ScaleGlobalService () {
        global $UseCases;
        global $TechGlue;
        global $DeclareVictory;   // needed so the echo below sees the variable set outside
        // TODO – Magic Goes Here
        echo $DeclareVictory;
    }
    $DeclareVictory = true;
Two Globally Scaled Services, Two Paths to Success

eduroam
• 10+ years old
• 70+ countries, tens of thousands of sites
• One service – network access
• WiFi dominated, fixed tech possible
• Service visible to users
• Global eduroam Governance Committee (GeGC)
• Nominated by confederations
• Sets technical and organisational standards for the service
• Secretariat funded from GÉANT Assoc. general costs, ETLRs via GÉANT Project

eduGAIN
• 5+ years old
• 48 countries, 2k+ IdPs, nearly 1.5k services
• Service is metadata exchange
• Not visible to users
• User visible service is Web SSO
• eduGAIN SG and eduGAIN Executive
• Each member has 2x SG reps
• GÉANT Board is the Executive
• 100% funded via GÉANT Project Mechanisms
• SG sets technical and operational standards
From local ideas to global service – eduroam evolution

[Map: eduroam federations shown by country code – .nl, .by, .dk, .ca, .cz, .hr, .fi, .be, .gr, .hk, .is, .mx, .pl, .ie, .sa, .jp, .se]
Scaling Globally is Obeying the Invisible Rules of Irrationality

“If you're a company, my advice is to remember that you can't have it both ways. You can’t treat your customers like family one moment and then treat them impersonally—or, even worse, as a nuisance or a competitor—a moment later when this becomes more convenient or profitable.”

“MONEY, AS IT turns out, is very often the most expensive way to motivate people. Social norms are not only cheaper, but often more effective as well.”

“There are many examples to show that people will work more for a cause than for cash.”

Dan Ariely, Predictably Irrational: The Hidden Forces That Shape Our Decisions
Beating The Limitations of Success – eduroam’s roadmap

• eduroam CAT transformed the deployability of eduroam on user devices
• A little centralisation is a good thing
• CAT++ for end user device diagnostics
• “silver bullet” to enable campus & SP infrastructure
• Community ideas go here
• Built in f-ticks monitoring and aggregation early
Beating The Limitations of Success – eduGAIN’s roadmap

• Robustness of Operations
• Federation coverage
• Support Federations to Support Campus
• Beyond the baseline: SIRTFI & MFA
• Entity coverage
• Support for Federations: FaaS
• Next Generation Architectures and Protocols
• Beyond the baseline: CoCo & R&S
Two evolutions in sustainability

• AAI as a Service for Collaborative organisations
• Expanding to serve other sectors without disrupting sustainability for existing users
• InAcademia – Simple affiliation validation as a Service
• Monetising the advantages we have
Science requirements – The Network View
Adapted from The Rationale of Optical Networking, Cees de Laat, Erik Radius, Steven Wallace (c2002)

Class A) are the typical home users
Class B) consists of the corporations, enterprises, universities, virtual organisations and laboratories.
Class C) are the really high end applications
Science means big data
Science Requirements - the Trust and Identity View

• Class A) are the simple library/journal/learning applications
• Class B) consists of the campus ‘corporate’ infrastructure
• Class C) are the really complex trust applications for collaboration and e-Research
• Science means big collaboration
[Chart: Services in eduGAIN, plotted against Complexity (scale 0–350), by service type – Library & Journals, Teaching & Learning, Campus Infrastructure, Other, Cloud Service, Collaboration Platform, Research Service]
Science DMZ, the Trust and Identity View

Design pattern 1: Enable your collaboration flows
• Export IdPs to eduGAIN
• Export eResearch SPs to eduGAIN

Design pattern 2: Unclog your policy taps
• For hub and spoke – do you need the same policies for your class C users as for your A and B? Can you be more flexible?
• For full mesh – do you need to leave everything to the edges? Can you use your resource registry/central tools to apply policy for e-Research more scalably?
• Pragmatic assurance

Design pattern 3: Build a well trusted end to end infrastructure
• Use Research and Scholarship and GÉANT Code of Conduct Entity Categories to make trust scale beyond your federation
• Adopt SIRTFI incident response framework to build trust
• Adopt group and attribute management services e.g. VO Platform
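Design patterns 2 and 3 come down to letting central metadata, rather than per-SP negotiation, drive policy. The following added example (not code from the slides or from GÉANT) shows an IdP-side check that reads the R&S and GÉANT CoCo entity categories and the SIRTFI assurance tag from a SAML metadata aggregate and derives an attribute release decision; the aggregate is constructed for the example, the three-way decision is illustrative, and the URIs are the published identifiers.

```python
import xml.etree.ElementTree as ET
NS = {"md": "urn:oasis:names:tc:SAML:2.0:metadata",
      "mdattr": "urn:oasis:names:tc:SAML:metadata:attribute",
      "saml": "urn:oasis:names:tc:SAML:2.0:assertion"}
ENTITY_CATEGORY = "http://macedir.org/entity-category"  # published identifiers named on the slides
ASSURANCE = "urn:oasis:names:tc:SAML:attribute:assurance-certification"
RS = "http://refeds.org/category/research-and-scholarship"
COCO = "http://www.geant.net/uri/dataprotection-code-of-conduct/v1"
SIRTFI = "https://refeds.org/sirtfi"
# Constructed two-SP aggregate in eduGAIN style: one R&S + SIRTFI research SP, one untagged cloud SP.
SAMPLE_METADATA = """<md:EntitiesDescriptor xmlns:md="urn:oasis:names:tc:SAML:2.0:metadata"
 xmlns:mdattr="urn:oasis:names:tc:SAML:metadata:attribute"
 xmlns:saml="urn:oasis:names:tc:SAML:2.0:assertion">
 <md:EntityDescriptor entityID="https://sp.research.example/shibboleth">
  <md:Extensions><mdattr:EntityAttributes>
   <saml:Attribute Name="http://macedir.org/entity-category">
    <saml:AttributeValue>http://refeds.org/category/research-and-scholarship</saml:AttributeValue>
   </saml:Attribute>
   <saml:Attribute Name="urn:oasis:names:tc:SAML:attribute:assurance-certification">
    <saml:AttributeValue>https://refeds.org/sirtfi</saml:AttributeValue>
   </saml:Attribute>
  </mdattr:EntityAttributes></md:Extensions>
  <md:SPSSODescriptor protocolSupportEnumeration="urn:oasis:names:tc:SAML:2.0:protocol"/>
 </md:EntityDescriptor>
 <md:EntityDescriptor entityID="https://cloud.example/sp">
  <md:SPSSODescriptor protocolSupportEnumeration="urn:oasis:names:tc:SAML:2.0:protocol"/>
 </md:EntityDescriptor>
</md:EntitiesDescriptor>"""

def entity_tags(entity):
    """Collect {attribute name: set of values} from the entity's mdattr:EntityAttributes."""
    tags = {}
    for attr in entity.findall("md:Extensions/mdattr:EntityAttributes/saml:Attribute", NS):
        values = {v.text.strip() for v in attr.findall("saml:AttributeValue", NS) if v.text}
        tags.setdefault(attr.get("Name"), set()).update(values)
    return tags

def release_policy(metadata_xml):
    """Per SP entityID: 'auto-release' when R&S or CoCo is backed by SIRTFI, 'category-only'
    when a category is present without SIRTFI, else 'manual-review' (illustrative policy)."""
    decisions = {}
    for ent in ET.fromstring(metadata_xml).iter(f"{{{NS['md']}}}EntityDescriptor"):
        if ent.find("md:SPSSODescriptor", NS) is None:
            continue  # only SPs receive attributes; IdP entries are skipped
        tags = entity_tags(ent)
        categorised = bool(tags.get(ENTITY_CATEGORY, set()) & {RS, COCO})
        sirtfi = SIRTFI in tags.get(ASSURANCE, set())
        decisions[ent.get("entityID")] = ("auto-release" if categorised and sirtfi
                                          else "category-only" if categorised else "manual-review")
    return decisions
```

Running `release_policy(SAMPLE_METADATA)` returns `auto-release` for the tagged research SP and `manual-review` for the untagged cloud SP; the same code runs unchanged over a real eduGAIN aggregate, which carries the same elements.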
InAcademia - a Simple validation Service

InAcademia leverages existing eduGAIN infrastructure for Institutions, while at the same time radically simplifying affiliation validation for services.

• Microsoft wants to offer free Office 365 to all students in the EU
• ORCID seeks to improve account quality
• SMEs want low barriers for leveraging digital academic identity: a simple contract, a predictable cost model and high assurance on identity
InAcademia – the concept

Customer Values
• Query a single, centralised service to confirm affiliation
• Validation service accessible for all eduGAIN IdPs
• A simple protocol is used by the Services (OpenID Connect)
• Single contract policy

Community Values
• Minimal exchange of personal data – never passed to the SP from the InAcademia service
• Acts as a ‘normal’ SP towards the IdP
• Enables lower trust usage of information without lowering overall trust

Sustainability
• SP pays a small per transaction fee for the validation
• Revenues are sustainably and fairly distributed:
  • Support operations for InAcademia & eduGAIN
  • Provide an innovation fund for Open Calls
  • Kickback to organisations providing validations
What is the magic for sustainability?

Unify genuine use cases
Not so abstract that you will need 38 ways to implement, even if you leave it free as a theoretical possibility

Scale ‘cheaply’ by bringing in infrastructure from many parties
Respect the advantages of social contract and understand where they outweigh the certainty of financial contract

Design fairness
Balance the pain points within the different stakeholders of the infrastructure
Understand what is important to participants and preserve it

Build trust to help you overcome your limitations
We as NRENs are proud and fiercely protective of our reputations
No amount of technical trust or governance tweaking will make you be able to go further than you are trusted