Guest IdP and Social login
Eefje van der Harst, SURFnet

Once upon a time… in 2010
• SURFfederatie: 50 IdPs & 500k users
• Potential: 160 IdPs, 1.000.000 users

What about non-fed users?
• They wanted to access our services
• Main driver: SURFmedia (video service)
• So we created a guest IdP: SURFguest

SURFguest
• Not part of SURFfederatie
• No trust!
• At first to facilitate access to SURFnet-services only
  – Full member (check: e-mail validation)
  – Member
• But soon it became much more…

Now… almost two years later
• We have a collaboration infrastructure: SURFconext
• With multiple connected collaboration tools
• Guests need access to those services (not just the SURFnet ones anymore)

Key figures 2012
• We have 90 IdPs with 800.000 users (out of a maximum of 160 IdPs and 1.000.000 users)
• SURFguest: already 9.000 users (but not all active)
• SURFmedia is about to stop (end 2012)

Time to rethink our strategy
• SURFguest statistics showed us:
  – % for test purposes
  – % for not-yet-federated users
  – % for ‘real guests’ that are not eligible to join our federation
• If we do not stop it now… are we stuck forever?

Considerations
• Is it our role to deliver a Guest IdP?
• Do users want yet another ID?
• Why not let Social ID providers take on this role?

Decision time
• Keep SURFguest running for SURFnet-guests, but persuade them to run their own IdP:
  – Support team sponsored by SURFnet
  – Commercial Identity-as-a-service providers
• Let ‘real guests’ use one of their Social IDs
• Authorization by SP, use group-membership to support this

Challenges
• What if one of the social ID-providers stops? How can users still access their content?
• How to map multiple (social) IDs?
• Do content licenses allow guest users?
• How to build trust

Eefje.vanderharst[at]surfnet.nl
@evanderharst
Creative Commons “Attribution” license: http://creativecommons.org/licenses/by/3.0/