SlideShare une entreprise Scribd logo

Eunis federation2

Télécharger en tant que PPT, PDF
HEAnet
HEAnet
1  sur  35
Federated Access 2.0 Glenn Wearen Middleware Specialist HEAnet 13 November 2012
Federated Access 2.0 Agenda 1. Federated Access 1.0 Past to current status 1. Federated Access 2.0 LoA, Inter-federation , confederation, vendor adoption, cloud adoption, groups, discovery UI, Non-Web-SSO, multiple protocols. 3. Edugate 1.0 or 2.0?
Federated Access 1.0 History of Federated Access (academic sector) 2001: Shibboleth, SAML 1.x, OASIS ID-FF V1.2 standards 2003: 1. SAML 2.0 protocol combines elements of all of the above. 2. Feide.no federation launched (not SAML, but similar) 2004: Switzerland launches AAI (Shibboleth 1.3) 2005: UK Federation and InCommon launched (Shibboleth 1.3), 2006: JISC announces migration from Athens to UK Federation 2007: SURFFederatie.nl launched, Google Apps supports SAML 2008: 1. Shibboleth 2.0 implements SAML 2.0 as default protocol 2. SimpleSAMLphp 1.0 released. 3. WAYF.dk launched.
Federated Access 1.0 • History of Federated Access (academic sector) 2009: Edugate pilot commences. 2010: Edugate production federation launched
Federated Access 1.0 • Academic Federations – US: 4 Million ID’s covered – SWISS: 95% of ID’s – UK: 850 Members
Federated Access 1.0 • Academic Federations
Federated Access 2.0 1. Confederation 2. Inter-federation 3. Use outside web-browser 4. Wide application support, incl. Cloud 5. Levels of Assurance (LoA) 6. Cross institutional group management 7. SAML Metadata extensions. 8. Reporting 9. Attribute Aggregation 10. Protocol pluralism
Federated Access 2.0 Production confederation commenced April 2011 Standard Attribute Schema – displayName, cn, mail – eduPersonAffiliation and eduPersonScopedAffiliation – schacHomeOrganization and schacHomeOrganizationType Standard SAML Protocol (SAML2 Interoperable Profile) – Persistent NameID format mandatory, support for Transient format optional – Either format should be accepted by relying services. – AuthRequests >HTTP-Redirect binding, AuthResponses using HTTP-POST – SAML 2 Metadata standard and Discovery recommendations. Standard Policy – Data Protection profile for personal and non-personal data – Federation joins eduGAIN, federation members opt-in.
Federated Access 2.0 Union Standards Attribute Schema Standard SAML Protocol (SAML2 Int.) Opt-in model – 20+ IdP’s – 30+ SP’s
Federated Access 2.0 2. Inter-federation – Technically similar to confederation – Bilateral agreement between two federations.  Members Opt-in (or opt-out)  UK-Ireland under investigation
Federated Access 2.0 3. Wide application support – Google Apps, Salesforce.com since 2009 – Microsoft Live@edu via WIF since 2010 – More recently...  WebEx, Workday & Zendesk – SAML recommended – Account provisioning still proprietary  SCIM proposed by Ping ID and others to standarise account provisioning using choice of REST & SAML
Federated Access 2.0 3. Wide application support – MS ADFS can be configured with SAML IdP’s  Opens up SAML access to Sharepoint and Dynamics CRM – Microsoft WIF SAML 2 support in Beta  No need for ADFS gateway to federated Sharepoint – Blackboard join InCommon
Federated Access 2.0 4. Use outside browser – Networks  NAC, SSL VPN, Web-redirect based wifi – Desktop clients  OpenSSH, Jabber – 1.0  browser plugin ( Mindterm SSH applet) – 2.0  GSS-API or GSS-SASL  SAML Attributes conveyed within protocol messages.
Federated Access 2.0 5. Levels of Assurance – InCommon Bronze and Silver  Align with ICAM* Bronze/Silver. – WAYF.dk approximates to NIST levels 1-4
Federated Access 2.0 6. Cross institutional group management – How can an identity provider assert that a user is a member of a cross institutional group that the identity provider doesn’t control? – How can a service provider create a group from identities that reside at different institutions? What about cross-federation groups?
Federated Access 2.0 Supporting Services •SURFfederatie •SURFteams •OpenSocial Campus Services External Services
Federated Access 2.0 7. User experience improvements – Metadata  Logo, Organisation name  Required and desired attributes, Privacy URL – Standard defined for login  ‘Login’ on top-right  Discovery embedded on providers page.  List institution logo, and provide incremental search  Institution login page displays logo of requester
Federated Access 2.0 8. Reporting – Identity Providers  Can I switch off my IdP?  Can I cross-charge for use of the IdP?  What services do my users use the most?  How many authentication success/failures per day? – Service Providers  From where do my users come?  Do users prefer federated login or local login?  How many authentication success/failures per day?
Federated Access 2.0 9. Attribute aggregation – The institutional account is but one part of the a users digital identity.  Shouldn’t a user be able to self-assert attributes from non-institutional account? – Glenn.wearen – Glennamddy – glennwearen@gmail.com – http://ie.linkedin.com/in/glennwearen
Federated Access 2.0 10. Pluralism of protocols – SAML2, the federated access protocol for edu. – What about supporting protocols other than SAML2?  OpenID, OAuth2  A-Select, PAPI, eID
Federated Access 2.0  Confederation  Inter-federation  Use outside web-browser  Wide application support, incl. Cloud  Levels of Assurance (LoA)  Cross institutional group management  SAML2 and SAML2 Metadata extensions.  Reporting  Attribute Aggregation  Protocol pluralism
Edugate Local implementation of Federated Access
Edugate Edugate 1. Funding 2. Find early adopters 3. Switch to production
Edugate 1. Funding  Long lasting research infrastructure  ...needs a long lasting identity access system – Establishment of identity service at each institution must have local campus benefits to ensure longevity
Edugate 2. Find early adopters – Extol the benefits of Federated Access  Diverse range of identity providers  Campus IDM first concern, intra-campus secondary. Initial effort to deploy IdP services HEAnet’s part. – Find applications  HEAnet’s own web applications (TCS, Media)  Web applications open to large range of institutions  Web applications that participate in other federations  Services suffering from high user attrition – ‘Register here’ / ‘forgot password’, infrequent use
Edugate • Extol Benefits for identity providers – Add value to existing user account  Multiple accounts => low value placed in account – Potential to use identity for;  Cloud services, Shared services  Alliances  Campus Single-Sign-On – Potential for strong password policy or two- factor authentication, less handling of passwords
Edugate • Extol Benefits for service providers  Standard platform for your service to access market  Potential to re-use your implementation worldwide.  Improved service offering for users  Digital ID card Vs. Physical ID card  Distinguish staff from student and 6 others  Personalisation capability (personal or non-personal)  Use as one-time provisioning or validation system  Use as just-in-time access system.
Edugate 3. Switch to production 1. Establish Governance Committee 2. Define Member agreement, attribute schema 3. Establish production infrastructure 4. Sign-up members 5. Launch service 6. Migrate pilot participants (October 2011) 7. Deploy new IdP’s, support new Service Providers 8. Gain critical mass (+50% of identities).
Edugate Service Provider production joining steps – Must provide service of benefit to staff/students – ...or be contracted provide service to identity member – Complete Edugate membership contract  Identities must be used for AuthZ/AuthN – Pay the membership fee of €1 – Add support for Shibboleth2/SAML2 – Decide and declare attribute requirements
Edugate Identity providers production joining steps – Must be part of HEAnet (except schools) – Complete membership agreement  Account cannot be a generic shared account, disabled or compromised account  Student must be treated as student for all campus services. – Deploy SAML2 Identity Provider service – Decide what user attributes to release – Offer service to departments
Edugate Current status – Service Providers  20+ providers, 1 using Edugate for student discount – Identity providers  80% of HEI’s, 100% target for September 2011 http://www.edugate.ie/content/edugate-federation-members
Edugate Edugate 1. Funding 2. Find early adopters 3. Switch to production 4. Add 2.0 features where there is demand
Edugate  Confederation  Inter-federation  Use outside web-browser  Wide application support, incl. Cloud  Levels of Assurance (LoA)  Cross institutional group management  SAML Metadata extensions.  Reporting.  Attribute Aggregation  Protocol pluralism
Edugate • Conclusion 1. Federated Access is maturing  2.0 is not far from here 1. Edugate  1.0 Federation but using SAML2.
Eunis federation2

Recommandé

Benefits of an Open environment with Wakanda
Benefits of an Open environment with WakandaBenefits of an Open environment with Wakanda
Benefits of an Open environment with WakandaAlexandre Morgaut
 
Firebird meets NoSQL
Firebird meets NoSQLFirebird meets NoSQL
Firebird meets NoSQLMind The Firebird
 
Introduction to Portlets Using Liferay Portal
Introduction to Portlets Using Liferay PortalIntroduction to Portlets Using Liferay Portal
Introduction to Portlets Using Liferay Portalrivetlogic
 
Using Liferay Portal with LDAP and Single sign-on
Using Liferay Portal with LDAP and Single sign-onUsing Liferay Portal with LDAP and Single sign-on
Using Liferay Portal with LDAP and Single sign-onFirelay
 
JavaCro'14 - WebLogic-GlassFish-JaaS Strategy and Roadmap – Duško Vukmanović
JavaCro'14 - WebLogic-GlassFish-JaaS Strategy and Roadmap – Duško VukmanovićJavaCro'14 - WebLogic-GlassFish-JaaS Strategy and Roadmap – Duško Vukmanović
JavaCro'14 - WebLogic-GlassFish-JaaS Strategy and Roadmap – Duško VukmanovićHUJAK - Hrvatska udruga Java korisnika / Croatian Java User Association
 
Docker meetup-nyc-v1
Docker meetup-nyc-v1Docker meetup-nyc-v1
Docker meetup-nyc-v1Srdjan Strbanovic
 
Mavenizing your Liferay project
Mavenizing your Liferay projectMavenizing your Liferay project
Mavenizing your Liferay projectmimacom
 
Liferay architecture By Navin Agarwal
Liferay architecture By Navin AgarwalLiferay architecture By Navin Agarwal
Liferay architecture By Navin AgarwalNavin Agarwal
 

Recommandé

Benefits of an Open environment with Wakanda
Benefits of an Open environment with WakandaBenefits of an Open environment with Wakanda
Benefits of an Open environment with WakandaAlexandre Morgaut
 
Firebird meets NoSQL
Firebird meets NoSQLFirebird meets NoSQL
Firebird meets NoSQLMind The Firebird
 
Introduction to Portlets Using Liferay Portal
Introduction to Portlets Using Liferay PortalIntroduction to Portlets Using Liferay Portal
Introduction to Portlets Using Liferay Portalrivetlogic
 
Using Liferay Portal with LDAP and Single sign-on
Using Liferay Portal with LDAP and Single sign-onUsing Liferay Portal with LDAP and Single sign-on
Using Liferay Portal with LDAP and Single sign-onFirelay
 
JavaCro'14 - WebLogic-GlassFish-JaaS Strategy and Roadmap – Duško Vukmanović
JavaCro'14 - WebLogic-GlassFish-JaaS Strategy and Roadmap – Duško VukmanovićJavaCro'14 - WebLogic-GlassFish-JaaS Strategy and Roadmap – Duško Vukmanović
JavaCro'14 - WebLogic-GlassFish-JaaS Strategy and Roadmap – Duško VukmanovićHUJAK - Hrvatska udruga Java korisnika / Croatian Java User Association
 
Docker meetup-nyc-v1
Docker meetup-nyc-v1Docker meetup-nyc-v1
Docker meetup-nyc-v1Srdjan Strbanovic
 
Mavenizing your Liferay project
Mavenizing your Liferay projectMavenizing your Liferay project
Mavenizing your Liferay projectmimacom
 
Liferay architecture By Navin Agarwal
Liferay architecture By Navin AgarwalLiferay architecture By Navin Agarwal
Liferay architecture By Navin AgarwalNavin Agarwal
 
Liferay Developer Best Practices for a Successful Deployment
Liferay Developer Best Practices for a Successful DeploymentLiferay Developer Best Practices for a Successful Deployment
Liferay Developer Best Practices for a Successful Deploymentrivetlogic
 
Building Killer RESTful APIs with NodeJs
Building Killer RESTful APIs with NodeJsBuilding Killer RESTful APIs with NodeJs
Building Killer RESTful APIs with NodeJsSrdjan Strbanovic
 
Javantura Zagreb 2014 - Vaadin - Peter Lehto
Javantura Zagreb 2014 - Vaadin - Peter LehtoJavantura Zagreb 2014 - Vaadin - Peter Lehto
Javantura Zagreb 2014 - Vaadin - Peter LehtoHUJAK - Hrvatska udruga Java korisnika / Croatian Java User Association
 
Support Tools für die Admin-Konsole - Nebil Kisa, Advanced Support Engineer
Support Tools für die Admin-Konsole - Nebil Kisa, Advanced Support EngineerSupport Tools für die Admin-Konsole - Nebil Kisa, Advanced Support Engineer
Support Tools für die Admin-Konsole - Nebil Kisa, Advanced Support EngineerNicole Szigeti
 
Alfresco Coding mit dem Alfresco SDK (auf Englisch) - Julien Bruinaud, Techni...
Alfresco Coding mit dem Alfresco SDK (auf Englisch) - Julien Bruinaud, Techni...Alfresco Coding mit dem Alfresco SDK (auf Englisch) - Julien Bruinaud, Techni...
Alfresco Coding mit dem Alfresco SDK (auf Englisch) - Julien Bruinaud, Techni...Nicole Szigeti
 
Java EE microservices architecture - evolving the monolith
Java EE microservices architecture - evolving the monolithJava EE microservices architecture - evolving the monolith
Java EE microservices architecture - evolving the monolithMarkus Eisele
 
MySQL for Oracle DBAs
MySQL for Oracle DBAsMySQL for Oracle DBAs
MySQL for Oracle DBAsBen Krug
 
Moving to Web 2.0 - Best Practices for Business and Application Migration
Moving to Web 2.0 - Best Practices for Business and Application MigrationMoving to Web 2.0 - Best Practices for Business and Application Migration
Moving to Web 2.0 - Best Practices for Business and Application Migrationanilmadugula
 
Scalability Availabilty and Management of WSO2 Carbon
Scalability Availabilty and Management of WSO2 CarbonScalability Availabilty and Management of WSO2 Carbon
Scalability Availabilty and Management of WSO2 CarbonWSO2
 
The Top 10 Things Oracle UCM Users Need To Know About WebLogic
The Top 10 Things Oracle UCM Users Need To Know About WebLogicThe Top 10 Things Oracle UCM Users Need To Know About WebLogic
The Top 10 Things Oracle UCM Users Need To Know About WebLogicBrian Huff
 
MicroserviceArchitecture in detail over Monolith.
MicroserviceArchitecture in detail over Monolith.MicroserviceArchitecture in detail over Monolith.
MicroserviceArchitecture in detail over Monolith.PLovababu
 
WSO2Con USA 2015: Building Web Apps with Reusable UI Components and Composition
WSO2Con USA 2015: Building Web Apps with Reusable UI Components and CompositionWSO2Con USA 2015: Building Web Apps with Reusable UI Components and Composition
WSO2Con USA 2015: Building Web Apps with Reusable UI Components and CompositionWSO2
 
Web Apps atop a Content Repository
Web Apps atop a Content RepositoryWeb Apps atop a Content Repository
Web Apps atop a Content RepositoryGabriel Walt
 
Integrating IBM Web Sphere Portal With Web Analytic Hosted And Non Hosted Sit...
Integrating IBM Web Sphere Portal With Web Analytic Hosted And Non Hosted Sit...Integrating IBM Web Sphere Portal With Web Analytic Hosted And Non Hosted Sit...
Integrating IBM Web Sphere Portal With Web Analytic Hosted And Non Hosted Sit...Chris Sparshott
 
GateIn - Presented at Atlanta JUG on 1/19/2010
GateIn - Presented at Atlanta JUG on 1/19/2010GateIn - Presented at Atlanta JUG on 1/19/2010
GateIn - Presented at Atlanta JUG on 1/19/2010Wesley Hales
 
Planning your Migration for SharePoint 2010
Planning your Migration for SharePoint 2010Planning your Migration for SharePoint 2010
Planning your Migration for SharePoint 2010cScape
 
Migrating From Applets to Java Desktop Apps in JavaFX
Migrating From Applets to Java Desktop Apps in JavaFXMigrating From Applets to Java Desktop Apps in JavaFX
Migrating From Applets to Java Desktop Apps in JavaFXBruno Borges
 
Spring intro classes-in-mumbai
Spring intro classes-in-mumbaiSpring intro classes-in-mumbai
Spring intro classes-in-mumbaivibrantuser
 
WebSphere Portal Technical Overview
WebSphere Portal Technical OverviewWebSphere Portal Technical Overview
WebSphere Portal Technical OverviewVincent Perrin
 
Liferay Configuration and Customization
Liferay Configuration and CustomizationLiferay Configuration and Customization
Liferay Configuration and CustomizationThành Nguyễn
 
Configuring and managing a red
Configuring and managing a redConfiguring and managing a red
Configuring and managing a redzied01
 
Reactive fsharp
Reactive fsharpReactive fsharp
Reactive fsharpSkills Matter
 

Contenu connexe

Tendances

Liferay Developer Best Practices for a Successful Deployment
Liferay Developer Best Practices for a Successful DeploymentLiferay Developer Best Practices for a Successful Deployment
Liferay Developer Best Practices for a Successful Deploymentrivetlogic
 
Building Killer RESTful APIs with NodeJs
Building Killer RESTful APIs with NodeJsBuilding Killer RESTful APIs with NodeJs
Building Killer RESTful APIs with NodeJsSrdjan Strbanovic
 
Support Tools für die Admin-Konsole - Nebil Kisa, Advanced Support Engineer
Support Tools für die Admin-Konsole - Nebil Kisa, Advanced Support EngineerSupport Tools für die Admin-Konsole - Nebil Kisa, Advanced Support Engineer
Support Tools für die Admin-Konsole - Nebil Kisa, Advanced Support EngineerNicole Szigeti
 
Alfresco Coding mit dem Alfresco SDK (auf Englisch) - Julien Bruinaud, Techni...
Alfresco Coding mit dem Alfresco SDK (auf Englisch) - Julien Bruinaud, Techni...Alfresco Coding mit dem Alfresco SDK (auf Englisch) - Julien Bruinaud, Techni...
Alfresco Coding mit dem Alfresco SDK (auf Englisch) - Julien Bruinaud, Techni...Nicole Szigeti
 
Java EE microservices architecture - evolving the monolith
Java EE microservices architecture - evolving the monolithJava EE microservices architecture - evolving the monolith
Java EE microservices architecture - evolving the monolithMarkus Eisele
 
MySQL for Oracle DBAs
MySQL for Oracle DBAsMySQL for Oracle DBAs
MySQL for Oracle DBAsBen Krug
 
Moving to Web 2.0 - Best Practices for Business and Application Migration
Moving to Web 2.0 - Best Practices for Business and Application MigrationMoving to Web 2.0 - Best Practices for Business and Application Migration
Moving to Web 2.0 - Best Practices for Business and Application Migrationanilmadugula
 
Scalability Availabilty and Management of WSO2 Carbon
Scalability Availabilty and Management of WSO2 CarbonScalability Availabilty and Management of WSO2 Carbon
Scalability Availabilty and Management of WSO2 CarbonWSO2
 
The Top 10 Things Oracle UCM Users Need To Know About WebLogic
The Top 10 Things Oracle UCM Users Need To Know About WebLogicThe Top 10 Things Oracle UCM Users Need To Know About WebLogic
The Top 10 Things Oracle UCM Users Need To Know About WebLogicBrian Huff
 
MicroserviceArchitecture in detail over Monolith.
MicroserviceArchitecture in detail over Monolith.MicroserviceArchitecture in detail over Monolith.
MicroserviceArchitecture in detail over Monolith.PLovababu
 
WSO2Con USA 2015: Building Web Apps with Reusable UI Components and Composition
WSO2Con USA 2015: Building Web Apps with Reusable UI Components and CompositionWSO2Con USA 2015: Building Web Apps with Reusable UI Components and Composition
WSO2Con USA 2015: Building Web Apps with Reusable UI Components and CompositionWSO2
 
Web Apps atop a Content Repository
Web Apps atop a Content RepositoryWeb Apps atop a Content Repository
Web Apps atop a Content RepositoryGabriel Walt
 
Integrating IBM Web Sphere Portal With Web Analytic Hosted And Non Hosted Sit...
Integrating IBM Web Sphere Portal With Web Analytic Hosted And Non Hosted Sit...Integrating IBM Web Sphere Portal With Web Analytic Hosted And Non Hosted Sit...
Integrating IBM Web Sphere Portal With Web Analytic Hosted And Non Hosted Sit...Chris Sparshott
 
GateIn - Presented at Atlanta JUG on 1/19/2010
GateIn - Presented at Atlanta JUG on 1/19/2010GateIn - Presented at Atlanta JUG on 1/19/2010
GateIn - Presented at Atlanta JUG on 1/19/2010Wesley Hales
 
Planning your Migration for SharePoint 2010
Planning your Migration for SharePoint 2010Planning your Migration for SharePoint 2010
Planning your Migration for SharePoint 2010cScape
 
Migrating From Applets to Java Desktop Apps in JavaFX
Migrating From Applets to Java Desktop Apps in JavaFXMigrating From Applets to Java Desktop Apps in JavaFX
Migrating From Applets to Java Desktop Apps in JavaFXBruno Borges
 
Spring intro classes-in-mumbai
Spring intro classes-in-mumbaiSpring intro classes-in-mumbai
Spring intro classes-in-mumbaivibrantuser
 
WebSphere Portal Technical Overview
WebSphere Portal Technical OverviewWebSphere Portal Technical Overview
WebSphere Portal Technical OverviewVincent Perrin
 
Liferay Configuration and Customization
Liferay Configuration and CustomizationLiferay Configuration and Customization
Liferay Configuration and CustomizationThành Nguyễn
 

Tendances (20)

Liferay Developer Best Practices for a Successful Deployment
Liferay Developer Best Practices for a Successful DeploymentLiferay Developer Best Practices for a Successful Deployment
Liferay Developer Best Practices for a Successful Deployment
 
Building Killer RESTful APIs with NodeJs
Building Killer RESTful APIs with NodeJsBuilding Killer RESTful APIs with NodeJs
Building Killer RESTful APIs with NodeJs
 
Javantura Zagreb 2014 - Vaadin - Peter Lehto
Javantura Zagreb 2014 - Vaadin - Peter LehtoJavantura Zagreb 2014 - Vaadin - Peter Lehto
Javantura Zagreb 2014 - Vaadin - Peter Lehto
 
Support Tools für die Admin-Konsole - Nebil Kisa, Advanced Support Engineer
Support Tools für die Admin-Konsole - Nebil Kisa, Advanced Support EngineerSupport Tools für die Admin-Konsole - Nebil Kisa, Advanced Support Engineer
Support Tools für die Admin-Konsole - Nebil Kisa, Advanced Support Engineer
 
Alfresco Coding mit dem Alfresco SDK (auf Englisch) - Julien Bruinaud, Techni...
Alfresco Coding mit dem Alfresco SDK (auf Englisch) - Julien Bruinaud, Techni...Alfresco Coding mit dem Alfresco SDK (auf Englisch) - Julien Bruinaud, Techni...
Alfresco Coding mit dem Alfresco SDK (auf Englisch) - Julien Bruinaud, Techni...
 
Java EE microservices architecture - evolving the monolith
Java EE microservices architecture - evolving the monolithJava EE microservices architecture - evolving the monolith
Java EE microservices architecture - evolving the monolith
 
MySQL for Oracle DBAs
MySQL for Oracle DBAsMySQL for Oracle DBAs
MySQL for Oracle DBAs
 
Moving to Web 2.0 - Best Practices for Business and Application Migration
Moving to Web 2.0 - Best Practices for Business and Application MigrationMoving to Web 2.0 - Best Practices for Business and Application Migration
Moving to Web 2.0 - Best Practices for Business and Application Migration
 
Scalability Availabilty and Management of WSO2 Carbon
Scalability Availabilty and Management of WSO2 CarbonScalability Availabilty and Management of WSO2 Carbon
Scalability Availabilty and Management of WSO2 Carbon
 
The Top 10 Things Oracle UCM Users Need To Know About WebLogic
The Top 10 Things Oracle UCM Users Need To Know About WebLogicThe Top 10 Things Oracle UCM Users Need To Know About WebLogic
The Top 10 Things Oracle UCM Users Need To Know About WebLogic
 
MicroserviceArchitecture in detail over Monolith.
MicroserviceArchitecture in detail over Monolith.MicroserviceArchitecture in detail over Monolith.
MicroserviceArchitecture in detail over Monolith.
 
WSO2Con USA 2015: Building Web Apps with Reusable UI Components and Composition
WSO2Con USA 2015: Building Web Apps with Reusable UI Components and CompositionWSO2Con USA 2015: Building Web Apps with Reusable UI Components and Composition
WSO2Con USA 2015: Building Web Apps with Reusable UI Components and Composition
 
Web Apps atop a Content Repository
Web Apps atop a Content RepositoryWeb Apps atop a Content Repository
Web Apps atop a Content Repository
 
Integrating IBM Web Sphere Portal With Web Analytic Hosted And Non Hosted Sit...
Integrating IBM Web Sphere Portal With Web Analytic Hosted And Non Hosted Sit...Integrating IBM Web Sphere Portal With Web Analytic Hosted And Non Hosted Sit...
Integrating IBM Web Sphere Portal With Web Analytic Hosted And Non Hosted Sit...
 
GateIn - Presented at Atlanta JUG on 1/19/2010
GateIn - Presented at Atlanta JUG on 1/19/2010GateIn - Presented at Atlanta JUG on 1/19/2010
GateIn - Presented at Atlanta JUG on 1/19/2010
 
Planning your Migration for SharePoint 2010
Planning your Migration for SharePoint 2010Planning your Migration for SharePoint 2010
Planning your Migration for SharePoint 2010
 
Migrating From Applets to Java Desktop Apps in JavaFX
Migrating From Applets to Java Desktop Apps in JavaFXMigrating From Applets to Java Desktop Apps in JavaFX
Migrating From Applets to Java Desktop Apps in JavaFX
 
Spring intro classes-in-mumbai
Spring intro classes-in-mumbaiSpring intro classes-in-mumbai
Spring intro classes-in-mumbai
 
WebSphere Portal Technical Overview
WebSphere Portal Technical OverviewWebSphere Portal Technical Overview
WebSphere Portal Technical Overview
 
Liferay Configuration and Customization
Liferay Configuration and CustomizationLiferay Configuration and Customization
Liferay Configuration and Customization
 

En vedette

Configuring and managing a red
Configuring and managing a redConfiguring and managing a red
Configuring and managing a redzied01
 
RESURSE INFORMAŢIONALE DIN DOMENIUL DREPTULUI
RESURSE INFORMAŢIONALE DIN DOMENIUL DREPTULUIRESURSE INFORMAŢIONALE DIN DOMENIUL DREPTULUI
RESURSE INFORMAŢIONALE DIN DOMENIUL DREPTULUIBiblioteca_Drept
 
Registrul Matricol Unic Documentatia De Atribuire
Registrul Matricol Unic Documentatia De AtribuireRegistrul Matricol Unic Documentatia De Atribuire
Registrul Matricol Unic Documentatia De Atribuiredstanca
 
The Sad Story of the Server that Tries to Please Everyone
The Sad Story of the Server that Tries to Please EveryoneThe Sad Story of the Server that Tries to Please Everyone
The Sad Story of the Server that Tries to Please EveryoneIulian Dogariu
 

En vedette (6)

Configuring and managing a red
Configuring and managing a redConfiguring and managing a red
Configuring and managing a red
 
Reactive fsharp
Reactive fsharpReactive fsharp
Reactive fsharp
 
RESURSE INFORMAŢIONALE DIN DOMENIUL DREPTULUI
RESURSE INFORMAŢIONALE DIN DOMENIUL DREPTULUIRESURSE INFORMAŢIONALE DIN DOMENIUL DREPTULUI
RESURSE INFORMAŢIONALE DIN DOMENIUL DREPTULUI
 
Scala
ScalaScala
Scala
 
Registrul Matricol Unic Documentatia De Atribuire
Registrul Matricol Unic Documentatia De AtribuireRegistrul Matricol Unic Documentatia De Atribuire
Registrul Matricol Unic Documentatia De Atribuire
 
The Sad Story of the Server that Tries to Please Everyone
The Sad Story of the Server that Tries to Please EveryoneThe Sad Story of the Server that Tries to Please Everyone
The Sad Story of the Server that Tries to Please Everyone
 

Similaire à Eunis federation2

CANARIE - What Do I Need to Connect with eduroam and Shibboleth
CANARIE - What Do I Need to Connect with eduroam and ShibbolethCANARIE - What Do I Need to Connect with eduroam and Shibboleth
CANARIE - What Do I Need to Connect with eduroam and ShibbolethChris Phillips
 
Canarie Federated Non Web Signon
Canarie Federated Non Web SignonCanarie Federated Non Web Signon
Canarie Federated Non Web SignonChris Phillips
 
Real World Identity Managment
Real World Identity ManagmentReal World Identity Managment
Real World Identity ManagmentJohn Lewis
 
Shibboleth Guided Tour Webinar
Shibboleth Guided Tour WebinarShibboleth Guided Tour Webinar
Shibboleth Guided Tour WebinarJohn Lewis
 
CANARIE Eduroam and Shibboleth Lessons & Areas of interest
CANARIE Eduroam and Shibboleth Lessons & Areas of interestCANARIE Eduroam and Shibboleth Lessons & Areas of interest
CANARIE Eduroam and Shibboleth Lessons & Areas of interestChris Phillips
 
Presentatie Code Jam Niels van Dijk
Presentatie Code Jam Niels van DijkPresentatie Code Jam Niels van Dijk
Presentatie Code Jam Niels van Dijkkirstenveelo
 
OpenAthens and the future of access and identity management
OpenAthens and the future of access and identity managementOpenAthens and the future of access and identity management
OpenAthens and the future of access and identity managementEduserv Foundation
 
How Software Works in system environment
How Software Works in system environmentHow Software Works in system environment
How Software Works in system environmentItcHcm1
 
Identity Management Overview: CAS and Shibboleth
Identity Management Overview: CAS and ShibbolethIdentity Management Overview: CAS and Shibboleth
Identity Management Overview: CAS and ShibbolethAndrew Petro
 
Enabling Large-Scale Multi-Party Federations with OpenID Connect - OpenID Sum...
Enabling Large-Scale Multi-Party Federations with OpenID Connect - OpenID Sum...Enabling Large-Scale Multi-Party Federations with OpenID Connect - OpenID Sum...
Enabling Large-Scale Multi-Party Federations with OpenID Connect - OpenID Sum...OpenID Foundation Japan
 
Identity Federation on JBossAS
Identity Federation on JBossASIdentity Federation on JBossAS
Identity Federation on JBossASRoger CARHUATOCTO
 
Web Based Investment Management System
Web Based Investment Management SystemWeb Based Investment Management System
Web Based Investment Management SystemMike Taylor
 
Identity mediation for enterprise identity bus
Identity mediation for enterprise identity busIdentity mediation for enterprise identity bus
Identity mediation for enterprise identity busPushpalanka Jayawardhana
 
Successful Enterprise Single Sign-on: Addressing Deployment Challenges
Successful Enterprise Single Sign-on: Addressing Deployment ChallengesSuccessful Enterprise Single Sign-on: Addressing Deployment Challenges
Successful Enterprise Single Sign-on: Addressing Deployment ChallengesHitachi ID Systems, Inc.
 
Shibboleth Access Management Federations as an Organisational Model for SDI
Shibboleth Access Management Federations as an Organisational Model for SDIShibboleth Access Management Federations as an Organisational Model for SDI
Shibboleth Access Management Federations as an Organisational Model for SDIEDINA, University of Edinburgh
 
McShibboleth Presentation
McShibboleth PresentationMcShibboleth Presentation
McShibboleth PresentationJISC.AM
 
Cuckoo (Graham Mason, Ed Beddows)
Cuckoo (Graham Mason, Ed Beddows)Cuckoo (Graham Mason, Ed Beddows)
Cuckoo (Graham Mason, Ed Beddows)JISC.AM
 

Similaire à Eunis federation2 (20)

CANARIE - What Do I Need to Connect with eduroam and Shibboleth
CANARIE - What Do I Need to Connect with eduroam and ShibbolethCANARIE - What Do I Need to Connect with eduroam and Shibboleth
CANARIE - What Do I Need to Connect with eduroam and Shibboleth
 
Canarie Federated Non Web Signon
Canarie Federated Non Web SignonCanarie Federated Non Web Signon
Canarie Federated Non Web Signon
 
Real World Identity Managment
Real World Identity ManagmentReal World Identity Managment
Real World Identity Managment
 
Shibboleth Guided Tour Webinar
Shibboleth Guided Tour WebinarShibboleth Guided Tour Webinar
Shibboleth Guided Tour Webinar
 
CANARIE Eduroam and Shibboleth Lessons & Areas of interest
CANARIE Eduroam and Shibboleth Lessons & Areas of interestCANARIE Eduroam and Shibboleth Lessons & Areas of interest
CANARIE Eduroam and Shibboleth Lessons & Areas of interest
 
Presentatie Code Jam Niels van Dijk
Presentatie Code Jam Niels van DijkPresentatie Code Jam Niels van Dijk
Presentatie Code Jam Niels van Dijk
 
Open Standards For Social Business Apps
Open Standards For Social Business AppsOpen Standards For Social Business Apps
Open Standards For Social Business Apps
 
OpenAthens and the future of access and identity management
OpenAthens and the future of access and identity managementOpenAthens and the future of access and identity management
OpenAthens and the future of access and identity management
 
How Software Works in system environment
How Software Works in system environmentHow Software Works in system environment
How Software Works in system environment
 
Tee temp
Tee tempTee temp
Tee temp
 
Identity Management Overview: CAS and Shibboleth
Identity Management Overview: CAS and ShibbolethIdentity Management Overview: CAS and Shibboleth
Identity Management Overview: CAS and Shibboleth
 
Enabling Large-Scale Multi-Party Federations with OpenID Connect - OpenID Sum...
Enabling Large-Scale Multi-Party Federations with OpenID Connect - OpenID Sum...Enabling Large-Scale Multi-Party Federations with OpenID Connect - OpenID Sum...
Enabling Large-Scale Multi-Party Federations with OpenID Connect - OpenID Sum...
 
Identity Federation on JBossAS
Identity Federation on JBossASIdentity Federation on JBossAS
Identity Federation on JBossAS
 
Web Based Investment Management System
Web Based Investment Management SystemWeb Based Investment Management System
Web Based Investment Management System
 
Inspire2011 shibb am_fs_paper_v3
Inspire2011 shibb am_fs_paper_v3Inspire2011 shibb am_fs_paper_v3
Inspire2011 shibb am_fs_paper_v3
 
Identity mediation for enterprise identity bus
Identity mediation for enterprise identity busIdentity mediation for enterprise identity bus
Identity mediation for enterprise identity bus
 
Successful Enterprise Single Sign-on: Addressing Deployment Challenges
Successful Enterprise Single Sign-on: Addressing Deployment ChallengesSuccessful Enterprise Single Sign-on: Addressing Deployment Challenges
Successful Enterprise Single Sign-on: Addressing Deployment Challenges
 
Shibboleth Access Management Federations as an Organisational Model for SDI
Shibboleth Access Management Federations as an Organisational Model for SDIShibboleth Access Management Federations as an Organisational Model for SDI
Shibboleth Access Management Federations as an Organisational Model for SDI
 
McShibboleth Presentation
McShibboleth PresentationMcShibboleth Presentation
McShibboleth Presentation
 
Cuckoo (Graham Mason, Ed Beddows)
Cuckoo (Graham Mason, Ed Beddows)Cuckoo (Graham Mason, Ed Beddows)
Cuckoo (Graham Mason, Ed Beddows)
 

Eunis federation2

  • 1. Federated Access 2.0 Glenn Wearen Middleware Specialist HEAnet 13 November 2012
  • 2. Federated Access 2.0 Agenda 1. Federated Access 1.0 Past to current status 1. Federated Access 2.0 LoA, Inter-federation , confederation, vendor adoption, cloud adoption, groups, discovery UI, Non-Web-SSO, multiple protocols. 3. Edugate 1.0 or 2.0?
  • 3. Federated Access 1.0 History of Federated Access (academic sector) 2001: Shibboleth, SAML 1.x, OASIS ID-FF V1.2 standards 2003: 1. SAML 2.0 protocol combines elements of all of the above. 2. Feide.no federation launched (not SAML, but similar) 2004: Switzerland launches AAI (Shibboleth 1.3) 2005: UK Federation and InCommon launched (Shibboleth 1.3), 2006: JISC announces migration from Athens to UK Federation 2007: SURFFederatie.nl launched, Google Apps supports SAML 2008: 1. Shibboleth 2.0 implements SAML 2.0 as default protocol 2. SimpleSAMLphp 1.0 released. 3. WAYF.dk launched.
  • 4. Federated Access 1.0 • History of Federated Access (academic sector) 2009: Edugate pilot commences. 2010: Edugate production federation launched
  • 5. Federated Access 1.0 • Academic Federations – US: 4 Million ID’s covered – SWISS: 95% of ID’s – UK: 850 Members
  • 6. Federated Access 1.0 • Academic Federations
  • 7. Federated Access 2.0 1. Confederation 2. Inter-federation 3. Use outside web-browser 4. Wide application support, incl. Cloud 5. Levels of Assurance (LoA) 6. Cross institutional group management 7. SAML Metadata extensions. 8. Reporting 9. Attribute Aggregation 10. Protocol pluralism
  • 8. Federated Access 2.0 Production confederation commenced April 2011 Standard Attribute Schema – displayName, cn, mail – eduPersonAffiliation and eduPersonScopedAffiliation – schacHomeOrganization and schacHomeOrganizationType Standard SAML Protocol (SAML2 Interoperable Profile) – Persistent NameID format mandatory, support for Transient format optional – Either format should be accepted by relying services. – AuthRequests >HTTP-Redirect binding, AuthResponses using HTTP-POST – SAML 2 Metadata standard and Discovery recommendations. Standard Policy – Data Protection profile for personal and non-personal data – Federation joins eduGAIN, federation members opt-in.
  • 9. Federated Access 2.0 Union Standards Attribute Schema Standard SAML Protocol (SAML2 Int.) Opt-in model – 20+ IdP’s – 30+ SP’s
  • 10. Federated Access 2.0 2. Inter-federation – Technically similar to confederation – Bilateral agreement between two federations.  Members Opt-in (or opt-out)  UK-Ireland under investigation
  • 11. Federated Access 2.0 3. Wide application support – Google Apps, Salesforce.com since 2009 – Microsoft Live@edu via WIF since 2010 – More recently...  WebEx, Workday & Zendesk – SAML recommended – Account provisioning still proprietary  SCIM proposed by Ping ID and others to standarise account provisioning using choice of REST & SAML
  • 12. Federated Access 2.0 3. Wide application support – MS ADFS can be configured with SAML IdP’s  Opens up SAML access to Sharepoint and Dynamics CRM – Microsoft WIF SAML 2 support in Beta  No need for ADFS gateway to federated Sharepoint – Blackboard join InCommon
  • 13. Federated Access 2.0 4. Use outside browser – Networks  NAC, SSL VPN, Web-redirect based wifi – Desktop clients  OpenSSH, Jabber – 1.0  browser plugin ( Mindterm SSH applet) – 2.0  GSS-API or GSS-SASL  SAML Attributes conveyed within protocol messages.
  • 14. Federated Access 2.0 5. Levels of Assurance – InCommon Bronze and Silver  Align with ICAM* Bronze/Silver. – WAYF.dk approximates to NIST levels 1-4
  • 15. Federated Access 2.0 6. Cross institutional group management – How can an identity provider assert that a user is a member of a cross institutional group that the identity provider doesn’t control? – How can a service provider create a group from identities that reside at different institutions? What about cross-federation groups?
  • 16. Federated Access 2.0 Supporting Services •SURFfederatie •SURFteams •OpenSocial Campus Services External Services
  • 17. Federated Access 2.0 7. User experience improvements – Metadata  Logo, Organisation name  Required and desired attributes, Privacy URL – Standard defined for login  ‘Login’ on top-right  Discovery embedded on providers page.  List institution logo, and provide incremental search  Institution login page displays logo of requester
  • 18. Federated Access 2.0 8. Reporting – Identity Providers  Can I switch off my IdP?  Can I cross-charge for use of the IdP?  What services do my users use the most?  How many authentication success/failures per day? – Service Providers  From where do my users come?  Do users prefer federated login or local login?  How many authentication success/failures per day?
  • 19. Federated Access 2.0 9. Attribute aggregation – The institutional account is but one part of the a users digital identity.  Shouldn’t a user be able to self-assert attributes from non-institutional account? – Glenn.wearen – Glennamddy – glennwearen@gmail.com – http://ie.linkedin.com/in/glennwearen
  • 20. Federated Access 2.0 10. Pluralism of protocols – SAML2, the federated access protocol for edu. – What about supporting protocols other than SAML2?  OpenID, OAuth2  A-Select, PAPI, eID
  • 21. Federated Access 2.0  Confederation  Inter-federation  Use outside web-browser  Wide application support, incl. Cloud  Levels of Assurance (LoA)  Cross institutional group management  SAML2 and SAML2 Metadata extensions.  Reporting  Attribute Aggregation  Protocol pluralism
  • 23. Edugate Edugate 1. Funding 2. Find early adopters 3. Switch to production
  • 24. Edugate 1. Funding  Long lasting research infrastructure  ...needs a long lasting identity access system – Establishment of identity service at each institution must have local campus benefits to ensure longevity
  • 25. Edugate 2. Find early adopters – Extol the benefits of Federated Access  Diverse range of identity providers  Campus IDM first concern, intra-campus secondary. Initial effort to deploy IdP services HEAnet’s part. – Find applications  HEAnet’s own web applications (TCS, Media)  Web applications open to large range of institutions  Web applications that participate in other federations  Services suffering from high user attrition – ‘Register here’ / ‘forgot password’, infrequent use
  • 26. Edugate • Extol Benefits for identity providers – Add value to existing user account  Multiple accounts => low value placed in account – Potential to use identity for;  Cloud services, Shared services  Alliances  Campus Single-Sign-On – Potential for strong password policy or two- factor authentication, less handling of passwords
  • 27. Edugate • Extol Benefits for service providers  Standard platform for your service to access market  Potential to re-use your implementation worldwide.  Improved service offering for users  Digital ID card Vs. Physical ID card  Distinguish staff from student and 6 others  Personalisation capability (personal or non-personal)  Use as one-time provisioning or validation system  Use as just-in-time access system.
  • 28. Edugate 3. Switch to production 1. Establish Governance Committee 2. Define Member agreement, attribute schema 3. Establish production infrastructure 4. Sign-up members 5. Launch service 6. Migrate pilot participants (October 2011) 7. Deploy new IdP’s, support new Service Providers 8. Gain critical mass (+50% of identities).
  • 29. Edugate Service Provider production joining steps – Must provide service of benefit to staff/students – ...or be contracted provide service to identity member – Complete Edugate membership contract  Identities must be used for AuthZ/AuthN – Pay the membership fee of €1 – Add support for Shibboleth2/SAML2 – Decide and declare attribute requirements
  • 30. Edugate Identity providers production joining steps – Must be part of HEAnet (except schools) – Complete membership agreement  Account cannot be a generic shared account, disabled or compromised account  Student must be treated as student for all campus services. – Deploy SAML2 Identity Provider service – Decide what user attributes to release – Offer service to departments
  • 31. Edugate Current status – Service Providers  20+ providers, 1 using Edugate for student discount – Identity providers  80% of HEI’s, 100% target for September 2011 http://www.edugate.ie/content/edugate-federation-members
  • 32. Edugate Edugate 1. Funding 2. Find early adopters 3. Switch to production 4. Add 2.0 features where there is demand
  • 33. Edugate  Confederation  Inter-federation  Use outside web-browser  Wide application support, incl. Cloud  Levels of Assurance (LoA)  Cross institutional group management  SAML Metadata extensions.  Reporting.  Attribute Aggregation  Protocol pluralism
  • 34. Edugate • Conclusion 1. Federated Access is maturing  2.0 is not far from here 1. Edugate  1.0 Federation but using SAML2.