The Rise of Federations…Almost Everywhere

Topics

• Federation Basics• Drivers

• Components

• International and pulic sector developments

• InCommon and its uses

• Next steps for federations• Peering, confederation, and similar issues

• Support for collaboration and virtual organizations

• Development of other aspects of the attribute ecosystem

• Libraries and federations in the US• Issues and opportunities

• Next steps

Middleware vision in one slide

• Build a campus/enterprise core middleware infrastructure that• Serves the overall enterprise IT environment, providing business

drivers and institutional investment for sustainability and scalability

• Is designed from the start to support the research and instructional missions • Implies consistent approaches and common practices across campuses

and internationally

• Build, plumb, and replumb the tools of research on top of that emergent infrastructure• Domain-specific middleware (grids, sensor nets, etc)

• Common collaboration tools (video, protected wikis, shared calendaring, audioconferencing, etc.)

Federated identity

• Leveraging enterprise identity management beyond the enterprise

• Creates general purpose interrealm trust fabrics

• Standards (SAML) and open source (Shibboleth) well aligned and gaining broad adoption

• Persistent and broad R&E federations in many countries now

Drivers

• Campuses want to allow their community to use their local credentials to access external partners in academia, government, businesses, etc.

• Relying Parties want to use campus authn • For economies

• Not another sso to incorporate into the app• Avoid much of the costs of account management

• For scaling in users• Interest is tempered by legal considerations,

policy considerations, and unintended disruptive economic consequences

Uses - Content

• To protect IPR (the JSTOR incident…)• To open up markets• Popular content – Ruckus, CDigix, etc• MS• Scholarly content – Google, OCLC

WorldCat• Scope of IdM may be an issue

Services

• Student travel, charitable giving, web learning and testing, plagiarism testing service, etc.

• Allure for alumni services and other internal businesses

• Student loans, student testing, graduate school admissions, etc.

• The Teragrid

Government

• NSF Fastlane Grant Submission• Dept of Agriculture Permits• Social Security• NIH• Dept of Ed

Components of Federation

• Federating Software• Federation operator and metadata• Participants

• Policies on identity management• Policies on privacy

• Shared set of attributes, including LOA• Legal agreements among participants• Management and governance• (Peering, economics,…)

International Federations

• Widespread in Europe (over 15 countries), emergent in Australia, nascent in Asia.

• The UK federation (http://www.ukfederation.org.uk/) already has over five million active users and intends to grow to all of higher ed, K-12 and further education.

• Used for academic content access, research support, national level services, etc

• Clear needs for peering; some need for confederation or dynamic relationships.

Public sector federations

• http://www.public-cio.com/story.php?id=2007.02.02-103751

• State-based among health agencies (NY), presenting a SSO to citizens (Washington), etc.

• GSA EAuthentication• NSF, NIH, and the Dept of Ed…

• State university federations - Texas, California, Maryland, etc

• InCommon

UTexas Federation Apps

• Project Tracking (CHA)• Monthly Financial Reporting

(BUD)• TIXX (GOV)• UT Plane (ADM)• Compliance Training (ADM)• Research Projects Tracking

(ACA)

• Academic Affairs Jobs (ACA)

• Degree Programs (ACA)• Grad Registration (ACA)• System Administration

Wireless (OTIS)

• Legal Tracking (OGC)• Parking Management (APS)• Signature Authority (APS)• Bid Specification (OFPC)• Project Time Reporting

(OFPC)• Student Couponing (UT

Austin)• Online Education via

Blackboard (UTHSCH)• Board of Regents Agenda

(BOR) 12/06• Budget Change Request

(BUD) 12/06• UTANOP (BUD) 12/06

InCommon

• US R&E Federation

• www.incommon.org

• Members join a 501(c)3

• Addresses legal, LOA, shared attributes, business proposition, etc issues

• Approximately 50 members and growing

• A low percentage of national Shib use…

InCommon Members 2/27/07

• Case Western Reserve University • Clemson University • Cornell University• Dartmouth • Duke University • Florida State University• Georgetown University• Miami University• New York University • Ohio University • Penn State • Stanford University • Stony Brook University • SUNY Buffalo • The Ohio State University • The University of Chicago • University of Alabama at Birmingham • University of California, Irvine • University of California, Los Angeles • University of California, Merced • University of California, Office of the President • University of California, Riverside • University of California, San Diego

• University of Maryland• University of Maryland Baltimore County• University of Maryland, Baltimore • University of Rochester • University of Southern California • University of Virginia • University of Washington • University of Wisconsin - Madison • Cdigix • EBSCO Publishing • Elsevier ScienceDirect • Houston Academy of Medicine - Texas Medical Center

Library • Internet2 • JSTOR • Napster, LLC • OCLC• OhioLink - The Ohio Library & Information Network • ProtectNetwork • Symplicity Corporation • Thomson Learning, Inc.• Turnitin • WebAssign

Key aspects of InCommon

• Federating software• Shib 1.2+ (other possibilities in the future)

• Shared attributes and schema• eduPerson right now

• Levels of authentication• POP (participant operational practices)• InCommon Bronze and Silver will map to LOA 1 & 2

• Management• Steering committee of members IT executives• Operations staffed by Internet2

Shibboleth

• Shib 1.3 widely deployed; 1.2 still common• Along the way, other capabilities added:

• ADFS compatibility for WS-Fed, (MS $)• Eauthentication certification (with waiver form:))

• Shib 2.0 completes the SAML+Shib integration• More compatible with COTS SAML 2.0 products than

they are with each other• A Shib/SAML to TCP/IP analogy isn’t bad; Shib adds

multi-party federation support through metadata, ARPS, etc.

• Also eases support for n-tier, non-web and other capabilities

• Alpha in April

The Shibboleth 2.0 Sidebar

• Support for the attribute ecosystem• attribute handling, including policy, in both SP and IdP• designed to be reusable for other protocols (eg CardSpace) • sets stage for further work on multiple attribute sources,

reputation management, etc. • All Java SP (in addition to current Java/Apache), easing

integration for some applications• Trust management

• PKI still seems too hard, even at the simpler enterprise level• Supports a broad set of trust choices – CA’s, certs, plain

keys, managing site metadata (naming, acquisition, validating)

• A product of years of painful experience

InCommon Management/Governance

• Steering Committee of campus/vendor CIO’s and policy people – sets policies for membership, business model, etc.

• Technical advisory committee - Sets common member standards for attributes (eduPerson 2.0) , identity management good practices, etc.

InCommon Uses

• Access control to content• Popular content – Ruckus, CDigix, etc• Scholarly content – Google, OCLC WorldCat• Downloads – Microsoft

• Access to external services• Student travel, charitable giving, web learning and testing,

plagiarism testing service, etc.• Allure for alumni services and other internal businesses• Student loans, student testing, graduate school admissions,

etc.• Access to national services

• The National Science Digital Library• The Teragrid pilot

Inter-federation key issues

• Peering, peering, peering• At what size of the globe? • Confederation, overlapping, leveraged

• Tightly coupled autonomous federations

• How do vertical sectors relate? How to relate to a government federation?

• On what policy issues to peer and how?• Legal framework

• Treaties? Indemnification? Adjudication

• How to technically implement• Wide variety of scale issues

• WAYF functionality• Virtual organization support

Virtual Organizations

• The big team science efforts, and smaller collaborations across a broad set of disciplines with real resources to be managed seriously

• Have their own IdM issues• Collaboration tools• Domain science identity management

• Today’s solutions are non-existent, insecure or widely despised…

• Could leverage federated identity for both ease of use and better security

Peering

Parameters:

•LOA•Attribute mapping•Legal structures• Liability• Adjudication•Metadata

•VO Support•Economics•Privacy

VOs plumbed to federations

The Attribute Ecosystem

• We now understand, we think, an overall “attribute ecosystem”• Shibboleth is the real-time transport of

attributes from an IdP to an SP for an authorization decision

• Other, “compile-time” means are used to ship attributes from sources of authority to IdP

• Or to the SP, or to the various middlemen (portals, proxies, etc.)

• And a user needs to be manage all of this

Libraries and Shib in the US

• Not the driver that it is overseas• Content acquisition at local versus national levels

• Poor communication between campus IT management and library management• Many universities have Shib in some form of

deployment; very few use it for library content access• Preference of patron db for authentication and

authorization over central directory services• Failure of Internet2 to publicize the many hybrid

models available (eg IP address on campus, Shib for off campus, with or without SSO)

Libraries and Shib in the US

• Misunderstandings on Shibboleth and privacy• Shibboleth is privacy preserving• Institutions and users can change that

• “Extra step” of authentication• Confusion about the relationship of federations

and licenses• Shibboleth is not worth the work since some form

of IP address control will always be needed• Too many publishers• Additional features not worth the work

The “Stepping Up” Group

• University of Chicago, Penn State University, UCSD, and the University of Maryland System Library Consortium

• InCommon-library-services• Identity issues in technology, user

experience, policy, and practices for access to external licensed resources

• (Identify opportunities for value-added services that leverage infrastructure)

• Report back…

First thoughts…

• Internal SP’s• Different policies for walk-ins and remote• People not in the institutional db – paid

alumni…• PKI management in trust• Students working as RA’s and proxies for

faculty• Looking up ARP’s for various SP

Opportunities

• Integration with repositories• NITLE and its offerings…• NSDL type collaborations• Collaboration tool platforms• New joint licensing possibilities