How are the federations evolving? Is federation peering happening? Are there models to ease federation peering? All these issues will be addressed during the next Federation Peering Workshop, 18 May in Brugge.
Report TERENA federation peering event
Dieter Van Uytvanck, 2008-05-19
The order of the points below might seem a bit chaotic at first sight; this is mainly because the organizers chose to have round-table discussion sessions instead of the announced presentations. The most relevant points for WP2 (standardized attributes, eduGAIN) were not or only minimally touched because of the full agenda – I hope the future meeting with TERENA can overcome this.
- Microsoft is making its products compatible with the US inter-federation InCommon (http://www.incommonfederation.org/). Note this is a loose cooperation that emerged after the government-centered federation lost support because it charged for each transaction (and the price did not decrease when the volume went up).
- Off the record remark: next version of Active Directory Services will have federation support
- Mentioned some cross-Atlantic academic federations: MUSE (women writers project, shared wiki access between US and UK), LIGO (physicists)
- Example of a large interfederation: US mobile industry (50k users, use of Shibboleth, SAML, etc.)
- Introduced the concept of federation soup: a lot of heterogeneous ingredients, just put together in one pot
- Examples of good end-user federation interfaces (make it understandable what the federation middleware does):
  - SWITCH (Switzerland) interface that shows the user which attributes are passed on
  - MS CardSpace
- An attempt at common policy building is done via the International Grid Trust Federation (http://www.gridpma.org/)
- In some countries (among others, developing countries) there is a problem with the trustworthiness of Identity Providers; there is a need for an ISOC/IETF project to address this.
- The killer app for federation technology seems to be SharePoint. More generally, the best use case for interfederations seems to be ad-hoc research cooperations.
- Different quality levels in the InCommon federation: NIST levels (gold, silver, etc.)
General points by various speakers
- A Gartner report on federations mentioned FEIDE as a good example
- In the Nordic countries VISA is interested in becoming an authentication service (“Verified by Visa”)
- Need for attribute aggregation in case of cross-federations
- Evolution in Canada: universities only perform authorization; authentication is done by the government (electronic ID)
- The Bologna treaty (related to student mobility) is pushing federation technology forward in the academic world. It should also trigger the standardization of eduPerson attributes.
- In Finland, the use of bank IDs is very popular as an authentication mechanism (for tax declaration, 99.6% of all logons)
- Nice demonstration of FEIDE (Norwegian federation) software: wiki, Foodle (= federated Doodle), etc.; see http://rnd.feide.no/ – they gave a very knowledgeable and enthusiastic impression
- The “buyers club” concept (e.g. almost free MS software for students via a federated download service) is becoming pretty popular but poses some potential problems with regard to privacy
- In Norway software tenders nowadays require federation support (cf. FEIDE)
- Interesting point made by an Elsevier representative: the lawyers writing the contracts don’t have a clue about federation technology. This results in the following problematic situation: the publisher is held liable in case users cannot access the publisher’s content, even when the problem is situated on the side of the Identity Provider (i.e. the university). Solution: add malfunctioning of the authentication service as an accepted risk (just like network problems etc.), without liability. This could prevent the following situation, which is currently the main reason commercial providers do not use federated access:
  - University sues the publisher for not providing the content
  - Publisher then sues the federation for not providing a working IdP service
- A short talk was given on privacy issues, based on EU data protection directive 95/46/EC (slides will be available online)
- Some countries have very strict rules on where personal data can be stored: e.g. in Canada personal data may only be stored in the country itself.
- Some commercial providers do not respect privacy at all: while only the eduPerson attribute is needed, they ask for social security number, sex, age, email, etc.
- Nice system in Denmark to store the user consent to pass on attributes: https://www.wayf.dk/ (using PHP and simpleSAMLphp)
- Many evolutions are expected in the next 6 to 12 months.
- Discussion about rebranding the TERENA cross-federation working group, not really relevant to us