
The SDSS Federation



Presentation Transcript


  1. The SDSS Federation
  Sandy Shaw, EDINA
  JISC Core Middleware Programme Meeting — 16-17 May 2005 (13)

  2. Contents
  • SDSS federation summary
  • Open issues for federations
  JISC Core Middleware Programme Meeting, Loughborough, 16-17 May 2005

  3. Goals
  • Implement a development federation
    • to provide programme support for CM development projects and others
    • to gain experience relevant to the creation of a UK production federation

  4. Working definition of Federation
  • A register of identity providers and service providers interworking in a common trust network
  • Basis of trust:
    • reasonable expectation of behaviour
    • common understanding of obligations and rights
    • …rather than technical enforcement
  • Registration:
    • validation of enrolment request
    • addition of technical details to federation metadata

  5. Federation profile
  • Not like InQueue:
    • which takes all-comers with no guarantees
  • Not full production:
    • with administration scalable to all UK institutions
    • which requires high service level guarantees
    • no formal legal foundations
  • SDSS operates somewhere in between:
    • trust sufficient for supply of licensed resources
    • low entry barrier for development projects

  6. Registration
  • Eligibility
    • Institutions, departments, projects
    • Any SP which adds value to the federation
  • Validation checks
    • Formal letter asserting authority and an undertaking to observe federation policy
    • Check that metadata scope assertions agree with supporting documentation
  • Certification

  7. Federation members (so far)
  • Identity providers:
    • Institutions: 3
    • Departments/units: 2
    • Projects: 4
  • Service providers:
    • Live EDINA services: 3
    • Live MIMAS services: 1
    • Internet2 hosted: 1
    • Pending EDINA services: 3

  8. Federation policy
  • IdPs make best efforts:
    • to issue credentials to members only
    • to ensure accuracy of assertions
  • SPs agree to respect the privacy of users:
    • don't aggregate attributes or disclose to others
  • Both observe best practice in handling keys

  9. Federation resources
  • Policies and procedures
  • Metadata vetting, signing, and distribution
  • Registries:
    • URN registry
    • OID registry
  • Root and signing certificates
  • Wiki

  10. Attributes & interoperability
  • As few as possible
  • InCommon profile
  • Local attributes are fine for local use
    • but may be better to define eduPersonEntitlement attribute-values rather than new attributes
  • National attributes may be an obstacle for international operation

  11. Recommended attributes
  • eduPersonScopedAffiliation
    • e.g. student@newark.ac.uk
  • eduPersonTargetedID
    • e.g. xdIe346Kb82hdJh)&h)je23wE=@lboro.ac.uk
  • eduPersonEntitlement
    • e.g. urn:mace:ac.uk:sdss.ac.uk:entitlement:med
  • eduPersonPrincipalName
    • e.g. rmassey@liv.ac.uk

  12. Contents
  • SDSS federation summary
  • Open issues for federations

  13. Federations as lightweight CAs
  • Both sign assertions about principals
  • A certificate binds a name to a public key
  • Federation metadata binds, for each provider:
    • Service name (URN)
    • Service component DNS names
    • Service component URLs
    • IdP permitted scopes
  • But not equivalent:
    • A federation's main task is registration rather than certification

  14. Federation metadata distribution
  • Federation signs aggregated metadata (details of all IdPs and SPs) in a single file
    • problem of metadata freshness
  • Could separately sign each provider's metadata as a discrete packet (SAML 2.0)
  • Fetch on-the-fly
    • does this avoid revocation checking?
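Slides 11, 13 and 14 together describe what an SP has to rely on: the scopes the federation registered for each IdP, and the freshness of the signed aggregate. The following Python is an added example (not SDSS or Shibboleth code) that parses a constructed metadata aggregate, refuses it once validUntil has passed, and accepts a scoped attribute such as eduPersonScopedAffiliation only when its scope is one registered for the asserting IdP. The entityIDs, dates and sample metadata are assumptions; only the SAML 2.0 and Shibboleth metadata namespaces are real.

```python
import xml.etree.ElementTree as ET
from datetime import datetime, timezone

MD = "{urn:oasis:names:tc:SAML:2.0:metadata}"    # SAML 2.0 metadata namespace
SHIBMD = "{urn:mace:shibboleth:metadata:1.0}"    # Shibboleth Scope extension
# Constructed sample aggregate (not real SDSS metadata): two IdPs with vetted scopes.
SAMPLE_METADATA = """<md:EntitiesDescriptor
    xmlns:md="urn:oasis:names:tc:SAML:2.0:metadata"
    xmlns:shibmd="urn:mace:shibboleth:metadata:1.0"
    validUntil="2005-06-01T00:00:00Z">
  <md:EntityDescriptor entityID="https://idp.lboro.example/shibboleth">
    <md:IDPSSODescriptor protocolSupportEnumeration="urn:mace:shibboleth:1.0">
      <md:Extensions><shibmd:Scope regexp="false">lboro.ac.uk</shibmd:Scope></md:Extensions>
    </md:IDPSSODescriptor>
  </md:EntityDescriptor>
  <md:EntityDescriptor entityID="https://idp.liv.example/shibboleth">
    <md:IDPSSODescriptor protocolSupportEnumeration="urn:mace:shibboleth:1.0">
      <md:Extensions><shibmd:Scope regexp="false">liv.ac.uk</shibmd:Scope></md:Extensions>
    </md:IDPSSODescriptor>
  </md:EntityDescriptor>
</md:EntitiesDescriptor>"""
MEETING_DATE = datetime(2005, 5, 16, tzinfo=timezone.utc)   # constructed "now" values
AFTER_EXPIRY = datetime(2005, 7, 1, tzinfo=timezone.utc)


def load_scopes(xml_text, now):
    """Return {entityID: set of permitted scopes}; refuse metadata past validUntil."""
    root = ET.fromstring(xml_text)
    valid_until = datetime.strptime(root.get("validUntil"), "%Y-%m-%dT%H:%M:%SZ")
    if now >= valid_until.replace(tzinfo=timezone.utc):
        raise ValueError("federation metadata expired: refetch before trusting it")
    scopes = {}
    for ent in root.iter(MD + "EntityDescriptor"):
        idp = ent.find(MD + "IDPSSODescriptor")
        if idp is None:
            continue                      # SP entries carry no permitted scopes
        # Literal scopes only; a regexp="true" scope would need a regex match instead.
        scopes[ent.get("entityID")] = {s.text.strip().lower()
                                       for s in idp.iter(SHIBMD + "Scope")
                                       if s.get("regexp", "false") == "false"}
    return scopes


def check_scoped_attribute(value, permitted):
    """Accept 'local@scope' only if scope is one the asserting IdP is registered for."""
    local, sep, scope = value.rpartition("@")
    if not sep or not local or not scope:
        return False                      # unscoped or malformed value
    return scope.lower() in permitted
```

The aggregate's signature is assumed to have been verified against the federation signing certificate before this step; the scope check is what stops one registered IdP from asserting affiliations for another's domain.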

  15. Supporting virtual organisations
  • Examples of VOs:
    • Institutions sharing L&T responsibilities
    • Disparate groups of collaborating researchers
  • Relevance of GRID VO model
  • Derive a simpler model for use with Shibboleth?
    • Span federations
    • Reduce cost of entry

  16. How many federations?
  • One federation implies:
    • Single administrative framework
    • Everyone on same development path
    • Single assurance level (in the simplest case)
  • Already three pilot UK Education Federations
  • So multiple federations (and multiple membership) already here

  17. Multiple membership
  • WAYF problem for SPs
    • Current stop-gap is to ask the user 'which federation?'
  • For an IdP in two known federations, which is used?
    • Or is the metadata identical in each?
  • Providers would prefer to use the same metadata for each federation
    • How to observe different rules of engagement?
    • tendency towards levelling down of trust

  18. Multiple identity assurance levels
  • To cover a wider range of requirements:
    • cross-institutional access to e-Learning resources
    • access to high value e-Science resources
  • Factors include:
    • value of resources protected
    • rigour of institutional identity management process
  • Accommodate a range of levels in one federation?
  • Or simply create distinct federations?

  19. Federation interworking
  • Required nationally and internationally
  • Suggested technical models:
    • Peering
    • Hierarchies
    • Bridging
  • Borrowing from existing PKI models
  • Currently, a lack of operational experience

  20. Interworking prerequisites
  • Common attributes
  • Common certification
  • Common scoping conventions
  • but much common understanding & shared goals already exist

  21. Contacts
  • SDSS project: http://sdss.ac.uk
  • Service desk: edina@ed.ac.uk
    • Attention: SDSS team