The Finnish Haka Federation

1
The Finnish Haka Federation

• Mikael Linden
• mikael.linden_at_csc.fi
• 16th May, 2005

2
Outline

• Status of the Federation
• Organisation of the Federation
• Data protection directive and how it is followed
  in Haka
• Quality of institutional identity management

3
Background

• The Finnish higher education
• 20 universities, 29 polytechnics (all are public
  institutions)
• 300 000 students, 40 000 employees
• CSC, the Finnish IT Center for Science
• Non-profit company owned by the ministry of
  education
• Mission centralised IT infrastructure for higher
  education
• Funet network, high performance computing
• CSC and user administration
• Users and services are in higher education
  institutions (HEI)
• Role of CSC coordinate and support HEIs

4
Status of the Haka Federation

• pilot federation operational 12/2003
• 5 IdPs, 7 SPs
• production level federation 5/2005
• Federation agreement was drafted last winter
• Currently (status on Friday) 3 universities have
  signed the agreement, waiting for some more
  before the official launch

5
Service Providers

• Libraries
• national library portal Nelli (Ex Libris
  Metalib)
• under work library management system (Endeavour
  Voyager)
• shown interest content providers (Elsevier)
• eLearning
• Learning management systems (Moodle, WebCT,
  others)
• service for applying as a visiting student in
  another university
• National Services
• under work Academy of Finland applying for
  research funding
• shown interest student health service foundation
• ASP in the administration of the universities
• Electronic circulation of invoices and travel
  expense reports

6
Outline

• Status of the Federation
• Organisation of the Federation
• Data protection directive and how it is followed
  in Haka
• Quality of institutional identity management

7
Organisation of a federationAlternative 1
Federation as a consortium
Federation
HEI1
HEI2
HEI7
CSC (operator)
Outsourcing
HEI3

HEI6
HEI4
HEI5
A federation as a consortium that outsources
operations of the AAI to some external
organisation(s).
8
Organisation of a federationAlternative 2
Federation as a service
Federation
HEI1
HEI2
HEI8
CSC (operator)
HEI7
HEI3
HEI4
HEI6
HEI5
Federation as a service provided by an
operator. The way chosen by InCommon, SWITCHaai
and Haka.
9
Organisation of the Haka infrastructure is
similar to SWITCHaai
Operator
CSC scientific computing ltd
Central AAI services
Federation partners
Federation members
Advisory comm.
Operations comm.
IdP
Palvelu
Palvelu
IdP
Palvelu
Palvelu
Palvelu
IdP
SP
SP
Palvelu
SP
SP
SP
SP
10
Outline

• Status of the Federation
• Organisation of the Federation
• Data protection directive and how it is followed
  in Haka
• Quality of institutional identity management

11
Data protection directiveDefinitions (Article 2)

• Personal data any information relating to an
  identified or identifiable natural person
• Personal data he is Bob Smith
• Not personal data he is a medicine student
• Processing of personal data any operation on
  personal data, such as collection, storage,
  retrieval, dissemination etc
• for an Identity Provider, release of attributes
  is processing of personal data
• for an Service Provider, collecting attributes
  can be processing of personal data

12
Data protection directiveRequirement 1 Which
SPs may join the federation

• Article 6 Personal data must be collected for
  specified, explicit and legitimate purposes and
  not further processed in a way incompatible with
  those purposes.
• Purpose for processing personal data in HEIs
  roughly To support research and education
• Release of personal data to a Service Provider
  shall not be incompatible with the purpose
• IdPs may release personal data only to SPs who
  are processing data to support research and
  education

Haka only Service Providers that are supporting
research and education are accepted to the
federation
13
Data protection directive Requirement 2 What
attributes may be released

• Article 6 Personal data must be adequate,
  relevant and not excessive in relation to the
  purposes for which they are collected and/or
  further processed.
• only relevant attributes may be released from IdP
  to SPs
• both IdP and SP have to consider, what are
  actually the relevant attributes from the service
  point of view

Haka administrational contact person of the
federation member checks a new SP and the
relevance of the attributes claimed before CSC
adds the SP to the federation metadata. CSC
maintains and distributes Site ARPs to IdPs.
14
Data protection directive Requirement 3 User
consent

• Article 7 Personal data may be processed only
  ifa) the data subject has unambiguously given
  his consent orb) processing is necessary for
  the performance of a contract to which the data
  subject is party etc
• Article 11 Where the data have not been obtained
  from the data subject, controller or his
  representative must at the time of undertaking
  the recording of personal data or if a disclosure
  to a third party is envisaged, no later than the
  time when the data are first disclosed provide
  the data subject with at least the following
  information...

• Haka Finnish data protection ombudsman
• Always ask user consent before first attribute
  release (Article 7)
• When you do that, the user will be informed
  (Article 11)

15
Outline

• Status of the Federation
• Organisation of the Federation
• Data protection directive and how it is followed
  in Haka
• Quality of institutional identity management

16
Institutional idenitity management as a
requirement

• Cant do inter-institutional identity management
  if intra-institutional IdM is not taken care of
  properly!
• Many institutions have problems with data quality
  in the institutional enterprise directory
• Reason links between student registy, HR
  registry and the directory are missing
• SPs expect that the attributes released are of
  high quality

• Haka having up-to-date data in the enterprise
  directory is a requirement for an IdP joining the
  federation
• Self-audit for IdPs joining the federation
• Based on the self-audit, operator makes the
  decision

17
School in user administrationSupporting HEIs
in improving institutional IdM

• set of 3 one-day-workshops for staff in IT
  departments in HEIs
• organised by CSC
• 1st day 1/2005
• Theory, best practices, commercial/open source
  products
• First homework evaluate your current
  institutional IdM
• 2nd day 5/2005
• homeworks gone through
• The concept of an identity federation introduced
• Second homework set target for your
  institutional IdM
• 3rd day 12/2005
• Again, homeworks gone through
• More best practices and products

18
More information

• http//www.csc.fi/suomi/funet/middleware/english/
• TNC05 conference paper Organising Federated
  Identity in Finnish Higher Education, available
  http//www.terena.nl/conferences/tnc2005/programme
  /presentations/show.php?pres_id77