Introducing the zoo of paper beasts
David Simonsen, WAYF, david@wayf.dk
Today’s walk in the zoo
• Federation policy and interfederation policies
• Agreements
• Contracts and contractual relations
• Users’ consent
• Attribute Release Policies (ARPs)
• Memorandums of Understanding (MoUs)
• Charters
What is a federation?
A circle of trust
What is an IdP (identity provider)? The authenticating and attribute-releasing entity
What is an SP (service provider)? The attribute-consuming entity
Federation goals
• Scalable and better access management
• Scalable and better identity management
• More services to the users, and vice versa
• Better services
[Figure: map of federations, labelled (USA), FØD. and (AU)]
[Figure: Basic concept. Services 1, 2, 3 and institution X connected through WAYF; LOGIN flow, then authorisation]
[Figure: Loosely coupled, Shibboleth. Institutions run Shib-IdPs, services run Shib-SPs; the CENTRAL WAYF hub sits between them and handles login and CONSENT]
[Figure: POLICY. The same loosely coupled diagram with the policy layer overlaid]
Contracts
• Bi-lateral, between legal bodies
• Defines responsibilities, duties, court, etc.
• What is your legal entity?
  • for the institutions?
  • for the federation?
• Are all Swedish universities ONE legal entity?
[Figure: the Loosely coupled, Shibboleth and POLICY diagrams shown again: institutions with Shib-IdPs, services with Shib-SPs, CENTRAL WAYF hub with login and CONSENT]
[Figure: Central login. Services 1, 2, 3 use SAML2 against one central LOGIN service, which authenticates users over LDAP at institutions X, Y, Z; the central login is the data responsible; contracts with the institutions]
[Figure: Decentral login. Institutions X, Y, Z each run their own LOGIN (UN/Passwd, X.509, possibly OTP) for services 1, 2, 3; a trusted 3rd party and an agreement between the parties; the central party is a data processor; contracts]
Attribute Release Policies
The personal information the service gets
[Figure: Metadata distribution from the WAYF hub to Shib-IdPs (institutions X, Y, Z) and Shib-SPs (services 1, 2, 3), with a single one-size ARP and CONSENT at the hub]
Users’ informed consent to exchange of personal data
EU directive
It concerns us all...
Directive 95/46/EC of the European Parliament and of the Council of 24 October 1995 on the protection of individuals with regard to the processing of personal data and on the free movement of such data
Principles for data exchange
• Transparency
• Legitimate purpose
• Proportionality
The consent must be...
• Voluntary (no arm-twisting)
• Specific (one purpose)
• Informed (understandable)
Voluntary
WRONG: If you do not consent we will say ‘NI’
RIGHT: Do you consent to sending a personal pseudonym (non-identifiable pointer) to Microsoft?
Specific
WRONG: All services may receive your email address
RIGHT: BBC will receive your email address
Informed
WRONG: If you do not consent we will not not decline from not delivering no services
RIGHT: If you do not consent you will not get access
Consent in a Shib-federation
[Figure: the CONSENT step at the WAYF hub, between each institution’s Shib-IdP and each service’s Shib-SP]
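The CONSENT step at the hub, as an added example (Python; not code from the talk or from WAYF). It applies the ARP for the requesting service and then checks that the user has consented to exactly that release for exactly that service, so the three requirements from the slides hold: declining sends nothing and access is refused (voluntary), consent is recorded per service and never as "all services" (specific), and the prompt names the one service and the exact attributes (informed). Entity IDs, the user and the attribute values are constructed sample data; `ReleaseDecision`, `ConsentStore` and `release_attributes` are names this example introduces.

```python
"""Attribute release with per-service user consent at a federation hub.

Added example, not code from the talk or from WAYF. Entity IDs, users and
attribute values are constructed sample data; the class and function names
are this example's own, not a Shibboleth or WAYF API.
"""
from dataclasses import dataclass


@dataclass
class ReleaseDecision:
    granted: bool      # True only if attributes may be sent and access given
    attributes: dict   # the attributes the hub will forward to the SP
    reason: str        # short explanation for logging / the user


class ConsentStore:
    """Consent is keyed by (user, service): 'specific' means one purpose,
    so consent given for one SP never carries over to another SP."""

    def __init__(self):
        self._records = {}

    def record(self, user, sp_entity_id, attribute_names):
        self._records[(user, sp_entity_id)] = frozenset(attribute_names)

    def lookup(self, user, sp_entity_id):
        return self._records.get((user, sp_entity_id))


def consent_prompt(sp_entity_id, attributes):
    """'Informed': name the one service and list exactly what it receives,
    in plain words, rather than 'all services may receive...'."""
    lines = [f"Do you consent to sending the following to {sp_entity_id}?"]
    lines += [f"  {name}: {attributes[name]}" for name in sorted(attributes)]
    lines.append("If you do not consent you will not get access.")
    return "\n".join(lines)


def release_attributes(user, idp_attributes, sp_entity_id, arp, consent):
    """Decide what the hub may forward to this SP for this login."""
    # 1. ARP: only the attributes the policy allows for this particular SP.
    allowed = arp.get(sp_entity_id)
    if allowed is None:
        return ReleaseDecision(False, {}, "no ARP entry for this service")
    candidate = {k: v for k, v in idp_attributes.items() if k in allowed}

    # 2. 'Specific': consent is looked up for this user and this SP only.
    consented = consent.lookup(user, sp_entity_id)
    if consented is None:
        # 'Voluntary': nothing consented, nothing sent; the login simply
        # does not proceed. No arm-twisting and no partial release.
        return ReleaseDecision(False, {}, "consent required")

    # 3. Consent must cover every attribute about to be sent. If the ARP was
    #    widened later, the old consent is stale and the user is asked again
    #    instead of the extra attribute being released silently.
    if not set(candidate) <= consented:
        return ReleaseDecision(False, {}, "consent outdated, re-ask user")
    return ReleaseDecision(True, candidate, "released")


# Constructed sample data: two services with different ARPs, one user.
SAMPLE_ARP = {
    "https://sp.bbc.example/shibboleth": {"mail"},
    "https://sp.library.example/shibboleth": {"eduPersonScopedAffiliation"},
}
SAMPLE_IDP_ATTRIBUTES = {
    "eduPersonPrincipalName": "alice@uni.example",
    "mail": "alice@uni.example",
    "eduPersonScopedAffiliation": "student@uni.example",
}


def demo():
    """Walk one user through the cases; returns the three decisions."""
    store = ConsentStore()
    bbc = "https://sp.bbc.example/shibboleth"
    library = "https://sp.library.example/shibboleth"
    before = release_attributes("alice", SAMPLE_IDP_ATTRIBUTES, bbc, SAMPLE_ARP, store)
    # The user reads the prompt and consents to this one service only.
    store.record("alice", bbc, ["mail"])
    after = release_attributes("alice", SAMPLE_IDP_ATTRIBUTES, bbc, SAMPLE_ARP, store)
    # Consent for BBC says nothing about the library: refused until asked.
    other = release_attributes("alice", SAMPLE_IDP_ATTRIBUTES, library, SAMPLE_ARP, store)
    return before, after, other


if __name__ == "__main__":
    print(consent_prompt("https://sp.bbc.example/shibboleth", {"mail": "alice@uni.example"}))
    for decision in demo():
        print(decision)
```

Keying the consent record by service is what makes the "Specific" slide enforceable in code: a one-size ARP at the hub can still be combined with consent that is given one service at a time, and a later widening of the ARP for a service invalidates the stored consent rather than silently sending more.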
Hub-and-spoke
[Figure: services 1, 2, 3 and institutions X, Y, Z, each connected only to the central hub]
Interfederation
[Figure: map of federations, labelled (USA), FØD. and (AU), linked by interfederation]
Connecting federations
• Confederate
• Cross federate
• Interfederate
• Unite
Recommendations
• Use (expensive) lawyers (do not let the lawyers write your code - and don’t write their code)
Recommend
More recommend