Federation management: A mess?
9.4.2008 Nordunet Conference
Mikael Linden, CSC, the Finnish IT Center for Science
What is Federated Identity technology?
1. HTTP: "Let me in to http://moodle.utu.fi/" (end user's browser → Service Provider, SP: University of Turku, Moodle Learning Management System)
2. HTTP redirect carrying a SAML authentication request: "Someone from HUT wants to log in to our Moodle. Authenticate him." (SP → Home Organisation's Identity Provider, IdP: Helsinki University of Technology)
3. Username: bsmith, Password: 95iEfHw (end user authenticates at the IdP)
4. HTTP POST carrying a SAML authentication response: "Let me in to http://moodle.utu.fi/. My home organisation has authenticated me and asserts that my name is Bob Smith and I'm a student at Helsinki University of Technology." (IdP → SP, via the browser)
Let him in.
What is an identity federation (aka Circle of Trust)?
• InCommon: A federation is an association of organizations that come together to exchange information as appropriate about their users and resources in order to enable collaborations and transactions.
• Liberty Alliance: A circle of trust is a federation of service providers and identity providers that have business relationships based on Liberty architecture and operational agreements and with whom users can transact business in a secure and apparently seamless environment.
=> A federation is an organisational (not a technical) construct
Haka federation of Finland
Haka federation (coordinated and operated by CSC)
• Haka operational since 8/2005
• 240 000 end users
• 2.0 million logins in 2007
• Home organisations maintain identities
• Home organisations authenticate the end users
• Home organisations release attributes to services
• Services do access control
Home organisations (Identity Provider, IdP): U of Helsinki, U of Tampere, HUT, TUT, Savonia UAS, Tampere UAS (24 IdPs in total)
Services (Service Provider, SP): Nelli portal (libraries), Moodle LMS (e-learning), circulation of incoming invoices, supercomputer (CSC), Grid, wiki, blog etc. (42 SPs in total)
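The four-step exchange on the "What is Federated Identity technology?" slide, together with the division of labour stated above (home organisation authenticates and releases attributes, service does access control), played out end to end in one process. This is an added example written for this page, not code from the presentation, from Haka or from any SAML product. Assumptions: the entityIDs and endpoint URLs are invented; messages are JSON dicts carrying SAML element names rather than SAML XML; an HMAC over the assertion stands in for XML Signature; the user record is constructed; the federation metadata each side consults is an in-memory dict.

```python
"""SAML 2.0 Web Browser SSO (SP-initiated), SP and IdP in one file.
Added example with invented entityIDs/URLs, JSON instead of XML and an HMAC
standing in for XML Signature; the user "bsmith" is constructed sample data."""
import base64, hashlib, hmac, json, secrets, time, zlib
from urllib.parse import parse_qs, urlencode, urlsplit

SP_ENTITY_ID = "https://moodle.utu.fi/sp"    # assumed
SP_ACS_URL = "https://moodle.utu.fi/acs"     # assumed AssertionConsumerService URL
IDP_ENTITY_ID = "https://idp.hut.fi/idp"     # assumed
IDP_SSO_URL = "https://idp.hut.fi/sso"       # assumed

# Federation metadata as each side sees it. A real federation distributes signed
# metadata with X.509 certificates; this HMAC key stands in for the IdP's signing
# key. "Trusting the federation" means: only keys and endpoints from here count.
IDP_SIGNING_KEY = secrets.token_bytes(32)
SP_VIEW_OF_IDPS = {IDP_ENTITY_ID: {"sso_url": IDP_SSO_URL, "key": IDP_SIGNING_KEY}}
IDP_VIEW_OF_SPS = {SP_ENTITY_ID: {"acs_url": SP_ACS_URL}}

# Constructed account at the home organisation (a real IdP stores a password hash).
IDP_USERS = {"bsmith": {"password": "95iEfHw", "displayName": "Bob Smith",
                        "eduPersonAffiliation": ["student", "member"]}}

def _canon(obj):
    return json.dumps(obj, sort_keys=True, separators=(",", ":")).encode()

def _sign(key, obj):
    return hmac.new(key, _canon(obj), hashlib.sha256).hexdigest()

# Steps 1-2: the SP gets an unauthenticated GET and redirects the browser to the IdP.
def sp_start_login(target_url, pending, idp_entity_id=IDP_ENTITY_ID):
    req = {"ID": "_" + secrets.token_hex(16), "IssueInstant": int(time.time()),
           "Issuer": SP_ENTITY_ID, "AssertionConsumerServiceURL": SP_ACS_URL}
    pending[req["ID"]] = target_url  # remembered so only a matching response is accepted
    c = zlib.compressobj(9, zlib.DEFLATED, -15)  # HTTP-Redirect binding: raw DEFLATE
    encoded = base64.b64encode(c.compress(_canon(req)) + c.flush()).decode()
    query = urlencode({"SAMLRequest": encoded, "RelayState": target_url})
    return SP_VIEW_OF_IDPS[idp_entity_id]["sso_url"] + "?" + query

# Steps 3-4: the IdP authenticates the user and hands the browser a signed response.
def idp_handle_sso(redirect_url, username, password, now=None):
    now = now or int(time.time())
    qs = parse_qs(urlsplit(redirect_url).query)
    req = json.loads(zlib.decompress(base64.b64decode(qs["SAMLRequest"][0]), -15))
    sp = IDP_VIEW_OF_SPS.get(req["Issuer"])
    if sp is None or sp["acs_url"] != req["AssertionConsumerServiceURL"]:
        raise PermissionError("SP unknown or ACS URL not in metadata")  # no caller-chosen URLs
    user = IDP_USERS.get(username)
    if user is None or not hmac.compare_digest(user["password"], password):
        raise PermissionError("authentication failed")
    assertion = {"Issuer": IDP_ENTITY_ID, "Subject": username, "IssueInstant": now,
                 "Conditions": {"NotBefore": now - 60, "NotOnOrAfter": now + 300,
                                "Audience": req["Issuer"]},
                 "Attributes": {"displayName": user["displayName"],
                                "eduPersonAffiliation": user["eduPersonAffiliation"]}}
    resp = {"InResponseTo": req["ID"], "Destination": sp["acs_url"],
            "Assertion": assertion, "Signature": _sign(IDP_SIGNING_KEY, assertion)}
    # HTTP-POST binding: base64 in a form the browser auto-submits to the ACS URL
    return {"SAMLResponse": base64.b64encode(_canon(resp)).decode(),
            "RelayState": qs["RelayState"][0]}

# Step 4, SP side: each check below is one thing the federation's trust relies on.
def sp_consume_response(form, pending, now=None):
    now = now or int(time.time())
    resp = json.loads(base64.b64decode(form["SAMLResponse"]))
    a = resp["Assertion"]
    idp = SP_VIEW_OF_IDPS.get(a["Issuer"])
    if idp is None:
        raise PermissionError("issuer not in federation metadata")
    if not hmac.compare_digest(_sign(idp["key"], a), resp["Signature"]):
        raise PermissionError("signature does not verify")
    if resp["Destination"] != SP_ACS_URL:
        raise PermissionError("response addressed to another endpoint")
    if resp["InResponseTo"] not in pending:
        raise PermissionError("unsolicited or replayed response")
    target = pending.pop(resp["InResponseTo"])  # one-time use: a replay fails above
    cond = a["Conditions"]
    if cond["Audience"] != SP_ENTITY_ID:
        raise PermissionError("assertion issued for a different SP")
    if not cond["NotBefore"] <= now < cond["NotOnOrAfter"]:
        raise PermissionError("assertion outside its validity window")
    return {"subject": a["Subject"], "attributes": a["Attributes"], "target": target}

# Access control stays with the service: the IdP asserts who the user is,
# Moodle decides whether that person gets in.
def sp_authorize(attributes, allowed=("student", "faculty", "staff")):
    return any(v in allowed for v in attributes.get("eduPersonAffiliation", []))

def run_flow(username, password, target="http://moodle.utu.fi/"):
    """Whole exchange; returns (session, authorized) or raises PermissionError."""
    pending = {}
    form = idp_handle_sso(sp_start_login(target, pending), username, password)
    session = sp_consume_response(form, pending)
    return session, sp_authorize(session["attributes"])

if __name__ == "__main__":
    print(run_flow("bsmith", "95iEfHw"))
```

The `pending` dict is the SP's session store: a response whose InResponseTo is not waiting there is rejected, which is what stops a captured SAMLResponse from being posted a second time. The audience and destination checks are what keep an assertion issued for one SP in the federation from being accepted by another; in a distributed federation every SP has to get all of these right on its own, which is the flip side of the "no single point of failure" argument later in the deck.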
Do we need a federation? Case: Higher education
• There are often end users from several IdPs using the same SP
• The IdPs and SPs don't necessarily have business relationships
=> YES
Nelli library portal, 3/2008: 119 582 Haka logins
Do we need a federation? Case: B2B
• In the business-to-business world, use of federated identity management is based on business relationships
• Business relationships are typically bilateral
• Identities can be federated between organisations on a bilateral basis
=> Not necessarily
Contractual shape of a federation
Coordinator
• Has a contractual relationship with home organisations and services
• Sets the policy
Operator
• Subcontractor of the coordinator
• Takes care of daily technical operations of the federation
Home organisations (Identity Provider, IdP): U of Helsinki, U of Tampere, HUT, TUT, Savonia UAS, Tampere UAS
Services (Service Provider, SP): Nelli portal (libraries), Moodle LMS (e-learning), circulation of invoices, supercomputer (CSC), Grid
An IdP-centric view of a federation
• A federation is seen as a set of IdPs which have deployed similar policies
• SPs are not considered part of the federation but consumers of the federation service
• SPs need not have a contractual relationship with the federation
• The data protection directive binds the SPs anyway
(Diagram: the IdPs and the operator inside the federation boundary, the SPs outside it)
Technical shape of a federation: Distributed
• Model deployed by Haka (.fi), SWAMID (.se) and several other federations
• Pros
  • No single point of failure in the message flow
  • Costs of federation management low
• Cons
  • Hard to track errors and
  • Not well supported by commercial products
(Diagram: each IdP exchanges messages directly with each SP)
Technical shape of a federation: Centralised
• Model deployed by Feide (.no) and WAYF (.dk)
• Pros
  • A single point where to locate problems and introduce new features
  • Economies of scale
• Cons
  • A single point of failure
  • Everyone needs to trust the IdP proxy in the middle
(Diagram: all IdPs and SPs exchange messages through a central IdP proxy)
The Nordic dimension
• A common denominator for Nordic identity federations: campus identity management
• Identity providers are expected to provide only identities of high quality
• High quality of
  • Authentication (face-to-face registration and token delivery)
  • Attributes (students' and employees' accounts are closed as they depart)
• Included also in the charter of the Kalmar Union, the confederation of Nordic federations
Coordination of a federation: leadership in a network of organisations
• Understanding universities' needs and limitations
• Understanding the possibilities of the technology
• Steering the development of the federation and getting organisations involved … without having a mandate to dictate anything
• Changes are slow and difficult to drive in a federation
• Communications with different players in academia