Transcript TNC

Towards Interconnecting the Nordic Identity Federations
TNC2007
Walter M Tveter, UiO
Mikael Linden, CSC/HAKA
Ingrid Melve, Uninett/Feide
Interconnecting federations

- The Kalmar Union policy
- Cross-federation model
- Technical solution
- Crossing circles of trust
- Participants
- Consent and attributes
- Future works
Kalmar union

- First Kalmar union (1397-1524) united the Nordic countries under a single monarch, giving up sovereignty but not independence
Interconnecting Nordic AAI federations

- Model for exchanging traffic
  – My users have access to your services?
  – Your users have access to my services?
- What is the simplest solution for interconnecting access control?
Policy issues for federations

Policy
- Minimal information disclosure, informed consent
- Voluntary participation in cross-federation
- No liability (this must be written in contract)
- Conflict resolution by elected board
- Minimal intellectual property rights, as there are minimal central components
- Services across borders, jurisdiction
- Best effort, no guarantees needed
- Money flow outside our scope (goes direct IdP-SP)
Kalmar cross-federation model

- Bi-lateral agreements
- Cross-federation charter
- Overlapping federations, may choose to leave out parts from the overlap
- Previous work
  – Aligned federation policies
  – Worked together in GNOMIS
  – norEdu* schemas developed in GNOMIS
Participants

- Federations
  – HAKA in Finland
  – Feide in Norway
- Federations to join
  – SWAMI in Sweden
  – DK-AAI in Denmark
- End users
- Identity providers (home organizations)
- Service Providers
Technical Kalmar solution

- SAML 2 metadata for federation overlap

(Diagram: HAKA Identity Provider, Feide Identity Provider, HAKA Service Provider, Feide Service Provider)
Technical work

- Trial interconnect in September 2006
  – Shibboleth 1.3 in HAKA
  – Sun Access Manager (SAML 2.0) in Feide
- eduGAIN bridging element evaluated
  – Backwards compatible with Shibboleth 1.3
  – Not yet available, but preliminary tests running
- Easier to do SAML 2.0-based connections
Crossing Circles of Trust

- User wants to access a service in another Identity Federation
  – Must find the right login service (WAYF or explicit links)
- What is really transferred
  – Identity Provider sends login and attributes
  – Service Provider must trust a third-party login from outside its federation
- Opt-in at all levels: user, IdP and federation
- May have opt-out at the federation level, if needed
Consent and attributes

- Informed consent
  – Safeguards at 3 levels: user, IdP/home, federation
- Voluntary participation in cross-federation
  – Opt-in for end user
  – Opt-in for identity providers (home organizations)
  – Opt-in for each federation
- Attribute transfer
  – Semantic interoperability based on eduPerson (with extensions)
  – Information about semantics
  – We do not enforce the same semantics
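As an added illustration of the overlap metadata and the three-level opt-in described on the Crossing Circles of Trust and Consent and attributes slides (this is not code from the Kalmar project or either federation; the entityIDs and attribute sets are constructed sample data), a Python sketch that builds the overlap aggregate from two federations' SAML 2 metadata and applies minimal disclosure to attribute release:

```python
import xml.etree.ElementTree as ET

MD = "urn:oasis:names:tc:SAML:2.0:metadata"
ET.register_namespace("md", MD)

def entity_md(entity_id, role):
    # Minimal EntityDescriptor used to construct the sample aggregates below.
    return (f'<md:EntityDescriptor entityID="{entity_id}"><md:{role} '
            'protocolSupportEnumeration="urn:oasis:names:tc:SAML:2.0:protocol"/>'
            '</md:EntityDescriptor>')

# Constructed sample aggregates, one per federation; the entityIDs are
# placeholders, not the real HAKA or Feide metadata.
AGGREGATES = {
    "haka": f'<md:EntitiesDescriptor xmlns:md="{MD}" Name="haka">'
            + entity_md("https://idp.haka.example/idp", "IDPSSODescriptor")
            + entity_md("https://sp.haka.example/sp", "SPSSODescriptor")
            + "</md:EntitiesDescriptor>",
    "feide": f'<md:EntitiesDescriptor xmlns:md="{MD}" Name="feide">'
             + entity_md("https://idp.feide.example/idp", "IDPSSODescriptor")
             + entity_md("https://sp.feide.example/sp", "SPSSODescriptor")
             + "</md:EntitiesDescriptor>",
}

def build_overlap(aggregates, federation_opt_in, entity_opt_in):
    """Build the cross-federation overlap aggregate: only federations that opted
    in contribute, and only those of their entities (IdPs or SPs) that opted in.
    Returns (list of crossing entityIDs, overlap metadata as an XML string)."""
    root = ET.Element(f"{{{MD}}}EntitiesDescriptor", Name="kalmar-overlap")
    crossing = []
    for fed, xml in aggregates.items():
        if fed not in federation_opt_in:
            continue  # federation-level opt-out: none of its entities cross
        for ent in ET.fromstring(xml).findall(f"{{{MD}}}EntityDescriptor"):
            eid = ent.get("entityID")
            if eid in entity_opt_in:  # IdP/SP-level (home organization) opt-in
                crossing.append(eid)
                root.append(ent)
    return crossing, ET.tostring(root, encoding="unicode")

def release_attributes(idp_attrs, sp_requested, user_consent):
    """Minimal disclosure: the IdP releases only attributes it holds, that the
    SP asked for, and that the user consented to (user-level opt-in)."""
    return sorted(set(idp_attrs) & set(sp_requested) & set(user_consent))

if __name__ == "__main__":
    ids, xml = build_overlap(AGGREGATES, {"haka", "feide"},
                             {"https://idp.haka.example/idp", "https://sp.feide.example/sp"})
    print(ids)  # a HAKA IdP and a Feide SP cross; the other two entities stay home
    print(release_attributes({"eduPersonPrincipalName", "mail", "norEduPersonNIN"},
                             {"eduPersonPrincipalName", "mail", "cn"},
                             {"eduPersonPrincipalName"}))
```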
Future work

- Single Sign On and informed consent
  – How to inform users
- Operational service
  – Depends on introduction of SAML 2.0
- Revisit policy after we have real-life experience of what problems turn up in production