Stuff, including interfederation stuff. Dr Ken Klingenstein, Director, Middleware and Security, Internet2 (transcript of a 13-page slide deck)

Page 1:

Stuff, including interfederation stuff

Dr Ken Klingenstein,

Director, Middleware and Security, Internet2

Page 2:

Topics

• InCommon Growth

• ISOC and Attributes

• NSTIC (and FICAM)

• Interfederation

• Federation Risk Assessment

• Gap Analysis

Page 3:

Growth

Page 4:

ISOC and Attribute Infrastructure

• Workshop held March 12, 2012 in DC as follow-up to workshop in Amsterdam in December.

• Outcomes include

  • Planning for attribute registries

  • Name space registries

  • Good attribute design principles document

  • Attributes of attributes

  • Quality (LOA) of attributes

  • Managing the marketplace

Page 5:

NSTIC and FICAM

• NSTIC is an initiative, intended to foster the Identity Ecosystem and the US Government’s participation in it.

  • Works with agencies, IdPs, standards and advocacy groups, etc.

  • Pilot programs this fall

• FICAM is an operational service, setting standards (LOA, privacy, etc.) and certifying compliance

Page 6:

Interfederation

• The use cases

• The theory and the practice

• Gap analysis

Page 7:

The use cases

• Between R&E feds (contacts in Turkey, Middle East and India urgently needed)

• Between .gov fed and InCommon

• With K-12 fed

• With OIX fed

Page 8:

Theory and practice

• In theory, there is no difference between practice and theory; in practice there is.

• Interfederation has several steps

  • Ad hoc interfeds today and soon

  • PEER to exchange metadata

  • True interfederation

Page 9:

Federation Manager Risk Assessment

• Assesses risks in the full metadata process

  • Internal ops

  • Vetting of enterprise

  • Security of metadata supply chain in organization

  • Authentication

  • Delegation

• https://spaces.internet2.edu/display/InCCollaborate/Federation+Manager+Authentication+Risk+Assessment

• Immediate consequences in 2FA metadata submission

Page 10:

Buckets of interfed issues

• Exchange of metadata

• Policy alignment

• Alignment of payloads (attributes)

• Operational issues

Page 11:

Short-term and long-term

• A few high-level distinctions between the short-term and long-term approaches to meeting these needs:

• Short-term, the flow of metadata for interfederation and the flow of trust in the values being asserted in the metadata are the same – member to federation to another federation to its members. Long-term, the flow of metadata and the flow of trust in the values within the metadata may diverge, allowing an ecosystem of other “vetters” of application or end-entity characteristics.

• Short-term, a limited set of widely used attributes (eduPerson, SCHAC) enables almost all essential needs. Long-term, richer attributes will require some mapping approaches, as well as interfederation coordination of names, identifiers, etc.

• Short-term, almost all operational aspects are handled on a case-by-case basis. Long-term, operational standards will be needed for effective use and best practices.

Page 12:

Alignment of policies to enable trust in the metadata being exchanged

• How the federation manages verification of both the organizations and their (perhaps delegated) authorized submitters (the FOP)

• How does the federation manage verification of other richer end-entity attributes it asserts, such as classification of applications (e.g. R&S), recommended attribute release policies, etc.

• How the federation operates, in terms of signing metadata approaches, legal status, etc.

• Aligning the LOA at basic and higher levels for authentication

• Aligning the relationships between IdP and SP when they are not in the same federation

  • Direct contracts should govern where applicable

  • If the contractual flow is member to fed, and then across interfed to an SP in another…
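As an added example (not from the deck), a Python sketch of the checks an SP or federation operator would run on an aggregate received across an interfederation link, tying together the trust flow in metadata values on page 11 and the verification of end-entity attributes such as R&S on this page: the aggregate's validity window, that an asserted scoped identifier matches the scope registered for the IdP in metadata, and that the R&S attribute bundle is released only to an SP tagged as R&S. The metadata, entity IDs and attribute values are constructed; XML-signature verification of the aggregate is assumed to have been done upstream.

```python
import xml.etree.ElementTree as ET
from datetime import datetime, timezone

NS = {"md": "urn:oasis:names:tc:SAML:2.0:metadata", "shibmd": "urn:mace:shibboleth:metadata:1.0",
      "mdattr": "urn:oasis:names:tc:SAML:metadata:attribute", "saml": "urn:oasis:names:tc:SAML:2.0:assertion"}
RS_CATEGORY = "http://refeds.org/category/research-and-scholarship"
RS_REQUIRED = {"eduPersonPrincipalName", "mail"}  # plus displayName, or givenName and sn
# Constructed aggregate (not any federation's real metadata): one IdP with a registered scope, one R&S-tagged SP.
AGGREGATE = """<md:EntitiesDescriptor xmlns:md="urn:oasis:names:tc:SAML:2.0:metadata"
    xmlns:shibmd="urn:mace:shibboleth:metadata:1.0" xmlns:mdattr="urn:oasis:names:tc:SAML:metadata:attribute"
    xmlns:saml="urn:oasis:names:tc:SAML:2.0:assertion" validUntil="2099-01-01T00:00:00Z">
 <md:EntityDescriptor entityID="https://idp.example.edu/idp">
  <md:IDPSSODescriptor protocolSupportEnumeration="urn:oasis:names:tc:SAML:2.0:protocol">
   <md:Extensions><shibmd:Scope regexp="false">example.edu</shibmd:Scope></md:Extensions>
  </md:IDPSSODescriptor>
 </md:EntityDescriptor>
 <md:EntityDescriptor entityID="https://sp.example.org/shibboleth">
  <md:Extensions><mdattr:EntityAttributes>
   <saml:Attribute Name="http://macedir.org/entity-category">
    <saml:AttributeValue>http://refeds.org/category/research-and-scholarship</saml:AttributeValue>
   </saml:Attribute></mdattr:EntityAttributes></md:Extensions>
  <md:SPSSODescriptor protocolSupportEnumeration="urn:oasis:names:tc:SAML:2.0:protocol"/>
 </md:EntityDescriptor>
</md:EntitiesDescriptor>"""

def parse_aggregate(xml_text, now=None):
    """Refuse an expired aggregate, then index each entity's registered scopes and entity categories.
    Assumes the aggregate's XML signature was already verified against the federation's signing key."""
    root = ET.fromstring(xml_text)
    valid_until = datetime.strptime(root.get("validUntil"), "%Y-%m-%dT%H:%M:%SZ").replace(tzinfo=timezone.utc)
    if (now or datetime.now(timezone.utc)) > valid_until:
        raise ValueError("metadata aggregate expired; do not trust stale entity data")
    entities = {}
    for ed in root.findall("md:EntityDescriptor", NS):
        scopes = {s.text for s in ed.findall("md:IDPSSODescriptor/md:Extensions/shibmd:Scope", NS)}
        cats = {v.text for v in ed.findall("md:Extensions/mdattr:EntityAttributes/saml:Attribute"
                                           "[@Name='http://macedir.org/entity-category']/saml:AttributeValue", NS)}
        entities[ed.get("entityID")] = {"scopes": scopes, "categories": cats}
    return entities

def scoped_value_ok(entities, idp_id, value):
    """Trust user@scope only if metadata registers that scope for the asserting IdP (blocks cross-domain spoofing)."""
    idp = entities.get(idp_id)
    return idp is not None and "@" in value and value.rsplit("@", 1)[1] in idp["scopes"]

def rs_bundle_ok(entities, sp_id, attrs):
    """Release the R&S bundle only to an SP that metadata tags as R&S, and only if the bundle is complete."""
    sp, names = entities.get(sp_id), set(attrs)
    return (sp is not None and RS_CATEGORY in sp["categories"] and RS_REQUIRED <= names
            and ("displayName" in names or {"givenName", "sn"} <= names))
```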

Page 13:

Interfed gap analysis

• Technical

  • Interfed discovery

  • Metadata sharing

  • Aligned attribute bundles

• Policy