the rise of federations…almost everywhere
DESCRIPTION
The Rise of Federations…Almost Everywhere. Topics. Federation Basics Drivers Components International and pulic sector developments InCommon and its uses Next steps for federations Peering, confederation, and similar issues Support for collaboration and virtual organizations - PowerPoint PPT PresentationTRANSCRIPT
![Page 1: The Rise of Federations…Almost Everywhere](https://reader035.vdocuments.net/reader035/viewer/2022081520/568150af550346895dbecd0a/html5/thumbnails/1.jpg)
The Rise of Federations…Almost Everywhere
![Page 2: The Rise of Federations…Almost Everywhere](https://reader035.vdocuments.net/reader035/viewer/2022081520/568150af550346895dbecd0a/html5/thumbnails/2.jpg)
Topics
• Federation Basics• Drivers
• Components
• International and pulic sector developments
• InCommon and its uses
• Next steps for federations• Peering, confederation, and similar issues
• Support for collaboration and virtual organizations
• Development of other aspects of the attribute ecosystem
• Libraries and federations in the US• Issues and opportunities
• Next steps
![Page 3: The Rise of Federations…Almost Everywhere](https://reader035.vdocuments.net/reader035/viewer/2022081520/568150af550346895dbecd0a/html5/thumbnails/3.jpg)
Middleware vision in one slide
• Build a campus/enterprise core middleware infrastructure that• Serves the overall enterprise IT environment, providing business
drivers and institutional investment for sustainability and scalability
• Is designed from the start to support the research and instructional missions • Implies consistent approaches and common practices across campuses
and internationally
• Build, plumb, and replumb the tools of research on top of that emergent infrastructure• Domain-specific middleware (grids, sensor nets, etc)
• Common collaboration tools (video, protected wikis, shared calendaring, audioconferencing, etc.)
![Page 4: The Rise of Federations…Almost Everywhere](https://reader035.vdocuments.net/reader035/viewer/2022081520/568150af550346895dbecd0a/html5/thumbnails/4.jpg)
Federated identity
• Leveraging enterprise identity management beyond the enterprise
• Creates general purpose interrealm trust fabrics
• Standards (SAML) and open source (Shibboleth) well aligned and gaining broad adoption
• Persistent and broad R&E federations in many countries now
![Page 5: The Rise of Federations…Almost Everywhere](https://reader035.vdocuments.net/reader035/viewer/2022081520/568150af550346895dbecd0a/html5/thumbnails/5.jpg)
Drivers
• Campuses want to allow their community to use their local credentials to access external partners in academia, government, businesses, etc.
• Relying Parties want to use campus authn • For economies
• Not another sso to incorporate into the app• Avoid much of the costs of account management
• For scaling in users• Interest is tempered by legal considerations,
policy considerations, and unintended disruptive economic consequences
![Page 6: The Rise of Federations…Almost Everywhere](https://reader035.vdocuments.net/reader035/viewer/2022081520/568150af550346895dbecd0a/html5/thumbnails/6.jpg)
Uses - Content
• To protect IPR (the JSTOR incident…)• To open up markets• Popular content – Ruckus, CDigix, etc• MS• Scholarly content – Google, OCLC
WorldCat• Scope of IdM may be an issue
![Page 7: The Rise of Federations…Almost Everywhere](https://reader035.vdocuments.net/reader035/viewer/2022081520/568150af550346895dbecd0a/html5/thumbnails/7.jpg)
Services
• Student travel, charitable giving, web learning and testing, plagiarism testing service, etc.
• Allure for alumni services and other internal businesses
• Student loans, student testing, graduate school admissions, etc.
• The Teragrid
![Page 8: The Rise of Federations…Almost Everywhere](https://reader035.vdocuments.net/reader035/viewer/2022081520/568150af550346895dbecd0a/html5/thumbnails/8.jpg)
Government
• NSF Fastlane Grant Submission• Dept of Agriculture Permits• Social Security• NIH• Dept of Ed
![Page 9: The Rise of Federations…Almost Everywhere](https://reader035.vdocuments.net/reader035/viewer/2022081520/568150af550346895dbecd0a/html5/thumbnails/9.jpg)
![Page 10: The Rise of Federations…Almost Everywhere](https://reader035.vdocuments.net/reader035/viewer/2022081520/568150af550346895dbecd0a/html5/thumbnails/10.jpg)
Components of Federation
• Federating Software• Federation operator and metadata• Participants
• Policies on identity management• Policies on privacy
• Shared set of attributes, including LOA• Legal agreements among participants• Management and governance• (Peering, economics,…)
![Page 11: The Rise of Federations…Almost Everywhere](https://reader035.vdocuments.net/reader035/viewer/2022081520/568150af550346895dbecd0a/html5/thumbnails/11.jpg)
International Federations
• Widespread in Europe (over 15 countries), emergent in Australia, nascent in Asia.
• The UK federation (http://www.ukfederation.org.uk/) already has over five million active users and intends to grow to all of higher ed, K-12 and further education.
• Used for academic content access, research support, national level services, etc
• Clear needs for peering; some need for confederation or dynamic relationships.
![Page 12: The Rise of Federations…Almost Everywhere](https://reader035.vdocuments.net/reader035/viewer/2022081520/568150af550346895dbecd0a/html5/thumbnails/12.jpg)
Public sector federations
• http://www.public-cio.com/story.php?id=2007.02.02-103751
• State-based among health agencies (NY), presenting a SSO to citizens (Washington), etc.
• GSA EAuthentication• NSF, NIH, and the Dept of Ed…
• State university federations - Texas, California, Maryland, etc
• InCommon
![Page 13: The Rise of Federations…Almost Everywhere](https://reader035.vdocuments.net/reader035/viewer/2022081520/568150af550346895dbecd0a/html5/thumbnails/13.jpg)
UTexas Federation Apps
• Project Tracking (CHA)• Monthly Financial Reporting
(BUD)• TIXX (GOV)• UT Plane (ADM)• Compliance Training (ADM)• Research Projects Tracking
(ACA)
• Academic Affairs Jobs (ACA)
• Degree Programs (ACA)• Grad Registration (ACA)• System Administration
Wireless (OTIS)
• Legal Tracking (OGC)• Parking Management (APS)• Signature Authority (APS)• Bid Specification (OFPC)• Project Time Reporting
(OFPC)• Student Couponing (UT
Austin)• Online Education via
Blackboard (UTHSCH)• Board of Regents Agenda
(BOR) 12/06• Budget Change Request
(BUD) 12/06• UTANOP (BUD) 12/06
![Page 14: The Rise of Federations…Almost Everywhere](https://reader035.vdocuments.net/reader035/viewer/2022081520/568150af550346895dbecd0a/html5/thumbnails/14.jpg)
InCommon
• US R&E Federation
• www.incommon.org
• Members join a 501(c)3
• Addresses legal, LOA, shared attributes, business proposition, etc issues
• Approximately 50 members and growing
• A low percentage of national Shib use…
![Page 15: The Rise of Federations…Almost Everywhere](https://reader035.vdocuments.net/reader035/viewer/2022081520/568150af550346895dbecd0a/html5/thumbnails/15.jpg)
InCommon Members 2/27/07
• Case Western Reserve University • Clemson University • Cornell University• Dartmouth • Duke University • Florida State University• Georgetown University• Miami University• New York University • Ohio University • Penn State • Stanford University • Stony Brook University • SUNY Buffalo • The Ohio State University • The University of Chicago • University of Alabama at Birmingham • University of California, Irvine • University of California, Los Angeles • University of California, Merced • University of California, Office of the President • University of California, Riverside • University of California, San Diego
• University of Maryland• University of Maryland Baltimore County• University of Maryland, Baltimore • University of Rochester • University of Southern California • University of Virginia • University of Washington • University of Wisconsin - Madison • Cdigix • EBSCO Publishing • Elsevier ScienceDirect • Houston Academy of Medicine - Texas Medical Center
Library • Internet2 • JSTOR • Napster, LLC • OCLC• OhioLink - The Ohio Library & Information Network • ProtectNetwork • Symplicity Corporation • Thomson Learning, Inc.• Turnitin • WebAssign
![Page 16: The Rise of Federations…Almost Everywhere](https://reader035.vdocuments.net/reader035/viewer/2022081520/568150af550346895dbecd0a/html5/thumbnails/16.jpg)
Key aspects of InCommon
• Federating software• Shib 1.2+ (other possibilities in the future)
• Shared attributes and schema• eduPerson right now
• Levels of authentication• POP (participant operational practices)• InCommon Bronze and Silver will map to LOA 1 & 2
• Management• Steering committee of members IT executives• Operations staffed by Internet2
![Page 17: The Rise of Federations…Almost Everywhere](https://reader035.vdocuments.net/reader035/viewer/2022081520/568150af550346895dbecd0a/html5/thumbnails/17.jpg)
Shibboleth
• Shib 1.3 widely deployed; 1.2 still common• Along the way, other capabilities added:
• ADFS compatibility for WS-Fed, (MS $)• Eauthentication certification (with waiver form:))
• Shib 2.0 completes the SAML+Shib integration• More compatible with COTS SAML 2.0 products than
they are with each other• A Shib/SAML to TCP/IP analogy isn’t bad; Shib adds
multi-party federation support through metadata, ARPS, etc.
• Also eases support for n-tier, non-web and other capabilities
• Alpha in April
![Page 18: The Rise of Federations…Almost Everywhere](https://reader035.vdocuments.net/reader035/viewer/2022081520/568150af550346895dbecd0a/html5/thumbnails/18.jpg)
The Shibboleth 2.0 Sidebar
• Support for the attribute ecosystem• attribute handling, including policy, in both SP and IdP• designed to be reusable for other protocols (eg CardSpace) • sets stage for further work on multiple attribute sources,
reputation management, etc. • All Java SP (in addition to current Java/Apache), easing
integration for some applications• Trust management
• PKI still seems too hard, even at the simpler enterprise level• Supports a broad set of trust choices – CA’s, certs, plain
keys, managing site metadata (naming, acquisition, validating)
• A product of years of painful experience
![Page 19: The Rise of Federations…Almost Everywhere](https://reader035.vdocuments.net/reader035/viewer/2022081520/568150af550346895dbecd0a/html5/thumbnails/19.jpg)
InCommon Management/Governance
• Steering Committee of campus/vendor CIO’s and policy people – sets policies for membership, business model, etc.
• Technical advisory committee - Sets common member standards for attributes (eduPerson 2.0) , identity management good practices, etc.
![Page 20: The Rise of Federations…Almost Everywhere](https://reader035.vdocuments.net/reader035/viewer/2022081520/568150af550346895dbecd0a/html5/thumbnails/20.jpg)
InCommon Uses
• Access control to content• Popular content – Ruckus, CDigix, etc• Scholarly content – Google, OCLC WorldCat• Downloads – Microsoft
• Access to external services• Student travel, charitable giving, web learning and testing,
plagiarism testing service, etc.• Allure for alumni services and other internal businesses• Student loans, student testing, graduate school admissions,
etc.• Access to national services
• The National Science Digital Library• The Teragrid pilot
![Page 21: The Rise of Federations…Almost Everywhere](https://reader035.vdocuments.net/reader035/viewer/2022081520/568150af550346895dbecd0a/html5/thumbnails/21.jpg)
Inter-federation key issues
• Peering, peering, peering• At what size of the globe? • Confederation, overlapping, leveraged
• Tightly coupled autonomous federations
• How do vertical sectors relate? How to relate to a government federation?
• On what policy issues to peer and how?• Legal framework
• Treaties? Indemnification? Adjudication
• How to technically implement• Wide variety of scale issues
• WAYF functionality• Virtual organization support
![Page 22: The Rise of Federations…Almost Everywhere](https://reader035.vdocuments.net/reader035/viewer/2022081520/568150af550346895dbecd0a/html5/thumbnails/22.jpg)
Virtual Organizations
• The big team science efforts, and smaller collaborations across a broad set of disciplines with real resources to be managed seriously
• Have their own IdM issues• Collaboration tools• Domain science identity management
• Today’s solutions are non-existent, insecure or widely despised…
• Could leverage federated identity for both ease of use and better security
![Page 23: The Rise of Federations…Almost Everywhere](https://reader035.vdocuments.net/reader035/viewer/2022081520/568150af550346895dbecd0a/html5/thumbnails/23.jpg)
Peering
Parameters:
•LOA•Attribute mapping•Legal structures• Liability• Adjudication•Metadata
•VO Support•Economics•Privacy
![Page 24: The Rise of Federations…Almost Everywhere](https://reader035.vdocuments.net/reader035/viewer/2022081520/568150af550346895dbecd0a/html5/thumbnails/24.jpg)
VOs plumbed to federations
![Page 25: The Rise of Federations…Almost Everywhere](https://reader035.vdocuments.net/reader035/viewer/2022081520/568150af550346895dbecd0a/html5/thumbnails/25.jpg)
The Attribute Ecosystem
• We now understand, we think, an overall “attribute ecosystem”• Shibboleth is the real-time transport of
attributes from an IdP to an SP for an authorization decision
• Other, “compile-time” means are used to ship attributes from sources of authority to IdP
• Or to the SP, or to the various middlemen (portals, proxies, etc.)
• And a user needs to be manage all of this
![Page 26: The Rise of Federations…Almost Everywhere](https://reader035.vdocuments.net/reader035/viewer/2022081520/568150af550346895dbecd0a/html5/thumbnails/26.jpg)
Libraries and Shib in the US
• Not the driver that it is overseas• Content acquisition at local versus national levels
• Poor communication between campus IT management and library management• Many universities have Shib in some form of
deployment; very few use it for library content access• Preference of patron db for authentication and
authorization over central directory services• Failure of Internet2 to publicize the many hybrid
models available (eg IP address on campus, Shib for off campus, with or without SSO)
![Page 27: The Rise of Federations…Almost Everywhere](https://reader035.vdocuments.net/reader035/viewer/2022081520/568150af550346895dbecd0a/html5/thumbnails/27.jpg)
Libraries and Shib in the US
• Misunderstandings on Shibboleth and privacy• Shibboleth is privacy preserving• Institutions and users can change that
• “Extra step” of authentication• Confusion about the relationship of federations
and licenses• Shibboleth is not worth the work since some form
of IP address control will always be needed• Too many publishers• Additional features not worth the work
![Page 28: The Rise of Federations…Almost Everywhere](https://reader035.vdocuments.net/reader035/viewer/2022081520/568150af550346895dbecd0a/html5/thumbnails/28.jpg)
The “Stepping Up” Group
• University of Chicago, Penn State University, UCSD, and the University of Maryland System Library Consortium
• InCommon-library-services• Identity issues in technology, user
experience, policy, and practices for access to external licensed resources
• (Identify opportunities for value-added services that leverage infrastructure)
• Report back…
![Page 29: The Rise of Federations…Almost Everywhere](https://reader035.vdocuments.net/reader035/viewer/2022081520/568150af550346895dbecd0a/html5/thumbnails/29.jpg)
First thoughts…
• Internal SP’s• Different policies for walk-ins and remote• People not in the institutional db – paid
alumni…• PKI management in trust• Students working as RA’s and proxies for
faculty• Looking up ARP’s for various SP
![Page 30: The Rise of Federations…Almost Everywhere](https://reader035.vdocuments.net/reader035/viewer/2022081520/568150af550346895dbecd0a/html5/thumbnails/30.jpg)
Opportunities
• Integration with repositories• NITLE and its offerings…• NSDL type collaborations• Collaboration tool platforms• New joint licensing possibilities