SIR, FedSSH and more to come…


Page 1: SIR, FedSSH and more to come…

Diego R. Lopez, RedIRIS

TF-EMC2, Umea


Page 2

TF-EMC2. Umea, July 2008

SIR
Servicio de Identidad de RedIRIS

• Provide a single entry point to digital identity services for the academic community

• Multiprotocol

• Simplify management

• Guarantee evolution

• Flexible
  • Compatible with any level of IdM deployment
  • Able to live in parallel with other infrastructures

• http://www.rediris.es/sir/

Page 3

The SIR Model

“One Ring to bring them all and in the darkness bind them
In the Land of Mordor where the Shadows lie.”

Page 4

IdPs in SIR

• Institutions in the RedIRIS constituency
  • Virtual organizations related to them

• Must install a connector
  • Able to produce assertions in the PAPI v1 protocol
  • Minimum set of attributes in the iris-* schemas
  • PHP, Java (JSP & Filter), Apache mod_perl, ASP, Sun AM, OSSO and some specific ones
  • Community process for developing new ones

• Must register for the service
  • Accepting the conditions of use
  • Providing their metadata

Page 5

SIR Services

• Interconnection with SAML infrastructures

• Access to PAPI-based services

• eduGAIN BE

• OpenID producer

• Validation services

• Attribute exchange
  • SAML
  • OpenID

Page 6

SIR: SAML (including eduGAIN)

• Virtual IdP per institution
  • Using simpleSAMLphp capabilities

• Metadata distribution for regional federations
  • Direct integration of SAML IdPs is feasible

• Central eduGAIN BE
  • Plus virtual BEs for institutions requesting them

• Commercial providers
  • Microsoft
  • Elsevier
  • Requests ongoing for Ovid, JSTOR, EBSCO,…
  • Driven by the user institutions

Page 7

SIR: PAPI

• Two ways for connection:
  • GPoA SIR
  • Virtual AS for each institution

• Access to the national license on ISI WoK

• RedIRIS inner services
  • Conferences
  • Service control panel
  • Portals

• Proxies

Page 8

SIR: OpenID

• Virtual producer per institution

• Additional controls
  • Match URL with attribute values
  • Specify acceptable RPs
  • User consent for extensions related to personal data

• Identifiers in whatever Spanish language
  • yo.rediris.es/soy/[email protected]
  • jo.rediris.es/soc/[email protected]
  • eu.rediris.es/son/[email protected]
  • ni.rediris.es/[email protected]/naiz
  • Simplified versions possible for OpenID2

Page 9

SIR: Some ideas for the future

• New protocols and identity services
  • OAuth
  • Cardspace
  • COmanage

• New applications (beyond WebSSO)
  • SSH access
  • Distributed storage
  • Attribute authorities (a-la-COManage)

• Grid interconnection
  • SLCS
  • VOMS

• Usage of DNIe
  • And the PEPS

Page 10

FedSSH

• Based on the ideas discussed by TF-EMC2 over the past summer

• Common public key servers are updated through specific SPs

• A modified version of the SSH server, able to use an external repository for public keys
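As an added illustration (not RedIRIS code, and not the modified SSH server the slide describes): the same split between a federation-maintained key repository and the SSH server, but built on OpenSSH's stock AuthorizedKeysCommand hook rather than a patched daemon. The in-memory repository, the record layout and the script name are assumptions constructed for the example; the point it adds is that the helper filters deprovisioned and malformed entries and pins restrictive key options before sshd ever sees a key.

```python
"""FedSSH-style lookup of SSH public keys from an external repository."""
import re
import sys

# Constructed sample repository: login name -> records provisioned by an SP.
# A record carries the public key line and whether the SP still treats the
# federated account as active (deprovisioning flips it to False).
KEY_REPOSITORY = {
    "alice": [
        {"key": "ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIExampleKeyForAlice00000000000 alice@example.org",
         "active": True},
        {"key": "not a key line at all", "active": True},
    ],
    "bob": [
        {"key": "ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIExampleKeyForBob0000000000000 bob@example.org",
         "active": False},
    ],
}

# Accept only key types the local policy allows, in authorized_keys syntax:
# <type> <base64 blob> [comment].
KEY_LINE = re.compile(r"^(ssh-ed25519|ecdsa-sha2-nistp256|ssh-rsa) [A-Za-z0-9+/]+=*( \S+)?$")

# Options prepended to every federated key: the repository decides who may
# log in, but forwarding policy stays under the server's control.
KEY_OPTIONS = "no-agent-forwarding,no-port-forwarding,no-X11-forwarding"


def authorized_keys_for(user, repository=KEY_REPOSITORY):
    """Return the authorized_keys lines sshd should honour for `user`.

    Inactive records and malformed lines are dropped rather than passed
    through, so a stale or corrupt repository entry fails closed.
    """
    lines = []
    for record in repository.get(user, []):
        if not record.get("active"):
            continue
        if not KEY_LINE.match(record["key"]):
            continue
        lines.append(f"{KEY_OPTIONS} {record['key']}")
    return lines


if __name__ == "__main__":
    # sshd runs the helper as `fedssh_keys.py <login name>` via
    # AuthorizedKeysCommand (hypothetical script name) and reads stdout.
    login = sys.argv[1] if len(sys.argv) > 1 else ""
    print("\n".join(authorized_keys_for(login)))
```

In a real deployment the dict would be replaced by a query to the federation's key server, and AuthorizedKeysCommandUser should point at an unprivileged account so the lookup runs without root.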

Page 11

Deploying FedSSH

• Deployed as a pilot by CONFIA, the Southern Spanish federation
  • Applied to teaching environments
  • Connected to a federated account provision system

• Plans to explore the applicability to storage services

Page 12

Riding the Hype

• Make the case for identity services among the wider user community
  • Some of the big players are behind

• Explore direct potential applications
  • There are smart people working on this

Page 13

Identity a-la-carte

• “Use your identity everywhere”
  • Easy deployment of additional control
  • Makes it more valuable to users

• OpenID identifiers for catch-all, low-LoA IdPs

Page 14

Lightweight federation?

• No changes to the basic protocol required

• ARPs could be implemented as well

• Simpler to deploy?

• Easier to integrate?

• Closer to commercial providers?

[Diagram: SP checks for trusted IdP; IdP checks for trusted SP; mutual authentication possible]

Page 15

OAuth for auto-registration

[Diagram: exchange between Fed SP and Fed IdP]
• Initiate registration
• Request attributes
• Process attributes
  • Decide on values
  • Update databases
  • Associate with agreed identifiers

Page 16

Edificio CICA
Avenida Reina Mercedes s/n
41012 Sevilla. España