Guest IdP and Social login Eefje van der Harst SURFnet Once upon a - - PowerPoint PPT Presentation

Guest IdP and Social login

Eefje van der Harst SURFnet

Once upon a time…in 2010

• SURFfederatie: 50 IdPs & 500k users
• Potential:160 IdPs 1.000.000 users

What about non-fed users?

• They wanted to access our services
• Main driver: SURFmedia (video service)
• So we created a guest IdP:

SURFguest

SURFguest

• Not part of SURFfederatie
• No trust!
• At first to facilitate access to SURFnet-services only

– Full member (check: e-mail validation) – Member

• But soon it became much more…

Now…almost two years later

• We have a collaboration infrastructure:

SURFconext

• With multiple connected collaboration tools
• Guests need access to those services

(not just the SURFnet ones anymore)

Key figures 2012

• We have 90 IdPs with 800.000 users

(out of maximum 160 IdPs and 1.000.000 users)

• SURFguest: already 9.000 users

(but not all active)

• SURFmedia is about to stop

(end 2012)

Time to rethink our strategy

• SURFguest statistics showed us:

% for test purposes % for not-yet-federated users % for ‘real guests’ that are not eligible to join our federation

• If we do not stop it now…are we stuck forever?

Considerations

• Is it our role to deliver a Guest IdP?
• Do users want yet another ID?
• Why not let Social ID providers take up on this

role?

Decision time

• Keep SURFguest running for SURFnet-guests,

but persuade them to run their own IdP:

– Support team sponsored by SURFnet – Commercial Identity-as-a-service providers

• Let ‘real guests’ use one of their Social IDs
• Authorization by SP, use group-membership to

support this

Challenges

• What if one of the social ID-providers stops?

How can users still access their content?

• How to map multiple (social) IDs?
• Do content licenses allow guest users?
• How to build trust

Eefje.vanderharst[at]surfnet.nl @evanderharst Creative Commons “Attribution” license: http://creativecommons.org/licenses/by/3.0/