Presentation is loading. Please wait.

Presentation is loading. Please wait.

© Australian Access Federation Inc. P RIVACY AND T HE A USTRALIAN A CCESS F EDERATION Presented by: Terry Smith 1 st June 2010 Supported by the Australian.

Published byKristina Chase Modified over 8 years ago

Similar presentations

Presentation on theme: "© Australian Access Federation Inc. P RIVACY AND T HE A USTRALIAN A CCESS F EDERATION Presented by: Terry Smith 1 st June 2010 Supported by the Australian."— Presentation transcript:

1 © Australian Access Federation Inc. P RIVACY AND T HE A USTRALIAN A CCESS F EDERATION Presented by: Terry Smith 1 st June 2010 Supported by the Australian Government through the Department of Innovation, Industry, Science and Research

2 T HE AAF A BRIEF HISTORY o Federation for Higher Education and Research o Replaces the MAMS Test bed federation o Shibboleth, SAML2, based on SWITCHaai model o AAF Incorporated mid 2009 o 50% of AU and NZ Universities and growing o Mini Grant program to encourage service providers o Federally funded until the end of 2010 o Self sustaining from 2011 thru subscriptions o Three streams of activities o Policy o Technology o Marketing Visit us online: www.aaf.edu.au © Australian Access Federation Inc. www.aaf.edu.au

3 P RIVACY IN A USTRALIA o Australian Privacy Law o Framework and Guidelines for Privacy o State Privacy Laws o AAF Rules for participants o Requirements from our participants © Australian Access Federation Inc. www.aaf.edu.au o Project underway to meet Australian legal requirements o Must ensure we continue with standard solution o Must be simple, useable and non-intrusive Australia's national privacy regulator, protecting personal information http://www.privacy.gov.au/index.php AAF SOLUTION AAF R EQUIREMENTS

4 I NFORMATION P RIVACY P RINCIPLES Summary of the eleven Information Privacy Principles IPP 1: manner and purpose of collection IPP 2: collecting information directly from individuals IPP 3: collecting information generally IPP 4: storage and security IPPs 5 - 7: access and amendment IPPs 8 - 10: information use IPP 11: disclosure © Australian Access Federation Inc. www.aaf.edu.au Personal Information means information or an opinion (including information or an opinion forming part of a database), whether true or not, and whether recorded in a material form or not, about an individual whose identity is apparent, or can reasonably be ascertained, from the information or opinion.

5 W HERE TO B EGIN The AU privacy guidelines inform us to do... o Threshold Assessment – are there privacy risks that need to be addressed? o YES o Privacy Impact Assessment © Australian Access Federation Inc. www.aaf.edu.au Project descriptionMapping information flows and privacy framework Privacy impact analysis Privacy management Recommendations After the assessment --- what then?

6 P ROJECT D ESCRIPTION The Big picture – Building a Higher Education and Research Federation © Australian Access Federation Inc. www.aaf.edu.au

7 I NFORMATION FLOWS, C ORE A TTRIBUTES Identity Providers assert user information to Service Providers as attributes. Full attribute specification at : https://wiki.caudit.edu.au/confluence/display/aafaueduperson/Home. © Australian Access Federation Inc. www.aaf.edu.au auEduPersonSharedToken – unique, persistent ID eduPersonTargetedID – privacy-preserving ID targeted to a particular SP eduPersonAffiliation and eduPersonScopedAffiliation – e.g. student or staff eduPersonEntitlement – string arranged with SP to grant a particular entitlement eduPersonAssurance – URN indicating one of 4 levels of identity assurance AuthenticationMethod – URN indicating one of 4 levels of authentication assurance displayName and cn – contain the user’s name mail – the user’s email address o – the name of the organisation

8 I MPACT A NALYSIS & M ANAGEMENT o Risk analysis and management of privacy information... © Australian Access Federation Inc. www.aaf.edu.au How information flows affect individuals’ choices in the way personal information about them is handled The degree of intrusiveness into individuals’ lives Compliance with privacy law How the project fits into community expectations.

9 R ECOMMENDATIONS © Australian Access Federation Inc. www.aaf.edu.au Develop and deploy solution Review existing options against the requirements Technical architecture AAF Privacy Requirement document

10 R EQUIREMENTS © Australian Access Federation Inc. www.aaf.edu.au Terms of Use Information that is necessary, minimal disclosure Purpose for use of information Review claim sent to SP’s User friendly and easy to incorporate, standards based.

11 OTHER FACTORS TO CONSIDER Do we show users privacy preserving attributes or do we assume they are outside the privacy regime? What does the AAF and its members consider “Personal Information”? Are there any legal requirements on how long claim records should be kept by identity providers? © Australian Access Federation Inc. www.aaf.edu.au

12 OTHER FACTORS TO CONSIDER C ONT What levels of access should be defined for report generation and what information should be available to administrators at each level? In the future how do we deal with attribute release for minors? Are users who are under 18 able to accept release of their personal information? Should the federation support user modification and choice for attributes that certain service providers consider ‘optional’? © Australian Access Federation Inc. www.aaf.edu.au

13 A RCHITECTURE © Australian Access Federation Inc. www.aaf.edu.au Holistic Approach User Identity Provider Service Provider Federation

14 A VAILABLE OPTIONS, U SER C ONSENT o AAF could build it own solution from the ground up o Use MAMS Autograph + SHARPe o Shibboleth 1.3.x only o Not production quality o Difficult to install / configure o uApprove o Good fit – need some extensions o Moving into Shibboleth core with V3.0 o simpleSAMLphp + consent o Good fit – may need some extensions o Not currently used any IdP’s, but some are considering o The trusted third party model (TTP) o Still being investigated o Possible User privacy concerns, in particular the centralized recording off all federation user attributes (used to determine if there have been value changes) o Change in from current hybrid model to Hub-and-spoke o Other options... © Australian Access Federation Inc. www.aaf.edu.au

15 U A PPROVE EXTENDED + … uApprove extensions o Regular retrieval Federation Terms of Service from central point o Provide two Terms of Service agree buttons (Local & Federation) o Store user attributes to enable re-approval if values change o Retrieve SP Statements of Attribute requirement from central point o Store history for attribute release consent and agreement to ToS © Australian Access Federation Inc. www.aaf.edu.au

16 … A DDITIONAL S UPPORT COMPONENTS Federation Tools o Record SP Attribute requirements and related information including attribute value sets, e.g. List of accepted entitlements o Approval process for SP Attribute requirement o Record IdP Attribute release policies o Metadata generator to include SP Attributes and values o Attribute-Filter generator that filters based on SP Attributes and Values + IdP release policy o Attribute-Map generator that filters based on SP Attributes and Values + IdP release policy o End point for SP Attribute requirements statement o End point for Federation ToS © Australian Access Federation Inc. www.aaf.edu.au Local Tools for IdPs o Review Attribute release consent o Review agreement to ToS o Local Administrators able to view

17 … A DDITIONAL S UPPORT COMPONENTS Identity Providers (Shibboleth only) o Inclusion and configuration of extended uApprove o Recording Attribute release policies with the federation o Use the generated Attribute-Filter from federation © Australian Access Federation Inc. www.aaf.edu.au Service Providers o Recording of Attribute requirements with the federation o Optional use of generated Attribute-Policy from federation

18 P OLICY AND M ARKETING Technology is not enough, it needs to be backed by POLICY and well Publicised IdPs and SPs must Deploy the technical solution Register information centrally and be informed Know their responsibilities w.r.t privacy laws Be aware of the risks and how they can be mitigated User must be aware of the rights and responsibilities © Australian Access Federation Inc. www.aaf.edu.au

19 T IME FRAMES © Australian Access Federation Inc. www.aaf.edu.au Deployment and testing against the AAF Test environment during Q3 2010 Early adopters begin using in production AAF environment during Q4 2010 Expect major take up by from the start of 2011

20 O THER I SSUES o Co-federation o Non web protocols and applications – Project Moonshot o Other Federation stacks o simpleSAML o ORACLE Access Manager o Novell Access Manager o Future versions o Changes to Requirements o Australian Laws o Participant requirements o Federation Group attributes and other attributes from secondary IdPs o Attribute release via data-mining, e.g. De-provisioning o Computed Attributes (Age > 18: True/False) o Utilization reporting – accuracy © Australian Access Federation Inc. www.aaf.edu.au

21 Visit us online www.aaf.edu.au Heath Marks Project Manager Heath.Marks@aaf.edu.au Patricia McMillan Policy, Strategy and Process Patricia.McMillan@uq.edu.au More Information? enquiries@aaf.edu.au © Australian Access Federation Inc. www.aaf.edu.au Q UESTIONS ? Terry Smith Technical Program Manager T.Smith@aaf.edu.au

Download ppt "© Australian Access Federation Inc. P RIVACY AND T HE A USTRALIAN A CCESS F EDERATION Presented by: Terry Smith 1 st June 2010 Supported by the Australian."

Similar presentations

Eduserv Athens Federations David Orrell Eduserv Athens Technical Architect.

Eduserv Athens Federations David Orrell Eduserv Athens Technical Architect.
Family Educational Rights and Privacy Act (FERPA) Basics For Faculty and Staff.

Family Educational Rights and Privacy Act (FERPA) Basics For Faculty and Staff.
Innovation through participation GÉANT Data Protection Code of Conduct (DP CoC) 21.6.2012 FIM for research collaboration workshop Mikael Linden,

Innovation through participation GÉANT Data Protection Code of Conduct (DP CoC) FIM for research collaboration workshop Mikael Linden,
EduPerson and Federated K-12 Activities InCommon/Quilts Pilot Group February 27, 2014 Keith Hazelton UW-Madison, InCommon/I2.

EduPerson and Federated K-12 Activities InCommon/Quilts Pilot Group February 27, 2014 Keith Hazelton UW-Madison, InCommon/I2.
Campus Based Authentication & The Project Presented By: Tim Cameron National Council of Higher Education Loan Programs.

Campus Based Authentication & The Project Presented By: Tim Cameron National Council of Higher Education Loan Programs.
Identity Management In A Federated Environment Identity Protection and Management Conference Presented by Samuel P. Jenkins, Director Defense Privacy and.

Identity Management In A Federated Environment Identity Protection and Management Conference Presented by Samuel P. Jenkins, Director Defense Privacy and.
CSE2500 Systems Security and Privacy Week 11 Privacy Law in Australia (after 2000)

CSE2500 Systems Security and Privacy Week 11 Privacy Law in Australia (after 2000)
1 Issues in federated identity management Sandy Shaw EDINA IASSIST 24-27 May 2005, Edinburgh.

1 Issues in federated identity management Sandy Shaw EDINA IASSIST May 2005, Edinburgh.
Agenda Project beginnings and funding. Purpose of the federation. Federation members. Federation protocols. Special features in our federation. Pilot.

Agenda Project beginnings and funding. Purpose of the federation. Federation members. Federation protocols. Special features in our federation. Pilot.
Information Resources and Communications University of California, Office of the President UCTrust Implementation Experiences David Walker, UCOP Albert.

Information Resources and Communications University of California, Office of the President UCTrust Implementation Experiences David Walker, UCOP Albert.
REFEDS RESEARCH AND EDUCATION (R&S) ENTITY CATEGORY NICOLE HARRIS.

REFEDS RESEARCH AND EDUCATION (R&S) ENTITY CATEGORY NICOLE HARRIS.
Property of Common Sense Privacy - all rights reserved 01875340890 THE DATA PROTECTION ACT 1998 A QUESTION OF PRINCIPLES Sheelagh F M.

Property of Common Sense Privacy - all rights reserved THE DATA PROTECTION ACT 1998 A QUESTION OF PRINCIPLES Sheelagh F M.
Credential Provider Operational Practices Statement CAMP Shibboleth June 29, 2004 David Wasley.

Credential Provider Operational Practices Statement CAMP Shibboleth June 29, 2004 David Wasley.
SWITCHaai Team Federated Identity Management.

SWITCHaai Team Federated Identity Management.
AAI with simpleSAMLphp

AAI with simpleSAMLphp
Copyright © The OWASP Foundation Permission is granted to copy, distribute and/or modify this document under the terms of the OWASP License. The OWASP.

Copyright © The OWASP Foundation Permission is granted to copy, distribute and/or modify this document under the terms of the OWASP License. The OWASP.
AAF Middleware update February16 2012 Presented by Terry Smith Technical Manager and Heath Marks Manager.

AAF Middleware update February Presented by Terry Smith Technical Manager and Heath Marks Manager.
NSTIC ID Ecosystem A Conceptual Model v03 Andrew Hughes October 2013 - October 2013 - IDESG Version 1.

NSTIC ID Ecosystem A Conceptual Model v03 Andrew Hughes October October IDESG Version 1.
Federated Identity Management in New Zealand Sat Mandri Service Manager TNC15 REFEDs Meeting, 14 th June 2015.

Federated Identity Management in New Zealand Sat Mandri Service Manager TNC15 REFEDs Meeting, 14 th June 2015.
Shibboleth and uApprove at University of Michigan Luke Tracy – Ken Hammer –

Shibboleth and uApprove at University of Michigan Luke Tracy – Ken Hammer –

Similar presentations

Ads by Google