Federated Identity, Accessing World-Wide Services with your Campus Id
1. Federated Identity, Accessing World-Wide Services with your Campus Id
Brook Schofield
Project Development Officer, TERENA
schofield@terena.org
27 September 2012, edutic Chile
Innovation through participation
2. About me…
Brook Schofield
mailto:schofield@terena.org
skype://brookschofield
tel:+31651553991
http://terena.org/~schofield
linkedin.com/in/brookschofield
Australian living in The Netherlands. Grew up on the
island state of Tasmania (named after a Dutchman).
Task Leader in the GN3 Project for eduGAIN.
Secretary of the Global eduroam Governance Committee.
3. Campus Identity Management
Bad old days
Islands of Identity
Email System, File Server, Student Enrolment,
Library Catalogue
Often run by different divisions
Good old days
LDAP for everything! (or most things)
Centralisation of services under a single unit
Future
Services are outside your campus
4. Accessing International Resources
Freely available to all - Wikipedia
IP Address Authorisation
Library Journals and Databases
Reverse Proxy or VPN to simulate “on campus”
User confusion, Library Portal vs Google Search
Personal Subscriptions/Payment
Negates community purchasing power
Guest Access Required
Another account, poor password choices or reuse
User mobility
5. A family of federated services
8. Two (2) options explored …and rejected
• VPN
  – Open WiFi
  – Route traffic back to your home organisation via VPN
    • Benefit that “internet” traffic was from the home institution
  – Access control is problematic
    • You don’t really know who is using it (just that they have a VPN)
• Web Redirect / Splash-screen Portal
  – Popular at airports, cafés and hotels
  – No “over the air” security
9. The solution: eduroam
[Diagram: a user with identity user@unib.cl connects to a WiFi access point at University A. University A's RADIUS server, with its own user DB, forwards the request through the NREN's central RADIUS proxy server to University B's RADIUS server and user DB. The legend separates signaling (the RADIUS chain) from data (the user's traffic). University A places authenticated users on an Employee, Student or Visitor VLAN.]
• Trust based on national policy
• Security based on 802.1X/RADIUS
• VLAN assignment to separate users
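The routing the diagram shows, as an added example (not code from the presentation, from eduroam or from any RADIUS product): a Python model of the decision a campus RADIUS server takes when an 802.1X request arrives. It splits the outer identity into user and realm, authenticates locally when the realm is its own, and otherwise forwards the request to the NREN's central proxy, which routes by realm to the user's home institution; the VLAN comes from the role for home users and is the visitor VLAN for everyone the proxy chain accepts. The realm unia.cl, the proxy address, the user records and the VLAN numbers are constructed sample data; the slide's own realm unib.cl is used as the foreign realm. This is also what answers the VPN objection on the previous slide: the visited campus never sees a visitor's credentials, only the realm, and the home institution that does see them is the one that vouches for the user.

```python
"""Realm-based routing for an eduroam-style campus RADIUS server.

Added example; not code from the presentation, from eduroam or from any
RADIUS product. Every realm, address, user record and VLAN number below is
constructed sample data.
"""
from dataclasses import dataclass
from typing import Optional, Tuple

# Constructed: the realm(s) this campus is authoritative for.
LOCAL_REALMS = {"unia.cl"}

# Constructed: the NREN's central RADIUS proxy, the only place we forward to.
NREN_PROXY = ("radius.nren.example", 1812)

# Constructed local user database: inner (tunnelled) username -> role.
LOCAL_USERS = {"alice": "employee", "bob": "student"}

# Constructed VLAN plan: separate users by role, visitors on their own VLAN.
VLAN_BY_ROLE = {"employee": 10, "student": 20, "visitor": 30}


@dataclass(frozen=True)
class Decision:
    action: str                        # "local", "proxy" or "reject"
    realm: Optional[str]
    target: Optional[Tuple[str, int]]  # where the request is forwarded, if anywhere
    reason: str


def split_nai(outer_identity: str) -> Optional[Tuple[str, str]]:
    """Split a Network Access Identifier into (user, realm).

    Only the realm is needed for routing, and with EAP-TTLS/PEAP the outer
    identity is often anonymous ("@unib.cl"), so an empty user part is fine.
    A missing realm, more than one '@', or a realm without a dot is
    unroutable and is reported as None rather than guessed at.
    """
    if outer_identity.count("@") != 1:
        return None
    user, realm = outer_identity.split("@")
    realm = realm.strip().lower()
    if not realm or "." not in realm or realm.startswith(".") or realm.endswith("."):
        return None
    return user.strip(), realm


def route(outer_identity: str) -> Decision:
    """Decide whether to authenticate here or forward to the NREN proxy."""
    parts = split_nai(outer_identity)
    if parts is None:
        return Decision("reject", None, None, "missing or malformed realm")
    _user, realm = parts
    if realm in LOCAL_REALMS:
        # Our realm: authenticate against the local DB. Never proxy our own
        # realm outwards, or a misconfigured peer can bounce it back forever.
        return Decision("local", realm, None, "home realm")
    # Foreign realm: the visited site cannot verify these credentials and
    # must not try; the NREN proxy routes by realm to the home institution.
    return Decision("proxy", realm, NREN_PROXY, "visitor realm")


def assign_vlan(decision: Decision, inner_user: Optional[str] = None) -> Optional[int]:
    """VLAN for an accepted user: by role for home users, the visitor VLAN
    for anyone whose home institution accepted them over the proxy chain.
    Returns None when the user must be rejected."""
    if decision.action == "reject":
        return None
    if decision.action == "proxy":
        return VLAN_BY_ROLE["visitor"]
    role = LOCAL_USERS.get(inner_user or "")
    if role is None:
        return None  # unknown home user: reject here, never proxy it on
    return VLAN_BY_ROLE[role]


if __name__ == "__main__":
    for ident, inner in (("alice@unia.cl", "alice"), ("@unib.cl", None),
                         ("mallory@unia.cl", "mallory"), ("nobody", None)):
        d = route(ident)
        print(f"{ident:>18}: {d.action:6} {d.reason:28} vlan={assign_vlan(d, inner)}")
```

Two details matter in practice. A request for a realm you are authoritative for but cannot authenticate must be rejected, never proxied, or two misconfigured servers will forward it back and forth; and the outer identity may legitimately be anonymous, which is why only the realm part is required for routing.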
12. eduroam Benefits
• Builds on your existing campus wifi
– Not new equipment – just new configuration
• Use eduroam @ home
– Only 1 campus wifi network for all!
• No guest accounts
– Helpdesk + identity verification is expensive
• Improved support services in development
– Global improvements benefit your campus
19. Connect your campus services…
simpleSAMLphp
Written in PHP; can act as an IdP, an SP and a bridge between protocols
Multi-lingual support
Runs on Linux, Windows or Mac
Shibboleth
IdP is Java (runs in Apache Tomcat)
SP is C (Apache and IIS support)
Both are free software, and since both implement SAML they interoperate with each other.
20. Benefits of Federated Login
Chicken & Egg
Identity Providers with People
Service Providers with Resources
How can I be an identity provider?
Do you have information on people?
Choose some software…
Success!
What about service providers?
REUNA/COFRE is in talks with publishers
There are other resources available too…
Image from http://www.flickr.com/photos/71218130@N00/1412804148/
21. Interconnecting federations…
[Diagram: Federation A, Federation B, Federation C, "Your Federation" and "Other Federation", each with its own IdPs, SPs and metadata service (MDS). Each federation publishes upstream metadata to eduGAIN, and eduGAIN publishes downstream metadata back to the federations. The eduGAIN column lists its Declaration, Constitution, Good Practice, Web SSO and Metadata profiles, Terms of Use and Attributes, with Service Provider and Identity Provider on either side.]
Solves the scaling problem
eduGAIN entities are a subset of a federation
Profiles and policies to harmonize environment
More info at http://eduGAIN.org/Metadata
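How the metadata exchange in the diagram works, as an added example (not code from the presentation, from eduGAIN or from any metadata aggregator): a Python model of the upstream step, where each federation publishes only the entities its operator has opted in, and of the aggregation step, where the interfederation service merges those subsets into one downstream aggregate. Two checks a practitioner would want are included: an exported entity must carry an mdrpi:RegistrationInfo naming the offering federation as its registration authority, and an entityID may be published by only one federation. The federation names, entityIDs, the aggregate name and the exact form of the registration check are assumptions for this example; the real profile and policy documents are the ones linked from the eduGAIN site. Signature verification of the incoming metadata, which a real aggregator performs before anything else, is omitted.

```python
"""Building an eduGAIN-style upstream aggregate from federation metadata.

Added example; not code from the presentation, from eduGAIN or from any
metadata aggregator. The federations, entityIDs and registration
authorities are constructed sample data. Signature verification of the
incoming metadata is omitted and must be done before trusting any of it.
"""
import xml.etree.ElementTree as ET
from typing import Iterable, List, Set, Tuple

NS = {
    "md": "urn:oasis:names:tc:SAML:2.0:metadata",
    "mdrpi": "urn:oasis:names:tc:SAML:metadata:rpi",
}
for prefix, uri in NS.items():
    ET.register_namespace(prefix, uri)


def export_subset(fed_xml: str, authority: str,
                  opted_in: Set[str]) -> Tuple[List[ET.Element], List[str]]:
    """Return the entities a federation may publish upstream, plus problems.

    Only opted-in entities are exported (eduGAIN entities are a subset of
    the federation), and each must carry mdrpi:RegistrationInfo naming this
    federation, so one federation cannot export an entity another registered.
    """
    root = ET.fromstring(fed_xml)  # use defusedxml for untrusted input
    exported, problems = [], []
    for ent in root.findall("md:EntityDescriptor", NS):
        eid = ent.get("entityID")
        if eid not in opted_in:
            continue  # stays federation-internal
        reg = ent.find("md:Extensions/mdrpi:RegistrationInfo", NS)
        if reg is None:
            problems.append(f"{eid}: no mdrpi:RegistrationInfo; not exported")
            continue
        if reg.get("registrationAuthority") != authority:
            problems.append(f"{eid}: registered by {reg.get('registrationAuthority')}, "
                            f"offered by {authority}; not exported")
            continue
        exported.append(ent)
    return exported, problems


def aggregate(feeds: Iterable[Tuple[str, str, Set[str]]]) -> Tuple[ET.Element, List[str]]:
    """Merge the export subsets of several federations into one aggregate.
    An entityID may appear once: a second copy from another federation is
    dropped and reported, because two registrations of one entityID would
    let two operators publish conflicting keys and endpoints for it."""
    agg = ET.Element(f"{{{NS['md']}}}EntitiesDescriptor",
                     {"Name": "https://edugain.example/aggregate"})  # constructed name
    seen, problems = {}, []
    for fed_xml, authority, opted_in in feeds:
        ents, probs = export_subset(fed_xml, authority, opted_in)
        problems.extend(probs)
        for ent in ents:
            eid = ent.get("entityID")
            if eid in seen:
                problems.append(f"{eid}: already published by {seen[eid]}; "
                                f"dropping copy from {authority}")
                continue
            seen[eid] = authority
            agg.append(ent)
    return agg, problems


def entity_ids(agg: ET.Element) -> List[str]:
    return [e.get("entityID") for e in agg.findall("md:EntityDescriptor", NS)]


# --- constructed sample federations (not real metadata) ---------------------
def _entity(eid: str, authority, role: str) -> str:
    reg = (f'<md:Extensions><mdrpi:RegistrationInfo registrationAuthority="{authority}"/>'
           f'</md:Extensions>' if authority else "")
    return (f'<md:EntityDescriptor entityID="{eid}">{reg}<md:{role} '
            f'protocolSupportEnumeration="urn:oasis:names:tc:SAML:2.0:protocol"/>'
            f'</md:EntityDescriptor>')


def _federation(name: str, entities: Iterable[str]) -> str:
    return (f'<md:EntitiesDescriptor xmlns:md="{NS["md"]}" xmlns:mdrpi="{NS["mdrpi"]}" '
            f'Name="{name}">' + "".join(entities) + "</md:EntitiesDescriptor>")


FED_A, FED_B = "https://federation-a.example", "https://federation-b.example"
FED_A_XML = _federation(FED_A, [
    _entity("https://idp.unia.cl/idp", FED_A, "IDPSSODescriptor"),
    _entity("https://sp.library.example/sp", FED_A, "SPSSODescriptor"),
    _entity("https://sp.internal.unia.cl/sp", FED_A, "SPSSODescriptor"),  # not opted in
])
FED_B_XML = _federation(FED_B, [
    _entity("https://idp.unib.cl/idp", FED_B, "IDPSSODescriptor"),
    _entity("https://sp.library.example/sp", FED_B, "SPSSODescriptor"),  # duplicate of A's
    _entity("https://sp.rogue.example/sp", FED_A, "SPSSODescriptor"),    # claims A registered it
    _entity("https://idp.noreg.example/idp", None, "IDPSSODescriptor"),  # no RegistrationInfo
])
FEEDS = [
    (FED_A_XML, FED_A, {"https://idp.unia.cl/idp", "https://sp.library.example/sp"}),
    (FED_B_XML, FED_B, {"https://idp.unib.cl/idp", "https://sp.library.example/sp",
                        "https://sp.rogue.example/sp", "https://idp.noreg.example/idp"}),
]

if __name__ == "__main__":
    agg, problems = aggregate(FEEDS)
    print(ET.tostring(agg, encoding="unicode"))
    print("\n".join(problems))
```

The opt-in set is passed in by the federation operator rather than read from the metadata, which matches the "interfederation by opt-in" model on the following slides; the registration-authority comparison is what stops a federation from re-exporting, intentionally or by copy-paste, an entity that belongs to a neighbour.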
22. eduGAIN status (in numbers)
15 participant federations
2 candidate federations & 2 pilot participants
7 European federations not participating
AT, DK, EE, IE, PT, SI, UK
8 federations not participating
AU, CL, CN, IN, JP, NZ, OM, US
14 GN3 Partners without a federation (18 GN3+)
23. More services require a trade-off…
eduroam                                      | Identity Federation / eduGAIN
---------------------------------------------+-----------------------------------------------------
Decentralised identity                       | Decentralised identity
Secure alternative to splash-screen portals  | Secure alternative to central auth or guest services
Privacy preserving                           | Can be privacy preserving
Consistent brand                             | Brand differentiation
1 service (network access)                   | Multiple services (web)
Consistent user experience                   | Multiple interfaces (web)
Minimal user information                     | Rich attribute AuthN/AuthZ
Interfederation by default                   | Interfederation by opt-in