Embed Size (px)
DESCRIPTION
Three observations 1.The User-Agent is normally a browser. 2.The Web is not the Internet. 3.We already have some good systems for non- Web identity federation.
Citation preview
What is “Federated identity”?
2
User principal wieldinguser-agent
Identity ProviderRelying Party
Access resource Authentication
Trust (business and/or technical)
Directory
Relying Party’sadministrative domain
User principal’sadministrative domain
Three observations
1. The User-Agent is normally a browser.2. The Web is not the Internet.
3. We already have some good systems for non-Web identity federation.
Example 1: federated network access
4
RADIUS serverUniversity B
RADIUS serverUniversity A
SURFnet
Central .nl RADIUS
Proxy server
Authenticator(AP or switch) User
DBUser DB
Supplicant
Visiting useruser@university_b.nl
StudentVLAN
CommercialVLAN
EmployeeVLAN
datasignalling
• 802.1X• RADIUS• EAP
Source: SURFnet
Example 2: the hybrid approach• Authenticate using Web SSO, and insert a token
into the non-web protocol flow.• Example: Jabber with SAML or OpenID:– Without changing SAML IdP– Minimal change at Jabber client – Jabber server can run “in-the-cloud”
• Current work (proposed as WG item for KITTEN) looks at leveraging SASL– draft-wierenga-ietf-sasl-saml, draft-lear-ietf-sasl-
openid, draft-cantor-ietf-sasl-saml-ec• This is necessary work, but not sufficient.
Research & Education Federations
• Early and aggressive adopters of federated identity technology.
• Large and rapidly growing federated systems.– UK R&E federation ≈ 10 million identities and
growing.– eduGAIN ≈ projected 10s millions of identities.
• But some growing pains…
Use-case 1: Out-sourcing• Reduce costs by out-sourcing services to third party
service providers.• Federated identity• provides better user experience through SSO.• reduces helpdesk burden for both IdP and SP.
• Today, this only works for Web applications; not for IMAP, SMTP, POP3, Jabber, Calendaring, etc.
• Identity Provisioning APIs exist, but • Requires sharing credentials with SP.• Not a complete IdM / directory system, which is often
required for application personalisation or authorisation.
Use-case 2: High Performance Computing
• Improve Business Continuity.
• Offer HPC-as-a-service to more internal and external customers.
• Reduce costs incurred in operating HPC-specific RA.
• SSH, SFTP, SCP, NFS, CIFS.
Use-case 3: learning from Web SSO In creating federated authentication for new
applications, avoid problems discovered with web SSO today (and fix them for web SSO).
Identity Provider discovery Users already presented with hundreds of possible
identity providers; international inter-federation will likely increase this to thousands quite soon.
Multiple affiliations It is sometimes difficult to select the appropriate
identity provider for a particular service.
Use-case 4: establishing trust in SAML metadata
SAML IdP and SP entities usually establish trust using SAML metadata that describes each entity.
In R&E federations, member SP and IdP metadata is (usually) collected into an aggregate, signed by the federation Operator and published.
The distribution of the aggregate, across the network from federation to entities, is the basis of trust.
Scaling Revocation Consuming metadata for entities from other federations
Discuss!
