Presentation is loading. Please wait.

Presentation is loading. Please wait.

Understanding deployment issues on the Supply Chain Ann Harding, SWITCH, Nicole Harris, TERENA Cambridge July 2014.

Published byAdrian Hart Modified over 8 years ago

Similar presentations

Presentation on theme: "Understanding deployment issues on the Supply Chain Ann Harding, SWITCH, Nicole Harris, TERENA Cambridge July 2014."— Presentation transcript:

1 Understanding deployment issues on the Supply Chain Ann Harding, SWITCH, Nicole Harris, TERENA Cambridge July 2014

2 2 Connect | Communicate | Collaborate Understanding implications on the supply chain Interactive Session Technical briefing Interactive discussion Review of ideas Topics Levels of Assurance Attribute Release Attribute Aggregation Monitoring and Accounting

3 3 Connect | Communicate | Collaborate To the whiteboard!

4 4 Connect | Communicate | Collaborate Assurance and Trust Behavioural Trust - IdP Behavioural Trust - SP Technical Trust - IdP Technical Trust - SP TRUST

5 5 Connect | Communicate | Collaborate What assurances? Organisational Security Management Notices and User Information Infrastructure Service Maturity Operational User Registration Password strength Maintaining logs Revocation { Externally Audited

6 6 Connect | Communicate | Collaborate The Problem Statement The Research Community/SP view Our resources are ‘special’ are we need to know they are protected properly. We need to know that you have taken care to make sure the right people are registered. This should be the responsibility of the infrastructure providers, not projects. The Campus/IdP view Reasonable level of trust through federation – you know us. Assurance is EXPENSIVE and you are asking us to bear the cost. Different SPs want different things all the time. There are no clear use cases as to WHY you need this.

7 7 Connect | Communicate | Collaborate Let’s discuss

8 8 Connect | Communicate | Collaborate Attribute Release – the Problem Statement The Research Community/SP view Different communities and different SPs need different attributes Need to identify individual’s personal informtion e.g. ethical committees need names etc. Negotiation with individual IdPs does not work and does not scale The Campus/IdP view An IdP takes a risk when it releases attributes Intentional or accidental misuse of information by SPs Data Protection legislation typically encourages a minimal release policy without specifying what minimal is Dealing with requests from many quarters burdens overworked IT departments

9 9 Connect | Communicate | Collaborate Attribute Release – uApprove Automated workflow for user approval for attribute release Consent not considered sufficient in many EU jurisdictions Shibboleth IdP extension

10 10 Connect | Communicate | Collaborate Attribute Release – Entity Categories Group federation entities that share common criteria. Facilitate IdP decisions to release a defined set of attributes to SPs without the need for detailed local review for each SP IdP makes a release decision based on the criteria detailed in each SP entity category specification Example Entity Categories Code of Conduct (CoCO) Research and Scholarship (R&S) Early days for deployment Example Entity Categories Code of Conduct (CoCO) Research and Scholarship (R&S) Early days for deployment Release is *facilitated* not *mandated* SP’s registrar (typically the Federation) checks for compliance at registration

11 11 Connect | Communicate | Collaborate Let’s discuss

12 12 Connect | Communicate | Collaborate Attribute Aggregation The “Scott Cantor is a Member of IETF” Problem. Affiliation Professional Body UniversityCharity Research Project

13 13 Connect | Communicate | Collaborate Attribute Aggregation

14 14 Connect | Communicate | Collaborate Let’s discuss

15 15 Connect | Communicate | Collaborate Monitoring and Accounting – what eduGAIN knows

16 16 Connect | Communicate | Collaborate Monitoring and Accounting – What Federations know Some know more than others Hub and Spoke vs Full Mesh Few if any standard tools Scalability and standard specs a big issue Some know more than others Hub and Spoke vs Full Mesh Few if any standard tools Scalability and standard specs a big issue Learn from the perfSONAR experience and not leap in with a ‘solution’ from above Raptor, f-ticks, AAIeye, AMAAIS, custom scripts to Nagios, Icinga, in-house tools and nothing

17 17 Connect | Communicate | Collaborate What IdPs and SPs know – Shibboleth Example idp-access.log contains a log entry for each time the IdP is accessed, whether information was ever sent back or not. request time, remote host making the request, server host name and port, and the request path idp-audit.log contains a log entry for each time the IdP sends data to an SP event time, IdP and relying party IDs, request and response binding, communication profile ID, request and response ID, principal name, authentication method, and released attribute of the current user. SP Transaction/Audit Each session that's created or removed Login, Logout, AuthnRequest Older versions show lack of error if an attribute was not provided

18 18 Connect | Communicate | Collaborate Let’s discuss

19 19 Connect | Communicate | Collaborate Back at 11:30

20 20 Connect | Communicate | Collaborate www.geant.net www.twitter.com/GEANTnews | www.facebook.com/GEANTnetwork | www.youtube.com/GEANTtv Connect | Communicate | Collaborate Thank you!

Download ppt "Understanding deployment issues on the Supply Chain Ann Harding, SWITCH, Nicole Harris, TERENA Cambridge July 2014."

Similar presentations

Overview of local security issues in Campus Grid environments Bruce Beckles University of Cambridge Computing Service.

Overview of local security issues in Campus Grid environments Bruce Beckles University of Cambridge Computing Service.
Innovation through participation GÉANT Data Protection Code of Conduct (DP CoC) 21.6.2012 FIM for research collaboration workshop Mikael Linden,

Innovation through participation GÉANT Data Protection Code of Conduct (DP CoC) FIM for research collaboration workshop Mikael Linden,
SCENARIO Suppose the presenter wants the students to access a file Supply Credenti -als Grant Access Is it efficient? How can we make this negotiation.

SCENARIO Suppose the presenter wants the students to access a file Supply Credenti -als Grant Access Is it efficient? How can we make this negotiation.
EduGAIN – Are we there yet? Lukas Hämmerle (ghost writer, Brook Schofield) FIM4R, Helsinki – 2 October 2013.

EduGAIN – Are we there yet? Lukas Hämmerle (ghost writer, Brook Schofield) FIM4R, Helsinki – 2 October 2013.
Step-up Authentication as-a Service Pieter van der Meulen Technical Product Manager.

Step-up Authentication as-a Service Pieter van der Meulen Technical Product Manager.
1 Issues in federated identity management Sandy Shaw EDINA IASSIST 24-27 May 2005, Edinburgh.

1 Issues in federated identity management Sandy Shaw EDINA IASSIST May 2005, Edinburgh.
Dorian Grid Identity Management and Federation Dialogue Workshop II Edinburgh, Scotland February 9-10, 2006 Stephen Langella Department.

Dorian Grid Identity Management and Federation Dialogue Workshop II Edinburgh, Scotland February 9-10, 2006 Stephen Langella Department.
Federated Identity, Levels of Assurance, and the InCommon Silver Certification Jim Green Identity Management Academic Technology Services © Michigan State.

Federated Identity, Levels of Assurance, and the InCommon Silver Certification Jim Green Identity Management Academic Technology Services © Michigan State.
Information Resources and Communications University of California, Office of the President UCTrust Implementation Experiences David Walker, UCOP Albert.

Information Resources and Communications University of California, Office of the President UCTrust Implementation Experiences David Walker, UCOP Albert.
Copyright JNT Association 20051OptionalCopyright JNT Association 2007 Overview of the UK Access Management Federation Josh Howlett.

Copyright JNT Association 20051OptionalCopyright JNT Association 2007 Overview of the UK Access Management Federation Josh Howlett.
Geneva, Switzerland, 15-16 September 2014 Introduction of ISO/IEC 29003 Identity Proofing Patrick Curry Director, British Business Federation Authority.

Geneva, Switzerland, September 2014 Introduction of ISO/IEC Identity Proofing Patrick Curry Director, British Business Federation Authority.
REFEDS RESEARCH AND EDUCATION (R&S) ENTITY CATEGORY NICOLE HARRIS.

REFEDS RESEARCH AND EDUCATION (R&S) ENTITY CATEGORY NICOLE HARRIS.
SWITCHaai Team Federated Identity Management.

SWITCHaai Team Federated Identity Management.
EduGAIN Code of Conduct Workshop, 2012-02-09, Brussels GEANT eduGAIN Data Protection Code of Conduct Workshop Dieter Van Uytvanck

EduGAIN Code of Conduct Workshop, , Brussels GEANT eduGAIN Data Protection "Code of Conduct" Workshop Dieter Van Uytvanck
Trust and Security for FIM (Sirtfi/SCI) David Kelsey (STFC-RAL) FIM4R at CERN 4 Feb 2015.

Trust and Security for FIM (Sirtfi/SCI) David Kelsey (STFC-RAL) FIM4R at CERN 4 Feb 2015.
SWITCHaai Team Introduction to Shibboleth.

SWITCHaai Team Introduction to Shibboleth.
EuroPKI 2008 Manuel Sánchez Óscar Cánovas Gabriel López Antonio F. Gómez Skarmeta University of Murcia Levels of Assurance and Reauthentication in Federated.

EuroPKI 2008 Manuel Sánchez Óscar Cánovas Gabriel López Antonio F. Gómez Skarmeta University of Murcia Levels of Assurance and Reauthentication in Federated.
Integrating with UCSF’s Shibboleth system

Integrating with UCSF’s Shibboleth system
Federated Identity Management for HEP David Kelsey WLCG GDB 9 May 2012.

Federated Identity Management for HEP David Kelsey WLCG GDB 9 May 2012.
Shib-Grid Integrated Authorization (Shintau) George Inman (University of Kent) TF-EMC2 Meeting Prague, 5 th September 2007.

Shib-Grid Integrated Authorization (Shintau) George Inman (University of Kent) TF-EMC2 Meeting Prague, 5 th September 2007.

Similar presentations

Ads by Google