Sustainability in Federated Identity Services - Global and ... · What works and what doesn’t...

Networks·Services·Peoplewww.geant.org

AnnHarding@hardingar

I2GlobalSummit

Whatworksandwhatdoesn’twitheduroamandeduGAIN

SustainabilityinFederatedIdentityServices- GlobalandLocal

April2017

ActivityLead,Trust&IdentityDevelopment,GÉANTPersonwhoAsksUncomfortableQuestions,SWITCH


function ScaleGlobalService (){global $UseCases;global $TechGlue;

//TODO– MagicGoesHere

echo $DeclareVictory;}

$DeclareVictory =true;

2

Findingthemagic

Networks·Services·Peoplewww.geant.org 3

TwoGloballyScaledServices,TwoPathstoSuccess

• 10+Yearsold,• 70+countries,tensofthousandsofsites• Oneservice– networkaccess

• WIFIdominated,fixtechpossible• Servicevisibletousers

• GlobaleduroamGovernanceCommittee(GeGC)• Nominatedbyconfederations• Setstechnicalandorganisationalstandards

fortheservice• SecretariatfundedfromGÉANTAssoc.

generalcosts,ETLRSviaGÉANTProject

• 5+Yearsold• 48countries,2k+IdPs,nearly1.5kservices• Serviceismetadataexchange

• Notvisibletousers• UservisibleserviceisWebSSO

• eduGAINSGandeduGAINExecutive• Eachmemberhas2xSGreps• GÉANTBoardistheExecutive• 100%fundedviaGÉANTProjectMechanisms• SGsetstechnicalandoperationalstandards


Fromlocalideastoglobalservice– eduroamevolution

.nl

.by.dk

.ca.cz

.hr

.fi

.be

.gr .hk

.is

.by

.mx.pl

.ie

.sa

.jp

.se


5

Fromlocalservicetoglobalservice– eduGAINevolution


Whodeliversthese

services?6

Quiztime!


Whydoesthatmatter?


ScalingGloballyisObeyingtheInvisibleRulesofIrrationality

“Ifyou'reacompany,myadviceistorememberthatyoucan'thaveitbothways.Youcan’ttreatyourcustomerslikefamilyonemomentandthentreatthemimpersonally—or,evenworse,asanuisanceoracompetitor—amomentlaterwhenthisbecomesmore

convenientorprofitable.”“MONEY,ASITturnsout,isveryoftenthemostexpensivewaytomotivatepeople.Socialnormsarenotonlycheaper,but

oftenmoreeffectiveaswell.”DanAriely,PredictablyIrrational:TheHiddenForcesThatShapeOurDecisions

“Therearemanyexamplestoshowthatpeoplewillworkmoreforacausethan

forcash.”


Enlightenedselfinterest


BeatingTheLimitationsofSuccess– eduroam’sroadmap

eduroamCATtransformedthedeployability ofeduroamonuser

devices

Alittlecentralisationisagoodthing

CAT++forenduserdevicediagnostics

“silverbullet”toenablecampus&SP

infrastructure

Communityideasgohere

Builtinf-ticksmonitoringandaggregationearly


BeatingTheLimitationsofSuccess– eduGAIN’sroadmap

RobustnessofOperations

Federationcoverage

SupportFederationstoSupportCampus

Beyondthebaseline:SIRTFI&MFA

Entitycoverage

SupportforFederations:FaaS

NextGenerationArchitecturesand

Protocols

Beyondthebaseline:CoCo &R&S


• AAIasaServiceforCollaborativeorganisations• Expandingtoserveothersectorswithoutdisruptingsustainabilityforexistingusers

• InAcademia– SimpleaffiliationvalidationasaService• Monetising theadvantageswehave

12

Twoevolutionsinsustainability


Sciencerequirements– TheNetworkView

AdaptedfromTheRationaleofOpticalNetworking,Cees deLaat,ErikRadius,StevenWallace(c2002)

ClassA)arethetypicalhomeusers

ClassB)consistsofthecorporations,enterprises,Universities,virtualorganisations andlaboratories.

ClassC)arethereallyhighendapplications

Sciencemeansbigdata


• ClassA)arethesimplelibrary/journal/learningapplications

• ClassB)consistsofthecampus‘corporate’infrastructure

• ClassC)arethereallycomplextrustapplicationsforcollaborationande-Research

• Sciencemeansbigcollaboration

14

ScienceRequirements- theTrustandIdentityView

Complexity

0

50

100

150

200

250

300

350

Library&Journals

Teaching&Learning

CampusInfrastructure

Other CloudService CollaborationPlatform

ResearchService

ServicesineduGAIN


Designpattern1:Enableyourcollaboration flows• ExportIdPstoeduGAIN• ExporteResearchSPstoeduGAIN

Designpattern2:Unclogyourpolicytaps• Forhubandspoke– doyouneedthesamepoliciesforyourCusersasforyouraandB?Canyoubemoreflexible?

• Forfullmesh– doyouneedtoleaveeverythingtotheedges?Canyouuseyourresourceregistry/centraltoolstoapplypolicyfore-Researchmorescalably?

• Pragmaticassurance

Designpattern3:Buildawelltrustedendtoendinfrastructure• UseResearchandScholarshipandGÉANTCodeofConductEntityCategoriestomaketrustscalebeyondyourfederation

• AdoptSIRTFIincidentresponseframeworktobuildtrust

• Adoptgroupandattributemanagementservicese.g.VOPlatform

15

ScienceDMZ,theTrustandIdentityView


InAcademia- aSimplevalidationService

InAcademialeveragesexistingeduGAINinfrastructureforInstitutions,whileatthesametimeradicallysimplifiesaffiliationvalidationforservices

MicrosoftwantstoofferfreeOffice365toallstudentsinEU

ORCIDseekstoimproveaccountquality

SMEswantlowbarriersforleveragingdigitalacademicIdentity:asimplecontract,apredictablecostmodelandhighassuranceonidentity


InAcademia

DEMO


InAcademia– theconceptCu

stom

erValue

s Queryasingle,centralisedservicetoconfirmaffiliationValidationserviceaccessibleforalleduGAINIdPsAsimpleprotocolisusedbytheServices(OpenIDConnect)Singlecontractpolicy

Commun

ityValue

s Minimalexchangeofpersonaldata– neverpassedtotheSPfromtheInAcademiaserviceActsasa‘normal’SPtowardstheIdPEnableslowertrustusageofinformationwithoutloweringoveralltrust Su

stainability SPpaysasmallper

transactionfeeforthevalidationRevenuesaresustainablyandfairlydistributed• SupportoperationsforInAcademia&eduGAIN

•ProvideaninnovationfundforOpenCalls

• Kickbacktoorganisationsprovidingvalidations


Unifygenuineusecases

Notsoabstractthatyouwillneed38waystoimplement,evenifyouleaveitfreeasatheoreticalpossibility

Scale‘cheaply’bybringingin

infrastructurefrommanyparties

Respecttheadvantagesofsocial

contractandunderstandwheretheyoutweighthecertaintyoffinancialcontract

Designfairness

Balancethepainpointswithinthedifferentstakeholdersofthe

infrastructure

Understandwhatisimportantto

participantsandpreserveit

Buildtrusttohelpyouovercomeyour

limitations

WeasNRENSareproudandfiercelyprotectiveofour

reputations

Noamountoftechnicaltrustorgovernance

tweakingwillmakeyoubeabletogofurtherthanyouaretrusted

19

Whatisthemagicforsustainability?


Thankyou


This workispartofaprojectthathasreceivedfundingfromtheEuropeanUnion’sHorizon2020researchandinnovationprogrammeunderGrantAgreementNo.691567(GN4-1).20

Sustainability in Federated Identity Services - Global and ... · What works and what doesn’t...

Documents

Transcript of Sustainability in Federated Identity Services - Global and ... · What works and what doesn’t...