Introducing the zoo of paper beasts

  1. Introducing the zoo of paper beasts David Simonsen, WAYF, david@wayf.dk

  2-9. Today’s walk in the zoo
  • Federation policy and interfederation policies
  • Agreements
  • Contracts and contractual relations
  • Users’ consent
  • Attribute Release Policies (ARPs)
  • Memorandums of Understanding (MoUs)
  • Charters

  10. What is a federation?

  11. A circle of trust

  12. What is an IdP (identity provider)? The entity that authenticates the user and releases attributes

  13. What is an SP (service provider)? The entity that consumes attributes

  14-18. Federation goals
  • Scalable and better access management
  • Scalable and better identity management
  • More services to the users, and vice versa (more users to the services)
  • Better services

  19. [map: national federations, labelled (USA), FØD. and (AU)]

  20-21. Basic concept [diagram: Services 1, 2, 3 and Institutions X, Y, Z with WAYF in between; a user at institution X logs in and the service receives the result; slide 21 adds Authorisation on the service side]

  22-24. Loosely coupled, Shibboleth [diagram: Institutions run Shib-IdP login, Services run Shib-SP, and a central WAYF with CONSENT sits between them; slide 24 overlays POLICY on the same picture]

  25-29. Contracts
  • Bilateral, between legal bodies
  • Defines responsibilities, duties, court, etc.
  • What is your legal entity? For the institutions? For the federation?
  • Are all Swedish universities ONE legal entity?

  33-36. Central login [diagram: Institutions X, Y, Z each connected by LDAP to one central SAML2 LOGIN, which serves Services 1, 2, 3; the central login is the Data responsible (data controller) and, on slide 36, holds Contracts with the parties]

  37-41. Decentral login [diagram: Institutions X, Y, Z each run their own LOGIN (UN/Passwd, X.509, possible OTP) for Services 1, 2, 3, with a Trusted 3rd party in between under an agreement; slides 40-41 label that party Data processor and add Contracts]

  42-44. Attribute Release Policies: the personal information the service gets [diagram: Metadata distribution through WAYF between Shib-IdPs (institutions X, Y, Z) and Shib-SPs (services 1, 2, 3), with a one-size ARP and CONSENT at WAYF]

  45-46. Users’ informed consent to exchange of personal data

  47-48. EU directive. It concerns us all... Directive 95/46/EC of the European Parliament and of the Council of 24 October 1995 on the protection of individuals with regard to the processing of personal data and on the free movement of such data

  49-52. Principles for data exchange
  • Transparency
  • Legitimate purpose
  • Proportionality

  53-56. The consent must be...
  • Voluntary (no arm-twisting)
  • Specific (one purpose)
  • Informed (understandable)

  57-60. Voluntary
  WRONG: If you do not consent we will say ‘NI’
  Right: Do you consent to sending a personal pseudonym (non-identifiable pointer) to Microsoft?

  61-64. Specific
  WRONG: All services may receive your email address
  Right: BBC will receive your email address

  65-68. Informed
  WRONG: If you do not consent we will not not decline from not delivering no services
  Right: If you do not consent you will not get access

  69. Consent in a Shib-federation [diagram: Shib-IdPs and Shib-SPs with CONSENT collected at WAYF between them]

  70. Hub-and-spoke [diagram: Services 1, 2, 3 and Institutions X, Y, Z, each connected only to the central hub]
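An added example, not from the presentation or from WAYF's code, of what the hub in the hub-and-spoke model can do because every login passes through it: enforce each SP's Attribute Release Policy (slides 42-44) and the specific, informed consent of slides 53-69 at the moment of release. Entity IDs, attribute values and consent records are constructed; the hub logic is an illustration.

```python
# Added example (not from the presentation). A hub such as WAYF sits between
# IdPs and SPs and can enforce each SP's Attribute Release Policy plus the
# user's per-SP consent in one place. All values below are constructed.

class ConsentRequired(Exception):
    """The user has not consented to (all of) the attributes this SP would get."""

# Attributes one IdP released to the hub for a single login (constructed).
IDP_ASSERTION = {
    "eduPersonPrincipalName": "alice@example.edu",
    "mail": "alice@example.edu",
    "eduPersonTargetedID": "pseudonym-4f2a",   # per-SP, non-identifiable pointer
    "givenName": "Alice",
    "schacHomeOrganization": "example.edu",
}

# One ARP per SP: the personal information the service gets (constructed).
ARP = {
    "https://library.example.org/sp": {"eduPersonTargetedID", "schacHomeOrganization"},
    "https://mail.example.org/sp": {"eduPersonTargetedID", "mail", "givenName"},
}

# Consent is specific: it is recorded per (user, SP) and lists exactly the
# attribute names the user was shown, so it does not carry over to another SP.
CONSENTS = {
    ("alice@example.edu", "https://library.example.org/sp"):
        {"eduPersonTargetedID", "schacHomeOrganization"},
}

def attributes_for_sp(assertion, sp_entity_id, arp=ARP):
    """Proportionality: keep only attributes the SP's ARP lists and the IdP sent."""
    wanted = arp.get(sp_entity_id, set())          # an SP without an ARP gets nothing
    return {name: val for name, val in assertion.items() if name in wanted}

def missing_consent(assertion, sp_entity_id, consents=CONSENTS, arp=ARP):
    """Attribute names this SP would receive that the user has not consented to."""
    subject = assertion["eduPersonPrincipalName"]
    to_send = set(attributes_for_sp(assertion, sp_entity_id, arp))
    given = consents.get((subject, sp_entity_id), set())
    return to_send - given                          # empty set means release is OK

def release(assertion, sp_entity_id, consents=CONSENTS, arp=ARP):
    """Attributes the hub forwards to the SP; refuses if consent is missing."""
    missing = missing_consent(assertion, sp_entity_id, consents, arp)
    if missing:
        # Informed: name the SP, list the attributes, state what happens otherwise.
        raise ConsentRequired(
            f"{sp_entity_id} will receive: {', '.join(sorted(missing))}. "
            "If you do not consent you will not get access.")
    return attributes_for_sp(assertion, sp_entity_id, arp)
```

If the ARP for an SP later grows, the consent on record no longer covers the new attribute names and `release` asks again rather than silently sending more.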

  71-76. Interfederation [map: the national federations (USA), FØD. and (AU) being connected step by step]

  77-84. Connecting federations
  • Confederate
  • Cross federate
  • Interfederate
  • Unite

  85-86. Recommendations
  • Use (expensive) lawyers (do not let the lawyers write your code - and don’t write their code)
