Diego R. Lopez, RedIRIS
TF-EMC2, Umea
SIR, FedSSH and more to come…
TF-EMC2. Umea, July 2008
SIR: Servicio de Identidad de RedIRIS (the RedIRIS Identity Service)
• Provide a single entry point to digital identity services for the academic community
• Multiprotocol
  – Simplify management
  – Guarantee evolution
• Flexible
  – Compatible with any level of IdM deployment
  – Able to live in parallel with other infrastructures
• http://www.rediris.es/sir/
The SIR Model
“One Ring to bring them all and in the darkness bind them
In the Land of Mordor where the Shadows lie.”
IdPs in SIR
• Institutions in the RedIRIS constituency
  – Virtual organizations related to them
• Must install a connector
  – Able to produce assertions in the PAPI v1 protocol
  – Minimum set of attributes in the iris-* schemas
  – Available for PHP, Java (JSP & Filter), Apache mod_perl, ASP, Sun AM, OSSO and some specific ones
  – Community process for developing new ones
• Must register for the service
  – Accepting the conditions of use
  – Providing their metadata
SIR Services
• Interconnection with SAML infrastructures
• Access to PAPI-based services
• eduGAIN BE (Bridging Element)
• OpenID producer
• Validation services
• Attribute exchange
  – SAML
  – OpenID
SIR: SAML (including eduGAIN)
• Virtual IdP per institution
  – Using simpleSAMLphp capabilities
• Metadata distribution for regional federations
  – Direct integration of SAML IdPs is feasible
• Central eduGAIN BE
  – Plus virtual BEs for institutions requesting them
• Commercial providers
  – Microsoft, Elsevier
  – Requests ongoing for Ovid, JSTOR, EBSCO,…
  – Driven by the user institutions
SIR: PAPI
• Two ways of connecting:
  – The SIR GPoA (Group Point of Access)
  – A virtual AS (Authentication Server) for each institution
• Access to the national license on ISI WoK
• RedIRIS inner services
  – Conferences
  – Service control panel
  – Portals
• Proxies
SIR: OpenID
• Virtual producer per institution
• Additional controls
  – Match the identifier URL with attribute values
  – Specify acceptable RPs
  – User consent for extensions related to personal data
• Identifiers in any of the Spanish languages:
  yo.rediris.es/soy/[email protected]
  jo.rediris.es/soc/[email protected]
  eu.rediris.es/son/[email protected]
  ni.rediris.es/[email protected]/naiz
  – Simplified versions possible for OpenID 2
SIR: Some ideas for the future
• New protocols and identity services
  – OAuth, CardSpace, COmanage
• New applications (beyond WebSSO)
  – SSH access
  – Distributed storage
  – Attribute authorities (à la COmanage)
• Grid interconnection
  – SLCS, VOMS
• Usage of the DNIe (the Spanish electronic national ID card)
  – And the PEPS (the STORK Pan-European Proxy Service)
FedSSH
• Based on the ideas discussed by TF-EMC2 over the past summer
• Common public key servers are updated through specific SPs
• A modified version of the SSH server, able to use an external repository for public keys
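The lookup the slide describes (an SSH server consulting an external public key repository instead of the user's own ~/.ssh/authorized_keys), written here as an added example rather than the pilot's own code. It uses the AuthorizedKeysCommand hook that later OpenSSH releases (6.2 and newer) provide, instead of the patched server of the 2008 pilot; the repository layout (one file per user, populated out of band by the federated SP), the script path, the sshd_config lines and the sample key lines are all assumptions, and the key blobs are constructed placeholders, not real keys. The script validates key lines syntactically only: it does nothing to authenticate the repository itself, so in a deployment the channel between the SP and the key server is what carries the trust and must be protected separately.

```python
#!/usr/bin/env python3
"""fedssh-keys: look up a user's SSH public keys in an external repository.

Added example; not the FedSSH code of the 2008 pilot. Assumed repository layout:
one file per user, <user>.pub, under FEDSSH_REPO, populated out of band by the
federated SP that the deck describes. Assumed sshd_config (OpenSSH 6.2 or later):
    AuthorizedKeysCommand /usr/local/bin/fedssh-keys %u
    AuthorizedKeysCommandUser nobody
"""
import os
import re
import sys
import tempfile

REPO = os.environ.get("FEDSSH_REPO", "/var/lib/fedssh/keys")   # assumed path
# Options forced onto every federated key; the repository never gets to choose them.
OPTIONS = "no-agent-forwarding,no-port-forwarding"
# Only names that are safe as a path component: no '..', '/', or shell metacharacters.
USER_RE = re.compile(r"^[a-z][a-z0-9._-]{0,31}$")
KEY_TYPES = {"ssh-ed25519", "ssh-rsa",
             "ecdsa-sha2-nistp256", "ecdsa-sha2-nistp384", "ecdsa-sha2-nistp521"}
BLOB_RE = re.compile(r"^[A-Za-z0-9+/]+={0,2}$")


def parse_key_line(line):
    """Return (key_type, base64_blob) for a well-formed public key line, else None.

    Only the first two fields are kept: a line that starts with an authorized_keys
    option (command=, environment=, ...) is rejected, and the comment field is
    dropped, so a tampered repository cannot smuggle options past sshd.
    """
    parts = line.split()
    if len(parts) < 2 or parts[0] not in KEY_TYPES or not BLOB_RE.match(parts[1]):
        return None
    return parts[0], parts[1]


def authorized_keys(user, repo=REPO):
    """Lines to hand to sshd as the user's authorized_keys (empty if none registered)."""
    if not USER_RE.match(user):
        raise ValueError("refusing unsafe user name")
    path = os.path.join(repo, user + ".pub")
    if not os.path.isfile(path):
        return []
    lines = []
    with open(path, encoding="ascii", errors="replace") as f:
        for line in f:
            parsed = parse_key_line(line)
            if parsed:
                lines.append("%s %s %s" % (OPTIONS, parsed[0], parsed[1]))
    return lines


def build_demo_repo():
    """Constructed sample repository: one good key, three lines an attacker might plant."""
    repo = tempfile.mkdtemp(prefix="fedssh-demo-")
    with open(os.path.join(repo, "alice.pub"), "w") as f:
        f.write(
            # well-formed line (the blob is a constructed placeholder, not a real key)
            "ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIC0nstructedExampleBlobNotARealKey000 alice@univ.example\n"
            # option injection attempt: would run a command on every login if passed through
            'command="/bin/sh" ssh-rsa AAAAB3NzaC1yc2EAAAADAQABAAAAgQC0nstructed mallory\n'
            # malformed blob
            "ssh-ed25519 AAAA$(touch /tmp/owned) eve\n"
            "not a key at all\n")
    return repo


if __name__ == "__main__":
    # sshd calls this with %u; a non-zero exit makes sshd treat the lookup as failed.
    if len(sys.argv) != 2:
        sys.exit(2)
    try:
        print("\n".join(authorized_keys(sys.argv[1])))
    except ValueError:
        sys.exit(1)
```

The script refuses user names that are not safe path components and emits nothing but the key type and blob, so the worst a corrupted repository entry can do is fail to authenticate; the forwarding restrictions are added by the host, not taken from the repository.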
Deploying FedSSH
• Deployed as a pilot by CONFIA, the Southern Spanish federation
  – Applied to teaching environments
  – Connected to a federated account provisioning system
• Plans to explore the applicability to storage services
Riding the Hype
• Make the case for identity services among the wider user community
  – Some of the big players are behind
• Explore direct potential applications
  – There are smart people working on this
Identity à la carte
• “Use your identity everywhere”
  – Easy deployment of additional control
  – Makes it more valuable to users
• OpenID identifiers for catch-all, low-LoA IdPs
Lightweight federation?
• No changes to the basic protocol required
• ARPs (attribute release policies) could be implemented as well
• Simpler to deploy?
• Easier to integrate?
• Closer to commercial providers?
Diagram: the SP checks for a trusted IdP, the IdP checks for a trusted SP; mutual authentication is possible.
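The controls listed on the OpenID slide (match the identifier URL against the user's attributes, restrict the acceptable RPs, require consent for extensions carrying personal data) and the two trust checks in the lightweight-federation diagram above, as an added example that is not RedIRIS code. The identifier layouts follow the yo/jo/eu/ni examples on the OpenID slide; the trusted-OP list, the acceptable-RP list, the rule that the identifier must carry the authenticated user's eduPersonPrincipalName, and the sample principal alice@univ.example are assumptions made for the example.

```python
"""Trust checks for a lightweight OpenID federation.

Added example, not RedIRIS code. Policy tables and the principal-matching rule
are assumptions; only the identifier layouts come from the deck.
"""
from urllib.parse import urlparse

# Constructed policy tables (assumed, not RedIRIS configuration).
TRUSTED_OPS = {"yo.rediris.es", "jo.rediris.es", "eu.rediris.es", "ni.rediris.es"}
ACCEPTABLE_RPS = {"portal.example.edu", "wiki.example.org"}

# host -> (path prefix, path suffix) surrounding the principal name
IDENTIFIER_LAYOUTS = {
    "yo.rediris.es": ("/soy/", ""),      # Castilian: "yo soy ..."
    "jo.rediris.es": ("/soc/", ""),      # Catalan:   "jo soc ..."
    "eu.rediris.es": ("/son/", ""),      # Galician:  "eu son ..."
    "ni.rediris.es": ("/", "/naiz"),     # Basque:    "ni ... naiz"
}


def _parse(url):
    # OpenID identifiers are often written without a scheme; normalise to https.
    return urlparse(url if "://" in url else "https://" + url)


def identifier_to_principal(claimed_id):
    """Principal (user@institution) asserted by a SIR-style identifier, or None."""
    u = _parse(claimed_id)
    layout = IDENTIFIER_LAYOUTS.get(u.hostname or "")
    if layout is None:
        return None
    prefix, suffix = layout
    path = u.path
    if not (path.startswith(prefix) and path.endswith(suffix)):
        return None
    principal = path[len(prefix):len(path) - len(suffix)]
    user, sep, inst = principal.partition("@")
    if not (user and sep and inst) or "/" in principal:
        return None
    return principal.lower()


def idp_authorize(claimed_id, authenticated_principal, return_to,
                  ax_requested=False, consent=False):
    """IdP-side controls before asserting claimed_id to the RP at return_to.

    The identifier must name the user who actually logged in (assumed to be
    identified by eduPersonPrincipalName), the RP must be on the acceptable list,
    and an attribute-extension request needs the user's consent.
    """
    principal = identifier_to_principal(claimed_id)
    if principal is None:
        return (False, "not a recognised identifier")
    if principal != authenticated_principal.lower():
        return (False, "identifier does not match authenticated principal")
    rp = _parse(return_to)
    if rp.scheme != "https" or rp.hostname not in ACCEPTABLE_RPS:
        return (False, "return_to is not an acceptable RP")
    if ax_requested and not consent:
        return (False, "attribute exchange needs user consent")
    return (True, "ok")


def sp_accept_op(op_endpoint):
    """SP-side control: only OPs on the trusted list, reached over https."""
    u = _parse(op_endpoint)
    return u.scheme == "https" and u.hostname in TRUSTED_OPS
```

The principal check is the one that matters most: without it, any authenticated user could ask the OP to assert an identifier belonging to somebody else at the same institution. The RP and OP lists are what turn plain OpenID into a federation, and both sides keep their own list.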
OAuth for auto-registration
Diagram: Fed SP ↔ Fed IdP
• Initiate registration
• Request attributes
• Process attributes
  – Decide on values
  – Update databases
  – Associate with agreed identifiers
Edificio CICA, Avenida Reina Mercedes s/n, 41012 Sevilla, Spain