Federated Identity,
Accessing World-Wide Services
with your Campus Id

  Brook Schofield
  Project Development Officer, TERENA
  schofield@terena.org

  27 September 2012, edutic Chile



                                        Innovation through participation
About me…



 Brook Schofield
 mailto:schofield@terena.org
 skype://brookschofield
 tel:+31651553991
 http://terena.org/~schofield
 linkedin.com/in/brookschofield



               Australian living in The Netherlands. Grew up on the
               island state of Tasmania (named after a Dutchman).

               Task Leader in the GN3 Project for eduGAIN.
               Secretary of the Global eduroam Governance Committee.

Campus Identity Management



• Bad old days
   – Islands of Identity
   – Email System, File Server, Student Enrolment, Library Catalogue
   – Often run by different divisions
• Good old days
   – LDAP for everything! (or most things)
   – Centralisation of services under a single unit
• Future
   – Services are outside your campus
Accessing International Resources



• Freely available to all - Wikipedia
• IP Address Authorisation
   – Library Journals and Databases
   – Reverse Proxy or VPN to simulate “on campus”
   – User confusion, Library Portal vs Google Search
• Personal Subscriptions/Payment
   – Negates community purchasing power
• Guest Access Required
   – Another account, poor password choices or reuse
• User mobility
A family of federated services




eduroam: 10 years of development
                            …now available in Chile
Promotional video (available in Spanish)




Two (2) options explored …and rejected

• VPN
   – Open WiFi
   – Route traffic back to your home organisation via VPN
      • Benefit that “internet” traffic was from the home institution
   – Access Control is problematic
      • You don’t really know who is using it (just that they have a VPN)
• Web Redirect / Splash-screen Portal
   – Popular at airports, cafés and hotels
   – No “over the air” security

The solution: eduroam

[Figure: a user with the identity user@unib.cl connects to a WiFi access point at University A. The access point hands the 802.1X request to University A's RADIUS server, which forwards it via the NREN's central RADIUS proxy server to University B's RADIUS server, where it is checked against University B's user DB; the answer travels back along the same path. Signaling and data paths are drawn separately, and University A places the user in one of its VLANs (Employee, Student or Visitor).]

• Trust based on national policy
• Security based on 802.1X/RADIUS
• VLAN assignment to separate users
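As an added example (not from the slides), the realm-based routing and VLAN assignment shown on this slide, simulated in Python: the request for a visiting user is forwarded by realm through the NREN proxy to the home institution, which is the only hop that checks the password, and the visited campus then picks the VLAN. The realms, usernames, passwords and VLAN ids are constructed for illustration.

```python
# Added example, not from the slides: a minimal simulation of the RADIUS
# hierarchy on the eduroam slide. A request for user@unib.cl arriving at
# University A is routed by realm via the NREN proxy to University B, which
# alone checks the password; University A then picks the VLAN. All realms,
# users, passwords and VLAN ids are constructed for illustration.
from collections import namedtuple

VISITOR_VLAN = 30  # the visited campus puts every roaming guest here
# realm; users = constructed DB username -> (password, affiliation);
# home_vlans = affiliation -> VLAN id, used only for the campus's own users
Institution = namedtuple("Institution", "realm users home_vlans")

def split_identity(identity):
    """'user@realm' -> (user, realm); the realm is what eduroam routes on."""
    if "@" not in identity:
        raise ValueError("identity must carry a realm")
    user, realm = identity.rsplit("@", 1)
    return user, realm.lower()

def home_authenticate(home, user, password):
    """Home RADIUS server: the only hop that consults the user DB (and, with
    tunnelled EAP, the only hop that ever sees the password)."""
    entry = home.users.get(user)
    if entry is None or entry[0] != password:
        return "Access-Reject", None
    return "Access-Accept", entry[1]

def national_proxy(realms, user, realm, password):
    """NREN central proxy: forward to the member that owns the realm. Unknown
    realms are rejected here; the real hierarchy passes them further up."""
    home = realms.get(realm)
    if home is None:
        return "Access-Reject", None
    return home_authenticate(home, user, password)

def visited_campus_login(visited, realms, identity, password):
    """Visited campus RADIUS: answer locally for its own realm, else proxy up.
    Returns (result, vlan). Visitors always land in VISITOR_VLAN: the visited
    site only gets accept/reject, not the user's attributes."""
    user, realm = split_identity(identity)
    if realm == visited.realm:
        result, affiliation = home_authenticate(visited, user, password)
        vlan = visited.home_vlans.get(affiliation) if result == "Access-Accept" else None
    else:
        result, _ = national_proxy(realms, user, realm, password)
        vlan = VISITOR_VLAN if result == "Access-Accept" else None
    return result, vlan

# Constructed member institutions and the NREN's realm table.
UNI_A = Institution("unia.cl", {"alice": ("pw-a", "employee")}, {"employee": 10, "student": 20})
UNI_B = Institution("unib.cl", {"bob": ("pw-b", "student")}, {"employee": 10, "student": 20})
NREN_REALMS = {UNI_A.realm: UNI_A, UNI_B.realm: UNI_B}
```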
eduroam Benefits

• Builds on your existing campus wifi
  – Not new equipment – just new configuration
• Use eduroam @ home
  – Only 1 campus wifi network for all!
• No guest accounts
  – Helpdesk + identity verification is expensive
• Improved support services in development
  – Global improvements benefit your campus

Identity Federation Technologies




• 34 Federations
• 2114 IdPs
   – …and Virtual IdPs
   – Denmark, Norway & Croatia are 1 IdP
• 3434 SPs
Federation Interoperability




                               wayf.dk
Federation Login Workflow




Connect your campus services…



• simpleSAMLphp
   – PHP (is an IdP, SP and Bridge)
   – Multi-lingual support
   – Linux, Windows or Mac
• Shibboleth
   – IdP is Java (Apache Tomcat)
   – SP is C (Apache + IIS Support)

Both are free software. They are interoperable with each other.
Benefits of Federated Login


• Chicken & Egg
   – Identity Providers with People
   – Service Providers with Resources

• How can I be an identity provider?
   – Do you have information on people?
   – Choose some software…
   – Success!

• What about service providers?
   – REUNA/COFRE is in talks with publishers
   – There are other resources available too…

Image from http://www.flickr.com/photos/71218130@N00/1412804148/
Interconnecting federations…

[Figure: on the left, “Your Federation” with its IdPs and SPs and a metadata distribution service (MDS); in the centre, eduGAIN, resting on the eduGAIN Declaration, Constitution, Good Practice, Web SSO, Metadata, Terms of Use and Attributes profiles, with its own MDS; on the right, Federations A, B and C with their SPs and IdPs. Arrows labelled “Upstream Federation Metadata” run from each federation to eduGAIN and arrows labelled “Downstream eduGAIN Metadata” run from eduGAIN back to the federations.]

• Solves the scaling problem
• eduGAIN entities are a subset of a federation
• Profiles and policies to harmonize environment
• More info at http://eduGAIN.org/Metadata
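As an added example (not from the slides or the eduGAIN project), the upstream/downstream metadata flow of this slide in Python: a federation exports only the entities that opted in to eduGAIN, and the downstream aggregate merges the upstream feeds while refusing an entityID claimed by two federations. The federation names, entityIDs and opt-in lists are constructed; the opt-in mechanism itself is a federation policy decision and is modelled here as a plain set.

```python
# Added example, not from the slides: a federation's SAML metadata cut down to
# its eduGAIN "upstream" subset, and the "downstream" aggregate built from
# several upstream feeds. Names, entityIDs and opt-in lists are constructed.
import xml.etree.ElementTree as ET

MD = "urn:oasis:names:tc:SAML:2.0:metadata"
SAMLP = "urn:oasis:names:tc:SAML:2.0:protocol"
ET.register_namespace("md", MD)
ENTITY = f"{{{MD}}}EntityDescriptor"

def fed_xml(name, entities):
    """Build a constructed EntitiesDescriptor; entities = [(entityID, 'IDP'|'SP')]."""
    body = "".join(
        f'<md:EntityDescriptor entityID="{eid}"><md:{role}SSODescriptor '
        f'protocolSupportEnumeration="{SAMLP}"/></md:EntityDescriptor>'
        for eid, role in entities)
    return f'<md:EntitiesDescriptor xmlns:md="{MD}" Name="{name}">{body}</md:EntitiesDescriptor>'

def upstream_subset(fed_metadata, opt_in):
    """Upstream feed: only the entities the federation opted in to eduGAIN.
    The opt-in set is an operator policy decision, not something in the XML."""
    root = ET.fromstring(fed_metadata)
    out = ET.Element(f"{{{MD}}}EntitiesDescriptor", Name=root.get("Name"))
    for ent in root.findall(ENTITY):
        if ent.get("entityID") in opt_in:
            out.append(ent)
    return out

def downstream_aggregate(upstreams):
    """Downstream feed: merge upstream feeds, remembering which federation
    registered each entity and refusing an entityID claimed by two of them."""
    registered_by = {}
    agg = ET.Element(f"{{{MD}}}EntitiesDescriptor", Name="edugain-downstream")
    for up in upstreams:
        for ent in up.findall(ENTITY):
            eid = ent.get("entityID")
            if registered_by.get(eid, up.get("Name")) != up.get("Name"):
                raise ValueError(f"{eid} registered by {registered_by[eid]} and {up.get('Name')}")
            registered_by[eid] = up.get("Name")
            agg.append(ent)
    return agg

def entity_ids(descriptor):
    return sorted(e.get("entityID") for e in descriptor.findall(ENTITY))

# Constructed: "Your Federation" exports two of its three entities, Federation A both of its own.
YOUR_FED = fed_xml("your-fed", [("https://idp.unia.example/idp", "IDP"),
                   ("https://sp.library.example/sp", "SP"), ("https://sp.intranet.example/sp", "SP")])
YOUR_OPT_IN = {"https://idp.unia.example/idp", "https://sp.library.example/sp"}
FED_A = fed_xml("fed-a", [("https://idp.unic.example/idp", "IDP"), ("https://sp.journal.example/sp", "SP")])
FED_A_OPT_IN = {"https://idp.unic.example/idp", "https://sp.journal.example/sp"}
```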
eduGAIN status (in numbers)


15 participant federations
2 candidate federations & 2 pilot participants
7 European federations not participating
    AT, DK, EE, IE, PT, SI, UK
8 federations not participating
    AU, CL, CN, IN, JP, NZ, OM, US
14 GN3 Partners without a federation (18 GN3+)




More services require a trade-off…



eduroam                                     | Identity Federation/eduGAIN
Decentralised identity                      | Decentralised identity
Secure alternative to splash screen portals | Secure alternative to central auth or guest services
Privacy Preserving                          | Can be privacy preserving
Consistent Brand                            | Brand Differentiation
1 service (Network Access)                  | Multiple Services (Web)
Consistent user experience                  | Multiple Interfaces (Web)
Minimal User Information                    | Rich Attribute AuthNZ
Interfederation by default                  | Interfederation by opt-in
linkedin.com/in/brookschofield
           facebook.com/brook.schofield
           skype://brookschofield
           brook@terena.org
           @BrookSchofield
           +31651553991



