Federated Identity, Accessing World-Wide Services with your Campus Id

Innovation through participation Federated Identity, Accessing World-Wide Services with your Campus Id Brook Schofield Project Development Officer, TERENA [email protected] 27 September 2012, edutic Chile


Transcript of Federated Identity, Accessing World-Wide Services with your Campus Id

Page 1: Federated Identity, Accessing World-Wide Services with your Campus Id

Innovation through participation

Federated Identity, Accessing World-Wide Services with your Campus Id

Brook Schofield

Project Development Officer, TERENA

[email protected]

27 September 2012, edutic Chile

Page 2

About me…

Brook Schofield mailto:[email protected]
skype://brookschofield
tel:+31651553991
http://terena.org/~schofield
linkedin.com/in/brookschofield

Australian living in The Netherlands. Grew up on the island state of Tasmania (named after a Dutchman). Task Leader in the GN3 Project for eduGAIN. Secretary of the Global eduroam Governance Committee.

Page 3

Campus Identity Management

• Bad old days – Islands of Identity
  – Email System, File Server, Student Enrolment, Library Catalogue
  – Often run by different divisions
• Good old days – LDAP for everything! (or most things)
  – Centralisation of services under a single unit
• Future – Services are outside your campus

Page 4

Accessing International Resources

• Freely available to all - Wikipedia
• IP Address Authorisation
  – Library Journals and Databases
  – Reverse Proxy or VPN to simulate “on campus”
  – User confusion, Library Portal vs Google Search
• Personal Subscriptions/Payment
  – Negates community purchasing power
• Guest Access Required
  – Another account, poor password choices or reuse
  – User mobility

Page 5

A family of federated services

Page 6

eduroam: 10 years of development …now available in Chile

Page 7

Promotional video (available in Spanish)

Page 8

Two (2) options explored …and rejected

• VPN – Open WiFi
  – Route traffic back to your home organisation via VPN
    • Benefit that “internet” traffic was from the home institution
  – Access Control is problematic
    • You don’t really know who is using it (just that they have a VPN)
• Web Redirect / Splash-screen Portal
  – Popular at airports, cafés and hotels
  – No “over the air” security

Page 9

The solution: eduroam

• Trust based on national policy
• Security based on 802.1X/RADIUS
• VLAN assignment to separate users

[Diagram: eduroam authentication path. A user with identity [email protected] connects to the WiFi Access Point of the visited university (University B); its RADIUS server forwards the request via the NREN Central RADIUS Proxy server to the home university's RADIUS server (University A) and its User DB. Signaling and data paths are drawn separately, and users are placed on the Visitor VLAN, Student VLAN or Employee VLAN.]
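The RADIUS hierarchy on this slide, modelled in Python as an added example (not eduroam's or any vendor's code): a campus server authenticates its own realm against the local User DB, hands every other realm to the NREN proxy, which routes by realm to the home institution, and the visited campus places an accepted visitor on the Visitor VLAN. All realms, users, credentials, server names and VLAN numbers below are constructed assumptions.

```python
"""Simplified model of the eduroam RADIUS hierarchy on the slide. Added
illustration only, not eduroam's or any vendor's code; every realm, user,
credential, server name and VLAN number here is constructed."""

from dataclasses import dataclass
from typing import Dict, Optional, Tuple

# Constructed User DBs, keyed by home RADIUS server. Each record holds the
# credential the home server checks and the user's affiliation.
HOME_SERVERS: Dict[str, Dict[str, Dict[str, str]]] = {
    "radius.uni-a.example": {
        "alice": {"credential": "correct horse", "affiliation": "student"},
        "bob": {"credential": "battery staple", "affiliation": "employee"},
    },
    "radius.uni-b.example": {
        "carol": {"credential": "staple battery", "affiliation": "student"},
    },
}

# Constructed NREN routing table: realm -> home RADIUS server.
NREN_ROUTES: Dict[str, str] = {
    "uni-a.example": "radius.uni-a.example",
    "uni-b.example": "radius.uni-b.example",
}

# Constructed VLAN plan following the slide's three VLANs: home users are
# separated by affiliation, every visitor lands on the Visitor VLAN.
VLAN_BY_AFFILIATION = {"student": 20, "employee": 10}
VISITOR_VLAN = 30


@dataclass
class Decision:
    accepted: bool
    vlan: Optional[int] = None
    forwarded_to: Optional[str] = None
    reason: str = ""


def split_nai(identity: str) -> Optional[Tuple[str, str]]:
    """Split a 'user@realm' identity into (user, realm). Anything without
    exactly one '@' and a non-empty user and realm is rejected up front:
    without a realm there is nothing to route on."""
    if identity.count("@") != 1:
        return None
    user, realm = identity.split("@")
    if not user or not realm:
        return None
    return user, realm.lower()


def home_authenticate(server: str, user: str, credential: str) -> Optional[str]:
    """The home RADIUS server: verify the credential against its own User DB
    and return the affiliation, or None on failure. In real eduroam the
    credential travels inside an EAP tunnel that only the home server
    terminates; visited site and proxies relay RADIUS packets and only see
    the final Access-Accept or Access-Reject."""
    record = HOME_SERVERS.get(server, {}).get(user)
    if record is None or record["credential"] != credential:
        return None
    return record["affiliation"]


def nren_proxy(realm: str) -> Optional[str]:
    """The national proxy: resolve a realm to its home server, None if unknown.
    Unknown realms are rejected here instead of being forwarded further."""
    return NREN_ROUTES.get(realm)


def campus_radius(local_realm: str, identity: str, credential: str) -> Decision:
    """The campus RADIUS server serving realm `local_realm`."""
    nai = split_nai(identity)
    if nai is None:
        return Decision(False, reason="malformed identity: no realm to route on")
    user, realm = nai
    if realm == local_realm:
        # Own user: check locally, never forward (no loop through the NREN).
        affiliation = home_authenticate(NREN_ROUTES[local_realm], user, credential)
        if affiliation is None:
            return Decision(False, reason="local authentication failed")
        return Decision(True, vlan=VLAN_BY_AFFILIATION[affiliation])
    # Visitor: the campus never consults a foreign User DB itself.
    home = nren_proxy(realm)
    if home is None:
        return Decision(False, reason=f"no route for realm {realm}")
    if home_authenticate(home, user, credential) is None:
        return Decision(False, forwarded_to=home, reason="home institution rejected")
    return Decision(True, vlan=VISITOR_VLAN, forwarded_to=home)


if __name__ == "__main__":
    for ident, cred in [("alice@uni-a.example", "correct horse"),
                        ("carol@uni-b.example", "staple battery"),
                        ("dave@nowhere.example", "x"), ("eve", "x")]:
        print(ident, campus_radius("uni-a.example", ident, cred))
```

The property worth noticing is that the visited campus never holds or verifies a visitor's credential; it relays the exchange and acts on the Accept or Reject, which is what lets it grant network access to someone whose identity it has never seen. Realms are normalised and identities without a realm are refused at the edge, so a malformed request cannot wander through the proxy chain.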

Page 10

Page 11

Page 12

Eduroam Benefits

• Builds on your existing campus wifi

– Not new equipment – just new configuration

• Use eduroam @ home

– Only 1 campus wifi network for all!

• No guest accounts

– Helpdesk + identity verification is expensive

• Improved support services in development

– Global improvements benefit your campus

Page 13

Identity Federation Technologies

Page 15

• 34 Federations
• 2114 IdPs …and Virtual IdPs (Denmark, Norway & Croatia are 1 IdP)
• 3434 SPs

Page 17

Federation Interoperability

wayf.dk

Page 18

Federation Login Workflow

Page 19

simpleSAMLphp
• PHP (is an IdP, SP and Bridge)
• Multi-lingual support
• Linux, Windows or Mac

Shibboleth
• IdP is Java (Apache Tomcat)
• SP is C (Apache + IIS Support)

Both are free software. They are interoperable with each other.

Connect your campus services…

Page 20

Benefits of Federated Login

Chicken & Egg: Identity Providers with People, Service Providers with Resources

How can I be an identity provider?
• Do you have information on people?
• Choose some software…
• Success!

What about service providers?
• REUNA/COFRE is in talks with publishers
• There are other resources available too…

Image from http://www.flickr.com/photos/71218130@N00/1412804148/

Page 21

connect • communicate • collaborate

Interconnecting federations…

• Solves the scaling problem
• eduGAIN entities are a subset of a federation
• Profiles and policies to harmonize environment
• More info at http://eduGAIN.org/

[Diagram, appearing twice in the original: Your Federation, Federation A, Federation B, Federation C and Other Federation, each holding Identity Providers (IdP) and Service Providers (SP). Numbered steps 1–3 show Upstream Federation Metadata flowing from each federation to the eduGAIN MDS and Downstream eduGAIN Metadata flowing back. Surrounding eduGAIN building blocks: Attributes, Terms of Use, Metadata, Web SSO, Good Practice, Constitution, eduGAIN Declaration.]
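The upstream/downstream metadata flow of the diagram, as an added Python example that is not eduGAIN's own tooling: two constructed federations publish SAML metadata, a simplified Metadata Service keeps only the entities each federation has opted in to export (so the eduGAIN set is a subset of the federation), refuses an entityID a second federation tries to register, and stamps the aggregate with a validUntil that consumers check before trusting it. Federation names, entityIDs, export lists and the first-registration-wins policy are assumptions of this example; the XML signature that real eduGAIN metadata carries is omitted.

```python
"""Simplified model of the eduGAIN metadata flow on the slide. Added
illustration, not eduGAIN's tooling; federation names, entityIDs and opt-in
lists are constructed, and metadata signing/verification is left out."""

import xml.etree.ElementTree as ET
from datetime import datetime, timedelta, timezone
from typing import Dict, List, Optional, Set, Tuple

MD = "urn:oasis:names:tc:SAML:2.0:metadata"
NS = {"md": MD}
ET.register_namespace("md", MD)
TIME_FMT = "%Y-%m-%dT%H:%M:%SZ"
PROTO = "urn:oasis:names:tc:SAML:2.0:protocol"

# Constructed upstream metadata of two hypothetical federations.
FEDERATION_A = f"""<md:EntitiesDescriptor xmlns:md="{MD}" Name="fed-a.example">
  <md:EntityDescriptor entityID="https://idp.uni-a.example/idp">
    <md:IDPSSODescriptor protocolSupportEnumeration="{PROTO}"/>
  </md:EntityDescriptor>
  <md:EntityDescriptor entityID="https://sp.lib-a.example/sp">
    <md:SPSSODescriptor protocolSupportEnumeration="{PROTO}"/>
  </md:EntityDescriptor>
  <md:EntityDescriptor entityID="https://sp.intranet-a.example/sp">
    <md:SPSSODescriptor protocolSupportEnumeration="{PROTO}"/>
  </md:EntityDescriptor>
</md:EntitiesDescriptor>"""

FEDERATION_B = f"""<md:EntitiesDescriptor xmlns:md="{MD}" Name="fed-b.example">
  <md:EntityDescriptor entityID="https://idp.uni-b.example/idp">
    <md:IDPSSODescriptor protocolSupportEnumeration="{PROTO}"/>
  </md:EntityDescriptor>
  <md:EntityDescriptor entityID="https://sp.lib-a.example/sp">
    <md:SPSSODescriptor protocolSupportEnumeration="{PROTO}"/>
  </md:EntityDescriptor>
</md:EntitiesDescriptor>"""

# Constructed opt-in lists: the exported entities are a subset of each
# federation (fed-a's intranet SP is deliberately not exported), and fed-b
# wrongly claims an entityID that belongs to fed-a.
EXPORT: Dict[str, Set[str]] = {
    "fed-a.example": {"https://idp.uni-a.example/idp", "https://sp.lib-a.example/sp"},
    "fed-b.example": {"https://idp.uni-b.example/idp", "https://sp.lib-a.example/sp"},
}


def parse_time(value: str) -> datetime:
    """Parse the UTC timestamp format used for validUntil in this example."""
    return datetime.strptime(value, TIME_FMT).replace(tzinfo=timezone.utc)


def exported_entities(upstream_xml: str, allow: Set[str]) -> List[ET.Element]:
    """Parse one federation's upstream metadata, keep only opted-in entities."""
    root = ET.fromstring(upstream_xml)
    return [e for e in root.findall("md:EntityDescriptor", NS) if e.get("entityID") in allow]


def aggregate(upstreams: Dict[str, str], export: Dict[str, Set[str]],
              now: Optional[datetime] = None, valid_hours: int = 24) -> Tuple[ET.Element, List[str]]:
    """The MDS step: merge exported entities into one downstream aggregate.
    An entityID must be unique in the aggregate; a federation claiming an
    entityID already registered by another is reported and skipped (first
    registration wins, which is this example's policy)."""
    now = now or datetime.now(timezone.utc)
    valid_until = (now + timedelta(hours=valid_hours)).strftime(TIME_FMT)
    out = ET.Element(f"{{{MD}}}EntitiesDescriptor",
                     {"Name": "edugain-mds.example", "validUntil": valid_until})
    registered: Dict[str, str] = {}
    conflicts: List[str] = []
    for federation, xml in upstreams.items():
        for entity in exported_entities(xml, export.get(federation, set())):
            entity_id = entity.get("entityID")
            if entity_id in registered:
                conflicts.append(f"{entity_id} from {federation} already registered by {registered[entity_id]}")
                continue
            registered[entity_id] = federation
            out.append(entity)
    return out, conflicts


def entity_ids(aggregate_el: ET.Element) -> List[str]:
    return [e.get("entityID") for e in aggregate_el.findall("md:EntityDescriptor", NS)]


def is_current(aggregate_el: ET.Element, now: datetime) -> bool:
    """Consumer-side check: an aggregate past its validUntil must not be
    trusted, since it may still list entities that have been withdrawn."""
    return now < parse_time(aggregate_el.get("validUntil"))


def render(aggregate_el: ET.Element) -> str:
    return ET.tostring(aggregate_el, encoding="unicode")


if __name__ == "__main__":
    agg, problems = aggregate({"fed-a.example": FEDERATION_A, "fed-b.example": FEDERATION_B}, EXPORT)
    print(render(agg))
    for p in problems:
        print("conflict:", p)
```

A consuming IdP or SP should verify the aggregate's signature before parsing it and discard it once validUntil has passed, so a stale copy cannot keep a withdrawn entity trusted; the opt-in lists are what keep the exported set a subset of the home federation rather than a mirror of it.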

Page 22

eduGAIN status (in numbers)

• 15 participant federations
• 2 candidate federations & 2 pilot participants
• 7 European federations not participating: AT, DK, EE, IE, PT, SI, UK
• 8 federations not participating: AU, CL, CN, IN, JP, NZ, OM, US
• 14 GN3 Partners without a federation (18 GN3+)

Page 23

More services require a trade-off…

eduroam                                     | Identity Federation/eduGAIN
--------------------------------------------|----------------------------------------------------
Decentralised identity                      | Decentralised identity
Secure alternative to splash screen portals | Secure alternative to central auth or guest services
Privacy Preserving                          | Can be privacy preserving
Consistent Brand                            | Brand Differentiation
1 service (Network Access)                  | Multiple Services (Web)
Consistent user experience                  | Multiple Interfaces (Web)
Minimal User Information                    | Rich Attribute AuthNZ
Interfederation by default                  | Interfederation by opt-in

Page 24

linkedin.com/in/brookschofield facebook.com/brook.schofield skype://brookschofield [email protected] @BrookSchofield +31651553991