Stuff Ken Klingenstein
Stuff sack • InCommon Stuff • Infocard, Open Id, etc… • Federation soup • Cormack slides on EU (and US) privacy • International federation & Liberty Alliance • ISOC and Identity and trust • COmanage and collaboration support • Kumbaya for open source middleware? • Rumors and gossip
About federating software… • Shibboleth project formation - Feb 2000 • OASIS starts SAML work; linkages with Shib established Dec 2000 • Release dates: Shib alpha1 April 2002, OpenSAML July, 2002, Shib v1.0 April 2003 • SAML TC evolved a fusion of Liberty, Shib and SAML into SAML 2.0 Nov 2005 • Microsoft-led business consortium develops WS-*, including WS-Fed, 2002-2008 • Closure likely next year around SAML 2.0 and Shib metadata as the first metadata profile in OASIS
InCommon • Approximately 90 members and growing steadily • More than two million “users” • Most of the major research institutions • New types of members • Non usual suspects – Lafayette, NITLE, Univ of Mary Washington, etc. • National Institutes of Health, soon NSF and research.gov • Energy Labs, ESnet, TeraGrid • MS, Apple, soon Google • Student service providers • Steering Committee chaired by Clair Goldsmith of Univ of Texas; Technical Committee chaired by Renee Shuey of Penn State
Uses • Access controlled wikis • Access to academic content, such as Elsevier • Access to popular content, such as Cdigix • Access to Microsoft, iTunes U • Access to services, such as student travel agencies, testing services • Access to Grid computational resources, portal providers, recruitment services, etc • Access to external apps (e.g. Google Apps for Education) and clouds
InCommon • Impacts of federation are real • Dreamspark - Microsoft delivery of developer kits, source code, etc to students https://downloads.channel8.msdn.com/; over 50% of all download traffic from Microsoft was federation-enabled one week after announcement. • {Federation + persistent, opaque identifier + attributes with consent} addresses international privacy requirements. • InCommon Silver, a new profile is now being deployed to serve higher assurance applications • Federated Sharepoint, federated wikis are proving to be killer apps…. • www.incommonfederation.org
A brief history of federations • Federations at national levels in several countries, beginning with a variety of protocols and converging on SAML • Federations form along natural relationships – state university systems, state educational agencies, regional optical networks,… • Federations in the business context begin as 1-1 (outsourced services, like accounting) and sometimes grow into hub and spoke (e.g. automobile industry) • Other types of identity federations exist in pockets (e.g. federated PKI roots for IGTF)
Federation Soup • Workshop held early June • Brought together all manners of federation to figure out federation relationships • InCommon, JISC, state federations, library federations, university system federations, grid federations, etc. • Topics include alignment of policies, technologies, attributes, metadata, etc. • Approaches include peering, nested, leveraged, and a whole lot of ad hoc • Web site at https://spaces.internet2.edu/display/FederationSoup/Home
Why we are here: Interfederation Interactions • Peering and soup • Service providers often belong to multiple federations; some identity providers are being asked to join several federations • Federal government interactions happening, but not as first anticipated • Virtual organizations (e.g. OOI and LIGO) are now presenting real use cases that require international federation interactions • Other sectors keenly watching us
Workshop Goals and Outcomes • Inform specific efforts • fostering of local federations • blending of local federations with national ones • minimizing challenges down the road through some up-front consensus and coordination (ala federation best practices) • international peering/soup • Exchange governance and organizational approaches • Understand businesses and business models • Establish ongoing mechanisms for communication and coordination • Grow community
Some soup dimensions • Alignments – LOA, attributes, user experience • Legal models – Dispute Resolution, Indemnification, etc • Business models – Operator, Source of funds, Services offered, Communities served • Privacy management and international issues • User experience – large multiplier…
Federations.org • Interfederation of national R&E federations • More peering than soup • Possible activities • Reference point for new national federations • Aggregation of common materials • Triage for SP’s that want to learn how to deal with multiple federations • Assist in taking the federation template doc to RFC status • IDABC and EU Article 29 coordination • Successor to Refeds (http://www.terena.org/activities/refeds/)
International Activities • http://www.terena.org/activities/refeds/ • A summary of discussions among R&E networks, including a survey of national efforts • http://www.jisclegal.ac.uk/access/ • Excellent policy analytics, especially around international issues of privacy, peering, and attributes • http://ec.europa.eu/idabc/ • TransEuropean activities in IdM for use among citizens, governments, and businesses
Peering Parameters • Parameters: • LOA • Attribute mapping • Legal structures • Liability • Adjudication • Metadata • VO Support • Economics • Privacy
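Two of the parameters above, attribute mapping and metadata, meet in one concrete check an SP must make once it consumes metadata from more than one federation: a scoped attribute (eduPersonScopedAffiliation and the like) is only trustworthy if the asserting IdP is authorized for that scope in metadata. The following is an added illustration, not code from the presentation or from any federation's software; the entity IDs, scopes and federation names are constructed.

```python
from typing import Dict, Optional, Set

# Constructed metadata aggregates from two peered federations. Each maps an
# IdP entityID to the scopes the federation operator vouches for (the role
# that shibmd:Scope elements play in SAML metadata).
FEDERATION_SCOPES: Dict[str, Dict[str, Set[str]]] = {
    "federation-one": {
        "https://idp.univ-a.example.edu/idp": {"univ-a.example.edu"},
    },
    "federation-two": {
        "https://idp.univ-b.example.ac.uk/idp": {
            "univ-b.example.ac.uk",
            "univ-b.ac.uk",
        },
    },
}


def merge_metadata(feds: Dict[str, Dict[str, Set[str]]]) -> Dict[str, Set[str]]:
    """Union the per-federation scope lists into one SP-side view.

    An entityID present in both aggregates keeps the union of its scopes,
    which is what peering on metadata amounts to for this attribute.
    """
    merged: Dict[str, Set[str]] = {}
    for fed in feds.values():
        for idp, scopes in fed.items():
            merged.setdefault(idp, set()).update(s.lower() for s in scopes)
    return merged


def accept_scoped_attribute(metadata: Dict[str, Set[str]],
                            idp: str, value: str) -> Optional[str]:
    """Return the attribute value if its scope is authorized for this IdP.

    Anything else is dropped: an unscoped value, an unknown IdP, or a scope
    that belongs to another institution in the aggregate.
    """
    if "@" not in value:
        return None
    _, scope = value.rsplit("@", 1)
    if scope.lower() in metadata.get(idp, set()):
        return value
    return None
```

Scope comparison is case-insensitive because DNS-style scopes are; everything else in the value is left untouched for the attribute mapping step that follows.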
Peering frameworks • JISC Member-Federated Operator analysis • Feasibility of cross-federation • EAuth-InCommon peering corpse • Kalmar Union • JISC template for inter-federation
Next soup steps • Affinity group in system federations • State feds – not yet • PII normalization • Ask NACUA • Coping with EU privacy compliance • Interfederation template agreement • InCommon as a focus point for interfederation in the US
Trust, Identity and the Internet • ISOC initiative to introduce trust and identity-leveraged capabilities to many RFC’s and protocols • Acknowledges the assumptions of the original protocols about the fine nature of our friends on the Internet and the subsequent realities • Will leverage both federated and p2p trust (for those instances where there is no trusted IdP) • http://www.isoc.org/isoc/mission/initiative/trust.shtml • Dublin IETF at the end of July kick-off…
ISOC Key Objectives • Architecture and Trust – Implementing open trust mechanisms throughout the full cycle of Internet research, standardization, development and deployment • Current Problems/Solutions and Trust – Mitigating the social, policy, and economic factors that may hinder development and deployment for trust enabling technologies • Identity and Trust – Elevating "Identity" to a core issue in network research and standards development
Infocard, Open ID, etc. • OpenId widespread inter-site authn • lightweight technically and legally • you get what you pay for… • Warrants intelligent integration with federated identity • User control of identity selection and attribute release becoming critical • One model is the ARPviewer approach • Another attractive model is InfoCard
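The privacy formula on the InCommon slide ({federation + persistent, opaque identifier + attributes with consent}) and the ARP-style user control of attribute release above can be shown in a few lines. This is an added example, not Shibboleth's or the presentation's code; the IdP secret, user record and consent table are constructed and hypothetical.

```python
import hashlib
import hmac
from typing import Dict, List

# Constructed, hypothetical per-IdP secret. A real IdP keeps this in a
# protected keystore: with it gone, targeted IDs can be neither reversed
# to a username nor correlated across service providers.
IDP_SECRET = b"example-idp-secret-not-for-production"
IDP_ENTITY_ID = "https://idp.example.edu/idp/shibboleth"

# Constructed sample user record at the home institution.
USER = {
    "uid": "jdoe",
    "eduPersonScopedAffiliation": "staff@example.edu",
    "mail": "jdoe@example.edu",
    "displayName": "Jane Doe",
}

# Constructed consent store: attributes the user agreed to release per SP.
CONSENT: Dict[str, List[str]] = {
    "https://wiki.example.org/sp": ["eduPersonScopedAffiliation"],
    "https://publisher.example.com/sp": ["eduPersonScopedAffiliation", "mail"],
}


def targeted_id(uid: str, sp_entity_id: str) -> str:
    """Persistent, opaque, pairwise identifier in eduPersonTargetedID form.

    Same user + same SP gives the same value every session (persistent);
    a different SP gives an unrelated value (no cross-SP correlation);
    nothing about the user is recoverable without IDP_SECRET (opaque).
    """
    msg = f"{IDP_ENTITY_ID}!{sp_entity_id}!{uid}".encode()
    digest = hmac.new(IDP_SECRET, msg, hashlib.sha256).hexdigest()
    return f"{IDP_ENTITY_ID}!{sp_entity_id}!{digest[:32]}"


def release(user: dict, sp_entity_id: str) -> Dict[str, str]:
    """Attribute release filtered by the user's consent for this SP.

    Attributes without consent never leave the IdP; the targeted ID is
    always included so the SP has a session handle.
    """
    allowed = set(CONSENT.get(sp_entity_id, []))
    assertion = {"eduPersonTargetedID": targeted_id(user["uid"], sp_entity_id)}
    for name, value in user.items():
        if name in allowed:
            assertion[name] = value
    return assertion
```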
Collaboration and Federated Identity • Two powerful forces being leveraged • the rise of federated identity • the bloom in collaboration tools, most particularly in the Web 2.0 space but including file shares, email list procs, etc • Collaboration management platforms provide identity services to “domesticated” collaboration applications • Results in user and collaboration centric identity, not tool-based identity
A Bloom of Collaboration Tools • An over-abundance of new tools that provide rich and growing collaboration capabilities (aka Web 2.0) • Do you • Wiki, blog, moodle, sakai, IM, Chat, videoconference, audioconference, calendar, Flickr, netmeeting, access grid, dimdim, listserv, webdav, etc • Share files among workgroups, access Elsevier, work with the IEEE, etc • No uber-app – limits invention and community of users • 3 - 4 is fine, but many per user is hard to manage • Leads to the need to manage the collaborations and their tools
COmanage • A collaboration management platform, supported in part by a NSF OCI grant, being developed by the Internet2 community, with Stanford as a lead institution • “Domesticated” applications externalize their identity management dimensions to a general identity/group/privilege/etc repository (LDAP, MySQL, etc.) • Users manage IdM in a collaboration-centric way, not in a tool-centric way • Uses Shibboleth, Grouper, and Signet • Open source, open protocol
COmanage • A “stand-alone” platform to manage IdM for many different applications. • User accounts to access COmanage can be based in COmanage or, preferably, federated. • COmanage can provide authentication and authorization services (group membership, privilege management, etc) to apps • The “stand-alone” can be readily replumbed to be fully integrated into enterprise, federated or other attribute ecosystems as they develop
Two types of application enablement • “domesticated” apps know to draw their entitlements, attributes and roles from the CMP directory or db or… (something external to the app) • Other apps can have information from COManage pushed into them • Static or dynamic provisioning • Connectors could be X.509 certs, SAML assertions, etc.
Domesticated applications • Applications that externalize their identity management dimensions • Domestication typically goes in stages – first identity, then group and privilege management, perhaps then provisioning • Domestication relative to the external access protocols used (SAML, LDAP, MySQL, web services, etc.) • Applications domesticated or being targeted • Sympa, Confluence, Asterisk (open-source IP audioconferencing), Dim-Dim (open-source web meeting), Bedework (federated open-source calendar), Subversion, JIRA, Alfresco, Foodle • Finally domain science resources – Instruments, Grids, etc
Figure: Collaboration Management Platform (CMP) and the Attribute Ecosystem. Collaboration tools/resources (file sharing, calendar, email list manager, phone/video conference, federated wiki, domain science instrument, domain science grid) draw their application attributes from the CMP, whose functions are authentication, authorization (group info, privilege info), people picker, other functions, and an attribute/resource info data store; attribute ecosystem flows run from the home organizations and identity providers / sources of authority (University A, University B, Laboratory X) into the CMP.
COmanage specifics • Wiki, dev and users being set up • Beta release in July, 1.0 in August, OpenLDAP as the data store. • Debian VMware • Domesticated apps in bundle where licenses permit • Testing in several venues and VO’s • GUI issues, modularity of components issues under discussion
Kumbaya for open source? • Now that people believe there is a middleware layer, they want only one of them… • Most open source apps started well before plumbing and middleware • Some left open API’s, etc; some didn’t • Alignment between JA-SIG, Kuali Student, Kuali Financials, OKI, Fedora, Dspace, Sakai, etc. happening, slowly, intermittently, but happening…
Rumors and Gossip • Nuclear winter at summer solstice • Internet2, strategic planning and tactical • NLR and Darkstrand • NSF and OCI • Teragrid, OGF, Condor, Genesis II, etc.