UK federation development Access Management Transition Meeting, 30 May 2007. Josh Howlett, UKERNA.

Overview Improving Discovery Extending our use of metadata Shibboleth 2.0 Other access management products Inter-federation Integration with eduroam

Improving Discovery

Extending our use of metadata

Shibboleth 2.0

Other access management products

Inter-federation

Integration with eduroam

Discovery What is the ‘discovery problem’? SAML 1.x ‘ IdP-first’ only Intended for small numbers of known partners; discovery is managed by the application. Shibboleth 1.x Shibboleth Authentication Request Profile is ‘SP-first’. Intended for large numbers of possible partners; discovery is typically managed by the WAYF service. WAYF issues: usability and scalability

What is the ‘discovery problem’?

SAML 1.x

‘ IdP-first’ only

Intended for small numbers of known partners; discovery is managed by the application.

Shibboleth 1.x

Shibboleth Authentication Request Profile is ‘SP-first’.

Intended for large numbers of possible partners; discovery is typically managed by the WAYF service.

WAYF issues: usability and scalability

Discovery Service Provider side discovery Preferred approach. SPs know their customers. Shibboleth 2.0 SP will probably provide some assistance. Discovery service Enables an SP to hand over discovery to a third-party. Potential for use of heuristics such as IP address of user agent.

Service Provider side discovery

Preferred approach.

SPs know their customers.

Shibboleth 2.0 SP will probably provide some assistance.

Discovery service

Enables an SP to hand over discovery to a third-party.

Potential for use of heuristics such as IP address of user agent.

Metadata What is federation metadata? “ In architecture, a keystone is the stone at the top of an arch. It the supporting element for the entire arch — without it the arch would collapse.” – Wikipedia Functions A directory of federation participants – where ? A description of their capabilities – what ? Establishment of technical trust – who ?

What is federation metadata?

“ In architecture, a keystone is the stone at the top of an arch. It the supporting element for the entire arch — without it the arch would collapse.” – Wikipedia

Functions

A directory of federation participants – where ?

A description of their capabilities – what ?

Establishment of technical trust – who ?

Metadata Trust PKI trust (today) Entity metadata gives the claimed “KeyName”. The “KeyName” must match that given in an entity’s certificate, issued by a trusted CA. Problems Trust validation is expensive and contains redundancy. PKI can be difficult  support problems. Some SAML 2.0 features (eg. attribute encryption) require access to entities’ public keys.

Trust

PKI trust (today)

Entity metadata gives the claimed “KeyName”.

The “KeyName” must match that given in an entity’s certificate, issued by a trusted CA.

Problems

Trust validation is expensive and contains redundancy.

PKI can be difficult  support problems.

Some SAML 2.0 features (eg. attribute encryption) require access to entities’ public keys.

Metadata Trust Direct key operation Public keys embedded directly in metadata (or wrapped within certificate in metadata). Available in Shibboleth 1.3+. Hybrid operation Use both PKI trust and direct key. Currently in testing; may be made more widely available in the future.

Trust

Direct key operation

Public keys embedded directly in metadata (or wrapped within certificate in metadata).

Available in Shibboleth 1.3+.

Hybrid operation

Use both PKI trust and direct key.

Currently in testing; may be made more widely available in the future.

Shibboleth 2.0 Shibboleth 2.0 Virtually a complete re-write. Support for (some of) SAML 2.0 Web SSO and Single Log-out profiles. Additional capabilities likely in future releases. IdP More powerful ARP expression. Scripting for enhanced attribute resolution.

Shibboleth 2.0

Virtually a complete re-write.

Support for (some of) SAML 2.0

Web SSO and Single Log-out profiles.

Additional capabilities likely in future releases.

IdP

More powerful ARP expression.

Scripting for enhanced attribute resolution.

Other AM solutions Shibboleth is the recommended AM software. Designed for education and research. Many other SAML implementations exist. The moves towards Shibboleth 2.0 and SAML 2.0 should improve interoperability. We need to understand more about these other products and their suitability.

Shibboleth is the recommended AM software.

Designed for education and research.

Many other SAML implementations exist.

The moves towards Shibboleth 2.0 and SAML 2.0 should improve interoperability.

We need to understand more about these other products and their suitability.

Shibboleth on Windows Shibboleth IdP currently runs on Windows, although installation is complex. Windows installer is in development. We’re looking for: Ideas, wish lists, etc. Guinea pigs.

Shibboleth IdP currently runs on Windows, although installation is complex.

Windows installer is in development.

We’re looking for:

Ideas, wish lists, etc.

Guinea pigs.

Inter-federation Multiple emerging federations for education and research. Diverse policy and technological strategies. Use cases Reduce burden on publishers Facilitate cross-federation access to resources such as wikis, VLEs, etc.

Multiple emerging federations for education and research.

Diverse policy and technological strategies.

Use cases

Reduce burden on publishers

Facilitate cross-federation access to resources such as wikis, VLEs, etc.

Inter-federation Inter-federation Leveraged federation Group within a group Federation peering Bilateral agreement Confederation Federation of federations

Inter-federation

Leveraged federation

Group within a group

Federation peering

Bilateral agreement

Confederation

Federation of federations

Integration with eduroam RAGS Experimental out-sourced IdP using eduroam for authentication. RADIUS-SAML Internet2 proposal to use SAML for eduroam authorisation.

RAGS

Experimental out-sourced IdP using eduroam for authentication.

RADIUS-SAML

Internet2 proposal to use SAML for eduroam authorisation.

Thank you for your attention Any questions, ideas or requirements?

Any questions, ideas or requirements?