1. Inter-federating SURFfederatie
And other developments in the Dutch Identity Federation for Higher Education
FAM11 – Federated Access Management Conference, 9 November 2011

2. Content
• SURFfederatie
• SURFconext
• Interfederation efforts
• tiqr
• Future changes

3. (no text)

4. Federation models (communication/login, not metadata)
• 1-1: Business, US; SAML 1.x de facto
• NxN: Shared trust, pt2pt; Education, US/Europe
• 2xN: Central gateway (CFC) with protocol translation; SURFfederatie = CFC, IDP, SP
[Diagram: a CFC hub with IDPs on one side and SPs on the other]

5. Functional view (since August 2008)
[Diagram: Identity Providers (credentials) <-> SURFfederatie CFC (Central Federation Components) <-> Service Providers (applications); protocols on either side: A-Select Cross, Shibboleth, SAML 2.0, WS-Fed / ADFS]

6. IDP Protocols (chart)

7. IDP Products (chart)

8. Some numbers
• IdPs (83): 42 SAML 2.0, 28* WS-Federation (ADFS) (* 8 proxied), 7 A-Select
• SPs (55+): Google apps, foodle, live@edu, CLARIN (7), several publishers, libraries, webshops, SURFconext, …
• ≈ 700k users
• ≈ 20k logins/SSO per (working) day
• (Technically) connected to eduGAIN

9. Metadata & proxying
[Diagram: IDP 1–3 and SP 1–3 connected through the WAYF/hub, which presents one proxy entity per real entity (A-1, A-2, A-3 and B-1, B-2, B-3). Mapping: IDP1=B-1, IDP2=B-2, IDP3=B-3; SP1=A-1 {IDP1, IDP2}; SP2=A-2 {IDP2, IDP3}; SP3=A-3 {all}. The set after each SP is the IdPs that SP may use.]

10. WAYF/WAYF-less operation
[Diagram: IDP 1–3, SP 1–3 and the hub's WAYF]

11. Why Hub & Spoke?
• “Federation as a Service”
• Protocol translation
• Decouples IDPs from SPs: easier to migrate, adapt to specific IDP/SP requirements
• Minimal overhead for IDPs: one single connection to maintain for IDPs/SPs, less expertise required for IDP/SP
• Extra features easier to do: web services, group support
• Easy to monitor, easy to do statistics

12. SURFconext – Collaboration Infrastructure

13. SURFfederatie (SAML) + SURFteams (grouper) + OpenSocial + Collaboration tools = SURFconext

14. (no text)

15. (no text)

16. SURFfederatie vs SURFconext
[Diagram: SURFfederatie: IDP 1–3 and SP 1–3 connected through the hub; SURFconext: federation x and federation y, with SP 4 and SP 5, connected through a proxy]

17. Traditional Organisations
• Supporting services: SURFfederatie, SURFteams, OpenSocial
• Apps.Erasmus, Apps.Groningen, Apps.Leiden

18. Virtual Organisations: Netherlands BioInformatics Centre (NBIC)
• Supporting services: SURFfederatie, SURFteams, OpenSocial
[Diagram: NBIC group (N=66) made up of members from three institutions (N=6, N=10, N=30) and guests (N=20); Virtual IdP; services: Apps.NBIC.nl, My Experiment, PubMed, Grid res., Publishers]

19. eduGAIN
• Enables Web SSO across federations
• Opt-in model for IDPs and SPs

20. Inter-federation efforts
• Kennisnet Federatie: 2011 pilot, selected services
• CLARIN SP federation: since 2010
• Kalmar 2: 2012?
• eduGAIN: since July 2011

21. Implementing eduGAIN support
• Policy: abandon SP fees!
• Technical: attributes, metadata
• Operational: pull metadata from mds.edugain.org; publish metadata (for eduGAIN to pull from)
• None of these required at our SPs/IDPs, except for the opt-in procedure!

22. Importing eduGAIN SPs
[Diagram: the federation of slide 9 plus an eduGAIN SP z, registered at the hub as SPz=A-z {IDP2, IDP3}; eduGAIN metadata lists SPx=ddd, SPy=eee, SPz=fff]

23. Exporting IDPs
[Diagram: as slide 22; IDP3=B-3 is published to eduGAIN]

24. Exporting SPs to eduGAIN
[Diagram: as slide 22; SP3=SP3 is published to eduGAIN, so eduGAIN IDP z can reach it]

25. SP auth list (optional)
[Diagram: as slide 24, with eduGAIN IDPx, IDPy, IDPz]
Per-SP auth list for SP3: IDP1, IDP2, IDPz

26. tiqr
• Secure yet user-friendly way to authenticate to (web)sites using your mobile phone
• Mobile app behaves as a challenge/response token, using open standards
• “Handsfree” – no codes to retype. Uses 2D barcodes (QR) and an Internet connection
• Open source; apps available for both iPhone and Android
• See: https://tiqr.org/

27. How does it work?
SURFnet. We make innovation work

28. Future plans
• Integrate with SURFconext: procedural/organisational; technical (level of integration TBD)
• Change of consent model: opt-in → opt-out
• Addition of user consent
• Web service support: needed for (scientific) workflows
• Rich client/beyond web SSO/mobile support
• Rethink procedures/management
• Keys/signing in Hardware Security Module (HSM)

29. Thank you! ?
Joost van Dijk, joost.vandijk [at] surfnet.nl, @joostd
Presentation released under the Creative Commons “Attribution” license: http://creativecommons.org/licenses/by/3.0/
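Added example (not SURFfederatie's or SURFnet's code): a small Python model of the hub-and-spoke proxy from the metadata/proxying and eduGAIN slides, enforcing the per-SP auth list before an assertion is proxied and checking an SP's IdP hint for WAYF-less operation. The proxy ids A-n/B-n, the SP-to-IdP sets and the imported SPz follow the slides; the hint behaviour is an assumption.

```python
from dataclasses import dataclass, field

ALL = "all"  # the {all} marker on slide 9: the SP may use every registered IdP

@dataclass
class Hub:
    """Central Federation Component: one hub-side proxy entity per real IdP/SP."""
    idps: dict = field(default_factory=dict)  # real IdP -> hub-side id (B-n)
    sps: dict = field(default_factory=dict)   # real SP  -> hub-side id (A-n)
    auth: dict = field(default_factory=dict)  # real SP  -> permitted IdPs or ALL

    def add_idp(self, idp, proxy_id):
        self.idps[idp] = proxy_id

    def add_sp(self, sp, proxy_id, allowed=ALL):
        # An imported eduGAIN SP (slide 22) is registered exactly like a local
        # one: a hub-side id plus an auth list; nothing changes at the IdPs.
        self.sps[sp] = proxy_id
        self.auth[sp] = ALL if allowed == ALL else frozenset(allowed)

    def allowed_idps(self, sp):
        """IdPs the SP may receive assertions from (the per-SP list of slide 25)."""
        if sp not in self.sps:
            return frozenset()
        allowed = self.auth[sp]
        return frozenset(self.idps) if allowed == ALL else allowed & frozenset(self.idps)

    def authorize(self, sp, idp):
        """Hub-side check before an assertion from idp is proxied on to sp."""
        return idp in self.allowed_idps(sp)

    def select_idp(self, sp, hint=None):
        """WAYF-less when the SP sends a permitted IdP hint (assumed behaviour);
        otherwise return the choices the hub's WAYF would offer (slide 10)."""
        allowed = self.allowed_idps(sp)
        if hint is not None:
            return hint if hint in allowed else None
        return sorted(allowed)

def build_hub():
    """The deck's sample federation: three IdPs, three local SPs, one eduGAIN SP."""
    hub = Hub()
    for n in (1, 2, 3):
        hub.add_idp(f"IDP{n}", f"B-{n}")
    hub.add_sp("SP1", "A-1", {"IDP1", "IDP2"})
    hub.add_sp("SP2", "A-2", {"IDP2", "IDP3"})
    hub.add_sp("SP3", "A-3")                    # {all}
    hub.add_sp("SPz", "A-z", {"IDP2", "IDP3"})  # imported from eduGAIN (constructed)
    return hub
```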


Editor's Notes

  • #10 A proxy is needed to be able to do protocol translation; advantage: only one connection to set up. It does mean the IdP sees only one ‘SP’ and does not set up/enable a connection per SP. So we will have to do that for them.
  • #13 Paul van Dijk Product Manager SURFnet
  • #21 example Case for eduGAIN: Apple won’t subscribe to all feds in europe individually