
Towards Interconnecting the Nordic Identity Federations

TNC2007

Walter M Tveter, UiO

Mikael Linden, CSC/HAKA

Ingrid Melve, Uninett/Feide


Interconnecting federations

– The Kalmar Union policy
– Cross-federation model
– Technical solution
– Crossing circles of trust
– Participants
– Consent and attributes
– Future work


Kalmar union

The first Kalmar Union (1397-1524) united the Nordic countries under a single monarch; the countries gave up sovereignty but not independence.

Interconnecting Nordic AAI federations: a model for exchanging traffic
– Do my users have access to your services?
– Do your users have access to my services?

What is the simplest solution for interconnecting access control?

Policy issues for federations


Policy

– Minimal information disclosure, informed consent
– Voluntary participation in the cross-federation
– No liability (this must be written into the contract)
– Conflict resolution by an elected board
– Minimal intellectual property rights, as there are minimal central components
– Services across borders, jurisdiction
– Best effort, no guarantees needed
– Money flow is outside our scope (it goes directly IdP-SP)


Kalmar cross-federation model

– Bilateral agreements
– Cross-federation charter
– Overlapping federations; a federation may choose to leave out parts from the overlap
– Previous work
  – Aligned federation policies
  – Worked together in GNOMIS
  – norEdu* schemas developed in GNOMIS


Participants

Federations
– HAKA in Finland
– Feide in Norway

Federations to join
– SWAMI in Sweden
– DK-AAI in Denmark

End users
Identity providers (home organizations)
Service providers


Technical Kalmar solution

SAML 2 metadata for federation overlap

[Diagram: HAKA Identity Provider, Feide Identity Provider, HAKA Service Provider and Feide Service Provider, all consuming the shared overlap metadata]
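To make the "SAML 2 metadata for federation overlap" idea concrete, here is an added example (not code from the Kalmar project or any of the federations) that builds the overlap aggregate from two federations' metadata. Each federation supplies its own aggregate plus the list of entityIDs it opts in to the cross-federation; only those entities are copied into the overlap, an entity without an IdP or SP role is rejected, and an entityID claimed by two federations is reported rather than silently merged. All hostnames, federation names (urn:example:haka, urn:example:feide, urn:example:kalmar) and the metadata itself are constructed for the example.

```python
import xml.etree.ElementTree as ET

MD_NS = "urn:oasis:names:tc:SAML:2.0:metadata"
SAML2P = "urn:oasis:names:tc:SAML:2.0:protocol"
ET.register_namespace("md", MD_NS)


def md(tag):
    """Clark-notation name for a SAML 2.0 metadata element."""
    return "{%s}%s" % (MD_NS, tag)


def entity_xml(entity_id, role, endpoint):
    """Minimal EntityDescriptor for the constructed sample data."""
    if role == "IdP":
        desc = ('<md:IDPSSODescriptor protocolSupportEnumeration="%s">'
                '<md:SingleSignOnService Binding="urn:oasis:names:tc:SAML:2.0:bindings:HTTP-Redirect" '
                'Location="%s"/></md:IDPSSODescriptor>') % (SAML2P, endpoint)
    else:
        desc = ('<md:SPSSODescriptor protocolSupportEnumeration="%s">'
                '<md:AssertionConsumerService Binding="urn:oasis:names:tc:SAML:2.0:bindings:HTTP-POST" '
                'Location="%s" index="0"/></md:SPSSODescriptor>') % (SAML2P, endpoint)
    return '<md:EntityDescriptor entityID="%s">%s</md:EntityDescriptor>' % (entity_id, desc)


def federation_xml(name, entities):
    """One federation's EntitiesDescriptor aggregate (constructed sample)."""
    body = "".join(entity_xml(*e) for e in entities)
    return ('<md:EntitiesDescriptor xmlns:md="%s" Name="%s">%s</md:EntitiesDescriptor>'
            % (MD_NS, name, body))


# Constructed sample aggregates: hostnames and federation names are made up.
HAKA_XML = federation_xml("urn:example:haka", [
    ("https://idp.example.fi/idp", "IdP", "https://idp.example.fi/sso"),
    ("https://sp.example.fi/sp", "SP", "https://sp.example.fi/acs"),
    ("https://local-only.example.fi/sp", "SP", "https://local-only.example.fi/acs"),
])
FEIDE_XML = federation_xml("urn:example:feide", [
    ("https://idp.example.no/idp", "IdP", "https://idp.example.no/sso"),
    ("https://sp.example.no/sp", "SP", "https://sp.example.no/acs"),
])


def load_entities(xml_text):
    """Parse one federation's aggregate into {entityID: EntityDescriptor}."""
    root = ET.fromstring(xml_text)
    if root.tag != md("EntitiesDescriptor"):
        raise ValueError("not a SAML 2.0 EntitiesDescriptor")
    return {e.get("entityID"): e for e in root.findall(md("EntityDescriptor"))}


def build_overlap(name, federations):
    """federations: list of (federation_name, aggregate_xml, opted_in_entity_ids).

    Returns (overlap EntitiesDescriptor, list of problem strings). Only entities a
    federation explicitly opts in are exported (federation-level opt-in); an IdP or SP
    that wants to stay out is simply left off its federation's list.
    """
    overlap = ET.Element(md("EntitiesDescriptor"), {"Name": name})
    owner, problems = {}, []
    for fed, xml_text, opt_in in federations:
        entities = load_entities(xml_text)
        for entity_id in opt_in:
            entity = entities.get(entity_id)
            if entity is None:
                problems.append("%s: opt-in for unknown entity %s" % (fed, entity_id))
                continue
            if entity_id in owner:
                problems.append("%s: entityID %s already exported by %s"
                                % (fed, entity_id, owner[entity_id]))
                continue
            has_role = (entity.find(md("IDPSSODescriptor")) is not None
                        or entity.find(md("SPSSODescriptor")) is not None)
            if not has_role:
                problems.append("%s: %s has no IdP or SP role" % (fed, entity_id))
                continue
            owner[entity_id] = fed
            overlap.append(entity)
    return overlap, problems


def roles(overlap):
    """Map each exported entityID to 'IdP' or 'SP'."""
    return {e.get("entityID"): ("IdP" if e.find(md("IDPSSODescriptor")) is not None else "SP")
            for e in overlap.findall(md("EntityDescriptor"))}


def kalmar_overlap():
    """Worked run: HAKA keeps local-only.example.fi out of the overlap."""
    return build_overlap("urn:example:kalmar", [
        ("HAKA", HAKA_XML, ["https://idp.example.fi/idp", "https://sp.example.fi/sp"]),
        ("Feide", FEIDE_XML, ["https://idp.example.no/idp", "https://sp.example.no/sp"]),
    ])


if __name__ == "__main__":
    overlap, problems = kalmar_overlap()
    print(ET.tostring(overlap, encoding="unicode"))
    print("problems:", problems)
```

In a production interconnect the overlap aggregate (or each federation's export) would also be signed, and every IdP and SP would verify that signature before trusting an entity from the other side; that step is deliberately left out here to keep the opt-in logic visible.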


Technical work

Trial interconnect in September 2006
– Shibboleth 1.3 in HAKA
– Sun Access Manager (SAML 2.0) in Feide

eduGAIN bridging element evaluated
– Backwards compatible with Shibboleth 1.3
– Not yet available, but preliminary tests running

Easier to do SAML 2.0-based connections


Crossing Circles of Trust

A user wants to access a service in another identity federation
– Must find the right login service (WAYF or explicit links)

What is really transferred
– The Identity Provider sends the login and attributes
– The Service Provider must trust a third-party login from outside its own federation

Opt-in at all levels: user, IdP and federation
May have opt-out at the federation level, if needed


Consent and attributes

Informed consent

Attribute transfer
– Safeguards at 3 levels: user, IdP/home organization, federation

Voluntary participation in the cross-federation
– Opt-in for the end user
– Opt-in for identity providers (home organizations)
– Opt-in for each federation

Semantic interoperability based on eduPerson (with extensions)
– Information about semantics
– We do not enforce the same semantics
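The three-level safeguard (user, IdP/home organization, federation) and the minimal-disclosure policy from the earlier policy slide can be expressed as a single release filter: an attribute crosses the border only if the federation charter allows it, the home organization has opted in and allows it, and the user has consented to it for that particular SP. The following is an added example, not code from the Kalmar project or any federation's IdP; the policy tables, entityIDs, scope names and the user record are constructed. The eduPerson/inetOrgPerson attribute names and their urn:oid SAML names are the standard ones. The scope check at the end is the receiving SP's side: because the federations share eduPerson semantics without enforcing identical values, the SP should at least verify that scoped attributes carry the asserting IdP's own scope, so one home organization cannot assert an affiliation at another.

```python
# Standard SAML 2.0 attribute names (urn:oid form) for common eduPerson / inetOrgPerson attributes.
ATTRIBUTE_URIS = {
    "eduPersonPrincipalName": "urn:oid:1.3.6.1.4.1.5923.1.1.1.6",
    "eduPersonAffiliation": "urn:oid:1.3.6.1.4.1.5923.1.1.1.1",
    "eduPersonScopedAffiliation": "urn:oid:1.3.6.1.4.1.5923.1.1.1.9",
    "mail": "urn:oid:0.9.2342.19200300.100.1.3",
    "displayName": "urn:oid:2.16.840.1.113730.3.1.241",
}
# Attributes whose values carry an "@scope" suffix that must belong to the asserting IdP.
SCOPED = {"eduPersonPrincipalName", "eduPersonScopedAffiliation"}

# Constructed policies (hypothetical names).
# Federation level: what the cross-federation charter lets cross the border at all.
FEDERATION_POLICY = {
    "urn:example:kalmar": {"eduPersonPrincipalName", "eduPersonScopedAffiliation",
                           "displayName", "mail"},
}
# IdP / home-organization level: opted in per target federation, with its own attribute list.
IDP_POLICY = {
    "https://idp.example.fi/idp": {
        "scope": "example.fi",
        "urn:example:kalmar": {"eduPersonPrincipalName", "eduPersonScopedAffiliation", "mail"},
    },
}
# Constructed user record as held by the home organization; the NIN value is a placeholder.
USER = {
    "eduPersonPrincipalName": ["ksmith@example.fi"],
    "eduPersonAffiliation": ["student"],
    "eduPersonScopedAffiliation": ["student@example.fi"],
    "mail": ["ksmith@example.fi"],
    "displayName": ["K. Smith"],
    "norEduPersonNIN": ["constructed-nin"],
}
# User-level consent, recorded per SP the user has actually been asked about.
USER_CONSENT = {
    "https://sp.example.no/sp": {"eduPersonPrincipalName", "eduPersonScopedAffiliation",
                                 "displayName"},
}


def release(idp, target_federation, sp_entity_id, user_attrs, user_consent):
    """Attributes released to sp_entity_id, or None if any level has not opted in.

    Minimal disclosure: the result is the intersection of what the federation allows,
    what the home organization allows, what the user consented to, and what exists.
    """
    fed_allowed = FEDERATION_POLICY.get(target_federation)
    if fed_allowed is None:
        return None  # federation has not opted in (or has opted out)
    idp_allowed = IDP_POLICY.get(idp, {}).get(target_federation)
    if idp_allowed is None:
        return None  # home organization has not opted in to this federation
    consented = user_consent.get(sp_entity_id)
    if consented is None:
        return None  # user has not given informed consent for this SP
    names = fed_allowed & idp_allowed & consented & set(user_attrs)
    return {n: list(user_attrs[n]) for n in sorted(names)}


def saml_attribute_names(released):
    """Rename friendly attribute names to the urn:oid names used on the wire."""
    return {ATTRIBUTE_URIS[n]: v for n, v in released.items()}


def scope_violations(released, idp_scope):
    """SP-side check: scoped values must end in the asserting IdP's registered scope."""
    bad = []
    for name in sorted(SCOPED & set(released)):
        for value in released[name]:
            if "@" not in value or value.rsplit("@", 1)[1] != idp_scope:
                bad.append((name, value))
    return bad


def kalmar_release():
    """Worked run: HAKA user logging in to a Feide SP through the Kalmar overlap."""
    return release("https://idp.example.fi/idp", "urn:example:kalmar",
                   "https://sp.example.no/sp", USER, USER_CONSENT)


if __name__ == "__main__":
    out = kalmar_release()
    print(saml_attribute_names(out))
    print("scope violations:", scope_violations(out, IDP_POLICY["https://idp.example.fi/idp"]["scope"]))
```

Note what the worked run drops and why: displayName is consented to but not released by the home organization, mail is allowed by both the federation and the home organization but the user did not consent to it, and eduPersonAffiliation and the national identity number never reach the filter's intersection at all.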


Future work

Single Sign-On and informed consent
– How to inform users

Operational service
– Depends on the introduction of SAML 2.0

Revisit the policy after we have real-life experience of what problems turn up in production