Growth and Change in Federations and What This Means for Supporting Technologies
Nick Roy and Chris Phillips, nroy@internet2.edu, chris.phillips@canarie.ca
REFEDS at Internet2 TechEx, 2015.10.04

Agenda:

✧ Tech landscape, continuing the discussion
✧ What is happening in N. America?
✧ Exploring Next Steps

Context

Goal: Stay current while meeting the needs of our community

• Safely and securely
• Effectively and efficiently
• In a scalable fashion

Observations

✧ Shibboleth still the ‘reference platform for Federated SSO’
➢ Shibboleth makes up ~80% of 1828 IdP deployments as of Jul 16, 2015 [1]
➢ Understanding features for next 6-18 months will be key

✧ ADFS practically everywhere, but lacks features.
➢ Driven by Active Directory & O365/Azure requirement.
➢ Downside/Upside:
• ADFS has classically not met functional points
• Upside: change is happening (see previous link: 2016TP3)

✧ SSP still current
➢ Installation is more lightweight
➢ Both SP/IdP in same code base
➢ Others may speak more authoritatively on this.

[1] https://spaces.internet2.edu/display/InCFederation/Global+Shib+IdP+Deployments

Additional Data Points

New IdP Platforms Emerging

✧ Ellucian* building an embedded IdP offering
➢ Partnered with WSO2 [1]
➢ Guidance on implementation offered by InCommon [2]
➢ Could be a significant gain if done well.

* Ellucian is an ERP vendor with many installs in Higher Ed that manages Banner/SCT
[1] http://www.ellucian.com/News/Ellucian-Announces-New-Single-Sign-On-Identity-Management-Service/
[2] http://walterhoehn.com/dl/SAML-Impl-Profile/rendered/main.html

InCommon Metadata Growing

✧ The “Steward Model”
➢ Allowing regional networks to act as InCommon registrars for their connected constituent orgs
➢ An outcome of “The Quilt” consortium discussions
➢ MCNC will be the pilot for this

✧ eduGAIN
➢ Phased Opt-Out for IdPs (~400 entities)
➢ Opt-In for SPs
➢ Planned over the next 12 months

Aggregate Size Implications Catching Up

✧ Monolithic metadata is unsustainable long term
➢ REFEDS MDQ work seen as key
➢ InCommon is working toward production support due to critical need

✧ Symptoms of the problem
➢ Shibboleth & SSP have difficulty with signature validation
• Rapid growth in memory usage and time to validate
• Current response of increasing RAM buys time, but for how long?
– Long enough to solve the problem or introduce MDQ?

Entity Categories Key for Attribute Release

✧Entity Categories critical to enabling attribute release

➢Instrumental to handling attribute release at scale

➢Unfortunately not universally enabled across tool space
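As an added illustration (not from the slides), the two mechanisms raised above side by side: a per-entity MDQ lookup instead of loading and validating the whole aggregate, and an attribute-release decision keyed on the REFEDS R&S entity category rather than on per-SP rules. The MDQ base URL, the sample SP EntityDescriptor and the released attribute bundle are assumed/constructed here, not taken from any federation's actual policy.

```python
import hashlib
import urllib.parse
import xml.etree.ElementTree as ET

NS = {
    "md": "urn:oasis:names:tc:SAML:2.0:metadata",
    "mdattr": "urn:oasis:names:tc:SAML:metadata:attribute",
    "saml": "urn:oasis:names:tc:SAML:2.0:assertion",
}
ENTITY_CATEGORY = "http://macedir.org/entity-category"
RS_CATEGORY = "http://refeds.org/category/research-and-scholarship"
# Assumed local policy: the bundle an IdP releases to SPs carrying the R&S category
RS_BUNDLE = ("eduPersonPrincipalName", "mail", "displayName", "givenName", "sn")


def mdq_entity_url(base_url, entity_id):
    """Per-entity MDQ request: the transformed identifier is '{sha1}' plus the
    lowercase hex SHA-1 of the entityID, percent-encoded as one path segment."""
    digest = hashlib.sha1(entity_id.encode("utf-8")).hexdigest()
    return base_url.rstrip("/") + "/entities/" + urllib.parse.quote("{sha1}" + digest, safe="")


def entity_categories(entity_descriptor_xml):
    """Collect the entity-category values asserted in one EntityDescriptor."""
    root = ET.fromstring(entity_descriptor_xml)
    cats = set()
    for attr in root.findall(".//mdattr:EntityAttributes/saml:Attribute", NS):
        if attr.get("Name") == ENTITY_CATEGORY:
            cats.update((v.text or "").strip() for v in attr.findall("saml:AttributeValue", NS))
    return cats


def attributes_to_release(entity_descriptor_xml):
    """Release decision driven by category membership, not by a per-SP rule."""
    return RS_BUNDLE if RS_CATEGORY in entity_categories(entity_descriptor_xml) else ()


# Constructed sample: what an MDQ responder would return for a single R&S-tagged SP
SAMPLE_SP = """<md:EntityDescriptor xmlns:md="urn:oasis:names:tc:SAML:2.0:metadata"
    xmlns:mdattr="urn:oasis:names:tc:SAML:metadata:attribute"
    xmlns:saml="urn:oasis:names:tc:SAML:2.0:assertion"
    entityID="https://sp.example.org/shibboleth">
  <md:Extensions>
    <mdattr:EntityAttributes>
      <saml:Attribute Name="http://macedir.org/entity-category" NameFormat="urn:oasis:names:tc:SAML:2.0:attrname-format:uri">
        <saml:AttributeValue>http://refeds.org/category/research-and-scholarship</saml:AttributeValue>
      </saml:Attribute>
    </mdattr:EntityAttributes>
  </md:Extensions>
  <md:SPSSODescriptor protocolSupportEnumeration="urn:oasis:names:tc:SAML:2.0:protocol"/>
</md:EntityDescriptor>"""
```

Point `mdq_entity_url` at a federation's MDQ service (a placeholder base URL is assumed here) to fetch one EntityDescriptor on demand, then feed the response to `attributes_to_release`; signature validation of the returned fragment is still required and is out of scope of this snippet.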

Interpretations & Thoughts

Fill the Information Vacuum

✧ Ellucian is where Microsoft was a few years ago, but has the benefit of our insight because they asked.
✧ Microsoft only worked from the spec and what they thought their customer needs were.
➢ We weren’t vocal or consulted as well as we could have been.
➢ Spec and written authoritative material are key.

✧ Material with gaps between spec and practice:
➢ OASIS
➢ SAML2Int.org

✧ Actions that may improve things
➢ Updating SAML2Int.org to be more robust
• Complement it with an InCommon-authored doc?
➢ Capitalize and act on the IETF stream
• Migrate IETF documents (somehow) from personal submissions to a firmer posture
• Will vendors implement a spec under an individual submission? Unlikely? Insight welcome.
➢ Does Kantara have a role here too?

Improve on Communicating Technical Needs

✧Speak up for product features for prioritization.

➢Different teams have different resourcing models and need to hear from us on what is important.

➢Otherwise, they will only choose what matters to them.

✧ Case in point:
➢ ADFS is near ubiquitous, but not so good at matching our needs

✧ Understanding team constraints is key:
➢ Time constrained?
➢ Resource constrained?
➢ Can we somehow assist?

Where To Continue This Dialog?