EuroCAMP Summary (in 15 mins) - TERENA

Diego
• We are at the teenager stage of IDM
• IDM is maturing
• Welcome to the schema Onion

Jasmina
• Welcome to LDAP [the syntax]
• Flat tends to be better than hierarchical
• Feed your LDAP automatically
• No manual LDAP updates

Miroslav
• Welcome to LDAP [semantics]
• Don't re-purpose a schema
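The two LDAP points above (keep the tree flat; feed the directory from the system of record instead of editing it by hand) are easiest to see in the job that does the feeding. The following is an added example, not code from the EuroCAMP talks: it diffs a constructed registry export against a constructed directory snapshot and emits the LDIF change records a scheduled sync would apply. The base DN `ou=people,dc=example,dc=org`, the managed attribute list and all sample records are assumptions. Because the DIT is flat and the DN is built only from the immutable `uid`, Alice's change of department becomes an attribute replace rather than a rename (modrdn) and a move between subtrees.

```python
"""Generate the LDIF that keeps a flat ou=people DIT in sync with a system-of-record export.

Added example for the "feed your LDAP automatically" and "flat beats hierarchical"
points; it is not code from the EuroCAMP talks. The base DN, attribute names and
the sample records are constructed assumptions.
"""
import base64

BASE_DN = "ou=people,dc=example,dc=org"  # flat DIT: every person sits directly under ou=people
MANAGED_ATTRS = ("cn", "sn", "mail", "departmentNumber", "eduPersonAffiliation")

# Constructed export from the system of record (HR / student registry).
SOURCE_OF_RECORD = [
    {"uid": "alice", "cn": "Alice Example", "sn": "Example", "mail": "alice@example.org",
     "departmentNumber": "CS", "eduPersonAffiliation": "staff"},
    {"uid": "bob", "cn": "Bob Example", "sn": "Example", "mail": "bob@example.org",
     "departmentNumber": "MATH", "eduPersonAffiliation": "student"},
]

# Constructed snapshot of what the directory currently holds (dn -> attributes).
DIRECTORY_NOW = {
    "uid=alice,ou=people,dc=example,dc=org": {
        "uid": "alice", "cn": "Alice Example", "sn": "Example", "mail": "alice@example.org",
        "departmentNumber": "PHYS", "eduPersonAffiliation": "staff"},
    "uid=carol,ou=people,dc=example,dc=org": {
        "uid": "carol", "cn": "Carol Example", "sn": "Example", "mail": "carol@example.org",
        "departmentNumber": "CS", "eduPersonAffiliation": "staff"},
}


def dn_for(uid: str) -> str:
    """Flat DIT: the DN depends only on the immutable uid, never on the department."""
    return f"uid={uid},{BASE_DN}"


def ldif_line(attr: str, value: str) -> str:
    """RFC 2849: values that are not SAFE-STRING must be base64-encoded after '::'."""
    unsafe = (not value.isascii() or not value.isprintable()
              or value[:1] in (" ", ":", "<") or value.endswith(" "))
    if unsafe:
        return f"{attr}:: {base64.b64encode(value.encode('utf-8')).decode('ascii')}"
    return f"{attr}: {value}"


def plan_changes(source, current):
    """Diff the system of record against the directory: (adds, modifies, deletes)."""
    wanted = {dn_for(rec["uid"]): rec for rec in source}
    adds = [dn for dn in wanted if dn not in current]
    deletes = [dn for dn in current if dn not in wanted]
    modifies = {}
    for dn in wanted:
        if dn not in current:
            continue
        diff = {a: (current[dn].get(a), wanted[dn].get(a))
                for a in MANAGED_ATTRS if current[dn].get(a) != wanted[dn].get(a)}
        if diff:
            modifies[dn] = diff
    return adds, modifies, deletes


def render_ldif(source, current) -> str:
    """Emit one LDIF change record per difference; this is what the scheduled job applies."""
    adds, modifies, deletes = plan_changes(source, current)
    wanted = {dn_for(rec["uid"]): rec for rec in source}
    records = []
    for dn in adds:
        rec = wanted[dn]
        lines = [ldif_line("dn", dn), "changetype: add", "objectClass: inetOrgPerson",
                 "objectClass: eduPerson", ldif_line("uid", rec["uid"])]
        lines += [ldif_line(a, rec[a]) for a in MANAGED_ATTRS if a in rec]
        records.append("\n".join(lines))
    for dn, diff in modifies.items():
        lines = [ldif_line("dn", dn), "changetype: modify"]
        for attr, (_old, new) in diff.items():
            if new is None:                      # attribute dropped in the source: delete it
                lines += [f"delete: {attr}", "-"]
            else:                                # replace creates the attribute if it is absent
                lines += [f"replace: {attr}", ldif_line(attr, new), "-"]
        records.append("\n".join(lines))
    for dn in deletes:
        records.append(f"{ldif_line('dn', dn)}\nchangetype: delete")
    return "\n\n".join(records) + "\n"


if __name__ == "__main__":
    print(render_ldif(SOURCE_OF_RECORD, DIRECTORY_NOW))
```

Run under the registry's own account with a bind DN that may only write to `ou=people`, and keep humans out of that subtree entirely: if the job is the only writer, every entry is explainable from the export, and "who changed this attribute" always has an answer.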

Victoriano
• Can you trust the applications that your users enter passwords into?
• Don't let your users enter passwords into applications outside your control

Roland (rhubarb, rhubarb, rhubarb)
• How to do LDAP properly
– Attribute extensions
• How to do IDM properly
• Sun's 10 best practices (see also Cameron's 7 laws of identity)
• Get sponsorship for your strategy, and aim for quick wins.

Gerard
• Challenges
• Hopes

Roland (rhubarb, rhubarb, rhubarb)
• Cutting edge homebrew IDM system based on standards.
• Sweden’s Universities are one legal entity

Jasmina
• Guest accounts
• Make sure you deprovision
• Make sure you know who the guest is
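Both guest-account points above come down to two attributes on the entry and a job that acts on them. The following is an added example, not code from the EuroCAMP talks. It assumes an OpenLDAP directory with the ppolicy overlay (so an account is locked by setting `pwdAccountLockedTime` to the permanent-lock sentinel `000001010000Z`), guest entries carrying a SCHAC `schacExpiryDate` (GeneralizedTime) and an inetOrgPerson `manager` DN naming the sponsoring staff member; the seven-day warning window, the `ou=guests` subtree and every record are constructed. A guest whose sponsor is not an active staff member, or whose expiry is missing, is locked: the job fails closed rather than keeping an account nobody can vouch for.

```python
"""Decide which guest accounts to lock: expired, or with no identifiable sponsor.

Added example for the guest-account points (deprovision; know who the guest is);
not code from the EuroCAMP talks. Assumes OpenLDAP with the ppolicy overlay,
schacExpiryDate (SCHAC) and a `manager` DN (inetOrgPerson) on each guest.
All records below are constructed.
"""
from datetime import datetime, timedelta, timezone

# ppolicy sentinel for "locked permanently" (assumption: the ppolicy overlay is loaded).
LOCKED_FOREVER = "000001010000Z"
GRACE = timedelta(days=7)   # warn the sponsor this long before expiry; a local policy choice

# Constructed snapshot of DNs that currently count as active staff (valid sponsors).
ACTIVE_STAFF = {
    "uid=alice,ou=people,dc=example,dc=org",
}

# Constructed guest entries (dn -> attributes).
GUESTS = {
    "uid=g-visitor1,ou=guests,dc=example,dc=org": {
        "cn": "Visiting Researcher", "mail": "v1@partner.example",
        "schacExpiryDate": "20240930235959Z",
        "manager": "uid=alice,ou=people,dc=example,dc=org"},
    "uid=g-visitor2,ou=guests,dc=example,dc=org": {
        "cn": "Conference Guest", "mail": "v2@partner.example",
        "schacExpiryDate": "20240601000000Z",
        "manager": "uid=alice,ou=people,dc=example,dc=org"},
    "uid=g-visitor3,ou=guests,dc=example,dc=org": {
        "cn": "Unknown", "schacExpiryDate": "20251231235959Z",
        "manager": "uid=bob,ou=people,dc=example,dc=org"},   # bob has left: sponsor no longer active
    "uid=g-visitor4,ou=guests,dc=example,dc=org": {
        "cn": "No Sponsor", "mail": "v4@partner.example"},    # neither expiry nor sponsor recorded
}


def parse_generalized_time(value: str) -> datetime:
    """LDAP GeneralizedTime in its common YYYYMMDDHHMMSSZ form, as an aware UTC datetime."""
    return datetime.strptime(value, "%Y%m%d%H%M%SZ").replace(tzinfo=timezone.utc)


def classify(attrs: dict, now: datetime, active_staff: set) -> str:
    """Return 'lock:<reason>', 'warn:expiring' or 'keep'. Missing data fails closed."""
    sponsor = attrs.get("manager")
    if not sponsor or sponsor not in active_staff:
        return "lock:sponsor-unknown"      # nobody active can say who this guest is
    if "schacExpiryDate" not in attrs:
        return "lock:no-expiry"            # a guest without an end date is not a guest
    expires = parse_generalized_time(attrs["schacExpiryDate"])
    if expires <= now:
        return "lock:expired"
    if expires - now <= GRACE:
        return "warn:expiring"
    return "keep"


def deprovision_plan(guests: dict, now: datetime, active_staff: set) -> dict:
    """Map every guest DN to its decision."""
    return {dn: classify(attrs, now, active_staff) for dn, attrs in guests.items()}


def lock_ldif(plan: dict) -> str:
    """LDIF that locks every guest whose decision starts with 'lock:' (ppolicy assumption)."""
    records = [f"dn: {dn}\nchangetype: modify\nreplace: pwdAccountLockedTime\n"
               f"pwdAccountLockedTime: {LOCKED_FOREVER}\n-"
               for dn, decision in plan.items() if decision.startswith("lock:")]
    return "\n\n".join(records) + ("\n" if records else "")


if __name__ == "__main__":
    now = datetime(2024, 9, 25, tzinfo=timezone.utc)   # fixed "today" so the run is reproducible
    plan = deprovision_plan(GUESTS, now, ACTIVE_STAFF)
    for dn, decision in plan.items():
        print(f"{decision:22} {dn}")
    print(lock_ldif(plan))
```

Locking rather than deleting keeps the entry (and the `manager` link) available for the audit question "who let this person in", and a locked guest can be re-sponsored by simply clearing `pwdAccountLockedTime` and setting a new expiry. Run the job after the staff feed, so that a sponsor who left yesterday already counts as inactive today.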

Panel
• Don't come up with your own schema if an existing standard can be used
• Don't put sensitive data in your directory
– Unless you are prepared to meet the regulatory obligations
• The standard schemas may not be enough

Kevin
• Management view
• What is a user, a person
• Level of Assurance
• If you do a good job, your IDM system will become authoritative

David
• The Zoo of beasts
• Intro to federation
– Conventional
– Hub-spoke
• Legal
– MoUs
– Contracts
– Charters
– Consent
• Engage lawyers, don't write each other's code
• Talk to your data and consumer protection agencies
• Define your federation's legal body (NREN or otherwise)
• Read the JISC legal document on federation policies

Victoriano
• eduPerson
– Good starting point
– Pseudonymous id
• SCHAC
– Designed for specific European uses
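The pseudonymous identifier eduPerson offers is eduPersonTargetedID: a value that is stable for one user at one service provider but different at every other SP, so two SPs cannot join their user records without the IdP's help. The block below is an added example of how an IdP can derive such a value; it is not code from the EuroCAMP talks and not the computedId algorithm of Shibboleth or any other product. It assumes an IdP-side secret salt that never changes, an opaque and immutable person key as the input (not the login name, which may be renamed), and constructed entity IDs and accounts. The SAML NameID format `urn:oasis:names:tc:SAML:2.0:nameid-format:persistent` and the eduPersonTargetedID attribute OID `1.3.6.1.4.1.5923.1.1.1.10` are the real identifiers; the rest is illustration.

```python
"""Derive a persistent, SP-scoped pseudonymous identifier (eduPersonTargetedID style).

Added example for the "pseudonymous id" point under eduPerson; it is not the
Shibboleth computedId algorithm or any other project's code. It assumes an
IdP-side secret salt and an immutable internal person key; entity IDs and
accounts below are constructed.
"""
import base64
import hashlib
import hmac

SAML_PERSISTENT = "urn:oasis:names:tc:SAML:2.0:nameid-format:persistent"
EPTID_OID = "urn:oid:1.3.6.1.4.1.5923.1.1.1.10"   # eduPersonTargetedID as a SAML attribute name

IDP_ENTITY_ID = "https://idp.example.org/idp/shibboleth"   # constructed
SALT = b"constructed-demo-salt; in production: random, secret, never rotated"

# Constructed local accounts: the stable key is an opaque person number, not the login name,
# so renaming a uid does not change the identifiers already issued to SPs.
ACCOUNTS = {
    "alice": {"personKey": "p-000123", "mail": "alice@example.org"},
    "bob":   {"personKey": "p-000456", "mail": "bob@example.org"},
}


def targeted_id(sp_entity_id: str, person_key: str,
                salt: bytes = SALT, idp: str = IDP_ENTITY_ID) -> str:
    """HMAC over (IdP, SP, person key): stable per SP, unlinkable across SPs without the salt."""
    msg = f"{idp}!{sp_entity_id}!{person_key}".encode("utf-8")
    digest = hmac.new(salt, msg, hashlib.sha256).digest()
    return base64.urlsafe_b64encode(digest).rstrip(b"=").decode("ascii")


def name_id_for(uid: str, sp_entity_id: str) -> dict:
    """The persistent NameID an IdP would assert, as a dict of the element's XML attributes."""
    person_key = ACCOUNTS[uid]["personKey"]
    return {
        "Format": SAML_PERSISTENT,
        "NameQualifier": IDP_ENTITY_ID,        # who issued the identifier
        "SPNameQualifier": sp_entity_id,       # for whom it was issued
        "value": targeted_id(sp_entity_id, person_key),
    }


def same_person(name_id_a: dict, name_id_b: dict) -> bool:
    """Comparable only when issuer, audience and value all match; cross-SP joins never succeed."""
    return all(name_id_a[k] == name_id_b[k]
               for k in ("NameQualifier", "SPNameQualifier", "value"))


if __name__ == "__main__":
    wiki = "https://wiki.example.edu/sp"
    library = "https://library.example.edu/shibboleth"
    print("alice @ wiki    ", name_id_for("alice", wiki)["value"])
    print("alice @ library ", name_id_for("alice", library)["value"])
    print("bob   @ wiki    ", name_id_for("bob", wiki)["value"])
```

Two operational points follow from the construction. Losing the salt invalidates every identifier ever issued, so it belongs in the same backup and key-management regime as the IdP's signing key. And because the value is derived, not stored, an SP asking "which user is this" can only be answered by the IdP re-deriving it for a candidate person, which is exactly the property a pseudonymous identifier is meant to have.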

Jacob
• WAYF.dk style SSO
– CAS
– SAML
– LDAP
• The scary fish <SimpleSAMLphp>
– Simple
– Simple
– simple

Kevin
• Making the case with a killer app
– efficiency
– collaboration
– compliance
– new business model
• The business case for federation is the same as the case you would use for an IDM, but with the context that goes beyond the campus
• The more services run off your ID, the better for your ID
• The more services in your federation, the better for the IdP (and thus IDM)
• The more your accounts are used, the better

Miro
• eduroam
– RADIUS
– Monitoring
• as a means to show that your service is valuable
• tools, to show that you can troubleshoot
– Future plans
• GN3-SA3(t2) & JRA3

Diego
SIR
• Why PAPI?
– (years+)
– Connectors to lower the entry barrier for institutions, so not just PAPI
• Simple Policy
– To lower the entry barrier
– Explicit description of data protec...
• Interconnected with
– OpenID
– eduGAIN
• SAML Services
– External, managed, outer, outsourced
• Regional Federations

Victoriano, Rok, Michal
SAML with non-web
SAML with Kerberos
Entitlements