
Towards Interconnecting the Nordic Identity Federations TNC2007 Walter M Tveter, UiO Mikael Linden, CSC/HAKA Ingrid Melve, Uninett/Feide.


1 Towards Interconnecting the Nordic Identity Federations TNC2007 Walter M Tveter, UiO Mikael Linden, CSC/HAKA Ingrid Melve, Uninett/Feide

2 Interconnecting federations
The Kalmar Union policy
Cross-federation model
Technical solution
Crossing circles of trust
Participants
Consent and attributes
Future works

3 Kalmar union
First Kalmar union (1397-1524) united the Nordic countries under a single monarch, giving up sovereignty but not independence
Interconnecting Nordic AAI federations
Model for exchanging traffic
 – My users have access to your services?
 – Your users have access to my services?
What is the simplest solution for interconnecting access control?
Policy issues for federations

4 Policy
Minimal information disclosure, informed consent
Voluntary participation in cross-federation
No liability (this must be written in contract)
Conflict resolution by elected board
Minimal intellectual property rights, as there are minimal central components
Services across borders, jurisdiction
Best effort, no guarantees needed
Money flow outside our scope (goes direct IdP-SP)

5 Kalmar cross-federation model
Bi-lateral agreements
Cross-federation charter
Overlapping federations, may choose to leave out parts from the overlap
Previous work
 – Aligned federation policies
 – Worked together in GNOMIS
 – norEdu* schemas developed in GNOMIS

6 Participants
Federations
 – HAKA in Finland
 – Feide in Norway
Federations to join
 – SWAMI in Sweden
 – DK-AAI in Denmark
End users
Identity providers (home organizations)
Service Providers

7 Technical Kalmar solution
SAML 2 metadata for federation overlap
(Diagram labels: HAKA Identity Provider, Feide Identity Provider, HAKA Service Provider, Feide Service Provider)

8 Technical work
Trial interconnect in September 2006
 – Shibboleth 1.3 in HAKA
 – Sun Access Manager (SAML 2.0) in Feide
eduGAIN bridging element evaluated
 – Backwards compatible with Shibboleth 1.3
 – Not yet available, but preliminary tests running
Easier to do SAML 2.0-based connections

9 Crossing Circles of Trust
User wants to access service in other Identity Federation
 – Must find the right login service (WAYF or explicit links)
What is really transferred
 – Identity Provider sends login and attributes
 – Service Provider must trust third-party login from outside its federation
Opt-in at all levels: user, IdP and federation
May have opt-out at the federation level, if needed

10 Consent and attributes
Informed consent
Attribute transfer
 – Safeguards at 3 levels: user, IdP/home, federation
Voluntary participation in cross-federation
 – Opt-in for end user
 – Opt-in for identity providers (home organizations)
 – Opt-in for each federation
Semantic interoperability based on eduPerson (with extensions)
 – Information about semantics
 – We do not enforce the same semantics
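The "SAML 2 metadata for federation overlap" of slide 7, together with the opt-in rules of slides 9 and 10, can be illustrated with a small added example (not code from the Kalmar project or any federation): it builds the overlap aggregate from per-federation metadata feeds, exporting only federations that signed the charter and only the entities that opted in, and then shows how an SP decides whether to trust an IdP outside its own federation. The feeds, federation names and entityIDs are constructed, stripped-down samples and are not real Feide, HAKA or SWAMI metadata.

```python
import xml.etree.ElementTree as ET

MD = "urn:oasis:names:tc:SAML:2.0:metadata"
ET.register_namespace("md", MD)

# Constructed, minimal metadata aggregates (one per federation); real feeds carry
# keys, endpoints and signatures, which are omitted here for brevity.
FEEDS = {
    "haka": """<EntitiesDescriptor xmlns="urn:oasis:names:tc:SAML:2.0:metadata" Name="haka.example">
<EntityDescriptor entityID="https://idp.uni-a.example/idp"><IDPSSODescriptor/></EntityDescriptor>
<EntityDescriptor entityID="https://idp.uni-b.example/idp"><IDPSSODescriptor/></EntityDescriptor>
<EntityDescriptor entityID="https://journals.example/sp"><SPSSODescriptor/></EntityDescriptor>
</EntitiesDescriptor>""",
    "feide": """<EntitiesDescriptor xmlns="urn:oasis:names:tc:SAML:2.0:metadata" Name="feide.example">
<EntityDescriptor entityID="https://idp.uni-c.example/idp"><IDPSSODescriptor/></EntityDescriptor>
<EntityDescriptor entityID="https://lms.example/sp"><SPSSODescriptor/></EntityDescriptor>
</EntitiesDescriptor>""",
    "swami": """<EntitiesDescriptor xmlns="urn:oasis:names:tc:SAML:2.0:metadata" Name="swami.example">
<EntityDescriptor entityID="https://idp.uni-d.example/idp"><IDPSSODescriptor/></EntityDescriptor>
</EntitiesDescriptor>""",
}
# Opt-in at two of the three levels: a federation missing from this dict has not
# joined the charter (SWAMI here), and within a member federation only the listed
# home organisations / services are exported. User-level consent happens at login time.
OPT_IN = {
    "haka": {"https://idp.uni-a.example/idp", "https://journals.example/sp"},
    "feide": {"https://idp.uni-c.example/idp", "https://lms.example/sp"},
}

def entity_ids(xml_text, role=None):
    """entityIDs in an aggregate, optionally only those carrying the given role element."""
    root = ET.fromstring(xml_text)
    return [ed.get("entityID") for ed in root.iter(f"{{{MD}}}EntityDescriptor")
            if role is None or ed.find(f"{{{MD}}}{role}") is not None]

def build_overlap(feeds, opted_in):
    """Assemble the cross-federation aggregate from the member feeds, copying only
    entities whose federation and whose home organisation both opted in."""
    out = ET.Element(f"{{{MD}}}EntitiesDescriptor", Name="kalmar-overlap.example")
    for fed, xml_text in feeds.items():
        if fed not in opted_in:                      # federation-level opt-in
            continue
        for ed in ET.fromstring(xml_text).iter(f"{{{MD}}}EntityDescriptor"):
            if ed.get("entityID") in opted_in[fed]:  # IdP/SP-level opt-in
                out.append(ed)
    return ET.tostring(out, encoding="unicode")

def sp_trusts_idp(home_feed, overlap_feed, idp_id):
    """An SP accepts a login only from an IdP in its own federation's metadata or in
    the overlap aggregate its federation agreed to; anything else is rejected."""
    return (idp_id in entity_ids(home_feed, "IDPSSODescriptor")
            or idp_id in entity_ids(overlap_feed, "IDPSSODescriptor"))
```

Running `sp_trusts_idp(FEEDS["feide"], build_overlap(FEEDS, OPT_IN), idp)` accepts the opted-in HAKA IdP, and rejects both the HAKA IdP that did not opt in and the IdP of a federation that has not joined the charter.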

11 Future work
Single Sign On and informed consent
 – How to inform users
Operational service
 – Depends on introduction of SAML 2.0
Revisit policy after we have real life experience of what problems turn up in production

