fim-ig federated identity management interest group
TRANSCRIPT
FIM-igFederated Identity Management
Interest Group
2
Introduction FIM, what is it what should it do. A short overview including FIM4R activities
Stakeholders, who is here, what are their interests? What is or should be within the IG scope? Specific topics within FIM, priorities for our group. How to organize ourselves further.
Agenda
3
Purpose: Allow access to distributed services with a single set of
credentials Maintained at the user’s (trusted) home organization
Single Sign-on
Why? Economic advantages
Scaling Separate domains of responsibility
Convenience Existing organizational infrastructure for research &
education: National Identity Federations etc.
Federated Identity
4Federations
FederationExternalLocal
DB
HTTP
HTTP
HTTP
LDAP LDAP LDAP
SAML(HTTP)
DB
DB
IDP
SP
B
SP
B B
SP
HTTP
From a local user store to a federation…
5Federations
FederationExternalLocal
DB
HTTP
HTTP
HTTP
LDAP LDAP LDAP
SAML(HTTP)
DB
DB
IDP
SP
B
SP
B B
SP
HTTP
From a local user store to a federation…
IDPIDP
IDP
DBDB
DB
RDB
SP
B
SAML(HTTP)
6
Federation
IDP
SP
IDP
IDP
IDP
SP
IDP
SP
W
Federation Operator A formal agreement:
Privacy issues Traceability Agreement on user
attributes exchange Agreement on attribute
semantics Common Attribute set
definition …
Exchange method for (federation) metadata
What makes a Federation?
FO
Federations
7
Federation A
IDP
SP
IDP
IDP
IDP
SP
IDP
SP
W
Inter Federation
FO
Federations
Federation B
IDP
SP
IDP
IDP
IDP
SP
IDP
SP
FO
IFO
8
The attributes released by the Home Organization can be used for Authorization Can be sufficient to identify ‘academic users’ or ‘affiliation’ So allow students of ‘University X’ access to ‘Library Y’
However more complicated cases are difficult: Organizational distance between IdP and SP inhibits having very
specific attributes such as: User A signed ‘license B’ and is a member of ‘Organization X’
There is eduPersonEntitlement, but the scope of use is limited Better use ‘external’ community specific attribute providers that can
hold such specific attributes
User authentication and identification is already a worthwhile cause
FIM for Authorization
9
Sharing data with non-academic users Homeless Identity Provider operated by specific
communities Allowing access with social network accounts What are the consequences
Level of assurance Federation operators ?
Homeless users
10
IN EU, several research communities saw the potential of FIM and have been experimenting and using FIM But not in a unified approach, Unification and coordination came mostly from FIM service providers
as the national academic federation providers While technology and organizational structure is still maturing and in
need of steering Common needs should be communicated to FIM providers, funding
agencies etc.
So FIM4R initiative as an initiative of the research communities to find commonalities in FIM requirements and discuss with the stakeholders and produce recommendations
FIM for Research (FIM4R) initiative
11
Communities Involved: High Energy Physics, Life Sciences, SSH, European Neutron Photon facilities, Earth Sciences
Had now six FIM4R workshops organized by different communities: CERN in June 2011, RAL in November 2011, Taipei in February 2012, MPI-PL in June 2012, PSI in March 2013, CSC in Oct 2013
As a result of these workshops, a common vision for FIM across the research collaborations has emerged along with the desire to see this implemented with a roadmap and a set of recommendations.
FIM for Research (FIM4R) initiative
12
Need for a common policy and trust framework for Identity Management based on existing structures and federations either presently in use by or available to the communities. This framework must provide researchers with unique electronic identities authenticated in multiple administrative domains and across national boundaries that can be used together with community defined attributes to authorize access to digital resources.
The necessary brevity of the vision statement had us skip some issues, but it is relatively complete
Common Vision for FIM
13
Non exhaustive list of problems the communities need solved Non-browser based application support Multi-tier delegation for Web Services Generation of (short-lived) X509 certificates Lacking attribute release by IdPs
Within the academic federations themselves Between federations i.e. eduGAIN inter-federation
Need different Levels of Assurance (LoA) to cater for different sensitive data levels
User friendly solutions: Homeless IdP, Discovery Services, … Community specific attributes Unique persistent user identification Cater for citizen scientists (homeless IdP, Social networks)
Community perceived FIM problems from FIM4R discussions
14
Recommendations to the research communities Pragmatic Risk Analysis from the RI viewpoint Pilot studies to explore further requirements and provide feedback on
technologies and service providers
Recommendations to technology providers Separation of Authentication and Authorization Credential revocation Attribute delegation to the research community More levels of security
Recommendations to funding agencies Funding for FIM technologies that are focused on solving the described
issues
Recommendations
15
Hope to catch a wider, global audience More facilities to have a continuous interaction Perhaps create an umbrella for other also non-RDA
related FIM activities Possibility to create WGs on specific topics within the
FIM IG Interaction with other groups:
DFT User Identification, ORCID …
Why a FIM Interest Group next to FIM4R?
16
As Research Communities, ESFRI Research Infrastructures have also identified FIM as a key common point:Paper: “Realising the full potential of research data: common challenges in data management, sharing and integration across scientific disciplines”
https://zenodo.org/record/7636
ESFRI Research Infrastructures
17
Research Communities FIM Service providers
Federation operators FIM Software developers ?
Funding Industry
Stakeholders in FIM, who is here?
18
No exclusions?
Specific topics: User attributes: release policy, attribute sets Security levels Scenarios needing connection to other technologies:
OpenID (Connect) OAUTH X509 Non-browser tools
Organizational/management issues Federation as a service
What should be in the FIM ig scope, what are priorities
19
Documentation gathering Prioritising areas of investigation and building a
roadmap to produce results
How to organize ourselves further.
Thank You