Learn about the challenges and benefits of delivering trusted collaboration at scale, bridging the gap between R&E and non-R&E practices. Discover how collaborating with the OpenID Foundation can help achieve multi-lateral trust, interoperability, and secure data exchange. Get involved to shape the future of trusted collaboration.
OpenID Connect and R&E 2019 Chris Phillips | Technical Architect, Canadian Access Federation | TNC 2019 | Tallinn
Challenge: Scaling trusted collaboration regardless of technology
Delivering Trusted Collaboration at Scale • R&E • Trust by multi-lateral practices • Rich R&E data dictionary • Built primarily for and by R&E
Understanding the Gap • R&E • Trust by multi-lateral practices • Rich R&E data dictionary • Built primarily for and by R&E • Non R&E • Trust by bi-lateral practices • Minimal data dictionary • Built primarily for and by business
Bridging the Gap • Work ongoing on many fronts • The OpenID Foundation (OIDF) is the steward of OpenID Connect (OIDC)
Benefits of Collaborating with OIDF • Governance aligns with R&E • Well documented & similar merit driven processes • Already formally recognized as a working group • Chair: Davide Vaghetti (GARR/GÉANT) • Home: https://openid.net/wg/rande/
OIDC R&E Profile Context (layer diagram; the adjacent layers are not recoverable from the page) • The Implementer's Draft R&E Profile relies on and interoperates with the layers above and below it • More depth on process: https://openid.net/wg/about
Scope of OIDF Working Group • Develop profiles with specific requirements for: • Security • Multi-lateral trust • Interoperability in the R&E sector • A specific set of claims and scopes related to R&E • Extensions to OpenID Connect entity metadata • Charter: https://github.com/daserzw/oidc-edu-wg/blob/master/charter.md
Path to Success • 1st class multi-lateral trust support in OIDC • Ubiquitously supported by platforms • Operational capabilities on premises, by vendors, & fed-ops • Training offerings to ramp community knowledge • Regardless of protocol • Interoperability of multi-lateral inter-federation trusts • Predictable attribute exchange • Parity of trustworthiness of endpoints • R&E profile must work with existing OIDC libraries • Stretch goal: User Experience • Login once, user is able to access SAML or OIDC resources transparently and simultaneously
What is R&E doing right now? • Collecting use cases for the OIDF R&E WG • Implementing OIDC and OAuth2 endpoints in: • Shibboleth OIDC Extension • Central Authentication Service (CAS) • Active Directory Federation Services (AD FS) on Windows Server 2016 and higher • SATOSA • Working on guidance • Internet2 OIDC-OAuth WG • Implementing proxying now • CILogon • Authentication and Authorisation for Research Collaborations (AARC) Blueprint
Are Proxies enough? • No, they are not. • Proxying is short-term gain with long-term pain • It offers temporary relief while we do the core work in the spec
Why? • Proxies are neither simple nor 'free' • Cloud will eclipse us: • In person-power (staffing) • In ubiquity of deployment • In the ability to integrate tightly with cloud identity stores (a good thing!)
Do Nothing? • Only assures that: • Our needs will never be met • We will always have to ‘fix’ things for our world view • Cost and difficulty of delivering on core mission increase • Diminished relevancy and ability to serve the Researcher
Call to Action: Get Involved! • Where? • The OIDF WG list is the main work area • The REFEDS OIDCre WG is the on-ramp/incubation area for R&E items • Passive participation • Join the OIDF WG list and OIDCre and observe • Active participation • Join OIDF formally and become a voter (strongly encouraged) • Further steps: • Start learning more about OIDC and OAuth2 • Get involved in activities or projects • Experiment with and implement the Shibboleth OIDC plugin in your sandbox • Participate in prototyping and pilots