Federation management A mess? 9.4.2008 Nordunet Conference Mikael Linden CSC, the Finnish IT Center for Science


Page 1

Federation management: A mess?

9.4.2008 Nordunet Conference

Mikael Linden

CSC, the Finnish IT Center for Science

Page 2

What is Federated Identity technology?

Home Organisation (Helsinki University of Technology, HUT): Identity Provider, IdP
Service Provider, SP (University of Turku): Moodle Learning Management System

1. HTTP, browser to SP: "Let me in to http://moodle.utu.fi/"
2. HTTP redirect, SAML authentication request, SP to IdP via the browser: "Someone from HUT wants to log in to our Moodle. Authenticate him."
3. The user authenticates at the IdP. Username: bsmith, Password: 95iEfHw
4. HTTP POST, SAML authentication response, IdP to SP via the browser: "Let me in to http://moodle.utu.fi/. My home organisation has authenticated me and asserts that my name is Bob Smith and I'm a student at Helsinki University of Technology."

SP: "Let him in."
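The checks an SP makes on the step-4 SAML response before it says "Let him in", and the access-control decision the service then takes on the released attributes (slide 4: home organisations release attributes, services do access control). This is an added example, not code from the slides or from Haka; the entity IDs, the IdP list and the sample assertion are constructed, and XML signature verification is assumed to have been done already by the SAML stack.

```python
# Added example: SP-side validation of a SAML 2.0 assertion (constructed data).
# Assumption: the XML signature on the response has already been verified.
import xml.etree.ElementTree as ET
from datetime import datetime, timezone

NS = {"saml": "urn:oasis:names:tc:SAML:2.0:assertion"}
SP_ENTITY_ID = "https://moodle.utu.fi/shibboleth"        # constructed entity ID
# The federation as the SP sees it: the IdPs listed in federation metadata.
FEDERATION_IDPS = {"https://idp.hut.fi/idp/shibboleth"}   # constructed entity ID

# Constructed sample of the assertion carried in the step-4 HTTP POST.
SAMPLE_ASSERTION = """<saml:Assertion xmlns:saml="urn:oasis:names:tc:SAML:2.0:assertion">
  <saml:Issuer>https://idp.hut.fi/idp/shibboleth</saml:Issuer>
  <saml:Conditions NotBefore="2008-04-09T10:00:00Z" NotOnOrAfter="2008-04-09T10:05:00Z">
    <saml:AudienceRestriction><saml:Audience>https://moodle.utu.fi/shibboleth</saml:Audience></saml:AudienceRestriction>
  </saml:Conditions>
  <saml:AttributeStatement>
    <saml:Attribute Name="displayName"><saml:AttributeValue>Bob Smith</saml:AttributeValue></saml:Attribute>
    <saml:Attribute Name="eduPersonAffiliation"><saml:AttributeValue>student</saml:AttributeValue></saml:Attribute>
  </saml:AttributeStatement>
</saml:Assertion>"""

def parse_time(s):
    return datetime.strptime(s, "%Y-%m-%dT%H:%M:%SZ").replace(tzinfo=timezone.utc)

def validate_assertion(xml_text, now):
    """Return the released attributes, or raise ValueError saying why the SP must refuse."""
    root = ET.fromstring(xml_text)
    # 1. Only IdPs that are members of the federation are trusted to assert identities.
    issuer = root.findtext("saml:Issuer", namespaces=NS)
    if issuer not in FEDERATION_IDPS:
        raise ValueError(f"issuer {issuer} is not an IdP of the federation")
    # 2. The assertion must be used inside its validity window (limits replay).
    cond = root.find("saml:Conditions", NS)
    if not (parse_time(cond.get("NotBefore")) <= now < parse_time(cond.get("NotOnOrAfter"))):
        raise ValueError("assertion outside its validity window")
    # 3. The assertion must have been issued for this SP, not for another service.
    audiences = [a.text for a in cond.iterfind("saml:AudienceRestriction/saml:Audience", NS)]
    if SP_ENTITY_ID not in audiences:
        raise ValueError("assertion was issued for another SP")
    attrs = {}
    for attr in root.iterfind("saml:AttributeStatement/saml:Attribute", NS):
        attrs[attr.get("Name")] = [v.text for v in attr.iterfind("saml:AttributeValue", NS)]
    return attrs

def access_decision(attrs):
    """The SP's own access control: here, students and staff may use Moodle."""
    return bool(set(attrs.get("eduPersonAffiliation", [])) & {"student", "staff", "faculty"})
```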

Page 3

What is an identity federation (aka Circle of Trust)?

InCommon: A federation is an association of organizations that come together to exchange information as appropriate about their users and resources in order to enable collaborations and transactions.

Liberty Alliance: A circle of trust is a federation of service providers and identity providers that have business relationships based on Liberty architecture and operational agreements and with whom users can transact business in a secure and apparently seamless environment.

=> A federation is an organisational (not a technical) construct

Page 4

Haka federation (coordinated and operated by CSC)

Haka federation of Finland

Home organisations (Identity Provider, IdP): U of Helsinki, U of Tampere, TUT, HUT, Tampere UAS, Savonia UAS, ... (# of IdPs: 24)

Services (Service Provider, SP): Nelli portal (libraries), circulation of incoming invoices, Moodle LMS (e-learning), supercomputer (CSC), Grid, wiki, blog etc. (# of SPs: 42)

Haka operational since 8/2005

240 000 end users, 2.0 million logins in 2007

• Home organisations maintain identities
• Home organisations authenticate the end users
• Home organisations release attributes to services
• Services do access control

Page 5

Do we need a federation? Case: Higher education

Nelli library portal, 3/2008: 119 582 Haka logins

There are often end users from several IdPs using the same SP. The IdPs and SPs don't necessarily have business relationships.

=> YES

Page 6

Do we need a federation? Case: B2B

In the business-to-business world, use of federated identity management is based on business relationships.

Business relationships are typically bilateral.

=> Not necessarily
• Identities can be federated between organisations on a bilateral basis

Page 7

Contractual shape of a federation

A federation:

Home organisations (Identity Provider, IdP): U of Helsinki, U of Tampere, TUT, HUT, Tampere UAS, Savonia UAS

Services (Service Provider, SP): Nelli portal (libraries), circulation of invoices, Moodle LMS (e-learning), supercomputer (CSC), Grid

Coordinator: has a contractual relationship with home organisations and services; sets the policy

Operator: subcontractor of the coordinator; takes care of daily technical operations of the federation

Page 8

An IdP-centric view of a federation

• A federation is seen as a set of IdPs which have deployed similar policies
• SPs are not considered part of the federation but consumers of the federation service
• SPs need not have a contractual relationship with the federation
• The data protection directive binds the SPs anyway

(Diagram: the operator and the IdPs form the federation; the SPs sit outside it)

Page 9

Technical shape of a federation: Distributed

Model deployed by Haka (.fi), SWAMID (.se) and several other federations

Pros
• No single point of failure in the message flow
• Costs of federation management low

Cons
• Hard to track errors and
• Not well supported by commercial products

(Diagram: four IdPs and four SPs)

Page 10

Technical shape of a federation: Centralised

Model deployed by Feide (.no) and WAYF (.dk)

Pros
• A single point where to locate problems and introduce new features
• Economies of scale

Cons
• A single point of failure
• Everyone needs to trust the IdP in the middle

(Diagram: four IdPs and four SPs connected through an IdP proxy)

Page 11

The Nordic dimension

A common denominator for Nordic identity federations: campus identity management
• Identity providers are expected to provide only identities of high quality

High quality of
• Authentication (face-to-face registration and token delivery)
• Attributes (students' and employees' accounts are closed as they depart)

Included also in the charter of the Kalmar Union
• The confederation of Nordic federations

Page 12

Coordination of a federation: leadership in a network of organisations

• Understanding universities' needs and limitations
• Understanding the possibilities of the technology
• Steering the development of the federation; getting organisations involved

...without having a mandate to dictate anything

• Changes are slow and difficult to drive in a federation
• Communications with different players in academia