70 likes | 87 Views
On the Many Ways to Identity Exchange (Again) Digital identities are more valuable as they are more widely assertable. Diego R. Lopez, RedIRIS. STORK. Pilot for academic institutions successfully finished https://www.eid-stork.eu/pilots/pilot3.htm STORK IdPs integrated as special SIR IdPs
E N D
On the Many Ways to Identity Exchange (Again)Digital identities are more valuable as they are more widely assertable Diego R. Lopez, RedIRIS
STORK • Pilot for academic institutions successfully finished • https://www.eid-stork.eu/pilots/pilot3.htm • STORK IdPs integrated as special SIR IdPs “If you are in SIR, you can deal with STORK identities” • Looking forward to strengthening integration • Sub-task in the current eduGAIN workplan • Module for simpleSAMLPHP • Metadata management • Policy issues • Additional use cases proposed for STORK extension • Credential management • LoA handling
Proxying • Two proposals submitted for REFEDS funding • Federated management of central proxy instances • Central proxy configuration services • Do we need and open-source proxy? • EZProxy is well-known, widely deployed, provided in reasonably fair terms • Would it scale up to • National proxy services • More specific usages (Web Services, AJAX…) • Other access control mechanisms (OAuth, WS-Trust…) • Transformations from identity data to proxy mechanisms
OAuth (2, of course…) • ID in its draft 16 • Rather stable: Both kernel and side standards • Including SAML and JWT • OpenID integrated flow: OpenIDConnect • UMA considering the user and consent sides • Use cases on their way • The RedIRIS service panel • GN3 VOOT (three-legged OAuth1 for the moment) • And Clouds • A few references if your are (still) curious http://www.independentid.com/2011/02/does-oauth-have-legs.html http://www.rediris.es/oauth2/ https://spaces.internet2.edu/display/socialid/
JSON Space • Proposals are blooming on RESTful services using JSON as coding mechanism • Out of the common standard processes • Though many proposals are IDs • Supported by many of the big dogs • Google, Microsoft, Yahoo, Facebook • The good news • Essentially compatible with our current federation stuff • The not-so-good news • Too many fronts to be influential enough? http://self-issued.info/papers/The_Emerging_JSON-Based_Identity_Protocols.pdf
The Omnipresent Cloud • SCIM, previously known as Cloud Directory • Intended for identity data exchange among actors in the cloud • Cloud Service Provider • Enterprise Cloud Subscriber • Cloud Service User • General “neutral” schema • Bindings to JSON, SAML and “bare” XML • RESTful API • Security and trust models still in their initial stages • Experiments on access control • OpenNebula usage of Grid certificates • Others initiatives not very active • OASIS IDCloud
GEMBus STS • Demonstrator available http://gembus.rediris.es:8181/STSDemonstrator • Adaptors for Apache ServiceMix • Spring coming soon • Current token format based on GN2 relayed-trust SAML • Plans for a more neutral JWT-based token • Coordination with EUGridPMA policies