Federations round table
Haka federation of Finland
EuroCAMP 17.4.2007
Mikael Linden mikael.linden@csc.fi
CSC, the Finnish IT Center for Science
Status of Haka Federation
• Operational 8/2005
• 23 (of 48) Federation Members
  • with 213 000 end users (68% of eduPersons; in universities 90%)
• 3 Federation partners
  • Library content providers, ASP service providers
• 13 IdPs operational
  • with 159 000 end users (51% of eduPersons)
• 20 SPs
• 168 400 logins in March 2007
• federating sw: Shibboleth ver 1.3
  • 2 IdPs still running Shibboleth 1.2
SPs in the federation
Library services
• Nelli portal (Ex Libris MetaLib)
• Library management system (Endeavor Voyager)
eLearning
• Moodle, A&O, Optima learning management systems
CSC’s services
• Funet extranet
• Scientist’s Interface
Student administration
• Application form for becoming a visiting student www.joopas.fi
HR administration
• Competence management system/ASP (Personec hr)
Other administration
• Process database for universities
• WLAN roaming (Jyväskylä polytech)
Campus IdM policies in Haka federation
Home organisations must make sure that
• only fresh attributes are released to SPs
• when an end user departs, the accounts must be closed (or the roles updated) no later than seven days after the departure
• initial authentication is done face-to-face (or similar)
  • using photo ID issued by the police
• on-line authentication uses at least passwords
  • no less than 8 characters + other quality checks
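The deprovisioning deadline and the password minimum above are checkable requirements. The following is an added example (not from the Haka slides or the federation operator) of how a home organisation could audit its own directory against them: accounts still active more than seven days after departure are flagged, and new passwords are checked for the 8-character minimum. The record layout, the audit date and the extra "quality checks" (no user id inside the password, three character classes) are assumptions made for this example.

```python
"""Audit helpers for two Haka minimum IdM requirements (added example).

Assumed: a flat list of account records exported from the campus directory.
The seven-day deadline and the 8-character minimum come from the policy;
the extra password quality rules are example choices, not federation rules.
"""
from dataclasses import dataclass
from datetime import date, timedelta
from typing import List, Optional

DEPROVISION_DEADLINE = timedelta(days=7)   # close/update no later than 7 days after departure
MIN_PASSWORD_LENGTH = 8                    # no less than 8 characters


@dataclass
class Account:
    uid: str
    active: bool
    departed_on: Optional[date]   # None while the person is still affiliated


# Constructed sample export; the audit is run "on" the EuroCAMP date.
AUDIT_DATE = date(2007, 4, 17)
SAMPLE_ACCOUNTS = [
    Account("alice", active=True, departed_on=None),             # still affiliated
    Account("bob", active=True, departed_on=date(2007, 4, 1)),   # 16 days ago, still open
    Account("carol", active=True, departed_on=date(2007, 4, 12)),  # 5 days ago, inside grace
    Account("dave", active=False, departed_on=date(2007, 3, 1)),  # departed and closed
]


def overdue_accounts(accounts: List[Account], today: date) -> List[str]:
    """Return uids of accounts that are still active more than seven days after departure.

    An account closed (active=False) or within the seven-day window is compliant;
    exactly seven days is still 'no later than seven days'.
    """
    overdue = []
    for acct in accounts:
        if acct.departed_on is None or not acct.active:
            continue
        if today - acct.departed_on > DEPROVISION_DEADLINE:
            overdue.append(acct.uid)
    return overdue


def password_violations(candidate: str, uid: str) -> List[str]:
    """Return the rules a proposed password fails; an empty list means acceptable.

    The length rule is the federation minimum. The user-id rule and the
    three-character-class rule are assumed examples of 'other quality checks'.
    """
    problems = []
    if len(candidate) < MIN_PASSWORD_LENGTH:
        problems.append("shorter than 8 characters")
    if uid.lower() in candidate.lower():
        problems.append("contains the user id")
    classes = sum((
        any(c.islower() for c in candidate),
        any(c.isupper() for c in candidate),
        any(c.isdigit() for c in candidate),
        any(not c.isalnum() for c in candidate),
    ))
    if classes < 3:
        problems.append("fewer than three character classes")
    return problems


if __name__ == "__main__":
    print("overdue:", overdue_accounts(SAMPLE_ACCOUNTS, AUDIT_DATE))   # ['bob']
    print(password_violations("Kz7!mq2Pv", "erin"))                    # []
```

Running the audit periodically (and keeping the output) also produces the evidence a home organisation needs when the federation operator reviews its published IdM description.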
Campus IdM policy enforcement in Haka
• Home organisation publishes its IdM practices on the web
  • using a template provided by the federation operator: http://www.csc.fi/english/institutions/haka/registration/idm-description
• Self-audit for joining IdPs
  • When an IdP is registered to the federation, the federation operator checks the published document to assess whether the minimum requirements are met
  • If OK, the IdP is added to the federation metadata
• If it turns out that the policy is not followed by a home organisation, there is a procedure for dropping the home organisation from the federation
Privacy and the Data Protection Directive (DPD) in Haka
• Only SPs related to research and education can be registered to the federation
  • DPD: processing of personal data is bound to the purpose for which the data was collected
• Only attributes relevant for the service are released to an SP
  • when a new SP is registered, the SP admin declares the relevant attributes
  • based on the declaration, the federation operator constructs and distributes Shibboleth Site-ARPs to the IdPs
• End user’s informed consent is a requirement for attribute release
  • to make the consent informed, the end user is provided with a link to the service’s privacy policy document
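The attribute-release flow on this slide (SP admin declares relevant attributes, operator turns the declaration into a release policy, IdP releases only those attributes and only with consent) can be shown in a few lines. The following is an added example, not code from the Haka federation or from the Shibboleth project: the SP entity IDs, the declared attribute lists, the sample user and the consent flag are all constructed. The XML it emits follows the Shibboleth 1.x attribute release policy layout (`AttributeReleasePolicy` / `Rule` / `Target` / `Requester` / `Attribute` / `AnyValue release="permit"`, namespace `urn:mace:shibboleth:arp:1.0`) as I recall it from the 1.3 documentation; treat that layout as an assumption and validate any generated file against the IdP's own schema before deploying it.

```python
"""Minimal attribute release driven by an SP's declaration (added example).

Assumed: the federation operator keeps, per registered SP, the attribute list
the SP admin declared at registration. Nothing outside that list is released,
and nothing is released without the end user's informed consent.
"""
import xml.etree.ElementTree as ET
from typing import Dict, List, Set

ARP_NS = "urn:mace:shibboleth:arp:1.0"        # Shibboleth 1.x ARP namespace (assumed)
ATTR_PREFIX = "urn:mace:dir:attribute-def:"   # attribute naming used in 1.x ARPs (assumed)

# Constructed: declarations made by SP admins when their SPs were registered.
SP_DECLARATIONS: Dict[str, List[str]] = {
    "https://sp.example.org/shibboleth": ["eduPersonPrincipalName", "eduPersonAffiliation"],
    "https://portal.example.org/shibboleth": ["eduPersonAffiliation", "funetEduPersonStudentCategory"],
}

# Constructed: what the IdP knows about one user (values are placeholders).
SAMPLE_USER = {
    "cn": "Matti Meikäläinen",
    "mail": "matti@example.org",
    "eduPersonPrincipalName": "matti@example.org",
    "eduPersonAffiliation": "student",
    "funetEduPersonStudentCategory": "msc",
}


def release_attributes(user_attrs: Dict[str, str], sp_entity_id: str,
                       consent_given: bool) -> Dict[str, str]:
    """Return only the attributes the SP declared, and only if the user consented."""
    if not consent_given:
        return {}                      # no informed consent: nothing leaves the IdP
    declared = SP_DECLARATIONS.get(sp_entity_id)
    if declared is None:
        return {}                      # SP not registered: it is not in federation metadata
    return {name: user_attrs[name] for name in declared if name in user_attrs}


def build_arp(sp_entity_id: str) -> str:
    """Build a Site-ARP-style document permitting exactly the declared attributes."""
    declared = SP_DECLARATIONS.get(sp_entity_id, [])
    ET.register_namespace("", ARP_NS)  # serialise with a default namespace
    root = ET.Element(f"{{{ARP_NS}}}AttributeReleasePolicy")
    rule = ET.SubElement(root, f"{{{ARP_NS}}}Rule")
    target = ET.SubElement(rule, f"{{{ARP_NS}}}Target")
    ET.SubElement(target, f"{{{ARP_NS}}}Requester").text = sp_entity_id
    for name in declared:
        attr = ET.SubElement(rule, f"{{{ARP_NS}}}Attribute", name=ATTR_PREFIX + name)
        ET.SubElement(attr, f"{{{ARP_NS}}}AnyValue", release="permit")
    return ET.tostring(root, encoding="unicode")


def permitted_in_arp(arp_xml: str) -> Set[str]:
    """Audit helper: parse an ARP and return the short names it permits for release."""
    root = ET.fromstring(arp_xml)
    ns = {"arp": ARP_NS}
    permitted = set()
    for attr in root.findall(".//arp:Attribute", ns):
        any_value = attr.find("arp:AnyValue", ns)
        if any_value is not None and any_value.get("release") == "permit":
            permitted.add(attr.get("name").replace(ATTR_PREFIX, "", 1))
    return permitted


if __name__ == "__main__":
    sp = "https://sp.example.org/shibboleth"
    print(release_attributes(SAMPLE_USER, sp, consent_given=True))
    print(build_arp(sp))
```

The audit helper is the useful part for an IdP operator: comparing `permitted_in_arp()` of the distributed ARP with the SP's declaration catches a policy that drifted to release more than the SP ever asked for, which is exactly the DPD purpose-limitation the slide points at.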
Schemas, roles and groups in Haka
• funetEduPerson 2.0 schema
  • incorporates schac 1.2.0
• roles/groups in funetEduPerson
  • eduPersonAffiliation – a Finnish interpretation of the vocabulary is presented in funetEduPerson
  • funetEduPersonStudentCategory – 10 categories for students (BSc, MSc, doctor, other, open-university, exchange-student, …)
  • students’ target degree – e.g. MSc in Engineering
  • students’ educational degree program – e.g. Political history
  • students’ specialisation option – e.g. software engineering
  • student status – present/absent
  • student union membership
  • schacHomeOrganizationType – university/polytechnic
Level of assurance for authentication in Haka
• currently one LoA: the minimum requirement is a password
  • stronger methods ”can be used”
  • University of Helsinki has had a pilot on PKI/smartcards in the Shibboleth 1.x IdP
• Waiting for Shibboleth/SAML 2.0
  • authentication context concept
  • services asking for a certain level of authentication
• candidates for stronger authentication
  • PKI/smartcards
  • OTPs provided by the Finnish banks