Upload
dale-ford
View
213
Download
1
Embed Size (px)
Citation preview
Federations round tableHaka federation of Finland
EuroCAMP 17.4.2007
Mikael Linden
CSC, the Finnish IT Center for Science
Status of Haka Federation
Operational 8/2005 23 (of 48) Federation Members
• with 213 000 end users (68% of eduPersons; in universities 90%)
3 Federation partners• Library content providers, ASP service providers
13 IdPs operational• with 159 000 end users (51% of eduPersons)
20 SPs 168 400 logins in March 2007 federating sw: Shibboleth ver 1.3
• 2 IdPs still running Shibboleth 1.2
SPs in the federation
Library services Nelli portal (Ex libris
Metalib) Library management
system (Endeavor Voyager)
eLearning Moodle, A&O, Optima
learning management systems
CSC’s services Funet extranet Scientist’s Interface
Student administration Application form for becoming a
visiting student www.joopas.fi
HR administration Competence management
system/ASP (Personec hr)
Other administration Process database for universities
WLAN roaming (Jyväskylä polytech)
Campus IdM policies in Haka federation
Home organisations must make sure that only fresh attributes are released to SPs
• when an end user departs, the accounts must be closed (or the roles updated) no later than in seven days
initial authentication face-to-face (or similar)• using photo ID issued by the police
on-line authentication at least with passwords• no less than 8 characters + other quality checks
Campus IdM policy enforcement in Haka
Home organisation publishes its IdM practices in the web• using a template provided by federation operator;
http://www.csc.fi/english/institutions/haka/registration/idm-description
Self-Audit for joining IdPs• When an IdP is registered to the federation, the federation operator checks
the published document to assess if minimum requirements are met• If OK, the IdP is added to the federation metadata
If it turns out that the policy is not followed by a home organisation there is a procedure for dropping a home organisation from the federation
Privacy and the Data Protection Directive (DPD) in Haka
1. Only SPs related to research and education can be registered to the federation
• DPD: dependability on the purpose of processing personal data
2. Only attributes relevant for the service are released to an SP• when a new SP is registered, the SP admin declares the relevant attributes• based on the declaration, federation operator constructs and distributes
Shibboleth Site-ARPs to the IdPs
3. End user’s informed consent is a requirement for attribute release• to make the consent informed, the end user is provided with a link to the
service’s privacy policy document
Schemas, roles and groups in Haka
funetEduPerson 2.0 schema• incorporates schac 1.2.0
roles/groups in funetEduPerson• eduPersonAffiliation – a Finnish interpretation of the vocabulary
is presented in funetEduPerson• funetEduPersonStudentCategory – 10 categories for students
(BSc,MSc,doctor,other,open-university,exchange-student…)• students’ target degree – e.g. MSc in Engineering• students’ educational degree probram – e.g. Political history• students’ specialisation option – e.g. software engineering• student status – present/absent• student union membership• schacHomeOrganizationType – university/polytechnic
Level of assurance for authentication in Haka currently one LoA: the miminum requirement is a
password• stronger methods ”can be used”• University of Helsinki has had a pilot on PKI/Smartcards in
Shibboleth 1.x IdP
Waiting for Shibboleth/SAML2.0• authentication context concept• Services asking for certain level of authentication
candidates for stronger authentication• PKI/smartcards• OTPs provided by the Finnish banks