SLIDE 1
Introducing the zoo of paper beasts
David Simonsen, WAYF, david@wayf.dk
Introducing the zoo of paper beasts David Simonsen, WAYF, - - PowerPoint PPT Presentation
Introducing the zoo of paper beasts David Simonsen, WAYF, - - PowerPoint PPT Presentation
Introducing the zoo of paper beasts David Simonsen, WAYF, david@wayf.dk Todays walk in the zoo Todays walk in the zoo Federation policy and interfederation policies Todays walk in the zoo Federation policy and interfederation
SLIDE 2
SLIDE 3
Today’s walk in the zoo
- Federation policy and interfederation policies
SLIDE 4
Today’s walk in the zoo
- Federation policy and interfederation policies
- Agreements
SLIDE 5
Today’s walk in the zoo
- Federation policy and interfederation policies
- Contracts and contractual relations
- Agreements
SLIDE 6
Today’s walk in the zoo
- Federation policy and interfederation policies
- Contracts and contractual relations
- Agreements
- Users’ consent
SLIDE 7
Today’s walk in the zoo
- Federation policy and interfederation policies
- Contracts and contractual relations
- Attribute Release Policies (ARP’s)
- Agreements
- Users’ consent
SLIDE 8
Today’s walk in the zoo
- Memorandums of Understanding (MoU’s)
- Federation policy and interfederation policies
- Contracts and contractual relations
- Attribute Release Policies (ARP’s)
- Agreements
- Users’ consent
SLIDE 9
Today’s walk in the zoo
- Memorandums of Understanding (MoU’s)
- Federation policy and interfederation policies
- Contracts and contractual relations
- Attribute Release Policies (ARP’s)
- Agreements
- Charters
- Users’ consent
SLIDE 10
What is a federation?
SLIDE 11
A circle of trust
SLIDE 12
What is an IdP?
(identity provider)
Authentication and attribute releasing entity
SLIDE 13
What is an SP?
(service provider)
Attribute consuming entity
SLIDE 14
Federation goals
SLIDE 15
Federation goals
- Scalable and better access management
SLIDE 16
Federation goals
- Scalable and better access management
- Scalable better identity management
SLIDE 17
Federation goals
- Scalable and better access management
- More services to the users - and vv.
- Scalable better identity management
SLIDE 18
Federation goals
- Scalable and better access management
- More services to the users - and vv.
- Better services
- Scalable better identity management
SLIDE 19
FØD. (USA) (AU)
SLIDE 20
Basic concept
X
WAYF
- 3
1
LOGIN
Service Institution
1 2
SLIDE 21
Authorisation
Basic concept
X
WAYF
- 3
1
LOGIN
Service Institution
1 2
SLIDE 22
Shib- IdP CONSENT Shib- IdP CONSENT Service Shib-SP WAYF Service Shib-SP WAYF CENTRAL WAYF login login
Services Institutions
Loosely coupled, Shibboleth
SLIDE 23
Shib- IdP CONSENT Shib- IdP CONSENT Service Shib-SP WAYF Service Shib-SP WAYF CENTRAL WAYF login login
Services Institutions
Loosely coupled, Shibboleth
SLIDE 24
Shib- IdP CONSENT Shib- IdP CONSENT Service Shib-SP WAYF Service Shib-SP WAYF CENTRAL WAYF login login
Services Institutions
POLICY
SLIDE 25
Contracts
SLIDE 26
Contracts
- Bi-lateral, between legal bodies
SLIDE 27
Contracts
- Defines responsabilities, duties, court, etc.
- Bi-lateral, between legal bodies
SLIDE 28
Contracts
- Defines responsabilities, duties, court, etc.
- Bi-lateral, between legal bodies
- What is your legal entity?
- for the institutions
- for the federation?
SLIDE 29
Contracts
- Defines responsabilities, duties, court, etc.
- Bi-lateral, between legal bodies
- What is your legal entity?
- for the institutions
- for the federation?
- All Swedish universities is ONE legal entity?
SLIDE 30
Shib- IdP CONSENT Shib- IdP CONSENT Service Shib-SP WAYF Service Shib-SP WAYF CENTRAL WAYF login login
Services Institutions
Loosely coupled, Shibboleth
SLIDE 31
Shib- IdP CONSENT Shib- IdP CONSENT Service Shib-SP WAYF Service Shib-SP WAYF CENTRAL WAYF login login
Services Institutions
POLICY
SLIDE 32
Shib- IdP CONSENT Shib- IdP CONSENT Service Shib-SP WAYF Service Shib-SP WAYF CENTRAL WAYF login login
Services Institutions
POLICY
SLIDE 33
Central login
X
1 2 3
Services
Y Z
Institutions
LOGIN LDAP LDAP LDAP SAML2
SLIDE 34
Central login
X
1 2 3
Services
Y Z
Institutions
LOGIN LDAP LDAP LDAP SAML2
SLIDE 35
Central login
X
1 2 3
Services
Y Z
Institutions
LOGIN LDAP LDAP LDAP SAML2
D a t a r e s p
- n
s i b l e
SLIDE 36
Central login
X
1 2 3
Services
Y Z
Institutions
LOGIN LDAP LDAP LDAP SAML2
Contracts D a t a r e s p
- n
s i b l e
SLIDE 37
Decentral login
X 1 2
Services
Y Z
Institutions
Trusted 3rd party
3
UN/Passwd X.509 OTP LOGIN
Possible agreement
LOGIN LOGIN
SLIDE 38
Decentral login
X 1 2
Services
Y Z
Institutions
Trusted 3rd party
3
UN/Passwd X.509 OTP LOGIN
Possible agreement
LOGIN LOGIN
SLIDE 39
Decentral login
X 1 2
Services
Y Z
Institutions
Trusted 3rd party
3
UN/Passwd X.509 OTP LOGIN
Possible agreement
LOGIN LOGIN
SLIDE 40
Decentral login
X 1 2
Services
Y Z
Institutions
Trusted 3rd party
3
UN/Passwd X.509 OTP LOGIN
Possible agreement
LOGIN LOGIN
Data processor
SLIDE 41
Decentral login
X 1 2
Services
Y Z
Institutions
Trusted 3rd party
3
UN/Passwd X.509 OTP LOGIN
Possible agreement
LOGIN LOGIN
Data processor Contracts
SLIDE 42
Attribute Release Policies
The personal information the service gets
SLIDE 43
Attribute Release Policies
The personal information the service gets
Shib- IdP CONSENT Shib- IdP CONSENT Shib-SP WAYF Shib-SP WAYF WAYFMetadata distribution
SLIDE 44
Attribute Release Policies
The personal information the service gets
Shib- IdP CONSENT Shib- IdP CONSENT Shib-SP WAYF Shib-SP WAYF WAYF X 1 2 Y Z 3Metadata distribution ARP (one-size)
SLIDE 45
Users’ informed consent to exchange of personal data
SLIDE 46
Users’ informed consent to exchange of personal data
SLIDE 47
EU directive
Directive 95/46/EC of the European Parliament and of the Council of 24 October 1995 on the protection of individuals with regard to the processing
- f personal data and on the free
movement of such data
SLIDE 48
EU directive
Directive 95/46/EC of the European Parliament and of the Council of 24 October 1995 on the protection of individuals with regard to the processing
- f personal data and on the free
movement of such data
It conserns us all...
SLIDE 49
Principles for data exchange
SLIDE 50
Principles for data exchange
Transparency
SLIDE 51
Principles for data exchange
Transparency Legitimate purpose
SLIDE 52
Principles for data exchange
Transparency Legitimate purpose Proportionality
SLIDE 53
The consent must be...
SLIDE 54
The consent must be...
Volentary (no arm-twisting)
SLIDE 55
The consent must be...
Volentary (no arm-twisting) Specific (one purpose)
SLIDE 56
The consent must be...
Volentary (no arm-twisting) Informed (understandable) Specific (one purpose)
SLIDE 57
Volentary
If you do not consent we will say ‘NI’
SLIDE 58
Volentary
If you do not consent we will say ‘NI’
WRONG
SLIDE 59
Volentary
If you do not consent we will say ‘NI’
WRONG
Do you consent to sending a personal pseudonym (non-identifiable pointer) to Microsoft?
SLIDE 60
Volentary
If you do not consent we will say ‘NI’
WRONG
Do you consent to sending a personal pseudonym (non-identifiable pointer) to Microsoft?
R i g h t
SLIDE 61
Specific
All services may recieve your email-adress
SLIDE 62
Specific
All services may recieve your email-adress
WRONG
SLIDE 63
BBC will recieve your email-adress
Specific
All services may recieve your email-adress
WRONG
SLIDE 64
BBC will recieve your email-adress
Specific
All services may recieve your email-adress
WRONG
R i g h t
SLIDE 65
Informed
If you do not consent we will not not decline from not delivering no services
SLIDE 66
Informed
If you do not consent we will not not decline from not delivering no services
WRONG
SLIDE 67
If you do not consent you will not get access
Informed
If you do not consent we will not not decline from not delivering no services
WRONG
SLIDE 68
If you do not consent you will not get access
Informed
If you do not consent we will not not decline from not delivering no services
WRONG
R i g h t
SLIDE 69
Consent in a Shib-føderation
Shib- IdP C O N S E N T Shib- IdP C O N S E N T Shib-SP WAYF Shib-SP WAYF WAYF
SLIDE 70
Hub-and-spoke
X 1 2
Services
Y Z
Institutions
3
SLIDE 71
Interfederation
SLIDE 72
Interfederation
FØD. (USA) (AU)
SLIDE 73
Interfederation
FØD. (USA) (AU)
SLIDE 74
Interfederation
FØD. (USA) (AU)
SLIDE 75
Interfederation
FØD. (USA) (AU)
SLIDE 76
Interfederation
FØD. (USA) (AU)
SLIDE 77
Connecting federations
SLIDE 78
Connecting federations
Confederate
SLIDE 79
Connecting federations
Confederate Cross federate
SLIDE 80
Connecting federations
Confederate Cross federate Interfederate
SLIDE 81
Connecting federations
Confederate Cross federate Interfederate Unite
SLIDE 82
Connecting federations
Confederate Cross federate Interfederate Unite
SLIDE 83
Connecting federations
Confederate Cross federate Interfederate Unite
SLIDE 84
Connecting federations
Confederate Cross federate Interfederate Unite
SLIDE 85
SLIDE 86
SLIDE 87
Recommendations
SLIDE 88
Recommendations
Use (expensive) lawyers
(do not let the lawyers write your code - and don’t write their code)
SLIDE 89
Recommendations
Use (expensive) lawyers
(do not let the lawyers write your code - and don’t write their code)
Talk to data and consumer protection agencies
SLIDE 90
Recommendations
Use (expensive) lawyers
(do not let the lawyers write your code - and don’t write their code)
Talk to data and consumer protection agencies Define your federations’ legal body
SLIDE 91
Recommendations
Use (expensive) lawyers
(do not let the lawyers write your code - and don’t write their code)
Talk to data and consumer protection agencies Define your federations’ legal body http://www.jisclegal.ac.uk/access/index.html