Interfederation Interoperability - PowerPoint PPT Presentation

Provided by: drpe53

Transcript and Presenter's Notes



1
Interfederation Interoperability
  • Dr. Peter Alterman
  • Asst. CIO, E-Authentication
  • National Institutes of Health

2
What Are Electronic Identity Federations?
  • Associations of electronic identity credential
    providers and credential consumers (electronic
    service providers) who:
      • Agree to trust each other's credentials
      • Agree to hold credential providers authoritative
        for the validity of their credentials
      • Agree to use common communications protocols and
        procedures to enable interoperability
      • Agree to common business rules

3
Purpose of Electronic Identity Federations
  • To enable trusted electronic business
    transactions between end users and service
    providers where the service provider does not
    have to issue and manage identity credentials,
    including attributes.
  • It's all a matter of scaling...
  • No, it's also a matter of control

4
Characteristics of Identity Federations
  • Credential providers
  • Service providers
  • Standards and protocols for technical
    interoperability among credential providers,
    services providers, end users and infrastructure
    utilities
  • A governance mechanism to assert common business
    rules, ensure credentials can be used and trusted
    by all members of the federation and a central
    control point for entry and exit of members

5
What Happens When Two Federations Want to
Interoperate?
  • Enable technical interoperability between members
    of different federations
  • Develop mutually agreed-upon mappings for
    trusting identity credentials and elements of
    credentials
  • Develop mutually agreed-upon mappings for
    business rules
  • Develop peer-based conflict resolution mechanisms

6
Report Status of Interfederation
Interoperability Work Group
  • inCommon Higher Education Identity Federation
      • Using Shibboleth middleware technical protocols
      • Policy-light
  • E-Authentication US Identity Federation
      • Using a variety of technical protocols
      • Policy intensive

7
Accomplishments to Date
  • Demonstration of proof of concept for technical
    interoperability of identity credentials and
    utilities: E-Authentication SAML 1.0 and
    Shibboleth 1.2
  • Production-level interoperability built into
    Shibboleth 1.3 (in beta)
  • Extensive groundwork done on identifying policy
    and procedure mapping/treaty requirements
  • Credential Assessment of 4 Universities

8
Work in Progress
  • Development of common SAML 2.0 schemes
  • Development of common USPerson profile and
    profile management infrastructure
  • Development of production-quality scheme
    translator
  • Ongoing work to enable cross-federation trust and
    interoperability
  • NSF FastLane to accept 4 universities'
    Shibboleth-based identity and attribute
    credentials

9
Unresolved Issues
  • Mapping null attributes
  • Ensuring privacy of attribute information in a
    variety of instances
  • Portal integration
  • Scaling issues for listing credential providers
  • Issues of transitivity across federations
  • Multiple authoritative sources/conflicting
    authoritative sources
  • Vocabulary and data dictionary issues
  • Liability and indemnification issues

10
Discussion?