
Towards Interconnecting the Nordic Identity Federations

TNC2007. Walter M Tveter, UiO; Mikael Linden, CSC/HAKA; Ingrid Melve, Uninett/Feide.


Presentation Transcript


  1. Towards Interconnecting the Nordic Identity Federations. TNC2007. Walter M Tveter, UiO; Mikael Linden, CSC/HAKA; Ingrid Melve, Uninett/Feide

  2. Interconnecting federations
  • The Kalmar Union policy
  • Cross-federation model
  • Technical solution
  • Crossing circles of trust
  • Participants
  • Consent and attributes
  • Future works

  3. Kalmar union
  • The first Kalmar union (1397-1524) united the Nordic countries under a single monarch, giving up sovereignty but not independence
  • Interconnecting Nordic AAI federations
  • Model for exchanging traffic
  • My users have access to your services?
  • Your users have access to my services?
  • What is the simplest solution for interconnecting access control?
  • Policy issues for federations

  4. Policy
  • Minimal information disclosure, informed consent
  • Voluntary participation in cross-federation
  • No liability (this must be written in the contract)
  • Conflict resolution by an elected board
  • Minimal intellectual property rights, as there are minimal central components
  • Services across borders, jurisdiction
  • Best effort, no guarantees needed
  • Money flow is outside our scope (goes directly between IdP and SP)

  5. Kalmar cross-federation model
  • Bilateral agreements
  • Cross-federation charter
  • Overlapping federations; a federation may choose to leave parts out of the overlap
  • Previous work
  • Aligned federation policies
  • Worked together in GNOMIS
  • norEdu* schemas developed in GNOMIS

  6. Participants (diagram)
  • Federations: HAKA in Finland, Feide in Norway
  • Federations to join: SWAMI in Sweden, DK-AAI in Denmark
  • Participants: end users, identity providers (home organizations), service providers

  7. Technical Kalmar solution
  • SAML 2 metadata for federation overlap
  (diagram: HAKA Identity Provider, HAKA Service Provider, Feide Identity Provider, Feide Service Provider)

  8. Technical work
  • Trial interconnect in September 2006
  • Shibboleth 1.3 in HAKA
  • Sun Access Manager (SAML 2.0) in Feide
  • eduGAIN bridging element evaluated
  • Backwards compatible with Shibboleth 1.3
  • Not yet available, but preliminary tests running
  • Easier to do SAML 2.0-based connections

  9. Crossing Circles of Trust
  • User wants to access a service in another Identity Federation
  • Must find the right login service (WAYF or explicit links)
  • What is really transferred
  • Identity Provider sends login and attributes
  • Service Provider must trust a third-party login from outside its own federation
  • Opt-in at all levels: user, IdP and federation
  • May have opt-out at the federation level, if needed

  10. Consent and attributes
  • Informed consent
  • Attribute transfer
  • Safeguards at 3 levels: user, IdP/home, federation
  • Voluntary participation in cross-federation
  • Opt-in for end user
  • Opt-in for identity providers (home organizations)
  • Opt-in for each federation
  • Semantic interoperability based on eduPerson (with extensions)
  • Information about semantics
  • We do not enforce the same semantics
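To make the "SAML 2 metadata for federation overlap" of slide 7 and the IdP- and federation-level opt-in of slides 9 and 10 concrete, here is an added Python example; it is not code from the Kalmar project or any of the federations. It assumes each federation publishes one SAML 2 metadata aggregate (EntitiesDescriptor) plus a list of entityIDs it has opted in, builds the overlap from constructed sample aggregates, and refuses an entityID claimed by two federations, since a relying party could not tell which federation vouches for it.

```python
import xml.etree.ElementTree as ET

MD = "urn:oasis:names:tc:SAML:2.0:metadata"
NS = {"md": MD}

# Constructed sample aggregates (not real HAKA or Feide metadata): each
# federation publishes one EntitiesDescriptor listing its IdPs and SPs.
HAKA_XML = f"""<EntitiesDescriptor xmlns="{MD}" Name="haka">
  <EntityDescriptor entityID="https://idp.example.fi/idp"><IDPSSODescriptor/></EntityDescriptor>
  <EntityDescriptor entityID="https://sp.example.fi/sp"><SPSSODescriptor/></EntityDescriptor>
  <EntityDescriptor entityID="https://idp2.example.fi/idp"><IDPSSODescriptor/></EntityDescriptor>
</EntitiesDescriptor>"""
FEIDE_XML = f"""<EntitiesDescriptor xmlns="{MD}" Name="feide">
  <EntityDescriptor entityID="https://idp.example.no/idp"><IDPSSODescriptor/></EntityDescriptor>
  <EntityDescriptor entityID="https://sp.example.no/sp"><SPSSODescriptor/></EntityDescriptor>
</EntitiesDescriptor>"""

def entities(xml_text):
    """Map entityID -> 'idp' or 'sp' for every entity in one aggregate."""
    out = {}
    for ed in ET.fromstring(xml_text).findall("md:EntityDescriptor", NS):
        if ed.find("md:IDPSSODescriptor", NS) is not None:
            out[ed.get("entityID")] = "idp"
        elif ed.find("md:SPSSODescriptor", NS) is not None:
            out[ed.get("entityID")] = "sp"
    return out

def build_overlap(feds, opt_in):
    """Cross-federation overlap: only entities their home federation has opted in.
    feds: {name: aggregate xml}; opt_in: {name: set of entityIDs}.
    Returns {entityID: (federation, role)}; an entityID published by two federations is rejected."""
    overlap, home = {}, {}
    for name, xml_text in feds.items():
        for eid, role in entities(xml_text).items():
            if home.get(eid, name) != name:
                raise ValueError(f"{eid} published by both {home[eid]} and {name}")
            home[eid] = name
            if eid in opt_in.get(name, ()):
                overlap[eid] = (name, role)
    return overlap

def peer_view(overlap, fed):
    """Entities a member of `fed` must additionally trust: the opted-in IdPs and SPs
    of the other federations, never its own (those come from its home metadata)."""
    return {eid: v for eid, v in overlap.items() if v[0] != fed}
```

A Feide SP would load `peer_view(overlap, "feide")` on top of its regular Feide metadata, so it only ever accepts logins from HAKA IdPs that HAKA has explicitly opted in; the end-user opt-in of slide 10 is a separate consent step at the IdP, not a metadata filter.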

  11. Future work
  • Single Sign On and informed consent
  • How to inform users
  • Operational service
  • Depends on the introduction of SAML 2.0
  • Revisit the policy after we have real-life experience of what problems turn up in production
