Federated Identity, Accessing World-Wide Services with your Campus Id
Brook Schofield, Project Development Officer, TERENA
Transcript
Innovation through participation
Federated Identity,
Accessing World-Wide Services
with your Campus Id
Brook Schofield
Project Development Officer, TERENA
27 September 2012, edutic Chile
Brook Schofield mailto:[email protected]
skype://brookschofield
tel:+31651553991
http://terena.org/~schofield
linkedin.com/in/brookschofield
About me…
Australian living in The Netherlands. Grew up on the island state of Tasmania (named after a Dutchman).
Task Leader in the GN3 Project for eduGAIN.
Secretary of the Global eduroam Governance Committee.
Campus Identity Management
Bad old days
Islands of Identity
Email System, File Server, Student Enrolment,
Library Catalogue
Often run by different divisions
Good old days
LDAP for everything! (or most things)
Centralisation of services under a single unit
Future
Services are outside your campus
Accessing International Resources
Freely available to all - Wikipedia
IP Address Authorisation
Library Journals and Databases
Reverse Proxy or VPN to simulate “on campus”
User confusion, Library Portal vs Google Search
Personal Subscriptions/Payment
Negates community purchasing power
Guest Access Required
Another account, poor password choices or reuse
User mobility
A family of federated services
eduroam: 10 years of development …now available in Chile
Two (2) options explored …and rejected
• VPN – Open WiFi
  – Route traffic back to your home organisation via VPN
    • Benefit that “internet” traffic was from the home institution
  – Access Control is problematic
    • You don’t really know who is using it (just that they have a VPN)
• Web Redirect / Splash-screen Portal
  – Popular at airports, cafés and hotels
  – No “over the air” security
The solution: eduroam
• Trust based on national policy
• Security based on 802.1X/RADIUS
• VLAN assignment to separate users
[Diagram: University A and University B each with a RADIUS server and User DB, linked through the NREN Central RADIUS Proxy server; a WiFi Access Point; Visitor, Student and Employee VLANs; the legend distinguishes data from signaling.]
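To make the hierarchy in the diagram concrete, here is an added toy model (not code from the talk or from eduroam) of how an authentication request is proxied by realm from the visited campus through the NREN proxy to the home RADIUS server, and how the visited campus then places the user on a VLAN. The realm names, credentials and the role-to-VLAN mapping are constructed assumptions.

```python
# Added example, not from the talk: a toy model of the eduroam RADIUS hierarchy on
# the slide. Routing on the realm of the outer identity, the realm names and the
# user database are constructed assumptions, not eduroam's actual configuration.
from dataclasses import dataclass, field
from typing import Optional

VLANS = {"student": "Student VLAN", "employee": "Employee VLAN"}

@dataclass
class RadiusServer:
    name: str
    realm: Optional[str] = None                   # authoritative realm; None = proxy only
    users: dict = field(default_factory=dict)     # constructed User DB: user -> (password, role)
    children: dict = field(default_factory=dict)  # realm -> downstream server
    parent: Optional["RadiusServer"] = None       # upstream NREN proxy

    def handle(self, identity, password, hops):
        """Authenticate locally or proxy by realm, recording the servers visited."""
        hops.append(self.name)
        user, _, realm = identity.rpartition("@")
        if realm == self.realm:                   # home server: consult local User DB
            entry = self.users.get(user)
            return (True, entry[1]) if entry and entry[0] == password else (False, None)
        if realm in self.children:                # known realm: forward downstream
            return self.children[realm].handle(identity, password, hops)
        if self.parent is not None:               # not ours: forward up to the NREN proxy
            return self.parent.handle(identity, password, hops)
        return False, None                        # nobody is authoritative: reject

def build_topology():
    uni_a = RadiusServer("RADIUS University A", "uni-a.example", {"alice": ("pw-a", "employee")})
    uni_b = RadiusServer("RADIUS University B", "uni-b.example", {"bob": ("pw-b", "student")})
    nren = RadiusServer("NREN Central RADIUS Proxy",
                        children={"uni-a.example": uni_a, "uni-b.example": uni_b})
    uni_a.parent = uni_b.parent = nren
    return {"A": uni_a, "B": uni_b, "NREN": nren}

def wifi_login(campus, identity, password):
    """Access point at `campus` asks its own RADIUS server; the VLAN depends on who
    the user is. Real eduroam carries the inner credential in an EAP/TLS tunnel that
    only the home server terminates, so proxies see the realm, not the password."""
    hops = []
    ok, role = campus.handle(identity, password, hops)
    if not ok:
        return {"access": False, "vlan": None, "hops": hops}
    is_home = identity.rpartition("@")[2] == campus.realm
    vlan = VLANS[role] if is_home else "Visitor VLAN"
    return {"access": True, "vlan": vlan, "hops": hops}
```

A visitor from University B logging in at University A is answered by B's User DB after two proxy hops and lands on the Visitor VLAN, while a realm nobody is authoritative for is rejected at the NREN proxy.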
Eduroam Benefits
• Builds on your existing campus wifi
– Not new equipment – just new configuration
• Use eduroam @ home
– Only 1 campus wifi network for all!
• No guest accounts
– Helpdesk + identity verification is expensive
• Improved support services in development
– Global improvements benefit your campus
Identity Federation Technologies
34 Federations
2114 IdPs
…and Virtual IdPs: Denmark, Norway & Croatia are 1 IdP
3434 SPs
Connect your campus services…
simpleSAMLphp
PHP (is an IdP, SP and Bridge)
Multi-lingual support
Linux, Windows or Mac
Shibboleth
IdP is Java (Apache Tomcat)
SP is C (Apache + IIS Support)
Both are free software.
They are interoperable with each other
Benefits of Federated Login
Chicken & Egg
Identity Providers with People
Service Providers with Resources
How can I be an identity provider?
Do you have information on people?
Choose some software…
Success!
What about service providers?
REUNA/COFRE is in talks with publishers
There are other resources available too…
Image from http://www.flickr.com/photos/71218130@N00/1412804148/
Interconnecting federations…
Solves the scaling problem
eduGAIN entities are a subset of a federation
Profiles and policies to harmonize environment
More info at http://eduGAIN.org/
[Diagram, shown twice in the slides: Your Federation next to Federation A, Federation B, Federation C and Other Federation, each containing Identity Providers (IdP), Service Providers (SP) and an MDS; numbered steps 1–3 with the labels Upstream Federation Metadata and Downstream eduGAIN Metadata; profile and policy boxes: Attributes, Terms of Use, Metadata, Web SSO, Good Practice, Constitution, eduGAIN Declaration.]
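The upstream/downstream metadata flow in the diagram, as an added example that is not the eduGAIN metadata service's own code: a federation operator copies only the entities that opted in to interfederation into the downstream feed and stamps each with the SAML metadata RegistrationInfo extension, and a consuming federation keeps only entities vouched for by a federation it knows. Entity IDs, the opt-in list and the federation URIs are constructed; the signatures real eduGAIN metadata carries are omitted.

```python
# Added example, not from the talk: how a federation operator publishes an opted-in
# subset of its upstream metadata to eduGAIN, and how a downstream consumer checks
# which federation registered each entity. The entity IDs, the opt-in list and the
# federation URI are constructed; real eduGAIN metadata is additionally signed.
import copy
import xml.etree.ElementTree as ET

MD = "urn:oasis:names:tc:SAML:2.0:metadata"
MDRPI = "urn:oasis:names:tc:SAML:metadata:rpi"   # SAML metadata registration info
ET.register_namespace("md", MD)
ET.register_namespace("mdrpi", MDRPI)

UPSTREAM_METADATA = f"""<md:EntitiesDescriptor xmlns:md="{MD}" Name="https://federation-a.example">
  <md:EntityDescriptor entityID="https://idp.uni-a.example/idp"><md:IDPSSODescriptor/></md:EntityDescriptor>
  <md:EntityDescriptor entityID="https://sp.library.example/shibboleth"><md:SPSSODescriptor/></md:EntityDescriptor>
  <md:EntityDescriptor entityID="https://sp.internal.uni-a.example/sp"><md:SPSSODescriptor/></md:EntityDescriptor>
</md:EntitiesDescriptor>"""

def export_to_edugain(upstream_xml, registration_authority, opted_in):
    """Build the downstream eduGAIN feed: only entities on the opt-in list are copied,
    each stamped with mdrpi:RegistrationInfo naming the federation that vouches for it."""
    upstream = ET.fromstring(upstream_xml)
    downstream = ET.Element(f"{{{MD}}}EntitiesDescriptor", Name="https://edugain.example/feed")
    for entity in upstream.findall(f"{{{MD}}}EntityDescriptor"):
        if entity.get("entityID") not in opted_in:
            continue                                   # interfederation is opt-in
        entity = copy.deepcopy(entity)
        ext = entity.find(f"{{{MD}}}Extensions")
        if ext is None:                                # Extensions must be the first child
            ext = ET.Element(f"{{{MD}}}Extensions")
            entity.insert(0, ext)
        if ext.find(f"{{{MDRPI}}}RegistrationInfo") is None:
            ET.SubElement(ext, f"{{{MDRPI}}}RegistrationInfo",
                          registrationAuthority=registration_authority)
        downstream.append(entity)
    return ET.tostring(downstream, encoding="unicode")

def registered_by(downstream_xml):
    """Consumer side: map each entityID to the registrationAuthority that vouches for it."""
    root = ET.fromstring(downstream_xml)
    result = {}
    for entity in root.findall(f"{{{MD}}}EntityDescriptor"):
        info = entity.find(f"{{{MD}}}Extensions/{{{MDRPI}}}RegistrationInfo")
        result[entity.get("entityID")] = info.get("registrationAuthority") if info is not None else None
    return result

def trusted_entities(downstream_xml, known_authorities):
    """Keep only entities registered by a federation that signed the eduGAIN declaration."""
    return {e for e, ra in registered_by(downstream_xml).items() if ra in known_authorities}
```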
eduGAIN status (in numbers)
15 participant federations
2 candidate federations & 2 pilot participants
7 European federations not participating
AT, DK, EE, IE, PT, SI, UK
8 federations not participating
AU, CL, CN, IN, JP, NZ, OM, US
14 GN3 Partners without a federation (18 GN3+)
More services require a trade-off…

eduroam                                      | Identity Federation/eduGAIN
Decentralised identity                       | Decentralised identity
Secure alternative to splash-screen portals  | Secure alternative to central auth or guest services
Privacy Preserving                           | Can be privacy preserving
Consistent Brand                             | Brand Differentiation
1 service (Network Access)                   | Multiple Services (Web)
Consistent user experience                   | Multiple Interfaces (Web)
Minimal User Information                     | Rich Attribute AuthNZ
Interfederation by default                   | Interfederation by opt-in
linkedin.com/in/brookschofield facebook.com/brook.schofield skype://brookschofield [email protected] @BrookSchofield +31651553991