Identity Federations: Here and Now
David L. Wasley, Thomas Lenggenhager, Peter Alterman, John Krienke
Agenda
• Brief Federation overview
• Higher Ed & Research federations in Europe
• US Federal eAuthentication federation
• InCommon: the US Higher Ed federation
• Inter-federation
• Q&A
Federations
• Otherwise independent entities that give up a certain degree of autonomy in order to achieve a common set of goals.
• Working together requires
  • Common way to express meaning
  • Agreed-upon ways to convey information
  • Acceptable governance and trust models
Identity Federations
• Authenticate locally
  • Campus or other Identity Service Provider
• The IdP provides the trustworthy identity information that Resource Providers need
  • Part of the access management decision
• Trust established through the Federation Operator by means of standards, rules, and participation agreements
Federations and Trust
• Requires common IdP and RP practices
• Federation governance roles include
  • Establishing the rules
  • Overseeing adherence
• Degrees of trust may be inherent/useful
  • Allows flexibility in IdP and RP services
• What happens when trust is violated?
  • Liability and indemnification
Not all Federations are the same ...
• Identity federations may have different rules or constraints on identity release
  • For example in Europe ...
• Some may choose to offer on-line services as well, or hold contracts for resources on behalf of members
• Some are for specific business purposes or industries, etc.
Linking Federations
• How can federations interoperate?
• Information models must be compatible
  • Conversion may be difficult
• Communication protocols
  • Gateways are hard
  • and may break trust models
• Governance and trust models
  • Must be equivalent at some level
Governance & Linking Federations
• Governance sets community standards
  • May need to enhance or redefine somewhat
• Must uphold inter-federation agreement
  • Responsible for trust between federations
  • May require stronger role within federation
• May affect existing participation agreements
  • May incur new liabilities, etc.
• Federation services might not interoperate
Linking InCommon and eAuthentication
• Higher Ed is an important community for many Federal agency applications
• Both have federations in place
• Have been working together for ~1 year
• Compatible technology
• Similar identity attributes
  • InCommon has a richer set
  • InCommon includes privacy protections
Linking InCommon and eAuthentication ...
• Trust issues
  • eAuth defines 4 levels of identity assurance
  • InCommon allows ‘best effort’
  • Will need to define at least one compatible LOA
  • Privacy ...
• Operational issues
  • Will need to include LOA in identity assertions
  • Will need to tag metadata, etc.
Linking InCommon and eAuthentication ...
• Where we are now
  • Draft Memorandum of Agreement
  • Draft “InCommon Bronze” requirements
    • Based on eAuth Level 1
  • Three campuses already known to qualify
  • Working on inter-federation assessment
• Goal
  • Interoperability by Fall of this year
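The two operational points in the preceding slides (an LOA carried in each identity assertion, and federation metadata tagged with the assurance levels an IdP is certified for) translate into a concrete check on the Resource Provider side: accept a login only if the asserted LOA meets the resource's requirement and the federation operator's metadata confirms the IdP is certified for that LOA, so that a ‘best effort’ IdP cannot simply claim a level. The following is an added example, not code from the slides, InCommon or eAuthentication. The LOA URIs are placeholders standing in for eAuth Levels 1 through 4 (with loa1 playing the role of “InCommon Bronze”); the entity-attribute name is the one defined in the SAML V2.0 Identity Assurance Profiles, and the sample metadata and assertions are constructed for the demo.

```python
"""RP-side LOA check against a SAML assertion and federation metadata.

Added example (not from the deck). Assumes the assertion's XML signature
has already been verified; an unverified assertion must never be trusted.
"""
import xml.etree.ElementTree as ET

NS = {
    "saml": "urn:oasis:names:tc:SAML:2.0:assertion",
    "md": "urn:oasis:names:tc:SAML:2.0:metadata",
    "mdattr": "urn:oasis:names:tc:SAML:metadata:attribute",
}

# Entity attribute from the SAML V2.0 Identity Assurance Profiles used by a
# federation operator to tag an IdP with the assurance certifications it holds.
ASSURANCE_CERT_ATTR = "urn:oasis:names:tc:SAML:attribute:assurance-certification"

# Placeholder LOA identifiers and their ordering; the real URIs for eAuth
# Level 1..4 or InCommon Bronze are not given in the deck (assumption).
LOA_RANK = {
    "urn:example:assurance:loa1": 1,  # stands in for eAuth Level 1 / InCommon Bronze
    "urn:example:assurance:loa2": 2,
    "urn:example:assurance:loa3": 3,
    "urn:example:assurance:loa4": 4,
}


def assertion_issuer_and_loa(assertion_xml):
    """Return (issuer entityID, AuthnContextClassRef URI) from an assertion.

    AuthnContextClassRef is where the IdP places the LOA of the login it is
    asserting; a missing value is returned as None ("best effort").
    """
    root = ET.fromstring(assertion_xml)
    issuer = root.findtext("saml:Issuer", namespaces=NS)
    loa = root.findtext(
        "saml:AuthnStatement/saml:AuthnContext/saml:AuthnContextClassRef",
        namespaces=NS,
    )
    return (issuer.strip() if issuer else None, loa.strip() if loa else None)


def certified_loas(metadata_xml):
    """Map each entityID in federation metadata to its certified LOA URIs."""
    root = ET.fromstring(metadata_xml)
    path = ("md:Extensions/mdattr:EntityAttributes/"
            "saml:Attribute[@Name='%s']/saml:AttributeValue" % ASSURANCE_CERT_ATTR)
    certs = {}
    for entity in root.iter("{%s}EntityDescriptor" % NS["md"]):
        values = {v.text.strip() for v in entity.findall(path, NS) if v.text}
        certs[entity.get("entityID")] = values
    return certs


def authorize(assertion_xml, metadata_xml, required_rank):
    """Decide whether the assertion satisfies a resource requiring `required_rank`.

    The claimed LOA must be known, high enough, AND backed by the federation's
    metadata tag for the issuing IdP. Returns (accepted, reason).
    """
    issuer, loa = assertion_issuer_and_loa(assertion_xml)
    certs = certified_loas(metadata_xml)
    if issuer not in certs:
        return False, "issuer %r is not in federation metadata" % issuer
    if loa is None:
        return False, "assertion carries no LOA (best-effort authentication)"
    if loa not in LOA_RANK:
        return False, "unknown LOA identifier %r" % loa
    if LOA_RANK[loa] < required_rank:
        return False, "LOA %d below required %d" % (LOA_RANK[loa], required_rank)
    if loa not in certs[issuer]:
        return False, "issuer asserts %r but is not certified for it" % loa
    return True, "accepted at LOA %d" % LOA_RANK[loa]


# Constructed metadata: one IdP certified for loa1, one with no certification.
SAMPLE_METADATA = """<md:EntitiesDescriptor xmlns:md="urn:oasis:names:tc:SAML:2.0:metadata"
    xmlns:mdattr="urn:oasis:names:tc:SAML:metadata:attribute"
    xmlns:saml="urn:oasis:names:tc:SAML:2.0:assertion">
  <md:EntityDescriptor entityID="https://idp.bronze.example/idp">
    <md:Extensions><mdattr:EntityAttributes>
      <saml:Attribute Name="urn:oasis:names:tc:SAML:attribute:assurance-certification">
        <saml:AttributeValue>urn:example:assurance:loa1</saml:AttributeValue>
      </saml:Attribute>
    </mdattr:EntityAttributes></md:Extensions>
  </md:EntityDescriptor>
  <md:EntityDescriptor entityID="https://idp.besteffort.example/idp"/>
</md:EntitiesDescriptor>"""


def sample_assertion(issuer, loa=None):
    """Build a constructed, unsigned assertion for the demo (not a real IdP's)."""
    ctx = ("<saml:AuthnContext><saml:AuthnContextClassRef>%s</saml:AuthnContextClassRef>"
           "</saml:AuthnContext>" % loa) if loa else "<saml:AuthnContext/>"
    return ('<saml:Assertion xmlns:saml="urn:oasis:names:tc:SAML:2.0:assertion">'
            "<saml:Issuer>%s</saml:Issuer><saml:AuthnStatement>%s</saml:AuthnStatement>"
            "</saml:Assertion>" % (issuer, ctx))


if __name__ == "__main__":
    bronze, best = "https://idp.bronze.example/idp", "https://idp.besteffort.example/idp"
    for who, loa, need in [(bronze, "urn:example:assurance:loa1", 1),
                           (best, "urn:example:assurance:loa1", 1),
                           (best, None, 1),
                           (bronze, "urn:example:assurance:loa1", 2)]:
        print(who, loa, need, "->", authorize(sample_assertion(who, loa), SAMPLE_METADATA, need))
```

The second demo case is the one the slides' trust discussion is about: an IdP that is allowed to operate on a ‘best effort’ basis can still put an LOA value in its assertion, so the RP's decision has to be anchored in the federation operator's metadata tag, not in the IdP's own claim. Mapping between two federations' LOA vocabularies (eAuth levels versus an InCommon profile) is then a matter of extending the rank table once the inter-federation agreement defines the equivalence.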