Federations on the rise

Readout and update on Identity Management effort from Europe for the MAGIC team at SuperComputing2014 in New Orleans.
Page 1: Federations on the rise

Federations on the rise…

Licia Florio (GÉANT) & Harold Teunissen (SURFnet), MAGIC Workshop SC14, New Orleans, November 2014

© WALLNOY

Page 2: Federations on the rise

MAGIC WORKSHOP — SC14 — New Orleans, LA, November 2014

Serving Dutch research & education

Page 3: Federations on the rise

SURF as umbrella

- Scientific Computing & Big Data
- Commercial ICT Products & Services
- National Research & Education Network
- eScience Collaboration and Tools

• All ICT activities for Higher Education and Research in the Netherlands are under the SURF umbrella

Page 4: Federations on the rise

Source: REFEFDS mapproductionpilot

MAGIC WORKSHOP — SC14 — New Orleans, LA, November 2014

Where are these Id. Federations?

4

Page 5: Federations on the rise

Federation essentials

• We need a working inter-federation framework
• Collaboration does not have boundaries

Page 6: Federations on the rise

Federations work but…

Challenges still ahead:
- Attribute aggregation
- Credential translation
- Levels of assurance
- Bridging communities
- User friendliness
- Attribute release
- Homeless users
- Non-web-browser

Page 7: Federations on the rise

Developments in EU and beyond

• EU work on two tiers:
  - National basis, led by the NRENs
  - EU scale as part of the GEANT project, mostly the Identity and Trust research work and services
• Global scale:
  - REFEDS

Page 8: Federations on the rise

GEANT InAcademia

• To create a simple service to validate the affiliation of a user (i.e. is this a student?)
• Use-cases for this:
  - Web shop discounts
  - “Free” access to some cloud services (e.g. Office 365, Apple, etc.)
  - Validate affiliation on relevant social platforms
• Pilot service expected by end of 2014, early 2015

Page 9: Federations on the rise

InAcademia Rationale

• The eduPersonAffiliation attribute within a federated login can be used to validate membership of the academic community, however:
  - Joining a federation is a problem (policies and contracts)
  - Implementing SAML and doing federation is tough
  - Inter-federation is even harder
  - Up-front cost, but no customers
• So, a lot of work, while the service only needs the affiliation — pretty low risk in the privacy spectrum

Page 10: Federations on the rise

InAcademia — Workflow

• Service gets attributes directly from user (self-asserted or social)
• Service queries a single “centralised” service — InAcademia, a simple validation service to confirm affiliation
• A well-understood protocol can be used to query InAcademia
• Policy barrier for using InAcademia is low
• The user “proves” his affiliation at InAcademia, which is under control of the existing federations and NRENs
• InAcademia is connected to eduGAIN
• Authentication at home Identity Provider delivers requested affiliation
• InAcademia interprets the affiliation and answers the requesting service, but never directly delivers attribute values!
• User gets discount and service pays a small transaction fee
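The workflow above, as an added toy model (not code from the slides or from the InAcademia project): the service asks a yes/no question, the central validator maps the eduPersonAffiliation values asserted by the user's home IdP onto that question, and the answer it returns carries no attribute values at all. The SAML assertion is simulated, the response shape, the "validatable" groupings, the IdP entityIDs and the transaction counter are all assumptions of this example.

```python
"""Toy model of the InAcademia validation flow (added example, not the
project's code). Constructed sample data; identifiers are assumptions."""
from dataclasses import dataclass
import uuid

# Questions a service may ask, mapped to the eduPersonAffiliation values
# that answer them. The grouping under "affiliated" is an assumption made
# for this example, not an InAcademia policy.
VALIDATABLE = {
    "student": {"student"},
    "faculty": {"faculty"},
    "affiliated": {"student", "faculty", "staff", "employee", "member"},
}


@dataclass
class SamlAssertion:
    """Constructed stand-in for the SAML response from the home IdP."""
    issuer: str        # entityID of the asserting IdP
    attributes: dict   # attribute name -> list of values


@dataclass
class ValidationResponse:
    """What the requesting service receives (OpenID Connect style, assumed
    shape): a transaction id, the question asked and a boolean. No
    attribute values are ever placed here."""
    transaction_id: str
    affiliation_claimed: str
    validated: bool


class InAcademia:
    """Central validation service sitting between services and eduGAIN."""

    def __init__(self, edugain_idps):
        # Only IdPs reachable through eduGAIN are trusted to assert
        # affiliation (slide: "InAcademia is connected to eduGAIN").
        self.edugain_idps = set(edugain_idps)
        self.transactions = 0  # basis for the per-transaction fee

    def validate(self, claimed: str, assertion: SamlAssertion) -> ValidationResponse:
        """Interpret the IdP's affiliation and answer the service."""
        if claimed not in VALIDATABLE:
            raise ValueError(f"unsupported affiliation question: {claimed}")
        # An assertion from an IdP outside the inter-federation is not
        # evidence of anything, so the answer is "not validated".
        trusted = assertion.issuer in self.edugain_idps
        values = set(assertion.attributes.get("eduPersonAffiliation", []))
        ok = trusted and bool(values & VALIDATABLE[claimed])
        self.transactions += 1
        # Nothing from `assertion` is copied into the response: the
        # service learns the answer, never the attribute values.
        return ValidationResponse(str(uuid.uuid4()), claimed, ok)


if __name__ == "__main__":
    svc = InAcademia(["https://idp.example.edu/idp"])  # constructed
    home_idp = SamlAssertion(
        "https://idp.example.edu/idp",
        {"eduPersonAffiliation": ["member", "student"]},
    )
    print(svc.validate("student", home_idp))
    print(svc.validate("faculty", home_idp))
```

The property worth checking in a real deployment is the last comment: the response type simply has no field that could carry an attribute value, so the "never directly delivers attribute values" promise holds by construction rather than by filtering.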

Page 11: Federations on the rise

InAcademia — Benefits

• For Identity Providers
  - SAML based, connected via eduGAIN
  - Two profiles that have minimal ‘low risk’ attribute requirements
  - No personal data stored at central service
  - One connection with many services that are of high value to users, but low effort for IdPs
• For Services
  - OpenID Connect interface towards service, no SAML required
  - No need to deal with (inter-)federation
  - Simplified policy, compatible with eduGAIN CoCo
  - Little upfront cost, only pay a small amount when a transaction is made
  - One connection with many trusted Identity Providers

Page 12: Federations on the rise

REFEDS

• REFEDS = Research and Education FEDerationS
  - To articulate the mutual needs of research and education identity federations worldwide
  - To offer best practices for R&E federations to ease inter-federation
  - Supported by GEANT Association (formerly TERENA)
  - Open to anybody with an interest in using federated credentials

https://refeds.org

Page 13: Federations on the rise

REFEDS — Entity Categories

• Aim: to group federation entities that share common criteria
  - To ease the attribute release problems
  - IdPs would release the same set of attributes to all SPs that are in a category, instead of negotiating with each of them individually
• Two categories approved:
  - Hide from Discovery
  - Research and Scholarship

https://wiki.refeds.org/display/ENT/Entity-Categories+Home
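An added example of the release mechanism the slide describes (not code from the slides or from any REFEDS or federation software): an IdP-side attribute filter that releases a fixed bundle to every SP carrying the Research and Scholarship category, falls back to per-SP bilateral agreements otherwise, and a discovery listing that honours Hide from Discovery. The category URIs are the ones REFEDS publishes; the R&S bundle contents follow the REFEDS specification rather than the slide, and the SP metadata, IdP list and user record are constructed sample data.

```python
"""Entity-category-driven attribute release at an IdP (added example).
Category URIs as published by REFEDS; bundle contents per the REFEDS R&S
specification (not on the slide); all entities and the user record are
constructed sample data."""

RESEARCH_AND_SCHOLARSHIP = "http://refeds.org/category/research-and-scholarship"
HIDE_FROM_DISCOVERY = "http://refeds.org/category/hide-from-discovery"

# The bundle every R&S service receives; no per-SP negotiation needed.
RS_BUNDLE = {
    "eduPersonPrincipalName", "mail", "displayName",
    "givenName", "sn", "eduPersonScopedAffiliation",
}

# Bilateral agreements: the per-SP negotiation the category replaces.
# Constructed sample data.
BILATERAL = {
    "https://sp.legacy.example.org/shibboleth": {"eduPersonPrincipalName"},
}


def release_policy(sp):
    """Attribute names the IdP will release to `sp`, a dict holding the
    'entity_id' and 'entity_categories' read from the SP's SAML metadata."""
    allowed = set(BILATERAL.get(sp["entity_id"], set()))
    if RESEARCH_AND_SCHOLARSHIP in sp.get("entity_categories", ()):
        allowed |= RS_BUNDLE
    return allowed


def filter_attributes(user_attrs, sp):
    """Apply the policy: only allowed attributes leave the IdP. An SP with
    neither a category nor an agreement gets nothing (safe default)."""
    allowed = release_policy(sp)
    return {k: v for k, v in user_attrs.items() if k in allowed}


def discovery_listing(idps):
    """The other approved category: a discovery service omits IdPs tagged
    Hide from Discovery. The IdP stays usable; it is just not advertised."""
    return [
        idp["entity_id"] for idp in idps
        if HIDE_FROM_DISCOVERY not in idp.get("entity_categories", ())
    ]


# Constructed sample data
USER = {
    "eduPersonPrincipalName": "alice@example.edu",
    "mail": "alice@example.edu",
    "displayName": "Alice Example",
    "eduPersonScopedAffiliation": ["student@example.edu"],
    "eduPersonEntitlement": ["urn:mace:example.edu:lab-access"],  # not in R&S
}
SP_RS = {"entity_id": "https://sp.research.example.org/sp",
         "entity_categories": [RESEARCH_AND_SCHOLARSHIP]}
SP_LEGACY = {"entity_id": "https://sp.legacy.example.org/shibboleth",
             "entity_categories": []}
SP_UNKNOWN = {"entity_id": "https://sp.unknown.example.net/sp",
              "entity_categories": []}
IDPS = [
    {"entity_id": "https://idp.example.edu/idp", "entity_categories": []},
    {"entity_id": "https://idp.test.example.edu/idp",
     "entity_categories": [HIDE_FROM_DISCOVERY]},
]

if __name__ == "__main__":
    for sp in (SP_RS, SP_LEGACY, SP_UNKNOWN):
        print(sp["entity_id"], "->", sorted(filter_attributes(USER, sp)))
    print("discoverable IdPs:", discovery_listing(IDPS))
```

The safe default matters: an SP that carries no recognised category and has no bilateral agreement receives an empty attribute set, so a mis-tagged or unknown entity cannot widen release by accident.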

Page 14: Federations on the rise

REFEDS — SIRTFI

• A Security Incident Response Trust Framework for Federated Identity — SIR-T-FI
• To define a process for expressing security incident handling requirements as an assurance profile for federations.
• Not strictly a REFEDS work, yet…
• A lot of interest in this area

https://wiki.refeds.org/display/GROUPS/SIRTFI