Stuff, including interfederation stuff Dr Ken Klingenstein, Director, Middleware and Security,...

Post on 16-Jan-2016


Stuff, including interfederation stuff

Dr Ken Klingenstein,

Director, Middleware and Security, Internet2

kjk@internet2.edu

Topics

• InCommon Growth

• ISOC and Attributes

• NSTIC (and FICAM)

• Interfederation

• Federation Risk Assessment

• Gap Analysis


Growth


ISOC and Attribute Infrastructure

• Workshop held March 12, 2012 in DC as follow-up to workshop in Amsterdam in December.

• Outcomes include

• Planning for attribute registries

• Name space registries

• Good attribute design principles document

• Attributes of attributes

• Quality (LOA) of attributes

• Managing the marketplace


NSTIC and FICAM

• NSTIC is an initiative, intended to foster the Identity Ecosystem and the US Government’s participation in it.

• Works with agencies, IdPs, standards and advocacy groups, etc.

• Pilot programs this fall

• FICAM is an operational service, setting standards (LOA, privacy, etc) and certifying compliance


Interfederation

• The use cases

• The theory and the practice

• Gap analysis


The use cases

• Between R&E feds (contacts in Turkey, Middle East and India urgently needed)

• Between .gov fed and InCommon

• With K-12 fed

• With OIX fed


Theory and practice

• In theory, there is no difference between practice and theory; in practice there is.

• Interfederation has several steps

• Ad hoc interfeds today and soon

• PEER to exchange metadata

• True interfederation


Federation Manager Risk Assessment

• Assesses risks in the full metadata process

• Internal ops

• Vetting of enterprise

• Security of metadata supply chain in organization

• Authentication

• Delegation

• https://spaces.internet2.edu/display/InCCollaborate/Federation+Manager+Authentication+Risk+Assessment

• Immediate consequence: 2FA for metadata submission


Buckets of interfed issues

• Exchange of metadata

• Policy alignment

• Alignment of payloads (attributes)

• Operational issues


Short-term and long-term

• A few high-level distinctions between the short-term and long-term approaches to meeting these needs:

• Short-term, the flow of metadata for interfederation and the flow of trust in the values being asserted in the metadata are the same – member to federation to another federation to its members. Long-term, the flow of metadata and the flow of trust in the values within the metadata may diverge, allowing an ecosystem of other “vetters” of application or end-entity characteristics.

• Short-term, a limited set of widely used attributes (eduPerson, SCHAC) enables almost all essential needs. Long-term, richer attributes will require some mapping approaches, as well as interfederation coordination of names, identifiers, etc.

• Short-term, almost all operational aspects are handled on a case by case basis. Long-term, operational standards will be needed for effective use and best practices.


Alignment of policies to enable trust in the metadata being exchanged

• How the federation manages verification of both the organizations and their (perhaps delegated) authorized submitters (the FOP)

• How does the federation manage verification of other richer end-entity attributes it asserts, such as classification of applications (e.g. R&S), recommended attribute release policies, etc.

• How the federation operates, in terms of signing metadata approaches, legal status, etc.

• Aligning the LOA at basic and higher levels for authentication

• Aligning the relationships between IdP and SP when they are not in the same federation

• Direct contracts should govern where applicable

• If the contractual flow is member to fed, and then across interfed to an SP in another…
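The two slides above (the short-term flow of metadata and trust "member to federation to another federation to its members", and the policy alignment that lets a federation trust the registrar and entity categories such as R&S asserted in exchanged metadata) can be made concrete as a small filter that an IdP-side federation operator might run over an aggregate received from a peer federation. This is an added example, not Internet2 or InCommon code. It assumes the standard MDRPI `registrationAuthority` extension and the macedir entity-category attribute as the carriers of provenance and classification, and it assumes a hypothetical interfederation agreement expressed as a set of trusted registrars; the registrar URIs, the sample aggregate and the entity IDs are constructed for the example. Signature verification of the aggregate against the peer federation's pinned signing key (e.g. with xmlsec1) is assumed to have happened before this code runs.

```python
"""Interfederation metadata filter (added example; not InCommon/Internet2 code).

Given a signed-and-verified SAML metadata aggregate from a peer federation:
1. reject the whole aggregate once validUntil has passed (stale metadata is the
   simplest metadata supply-chain failure after a bad signature);
2. keep only entities whose mdrpi:RegistrationInfo names a registrar we have an
   interfederation agreement with (policy alignment on vetting);
3. derive the attribute bundle to release to each SP from the entity category
   the registering federation asserts (alignment of payloads).
"""
from datetime import datetime, timezone
import xml.etree.ElementTree as ET

NS = {
    "md": "urn:oasis:names:tc:SAML:2.0:metadata",
    "mdrpi": "urn:oasis:names:tc:SAML:metadata:rpi",
    "mdattr": "urn:oasis:names:tc:SAML:metadata:attribute",
    "saml": "urn:oasis:names:tc:SAML:2.0:assertion",
}
ENTITY_CATEGORY = "http://macedir.org/entity-category"
# Assumed: the REFEDS R&S category URI and its bundle; check against the
# current category specification before deploying.
RS_CATEGORY = "http://refeds.org/category/research-and-scholarship"
RS_BUNDLE = ("eduPersonPrincipalName", "mail", "displayName", "givenName",
             "sn", "eduPersonScopedAffiliation")
# Hypothetical interfederation agreement: registrars whose vetting we accept.
TRUSTED_REGISTRARS = {"https://incommon.org", "http://ukfederation.org.uk"}

# Constructed sample aggregate (not real federation metadata).
SAMPLE_AGGREGATE = """<md:EntitiesDescriptor
    xmlns:md="urn:oasis:names:tc:SAML:2.0:metadata"
    xmlns:mdrpi="urn:oasis:names:tc:SAML:metadata:rpi"
    xmlns:mdattr="urn:oasis:names:tc:SAML:metadata:attribute"
    xmlns:saml="urn:oasis:names:tc:SAML:2.0:assertion"
    Name="urn:example:interfed-aggregate" validUntil="2016-01-23T00:00:00Z">
  <md:EntityDescriptor entityID="https://sp.example.edu/shibboleth">
    <md:Extensions>
      <mdrpi:RegistrationInfo registrationAuthority="https://incommon.org"/>
      <mdattr:EntityAttributes>
        <saml:Attribute Name="http://macedir.org/entity-category"
            NameFormat="urn:oasis:names:tc:SAML:2.0:attrname-format:uri">
          <saml:AttributeValue>http://refeds.org/category/research-and-scholarship</saml:AttributeValue>
        </saml:Attribute>
      </mdattr:EntityAttributes>
    </md:Extensions>
    <md:SPSSODescriptor protocolSupportEnumeration="urn:oasis:names:tc:SAML:2.0:protocol"/>
  </md:EntityDescriptor>
  <md:EntityDescriptor entityID="https://sp.other.example.ac.uk/shibboleth">
    <md:Extensions>
      <mdrpi:RegistrationInfo registrationAuthority="http://ukfederation.org.uk"/>
    </md:Extensions>
    <md:SPSSODescriptor protocolSupportEnumeration="urn:oasis:names:tc:SAML:2.0:protocol"/>
  </md:EntityDescriptor>
  <md:EntityDescriptor entityID="https://sp.unknown-fed.example/sp">
    <md:Extensions>
      <mdrpi:RegistrationInfo registrationAuthority="https://fed.unknown.example"/>
    </md:Extensions>
    <md:SPSSODescriptor protocolSupportEnumeration="urn:oasis:names:tc:SAML:2.0:protocol"/>
  </md:EntityDescriptor>
  <md:EntityDescriptor entityID="https://sp.noregistrar.example/sp">
    <md:SPSSODescriptor protocolSupportEnumeration="urn:oasis:names:tc:SAML:2.0:protocol"/>
  </md:EntityDescriptor>
</md:EntitiesDescriptor>"""


def parse_aggregate(xml_text, now):
    """Parse the aggregate and refuse it if it has no validUntil or has expired."""
    root = ET.fromstring(xml_text)
    valid_until = root.get("validUntil")
    if valid_until is None:
        raise ValueError("aggregate carries no validUntil; refusing to use it")
    expiry = datetime.strptime(valid_until, "%Y-%m-%dT%H:%M:%SZ").replace(tzinfo=timezone.utc)
    if now >= expiry:
        raise ValueError("aggregate expired at %s" % valid_until)
    return root


def registrar(entity):
    """Return the registrationAuthority asserted for an entity, or None."""
    info = entity.find("md:Extensions/mdrpi:RegistrationInfo", NS)
    return None if info is None else info.get("registrationAuthority")


def entity_categories(entity):
    """Collect the entity-category values asserted by the registering federation."""
    cats = set()
    for attr in entity.findall("md:Extensions/mdattr:EntityAttributes/saml:Attribute", NS):
        if attr.get("Name") == ENTITY_CATEGORY:
            cats.update(v.text.strip() for v in attr.findall("saml:AttributeValue", NS) if v.text)
    return cats


def release_policy(xml_text, now):
    """Map each SP entityID to the attribute bundle to release, or to a rejection reason."""
    accepted, rejected = {}, {}
    for entity in parse_aggregate(xml_text, now).findall("md:EntityDescriptor", NS):
        entity_id = entity.get("entityID")
        reg = registrar(entity)
        if reg is None:
            rejected[entity_id] = "no mdrpi:RegistrationInfo; provenance unknown"
        elif reg not in TRUSTED_REGISTRARS:
            rejected[entity_id] = "registrar %s not covered by interfederation agreement" % reg
        else:
            # Trusted registrar: release the R&S bundle only if it asserted the
            # category; otherwise default-deny and leave it to direct contracts.
            accepted[entity_id] = RS_BUNDLE if RS_CATEGORY in entity_categories(entity) else ()
    return {"accepted": accepted, "rejected": rejected}


if __name__ == "__main__":
    for key, value in release_policy(SAMPLE_AGGREGATE, datetime(2016, 1, 16, tzinfo=timezone.utc)).items():
        print(key, value)
```

The filter deliberately trusts only what the registering federation asserts (its `registrationAuthority` and the entity categories it attaches), which is the short-term model on the slide where trust flows along the same path as the metadata; a long-term design with independent vetters would add further signed attribute sources rather than accept categories embedded by the aggregator.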


Interfed gap analysis

• Technical

• Interfed discovery

• Metadata sharing

• Aligned attribute bundles

• Policy