Access and Identity Management (AIM)

Last updated: 
1 week 1 day ago
Group Manager
Members of the research and education community within the United Kingdom regularly make use of various types of online services, including web-based e-resources, wireless network access, and cloud-based applications. Many of these services require authentication of a user's identity, and many additionally require the release of attributes relating to that identity for authorisation purposes. Access and Identity management technologies and services aim to fulfil this need for robust authentication and authorisation technologies. Jisc either runs or is heavily involved with many major services offered to the UK R&E community in this space such as eduroam, the UK federation, Moonshot, and the Janet Certificate Service. This group exists for those interested in AIM and trust and identity services to discuss the latest developments, keep track of goings-on, and participate in discussions about what the community needs in this area and what Jisc should be offering. (Note that for eduroam, Moonshot, and the Janet Certificate Service specific discussions, these technologies have their own groups on this site). To learn more about Jisc's AIM services, you can see the slides and video of an overview given at Networkshop42.
Log in to request membershipHide group description

Group administrators:

Recent members:

REFEDS and Pez

20 November 2013 at 9:57am

Last week Rhys and I were in Burlingame, near San Francisco, a town no longer just famous for having a Pez museum but now also known as the host of the first Internet2 Identity Week. Given the increasing interest in identity and access management, Internet 2 took the decision to strip all the AIM related content out of their Members Meeting and have a focussed Identity Week this Autumn.

The week kicked off with a REFEDS meeting on Monday that was packed full of interesting items and useful discussions. I’ve attempted to summarise the main points and included links to the presentations, but let me know if you want some more information and I’ll try and flesh out some of my notes.

The “voice of research and education identity federations”, REFEDS was set up 9 years ago to try and ensure interoperability and similar governance as multiple SAML federations began to appear. Nicole Harris provided an update on the current REFEDS work programme:

  • REFEDS discusses relevant issues and establish working groups to address specific items. Work packages must be able to be completed within 12 months or split into smaller chunks that can be.
  • Highlights include:
  • Identity Federation Policy template doc - http://www.terena.org/activities/eurocamp/oct12/slides/Identity%20Federation%20Policy%20Template%20v0.4.pdf
  • A comparison of federation policies is on the REFEDS Wiki
  • Discovery guide - born of “horrendous user experience” on publishers websites 
  • Joint work with GÉANT:  eduGAIN policy, GÉANT Code of Conduct (see below)
  • Defining Baseline Assurance - more difficult than expected. Established federations such as UK federation and InCommon have operating policies/procedures, however these need updating.
  • Working on a new definition of Federating Operators Practice - the technical things Federation Operators do to make federations work – these are companion documents to a federation policy document. The Policy = WHO and WHAT, a Federation Operator’s Procedures (FOP) = HOW.
  • FOP is just 4 practice statements:
    • Metadata Registration Practice Statement
    • Key Management Practice Statement - very few federations have this. What do you do to sign metadata?
    • Assurance Practice Statement - InCommon Silver/Bronze, or more lightweight
    • Monitoring Practice Statement
  • Entity Categories - a way of grouping people based on a judgement of their behaviour.  There’s been lots of discussion on the REFEDS mailing list on developing a ‘Library’ entity category (summarised by Nicole at https://refeds.terena.org/index.php/Entity_Category_Library).
  • PEER (a single 'bucket' of entity metadata so you only need to update it once if in multiple federations) - problem should disappear as eduGAIN grows. REEP is an instance of PEER for R&E.

Then on to a Code of Conduct (CoC) discussion led by Steven Carmody and Valter Nordh:

  • A Code of Conduct has been developed for attribute release between EU          countries (https://refeds.terena.org/index.php/Data_protection_coc)  

  • An international CoC has been proposed as a multi-lateral agreement to which each SP outside EU/EEA and Home Organisation in EU/EEA) commits.

  • The aim of CoC is to increase trust between Home Organisations and Service Providers and to facilitate attribute release.

  • According to Stephen Carmody, the US Safe Harbor agreement specifically  excludes Higher education.
  • An international CoC has to comply with EU model contracts, but bilaterals are not needed - a universal statement can apply.
  • Stephen has asked if the registration page for next April’s Internet 2 Members Meeting will assert compliance with CoC.

As well as specific work packages, another important and useful function of REFEDS is to share updates on what different federations are up to:

  • Canadian Access Federation Chris Phillips
    • Federation in Canarie typically starts from eduroam
    • Looking to do Identity Appliances with FreeRADIUS pre-configured to eduroam and configured for Canadian Access Federation (CAF).
    • Seeing lots of interest from Universities in an Appliance - even from those currently doing federated identity management themselves. Simplifying configuration with best practice set up. – [EDIT: We would be interested in hearing from UK institutions whether you would find a managed service or appliance useful]
  • Australian Access Federation (AAF), Heath Marks
    • AAF is not directly related to AARNET (the Australian NREN), but has close links - has 71 members and 120 Services including publishers, Synchrotrons and HPC sites.
    • Operates on a subscription basis.
    • User support framework - SP Service desk Framework (www.aaf.edu.au/support-framework). 2 prongs helping SPs and IdPs provide support. Includes service scripts, common articles.
    • T0 support - self help - Federation status and targeted help for end users, tech staff and operational staff
    • Service Desk
    • Automated service catalogue
    • Virtual Home
    • Nice UI – http://Dashboard.aaf.edu.au
    • https://manager.aaf.edu.au/federationregistry/
    • Rapid Connect looks interesting - https://rapid.aaf.edu.au/ There’s no need to install a Shibboleth SP on your webserver, natively integrates into commonly used development languages. PaaS solutions like Heroku, Google App Engine and Pagoda become suitable deployment targets for AAF services. Uses JSON web token as a proxy to SAML.
    • Attribute Validator - verifies that accounts have correct attributes – generates a PDF report with green ticks or red crosses so can easily see if something is not being released.
  • InCommon, Ken Klingenstein
    • InCommon is doing eduGAIN: their lawyers are reviewing the eduGAIN agreements now.
    • Looking at binding of parents to children and teachers to children. Creating bindings to comply with COPPA have levels of assurance associated with them.
    • Shibboleth Multi Factor Authentication (MFA) handler - what apps, what devices, what factors, error handling etc. in acceptance testing
    • InCert - lifecycle certificate management client and server.
    • Cross application - eduroam, MFA, Grid, signed email etc
    • Cross platform, Windows, Mac iOS, Android etc in development.
  • SWAMID
    • Policy and metadata roll - 1.0-2.0
    • social2saml.org - a virtual set of IdPs - like a gateway to an SP
    • eduroam throughout Sweden due to buying access via the Cloud
    • www.skolfederation.se - K12 school federation and also eduroam
    • 802.11u and Hotspot2.0 will allow easier  authentication management in a few years
    • Statistics and authentication flows for eduroam and Web SSO via Fticks - http://flog.sunet.se
    • eduID.se –will build a common identity and authentication infrastructure for all students and prospective students at Swedish universities and university colleges.  
      • Will have best in class password management
      • OAUTH OTP support in authN background
      • AL2 process for all students in .SE
      • Will be Kantara certified
      • Pilot kick off 19 November
      • Production Q1 2014
      • https://portal.nordu.net/display/SWAMID/eduID.se
      • github.com/sunet

Other presentations:

  • Twitter logo
  • LinkedIn logo
  • Google+ logo
  • Reddit logo
  • StumbleUpon logo

Comments