Kalmar Union lessons: Findings in federation harmonisation • REFEDS, 7.6.2009 • Mikael Linden, CSC
Kalmar Union: a Nordic confederation • A confederation formed by sharing SAML2 metadata between the Nordic federations • Entities currently in Kalmar: FEIDE (NO) 1 IdP, 7 SPs; Haka (FI) 2 IdPs, 2 SPs; WAYF (DK) 1 IdP, 3 SPs; SWAMID (SE) is also a member • www.kalmar2.org • Kalmar talk on Tuesday at TNC – welcome • This talk summarises the findings
Findings in federation harmonisation • 1. Harmonise attributes: mandatory attributes, semantics of attributes, unique identifiers • 2. Campus Identity Management requirements: the floor for IdM quality on the IdP side • 3. Usability and user experience • 4. SAML 2.0 profile • 5. Federation business models
1.1. Harmonise mandatory attributes • Mandatory = available for every end user at every IdP (but not necessarily released to every SP) • The first question from a confederation SP: "What is the list of attributes whose existence I can rely on in every federation?"
1.2. Harmonise attribute semantics • If the same attribute means different things in different federations, interpreting the differences is too difficult a job to leave to the admin of a confederation SP
1.3. Harmonise unique identifiers • Currently: eduPersonPrincipalName (ePPN) is used almost everywhere • But: its primary property, uniqueness, is not guaranteed over time • Some federations/IdPs reassign ePPN (DK, NO), so a departed user's ePPN can later belong to a different person • Some federations never reassign ePPN (SE) • The SP admin has to adapt to the weakest policy, i.e. treat every ePPN as potentially reused • Or: abandon ePPN and go for the SAML2 persistent identifier (eduPersonTargetedID, ePTID)
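Added example (not from the slides): a small Python model of the two failure modes behind 1.1 and 1.3, as a confederation SP would see them. One IdP reassigns a departed user's ePPN to a new person; an SP that keys its local accounts on ePPN hands the old account to the newcomer, while an SP that keys on the SAML2 persistent NameID, scoped by issuer, does not. The same SP also refuses assertions that fall below an assumed attribute floor before linking any account. All entity IDs, user records and the floor set are constructed for illustration; the slides do not say which attributes Kalmar's floor contains.

```python
"""Account linking at a confederation SP: ePPN vs. SAML2 persistent NameID.

Added example, not code from the slides. Entity IDs, users and the
attribute floor are constructed.
"""
import secrets
from dataclasses import dataclass, field

# Assumed confederation attribute floor (slide 1.1): attributes every IdP
# guarantees to hold for each user. The real Kalmar list is not on the slides.
ATTRIBUTE_FLOOR = frozenset({"eduPersonPrincipalName", "mail", "displayName"})


@dataclass
class IdP:
    entity_id: str
    users: dict = field(default_factory=dict)           # internal record key -> attributes
    persistent_ids: dict = field(default_factory=dict)  # (record key, SP) -> persistent NameID

    def provision(self, record_key, eppn, **attrs):
        self.users[record_key] = {"eduPersonPrincipalName": eppn, **attrs}

    def deprovision(self, record_key):
        del self.users[record_key]

    def assertion(self, record_key, sp_entity_id):
        """Attributes plus a SAML2 persistent NameID for this (user, SP) pair.

        The NameID is opaque, SP-scoped, and bound to the internal record key,
        which is never reused, so it cannot follow an ePPN to a new person.
        """
        key = (record_key, sp_entity_id)
        if key not in self.persistent_ids:
            self.persistent_ids[key] = secrets.token_urlsafe(24)
        return {
            "issuer": self.entity_id,
            "persistent_id": self.persistent_ids[key],
            "attributes": dict(self.users[record_key]),
        }


class SP:
    def __init__(self, entity_id, link_by):
        self.entity_id = entity_id
        self.link_by = link_by   # "eppn" or "persistent"
        self.accounts = {}       # federated key -> local account
        self.next_uid = 1000

    def check_floor(self, assertion):
        """Fail closed if the IdP did not deliver the agreed mandatory attributes."""
        missing = ATTRIBUTE_FLOOR - set(assertion["attributes"])
        if missing:
            raise ValueError(f"attribute floor violated, missing {sorted(missing)}")

    def federated_key(self, assertion):
        if self.link_by == "eppn":
            return ("eppn", assertion["attributes"]["eduPersonPrincipalName"])
        # A persistent NameID is only unique per issuer, so scope it by issuer.
        return ("persistent", assertion["issuer"], assertion["persistent_id"])

    def login(self, assertion):
        self.check_floor(assertion)
        key = self.federated_key(assertion)
        if key not in self.accounts:
            self.accounts[key] = {"uid": self.next_uid,
                                  "owner": assertion["attributes"]["displayName"]}
            self.next_uid += 1
        return self.accounts[key]


def reassignment_scenario(link_by):
    """Alice leaves; her ePPN is reassigned to Bob. Return (alice_uid, bob_uid)."""
    idp = IdP("https://idp.example.no/idp")
    sp = SP("https://sp.example.org/sp", link_by)
    idp.provision("rec-001", "asmith@example.no", mail="alice@example.no", displayName="Alice Smith")
    alice = sp.login(idp.assertion("rec-001", sp.entity_id))
    idp.deprovision("rec-001")
    # A new person gets the same ePPN but a new internal record.
    idp.provision("rec-002", "asmith@example.no", mail="bob@example.no", displayName="Bob Smith")
    bob = sp.login(idp.assertion("rec-002", sp.entity_id))
    return alice["uid"], bob["uid"]


def floor_violation_detected():
    """An IdP omitting a floor attribute is rejected before any account is linked."""
    idp = IdP("https://idp.example.se/idp")
    sp = SP("https://sp.example.org/sp", "persistent")
    idp.provision("rec-009", "cjones@example.se", displayName="Carol Jones")  # no mail
    try:
        sp.login(idp.assertion("rec-009", sp.entity_id))
    except ValueError:
        return True
    return False


if __name__ == "__main__":
    print("link by ePPN      (alice, bob):", reassignment_scenario("eppn"))
    print("link by persistent (alice, bob):", reassignment_scenario("persistent"))
    print("floor violation detected:", floor_violation_detected())
```

With ePPN linking, Bob's first login returns uid 1000, Alice's old account; with persistent-NameID linking he gets a fresh uid 1001. This is the concrete reason the SP admin must either assume the weakest reassignment policy or move to ePTID.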
2. Floor for Campus IdM • Kalmar sets a high requirement on campus IdM • Traditional LoA: initial identity proofing, password quality • Quality of attributes: accounts closed for departing users • Trade-off between • what SPs want (e.g. the TERENA Grid Certificate project, the CLARIN project) • what federations are willing to enforce on their IdPs • Too difficult if tackling the differences is left to SP admins
3. Usability and user experience • How to make IdP Discovery easy? • How to inform the end user about the processing of his/her personal data?
4. Harmonised SAML2 profile • Until now, most federations have used a single product (e.g. Shibboleth, SimpleSAMLphp) • For cross-product interoperability, a common SAML2 WebSSO profile is needed • Few profiles exist • The IdP Lite / SP Lite conformance modes of OASIS – still quite complex • SAML2Simple • Good news: it's not too late to harmonise this
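Added example (not from the slides): what a harmonised profile buys the confederation SP admin is that the shared metadata can be checked mechanically rather than by reading each foreign federation's conventions. The Python below walks a constructed EntitiesDescriptor and reports which IdPs and SPs fall short of an assumed minimal WebSSO profile: SAML 2.0 protocol support, an HTTP-Redirect SingleSignOnService, an HTTP-POST AssertionConsumerService, the persistent NameID format, and a signing KeyDescriptor. Those five requirements are an illustration chosen here; the slides do not state which profile Kalmar adopted, and the metadata is constructed.

```python
"""Check shared SAML2 metadata against a minimal WebSSO profile.

Added example, not code from the slides. The profile requirements and the
metadata below are constructed for illustration.
"""
import xml.etree.ElementTree as ET

NS = {"md": "urn:oasis:names:tc:SAML:2.0:metadata"}
SAML2P = "urn:oasis:names:tc:SAML:2.0:protocol"
REDIRECT = "urn:oasis:names:tc:SAML:2.0:bindings:HTTP-Redirect"
POST = "urn:oasis:names:tc:SAML:2.0:bindings:HTTP-POST"
PERSISTENT = "urn:oasis:names:tc:SAML:2.0:nameid-format:persistent"

# Constructed aggregate: one IdP that meets the assumed profile, one that
# does not, and one SP that does.
CONSTRUCTED_METADATA = """<md:EntitiesDescriptor xmlns:md="urn:oasis:names:tc:SAML:2.0:metadata"
    xmlns:ds="http://www.w3.org/2000/09/xmldsig#" Name="urn:example:constructed-aggregate">
  <md:EntityDescriptor entityID="https://idp.example.fi/idp">
    <md:IDPSSODescriptor protocolSupportEnumeration="urn:oasis:names:tc:SAML:2.0:protocol">
      <md:KeyDescriptor use="signing"><ds:KeyInfo><ds:X509Data>
        <ds:X509Certificate>constructed-placeholder</ds:X509Certificate>
      </ds:X509Data></ds:KeyInfo></md:KeyDescriptor>
      <md:NameIDFormat>urn:oasis:names:tc:SAML:2.0:nameid-format:persistent</md:NameIDFormat>
      <md:NameIDFormat>urn:oasis:names:tc:SAML:2.0:nameid-format:transient</md:NameIDFormat>
      <md:SingleSignOnService Binding="urn:oasis:names:tc:SAML:2.0:bindings:HTTP-Redirect"
          Location="https://idp.example.fi/idp/SSO/Redirect"/>
      <md:SingleSignOnService Binding="urn:oasis:names:tc:SAML:2.0:bindings:HTTP-POST"
          Location="https://idp.example.fi/idp/SSO/POST"/>
    </md:IDPSSODescriptor>
  </md:EntityDescriptor>
  <md:EntityDescriptor entityID="https://idp.example.dk/idp">
    <md:IDPSSODescriptor protocolSupportEnumeration="urn:oasis:names:tc:SAML:2.0:protocol">
      <md:NameIDFormat>urn:oasis:names:tc:SAML:2.0:nameid-format:transient</md:NameIDFormat>
      <md:SingleSignOnService Binding="urn:oasis:names:tc:SAML:2.0:bindings:HTTP-POST"
          Location="https://idp.example.dk/idp/SSO/POST"/>
    </md:IDPSSODescriptor>
  </md:EntityDescriptor>
  <md:EntityDescriptor entityID="https://sp.example.org/sp">
    <md:SPSSODescriptor protocolSupportEnumeration="urn:oasis:names:tc:SAML:2.0:protocol">
      <md:AssertionConsumerService index="0"
          Binding="urn:oasis:names:tc:SAML:2.0:bindings:HTTP-POST"
          Location="https://sp.example.org/sp/ACS"/>
    </md:SPSSODescriptor>
  </md:EntityDescriptor>
</md:EntitiesDescriptor>
"""


def check_idp(idp):
    """Return the list of assumed-profile violations for one IDPSSODescriptor."""
    problems = []
    if SAML2P not in idp.get("protocolSupportEnumeration", "").split():
        problems.append("IdP does not advertise SAML 2.0 protocol support")
    bindings = {e.get("Binding") for e in idp.findall("md:SingleSignOnService", NS)}
    if REDIRECT not in bindings:
        problems.append("IdP has no HTTP-Redirect SingleSignOnService")
    formats = {(e.text or "").strip() for e in idp.findall("md:NameIDFormat", NS)}
    if PERSISTENT not in formats:
        problems.append("IdP does not offer the persistent NameID format")
    if not idp.findall("md:KeyDescriptor", NS):
        problems.append("IdP publishes no KeyDescriptor, so its signatures cannot be verified")
    return problems


def check_sp(sp):
    """Return the list of assumed-profile violations for one SPSSODescriptor."""
    problems = []
    if SAML2P not in sp.get("protocolSupportEnumeration", "").split():
        problems.append("SP does not advertise SAML 2.0 protocol support")
    bindings = {e.get("Binding") for e in sp.findall("md:AssertionConsumerService", NS)}
    if POST not in bindings:
        problems.append("SP has no HTTP-POST AssertionConsumerService")
    return problems


def check_metadata(xml_text):
    """Map entityID -> violations for every EntityDescriptor in the aggregate."""
    root = ET.fromstring(xml_text)
    report = {}
    for ent in root.iter(f"{{{NS['md']}}}EntityDescriptor"):
        problems = []
        for idp in ent.findall("md:IDPSSODescriptor", NS):
            problems.extend(check_idp(idp))
        for sp in ent.findall("md:SPSSODescriptor", NS):
            problems.extend(check_sp(sp))
        report[ent.get("entityID")] = problems
    return report


if __name__ == "__main__":
    for entity_id, problems in check_metadata(CONSTRUCTED_METADATA).items():
        print(entity_id, "OK" if not problems else problems)
```

Run against the constructed aggregate, the Finnish IdP and the SP pass while the Danish IdP is flagged three times (no Redirect endpoint, no persistent NameID, no signing key). In a real confederation the same check would run over the merged metadata feed before an entity is published to the other members.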
5. Harmonised business models • How federation members/partners are invoiced differs federation by federation • e.g. external SPs: • WAYF (DK) does not invoice anyone • Haka (FI) does not invoice library content providers but does invoice DreamSpark • If the model isn't harmonised within a confederation, every SP joins the cheapest federation and gets access to the others for free
Summary • Harmonising federations is a boring job • It is a change to a distributed system already in production • Backwards-incompatible changes? • Without harmonisation, the issues become too difficult for the confederation SP admin • S/he is an expert in his/her own service • S/he is not, and does not want to become, an expert in how foreign federations differ from each other • If we don't harmonise them, confederations won't fly • High hopes that eduGAIN will work on the issue