SIR, FedSSH and more to come

1
SIR, FedSSH and more to come
2
SIRServicio de Identidad de RedIRIS

• Provide a single entry point to digital identity
  services for the academic community
• Multiprotocol
• Simplify management
• Guarantee evolution
• Flexible
• Compatible with any level of IdM deployment
• Able to live in parallel with other
  infrastructures
• http//www.rediris.es/sir/

3
The SIR Model

• One Ring to bring
• them all and in the
• darkness bind them
• In the Land of
• Mordor where the
• Shadows lie.

4
IdPs in SIR

• Institutions in the RedIRIS constituency
• Virtual organizations related to them
• Must install a connector
• Able to produce assertions in the PAPI v1
  protocol
• Minimum set of attributes in the iris- schemas
• PHP, Java (JSP Filter), Apache mod_perl, ASP,
  Sun AM, OSSO and some specific ones
• Community process for developing new ones
• Must register for the service
• Accepting the conditions of use
• Providing their metadata

5
SIR Services

• Interconnection with SAML infrastructures
• Access to PAPI-basedservices
• eduGAIN BE
• OpenID producer
• Validation services
• Attribute exchange
• SAML
• OpenID

6
SIR SAML (including eduGAIN)

• Virtual IdP per institution
• Using simpleSAMLphp capabilities
• Metadata distribution for regional federations
• Direct integration of SAML IdPs is feasible
• Central eduGAIN BE
• Plus virtual BEs for institutions requesting them
• Commercial providers
• Microsoft
• Elsevier
• Requests ongoing for Ovid, JSTOR, EBSCO,
• Driven by the user institutions

7
SIR PAPI

• Two ways for connection
• GPoA SIR
• Virtual AS for each institution
• Access to the the national license on ISI WoK
• RedIRIS inner services
• Conferences
• Service control panel
• Portals
• Proxies

8
SIR OpenID

• Virtual producer per institution
• Additional controls
• Match URL with attribute values
• Specify acceptable RPs
• User consent for extensions related to personal
  data
• Identifiers in whatever Spanish language
• yo.rediris.es/soy/diego.lopez_at_rediris.es
• jo.rediris.es/soc/diego.lopez_at_rediris.es
• eu.rediris.es/son/diego.lopez_at_rediris.es
• ni.rediris.es/diego.lopez_at_rediris.es/naiz
• Simplified versions possible for OpenID2

9
SIR Some ideas for the future

• New protocols and identity services
• OAuth
• Cardspace
• COmanage
• New applications (beyond WebSSO)
• SSH access
• Distributed storage
• Attribute authorities (a-la-COManage)
• Grid interconnection
• SLCS
• VOMS
• Usage of DNIe
• And the PEPS

10
FedSSH

• Based on the ideas discussed byTF-EMC2 along past
  summer
• Common public key servers are updated through
  specific SPs
• A modified version of the SSH server able to use
  an external repository for public keys

11
Deploying FedSSH

• Deployed as a pilot by CONFIA, the Southern
  Spanish federation
• Applied to teaching environments
• Connected to a federated account provision system
• Plans to explore the applicability to storage
  services

12
Riding the Hype

• Make the case for identity services among the
  wider user community
• Some of the big players are behind
• Explore direct potential applications
• There are smart people working on this

13
Identity a-la-carte

• Use your identity everywhere
• Easy deployment of additional control
• Makes it more valuable to users
• OpenID identifiers for catch-all, low-LoA IdPs

14
Lightweight federation?

• No changes to the basic protocol required
• ARPs could be implemented as well
• Simpler to deploy?
• Easier to integrate?
• Closer to commercial providers?

15
OAuth for auto-registration
16
(No Transcript)