[PPT] - eID federations APAN 29, February 10th 2010, Sydney David Simonsen PowerPoint Presentation

SLIDE 1

eID federations

David Simonsen APAN 29, February 10th 2010, Sydney

SLIDE 2

Today's menu

eID federations introduction & overview

About WAYF, the Danish eID federation (funding organisation, staff etc.)

Federation architectures (characteristics of three known variations)

Institutional branding (how to put the institutions in the 'front row')

Interactions with government programs for citizen authentication

Legal status (liability, audit requirements)

Legal requirements and solutions

Contractual models for federations (to be 'data processor' or 'data responsible')

Opt-out or opt-in (basic concepts for agreements and federated data flow)

Ease of connecting institutions and services

Single-point-of-contact (enabling one-to-many relations to all participants)

Protocol translation / independence, protocol security

Interfederation (things to consider when interconnecting eID federations)

Extending web single-sign-on (enhancing existing SSO-systems)

Levels of assurance (handling multiple strengths of authentication)

Consent to data exchange (legal aspects, usability, user and dataflow)

SLIDE 3

Introduction & overview

SLIDE 4

What's the problem?

SLIDE 5

What's the problem?

Still more (self)services required

SLIDE 6

What's the problem?

Still more (self)services required
Un-manageble identity management

SLIDE 7

What's the problem?

Still more (self)services required
Un-manageble identity management
Expensive system integration

SLIDE 8

What's the problem?

Still more (self)services required
Un-manageble identity management
Expensive system integration
Privacy regulations

SLIDE 9

What's the problem?

Still more (self)services required
Un-manageble identity management
Expensive system integration
Privacy regulations
Complex and growing protocol landscape

SLIDE 10

What's the problem?

Still more (self)services required
Un-manageble identity management
Expensive system integration
Privacy regulations
Complex and growing protocol landscape
Use external services

SLIDE 11

What's the problem?

Still more (self)services required
Un-manageble identity management
Expensive system integration
Privacy regulations
Complex and growing protocol landscape
Use external services
(Re)use IdM systems

SLIDE 12

What's the problem?

Still more (self)services required
Un-manageble identity management
Expensive system integration
Privacy regulations
Complex and growing protocol landscape
Use external services
(Re)use IdM systems
Standard interfaces

SLIDE 13

What's the problem?

Still more (self)services required
Un-manageble identity management
Expensive system integration
Privacy regulations
Complex and growing protocol landscape
Use external services
(Re)use IdM systems
Standard interfaces
Get started...

SLIDE 14

What's the problem?

Still more (self)services required
Un-manageble identity management
Expensive system integration
Privacy regulations
Complex and growing protocol landscape
Use external services
(Re)use IdM systems
Standard interfaces
Get started...
Speak the lingua franca(s), let others translate

SLIDE 15

If it doesn't simplify life, don't use it

SLIDE 16

What is a federation?

SLIDE 17

SLIDE 18

A circle of trust regarding user information

SLIDE 19 FØD.

SLIDE 20 FØD.

SLIDE 21 FØD.

SLIDE 22 FØD.

SLIDE 23

Who's in here ?

SLIDE 24

Who's in here ?

Services Institutions Users WAYF's legal stuff Browsers User info

SLIDE 25

Basic concept

X

WAYF

2

1

LOGIN

3 1

SLIDE 26

Authorization

Basic concept

X

WAYF

2

1

LOGIN

3 1

SLIDE 27

Basic concept

X

WAYF

2

1

LOGIN 3 1

SLIDE 28

Basic concept

Service X in Australia

X

WAYF

2

1

LOGIN 3 1

SLIDE 29

Basic concept

Service X in Australia Institution 1 in Denmark

X

WAYF

2

1

LOGIN 3 1

SLIDE 30

What stays the same?

SLIDE 31

What stays the same?

Authorisation (access control) at the service

SLIDE 32

What stays the same?

Business relations (where the bill goes to ...)
Authorisation (access control) at the service

SLIDE 33

Growing federations

SLIDE 34

About WAYF

Publicly funded, 750.000 AUD/Year, -> 2012
Started in 2005, higher education
Reached production level in early 2008
3 full time persons, 3 part time developers

SLIDE 35

Sectors connected

~ 900.000 eID's

SLIDE 36

Sectors connected

Universities

~ 900.000 eID's

SLIDE 37

Sectors connected

Universities
University colleges

~ 900.000 eID's

SLIDE 38

Sectors connected

Universities
University colleges
High Schools

~ 900.000 eID's

SLIDE 39

Sectors connected

Universities
University colleges
High Schools
All public school pupils (testing, no decision yet)

~ 900.000 eID's

SLIDE 40

Sectors connected

Universities
University colleges
High Schools
All public school pupils (testing, no decision yet)
Ministries, government agencies

~ 900.000 eID's

SLIDE 41

Sectors connected

Universities
University colleges
High Schools
All public school pupils (testing, no decision yet)
Ministries, government agencies
State institutions (libraries, museums etc.)

~ 900.000 eID's

SLIDE 42

Sectors connected

Universities
University colleges
High Schools
All public school pupils (testing, no decision yet)
Ministries, government agencies
State institutions (libraries, museums etc.)
Citizen eID (banking ID) (~ 3.4 million eIDs)

~ 900.000 eID's

SLIDE 43

Federation architectures

SLIDE 44

Shibboleth

X Y

WAYF WAYF

2

login

1

login

Services Institutions

WAYF

SLIDE 45

FEIDE, Norway

WAYF

X

Services

Y

Institutions

2 1

login

SLIDE 46

Denmark, Holland, Spain ...

WAYF

X

Services

Y

Institutions

2

login

1

login

SLIDE 47

Denmark, Holland, Spain ...

WAYF

X

Services

Y

Institutions

2

login

1

login

IdP-list at service: SAML2-scoping

SLIDE 48

SSL tunnels, data encryption possible

WAYF

3 4 IDP LOGIN

Service Institution

SP 1 2 1 - AuthN. req. Encrypted (SSL), signed 2 - Encrypted (SSL), signed 3 - Encrypted (SSL), not signed (yet) 4 - Encrypted (SSL), signed

Trusted Third Party == 'man in the middle' (with Alzheimer)

X WAYF

3

1 LOGIN Service Institution 1 2

SLIDE 49

Ease of connecting

SLIDE 50

Single point of contact

WAYF

X

Services

Y

Institutions

2

login

1

login

SLIDE 51

Single point of contact

WAYF

X

Services

Y

Institutions

2

login

1

login

SLIDE 52

Single point of contact

WAYF

X

Services

Y

Institutions

2

login

1

login

No metadata management

SLIDE 53

Shibboleth

X Y

WAYF WAYF

2

login

1

login

Services Institutions

WAYF

SLIDE 54

Shibboleth

X Y

WAYF WAYF

2

login

1

login

Services Institutions

WAYF

Metadata management

SLIDE 55 WAYF Institutions NIAS Aarhus Uni - CMS AULA (elæring) Bibliotek.dk Base13 Brugeoprettelse, SB Cambridge Uni Press Connect, F-net Dansk reklamefilm Dermatologi-atlas KB MS Dreamspark Elsevier eduMedia Erhvervsjura Filesender Fronter Forlaget Andersen Foodle IT-sikkerhedsquiz Gyldendal Google Apps

Fed. desktop

MSDNAA Metapress JobZippers Ordbogen.com PU:RE Scribo WAYF samtykker 35.000

75.000

130.000

20.000

55.000 100.000 100.000 30.000 15.000 45.000 140.000

40.000
40.000

90.000 15.000 35.000

15.000

30.000 30.000 15.000

40.000

60.000 Total integration cost: 1234567890 Aalborg Uni 50.000 Services Aarhus Uni 30.000 CBS 40.000 DTU 45.000 Islands Uni 70.000 IT Universitetet 40.000 Københavns Uni 65.000 Reykjaviks Uni

RUC

25.000 Syddansk Uni 25.000 Ingeniørskolen, Århus 15.000 UC Vest 35.000 UC Syd 38.000 UC Sjælland 35.000 UC Lillebælt 35.000 UC Nordjylland 35.000 UC Capital 50.000

Prof. Metropol

60.000 Ingeniørskolen, Kbh 35.000 UC VIA 35.000 Det Kongelige Bibliotek 35.000 Tietgenskolen 35.000 Kbh's erhvervsakademi 45.000 Erhvervsakademiet i Århus 35.000 Ålborg Handelsskole 35.000 Nykøbing Katedralskole 35.000 IT Servicefællesskabet 35.000 IT Center Fyn 35.000 Dronninglynd gymnasium 35.000 Statsbiblioteket 35.000 Nota 35.000 UniLogin 60.000 UNI-IT 50.000 NemLogin 120.000 Nationalmuseet 35.000 Kunstakademiet 35.000 Integration cost saved: 1234567890

SLIDE 56

Attribute release policies

SLIDE 57

SLIDE 58

SLIDE 59

Differentiated ARP's

X Y

WAYF WAYF

2

login

1

login

Services Institutions

WAYF

SLIDE 60

Differentiated ARP's

X Y

WAYF WAYF

2

login

1

login

Services Institutions

WAYF

Reduced negotiation power

SLIDE 61

Single attribute release policy

SLIDE 62

Single attribute release policy

One Attribute Release Policy per service

WAYF

X

Services

Y

Institutions

2

login

1

login

SLIDE 63

Branding

SLIDE 64

Institutional branding

SLIDE 65

Institutional branding

SLIDE 66

Institutional branding

SLIDE 67

Institutional branding

SLIDE 68

Institutional branding

WAYF

X

Services

Y

Institutions

2

login

1

login WAYF X

Services

Y

Institutions

2 1

login

SLIDE 69

Extending single-sing-on

SLIDE 70

WAYF

X

Services

Y

Institutions

2

login

1

login

Extending single-sing-on

SLIDE 71

WAYF

X

Services

Y

Institutions

2

login

1

login

Extending single-sing-on

SLIDE 72

WAYF

X

Services

Y

Institutions

2

login

1

login

Extending single-sing-on

SLIDE 73

WAYF

X

Services

Y

Institutions

2

login

1

login

Extending single-sing-on

HEIMAT - transparent login to federation from local SSO

SLIDE 74

The LMS as dashboard

Service collections,

also external services, via federated access

SLIDE 75

The LMS as dashboard

Service collections,

also external services, via federated access

SLIDE 76

Citizens' login service

SLIDE 77

Citizens' login

All >18 years (with a bank account)
3.5 mio people (out of 5.5 mio)

DK bank login Citizens' login service

Commercial services Public/gov services

SLIDE 78

Citizens' login

All >18 years (with a bank account)
3.5 mio people (out of 5.5 mio)

DK bank login Citizens' login service

Commercial services Public/gov services

SLIDE 79

External (strong) authentication

WAYF

X

Services

Y

Institutions

2

login

1

login

SLIDE 80

External (strong) authentication

WAYF

X

Services

Y

Institutions

2

login

1

login

SLIDE 81

External (strong) authentication

WAYF

X

Services

Y

Institutions

2

login

1

login

SLIDE 82

External (strong) authentication

WAYF

X

Services

Y

Institutions

2

login

1

login

Enrolment of students Password reset self service Expensive services ...

SLIDE 83

Level of Assurance

Classification of authentication strength
Classification of trust-levels

SLIDE 84

Strength of authentication

Initial authentication
Login session
Follow national / EU / USA standard ?

SLIDE 85

Shibboleth

X Y

WAYF WAYF

2

login

1

login

Services Institutions

WAYF

SAML1.1 SAML 2 Shib 1.2 Shib 1.3 Shib 2

SLIDE 86

Protocol translation

WAYF

X

Services

Y

Institutions

2 1

SAML2 Shib 1.3 SAML2 CAS

SLIDE 87

Protocol translation

WAYF

X

Services

Y

Institutions

2 1

SAML2 Shib 1.3 SAML2 CAS

s i m p l e S A M L p h p i n s i d e

http://rnd.feide.no/simplesamlphp

SLIDE 88

Multi-protocol support

SAML 2.0 as Service Provider

SAML 2.0 as Identity Provider
Shiboleth 1.3 as Service Provider
Shiboleth 1.3 as Identity Provider
A-Select as Service Provider
A-Select as Identity Provider
CAS for remote authentication
OpenID Provider support (experimental)
OpenID Consumer support (experimental)
WS-Federation as a Service Provider
LDAP, Multi-LDAP
SQL
InfoCard
PAPI as Service Provider
PAPI as Identity Provider

SLIDE 89

SAML2 profiles

SLIDE 90

SAML2 profiles

SLIDE 91

SAML2 profiles

http://saml2int.org/

SLIDE 92

Attributes

SLIDE 93

$

SLIDE 94

Attribute release profiles

SLIDE 95

Set or calculated attributes

SLIDE 96

Set or calculated attributes

(Schac)HomeOrg (ruc.dk)

WAYF X

Services

Y

Institutions

2 login 1 login

SLIDE 97

Set or calculated attributes

(Schac)HomeOrg (ruc.dk)
(Schac)YearOfBirth

WAYF X

Services

Y

Institutions

2 login 1 login

SLIDE 98

Set or calculated attributes

(Schac)HomeOrg (ruc.dk)
(Schac)YearOfBirth
(eduPerson)TargetedID

WAYF X

Services

Y

Institutions

2 login 1 login

SLIDE 99

SchacHomeOrg

SLIDE 100

SchacHomeOrg

WAYF

X

Services

Y

Institutions

2

login

1

login

Inst2.dk

SLIDE 101

Targeted ID's

SLIDE 102

Targeted ID's

SLIDE 103

Targeted ID's

SLIDE 104

Targeted ID's

WAYF

Result

X Y

1

p7Herw39Jkybg& a97kll32JHJJH2 Attributtes

Formula Userdata

SLIDE 105

Shibboleth, TargetedID

X Y

WAYF WAYF

2

login

1

login

Services Institutions

WAYF

SLIDE 106

Shibboleth, TargetedID

X Y

WAYF WAYF

2

login

1

login

Services Institutions

WAYF

SLIDE 107

Attribute aggregation

SP Virtual IdP / attribut collector for CPH Uni IdP 1 CPH Uni WAYF Login 1 2 3 4 5 6 8 9 12 13 14 7 IdP 2 University Library Login 10 11

SpringFika (attribute aggregation)

http://code.google.com/p/springfika/

SLIDE 108

Attribute mapping

WAYF

X

Services

Y

Institutions

2

login

1

login

OID's

urn:oid:2.5.4.42

URN's

urn:mace:dir:attribute-def:givenName

Employee Staff <- Meaning -> <- Format ->

SLIDE 109

The users' consent

SLIDE 110

Users’ informed consent to exchange of personal data

SLIDE 111

Users’ informed consent to exchange of personal data

SLIDE 112

Principles for data exchange

SLIDE 113

Principles for data exchange

Transparency

SLIDE 114

Principles for data exchange

Transparency Legitimate purpose

SLIDE 115

Principles for data exchange

Transparency Legitimate purpose Proportionality

SLIDE 116

Users’ informed consent

The consent must be:

SLIDE 117

Users’ informed consent

The consent must be:

Volentary (no arm-twisting)

SLIDE 118

Users’ informed consent

The consent must be:

Volentary (no arm-twisting)
Specific (one purpose)

SLIDE 119

Users’ informed consent

The consent must be:

Volentary (no arm-twisting)
Specific (one purpose)
Informed (understandable)

SLIDE 120

Users’ informed consent

The consent must be:

Volentary (no arm-twisting)
Specific (one purpose)
Informed (understandable)

Qui tacet concentire videtur?

SLIDE 121

Users’ informed consent

The consent must be:

Volentary (no arm-twisting)
Specific (one purpose)
Informed (understandable)

Qui tacet concentire videtur?

NO!

SLIDE 122

Volentary

If you do not consent we will take your money

SLIDE 123

Volentary

If you do not consent we will take your money

W R O N G

SLIDE 124

Volentary

If you do not consent we will take your money

W R O N G

Do you consent to sending a personal pseudonym (non-identifiable pointer) to Microsoft?

SLIDE 125

Volentary

If you do not consent we will take your money

W R O N G

Do you consent to sending a personal pseudonym (non-identifiable pointer) to Microsoft?

R i g h t

SLIDE 126

Specific

All services may recieve your email-adress

SLIDE 127

Specific

All services may recieve your email-adress

W R O N G

SLIDE 128

Fraunhofer Inst. will recieve your email-adress

Specific

All services may recieve your email-adress

W R O N G

SLIDE 129

Fraunhofer Inst. will recieve your email-adress

Specific

All services may recieve your email-adress

W R O N G

R i g h t

SLIDE 130

Informed

If you do not consent we will not not decline from not delivering no services

SLIDE 131

Informed

If you do not consent we will not not decline from not delivering no services

W R O N G

SLIDE 132

If you do not consent you will not get access

Informed

If you do not consent we will not not decline from not delivering no services

W R O N G

SLIDE 133

If you do not consent you will not get access

Informed

If you do not consent we will not not decline from not delivering no services

W R O N G

R i g h t

SLIDE 134

Shibboleth, consent

X Y

WAYF WAYF

2

login

1

login

Services Institutions

WAYF

SLIDE 135

Shibboleth, consent

X Y

WAYF WAYF

2

login

1

login

Services Institutions

WAYF

SLIDE 136

Central consent service

WAYF

X

Services

Y

Institutions

CONSENT

2

login

1

login

SLIDE 137

Central consent service

WAYF

X

Services

Y

Institutions

CONSENT

2

login

1

login CONSENT withdrawel

SLIDE 138

Opt-out

SLIDE 139

Opt-out

WAYF

X

Services

Y

Institutions

2

login

1

login

+ +

SLIDE 140

Opt-out

WAYF

X

Services

Y

Institutions

2

login

1

login

+

SLIDE 141

Opt-out

WAYF

X

Services

Y

Institutions

2

login

1

login

JANUS - Joint Administration Netbased User Selfservice http://sites.google.com/site/simplesamlphpam/

+

SLIDE 142

Paper work

SLIDE 143

Entering the jungle...

SLIDE 144

Entering the jungle...

Federation policy and interfederation policies

SLIDE 145

Entering the jungle...

Federation policy and interfederation policies
Agreements

SLIDE 146

Entering the jungle...

Federation policy and interfederation policies
Contracts and contractual relations
Agreements

SLIDE 147

Entering the jungle...

Federation policy and interfederation policies
Contracts and contractual relations
Agreements
Users’ consent

SLIDE 148

Entering the jungle...

Memorandums of Understanding (MoU’s)
Federation policy and interfederation policies
Contracts and contractual relations
Agreements
Users’ consent

SLIDE 149

Entering the jungle...

Memorandums of Understanding (MoU’s)
Federation policy and interfederation policies
Contracts and contractual relations
Agreements
Charters
Users’ consent

SLIDE 150

Federation policy - liability

X Y

WAYF WAYF

2

login

1

login

Services Institutions

WAYF

SLIDE 151

Federation policy - liability

X Y

WAYF WAYF

2

login

1

login

Services Institutions

WAYF

Partners Members Members Partners

SLIDE 152

Legal status - liability

SLIDE 153

WAYF

X

Services

Y

Institutions

2

login

1

login

Legal status - liability

Data controller Data controller

SLIDE 154

WAYF

X

Services

Y

Institutions

2

login

1

login

Legal status - liability

Data processor Data controller Data controller

SLIDE 155

Contracts

SLIDE 156

Contracts

Bi-lateral, between legal bodies

SLIDE 157

Contracts

Defines responsabilities, duties, court, etc.
Bi-lateral, between legal bodies

SLIDE 158

Contracts

Defines responsabilities, duties, court, etc.
Bi-lateral, between legal bodies
What is your legal entity?
for the institutions
for the federation?

SLIDE 159

Contracts

Defines responsabilities, duties, court, etc.
Bi-lateral, between legal bodies
What is your legal entity?
for the institutions
for the federation?
All Swedish universities is ONE legal entity?

SLIDE 160

Interfederation

SLIDE 161 FØD.

SLIDE 162 FØD.

SLIDE 163 FØD.

SLIDE 164 FØD.

SLIDE 165 FØD.

SLIDE 166 FØD.

SLIDE 167 FØD.

SLIDE 168 X WAYF Y WAYF WAYF 2 login 1 login

Easy inter-federation

WAYF X Y 2 1 login WAYF X Y 2 login 1 login

O n e I d P O n e I d P

SLIDE 169 INSTITUTIONS Inst A Inst B Inst C Inst D Inst E Inst F Inst G Inst H Inst I Inst J Inst K Inst N Inst S SERVICES Service 1 Service 7 Service 11 Service 15

Kalmar Union

Metadata aggregate

WAYF, Denmark INSTITUTIONS Inst A Inst B Inst C Inst D Inst E Inst F SERVICES Service 1 Service 2 Service 3 Service 4 FEIDE, Norway INSTITUTIONS Inst G Inst H Inst I Inst J Inst K SERVICES Service 5 Service 6 Service 7 Service 8 HAKA, Finland INSTITUTIONS InstL Inst M Inst N Inst O Inst P SERVICES Service 13 Service 14 Service 15 Service 16 SWAMI, Sweden INSTITUTIONS Inst Q Inst R Inst S Inst T Inst U SERVICES Service 9 Service 10 Service 11 Service 12

SLIDE 170

www.kalmar2.org

SLIDE 171

Future work

SLIDE 172

Future work

What if a service never authorizes users from IdP X?

SLIDE 173

Future work

What if a service never authorizes users from IdP X?
What if an institution opt’ed out for SP 1?

SLIDE 174

Future work

What if a service never authorizes users from IdP X?
What if an institution opt’ed out for SP 1?
Why should users trust the trusted third party?