
1. Stuff
Ken Klingenstein

2. Stuff sack
kjk@internet2.edu
- InCommon stuff
- Infocard, OpenID, etc.
- Federation soup
- Cormack slides on EU (and US) privacy
- International federation & Liberty Alliance
- ISOC and identity and trust
- COmanage and collaboration support
- Kumbaya for open source middleware?
- Rumors and gossip

3. About federating software…
- Shibboleth project formation, Feb 2000
- OASIS starts SAML work; linkages with Shib established, Dec 2000
- Release dates: Shib alpha1 April 2002, OpenSAML July 2002, Shib v1.0 April 2003
- SAML TC evolved a fusion of Liberty, Shib and SAML into SAML 2.0, Nov 2005
- Microsoft-led business consortium develops WS-*, including WS-Fed, 2002-2008
- Closure likely next year around SAML 2.0 and Shib metadata as the first metadata profile in OASIS

4. InCommon
- Approximately 90 members and growing steadily
- More than two million "users"
- Most of the major research institutions
- New types of members:
  - Non usual suspects: Lafayette, NITLE, Univ of Mary Washington, etc.
  - National Institute of Health, soon NSF and research.gov
  - Energy Labs, ESnet, TeraGrid
  - MS, Apple, soon Google
  - Student service providers
- Steering Committee chaired by Clair Goldsmith of Univ of Texas; Technical Committee chaired by Renee Shuey of Penn State

5. Uses
- Access controlled wikis
- Access to academic content, such as Elsevier
- Access to popular content, such as Cdigix
- Access to Microsoft, iTunes U
- Access to services, such as student travel agencies, testing services
- Access to Grid computational resources, portal providers, recruitment services, etc.
- Access to external apps (e.g. Google Apps for Education) and clouds

6. InCommon
- Impacts of federation are real
- Dreamspark: Microsoft delivery of developer kits, source code, etc. to students (https://downloads.channel8.msdn.com/); over 50% of all download traffic from Microsoft was federation-enabled one week after announcement.
- {Federation + persistent, opaque identifier + attributes with consent} addresses international privacy requirements.
- InCommon Silver, a new profile, is now being deployed to serve higher assurance applications
- Federated Sharepoint, federated wikis are proving to be killer apps…
- www.incommonfederation.org
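The slide states the privacy pattern but not how an IdP realises it. The following is an added example, not code from the deck, InCommon or Shibboleth: a pairwise identifier that is persistent for one (user, SP) pair, opaque, and uncorrelatable across SPs, combined with attribute release gated by both a per-SP policy and the user's consent. The derivation HMAC-SHA256(idp_salt, user_id || 0x00 || sp_entity_id), the policy table and the sample user data are my assumptions and constructed values, not anything the slides specify.

```python
"""Added example, not from the slides: one way an IdP can implement
"persistent, opaque identifier + attributes with consent".

Assumptions (mine, not the deck's): the pairwise identifier is
HMAC-SHA256(idp_secret_salt, user_id || 0x00 || sp_entity_id), and attribute
release is a per-SP allow-list intersected with the user's consent record.
"""
import base64
import hashlib
import hmac


def pairwise_identifier(idp_salt: bytes, user_id: str, sp_entity_id: str) -> str:
    """Persistent: the same (user, SP) pair always yields the same value.
    Opaque: without the IdP's secret salt nothing about the user is recoverable.
    Non-correlating: a different SP entityID yields an unrelated value, so two
    SPs cannot join their user records on it."""
    # 0x00 separator so "ab"+"c" and "a"+"bc" cannot collide
    msg = user_id.encode() + b"\x00" + sp_entity_id.encode()
    digest = hmac.new(idp_salt, msg, hashlib.sha256).digest()
    return base64.urlsafe_b64encode(digest).decode().rstrip("=")


# Constructed per-SP release policy: which attributes each SP may receive at all.
RELEASE_POLICY = {
    "https://wiki.example.org/shibboleth": {
        "eduPersonScopedAffiliation", "eduPersonEntitlement", "mail"},
    "https://publisher.example.com/sp": {"eduPersonScopedAffiliation"},
}


def attributes_to_release(sp_entity_id: str, user_attrs: dict, consented: set,
                          policy: dict = RELEASE_POLICY) -> dict:
    """Release only attributes both permitted for this SP by policy and consented
    to by the user; an SP absent from the policy receives nothing."""
    allowed = policy.get(sp_entity_id, set()) & consented
    return {name: value for name, value in user_attrs.items() if name in allowed}


def build_assertion_payload(idp_salt: bytes, user_id: str, sp_entity_id: str,
                            user_attrs: dict, consented: set) -> dict:
    """Assemble what the IdP would place in the assertion for this SP."""
    return {
        "name_id": pairwise_identifier(idp_salt, user_id, sp_entity_id),
        "attributes": attributes_to_release(sp_entity_id, user_attrs, consented),
    }


if __name__ == "__main__":
    # Constructed sample data; the salt must be a long-lived IdP secret.
    salt = b"idp-secret-salt-rotate-carefully"
    attrs = {"eduPersonScopedAffiliation": "member@univ-a.edu",
             "eduPersonEntitlement": "urn:mace:dir:entitlement:common-lib-terms",
             "mail": "alice@univ-a.edu", "displayName": "Alice"}
    consent = {"eduPersonScopedAffiliation", "eduPersonEntitlement"}  # mail withheld
    for sp in RELEASE_POLICY:
        print(sp, build_assertion_payload(salt, "alice", sp, attrs, consent))
```

Two points the code makes concrete: the identifier stays constant across logins (the SP can keep per-user state) yet carries no user data and differs per SP, and consent is an intersection with policy, so a user cannot consent an attribute to an SP the federation policy never allowed.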

7. A brief history of federations
- Federations at national levels in several countries, beginning with a variety of protocols and converging on SAML
- Federations form along natural relationships: state university systems, state educational agencies, regional optical networks, …
- Federations in the business context begin as 1-1 (outsourced services, like accounting) and sometimes grow into hub and spoke (e.g. automobile industry)
- Other types of identity federations exist in pockets (e.g. federated PKI roots for IGTF)

8. Federation Soup
- Workshop held early June
- Brought together all manner of federations to figure out federation relationships: InCommon, JISC, state federations, library federations, university system federations, grid federations, etc.
- Topics include alignment of policies, technologies, attributes, metadata, etc.
- Approaches include peering, nested, leveraged, and a whole lot of ad hoc
- Web site at https://spaces.internet2.edu/display/FederationSoup/Home

9. Why we are here: Interfederation Interactions
- Peering and soup
- Service providers often belong to multiple federations; some identity providers are being asked to join several federations
- Federal government interactions happening, but not as first anticipated
- Virtual organizations (e.g. OOI and LIGO) are now presenting real use cases that require international federation interactions
- Other sectors keenly watching us

10. Workshop Goals and Outcomes
- Inform specific efforts:
  - fostering of local federations
  - blending of local federations with national ones
  - minimizing challenges down the road through some up-front consensus and coordination (a la federation best practices)
  - international peering/soup
- Exchange governance and organizational approaches
- Understand businesses and business models
- Establish ongoing mechanisms for communication and coordination
- Grow community

11. Some soup dimensions
- Alignments: LOA, attributes, user experience
- Legal models: dispute resolution, indemnification, etc.
- Business models: operator, source of funds, services offered, communities served
- Privacy management and international issues
- User experience: large multiplier…

12. Federations.org
- Interfederation of national R&E federations
- More peering than soup
- Possible activities:
  - Reference point for new national federations
  - Aggregation of common materials
  - Triage for SPs that want to learn how to deal with multiple federations
  - Assist in taking the federation template doc to RFC status
  - IDABC and EU Article 29 coordination
- Successor to Refeds (http://www.terena.org/activities/refeds/)

13. International Activities
- http://www.terena.org/activities/refeds/ : a summary of discussions among R&E networks, including a survey of national efforts
- http://www.jisclegal.ac.uk/access/ : excellent policy analytics, especially around international issues of privacy, peering, and attributes
- http://ec.europa.eu/idabc/ : trans-European activities in IdM for use among citizens, governments, and businesses

14. Peering Parameters
- LOA
- Attribute mapping
- Legal structures
- Liability
- Adjudication
- Metadata
- VO support
- Economics
- Privacy

15. Peering frameworks
- JISC Member-Federated Operator analysis
- Feasibility of cross-federation
- EAuth-InCommon peering corpse
- Kalmar Union
- JISC template for inter-federation

16. Next soup steps
- Affinity group in system federations
- State feds: not yet
- PII normalization
- Ask NACUA
- Coping with EU privacy compliance
- Interfederation template agreement
- InCommon as a focus point for interfederation in the US

17. Trust, Identity and the Internet
- ISOC initiative to introduce trust- and identity-leveraged capabilities to many RFCs and protocols
- Acknowledges the assumptions of the original protocols about the fine nature of our friends on the Internet, and the subsequent realities
- Will leverage both federated and p2p trust (for those instances where there is no trusted IdP)
- http://www.isoc.org/isoc/mission/initiative/trust.shtml
- Dublin IETF at the end of July kick-off…

18. ISOC Key Objectives
- Architecture and Trust: implementing open trust mechanisms throughout the full cycle of Internet research, standardization, development and deployment
- Current Problems/Solutions and Trust: mitigating the social, policy, and economic factors that may hinder development and deployment of trust-enabling technologies
- Identity and Trust: elevating "Identity" to a core issue in network research and standards development

19. Infocard, OpenID, etc.
- OpenID:
  - widespread inter-site authn
  - lightweight technically and legally
  - you get what you pay for…
  - warrants intelligent integration with federated identity
- User control of identity selection and attribute release becoming critical
  - One model is the ARPviewer approach
  - Another attractive model is InfoCard

20. Collaboration and Federated Identity
- Two powerful forces being leveraged:
  - the rise of federated identity
  - the bloom in collaboration tools, most particularly in the Web 2.0 space but including file shares, email list processors, etc.
- Collaboration management platforms provide identity services to "domesticated" collaboration applications
- Results in user- and collaboration-centric identity, not tool-based identity

21. A Bloom of Collaboration Tools
- An over-abundance of new tools that provide rich and growing collaboration capabilities (aka Web 2.0)
- Do you wiki, blog, Moodle, Sakai, IM, chat, videoconference, audioconference, calendar, Flickr, NetMeeting, Access Grid, DimDim, listserv, WebDAV, etc.?
- Share files among workgroups, access Elsevier, work with the IEEE, etc.
- No uber-app: limits invention and the community of users
- 3 - 4 is fine, but many per user is hard to manage
- Leads to the need to manage the collaborations and their tools

22. COmanage
- A collaboration management platform, supported in part by an NSF OCI grant, being developed by the Internet2 community, with Stanford as a lead institution
- "Domesticated" applications externalize their identity management dimensions to a general identity/group/privilege/etc. repository (LDAP, MySQL, etc.)
- Users manage IdM in a collaboration-centric way, not in a tool-centric way
- Uses Shibboleth, Grouper, and Signet
- Open source, open protocol

23. COmanage
- A "stand-alone" platform to manage IdM for many different applications.
- User accounts to access COmanage can be based in COmanage or, preferably, federated.
- COmanage can provide authentication and authorization services (group membership, privilege management, etc.) to apps
- The "stand-alone" can be readily replumbed to be fully integrated into enterprise, federated or other attribute ecosystems as they develop

24. Two types of application enablement
- "Domesticated" apps know to draw their entitlements, attributes and roles from the CMP directory or db or… (something external to the app)
- Other apps can have information from COmanage pushed into them
  - Static or dynamic provisioning
  - Connectors could be X.509 certs, SAML assertions, etc.

25. Domesticated applications
- Applications that externalize their identity management dimensions
- Domestication typically goes in stages: first identity, then group and privilege management, perhaps then provisioning
- Domestication is relative to the external access protocols used (SAML, LDAP, MySQL, web services, etc.)
- Applications domesticated or being targeted: Sympa, Confluence, Asterisk (open-source IP audioconferencing), DimDim (open-source web meeting), Bedework (federated open-source calendar), Subversion, JIRA, Alfresco, Foodle
- Finally domain science resources: instruments, grids, etc.
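Slides 24 and 25 describe two enablement models without showing either. The following is an added example, not COmanage's code or anything from the deck: a "domesticated" app that keeps no account or role table and resolves privileges from the CMP repository at request time (pull), beside a legacy app whose subscriber list is kept in step by a provisioning connector that applies only the delta (push). The in-memory `CMP_STORE` stands in for the LDAP or MySQL repository the slides mention; its group names, privileges and users are constructed, and `DomesticatedWiki`, `LegacyListManager` and `reconcile` are my names.

```python
"""Added example, not part of the slides or COmanage: the pull and push
enablement models, with a constructed in-memory stand-in for the CMP's
identity/group/privilege repository in place of LDAP or MySQL."""
from dataclasses import dataclass, field

# Constructed CMP repository. Membership is keyed by a federated identifier;
# privileges are granted through groups, never assigned to users directly.
CMP_STORE = {
    "groups": {
        "ligo:collab": {"alice@univ-a.edu", "bob@lab-x.gov"},
        "ligo:admins": {"alice@univ-a.edu"},
    },
    "privileges": {  # privilege -> groups that grant it
        "wiki:edit": {"ligo:collab"},
        "wiki:delete": {"ligo:admins"},
        "list:post": {"ligo:collab"},
    },
}


def cmp_privileges(user: str, store: dict = CMP_STORE) -> set:
    """Resolve a user's privileges from group membership held in the CMP."""
    member_of = {g for g, members in store["groups"].items() if user in members}
    return {p for p, grps in store["privileges"].items() if grps & member_of}


class DomesticatedWiki:
    """Pull model: the app holds no local roles and asks the CMP per request,
    so a membership change in the CMP takes effect immediately."""

    def __init__(self, store: dict = CMP_STORE):
        self.store = store

    def authorize(self, user: str, action: str) -> bool:
        return f"wiki:{action}" in cmp_privileges(user, self.store)


@dataclass
class LegacyListManager:
    """Push model: an app with its own subscriber table that cannot query the
    CMP; a connector provisions it."""
    posters: set = field(default_factory=set)


def reconcile(app: LegacyListManager, store: dict = CMP_STORE) -> dict:
    """Dynamic provisioning: compute desired state from the CMP and apply only
    the delta. Removals matter as much as additions, otherwise access outlives
    collaboration membership. Returns the delta for an audit record."""
    all_users = set().union(*store["groups"].values())
    desired = {u for u in all_users if "list:post" in cmp_privileges(u, store)}
    delta = {"added": desired - app.posters, "removed": app.posters - desired}
    app.posters = set(desired)
    return delta


if __name__ == "__main__":
    wiki = DomesticatedWiki()
    print("alice delete:", wiki.authorize("alice@univ-a.edu", "delete"))
    print("bob delete:", wiki.authorize("bob@lab-x.gov", "delete"))
    lm = LegacyListManager(posters={"carol@old.example"})  # stale local state
    print("first sync:", reconcile(lm))
    CMP_STORE["groups"]["ligo:collab"].discard("bob@lab-x.gov")  # bob leaves
    print("after bob leaves:", reconcile(lm))
```

The pull path needs no connector but couples the app to the CMP's availability; the push path tolerates an unreachable CMP but is only as current as the last reconcile, which is why the slide distinguishes static from dynamic provisioning.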

26. [Diagram: Collaboration Management Platform (CMP) and the Attribute Ecosystem. Sources of authority / home org and Id providers (University A, University B, Laboratory X) feed the CMP, which provides authentication, authorization (group info, privilege info), a people picker and other functions over an attribute/resource info data store; attribute ecosystem flows and application attributes connect the CMP to collaboration tools and resources (federated wiki, domain science grid, domain science instrument, file sharing, calendar, phone/video conference, email list manager).]

27. COmanage specifics
- Wiki, dev and users being set up
- Beta release in July, 1.0 in August; OpenLDAP as the data store; Debian VMware
- Domesticated apps in bundle where licenses permit
- Testing in several venues and VOs
- GUI issues, modularity of components issues under discussion

28. [Diagram from slide 26 repeated.]

29. Kumbaya for open source?
- Now that people believe there is a middleware layer, they want only one of them…
- Most open source apps started well before plumbing and middleware
- Some left open APIs, etc.; some didn't
- Alignment between JA-SIG, Kuali Student, Kuali Financials, OKI, Fedora, DSpace, Sakai, etc. happening, slowly, intermittently, but happening…

30. Rumors and Gossip
- Nuclear winter at summer solstice
- Internet2, strategic planning and tactical
- NLR and Darkstrand
- NSF and OCI
- TeraGrid, OGF, Condor, Genesis II, etc.

