Alternative Forms of Expressing Identity
On the Many Ways to Identity Exchange (Again)
Digital identities are more valuable as they are more widely assertable
Diego R. Lopez, RedIRIS
18th TF-EMC2. WebEx, June 2011
STORK
• Pilot for academic institutions successfully finished
  https://www.eid-stork.eu/pilots/pilot3.htm
• STORK IdPs integrated as special SIR IdPs
  “If you are in SIR, you can deal with STORK identities”
• Looking forward to strengthening integration
  • Sub-task in the current eduGAIN workplan
  • Module for SimpleSAMLphp
  • Metadata management
  • Policy issues
• Additional use cases proposed for STORK extension
  • Credential management
  • LoA handling
Proxying
• Two proposals submitted for REFEDS funding
  • Federated management of central proxy instances
  • Central proxy configuration services
• Do we need an open-source proxy?
  • EZproxy is well-known, widely deployed, and provided on reasonably fair terms
  • Would it scale up to
    • National proxy services
    • More specific usages (Web Services, AJAX…)
    • Other access control mechanisms (OAuth, WS-Trust…)
    • Transformations from identity data to proxy mechanisms
OAuth (2, of course…)
• Internet-Draft (I-D) at version 16
• Rather stable: both the kernel and the side standards
  • Including SAML and JWT
• OpenID integrated flow: OpenID Connect
• UMA considering the user and consent sides
• Use cases on their way
  • The RedIRIS service panel
  • GN3 VOOT (three-legged OAuth 1 for the moment)
  • And clouds
• A few references if you are (still) curious
  http://www.independentid.com/2011/02/does-oauth-have-legs.html
  http://www.rediris.es/oauth2/
  https://spaces.internet2.edu/display/socialid/
JSON Space
• Proposals are blooming on RESTful services using JSON as the coding mechanism
  • Out of the common standards processes
  • Though many proposals are Internet-Drafts (I-Ds)
  • Supported by many of the big dogs: Google, Microsoft, Yahoo, Facebook
• The good news
  • Essentially compatible with our current federation stuff
• The not-so-good news
  • Too many fronts to be influential enough?
• http://self-issued.info/papers/The_Emerging_JSON-Based_Identity_Protocols.pdf
The Omnipresent Cloud
• SCIM, previously known as Cloud Directory
• Intended for identity data exchange among actors in the cloud
  • Cloud Service Provider
  • Enterprise Cloud Subscriber
  • Cloud Service User
• General “neutral” schema
  • Bindings to JSON, SAML and “bare” XML
  • RESTful API
• Security and trust models still in their initial stages
• Experiments on access control
  • OpenNebula usage of Grid certificates
• Other initiatives not very active
  • OASIS IDCloud
GEMBus STS
• Demonstrator available
  http://gembus.rediris.es:8181/STSDemonstrator
• Adaptors for Apache ServiceMix
  • Spring coming soon
• Current token format based on GN2 relayed-trust SAML
  • Plans for a more neutral JWT-based token
• Coordination with EUGridPMA policies
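The JWT-based token the STS slide plans for, shown as an added example that is not code from this talk or from the GEMBus project: an STS mints a compact HS256 JWT and a relying party verifies it with the Python standard library only, pinning the algorithm and checking the signature before it trusts issuer, audience or expiry. The issuer and audience URNs and the shared key are constructed placeholders.

```python
import base64, hashlib, hmac, json, time

# Constructed demo values (assumptions, not identifiers from the GEMBus project).
STS_ISSUER = "urn:example:gembus-sts"
SERVICE_AUDIENCE = "urn:example:servicemix-endpoint"
SHARED_KEY = b"constructed-demo-secret-do-not-reuse"

def b64url_encode(data: bytes) -> str:
    return base64.urlsafe_b64encode(data).rstrip(b"=").decode("ascii")

def b64url_decode(text: str) -> bytes:
    return base64.urlsafe_b64decode(text + "=" * (-len(text) % 4))

def issue_token(claims: dict, key: bytes = SHARED_KEY) -> str:
    """STS side: serialise claims as a compact JWT signed with HMAC-SHA256 (HS256)."""
    header = b64url_encode(json.dumps({"alg": "HS256", "typ": "JWT"}, separators=(",", ":")).encode())
    payload = b64url_encode(json.dumps(claims, separators=(",", ":")).encode())
    sig = hmac.new(key, f"{header}.{payload}".encode("ascii"), hashlib.sha256).digest()
    return f"{header}.{payload}.{b64url_encode(sig)}"

def verify_token(token: str, key: bytes = SHARED_KEY, issuer: str = STS_ISSUER,
                 audience: str = SERVICE_AUDIENCE, now=None) -> dict:
    """Relying-party side: return the claims only if every check passes, else raise ValueError.
    Pin the algorithm and check the signature before trusting any claim in the payload."""
    now = time.time() if now is None else now
    parts = token.split(".")
    if len(parts) != 3:
        raise ValueError("malformed token")
    header_b64, payload_b64, sig_b64 = parts
    if json.loads(b64url_decode(header_b64)).get("alg") != "HS256":
        raise ValueError("unexpected alg")      # allow-list, so alg=none and key-confusion tokens fail
    expected = hmac.new(key, f"{header_b64}.{payload_b64}".encode("ascii"), hashlib.sha256).digest()
    if not hmac.compare_digest(expected, b64url_decode(sig_b64)):
        raise ValueError("bad signature")
    claims = json.loads(b64url_decode(payload_b64))
    if claims.get("iss") != issuer:
        raise ValueError("wrong issuer")
    if claims.get("aud") != audience:
        raise ValueError("wrong audience")
    if not isinstance(claims.get("exp"), (int, float)) or now >= claims["exp"]:
        raise ValueError("missing or past exp")
    return claims

def token_status(token: str, **kwargs) -> str:
    # "ok" or the rejection reason, convenient for audit logging and tests.
    try:
        verify_token(token, **kwargs)
        return "ok"
    except ValueError as exc:
        return str(exc)
```

The `now` parameter exists only so callers and tests can fix the clock; in production leave it unset so `exp` is compared against real time.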