Post on 20-Jan-2016

The Application and the Ecosystem

kjk@internet2.edu

Acknowledgments

• https://spaces.internet2.edu/display/fedapp/Home and Scott Cantor

Federating Applications

• What are the issues apps are finding in adapting to a federated world?

• What issues will they need to learn about in an attribute ecosystem?
  • Sooner
  • Later

Federated Applications – The Core Issue

• We are still treating federation as an afterthought when this design would improve all web applications.

• The core problem is that application developers still think their application must reimplement common business logic that is better resolved elsewhere – it's not just passwords we should externalize.

Topic Areas Being Worked on Today

Applications and Federated Life - Today

• IdP discovery

• User Identification

• Session Management

• The Boarding Process

• Interfederation

IdP Discovery – The Problem Space

• Federation creates the IdP discovery problem – where do you send them to authenticate?

• In federations, we cannot expose user credentials to authentication systems controlled by unrelated organizations.

• As a result, the authentication source has to be selected before credentials are supplied, either explicitly through user choice, or by deriving something from a user identifier.

• Need better coordination amongst providers before this becomes too complex for users.

IdP Discovery Models

• Models
  • SP/Embedded – e.g. Elsevier
  • Centralized/Shared

• SP-centric (e.g. NIH Federated Login gateway) vs. federation/IdP-centric (e.g. WAYF, InCommon)

• Common UI "trigger" for consistency

IdP Discovery Work Arounds

• Workarounds
  • Initiating at the IdP – e.g. PSU gets to NIH through the PSU research web site.
  • Hand out per-IdP URLs (e.g. Google)
  • Shared hints
  • Limiting discovery to expected IdPs
  • Geolocation
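As an added example (not from the slides or from the Internet2 federated applications wiki they cite), the following Python sketches how an SP can combine the workarounds on this slide with the earlier point that the authentication source has to be selected before any credential is supplied. An explicit choice from a chooser, a per-IdP entry URL, the domain of an identifier the user typed, and a shared hint cookie are all treated only as hints, and every candidate is checked against the SP's list of expected IdPs so that a forged cookie or link cannot send a user to an unexpected IdP. All entityIDs, domains, paths and the cookie encoding below are constructed assumptions.

```python
import base64
from dataclasses import dataclass
from typing import Optional

# Constructed sample data: the IdPs this SP expects (entityID -> display name).
# A real SP would take this from federation metadata; these values are made up.
ALLOWED_IDPS = {
    "https://idp.example-university.edu/idp/shibboleth": "Example University",
    "https://idp.example-lab.org/idp/shibboleth": "Example Lab",
}

# Constructed mapping from identifier domain to IdP, i.e. "deriving something
# from a user identifier". The identifier is a hint only, never an authenticator.
DOMAIN_TO_IDP = {
    "example-university.edu": "https://idp.example-university.edu/idp/shibboleth",
    "example-lab.org": "https://idp.example-lab.org/idp/shibboleth",
}

# Constructed per-IdP entry URLs, the "hand out per-IdP URLs" workaround.
PER_IDP_PATHS = {
    "/login/example-university": "https://idp.example-university.edu/idp/shibboleth",
}


@dataclass
class DiscoveryRequest:
    """Inputs the discovery step may look at. No credential is present:
    the IdP has to be chosen before the user types a password anywhere."""
    path: str = "/login"
    explicit_choice: Optional[str] = None  # entityID picked in the SP's chooser UI
    user_hint: Optional[str] = None        # e.g. an e-mail address the user typed
    hint_cookie: Optional[str] = None      # shared hint cookie (format below)


def encode_hint_cookie(entity_ids: list[str]) -> str:
    """Shared hint cookie, assumed format: base64 of space-separated entityIDs,
    most recently used IdP last. Written by the SP after a successful login."""
    return base64.b64encode(" ".join(entity_ids).encode("utf-8")).decode("ascii")


def decode_hint_cookie(value: str) -> list[str]:
    """Inverse of encode_hint_cookie; malformed input yields no hint at all."""
    try:
        raw = base64.b64decode(value, validate=True).decode("utf-8")
    except (ValueError, UnicodeDecodeError):
        return []
    return [entity_id for entity_id in raw.split(" ") if entity_id]


def idp_from_identifier(user_hint: str) -> Optional[str]:
    """Derive an IdP from the domain part of an identifier such as an e-mail address."""
    if "@" not in user_hint:
        return None
    domain = user_hint.rsplit("@", 1)[1].strip().lower()
    return DOMAIN_TO_IDP.get(domain)


def select_idp(req: DiscoveryRequest) -> Optional[str]:
    """Return the entityID to send the user to, or None when the SP must show
    its discovery UI. Hints are consulted from most to least explicit, and a
    candidate is used only if it is one of the SP's expected IdPs."""
    candidates: list[str] = []
    if req.explicit_choice:
        candidates.append(req.explicit_choice)
    if req.path in PER_IDP_PATHS:
        candidates.append(PER_IDP_PATHS[req.path])
    if req.user_hint:
        derived = idp_from_identifier(req.user_hint)
        if derived:
            candidates.append(derived)
    if req.hint_cookie:
        # the most recently used IdP is last in the cookie, so try it first
        candidates.extend(reversed(decode_hint_cookie(req.hint_cookie)))
    for entity_id in candidates:
        if entity_id in ALLOWED_IDPS:
            return entity_id
    return None


if __name__ == "__main__":
    cookie = encode_hint_cookie(list(ALLOWED_IDPS))
    print(select_idp(DiscoveryRequest(hint_cookie=cookie)))   # last IdP in the cookie
    print(select_idp(DiscoveryRequest(user_hint="alice@example-lab.org")))
    print(select_idp(DiscoveryRequest()))                     # None: show the chooser
```

The point of the allow-list check is that none of the hint channels is trustworthy on its own: a cookie can be set by any page in the shared domain and an entry URL can be pasted by anyone, so the SP limits discovery to the IdPs it actually federates with and falls back to its own UI otherwise.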

GeoLocation Hints - EDUCAUSE

Oasis Work on Discovery

Web Authentication – Problem Space

• Web authentication involves proving the identity of a client and server to each other.

• Invokes lots of issues when externalized
  • Discovery
  • Authentication attributes & practices
  • Error handling
  • Logout
  • Timers

Non-Web Authentication – Problem Space

• Authentication for non-web
  • TLS
  • OTP over TLS
  • SASL / GSS-API
  • Project Moonshot

• Tie to web authentication – iTunes example.

Project Moonshot – project-moonshot.org

Identity Assurance – Problem Statement

• Do the 800-63 assurance levels adequately reflect good risk abatement techniques in a federated world, especially outside government?

• If not, is there anything better to use?

• Transitive trust arrangements

• LOA over time

• Self-service password resets
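As an added example (not from the slides or from any project they mention), the following Python shows one way an SP can treat the "Timers" and session management issues from the web authentication slide together with "LOA over time" from this one: the SP keeps its own session lifetime independent of the IdP, ages the IdP's AuthnInstant against a per-resource freshness limit, and compares the asserted AuthnContext class against the level a resource needs. The two AuthnContext class URIs are standard SAML 2.0 references; ranking them as levels 1 and 2, the policies, the IdP entityID and the timestamps are constructed assumptions for this example.

```python
from dataclasses import dataclass
from datetime import datetime, timedelta, timezone
from enum import Enum

# Ranking of SAML AuthnContext classes into assurance levels. The URIs are
# standard SAML 2.0 class references; ranking them 1 and 2 is an assumption
# made for this example, not something the slides or 800-63 prescribe.
LOA_RANK = {
    "urn:oasis:names:tc:SAML:2.0:ac:classes:PasswordProtectedTransport": 1,
    "urn:oasis:names:tc:SAML:2.0:ac:classes:TimeSyncToken": 2,
}

# Tolerated clock skew between IdP and SP when reading AuthnInstant (assumed).
CLOCK_SKEW = timedelta(minutes=5)


class Decision(Enum):
    ACCEPT = "accept"
    REAUTHENTICATE = "reauthenticate"  # send the user back to the IdP with ForceAuthn
    STEP_UP = "step_up"                # ask the IdP for a stronger AuthnContext


@dataclass(frozen=True)
class SpSession:
    idp_entity_id: str
    authn_instant: datetime    # AuthnInstant from the assertion's AuthnStatement
    authn_context: str         # AuthnContextClassRef from the same statement
    session_started: datetime  # when the SP created its own session


@dataclass(frozen=True)
class ResourcePolicy:
    min_loa: int
    max_authn_age: timedelta         # how old the IdP authentication may be
    max_session_lifetime: timedelta  # SP-side lifetime, independent of the IdP


def parse_saml_instant(value: str) -> datetime:
    """Parse the UTC 'YYYY-MM-DDTHH:MM:SSZ' form SAML uses for AuthnInstant."""
    return datetime.strptime(value, "%Y-%m-%dT%H:%M:%SZ").replace(tzinfo=timezone.utc)


def evaluate(session: SpSession, policy: ResourcePolicy, now: datetime) -> Decision:
    """Decide whether an SP session still satisfies a resource's policy at `now`.
    Staleness is checked before assurance level: a stale session has to be
    re-authenticated anyway, and that re-authentication may also raise the level."""
    if session.authn_instant - now > CLOCK_SKEW:
        # An authentication timestamp from the future is not usable.
        return Decision.REAUTHENTICATE
    if now - session.session_started > policy.max_session_lifetime:
        return Decision.REAUTHENTICATE
    if now - session.authn_instant > policy.max_authn_age:
        return Decision.REAUTHENTICATE
    if LOA_RANK.get(session.authn_context, 0) < policy.min_loa:
        return Decision.STEP_UP
    return Decision.ACCEPT


# Constructed sample: a password login at a hypothetical IdP, evaluated
# against a routine resource and a sensitive one at several points in time.
NOW = datetime(2016, 1, 20, 12, 0, tzinfo=timezone.utc)
SAMPLE_SESSION = SpSession(
    idp_entity_id="https://idp.example-university.edu/idp/shibboleth",
    authn_instant=parse_saml_instant("2016-01-20T11:50:00Z"),
    authn_context="urn:oasis:names:tc:SAML:2.0:ac:classes:PasswordProtectedTransport",
    session_started=parse_saml_instant("2016-01-20T11:51:00Z"),
)
ROUTINE = ResourcePolicy(min_loa=1, max_authn_age=timedelta(hours=1),
                         max_session_lifetime=timedelta(hours=8))
SENSITIVE = ResourcePolicy(min_loa=2, max_authn_age=timedelta(minutes=15),
                           max_session_lifetime=timedelta(hours=8))


def demo() -> dict:
    """Run the sample session through both policies; returns decision names by scenario."""
    return {
        "routine_now": evaluate(SAMPLE_SESSION, ROUTINE, NOW).value,
        "routine_two_hours_later": evaluate(SAMPLE_SESSION, ROUTINE, NOW + timedelta(hours=2)).value,
        "sensitive_now": evaluate(SAMPLE_SESSION, SENSITIVE, NOW).value,
        "sensitive_ten_minutes_later": evaluate(SAMPLE_SESSION, SENSITIVE, NOW + timedelta(minutes=10)).value,
    }


if __name__ == "__main__":
    for scenario, decision in demo().items():
        print(f"{scenario}: {decision}")
```

The design choice worth noting is that the application never relies on the IdP's session: the IdP decides how long its own login lasts, but the SP decides how old an authentication may be for each resource, which is what lets the assurance of a session decline over time without any change at the IdP.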

The Next Round of Application Issues

• Logout

• Provisioning and deprovisioning

• Metadata exchange – uApprove

• Account linking – transitive trust

• Identity assurance from the app view

• Error handling

• Federated security incident handling
