Readout and update on Identity Management effort from Europe for the MAGIC team at SuperComputing2014 in New Orleans.
Federations on the rise…

Licia Florio (GÉANT) & Harold Teunissen (SURFnet), MAGIC Workshop, SC14, New Orleans, November 2014
© WALLNOY
MAGIC WORKSHOP — SC14 — New Orleans, LA, November 2014
Serving Dutch research & education
SURF as umbrella

• All ICT activities for Higher Education and Research in the Netherlands are under the SURF umbrella:
- Scientific Computing & Big Data
- Commercial ICT Products & Services
- National Research & Education Network
- eScience Collaboration and Tools
Where are these Id. Federations?

(Map of identity federations) Source: REFEDS map production pilot
Federation essentials

• We need a working inter-federation framework
• Collaboration does not have boundaries
Federations work but… challenges still ahead

- Attribute aggregation
- Credential translation
- Levels of assurance
- Bridging communities
- User friendliness
- Attribute release
- Homeless users
- Non-web-browser (access)
Developments in EU and beyond

• EU work on two tiers:
- National basis, led by the NRENs
- EU scale, as part of the GÉANT project, mostly the Identity and Trust research work and services
• Global scale:
- REFEDS
GÉANT InAcademia

• To create a simple service to validate the affiliation of a user (e.g. is this a student?), based on the eduPersonAffiliation attribute
• Use-cases for this:
- Web shop discounts
- "Free" access to some cloud services (e.g. Office 365, Apple, etc.)
- Validate affiliation on relevant social platforms
• Pilot service expected by end of 2014, early 2015
InAcademia Rationale

• The attribute within a federated login can be used to validate membership of the academic community, however:
- Joining a federation is a problem (policies and contracts)
- Implementing SAML and doing federation is tough
- Inter-federation is even harder
- Up-front cost, but no customers
• So, a lot of work, while the service only needs the affiliation, which is pretty low risk in the privacy spectrum
InAcademia — Workflow

• Service gets attributes directly from the user (self-asserted or social)
• Service queries a single "centralised" service, the InAcademia Simple Validation Service, to confirm affiliation
• A well understood protocol can be used to query InAcademia
• Policy barrier for using InAcademia is low
• The user "proves" his affiliation at InAcademia, which is under control of the existing federations and NRENs
• InAcademia is connected to eduGAIN
• Authentication at the home Identity Provider delivers the requested affiliation
• InAcademia interprets the affiliation and answers the requesting service, but never directly delivers attribute values!
• User gets the discount and the service pays a small transaction fee
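The central step of that workflow, written out as an added example (this is not InAcademia's own code): the home IdP's SAML assertion carries eduPersonScopedAffiliation, the relying service asked "is this a student?", and the only thing sent back over the OpenID Connect side is a verdict. The example also adds the check a validation service needs here: an affiliation is only counted when its scope is one the asserting IdP is registered for, so an IdP cannot vouch for another institution's domain. The function names, the IdP scope list and the sample assertion below are assumptions constructed for this example.

```python
"""Affiliation validation that returns a verdict, not attribute values.

Added example, not InAcademia's own code. Models the step where the
validation service reads the home IdP's assertion and answers the
requesting service with yes/no only. Names, the IdP scope list and the
sample assertion are assumptions constructed for this example.
"""
from typing import Dict, Iterable, List, Set

# Controlled vocabulary of eduPersonAffiliation (eduPerson schema).
KNOWN_AFFILIATIONS = {"student", "faculty", "staff", "employee", "member",
                      "affiliate", "alum", "library-walk-in"}


def scoped_affiliations(values: Iterable[str], idp_scopes: Set[str]) -> Set[str]:
    """Keep only affiliations whose scope the asserting IdP is registered for.

    A scope the IdP does not own (per its published shibmd:Scope metadata)
    is not authoritative, so "faculty@other.edu" asserted by example.edu's
    IdP is dropped rather than trusted.
    """
    wanted = {s.lower() for s in idp_scopes}
    kept = set()
    for raw in values:
        if "@" not in raw:
            continue  # unscoped value: no scope binding, ignore it
        affiliation, scope = raw.rsplit("@", 1)
        if scope.lower() in wanted and affiliation.lower() in KNOWN_AFFILIATIONS:
            kept.add(affiliation.lower())
    return kept


def validate_affiliation(requested: str,
                         assertion_attrs: Dict[str, List[str]],
                         idp_scopes: Set[str]) -> Dict[str, object]:
    """Answer the relying service without forwarding any attribute value.

    The response carries the affiliation the service asked about and a
    boolean; the identifier, mail and the full affiliation list from the
    assertion never leave this function.
    """
    requested = requested.lower()
    if requested not in KNOWN_AFFILIATIONS:
        return {"error": "unknown_affiliation"}
    held = scoped_affiliations(
        assertion_attrs.get("eduPersonScopedAffiliation", []), idp_scopes)
    return {"requested": requested, "confirmed": requested in held}


# Constructed sample data: scopes the (hypothetical) example.edu IdP is
# registered for, and the attributes its assertion carried.
SAMPLE_IDP_SCOPES = {"example.edu"}
SAMPLE_ASSERTION = {
    "eduPersonPrincipalName": ["jdoe@example.edu"],
    "mail": ["jdoe@example.edu"],
    "eduPersonScopedAffiliation": ["student@example.edu", "member@example.edu",
                                   "faculty@other.edu"],
}

if __name__ == "__main__":
    for asked in ("student", "faculty"):
        print(asked, validate_affiliation(asked, SAMPLE_ASSERTION, SAMPLE_IDP_SCOPES))
```

Run as a script it prints a confirmation for "student" and a denial for "faculty": the faculty value is scoped to other.edu, which the asserting IdP is not registered for, so it is not counted.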
InAcademia — Benefits

• For Identity Providers:
- SAML based, connected via eduGAIN
- Two profiles that have minimal "low risk" attribute requirements
- No personal data stored at the central service
- One connection with many services that are of high value to users, but low effort for IdPs
• For Services:
- OpenID Connect interface towards the service, no SAML required
- No need to deal with (inter-)federation
- Simplified policy, compatible with the eduGAIN Code of Conduct (CoCo)
- Little up-front cost, only pay a small amount when a transaction is made
- One connection with many trusted Identity Providers
REFEDS

• REFEDS = Research and Education FEDerationS
- Articulates the mutual needs of research and education identity federations worldwide
- Offers best practices for R&E federations to ease inter-federation
- Supported by the GÉANT Association (formerly TERENA)
- Open to anybody with an interest in using federated credentials
https://refeds.org
REFEDS — Entity Categories

• Aim: to group federation entities that share common criteria
- To ease the attribute release problem
- IdPs release the same set of attributes to all SPs that are in a category, rather than negotiating with each of them individually
• Two categories approved:
- Hide from Discovery
- Research and Scholarship
https://wiki.refeds.org/display/ENT/Entity-Categories+Home
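How an IdP would act on those two categories, as an added example (not code from the presentation or from REFEDS): the entity-category values are published in the SP's SAML metadata inside the mdattr:EntityAttributes extension under the attribute name http://macedir.org/entity-category; an IdP release policy reads them and, for a Research and Scholarship SP, releases the R&S bundle without a per-SP negotiation, while a Hide from Discovery SP is dropped from discovery listings. The policy below denies by default: an SP with no category and no explicit rule gets nothing. The sample metadata, user record and per-SP rule are constructed for the example; the function names are assumptions.

```python
"""Attribute release keyed on REFEDS entity categories.

Added example, not code from the presentation or from REFEDS. Reads an
SP's SAML metadata, collects the entity-category values from the
mdattr:EntityAttributes extension and applies an IdP release policy.
Sample metadata, user record and rules are constructed for the example.
"""
import xml.etree.ElementTree as ET
from typing import Dict, List, Optional, Set

NS = {
    "md": "urn:oasis:names:tc:SAML:2.0:metadata",
    "mdattr": "urn:oasis:names:tc:SAML:metadata:attribute",
    "saml": "urn:oasis:names:tc:SAML:2.0:assertion",
}
ENTITY_CATEGORY = "http://macedir.org/entity-category"
RS = "http://refeds.org/category/research-and-scholarship"
HIDE_FROM_DISCOVERY = "http://refeds.org/category/hide-from-discovery"

# R&S attribute bundle (eduPersonTargetedID is optional and left out here).
RS_BUNDLE = frozenset({"eduPersonPrincipalName", "mail", "displayName",
                       "givenName", "sn", "eduPersonScopedAffiliation"})


def entity_categories(sp_metadata_xml: str) -> Set[str]:
    """Return the entity-category URIs declared in an EntityDescriptor."""
    root = ET.fromstring(sp_metadata_xml)
    found = set()
    path = "md:Extensions/mdattr:EntityAttributes/saml:Attribute"
    for attr in root.findall(path, NS):
        if attr.get("Name") != ENTITY_CATEGORY:
            continue
        for value in attr.findall("saml:AttributeValue", NS):
            if value.text:
                found.add(value.text.strip())
    return found


def show_in_discovery(sp_metadata_xml: str) -> bool:
    """Hide-from-Discovery SPs are left out of discovery service listings."""
    return HIDE_FROM_DISCOVERY not in entity_categories(sp_metadata_xml)


def release_policy(sp_metadata_xml: str,
                   user_attrs: Dict[str, List[str]],
                   per_sp_rules: Optional[Dict[str, Set[str]]] = None
                   ) -> Dict[str, List[str]]:
    """Select the attributes an IdP releases to this SP.

    Deny by default: only the R&S category or an explicit per-SP rule
    (keyed on entityID) opens release, and never more than the user has.
    """
    root = ET.fromstring(sp_metadata_xml)
    entity_id = root.get("entityID", "")
    allowed: Set[str] = set()
    if RS in entity_categories(sp_metadata_xml):
        allowed |= RS_BUNDLE
    if per_sp_rules and entity_id in per_sp_rules:
        allowed |= per_sp_rules[entity_id]
    return {name: list(values) for name, values in user_attrs.items()
            if name in allowed}


# Constructed sample metadata: one R&S SP, one hidden SP with no category.
_HEAD = ('<md:EntityDescriptor xmlns:md="urn:oasis:names:tc:SAML:2.0:metadata" '
         'xmlns:mdattr="urn:oasis:names:tc:SAML:metadata:attribute" '
         'xmlns:saml="urn:oasis:names:tc:SAML:2.0:assertion" entityID="%s">'
         '<md:Extensions><mdattr:EntityAttributes>'
         '<saml:Attribute Name="http://macedir.org/entity-category" '
         'NameFormat="urn:oasis:names:tc:SAML:2.0:attrname-format:URI">'
         '<saml:AttributeValue>%s</saml:AttributeValue></saml:Attribute>'
         '</mdattr:EntityAttributes></md:Extensions>'
         '<md:SPSSODescriptor protocolSupportEnumeration='
         '"urn:oasis:names:tc:SAML:2.0:protocol"/></md:EntityDescriptor>')
SAMPLE_RS_SP = _HEAD % ("https://sp.example.org/shibboleth", RS)
SAMPLE_HIDDEN_SP = _HEAD % ("https://internal.example.org/sp", HIDE_FROM_DISCOVERY)

# Constructed user record; eduPersonEntitlement is outside the R&S bundle.
SAMPLE_USER = {
    "eduPersonPrincipalName": ["jdoe@example.edu"],
    "mail": ["jdoe@example.edu"],
    "displayName": ["Jane Doe"],
    "givenName": ["Jane"],
    "sn": ["Doe"],
    "eduPersonScopedAffiliation": ["student@example.edu"],
    "eduPersonEntitlement": ["urn:mace:dir:entitlement:common-lib-terms"],
}

if __name__ == "__main__":
    print(sorted(release_policy(SAMPLE_RS_SP, SAMPLE_USER)))
    print(release_policy(SAMPLE_HIDDEN_SP, SAMPLE_USER))
    print(show_in_discovery(SAMPLE_HIDDEN_SP))
```

The entity category only ever widens release to the fixed bundle; anything beyond it (the entitlement in the sample) still needs an explicit per-SP rule, which is the trade-off the category mechanism is designed around.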
REFEDS — SIRTFI

• A Security Incident Response Trust Framework for Federated Identity: SIR-T-FI
• To define a process for expressing security incident handling requirements as an assurance profile for federations
• Not strictly a REFEDS work, yet…
• A lot of interest in this area
https://wiki.refeds.org/display/GROUPS/SIRTFI