The SDSS Federation - PowerPoint PPT Presentation
1
The SDSS Federation
  • Fiona Culloch
  • EDINA, 23 March 2005

2
Talk Outline
  • What is federated identity?
  • Why is it useful?
  • What is the SDSS project doing?

3
First Came Unfederated Identity
(Diagram: users U1 … UN, each holding a UserID/password, 1:N against a single Service Provider (SP); N sites × users per site is large)
  • Password consistency issues if multiple SPs
  • User directly logs into SP
  • SP deals with end users (lost passwords etc.)
4
Centralised ID (Classic Athens)
(Diagram: users U1 … UN each hold one UserID/password in a Central DB, 1:N, and reach service providers SP1 … SPM through it)
5
Federated Identity
(Diagram: service providers SP1 … SPM and identity providers IdP1 … IdPK)
  • IdP manages users (lost passwords etc.)
  • Therefore, SP must trust IdP (and v.v.)
  • The federation simplifies trust from N² to N (M SPs, K IdPs)
6
Shibboleth
  • Technology chosen for UK
  • Does neither authn nor authz itself
  • Conveys security assertions from IdP to SP
  • Security assertions (SAML) about
    • User authentication
    • User attributes
  • Privacy preserving

7
Benefits to Institutions (IdPs)
(Diagram: IdP)
  • Enables proliferation of secure services
8
Devolved Management
  • Local user management and choice of
    • Authentication (passwords, certs, …)
    • SSO system (pubcookie, CoSign, …)
    • Attribute store (LDAP, SQL, …)
    • Vendor for all the above
    • What attributes are stored (and names)
  • Cost is the integration effort required
  • Smaller institutions may contract out to a regional
    or central IdP (e.g., Athens)

9
Benefits to Service Providers
(Diagram: one SP behind identity providers IdP1 … IdPN, e.g., ed.ac.uk, ncl.ac.uk; medium term: 50 UK sites)
  • Hide N×M users behind N IdPs
  • Trusted IdPs improve on IP checking (spoofable)
  • 1 username/password per institution (!)
10
What Does a Federation Do?
  • TTP to vet new members (manually)
    • Are they who they say they are?
    • Do they speak for their organisation?
    • Do they agree to federation policies?
  • Maintain list of members (metadata)
    • erewhon.ed.ac.uk, lock.ncl.ac.uk, …
  • Set policies, e.g., acceptable CAs

11
Federation Defined
  • A grouping of identity providers and service
    providers following defined rules.
  • More social construct than technical one.
  • Components
    • Participant agreement → trust
    • Federation signup → metadata service
    • WAYF service (optional)

12
SDSS Project Context
  • JISC Core Middleware Programme
    • Technology development (15 projects)
    • Infrastructure (JISC IE: EDINA, MIMAS)
    • Early Adopters
    • Assisted take-up service

13
SDSS Project
  • Shibboleth Development and Support Services
    (CMTD)
  • Goal is to provide a basic national
    infrastructure for use by other projects
  • Operate a development Shibboleth federation
  • Shibboleth access to EDINA and MIMAS services
  • General support
  • Technology watch

14
SDSS Federation Compared
  • Not like InQueue
    • Some barriers to entry to give a basis for trust
  • Not production (InCommon, SWITCHaai)
    • Requires defined level of service guarantees
    • May require stronger participant guarantees
    • Administration scalable to all UK institutions
  • Somewhere in between
    • Enough trust for delivery of licensed content
    • Low entry hurdle for development projects

15
SDSS Federation Policy
  • Agreement
    • Best practices
    • Best efforts
    • Privacy protection
  • X.509 Certificates
    • GlobalSign certificates required
    • Temporary SDSS CA certificates available

16
SDSS Federation Policy V1.0
  • All members of the federation must
    • Observe best practice in the handling and use of
      your digital certificates and private keys
  • All identity providers (origins) must
    • Make reasonable attempts to ensure that only
      members of your institution are provided with
      credentials permitting authentication to your
      handle server, and that the assertions made to
      service providers by your attribute authority are
      correct.
  • All service providers (targets) must
    • Agree not to aggregate, or disclose to other
      parties, attributes supplied by identity
      providers.

17
SDSS Identity Providers (9)
  • AMIE
  • IAMSECT
  • SDSS
  • SPIE
  • Edinburgh
  • LSE
  • MIMAS
  • Newcastle
  • Oxford (OUCS)

18
SDSS Services
  • EDINA
    • BIOSIS, life sciences
    • EMOL, film and video
    • UPDATE, farming, environment
  • Internet2
    • Shibboleth Wiki
  • Other (mainly tests)
    • AMIE, MIMAS, SDSS, SPIE

19
BIOSIS Login Page
20
SDSS WAYF
21
Authenticate at Home Institution
22
BIOSIS Search Result
23
eduPersonScopedAffiliation
  • MACE-Dir eduPerson attribute
  • Example: member@ed.ac.uk
  • Gives the subject's relationship to a security domain
  • Semantics: member of institution
  • Many resources licensed on these terms
  • Definition a little vague; working with MACE-Dir
    on this.

24
eduPersonEntitlement
  • MACE-Dir eduPerson attribute
  • Examples
    • urn:mace:ac.uk:sdss.ac.uk:entitlement:resource
    • http://provider.co.uk/resource/contract.html
  • Claims the subject's entitlement to a particular
    resource
  • Service provider must trust identity provider to
    issue any particular entitlement
  • Good fine-grained fall-back approach.
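To make the two attributes on slides 23 and 24 concrete, here is an added example of the access decision an SP might take on the values an IdP releases. It is not SDSS or Shibboleth code: the resource policies, entityIDs and the table of which IdP may issue which entitlement are constructed for illustration. It shows the "member of institution" licence check on eduPersonScopedAffiliation first, then eduPersonEntitlement as the fine-grained fall-back, honoured only when the asserting IdP is one the SP trusts to issue that entitlement.

```python
"""Added example: SP-side authorisation on eduPersonScopedAffiliation and
eduPersonEntitlement. All policies, entityIDs and trust tables are constructed."""
from dataclasses import dataclass

@dataclass(frozen=True)
class ResourcePolicy:
    """Constructed licence terms for one resource."""
    licensed_scopes: frozenset = frozenset()        # institutions holding a site licence
    licensed_affiliations: frozenset = frozenset()  # affiliations the licence covers, e.g. {"member"}
    entitlements: frozenset = frozenset()           # entitlement values that grant access

# Constructed: which IdPs this SP trusts to issue each entitlement value. Without such a
# table any federation IdP could assert any entitlement, which is the trust point on slide 24.
ENTITLEMENT_ISSUERS = {
    "urn:mace:ac.uk:sdss.ac.uk:entitlement:resource": {"https://idp.sdss.ac.uk/shibboleth"},
    "http://provider.co.uk/resource/contract.html": {"https://idp.ed.ac.uk/shibboleth"},
}

# Constructed policies: BIOSIS is licensed to members of two institutions; the contract
# resource is granted only through a specific entitlement.
BIOSIS = ResourcePolicy(licensed_scopes=frozenset({"ed.ac.uk", "ncl.ac.uk"}),
                        licensed_affiliations=frozenset({"member"}))
CONTRACT = ResourcePolicy(entitlements=frozenset({"http://provider.co.uk/resource/contract.html"}))

def split_scoped(value):
    """Split 'member@ed.ac.uk' into ('member', 'ed.ac.uk'). Exactly one '@' with text on
    both sides is required; the scope is lower-cased as DNS-style domains are case-insensitive."""
    if value.count("@") != 1:
        raise ValueError(f"malformed scoped attribute: {value!r}")
    rel, scope = value.split("@")
    if not rel or not scope:
        raise ValueError(f"malformed scoped attribute: {value!r}")
    return rel, scope.lower()

def authorise(resource, policy, attrs, issuer):
    """Decide access to `resource`. `attrs` maps attribute name -> list of values released
    by the IdP `issuer`. That `issuer` is a vetted federation member entitled to assert the
    scopes it uses is assumed to have been checked against federation metadata already."""
    # 1. Licence terms expressed as "member of institution": scoped affiliation.
    for v in attrs.get("eduPersonScopedAffiliation", []):
        rel, scope = split_scoped(v)
        if scope in policy.licensed_scopes and rel in policy.licensed_affiliations:
            return True, f"{resource}: {rel}@{scope} is covered by the site licence"
    # 2. Fine-grained fall-back: an entitlement, honoured only from an IdP trusted to issue it.
    refused = []
    for ent in attrs.get("eduPersonEntitlement", []):
        if ent not in policy.entitlements:
            continue
        if issuer in ENTITLEMENT_ISSUERS.get(ent, set()):
            return True, f"{resource}: entitlement {ent} issued by trusted IdP {issuer}"
        refused.append(ent)
    if refused:
        return False, f"{resource}: {issuer} is not trusted to issue {refused}"
    return False, f"{resource}: no qualifying affiliation or entitlement released"

def run_demo():
    """Constructed attribute releases from three IdPs; returns the (granted, reason) decisions."""
    ED, NCL, LSE = ("https://idp.ed.ac.uk/shibboleth", "https://idp.ncl.ac.uk/shibboleth",
                    "https://idp.lse.ac.uk/shibboleth")
    cases = [
        ("BIOSIS", BIOSIS, {"eduPersonScopedAffiliation": ["member@ed.ac.uk"]}, ED),
        ("BIOSIS", BIOSIS, {"eduPersonScopedAffiliation": ["member@lse.ac.uk"]}, LSE),
        ("contract", CONTRACT, {"eduPersonEntitlement": ["http://provider.co.uk/resource/contract.html"]}, ED),
        ("contract", CONTRACT, {"eduPersonEntitlement": ["http://provider.co.uk/resource/contract.html"]}, NCL),
    ]
    return [authorise(*c) for c in cases]

if __name__ == "__main__":
    for granted, reason in run_demo():
        print("GRANT " if granted else "DENY  ", reason)
```

The second and fourth cases are the ones that matter for security: an affiliation from an institution outside the licence, and an entitlement asserted by an IdP the SP never agreed to accept it from, both deny even though the attribute values themselves look valid.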

25
Update Login Page
26
Update Search Results
27
Update Saved Searches
28
eduPersonTargetedID
  • MACE-Dir eduPerson attribute
  • Example: sObw8cK7JJ6qqwj2v9O1tpidV4U@ed.ac.uk
  • A persistent pseudonym for the user, specific to
    a given service, intended to enable personal
    customisation
  • Value is an opaque string
  • Allows personalisation and saved state without
    compromising privacy
  • Issues about stored vs. generated forms.
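The last bullet, "stored vs. generated forms", is the design question behind eduPersonTargetedID, so here is an added example (not the Shibboleth IdP's implementation) contrasting the two. The generated form derives the pseudonym with a keyed MAC over the SP's entityID and the local user id, so it needs no per-user state but is only as private as the IdP's secret; the stored form mints a random value on first visit and must be persisted. The scope, secret, user id and SP entityIDs are constructed.

```python
"""Added example: eduPersonTargetedID in generated and stored forms.
Scope, secret, user ids and SP entityIDs are constructed; this is not IdP code."""
import base64
import hashlib
import hmac
import secrets

IDP_SCOPE = "ed.ac.uk"                                      # constructed scope appended to the value
IDP_SALT = b"constructed-idp-secret-keep-in-config-or-hsm"  # never released; rotating it changes every pseudonym

def _opaque(raw20: bytes) -> str:
    """20 bytes as unpadded base64 gives a 27-character opaque string, the shape of the slide's example."""
    return base64.urlsafe_b64encode(raw20).rstrip(b"=").decode()

def generated_targeted_id(local_uid: str, sp_entity_id: str, salt: bytes = IDP_SALT) -> str:
    """Generated form: deterministic HMAC over (SP, local user id) keyed with the IdP secret.
    Same user at the same SP always gets the same value; a different SP gets an unrelated one."""
    mac = hmac.new(salt, f"{sp_entity_id}\0{local_uid}".encode(), hashlib.sha256).digest()
    return f"{_opaque(mac[:20])}@{IDP_SCOPE}"

class StoredTargetedIdStore:
    """Stored form: a random value minted on first visit and persisted per (user, SP).
    Unlinkable even if the IdP secret leaks, but the table must be durable and backed up."""
    def __init__(self):
        self._table = {}   # (local_uid, sp_entity_id) -> opaque value

    def lookup_or_mint(self, local_uid: str, sp_entity_id: str) -> str:
        key = (local_uid, sp_entity_id)
        if key not in self._table:
            self._table[key] = _opaque(secrets.token_bytes(20))
        return f"{self._table[key]}@{IDP_SCOPE}"

    def size(self) -> int:
        return len(self._table)

def pseudonym_properties(local_uid="user1234",
                         sp_a="https://biosis.edina.ac.uk/shibboleth",
                         sp_b="https://update.edina.ac.uk/shibboleth"):
    """Check the properties slide 28 claims, for both forms, on constructed inputs."""
    g1 = generated_targeted_id(local_uid, sp_a)
    g2 = generated_targeted_id(local_uid, sp_a)
    g_other_sp = generated_targeted_id(local_uid, sp_b)
    store = StoredTargetedIdStore()
    s1 = store.lookup_or_mint(local_uid, sp_a)
    s2 = store.lookup_or_mint(local_uid, sp_a)
    s_other_sp = store.lookup_or_mint(local_uid, sp_b)
    return {
        "persistent": g1 == g2 and s1 == s2,                       # same value across sessions
        "per_service": g1 != g_other_sp and s1 != s_other_sp,      # SPs cannot correlate the user
        "opaque": local_uid not in g1 and local_uid not in s1,     # reveals nothing about the user
        "stored_needs_state": store.size() == 2,                   # one row per (user, SP) pair
    }

if __name__ == "__main__":
    print(generated_targeted_id("user1234", "https://biosis.edina.ac.uk/shibboleth"))
    print(pseudonym_properties())
```

Both forms let the SP keep saved searches against the pseudonym without learning the user's identity; the choice is between protecting a secret (generated) and protecting a database (stored), which is the issue the slide leaves open.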

29
SDSS Federation Collateral
  • Web site: http://sdss.ac.uk/
  • Live sites list
  • Policies and procedures
  • Details of how to join
  • Metadata download
  • Registries (URN, OID, attributes)
  • Wiki (living documentation)
  • Root and signing certificates

30
To-do List
  • More external providers (call to action!)
  • More EDINA services
  • More commercial CAs
  • Continue to improve documentation and packaging
  • Encapsulate experience with authorisation
  • Suggested service attribute requirements
  • Suggested attribute release policies
  • Collate service information

31
EDINA Contacts
  • edina@ed.ac.uk
  • Attn: SDSS Team
  • Project: http://sdss.ac.uk/
  • Project manager: sandy.shaw@ed.ac.uk

32
Scoped Attributes
  • This is a MACE-Dir concept, embodied in the
    eduPerson specification.
  • Scoped attributes have two parts
    • Scope: security domain
    • Value: relative to that scope
  • Example: member@ed.ac.uk
  • A principal may have multiple attribute values
    • within the same scope
    • in different scopes.
  • Definitely not the answer to all questions of
    attribute scoping; work continues.
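Slides 10 and 11 say the federation's job is to vet members and publish their metadata, and this slide says a scoped value binds a subject to a security domain. Put together, the SP-side consequence is that an assertion is worth acting on only if its issuer is a listed IdP whose signing certificate matches the metadata, and a scoped value is acceptable only in a scope the metadata registers for that issuer. The following added example (not SDSS or Shibboleth code; entityIDs, certificate stand-ins and registered scopes are constructed, with hostnames borrowed from slide 10) shows both checks on a multi-valued attribute, including values in the same scope and in a second registered scope.

```python
"""Added example: SP-side trust checks driven by federation metadata.
Entities, certificate bytes and registered scopes are constructed."""
import hashlib
import hmac
from dataclasses import dataclass

@dataclass(frozen=True)
class Entity:
    entity_id: str
    role: str                 # "IdP" or "SP"
    signing_cert_sha256: str  # fingerprint of the certificate published in metadata
    scopes: frozenset         # scopes the federation registered for this IdP

def fingerprint(cert_der: bytes) -> str:
    return hashlib.sha256(cert_der).hexdigest()

# Constructed stand-ins for DER-encoded signing certificates.
ED_CERT = b"constructed-der-bytes-for-erewhon.ed.ac.uk"
NCL_CERT = b"constructed-der-bytes-for-lock.ncl.ac.uk"

# Constructed federation metadata: what the TTP publishes after vetting each member.
FEDERATION_METADATA = {e.entity_id: e for e in [
    Entity("https://erewhon.ed.ac.uk/shibboleth", "IdP", fingerprint(ED_CERT),
           frozenset({"ed.ac.uk", "eusa.ed.ac.uk"})),
    Entity("https://lock.ncl.ac.uk/shibboleth", "IdP", fingerprint(NCL_CERT),
           frozenset({"ncl.ac.uk"})),
    Entity("https://biosis.edina.ac.uk/shibboleth", "SP", "", frozenset()),
]}

def trusted_idp(issuer: str, presented_cert: bytes):
    """Accept `issuer` only if it is a federation member in the IdP role and the certificate
    that signed the assertion is the one the metadata publishes for it."""
    ent = FEDERATION_METADATA.get(issuer)
    if ent is None or ent.role != "IdP":
        return False, "issuer is not a federation IdP"
    if not hmac.compare_digest(ent.signing_cert_sha256, fingerprint(presented_cert)):
        return False, "signing certificate does not match federation metadata"
    return True, "ok"

def filter_scoped(issuer: str, values):
    """Keep only values whose scope the metadata registers for `issuer`.
    Returns (kept, dropped); malformed values (no '@', empty parts) are dropped."""
    allowed = FEDERATION_METADATA[issuer].scopes
    kept, dropped = [], []
    for v in values:
        rel, sep, scope = v.rpartition("@")
        if sep and rel and scope.lower() in allowed:
            kept.append(v)
        else:
            dropped.append(v)
    return kept, dropped

def check_assertion(issuer: str, presented_cert: bytes, scoped_values):
    """Full SP-side check: issuer trust first, then scope filtering of the released values."""
    ok, reason = trusted_idp(issuer, presented_cert)
    if not ok:
        return {"trusted": False, "reason": reason, "accepted": [], "rejected": list(scoped_values)}
    kept, dropped = filter_scoped(issuer, scoped_values)
    return {"trusted": True, "reason": reason, "accepted": kept, "rejected": dropped}

if __name__ == "__main__":
    ed = "https://erewhon.ed.ac.uk/shibboleth"
    print(check_assertion(ed, ED_CERT, ["member@ed.ac.uk", "staff@ed.ac.uk",
                                        "member@eusa.ed.ac.uk", "member@ncl.ac.uk", "member"]))
    print(check_assertion(ed, NCL_CERT, ["member@ed.ac.uk"]))
```

The first run keeps three values (two in ed.ac.uk, one in the second registered scope) and rejects the ncl.ac.uk value and the unscoped one; the second run rejects everything because the certificate is not the one registered for that entityID, whatever the values say.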