Identity Federation Policy

Marina Vermezović, AMRES

Federated Identity Technology Workshop

Sofia, Bulgaria, 20. Jun 2014.

Connect | Communicate | Collaborate

Identity Federation

Identity federation enables campus authentication systems to integrate with a wide variety of services on campus, between campuses in a country and beyond

Supports different technologies

RADIUS

Moonshot


Identity Federation

Technology can be straightforward, but what about

Enabling an Identity federation demands a formalized policy


European Identity Federations: the Evolution

Identity federations started emerging 10 years ago, and today approximately half of European countries have deployed a WebSSO Identity federation

Significant knowledge and experience have been gathered through the operation of those Identity federations

Identity federation communities such as REFEDS enabled the exchange of knowledge and addressed the common issues

Existing Identity federation policies have evolved based on local needs

European Identity Federations: the Evolution

The “Federation Policy Best Practice Approach” and “Federation Policy Mapping” analyses were performed by REFEDS


Identity Federation Policy Template

The eduGAIN GN3 task supported the creation of the Identity Federation Policy Template document

http://www.terena.org/activities/eurocamp/oct12/programme1.html

Gathered experience from existing Identity Federations on what to put in a Policy, and what not to put in it

Based on the Swedish Identity Federation (SWAMID) policy

The policy template is easy to adapt to local conditions

Existing federations can use it if they want to change or update their existing policies


Allow multiple technologies

The Identity federation Policy should cover all of these and allow new technologies to be added in future

Organizations join the Identity federation only once and then pick which federation services they want to implement

Identity Federation: eduroam, WebSSO, Moonshot

Make the Policy in such a way that it allows multiple technologies to be served using the same policy structure

Make it resistant (as far as possible) to changes

Make the Policy document in such a way as to avoid the need for repeated changes

Definitions that fall into the changeable category should be put elsewhere, e.g. on the federation website or in an appendix

Find the right balance:

Do not over specify

Do not leave out important stuff


Make future changes easy

The Policy will keep evolving, and to a certain degree changes will happen. Make the procedure for changing the policy as lightweight as possible

An important issue that affects how easily a policy can be changed is what members sign when they join the Identity federation:

• Member fills in a separate form agreeing to be bound by the Policy document

• Member signs a copy of the actual policy (there are placeholders for signatures at the end of the policy document)

Identity Federation Policy: document suite

Identity Federation Policy document

Identity Federation Policy (main)

Appendices

Technology Profile eduroam

Technology Profile Web single sign-on

Level of Assurance Profiles

Data Protection Profile

Federation Operational Practices

Appendix Governance

Appendix Fees

Identity Federation Policy Template: Sections

Definitions and Terminology

Introduction

Governance and Roles

• Governance
• Obligations and Rights of Federation Operator
• Obligations and Rights of Federation Members

Eligibility

Procedures

• How to Join
• How to Withdraw

Legal conditions of use

• Termination
• Liability and indemnification
• Jurisdiction and dispute resolution
• Interfederation
• Amendment

Eligibility

Defines which organizations are eligible to become a Member of your Federation, and which Members are eligible to act as a Home Organization

Depending on your country's regulations for the education and research sector and on administrative/political circumstances, you should define which organizations are eligible to become a Member of your federation.

However, as the eligibility criteria are something you may want to adapt and change over time, it is best to keep this section very short and publish the eligibility criteria in some other place; this could simply be the website, or a separate appendix.

Governance of the federation

The Federation should have a governing body which has advisory, decision or other rights on certain federation issues.

The structure and election process for the governing body fall into the changeable category and should be specified elsewhere, e.g. in an appendix

The structure will probably depend heavily on your local circumstances, and on how the federation is established and funded

Rights appointed to the governing body, advisory vs. deciding:

Criteria for membership of the Federation

Revoking the membership of a Federation Member

Entering into interfederation agreement

Formal ties with relevant national and international organisations

Approving changes to the Federation Policy

...

Obligations and Rights of Federation Operator

It is very important to clearly define what the obligations and rights of the Federation Operator are

Obligations boost the Members' trust in the Federation Operator, e.g.:

Secure and trustworthy operational management of the federation

Providing support services for Federation Members

Maintaining relationships with national and international stakeholders in the area of Identity Federations

Promoting the idea and concepts implemented in the Federation

The Federation Operator should keep certain rights, e.g.:

temporarily suspend a Member who is in breach of the policy

publish some data about Federation Members

Obligations and Rights of Federation Members

For mutual trust between Federation Members, it is important to clearly define their obligations and rights

There can be three types of Federation Members:

Home Organization

Attribute Authority

Service Provider

Some obligations and rights are the same, but some differ!

Obligations and Rights of Federation Members - ALL

Must cooperate with the Federation Operator and other Members in resolving incidents and should report incidents

Must comply with the obligations of the Technology Profiles which it implements

Must ensure its IT systems that are used in implemented Technology Profiles are operated securely

Must pay the fees. Prices and payment terms are specified in the Fees appendix

If a Federation Member processes personal data, the Federation Member will be subject to applicable data protection laws and must follow the practice presented in the Data Protection Profile

Obligations and Rights of Federation Members – HO

Is responsible for delivering and managing authentication credentials for its End Users and for authenticating them, as may be further specified in Level of Assurance Profiles

Submits its Identity Management Practice Statement to the Federation Operator

Ensures that an End User is committed to the Home Organization's Acceptable Usage Policy

Operates a helpdesk for its End Users regarding issues related to Federation services

Obligations and Rights of Federation Members – AA or HO

Is responsible for assigning Attribute values to the End Users and managing the values in a way which ensures they are up-to-date

Is responsible for releasing the Attributes to Service Providers

Obligations and Rights of Federation Members - SP

Is responsible for deciding which End Users can access the services it operates and which access rights are granted to an End User

It is the Service Provider's responsibility to implement those decisions

Interfederation

Enables the federation to enter into interfederation agreements

Technical and administrative issues related to interfederation depend on the Technology Profile, and should be described there

Federation Members will interact with entities which may be bound by very different rules and laws than the Members of this Federation

A fundamental idea of interfederation is that Members are bound by their local federation policies only; if anyone has a problem with the behaviour of an entity in an interfederation, he/she should check what that entity's own Federation policy stipulates

Amendment

The procedures required to get changes to the Federation Policy implemented

Keep things simple and have the same procedure for all documents that make up the Federation Policy

Give Federation Members notification of upcoming changes well in advance, allowing for feedback and resolution of potential points of contention before the changes come into force

www.geant.net

www.twitter.com/GEANTnews | www.facebook.com/GEANTnetwork | www.youtube.com/GEANTtv


Thank you!