Identity federation: A new way to manage access to resources
SANLiC 2017, Durban, May 2017

Identity federation: A new way to manage access to...2017/06/02  · FIM4R Findings (2012) Federated technologies are good. Take advantage of them. The infrastructure needs to be improved


Identity Federations: A brief introduction


Federated Identity

A federated identity in information technology is the means of linking a person's electronic identity and attributes, stored across multiple distinct identity management systems

Source: https://en.wikipedia.org/wiki/Federated_identity


Federated Identity

Identity Providers (Home Organisations)

Identity Federation

Service Providers’ Web Sites


Why not just use Google?

All the major social network platforms provide federated identities…

… so why don’t we just use these?

They all have one major drawback – they are self-asserted

This means you cannot trust any of the information

This is often okay, but…


[email protected]


Academic Identity Federations

Academic identity federations exist to solve the trust problem

Your home organisation – university, research council, etc – knows a lot about you

They also know stuff specific to higher education (HEMIS, RIMS)

More importantly, most of this information has usually been checked and may be subject to audit

This makes them ideal to act as identity providers


Academic Federation Operators

All federations have operators: Facebook Inc operates Facebook Connect

Academic federations: usually operated by the National Research and Education Network (NREN)

Typically only one per country

65 known academic federations worldwide


Academic Identity Federations Around the World

Source: https://refeds.org/federations/federations-map, May 2017


Academic Federation Operators

Academic federations are primarily trust relationships with federation operators acting as trusted introducers

Federation operators worldwide collaborate on issues of interest to the research & education

Interoperability (R&S profile)

Common identifiers (eduPersonOrcid)

Handling of sensitive information

Security/incident response (SIRTFI)

etc…


Inter-federation

Inter-federation is the linking of one (academic) federation to another

Through inter-federation we can gain access to services that are not yet available in our own country

Service providers can gain access to customers


SAFIRE: South African Identity Federation


SAFIRE – South African Identity Federation

Academic identity federation for South Africa

Conceived by the community and piloted over a number of years

Supported service operated by TENET

Member of eduGAIN (since February)

48th member / 41st full participant

1st member in Africa

Your IT Department should know all this…


SAFIRE – Participants


So what does this all mean for libraries?


The “traditional” licensing model

License based on some form of FTE count

Site-wide, but use restricted to the local campus network

Off-campus users must make use of a reverse proxy or VPN solution

Not easy to enforce more granular controls

IP-based restrictions don’t scale well – and are out-of-sync with the modern Internet

Average student carries 3+ devices.

Default IPv6 allocation for universities in South Africa has 1 208 925 819 614 629 174 706 176 IP addresses in it.


Reverse Proxies

Many libraries use reverse proxies to provide off-campus access to electronic resources: EZProxy, III WAM Proxy

Campus networks – indeed “campuses” – are becoming increasingly hard to define, and users are becoming increasingly mobile

Confusing for users – “why can’t I just log in like every other website I use?!”

Difficult to support & troubleshoot

As journal providers embrace SSL, these become more complicated – and expensive – to maintain


Reverse Proxies

By perpetuating reverse proxies, libraries are undermining Internet security and directly contributing to the problem of phishing

https://www.us-cert.gov/ncas/alerts/TA17-075A


What if we could leverage existing institutional logins?


What if we could license in a more specific way?


schacHomeOrganizationType urn:schac:homeOrganizationType:int:university

schacHomeOrganization example.ac.za

eduPersonAffiliation faculty employee member

eduPersonScopedAffiliation [email protected] [email protected] [email protected] [email protected]
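
Added example (not part of the original slides): a service provider's licence check driven by the attributes listed above instead of an IP-based ACL, including the scope check against federation metadata that stops one identity provider from asserting another organisation's affiliations. The entity IDs, the other.example scope and the licence table are constructed for illustration.

```python
from dataclasses import dataclass

# Constructed stand-in for federation metadata: the scopes each identity
# provider is registered to assert (assumed entity IDs, not from the slides).
REGISTERED_SCOPES = {
    "https://idp.example.ac.za/idp": {"example.ac.za"},
    "https://idp.other.example/idp": {"other.example"},
}

# Hypothetical licence: affiliations covered at each licensed organisation.
LICENCE = {"example.ac.za": {"faculty", "student", "staff"}}


@dataclass(frozen=True)
class Decision:
    allowed: bool
    reason: str


def authorise(idp_entity_id, attributes):
    """Decide access from released attributes rather than the client IP."""
    allowed_scopes = REGISTERED_SCOPES.get(idp_entity_id)
    if allowed_scopes is None:
        return Decision(False, "identity provider not in federation metadata")
    for value in attributes.get("eduPersonScopedAffiliation", []):
        affiliation, sep, scope = value.rpartition("@")
        if not sep or not affiliation:
            continue  # malformed value: skip it rather than guess
        affiliation, scope = affiliation.lower(), scope.lower()
        # An IdP may only speak for its own registered scopes; without this
        # check any federation member could claim a licensed campus's users.
        if scope not in allowed_scopes:
            continue
        if affiliation in LICENCE.get(scope, set()):
            return Decision(True, f"{affiliation}@{scope} is covered")
    return Decision(False, "no licensed affiliation asserted")


if __name__ == "__main__":
    # Constructed attribute release for a faculty member at example.ac.za.
    sample = {"eduPersonScopedAffiliation": ["member@example.ac.za",
                                             "faculty@example.ac.za"]}
    print(authorise("https://idp.example.ac.za/idp", sample))
```

The decision needs no name, e-mail address or network location, only the affiliation and the scope the identity provider is registered for.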


What if we could benefit from the integration work done by others?

Rhodes University Library & eduGAIN MET, August 2016


What if we could do this whilst still protecting personal privacy?


Federation…

Provides a new approach to electronic resource management

Gives better control over who has access to your resources = better compliance with licensing agreements

Allows you to downsize/decommission reverse proxies

Is less confusing for your users

Saves you money…


FIM4R Findings (2012)

Federated technologies are good. Take advantage of them.

The infrastructure needs to be improved to take advantage of federated technologies. Do it.

Relying on older models of local account creation and IP-based ACLs is easier. This is a very limited view. Stop it.

If you can’t fix it all yourself (and you can’t), facilitate the efforts of groups that can. Build relationships, target your spending or funding to make the biggest impact.

Source: http://cds.cern.ch/record/1442597

Via: https://learn.nsrc.org/fedidm/iam_researchers


Questions?

https://safire.ac.za/

[email protected]


The problem we’re trying to solve
