SIR, FedSSH and more to come…
SIR: Servicio de Identidad de RedIRIS (RedIRIS Identity Service)
• Provide a single entry point to digital identity services for the academic community
• Multiprotocol
• Simplify management
• Guarantee evolution
• Flexible
• Compatible with any level of IdM deployment
• Able to live in parallel with other infrastructures
• http://www.rediris.es/sir/
The SIR Model
"One Ring to bring them all and in the darkness bind them
In the Land of Mordor where the Shadows lie."
IdPs in SIR
• Institutions in the RedIRIS constituency
• Virtual organizations related to them
• Must install a connector
  • Able to produce assertions in the PAPI v1 protocol
  • Minimum set of attributes in the iris-* schemas
  • PHP, Java (JSP & Filter), Apache mod_perl, ASP, Sun AM, OSSO and some specific ones
  • Community process for developing new ones
• Must register for the service
  • Accepting the conditions of use
  • Providing their metadata
SIR Services
• Interconnection with SAML infrastructures
• Access to PAPI-based services
• eduGAIN BE
• OpenID producer
• Validation services
• Attribute exchange
  • SAML
  • OpenID
SIR: SAML (including eduGAIN)
• Virtual IdP per institution
  • Using simpleSAMLphp capabilities
• Metadata distribution for regional federations
• Direct integration of SAML IdPs is feasible
• Central eduGAIN BE
  • Plus virtual BEs for institutions requesting them
• Commercial providers
  • Microsoft
  • Elsevier
  • Requests ongoing for Ovid, JSTOR, EBSCO,…
  • Driven by the user institutions
SIR: PAPI
• Two ways for connection:
  • GPoA SIR
  • Virtual AS for each institution
• Access to the national license on ISI WoK
• RedIRIS inner services
  • Conferences
  • Service control panel
  • Portals
  • Proxies
SIR: OpenID
• Virtual producer per institution
• Additional controls
  • Match URL with attribute values
  • Specify acceptable RPs
  • User consent for extensions related to personal data
• Identifiers in any of the languages of Spain:
  • yo.rediris.es/soy/diego.lopez@rediris.es
  • jo.rediris.es/soc/diego.lopez@rediris.es
  • eu.rediris.es/son/diego.lopez@rediris.es
  • ni.rediris.es/diego.lopez@rediris.es/naiz
• Simplified versions possible for OpenID2
SIR: Some ideas for the future
• New protocols and identity services
  • OAuth
  • Cardspace
  • COmanage
• New applications (beyond WebSSO)
  • SSH access
  • Distributed storage
  • Attribute authorities (a-la-COManage)
  • Grid interconnection
    • SLCS
    • VOMS
• Usage of DNIe
• And the PEPS
FedSSH
• Based on the ideas discussed by TF-EMC2 over the past summer
• Common public key servers are updated through specific SPs
• A modified version of the SSH server able to use an external repository for public keys
Deploying FedSSH
• Deployed as a pilot by CONFIA, the Southern Spanish federation
• Applied to teaching environments
• Connected to a federated account provision system
• Plans to explore the applicability to storage services
Riding the Hype
• Make the case for identity services among the wider user community
• Some of the big players are behind
• Explore direct potential applications
• There are smart people working on this
Identity a-la-carte
• "Use your identity everywhere"
• Easy deployment of additional control
• Makes it more valuable to users
• OpenID identifiers for catch-all, low-LoA IdPs
Lightweight federation?
(Diagram: SP checks for trusted IdP; IdP checks for trusted SP; mutual authentication possible)
• No changes to the basic protocol required
• ARPs could be implemented as well
• Simpler to deploy?
• Easier to integrate?
• Closer to commercial providers?
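As an added illustration (not SIR's or RedIRIS's code) of the "additional controls" listed on the OpenID slide and the IdP-side trusted-SP check from the lightweight federation slide, the following producer-side validation parses the four SIR-style identifier forms, checks that the identifier matches the asserted principal, checks the RP against an acceptable list and refuses extension fields the user has not consented to. The attribute name irisUserPrincipalName, the https requirement for the RP and the allow-list format are assumptions.

```python
import re
from urllib.parse import urlparse

# Constructed from the four identifier forms shown on the OpenID slide.
IDENTIFIER_FORMS = [
    re.compile(r"^yo\.rediris\.es/soy/(?P<principal>[^/]+)$"),
    re.compile(r"^jo\.rediris\.es/soc/(?P<principal>[^/]+)$"),
    re.compile(r"^eu\.rediris\.es/son/(?P<principal>[^/]+)$"),
    re.compile(r"^ni\.rediris\.es/(?P<principal>[^/]+)/naiz$"),
]

# Hypothetical attribute name carrying the user's principal in the assertion.
PRINCIPAL_ATTRIBUTE = "irisUserPrincipalName"


def principal_from_identifier(identifier):
    """Return the principal embedded in a SIR-style identifier, or None."""
    path = re.sub(r"^https?://", "", identifier.strip().lower())
    for form in IDENTIFIER_FORMS:
        match = form.match(path)
        if match:
            return match.group("principal")
    return None


def rp_is_acceptable(return_to, acceptable_rps):
    """Accept only https return_to URLs whose host is (under) an allowed RP."""
    parsed = urlparse(return_to)
    if parsed.scheme != "https" or not parsed.hostname:
        return False
    host = parsed.hostname
    return any(host == rp or host.endswith("." + rp) for rp in acceptable_rps)


def authorize(identifier, attributes, return_to, acceptable_rps,
              requested_fields=(), consented_fields=()):
    """Apply the three controls from the slide; return (ok, reason)."""
    principal = principal_from_identifier(identifier)
    if principal is None:
        return False, "identifier is not a recognised SIR form"
    if principal != attributes.get(PRINCIPAL_ATTRIBUTE, "").lower():
        return False, "identifier does not match asserted principal"
    if not rp_is_acceptable(return_to, acceptable_rps):
        return False, "relying party not in the acceptable list"
    missing = [f for f in requested_fields if f not in consented_fields]
    if missing:
        return False, "no consent for extension fields: " + ", ".join(missing)
    return True, "ok"
```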
OAuth for auto-registration
(Diagram: Fed IdP and Fed SP; the SP initiates registration and requests attributes from the IdP)
• Process attributes
• Decide on values
• Update databases
• Associate with agreed identifiers