
Federation management A mess? 9.4.2008 Nordunet Conference Mikael Linden CSC, the Finnish IT Center for Science.


1 Federation management: A mess? Nordunet Conference. Mikael Linden, CSC, the Finnish IT Center for Science

2 What is Federated Identity technology?
Actors: Home Organisation (Helsinki U of Technology) = Identity Provider, IdP. Service Provider, SP (University of Turku) = Moodle Learning Management System.
1. HTTP request from the user to the SP: "Let me in to" (the Moodle service).
2. HTTP redirect carrying a SAML authentication request: "Someone from HUT wants to log in to our Moodle. Authenticate him."
3. The user authenticates at the IdP. Username: bsmith, Password: 95iEfHw
4. HTTP POST carrying the SAML authentication response: "Let me in to" (Moodle). "My home organisation has authenticated me and asserts that my name is Bob Smith and I'm a student at Helsinki University of Technology."
SP decision: "Let him in."
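The four-step exchange above, modelled end to end as an added example (not code from the presentation or from Haka): the SP issues the redirect with an authentication request, the home organisation checks the credentials and returns a signed assertion with attributes, and the SP verifies the response before doing its own access control. It assumes hypothetical endpoints and uses an HMAC in place of the XML signature, with dicts standing in for SAML XML.

```python
import hmac, hashlib, json, secrets, time
from urllib.parse import urlencode, parse_qs, urlparse

# Constructed federation metadata: the SP trusts this IdP key and endpoint (both hypothetical).
IDP_KEY = b"constructed-shared-key"           # stands in for the IdP's signing certificate
IDP_SSO_URL = "https://idp.hut.example/sso"
SP_ENTITY_ID = "https://moodle.utu.example/sp"
# Constructed home-organisation directory; a real IdP would store password hashes.
IDP_ACCOUNTS = {"bsmith": {"password": "95iEfHw", "cn": "Bob Smith",
                           "affiliation": "student", "org": "Helsinki University of Technology"}}

def sp_start_login(target):
    """Step 2: the SP answers 'let me in' with a redirect carrying the SAML AuthnRequest."""
    req = {"id": secrets.token_hex(8), "issuer": SP_ENTITY_ID, "target": target}
    return req["id"], IDP_SSO_URL + "?" + urlencode({"SAMLRequest": json.dumps(req)})

def idp_authenticate(redirect_url, username, password):
    """Step 3: the home organisation checks the credentials, then builds the response."""
    req = json.loads(parse_qs(urlparse(redirect_url).query)["SAMLRequest"][0])
    acct = IDP_ACCOUNTS.get(username)
    if acct is None or not hmac.compare_digest(acct["password"], password):
        return None                                  # IdP refuses; nothing is sent to the SP
    assertion = {"in_response_to": req["id"], "audience": req["issuer"],
                 "not_after": time.time() + 300, "cn": acct["cn"],
                 "affiliation": acct["affiliation"], "org": acct["org"]}
    body = json.dumps(assertion, sort_keys=True)
    sig = hmac.new(IDP_KEY, body.encode(), hashlib.sha256).hexdigest()
    return {"assertion": body, "signature": sig}    # step 4: the browser POSTs this to the SP

def sp_consume_response(response, expected_request_id):
    """Step 4 at the SP: verify the posted response, then do access control on attributes."""
    if response is None:
        return False, "authentication failed at IdP"
    expect = hmac.new(IDP_KEY, response["assertion"].encode(), hashlib.sha256).hexdigest()
    if not hmac.compare_digest(expect, response["signature"]):
        return False, "bad signature"
    a = json.loads(response["assertion"])
    if a["in_response_to"] != expected_request_id:
        return False, "unsolicited or replayed response"
    if a["audience"] != SP_ENTITY_ID:
        return False, "assertion meant for another SP"
    if a["not_after"] < time.time():
        return False, "assertion expired"
    if a["affiliation"] not in ("student", "employee"):   # the service's own access rule
        return False, "affiliation not allowed"
    return True, f"Let {a['cn']} ({a['affiliation']} at {a['org']}) in"
```

The division of labour from slide 4 is visible in the code: the IdP authenticates and releases attributes, the SP only checks the assertion and applies its own rule.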

3 What is an identity federation (aka Circle of Trust)?
InCommon: "A federation is an association of organizations that come together to exchange information as appropriate about their users and resources in order to enable collaborations and transactions."
Liberty Alliance: "A circle of trust is a federation of service providers and identity providers that have business relationships based on Liberty architecture and operational agreements and with whom users can transact business in a secure and apparently seamless environment."
=> A federation is an organisational (not a technical) construct.

4 Haka federation (coordinated and operated by CSC)
Haka federation of Finland
Home organisations (Identity Provider, IdP): U of Helsinki, U of Tampere, TUT, HUT, Tampere UAS, Savonia UAS
Services (Service Provider, SP): Nelli portal (libraries), circulation of incoming invoices, Moodle LMS (e-learning), supercomputer (CSC), Grid, wiki, blog etc
Haka operational since 8/
end users
2.0 million logins 2007
Home organisations maintain identities. Home organisations authenticate the end users. Home organisations release attributes to services. Services do access control.
# of IdPs: 24 # of IdPs: 42

5 Do we need a federation? Case: Higher education
Nelli library portal, 3/2008, Haka logins (chart on the slide).
There are often end users from several IdPs using the same SP. The IdPs and SPs don't necessarily have business relationships.
=> YES

6 Do we need a federation? Case: B2B
In the business-to-business world, use of federated identity management is based on business relationships. Business relationships are typically bilateral.
=> Not necessarily. Identities can be federated between organisations on a bilateral basis.

7 Contractual shape of a federation
Home organisations (Identity Provider, IdP): U of Helsinki, U of Tampere, TUT, HUT, Tampere UAS, Savonia UAS
Services (Service Provider, SP): Nelli portal (libraries), circulation of invoices, Moodle LMS (e-learning), supercomputer (CSC), Grid
Coordinator: has a contractual relationship with home organisations and services; sets the policy.
Operator: subcontractor of the coordinator; takes care of daily technical operations of the federation.

8 An IdP-centric view of a federation
A federation is seen as a set of IdPs which have deployed similar policies.
SPs are not considered part of the federation but consumers of the federation service.
SPs need not have a contractual relationship with the federation; the data protection directive binds the SPs anyway.
(Diagram: Operator, IdP, SP)

9 Technical shape of a federation: Distributed
Model deployed by Haka (.fi), SWAMID (.se) and several other federations. IdPs and SPs exchange messages directly.
Pros: No single point of failure in the message flow. Costs of federation management low.
Cons: Hard to track errors. Not well supported by commercial products.

10 Technical shape of a federation: Centralised
Model deployed by Feide (.no) and WAYF (.dk). IdPs and SPs communicate through an IdP proxy in the middle.
Pros: A single point where to locate problems and introduce new features. Economies of scale.
Cons: A single point of failure. Everyone needs to trust the IdP in the middle.

11 The Nordic dimension
A common denominator for Nordic identity federations: campus identity management. Identity providers are expected to provide only identities of high quality:
High quality of authentication (face-to-face registration and token delivery).
High quality of attributes (students' and employees' accounts are closed as they depart).
Included also in the charter of the Kalmar Union, the confederation of Nordic federations.

12 Coordination of a federation: leadership in a network of organisations
Understanding universities' needs and limitations. Understanding the possibilities of the technology. Steering the development of the federation. Making organisations involved ...without having a mandate to dictate anything.
Changes are slow and difficult to drive in a federation.
Communications with different players in the academia.

