Federated Access
Glenn Wearen, HEAnet

Terminology
• Single Log On
  • single point of authentication (e.g. LDAP)
  • synchronised account and credentials
  • authenticate to each application
• Single Sign On (SSO)
  • single point of authentication
  • single credential, single account
  • authenticate once

Terminology
• Web SSO technologies
  • OpenID
  • Cardspace (Infocard, Higgins etc.)
  • SAML, WS-Trust
  • Facebook Connect, Friend Connect
• OAuth: data exchange

Terminology
• Identity Provider (IdP)
  • Organisation that issues identity data/credentials (typically the user's home institution)
• Service Provider (SP)
  • Organisation accepting federated identities

Terminology
• Attribute Schema
  • A defined set of user attributes, e.g. first name, last name, email, institution, user ID
  1. Simple: eduPerson
  2. Extensive: SCHAC
  3. National extensions
  4. Bilateral extensions
  5. inetOrgPerson and Person
• The identity provider defines a user's attributes; the service provider authorises access based on assertions containing the user's attributes
Federated Access in Education
• SAML widely adopted in national academic federations
  • UK Access Management Federation (650 IdPs on eduPerson)
  • InCommon (4 million eduPerson users)
  • Switch AAI (eduPerson + national schema)
  • HAKA (eduPerson + SCHAC + eduOrg)
  • Swamid (eduPerson)
  • AAF (auEduPerson)
  • Surfederatie (SCHAC + eduPerson)
  • Feide (based on eduPerson)
  • GARR Idem AAI (SCHAC + eduPerson)
• SAML used in other sectors: realty, aerospace, automobile, 401k confederation

Edugate
• Potential IdPs
  • Institutes of Technology
  • Universities
  • Private colleges
  • Research agencies

Edugate
• Potential SPs
  • Institutional services
    • Moodle, Blackboard with joint programme content
  • Shared services offered by IdPs
    • NDLR, HEAnet's own services, IReL
  • Academic content providers
    • EBSCO, Elsevier, JSTOR
  • Research portals
    • Or any cross-institutional research group resource
  • Organisations offering academic discount
    • Microsoft Dreamspark, o2, Travelcard

Edugate
• Federation is a web of trust underpinned by...
  • Policy
    • Membership rules
    • Identity providers must ensure identities are assured
    • Service providers must not abuse data protection rules
    • Confederation/Interfederation
  • Technical standard
    • Standard protocol and schema

Edugate
• eduPerson Schema
  • givenName, surname, email & organisation: Joseph, Bloggs, joe.bloggs@um.ie, University of Mullingar
  • eduPersonPrincipalName: jblgs-stu133@um.ie
  • eduPersonTargetedID: a44ffed231eda7b7a7d
  • eduPersonScopedAffiliation: student@um.ie, library-walk-in@um.ie
  • eduPersonEntitlement: urn:mace:heanet.ie:media:write

Edugate
• SAML2 Protocol
  • Interoperable Web-SSO Profile as defined by saml2int.org
  • Shibboleth 2, simpleSAMLphp
  • Oracle, IBM and Ping
• SP
  • Web server plug-in (optional application integration)
• IdP
  • Web application with connection to campus directory
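The SP side of the model on the Terminology, eduPerson and SAML2 slides (the IdP asserts eduPerson attributes, the SP authorises on them) as an added Python example; it is not part of the presentation and is not Shibboleth or simpleSAMLphp code. It assumes the SP's web server plug-in has already verified the assertion's signature, audience and validity period, and that the SP knows from federation metadata which scope each IdP is allowed to assert. The assertion, the issuer entity ID and the scope table are constructed, and the attributes are carried under their eduPerson friendly names rather than OID names. The scope check matters because a federation has many IdPs: without it, any member IdP could assert a staff affiliation at some other institution.

```python
import xml.etree.ElementTree as ET

SAML_NS = {"saml": "urn:oasis:names:tc:SAML:2.0:assertion"}

# Constructed sample: the AttributeStatement an SP receives from a University
# of Mullingar IdP, after signature/conditions have already been verified.
SAMPLE_ASSERTION = """<saml:Assertion xmlns:saml="urn:oasis:names:tc:SAML:2.0:assertion" Version="2.0">
  <saml:Issuer>https://idp.um.ie/idp/shibboleth</saml:Issuer>
  <saml:AttributeStatement>
    <saml:Attribute Name="eduPersonPrincipalName">
      <saml:AttributeValue>jblgs-stu133@um.ie</saml:AttributeValue>
    </saml:Attribute>
    <saml:Attribute Name="eduPersonScopedAffiliation">
      <saml:AttributeValue>student@um.ie</saml:AttributeValue>
      <saml:AttributeValue>library-walk-in@um.ie</saml:AttributeValue>
    </saml:Attribute>
    <saml:Attribute Name="eduPersonEntitlement">
      <saml:AttributeValue>urn:mace:heanet.ie:media:write</saml:AttributeValue>
    </saml:Attribute>
  </saml:AttributeStatement>
</saml:Assertion>
"""

# Hypothetical extract from federation metadata: the scope(s) each IdP entity
# is permitted to assert in scoped attributes.
IDP_SCOPES = {"https://idp.um.ie/idp/shibboleth": {"um.ie"}}


def extract_attributes(assertion_xml):
    """Return (issuer entity ID, {attribute name: [values]}) from an assertion."""
    root = ET.fromstring(assertion_xml)
    issuer = root.findtext("saml:Issuer", namespaces=SAML_NS)
    attrs = {}
    for attr in root.iterfind(".//saml:AttributeStatement/saml:Attribute", SAML_NS):
        values = [v.text.strip() for v in attr.iterfind("saml:AttributeValue", SAML_NS) if v.text]
        attrs[attr.get("Name")] = values
    return issuer, attrs


def filter_scoped(issuer, values):
    """Keep only scoped values (user@scope) whose scope this IdP may assert."""
    allowed = IDP_SCOPES.get(issuer, set())
    kept = []
    for value in values:
        if "@" not in value:
            continue  # malformed scoped value: drop rather than guess
        _, scope = value.rsplit("@", 1)
        if scope in allowed:
            kept.append(value)
    return kept


def authorise(assertion_xml, required_affiliations=("student", "staff"), entitlement=None):
    """Grant access on an acceptable scoped affiliation or on a named entitlement."""
    issuer, attrs = extract_attributes(assertion_xml)
    if issuer not in IDP_SCOPES:
        return False, "unknown issuer"
    affiliations = filter_scoped(issuer, attrs.get("eduPersonScopedAffiliation", []))
    for value in affiliations:
        affiliation, _ = value.rsplit("@", 1)
        if affiliation in required_affiliations:
            return True, f"affiliation {value}"
    if entitlement and entitlement in attrs.get("eduPersonEntitlement", []):
        return True, f"entitlement {entitlement}"
    return False, "no qualifying affiliation or entitlement"


if __name__ == "__main__":
    print(authorise(SAMPLE_ASSERTION))
    print(authorise(SAMPLE_ASSERTION, required_affiliations=("staff",),
                    entitlement="urn:mace:heanet.ie:media:write"))
```

The decision is made entirely from asserted attributes, never from the login name, which is what lets one SP configuration serve every institution in the federation; the entitlement URN is the page's own example of a cross-institutional permission the IdP can grant.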
Edugate
• Management of identity provider
  • Delegated user consent management
  • Delegated user attribute release policy
  • Institution can override at any time
• HEAnet assistance to get started
  • Directory integration for IdPs
  • Application integration for institutional SPs
  • Recruitment of large SPs

Membership has its benefits
• Management via web portal
• SPs declare the required and desired attributes, with justification
• HEAnet decides on the institution's behalf which attributes to release and when to invoke user consent, and advises the institution when the decision is made
• The institution may override the decision using the web portal
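The attribute release decision described on these two slides (SPs request attributes with justification, a federation-level default decides what is released automatically and what needs user consent, the institution can override) as an added Python example; it is not Edugate's portal code. The split between attributes released automatically and attributes gated on consent, the SP's request, and the user record are all assumptions, and the attribute names mail, givenName and sn are the inetOrgPerson names for the email, given name and surname attributes on the eduPerson slide.

```python
from dataclasses import dataclass, field

# Hypothetical federation default: attributes that carry no directly identifying
# data (or only a per-SP pseudonym) may be released without asking the user.
AUTO_RELEASE = {"eduPersonTargetedID", "eduPersonScopedAffiliation", "eduPersonEntitlement"}


@dataclass
class AttributeRequest:
    name: str
    required: bool        # required: the SP cannot work without it
    justification: str    # why the SP says it needs the attribute


@dataclass
class ServiceProvider:
    entity_id: str
    requests: list


@dataclass
class InstitutionOverride:
    """Per-SP overrides an institution sets in the portal (assumed model)."""
    deny: set = field(default_factory=set)                   # never release to this SP
    consent: set = field(default_factory=set)                # always ask the user first
    allow_without_consent: set = field(default_factory=set)  # release silently


# Constructed sample SP request and user record.
SAMPLE_SP = ServiceProvider("https://moodle.example/shibboleth", [
    AttributeRequest("eduPersonScopedAffiliation", True, "course enrolment by role"),
    AttributeRequest("eduPersonPrincipalName", True, "stable account identifier"),
    AttributeRequest("mail", False, "forum notifications"),
    AttributeRequest("givenName", False, "display name"),
])
SAMPLE_USER = {
    "givenName": ["Joseph"], "sn": ["Bloggs"], "mail": ["joe.bloggs@um.ie"],
    "eduPersonPrincipalName": ["jblgs-stu133@um.ie"],
    "eduPersonScopedAffiliation": ["student@um.ie", "library-walk-in@um.ie"],
    "eduPersonEntitlement": ["urn:mace:heanet.ie:media:write"],
}


def decide_release(sp, user_attrs, override=None):
    """Split the SP's requests into released, consent-gated and withheld attributes."""
    override = override or InstitutionOverride()
    released, needs_consent, withheld = {}, {}, []
    for req in sp.requests:
        if req.name not in user_attrs:
            withheld.append((req.name, "not available"))
            continue
        if req.name in override.deny:
            # A denied *required* attribute means the SP will refuse the login;
            # that is the institution's decision to make, so it is still withheld.
            withheld.append((req.name, "denied by institution"))
            continue
        auto = req.required and req.name in AUTO_RELEASE
        if req.name in override.consent:
            auto = False
        elif req.name in override.allow_without_consent:
            auto = True
        if auto:
            released[req.name] = user_attrs[req.name]
        else:
            needs_consent[req.name] = user_attrs[req.name]
    # Minimisation: attributes the SP never asked for (e.g. sn here) are never released.
    return {"released": released, "needs_consent": needs_consent, "withheld": withheld}


def apply_consent(decision, consented):
    """After the consent page: add only the attributes the user agreed to."""
    final = dict(decision["released"])
    for name, value in decision["needs_consent"].items():
        if name in consented:
            final[name] = value
    return final


if __name__ == "__main__":
    decision = decide_release(SAMPLE_SP, SAMPLE_USER)
    print(decision)
    print(apply_consent(decision, {"mail"}))
```

Keeping the decision as three explicit buckets is what lets the portal show the institution why an attribute left (or did not leave) the IdP, and the override object is the hook for the "institution may override" rule on the slide.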
Future Directions
• Confederation
  • UK Federation / eduGAIN
• Attribute aggregation
  • Student account is but one part of a user account
• Who knows?
  • Schools, further education
  • Campus ID used with other protocols
  • National student ID

Summary
Join us at www.edugate.ie