Alternative Forms of Expressing Identity


On the Many Ways to Identity Exchange (Again)

Digital identities are more valuable as they are more widely assertable

Diego R. Lopez, RedIRIS
18th TF-EMC2. WebEx, June 2011

STORK

• Pilot for academic institutions successfully finished
  https://www.eid-stork.eu/pilots/pilot3.htm
• STORK IdPs integrated as special SIR IdPs
  “If you are in SIR, you can deal with STORK identities”
• Looking forward to strengthening integration
  Sub-task in the current eduGAIN workplan
    • Module for SimpleSAMLphp
    • Metadata management
    • Policy issues
• Additional use cases proposed for STORK extension
    • Credential management
    • LoA handling

Proxying

• Two proposals submitted for REFEDS funding
  Federated management of central proxy instances
  Central proxy configuration services
• Do we need an open-source proxy?
  EZProxy is well-known, widely deployed, provided in reasonably fair terms
  Would it scale up to
    • National proxy services
    • More specific usages (Web Services, AJAX…)
    • Other access control mechanisms (OAuth, WS-Trust…)
    • Transformations from identity data to proxy mechanisms

OAuth (2, of course…)

• The Internet-Draft (I-D) is at draft 16
  Rather stable: both the kernel and the side standards
    • Including SAML and JWT
• OpenID integrated flow: OpenID Connect
• UMA considering the user and consent sides
• Use cases on their way
  The RedIRIS service panel
  GN3 VOOT (three-legged OAuth 1 for the moment)
  And clouds
• A few references if you are (still) curious
  http://www.independentid.com/2011/02/does-oauth-have-legs.html
  http://www.rediris.es/oauth2/
  https://spaces.internet2.edu/display/socialid/

JSON Space

• Proposals are blooming on RESTful services using JSON as the coding mechanism
• Out of the common standards processes
  Though many proposals are Internet-Drafts
• Supported by many of the big dogs
  Google, Microsoft, Yahoo, Facebook
• The good news
  Essentially compatible with our current federation stuff
• The not-so-good news
  Too many fronts to be influential enough?

http://self-issued.info/papers/The_Emerging_JSON-Based_Identity_Protocols.pdf

The Omnipresent Cloud

• SCIM, previously known as Cloud Directory
  Intended for identity data exchange among actors in the cloud
    • Cloud Service Provider
    • Enterprise Cloud Subscriber
    • Cloud Service User
  General “neutral” schema
    • Bindings to JSON, SAML and “bare” XML
    • RESTful API
  Security and trust models still in their initial stages
• Experiments on access control
  OpenNebula usage of Grid certificates
• Other initiatives not very active
  OASIS IDCloud

GEMBus STS

• Demonstrator available
  http://gembus.rediris.es:8181/STSDemonstrator
• Adaptors for Apache ServiceMix
    • Spring coming soon
• Current token format based on GN2 relayed-trust SAML
    • Plans for a more neutral JWT-based token
• Coordination with EUGridPMA policies