The Application and the Ecosystem

kjk@internet2.edu

Acknowledgments

• https://spaces.internet2.edu/display/fedapp/Home and Scott Cantor

kjk@internet2.edu

Federating Applications

• What are the issues apps are finding in adapting to a federated world?

• What issues will they need to learn about in an attribute ecosystem• Sooner• Later

kjk@internet2.edu

Federated Applications – The Core Issue

• We are still treating federation as an afterthought when this design would improve all web applications.

• The core problem is application developers still think their application must reimplement common business logic better resolved elsewhere – its not just passwords we should externalize.

kjk@internet2.edu

Topics Areas Being Worked on Today

kjk@internet2.edu

Applications and Federated Life - Today

• IdP discovery

• User Identification

• Session Management

• The Boarding Process

• Interfederation

kjk@internet2.edu

IdP Discovery – The Problem Space

• Federation creates the IdP discovery problem – where do you send them to authenticate? • In federations, we cannot expose user credentials to

authentication systems controlled by unrelated organizations.

• As a result, the authentication source has to be selected before credentials are supplied, either explicitly through user choice, or by deriving something from a user identifier.

• Need better coordination amongst providers before this becomes too complex for users.

kjk@internet2.edu

IdP Discovery Models

Models • SP/Embedded – e.g .Elsevier• Centralized/Shared

• SP-centric - e.g. NIH Federated Login gateway vs. federation/IdP centrice.g. WAYF, InCommon

•Common UI "trigger" for consistency

kjk@internet2.edu

IdP Discovery Work Arounds

• Workarounds • Initiating at the IdP – e.g. PSU gets to NIH

through the PSU research web site.• Hand out Per-IdP URLs (e.g. Google)

• Shared hints• Limiting discovery to expected IdPs• Geolocation

kjk@internet2.edu

GeoLocation Hints - EDUCAUSE

kjk@internet2.edu

Oasis Work on Discovery

kjk@internet2.edu

Web Authentication – Problem Space

• Web authentication involves proving the identity of a client and server to each Invokes lots of issues when externalized• Discovery• Authentication attributes & practices• Error Handling• Logout• Timers

kjk@internet2.edu

Non-Web Authentication – Problem Space

• Authentication for non-web • TLS• OTP over TLS• SASL / GSS-API

• Project Moonshot• Tie to web authentication – iTunes example.

kjk@internet2.edu

Project MoonShot –project-moonshot.org

kjk@internet2.edu

Identity Assurance – Problem Statement

• Does 800-63 assurance levels adequately reflect good risk abatement techniques in a federated world, especially outside gov.• If not, is there anything better to use?

• Transitive trust arrangements

• LOA over time

• Self-service password resets

kjk@internet2.edu

The Next Round of Application Issues

• Logout• Provisioning and Deprovisioning• Metadata exchange - uApprove• Account Linking – transitive trust• Identity Assurance from the app view• Error handling • Federated Security Incident Handling

kjk@internet2.edu

Acknowledgments

• https://spaces.internet2.edu/display/fedapp/Home and Scott Cantor