Refeds federation survey update
Theme of the day: Campus Identity Management
TF-EMC2 Umeå, 9th Jul 2008
Mikael.Linden@csc.fi
CSC, the Finnish IT Center for Science
Federation survey wiki
• In the Rediris wiki: http://www.rediris.es/wiki/tf-emc2/index.php/Federations
• Publicly readable; editing needs a username and password for the wiki (ask Diego if you don't have one)
• Federation representatives are expected to maintain their own data in the wiki themselves
• The following numbers are based on the current entries in the wiki
Federations covered so far
• AAF (.au): some data
• SWITCHaai (.ch): full data
• DFN-AAI (.de): full data
• WAYF (.dk): some data
• CBIC (.es): full data
• Sauwok (.es): no data
• SIR (.es): full data
• Haka (.fi): full data
• CRU (.fr): full data
• GRNET (.gr): full data
• AAI@EduHr (.hr): full data
• SURFnet (.nl): full data
• FEIDE (.no): full data
• Swamid (.se): some data
• UK Access Management Federation for Education and Research (.uk): full data
• InCommon (.us): full data
• IGTF (int): full data
13 production federations

Federation (since)        Protocols                            Implementations
SWITCHaai (ch, 8/2005)    Shib 1.3, SAML2                      Shib 1.3, Shib 2
DFN (de, 11/2007)         Shib 1.3, (SAML2)                    Shib 1.3
CBIC (es, 7/2002)         PAPI                                 PAPI 1.4
SIR (es, 4/2008)          PAPI, Shib 1.3, OpenID               PAPI 1.4/5, Shib 1.3/2, SimpleSAMLphp
Haka (fi, 8/2005)         Shib 1.3                             Shib 1.3
CRU (fr, 10/2006)         Shib 1.3                             Shib 1.3
GRNET (gr, 1/2007)        Shib 1.3                             Shib 1.3
AAI@edu.hr (hr)           RADIUS+SOAP/SAML                     RADIUS+AOSI+SimpleSAML
Surfnet (nl, 11/2007)     A-Select, Shib 1.3, SAML2, WS-Fed    A-Select+PingFederate
FEIDE (no, 5/2003)        SAML2, Moria                         Moria2, Sun AM
UK fed (uk, 11/2006)      Shib 1.3
InCommon (us)             Shib 1.3                             Shib 1.3
IGTF (int, 10/2005)       X.509                                OpenSSL, OpenCA etc.
IdPs and end users

Federation        # of users         # of IdPs
SWITCHaai (ch)    260 000 (95%)      35 IdPs
DFN (de)                             26 IdPs
CBIC (es)         4 469              120 IdPs
SIR (es)          130 000 (20%)      13 IdPs
Haka (fi)         260 000 (80%)      26 IdPs
CRU (fr)          640 000 (45%)      42 IdPs
GRNET (gr)        30 000 (30%)       19 IdPs
AAI@edu.hr        530 000            220 IdPs
Surfnet (nl)      110 000            13 IdPs
Feide (no)        205 000 (80%)      17 home orgs
UK fed (uk)                          182 IdPs
InCommon (us)     1 700 000          53 IdPs
IGTF (int)        thousands          57 IdPs
SPs and categories

Federation        # of SPs    Categories of SPs
SWITCHaai (ch)    265         eLearning
DFN (de)          17
CBIC (es)         145         content/library
SIR (es)          4           content/library, eLearning
Haka (fi)         46          eLearning, library, administration
CRU (fr)          41          library, roaming, eLearning
GRNET (gr)        4
AAI@edu.hr        70          network access, eLearning, computing
Surfnet (nl)                  library, eLearning
Feide (no)        50          administration, self-service, library etc.
UK fed (uk)       160         eLearning, library
InCommon (us)     112
IGTF (int)        a dozen     grid
Requirements for Campus IdM: initial authentication (identity proofing at registration)

Federation        Requirements the federation imposes on initial authentication
SWITCHaai (ch)    No (local rules only)
DFN (de)          No (local rules only)
CBIC (es)         Face-to-face registration
SIR (es)          No (local rules only)
Haka (fi)         Face-to-face registration, or first login using bank ID
CRU (fr)          No (local rules only)
GRNET (gr)        No (local rules only)
AAI@edu.hr        Federation lays down overall rules, the rest is done locally
Surfnet (nl)      No (local rules only)
Feide (no)        Photo ID, or national identity number + PIN
UK fed (uk)       Federation lays down overall rules, the rest is done locally
InCommon (us)     No (local rules only)
IGTF (int)        Photo ID
Requirements for Campus IdM: on-line authentication during login

Federation        Requirements the federation imposes on on-line authentication
SWITCHaai (ch)    No (local rules only)
DFN (de)          Username/password (local rules only)
CBIC (es)         Password quality control and change patterns; some use of X.509
SIR (es)          No (local rules only)
Haka (fi)         Password at least 8 characters
CRU (fr)          No (local rules only)
GRNET (gr)        No (local rules only)
AAI@edu.hr        Federation lays down overall rules, the rest is done locally
Surfnet (nl)      No (local rules only); some use of X.509 and OTP; work on a best practice under way
Feide (no)        Username/password (local rules only)
UK fed (uk)       IdPs stating that they provide user accountability must train their users
InCommon (us)     No (local rules only)
IGTF (int)        X.509
Requirements for Campus IdM: when a user departs

Federation        Requirements the federation imposes on closing an account
SWITCHaai (ch)    Locally established process
DFN (de)          Within 2 weeks
CBIC (es)         Must be kept up to date
SIR (es)          Must be kept up to date
Haka (fi)         Within 1 week
CRU (fr)          Local rules only
GRNET (gr)        Local rules only
AAI@edu.hr        On a best-effort basis
Surfnet (nl)      Local rules only
Feide (no)        Within 24 hours
UK fed (uk)       "Promptly"
InCommon (us)     Local rules only
IGTF (int)        Not applicable
Requirements for Campus IdM: audits of Campus IdM?

Federation        Requirements on Campus IdM audits
SWITCHaai (ch)    No
DFN (de)          No
CBIC (es)         According to the common policies of CSIC
SIR (es)          According to local policies
Haka (fi)         Self-audit for joining IdPs; IdM description published
CRU (fr)          IdP must provide its IdM policy to CRU on request
GRNET (gr)        No
AAI@edu.hr        If deviations are detected; certification of IdPs planned
Surfnet (nl)      If abuse is detected, the IdP must publish its IdM policy
Feide (no)        Audit based on a checklist for joining IdPs
UK fed (uk)       If deviations are detected; non-compliant IdPs are dropped
InCommon (us)     No
IGTF (int)        Initial audit + annual self-audit; CP/CPS published
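The two previous slides (account closure deadlines, and the self-audits some federations expect of joining IdPs) describe a check that an IdP operator can actually run against its own records. The script below is an added example, not part of the survey or of any federation's tooling: it joins constructed HR departure events with constructed account-disable timestamps and flags accounts closed later than the federation's deadline. The deadlines for Feide (24 hours), Haka (1 week) and DFN (2 weeks) are taken from the slide; the record format, field names and sample data are assumptions made for the example.

```python
"""
Deprovisioning self-audit (added example; assumptions noted inline).
Federations with "local rules only" are deliberately absent from the
deadline table so that an unknown federation name fails loudly instead of
silently passing every account.
"""
from datetime import datetime, timedelta, timezone

# Deadlines as stated in the survey slide on account closure.
DEADLINES = {
    "feide": timedelta(hours=24),
    "haka": timedelta(days=7),
    "dfn": timedelta(days=14),
}

# Constructed sample records: HR departure event joined with the IdP's
# account-disable log. Timestamps are ISO 8601 in UTC; disabled=None means
# the account is still enabled. Field names are an assumption.
SAMPLE_RECORDS = [
    {"uid": "alice", "departed": "2008-06-01T08:00:00Z", "disabled": "2008-06-01T17:30:00Z"},
    {"uid": "bob",   "departed": "2008-06-02T08:00:00Z", "disabled": "2008-06-05T09:00:00Z"},
    {"uid": "carol", "departed": "2008-06-03T08:00:00Z", "disabled": None},
    {"uid": "dave",  "departed": "2008-06-20T08:00:00Z", "disabled": "2008-06-20T20:00:00Z"},
]


def parse_ts(s):
    """Parse a 'YYYY-MM-DDTHH:MM:SSZ' timestamp into an aware UTC datetime."""
    return datetime.strptime(s, "%Y-%m-%dT%H:%M:%SZ").replace(tzinfo=timezone.utc)


def audit_deprovisioning(records, federation, now):
    """Return a list of (uid, status, lag) tuples.

    status is one of:
      'ok'   - account disabled within the federation's deadline
      'late' - disabled after the deadline, or still enabled past it
      'open' - still enabled, but the deadline has not yet expired at `now`
    lag is the time from departure to disabling (or to `now` if still open).
    """
    deadline = DEADLINES[federation.lower()]  # KeyError for unknown federations
    findings = []
    for r in records:
        departed = parse_ts(r["departed"])
        if r["disabled"] is None:
            lag = now - departed
            status = "open" if lag <= deadline else "late"
        else:
            lag = parse_ts(r["disabled"]) - departed
            status = "ok" if lag <= deadline else "late"
        findings.append((r["uid"], status, lag))
    return findings


def violations(findings):
    """Just the uids that breached the deadline."""
    return [uid for uid, status, _ in findings if status == "late"]


if __name__ == "__main__":
    now = parse_ts("2008-06-21T00:00:00Z")
    for fed in ("feide", "haka", "dfn"):
        found = audit_deprovisioning(SAMPLE_RECORDS, fed, now)
        print(f"{fed}: violations = {violations(found)}")
        for uid, status, lag in found:
            print(f"  {uid:6} {status:5} lag={lag}")
```

Still-enabled accounts are the case a naive join misses: they have no disable timestamp at all, so the lag is measured against the audit time, and the account is only counted as a breach once the deadline has actually elapsed. Changing the federation key changes which of the same records count as violations, which is exactly the point of the survey table.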
Please remember to update your federations’ data in the Refeds wiki!