Building a Successful Federation InCommon (10 years and going strong) Klara Jelinkova Chair of InCommon Steering Committee

Building a Successful Federation - EOLfree.eol.cn/edu_net/edudown/cans2015/cans2015pdf/2202/1...Building a Successful Federation InCommon (10 years and going strong) Klara Jelinkova


Building a Successful Federation

InCommon (10 years and going strong)

Klara Jelinkova

Chair of InCommon Steering Committee


Trust Basics

•  User: Person accessing the service
   –  faculty, staff, students, community members

•  Identity Provider: The organization that knows that person and verifies her identity online.
   –  usually a University

•  Service Provider: The organization that offers the service and grants access to use it.
   –  a University, consortium, company or other organization

•  Federation Operator: The organization that vets the membership, implements the community “rules” and publishes the certified phonebook.
   –  InCommon


Federation is Distributed

[Diagram. Labels: End User; Services; Service Provider Authorization; Federation Software (shown twice); Certified Federation Metadata “Phone Book”; Fed schema; Enterprise Directory; Campus Authentication and User Information; Authn. Captioned steps: 2 - Request Authentication & Access Information (attributes); 3 - Authentication; 5 - Authentication Verified. Sending Attributes; 6 - Authorization. Steps 1, 4 and 7 are numbered without captions.]


Federation is Distributed

InCommon Federation (8+ million users and 780 organizations)

Identity Provider Services (408)

Application Services (2,486)

InCommon Operations (1)


Issues we face

•  Participation is voluntary – Not all institutions participate

•  Level of participation is voluntary – Not all institutions that participate share attributes

•  Institutional (Identity Provider) preference to operate in a binary relationship mode to control risk

•  Service provider preference to have standards and easy onboarding of services

•  National boundaries - need to access global resources


On our Hotlist

•  Research service tag – attempt to bridge lack of participation standards (but still voluntary)

•  IdP of last resort – Alternative to OpenID

•  EduGAIN – Metadata sharing globally

•  Provide additional service to campuses to increase participation of smaller less technical institutions


Refeds MAP


What we learned

•  Provide IdP of last resort from the start

•  Be clearer about what people need to do in order to participate
   –  Service providers
   –  Identity providers

•  Avoid the R&S experiment (shortcut)

•  We would have thought globally from the start and written EDUGAIN in
   –  Rather than incorporating later


Thank you!

Klara Jelinkova

Vice President and CIO, Rice University

Chair of InCommon Steering Committee
