Discovery & Login Status. Some thoughts for federation operators. Rod Widdowson, EDINA
Status. Next generation software is here or nearly here. Shibboleth: EDS V1.0, IdP 2.3, SP 2.4. DiscoJuice. But the work now moves to federation operators.
Take-aways from this talk. “Discovery & Login” extensions are really important: make recommendations about them; start collecting them; engage with entity operators about them. ... And don’t forget your own discovery service.
Discovery Extensions? A picture may be worth 1024 words (which is between 1024 and 4096 octets depending on the architecture in question)
Discovery extensions? Or “SAML V2.0 Metadata Extensions for Login and Discovery User Interface Version 1.0” as it likes to be known. http://docs.oasis-open.org/security/saml/Post2.0/sstc-saml-metadata-ui/v1.0/sstc-saml-metadata-ui-v1.0.pdf Two parts: User Information and Hinting Information.
User Info. Things used in the UI to ease discovery and login: Display Name, Display Description, Logos, Keywords, Information & Privacy Statement URLs.
Logo. But what sizes? Shibboleth recommendations: IdPs https://wiki.shibboleth.net/confluence/display/EDS10/4.+Metadata+Considerations SPs https://wiki.shibboleth.net/confluence/display/SHIB2/IdPMDUIRecommendations Your CDS will also have recommendations. As will policy.
Hinting. Geo: “If you are physically close to a campus you may prefer that IdP”. IP: “If you are on a campus IP address you may prefer that IdP”. DNS: “If your machine has a campus DNS name, you may prefer that IdP”.
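An added example, not code from the talk or from the Shibboleth project, showing how a discovery service could read the mdui UIInfo and DiscoHints elements described above out of federation metadata and use the IP and DNS hints to reorder the IdP list (never to pick an IdP silently). The metadata aggregate, entity IDs and addresses are constructed for the example.

```python
import ipaddress
import xml.etree.ElementTree as ET

NS = {"md": "urn:oasis:names:tc:SAML:2.0:metadata", "mdui": "urn:oasis:names:tc:SAML:metadata:ui"}
EXT = "md:IDPSSODescriptor/md:Extensions/"

# Constructed sample federation metadata: placeholder entity IDs, RFC 5737 test networks.
SAMPLE_METADATA = """<md:EntitiesDescriptor xmlns:md="urn:oasis:names:tc:SAML:2.0:metadata"
  xmlns:mdui="urn:oasis:names:tc:SAML:metadata:ui">
 <md:EntityDescriptor entityID="https://idp.north.example/idp">
  <md:IDPSSODescriptor protocolSupportEnumeration="urn:oasis:names:tc:SAML:2.0:protocol"><md:Extensions>
   <mdui:UIInfo><mdui:DisplayName xml:lang="en">North University</mdui:DisplayName>
    <mdui:Logo height="60" width="80">https://idp.north.example/logo.png</mdui:Logo></mdui:UIInfo>
   <mdui:DiscoHints><mdui:IPHint>192.0.2.0/24</mdui:IPHint><mdui:DomainHint>north.example</mdui:DomainHint></mdui:DiscoHints>
  </md:Extensions></md:IDPSSODescriptor>
 </md:EntityDescriptor>
 <md:EntityDescriptor entityID="https://idp.south.example/idp">
  <md:IDPSSODescriptor protocolSupportEnumeration="urn:oasis:names:tc:SAML:2.0:protocol"><md:Extensions>
   <mdui:UIInfo><mdui:DisplayName xml:lang="en">South College</mdui:DisplayName></mdui:UIInfo>
   <mdui:DiscoHints><mdui:IPHint>203.0.113.0/24</mdui:IPHint></mdui:DiscoHints>
  </md:Extensions></md:IDPSSODescriptor>
 </md:EntityDescriptor>
</md:EntitiesDescriptor>"""

def parse_idps(metadata_xml):
    """Collect the mdui DisplayName and DiscoHints of every IdP in a metadata aggregate."""
    idps = {}
    for ent in ET.fromstring(metadata_xml).iter("{%s}EntityDescriptor" % NS["md"]):
        if ent.find("md:IDPSSODescriptor", NS) is None:  # SPs carry no login hints
            continue
        eid = ent.get("entityID")
        idps[eid] = {"name": ent.findtext(EXT + "mdui:UIInfo/mdui:DisplayName", eid, NS),
                     "ip_hints": [h.text.strip() for h in ent.findall(EXT + "mdui:DiscoHints/mdui:IPHint", NS)],
                     "domain_hints": [h.text.strip() for h in ent.findall(EXT + "mdui:DiscoHints/mdui:DomainHint", NS)]}
    return idps

def _in_net(addr, cidr):
    try:
        return addr in ipaddress.ip_network(cidr, strict=False)
    except ValueError:  # malformed IPHint in metadata: ignore it rather than break discovery
        return False

def rank_idps(idps, client_ip, client_host=""):
    """Order IdPs by matching hints. Hints only reorder the list; the user still makes the choice."""
    addr = ipaddress.ip_address(client_ip)
    def score(info):
        ip_hits = sum(_in_net(addr, c) for c in info["ip_hints"])
        dom_hits = sum(client_host == d or client_host.endswith("." + d) for d in info["domain_hints"])
        return ip_hits + dom_hits
    return sorted(idps, key=lambda eid: -score(idps[eid]))  # stable sort: ties keep metadata order
```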
Take-aways from this talk. “Discovery & Login” extensions really matter. Make recommendations about them. Start collecting them. Engage with entity operators: to add the extensions, and to exploit the extensions (there is software already shipping to do this, not just Shibboleth). ... And don’t forget your own discovery service.
Federation Discovery Service. Based on UK experience: try to downplay it within your organization. You don’t show off your toilets to your house guests: it’s just something you have to have. Think about the continuing story: add SP co-branding, add IdP branding, remove your own branding. Remember to consider accessibility. Start thinking about cross-federation discovery.
Questions. Rod Widdowson email@example.com
Discovery isn’t: about scale; about the operators’ branding; about accounting; about a central service; confined to your domain.
Discovery is: never perfectly addressed; going to get harder; about the first user; about a seamless experience; about commonality of experience; everyone’s job.
Discovery isn’t about scale. Actually it might be, but not yet.
Discovery isn’t about accounting: no matter how tempting it might be to assume it, not every transaction goes via the DS. Discovery isn’t about a single central service: well, it is, but we would like it not to be, and we are going to have to move away from that.
Discovery is never perfectly addressed: we can just make it less bad via a series of approximations. Discovery is about the first user: the first ever user, and the first user at this site. Consistency between discovery pages at different sites: give the feeling of an ongoing story.
Discovery isn’t about the operator’s branding: it just confuses the first-time user.
Suggestions for Operators: SPs. Work with your SPs to deploy their own discovery solutions: Shibboleth SP; SPs using the Shibboleth CDS; other types of SP which use the Shibboleth EDS; SimpleSAMLphp. Get SP operators to contribute discovery & login information.
Suggestions for Operators: IdPs. Work with your IdPs to add SP co-branding on the login page. Shibboleth: always been feasible, and the default page in 2.3. Other IdPs. Get IdP operators to contribute discovery & login information.