Interfederation. RL “Bob” Morgan, University of Washington and Internet2. Internet2 Member Meeting, Chicago, Illinois, December 2006.


2 Topics
- Federation, micro and macro
- End to end
- Interoperability and flexibility
- Inter/confederation and federation services

3 Federation at the micro level
- 3 parties interacting: requesting party (aka user), asserting party (aka IdP), relying party (aka service)
- federation at the “micro” level happens when: the asserting party gives the requesting party a token; the requesting party gives it to the relying party; the relying party uses it to establish security properties of the requesting party
- asserting party and relying party are under separate administration
- (note the useful case when requesting party and asserting party are the same, i.e. the user asserts about itself)

4 Fundamental infrastructure
- Federation (at the micro level) is a fundamental building-block computing structure, like “file”, “network”, “GUI”, “database”, etc.
- hence not product- or technology-specific
- permits specialization in management of security information: the asserting party can be good at user proofing, authentication, roles, etc.; the relying party can be good at stuff specific to its application area

5 Federation (micro) barriers
- 3-party federation requires many agreements:
  - signon protocol/profile
  - participant (i.e. server) naming
  - protection/validation methods for transmitted data
  - responsibilities of asserting and relying parties
  - what can be asserted about subjects, syntactically and semantically
  - capabilities of requesting party (i.e. client)
  - elements specific to parties: integration, usability, error handling, etc.

6 Federation at the macro level
- Micro-federation is good, so we want to do it a lot, à la filesystems, GUI windows, inter-networks, etc.
- Federation at the “macro” level supports the interests of many parties in doing micro-level federation, by creating a community to reduce barriers
- Hence: naming of parties, discovery/listing of parties, defining use of options, organizing into sets by characteristics, establishment/removal processes, etc.
- primarily about parties benefiting from shared management

7 End-to-end in federation
- 2 kinds of people in the world: those who cling to the end-to-end principle, and those who don't
- The end-to-end argument says elements interacting via infrastructure are responsible for their own semantics; infrastructure services support/optimize but do not alter
- following this principle in macro-federation: federation infrastructure supports parties in managing the info needed for their micro-federation interaction, but doesn't take an active part in the interaction itself
- parties can micro-federate outside of the macro-federation

8 Interoperation and diversity
- An instance of micro-federation uses a more or less static feature set: user identifiers, encryption, flow, attributes, etc.
- A macro-federation supports a constrained option set in order to support a diversity of business purposes
- key issue is the expectation (or assurance) of full NxN interoperation across the federation
- most federations have assumed/mandated this, but it is unlikely to persist going forward (SAML 1 vs 2, WS-Fed, WS-Trust)
- managing option evolution is a key technical role of the federation

9 Interfederation?
- Given multiple federations, an SP or IdP can simply participate directly in whatever federations it needs to; this is the current state of the art
- what if the policy of federation X prohibits party Y from joining? what does that mean? that as a member of fed X I'm not allowed to talk to party Y?
- if everyone ultimately needs to talk to everyone, doesn't that imply one big federation?
- don't we want a model where sites join one fed and via that get access to all others?

10 Interfederation: interfed services from a federation: metadata
- federation A could have an arrangement with federation B to incorporate all/some of its members, and provide that to its members along with the local fed metadata, perhaps re-signed or mapped
- this would remove the burden of explicit joining from fed members, but sites would end up with the same combined metadata
- dynamic metadata acquisition? orthogonal, i.e. could be performed by members or by the federation service
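The metadata arrangement on this slide, as an added example that is not part of the talk: federation A folds all or some of federation B's SAML metadata into its own aggregate, marking each imported entry with the (later) mdrpi RegistrationInfo extension so members can see who vouched for it, and refusing any imported entityID that collides with a locally registered one. All federation names, entityIDs and endpoints are constructed; re-signing the combined aggregate is a separate XML-signature step and is not shown.

```python
# Constructed example: federation A imports all or some of federation B's
# entities into its own aggregate. An imported entity may never override a
# locally registered entityID: whichever entry wins decides which keys and
# endpoints A's members trust for that name.
import xml.etree.ElementTree as ET

MD = "urn:oasis:names:tc:SAML:2.0:metadata"
RPI = "urn:oasis:names:tc:SAML:metadata:rpi"  # mdrpi: RegistrationInfo extension

def _entity(entity_id, sso_url):
    # Minimal constructed IdP entry, just enough to drive the merge logic.
    return (f'<md:EntityDescriptor xmlns:md="{MD}" entityID="{entity_id}">'
            '<md:IDPSSODescriptor protocolSupportEnumeration="urn:oasis:names:tc:SAML:2.0:protocol">'
            '<md:SingleSignOnService Binding="urn:oasis:names:tc:SAML:2.0:bindings:HTTP-Redirect"'
            f' Location="{sso_url}"/></md:IDPSSODescriptor></md:EntityDescriptor>')

def _aggregate(name, entities):
    return f'<md:EntitiesDescriptor xmlns:md="{MD}" Name="{name}">' + "".join(entities) + "</md:EntitiesDescriptor>"

FED_A = _aggregate("https://fed-a.example/metadata", [
    _entity("https://idp.alpha.example/idp", "https://idp.alpha.example/sso")])
FED_B = _aggregate("https://fed-b.example/metadata", [
    _entity("https://idp.beta.example/idp", "https://idp.beta.example/sso"),
    _entity("https://idp.alpha.example/idp", "https://rogue.example/sso"),  # clashes with A's entity
    _entity("https://idp.gamma.example/idp", "https://idp.gamma.example/sso")])

def merge(local_xml, remote_xml, remote_authority, allow=None):
    """Return (merged EntitiesDescriptor, rejected entityIDs).
    allow: optional set of entityIDs to take from the remote federation ("some of its members")."""
    local, remote = ET.fromstring(local_xml), ET.fromstring(remote_xml)
    known = {e.get("entityID") for e in local.findall(f"{{{MD}}}EntityDescriptor")}
    rejected = []
    for ent in remote.findall(f"{{{MD}}}EntityDescriptor"):
        eid = ent.get("entityID")
        if eid in known or (allow is not None and eid not in allow):
            rejected.append(eid)  # local entity wins, or entity not on the import list
            continue
        # Mark provenance so members can see which federation vouched for this entry.
        ext = ET.Element(f"{{{MD}}}Extensions")
        ET.SubElement(ext, f"{{{RPI}}}RegistrationInfo", registrationAuthority=remote_authority)
        ent.insert(0, ext)  # Extensions precedes the role descriptors in the schema
        local.append(ent)
        known.add(eid)
    return local, rejected

def merged_entity_ids(local_xml, remote_xml, remote_authority, allow=None):
    tree, rejected = merge(local_xml, remote_xml, remote_authority, allow)
    return [e.get("entityID") for e in tree.findall(f"{{{MD}}}EntityDescriptor")], rejected
```

Whether a rejected collision is an operator error or an attempt to hijack a member's name is a policy question between the two federations; the aggregator's job is to surface it rather than silently pick a winner.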

11 Interfederation: interfed services for IdP discovery
- run a multi-fed WAYF?
- promote scenarios that don't require discovery...
- a potential new Shib/SAML discovery protocol might help...

12 Interfederation: interfed services for mapping attributes and policies...
- mapping info could be provided to IdPs/SPs for inclusion in attribute/policy handling
- or this could be done by in-line proxy protocols... requires multiple protocol support at IdPs/SPs

