Designing Identity Federation Policy, the right way Marina Vermezović, Academic Network of Serbia TNC2013 conference 4 May 2013.

Slides:



Advertisements
Similar presentations
Module N° 4 – ICAO SSP framework
Advertisements

Reliability Center Data Request Task Force Report WECC Board Meeting April 2009.
Freedom of Information Act 2000 and the PCT Audit Procedure Background: The Act was passed in November The Act will be fully in force by January.
W HAT IS M UTUAL AGREEMENT AND P ARTICIPATORY GOVERNANCE ? Dr. Eric Oifer Randy Lawson August 26, 2010.
1 The Challenges of Creating an Identity Management Infrastructure for the University of California David Walker Karl Heins Office of the President University.
EduGAIN – Are we there yet? Lukas Hämmerle (ghost writer, Brook Schofield) FIM4R, Helsinki – 2 October 2013.
1 Issues in federated identity management Sandy Shaw EDINA IASSIST May 2005, Edinburgh.
Information Resources and Communications University of California, Office of the President Current Identity Management Initiatives at UC & Beyond: UCTrust.
Information Resources and Communications University of California, Office of the President UCTrust Implementation Experiences David Walker, UCOP Albert.
An Introduction to the Hennepin County Hennepin County GIS Technical Advisory Group (eGTAG) 10/20/2009.
Access and Benefit Sharing and the Nagoya Protocol Nashina Shariff Manager Environmental Stewardship Branch November 2014.
Governance requirements for Regional Associations as specified by Ocean.US Worth D. Nowlin, Jr. Texas A&M University NDBC and CSC of NOAA GCOOS Stakeholders.
Networks ∙ Services ∙ People John DYER TF-MSP Video Conference Community Procurement Support Building on the SPOT-ON Proposal Smart Procurement,
Credential Provider Operational Practices Statement CAMP Shibboleth June 29, 2004 David Wasley.
National Smartcard Project Work Package 8 – Security Issues Report.
A SOUND INVESTMENT IN SUCCESSFUL VR OUTCOMES FINANCIAL MANAGEMENT FINANCIAL MANAGEMENT.
SWITCHaai Team Federated Identity Management.
To identity federation and beyond! Josh Howlett JANET(UK) HEAnet 2008.
Circulation of authentic instruments under Regulation 650/2012 speaker – Ivaylo Ivanov – Bulgarian Notary Chamber.
The Education Act 2002 & School Staffing Regulations 2009 (as amended 2012 and 2013) Responsibilities for Governors in respect of Staff.
Innovation through participation Interfederation through eduGAIN - steps and challenges eduGAIN interfederation service Federated Identity Systems.
The ReFEDS/GÉANT Code of Conduct (CoC) An Approach to Compliance with the EU Data Protection Directive Steve Carmody April 23, 2012.
Internet2 – InCommon and Box Marla Meehl Colorado CIO 11/1/11.
Federated Identity Management for HEP David Kelsey WLCG GDB 9 May 2012.
Connect communicate collaborate GÉANT3plus Enabling Users Pilots Lukas Hämmerle Task Leader "Enabling Users"
Recognition: the national centre and the ENIC Network Seminar on the recognition of qualifications Baku, 22 April 2005 Gunnar Vaht Head of the Estonian.
Identity Federation Policy Marina Vermezović, AMRES Federated Identity Technology Workshop Sofia, Bulgaria, 20. Jun 2014.
PDLN Connect Outline for IFRRO Brussels June 2010.
EGEE-III INFSO-RI Enabling Grids for E-sciencE EGEE and gLite are registered trademarks David Kelsey RAL/STFC,
The Impact of Evolving IT Security Concerns On Cornell Information Technology Policy.
INTRODUCTION: THE FIRST TRY InCommon eduGAIN Policy and Community Working Group.
Innovation through participation eduGAIN interfederation service for research and education Cern FedID workshop in RAL, UK 2-3 Nov 2011 Mikael Linden,
Test your IdP
Federation as a Service Marina Vermezović, AMRES Federated Identity Technology Workshop Sofia, Bulgaria, 20. Jun 2014.
9-Oct-03D.P.Kelsey, LCG-GDB-Security1 LCG/GDB Security (Report from the LCG Security Group) FNAL 9 October 2003 David Kelsey CCLRC/RAL, UK
Authentication and Authorisation for Research and Collaboration Licia Florio AARC Workshop The AARC Project Brussels, 26 October.
Géant-TrustBroker Project Overview Daniela Pöhn 7 th FIM4R meeting Frascati, Italy April 24 th, 2014.
HIT Policy Committee NHIN Workgroup HIE Trust Framework: HIE Trust Framework: Essential Components for Trust April 21, 2010 David Lansky, Chair Farzad.
Biosafety Clearing House Training Workshop date place.
Federated Identity Management for HEP David Kelsey HEPiX, IHEP Beijing 18 Oct 2012.
Copyright JNT Association 2009GN3, 8 th September Inter-Federation Agreements eduGAIN and beyond? Andrew Cormack Chief Regulatory Adviser, JANET(UK)
Connect. Communicate. Collaborate Deploying Authorization Mechanisms for Federated Services in the eduroam architecture (DAMe)* Antonio F. Gómez-Skarmeta.
HEXAA e-Science gateways with external attribute authority István Tétényi, MTA SZTAKI 21-May-2014 Co-Authors: Mr. Héder, Mihály (MTA SZTAKI); Mr. BAJNOK,
Connecting for Health Common Framework: the Model Contract for Health Information Exchange Gerry Hinkley com July 18, 2006 Davis Wright.
Innovation through participation EduGAIN policy (working draft) Status update REFEDs 30th May 2010
DRIVER Action plan for an International Repository Organisation Dale Peters OAI6 Breakout Session Joining up Repositories 18 June 2009.
Understanding deployment issues on the Supply Chain Ann Harding, SWITCH, Nicole Harris, TERENA Cambridge July 2014.
EGI-InSPIRE RI EGI-InSPIRE EGI-InSPIRE RI Evolution of AAI for e- infrastructures Peter Solagna Senior Operations Manager.
NREN Trust and Identity Strategy Ann Harding, SWITCH Cambridge July 2014.
Networks ∙ Services ∙ People Thomas Bärecke Journée Fédération, Paris Collaboration européenne GÉANT SA5 03/07/2015 SA5 T5 team
Networks ∙ Services ∙ People eduGAIN Townhall Meeting Nicole Harris (or updating the eduGAIN policy suite) “Unicorns can be sued in Wales”
Connect communicate collaborate Trust & Identity EC meets GÉANT 19 June 2014 Brussels Valter Nordh, NORDUnet Federation as a Service Task Leader Trust.
b2access.eudat.eu B2ACCESS The simple and secure authorisation and authentication platform of EUDAT This work is licensed under the Creative.
Networks ∙ Services ∙ People Nicole Harris UK federation meeting eduGAIN, REFEDS and the UK 23 June 2015 Project Development Officer GÉANT.
Networks ∙ Services ∙ People Marina Adomeit FIM4R meeting Virtual Organisation Platform as a Service VOPaaS Nov 30, 2015, Austria Task Leader,
Federated Identity Fundamentals Ann Harding, SWITCH Cambridge July 2014.
Transparency of payments to healthcare professionals: ABPI plans for a central platform for individual disclosures 2016 June 2014.
true potential An Introduction to the Middle Manager Programme’s CMI Qualifications.
B2access.eudat.eu B2ACCESS User Training How to register with B2ACCESS Version 1 February 2016 This work is licensed under the Creative Commons.
Networks ∙ Services ∙ People Licia Florio TNC, Lisbon Consuming identities across e- Infrastructures 16 June 2015 PDO GÈANT.
European Life Sciences Infrastructure for Biological Information ELIXIR Collaboration Agreement Template ELIXIR/2014/10 Vera Herkommer.
Networks ∙ Services ∙ People Marina Adomeit TNC16 Conference, Prague Towards a platform for supporting collaboration GÉANT VOPaaS
Innovation through participation Data Protection Code of Conduct (DP CoC) TNC2013 conference, 4 June 2013 Mikael Linden, CSC – IT Center for Science
BOTSWANA TEACHERS’ UNION VICE REGIONAL ORGANISERS INDUCTION WORKSHOP
Cross-sector and user-centric AAI
Objectives of WHO's collaboration with NGOs
School Site Councils & Site Governance Teams
Gunnar Vaht Head of the Estonian ENIC/NARI Baku, 2017
Draft ETSI TS Annex C Presented by Michał Tabor for PSD2 Workshop
Taking the STANDARDS Seriously
Presentation transcript:

Designing Identity Federation Policy, the right way Marina Vermezović, Academic Network of Serbia TNC2013 conference 4 May 2013

2 Connect | Communicate | Collaborate Identity Federation Identity federation enables campus authentication systems to integrate with a wide variety of services on campus, between campuses in a country and beyond Supports different technologies RADIUS Moonshot

3 Connect | Communicate | Collaborate Identity Federation Technology can be straightforward, but what about Enabling an Identity federation demands a formalized policy

4 Connect | Communicate | Collaborate European Identity Federations the Evolution Identity federations started emerging 10 years ago leading to approx. half of European countries have deployed an WebSSO Identity federation Significant knowledge and experience has been gathered through the operation of those Identity federations Identity federation communities such as REFEDS enabled the exchange of knowledge and addressed the common issues Existing Identity federation policies has evolved based on local needs

5 Connect | Communicate | Collaborate European Identity Federations The Evolution The “Federation Policy Best Practice Approach” and “Federation Policy Mapping” analyses were performed by REFEDS

6 Connect | Communicate | Collaborate European Identity Federations The Future Significant number of countries needs yet to establish an Identity federation Due to emerging interfederation initiatives (e.g. eduGAIN) there is a need for harmonization of both existing and future Identity federations policies

7 Connect | Communicate | Collaborate Identity Federation Policy Template eduGAIN GN3 task supported the creation of Identity Federation Policy Template document International working group (Finland, UK, Austria, Serbia) Gathered experience from existing Identity Federations in what not to put, and what to put in a Policy Based on SWAMID Identity federation policy Policy template is easy to be changed for local conditions Existing federations can use it if they want to change or update their existing policies

8 Connect | Communicate | Collaborate Allow multiple technologies Identity federation Policy should cover all these and allow for future adding new technologies Organizations join Identity federation only one time and then pick out which federation service they want to implement Identity Federation eduroam WebSSO Moonshot … Make the Policy in such a way that it allows for multiple technologies to be served using the same policy structure

9 Connect | Communicate | Collaborate Make resistant (as possible) to changes Make the Policy document in such a way to avoid the need for repeated changes Definitions that falls into changeable category should be put elsewhere e.g. federation website or appendix Find the right balance : Do not over specify Do not leave out important stuff Make resistant (as possible) to changes

10 Connect | Communicate | Collaborate Make future changes easy Policy will keep evolving and in certain degree changes will happen Make procedure for changing the policy lightweight as possible Important issue that can make effect on how easily a policy can be changed is what members sign when they join the Identity federation: Member fills in a separate form agreeing to be bound by the Policy document Member signs a copy of the actual policy (there are placeholders for signatures at the end the policy document)

11 Connect | Communicate | Collaborate Identity Federation Policy document suite Identity Federation Policy document Identity Federation Policy (main) Appendices Technology Profile eduroam Technology Profile Web single sign-on Level of Assurance Profiles Data Protection Profile Federation Operational Practices Appendix Governance Appendix Fees

12 Connect | Communicate | Collaborate Identity Federation Policy Template Sections Definitions and TerminologyIntroductionGovernance and Roles Governance Obligations and Rights of Federation Operator Obligations and Rights of Federation Members EligibilityProcedures How to Join How to Withdraw Legal conditions of use Termination Liability and indemnification Jurisdiction and dispute resolution Interfederation Amendment

13 Connect | Communicate | Collaborate Governance of the federation Federation should have governing body which has advisory, decision or some other rights on certain federation issues. Structure and election process for the governing body falls into changeable category and should specify elsewhere e.g. appendix Structure will probably highly depend on your local circumstances, how federation is established and funded Rights appointed to the governing body, advisory vs. deciding: Criteria for membership for the Federation Revoking the membership of a Federation Member Entering into interfederation agreement Formal ties with relevant national and international organisations Approving changes to the Federation Policy...

14 Connect | Communicate | Collaborate Obligations and Rights of Federation Operator It is very important to clearly define what are the obligations and rights of the Federation Operator Obligations boosts the members trust to Federation Operator, e.g.: Secure and trustworthy operational management of the federation Provides support services for Federation Members Maintaining relationships with national and international stakeholders in the area of Identity Federations Promoting the idea and concepts implemented in the Federation Federation Operator should keep certain rights, e.g. : temporarily suspend a Member who is in breach in policy publish some data about Federation Members

15 Connect | Communicate | Collaborate Obligations and Rights of Federation Members For mutual Federation Members trust, it is important to clearly define their obligations and rights There can be three types of Federation Members: Home Organization Attribute Authority Service Provider Some obligations and rights are same, but some differ !

16 Connect | Communicate | Collaborate Obligations and Rights of Federation Members - ALL Must cooperate with the Federation Operator and other Members in resolving incidents and should report incidents Must comply with the obligations of the Technology Profiles which it implements Must ensure its IT systems that are used in implemented Technology Profiles are operated securely Must pay the fees. Prices and payment terms are specified in appendix Fees If a Federation Member processes personal data, Federation Member will be subject to applicable data protection laws and must follow the practice presented in Data Protection Profile

17 Connect | Communicate | Collaborate Obligations and Rights of Federation Members – HO Is responsible for delivering and managing authentication credentials for its End Users and for authenticating them, as may be further specified in Level of Assurance Profiles Submit its Identity Management Practice Statement to the Federation Operator Ensures an End User is committed to the Home Organization’s Acceptable Usage Policy Operates a helpdesk for its End Users regarding Federation services related issues

18 Connect | Communicate | Collaborate Obligations and Rights of Federation Members – AA or HO Is responsible for assigning Attribute values to the End Users and managing the values in a way which ensures they are up-to-date Is responsible to releasing the Attributes to Service Providers

19 Connect | Communicate | Collaborate Obligations and Rights of Federation Members - SP Is responsible for making decision on which End Users can access the services they operate and which access rights are granted to an End User It is Service Providers responsibility to implement those decisions

20 Connect | Communicate | Collaborate | | Connect | Communicate | Collaborate Thank you!

Feedback: Privacy Policy Feedback
Do Not Sell My Personal Information
About project: SlidePlayer Terms of Service

© 2024 SlidePlayer.com Inc. All rights reserved.