Federations round table: Haka federation of Finland
EuroCAMP 17.4.2007
Mikael Linden, mikael.linden@csc.fi
CSC, the Finnish IT Center for Science

Page 2

Status of Haka Federation

• Operational since 8/2005
• 23 (of 48) Federation Members
  • with 213 000 end users (68% of eduPersons; in universities 90%)
• 3 Federation partners
  • library content providers, ASP service providers
• 13 IdPs operational
  • with 159 000 end users (51% of eduPersons)
• 20 SPs
• 168 400 logins in March 2007
• Federating software: Shibboleth ver 1.3
  • 2 IdPs still running Shibboleth 1.2

Page 3

SPs in the federation

• Library services: Nelli portal (Ex Libris MetaLib); library management system (Endeavor Voyager)
• eLearning: Moodle, A&O and Optima learning management systems
• CSC's services: Funet extranet; Scientist's Interface
• Student administration: application form for becoming a visiting student, www.joopas.fi
• HR administration: competence management system/ASP (Personec HR)
• Other administration: process database for universities; WLAN roaming (Jyväskylä Polytechnic)

Page 4

Campus IdM policies in Haka federation

• Home organisations must make sure that only fresh attributes are released to SPs
  • when an end user departs, the account must be closed (or the roles updated) no later than seven days afterwards
• Initial authentication face-to-face (or similar)
  • using a photo ID issued by the police
• On-line authentication at least with passwords
  • no fewer than 8 characters, plus other quality checks

Page 5

Campus IdM policy enforcement in Haka

• The home organisation publishes its IdM practices on the web
  • using a template provided by the federation operator: http://www.csc.fi/english/institutions/haka/registration/idm-description
• Self-audit for joining IdPs
  • when an IdP is registered to the federation, the federation operator checks the published document to assess whether the minimum requirements are met
  • if OK, the IdP is added to the federation metadata
• If it turns out that a home organisation does not follow the policy, there is a procedure for dropping it from the federation

Page 6

Privacy and the Data Protection Directive (DPD) in Haka

1. Only SPs related to research and education can be registered to the federation
  • DPD: processing of personal data is bound to its stated purpose
2. Only attributes relevant for the service are released to an SP
  • when a new SP is registered, the SP admin declares the relevant attributes
  • based on the declaration, the federation operator constructs and distributes Shibboleth Site-ARPs to the IdPs
3. The end user's informed consent is a requirement for attribute release
  • to make the consent informed, the end user is provided with a link to the service's privacy policy document
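The operator-side step in point 2, as an added example that is not code from the Haka federation or from Shibboleth: a small Python script that turns the SP admins' declarations into a Shibboleth 1.x-style Site-ARP and then applies it on the IdP side, so that an SP only ever receives the attributes it declared. The entityIDs, declared attribute sets and user record are constructed, and the ARP element names follow the Shibboleth 1.x ARP format, which the slides do not show, so they are an assumption.

```python
import xml.etree.ElementTree as ET

ARP_NS = "urn:mace:shibboleth:arp:1.0"       # Shibboleth 1.x ARP namespace (assumed, not on the slides)
ATTR_PREFIX = "urn:mace:dir:attribute-def:"  # Shibboleth 1.x attribute naming convention (assumed)

# Constructed sample: what each SP admin declared as relevant at registration (hypothetical entityIDs).
SP_DECLARATIONS = {
    "https://moodle.example.fi/shibboleth": ["eduPersonPrincipalName", "eduPersonAffiliation", "mail"],
    "https://nelli.example.fi/shibboleth": ["eduPersonAffiliation", "schacHomeOrganization"],
}


def q(tag):
    """Qualify a local element name with the ARP namespace."""
    return f"{{{ARP_NS}}}{tag}"


def build_site_arp(declarations):
    """Federation operator: one Rule per SP, permitting any value of each declared attribute."""
    ET.register_namespace("", ARP_NS)
    arp = ET.Element(q("AttributeReleasePolicy"))
    ET.SubElement(arp, q("Description")).text = "Generated from SP attribute declarations"
    for requester, attrs in declarations.items():
        rule = ET.SubElement(arp, q("Rule"))
        ET.SubElement(ET.SubElement(rule, q("Target")), q("Requester")).text = requester
        for name in attrs:
            attr = ET.SubElement(rule, q("Attribute"), name=ATTR_PREFIX + name)
            ET.SubElement(attr, q("AnyValue"), release="permit")
    return ET.tostring(arp, encoding="unicode")


def release_attributes(arp_xml, requester, user_attrs):
    """IdP side: keep only the attributes that a Rule targeting this requester permits.
    Only AnyValue/permit rules are evaluated; per-value and deny rules of real ARPs are omitted."""
    permitted = set()
    for rule in ET.fromstring(arp_xml).findall(q("Rule")):
        req = rule.find(q("Target") + "/" + q("Requester"))
        if req is None or req.text != requester:
            continue  # rule is for another SP; an unregistered SP matches no rule and gets nothing
        for attr in rule.findall(q("Attribute")):
            any_value = attr.find(q("AnyValue"))
            name = attr.get("name", "")
            if any_value is not None and any_value.get("release") == "permit" and name.startswith(ATTR_PREFIX):
                permitted.add(name[len(ATTR_PREFIX):])
    return {k: v for k, v in user_attrs.items() if k in permitted}


if __name__ == "__main__":
    arp = build_site_arp(SP_DECLARATIONS)
    # Constructed IdP user record: holds more attributes than any single SP declared.
    user = {"eduPersonPrincipalName": "u1@example.fi", "eduPersonAffiliation": "student",
            "mail": "u1@example.fi", "funetEduPersonStudentCategory": "msc"}
    print(arp)
    print(release_attributes(arp, "https://nelli.example.fi/shibboleth", user))
```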

Page 7

Schemas, roles and groups in Haka

• funetEduPerson 2.0 schema
  • incorporates schac 1.2.0
• Roles/groups in funetEduPerson
  • eduPersonAffiliation – a Finnish interpretation of the vocabulary is presented in funetEduPerson
  • funetEduPersonStudentCategory – 10 categories for students (BSc, MSc, doctor, other, open-university, exchange-student, …)
  • students' target degree – e.g. MSc in Engineering
  • students' educational degree programme – e.g. Political history
  • students' specialisation option – e.g. software engineering
  • student status – present/absent
  • student union membership
  • schacHomeOrganizationType – university/polytechnic

Page 8

Level of assurance for authentication in Haka

• Currently one LoA: the minimum requirement is a password
  • stronger methods "can be used"
  • University of Helsinki has had a pilot on PKI/smartcards in a Shibboleth 1.x IdP
• Waiting for Shibboleth/SAML 2.0
  • authentication context concept
  • services asking for a certain level of authentication
• Candidates for stronger authentication
  • PKI/smartcards
  • OTPs provided by the Finnish banks