An Introduction to Federation Policy
(Using the words of wiser people than me)
Nicole Harris, EuroCAMP Meeting, 15 October 2012
(Happy Birthday Mum)

Me
• UK Access Management Focus;
• Advisor to UK federation;
• REFEDS Coordinator;
• PEER Project Manager;
• Shibboleth Consortium Manager;
• Generally opinionated about access and identity.

[Slide 4 shows excerpts of four existing federation policy documents as images: the Federation Rules of the Australian Access Federation (24 May 2011); the CAFe federation's membership agreement "Termo de Compromisso para Adesão à Federação CAFe" (RNP, Brazil), under which a participant joins as an Identity Provider or Service Provider and accepts the CAFe policies of use for service providers and for identity providers; the RedIRIS Identity Service (SIR) Conditions of Use for Identity Providers, Version 1.0, 20080220, a twelve-point declaration signed by the applicant institution covering acceptance of the technical rules, accuracy of the submitted data, grounds for discontinuation of the service, exclusion of RedIRIS liability and personal data processing under Ley Orgánica 15/1999; and the UK Access Management Federation for Education and Research Rules of Membership, Version 2.1, 1st August 2011, ST/AAI/UKF/DOC/001.]

What are the current problems?
• We don't know what to call them;
• We don't know what they are;
• We don't agree on how to structure them;
• We don't agree on the content;
• We all start from scratch when writing them;
• We ask the wrong questions…
• …to the wrong people.
Apart from that it is ALLLL fine.

Proposal? Federation Policy Best Practise Approach
• Analysis of 15 federation policies;
• Content 'blocks' for policy areas defined;
• Preferred structure / ORDER proposed;
• Example wording given;
• Choose your areas, leave out others.
https://refeds.terena.org/index.php/Federation_Policy_Best_Practise_Approach

SECTION A: STRUCTURE. GENERAL INFORMATION ABOUT HOW YOUR FEDERATION WORKS
• RFC 2119.
• Definitions.
• Background and Purpose.
• Governance.
• Eligibility.
• How to Join.
• How to Withdraw.
STATUS: COMPLETE

SECTION B: TERMS OF USE. WHAT EVERYONE IS ALLOWED AND NOT ALLOWED TO DO
• Terms of Use (IdP).
• Terms of Use (SP).
• Termination / Dispute Resolution.
• Logging.
• Data Protection.
• Audit.
• Use of Attributes.
• Operator Rights / Role.
• Interfederation / Publish rights.
STATUS: IN PROGRESS

SECTION C: LEGAL. ALL THE LEGAL STUFF
• Liability.
• Jurisdiction and Legal.
• Fee schedule.
• Copyright.
STATUS: IN PROGRESS

EXTREME APPROACHES – THE CONTRACT
"NOW THEREFORE in consideration of the mutual covenants set out in this Agreement and for other good and valuable consideration (the receipt and sufficiency of which is hereby acknowledged by each of the parties), the parties agree as follows:"
CANADIAN ACCESS FEDERATION 'POLICY'
Nothing on:
• Governance
• How to Withdraw
• Attributes
• Publication
(In this document)

EXTREME APPROACHES – TERMS OF USE

WHERE DOES IT GO?
• EVERYTHING I've mentioned needs to be defined somewhere;
• There is nothing you can 'leave out' of your thinking;
• There are things you can leave out of your policy;
• Does it go in the policy?
• Does it go in appendices?
• Does it just go on the website?

WHAT'S THE DIFFERENCE?
• REFEDS work is on existing federations;
• Standardising existing problems;
• Full-scale, not lightweight;
• Both processes compatible in:
  • Wording;
  • Sections;
  • Approach.

THE WISEST WORDS
"The software knows NOTHING about federations." Scott Cantor, Shibboleth Developer.
"Federations are SOCIAL constructs." Ian Young, Technical Architect, UK federation.
"Let the metadata FLOW." Leif Johansson, Man of Many Titles.
AND
"That's not what we MEANT to do…" Everyone who has written a federation policy.

Common Mistakes
• What am I signing?
• Eligibility mistakes;
• Publication (interfederation);
• Enabling exchange… or protecting your XXXX?
• Writing policy without all the information;
• Ignoring interoperability issues.

Signing
• Do I sign the policy?
  • Makes it difficult to introduce even minor changes;
  • Different people on different versions;
  • Sets it up clearly as a contractual arrangement.
• Do I agree to abide by 'terms' or 'rules'?
  • More flexible in terms of the core document;
  • Template letter or attached form;
  • Lightweight approach.

Eligibility
• Be clear early on who is eligible.
• Be clear early on who DECIDES who is eligible.
• Include a catch-all.
• IdP membership normally most difficult:
  • Restrict to members of the NREN?
  • Restrict to research and education?
"Subscription to the Federation is available to organisations and institutions which undertake or support education, research or research and development in Australia."
"In order to become an Identity Provider in the ACOnet Identity Federation an organization MUST be eligible for ACOnet participation and MUST become a participant of ACOnet."
"Eligibility for membership and the enrolment process is set out in the Federation Operator Procedures."

Publication
• Don't forget to assert the right to publish.
• Don't restrict the right to publish.
"The Member grants the Federation Operator the right: to publish and otherwise use and hold the Metadata for the purpose of administering the operation of the Federation; to publish the Member's name for the purpose of promoting the Federation."
"In order to facilitate collaboration across national and organisational borders SWAMID MAY participate in interfederation agreements."
"This Agreement governs the Edugate Federation's national access management federation only. For the avoidance of doubt this Agreement does not apply to interfederation access, confederation access or metadata exchange."

Enabling Access
• The federation policy is a social construct;
• The federation policy is about socialising the metadata;
• Federation definitions:
"The ACOnet Identity Federation is introduced to facilitate and simplify the offering of shared services across the (identity) federation."
"The purpose of the Federation is to create a framework within which Members can exchange access management information in a way that is responsible and respects End User privacy."
• Federation policies do NOT exist to protect members from each other.
• More enabling, less protecting (liability).

Writing Policy too Early
• DON'T let your policy define your structure;
• DO inform your policy with well-made decisions;
• Before you write policy be clear on:
  • Scope / eligibility;
  • Governance;
  • Funding models now and future;
  • Rights and roles of the Operator;
  • Rights and roles of IdPs and SPs;
  • Future plans.

Interoperability
• DON'T back yourself into a corner:
"Any metadata file which makes use of parts of metadata published by eduGAIN MUST include either a reference with a URL to the eduGAIN Metadata Terms of Use [ToU] or the entire ToU text. It MUST be placed at the top of the metadata file formatted as an XML comment."
"Publications under clause 1 above will be at the request of the Member who controls each Entity."
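The eduGAIN clause quoted above turns a policy obligation into a technical condition on every downstream metadata file (a Terms of Use reference as an XML comment at the top of the file) that nothing in SAML metadata processing enforces. The Python script below is an added example, not part of the slides and not any federation's tooling: it checks a constructed aggregate against the URL form of that rule, then shows why a comment in front of the root element is a weak carrier for policy text. The ToU URL, the entityID and the placeholder signature are invented for the example.

```python
"""Added example: test a SAML metadata aggregate against the eduGAIN ToU-comment
rule and show that the comment sits outside anything a signature protects."""
from __future__ import annotations

import xml.etree.ElementTree as ET
from xml.dom import minidom

MD_NS = "urn:oasis:names:tc:SAML:2.0:metadata"
DS_NS = "http://www.w3.org/2000/09/xmldsig#"
# Hypothetical ToU location: the slide quotes the rule, not the URL.
EDUGAIN_TOU_URL = "https://example.org/edugain-metadata-tou"

# Constructed sample: a national federation re-publishing one entity it took
# from eduGAIN. The ds:Signature element is a placeholder, not a real signature.
AGGREGATE_WITH_TOU = f"""<!-- Contains eduGAIN metadata. Terms of Use: {EDUGAIN_TOU_URL} -->
<md:EntitiesDescriptor xmlns:md="{MD_NS}" xmlns:ds="{DS_NS}"
                       Name="urn:mace:example.org:federation">
  <ds:Signature>
    <ds:SignedInfo/>
    <ds:SignatureValue>cGxhY2Vob2xkZXI=</ds:SignatureValue>
  </ds:Signature>
  <md:EntityDescriptor entityID="https://idp.example.edu/idp/shibboleth">
    <md:IDPSSODescriptor protocolSupportEnumeration="urn:oasis:names:tc:SAML:2.0:protocol">
      <md:SingleSignOnService
          Binding="urn:oasis:names:tc:SAML:2.0:bindings:HTTP-Redirect"
          Location="https://idp.example.edu/idp/profile/SAML2/Redirect/SSO"/>
    </md:IDPSSODescriptor>
  </md:EntityDescriptor>
</md:EntitiesDescriptor>
"""


def leading_comments(xml_text: str) -> list[str]:
    """Text of every XML comment that precedes the document element.

    minidom keeps document-level comments as children of the Document node.
    ElementTree's default parser discards comments, so an operator validating
    metadata with ET.parse() would never see the ToU comment at all."""
    doc = minidom.parseString(xml_text)
    found = []
    for node in doc.childNodes:
        if node is doc.documentElement:
            break
        if node.nodeType == node.COMMENT_NODE:
            found.append(node.data)
    return found


def satisfies_tou_rule(xml_text: str, tou_url: str = EDUGAIN_TOU_URL) -> bool:
    """The quoted rule: a URL reference to the ToU (or the full ToU text) as an
    XML comment at the top of the file. Only the URL form is checked here."""
    comments = leading_comments(xml_text)
    return bool(comments) and tou_url in comments[0]


def strip_leading_comments(xml_text: str) -> str:
    """What any consumer (or an attacker in the path) can do without touching
    the EntitiesDescriptor: drop every comment outside the root element."""
    doc = minidom.parseString(xml_text)
    for node in list(doc.childNodes):
        if node.nodeType == node.COMMENT_NODE:
            doc.removeChild(node)
    return doc.toxml()


def signed_bytes(xml_text: str) -> str:
    """Canonical form of the document as a signature would see it. Comments are
    excluded, as in the exclusive-C14N-without-comments transform normally used
    for SAML metadata signatures (ET.canonicalize implements C14N 2.0, but its
    comment handling is the same), so the ToU comment never enters the digest."""
    return ET.canonicalize(xml_text, strip_text=True)


if __name__ == "__main__":
    tampered = AGGREGATE_WITH_TOU.replace(EDUGAIN_TOU_URL, "https://evil.example/tou")
    print("original satisfies rule:", satisfies_tou_rule(AGGREGATE_WITH_TOU))
    print("tampered satisfies rule:", satisfies_tou_rule(tampered))
    print("stripped satisfies rule:", satisfies_tou_rule(strip_leading_comments(AGGREGATE_WITH_TOU)))
    print("signed bytes unchanged by tampering:",
          signed_bytes(tampered) == signed_bytes(AGGREGATE_WITH_TOU))
```

Run it directly to see the checks. The point for a policy author: the comment lives before the EntitiesDescriptor that an enveloped metadata signature covers, and the canonicalization a signature uses drops comments anyway, so downstream consumers can remove or rewrite the ToU reference without invalidating the signature, and common tooling never surfaces it. A MUST that no relying party can verify is exactly the corner the slide warns against; a policy-level obligation on the re-publishing federation (as in the SWAMID and Edugate wording quoted earlier) is enforceable, a comment in a file is not.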