EuroCAMP Summary - TERENA
EuroCAMP Summary (in 15 mins)

Diego
• We are at the teenager stage of IDM
• IDM is maturing
• Welcome to the schema onion

Jasmina
• Welcome to LDAP [the syntax]
• Flat tends to be better than hierarchical
• Feed your LDAP automatically
• No manual LDAP updates

Miroslav
• Welcome to LDAP [semantics]
• Don’t re-purpose a schema

Victoriano
• Can you trust the applications that your users enter passwords into?
• Don’t let your users enter passwords into applications outside your control

Roland (rhubarb, rhubarb, rhubarb)
• How to do LDAP properly
  – Attribute extensions
• How to do IDM properly
• Sun’s 10 best practices (see also Cameron’s 7 laws of identity)
• Get sponsorship for your strategy, and aim for quick wins.

Gerard
• Challenges
• Hopes

Roland (rhubarb, rhubarb, rhubarb)
• Cutting-edge homebrew IDM system based on standards.
• Sweden’s universities are one legal entity

Jasmina
• Guest accounts
• Make sure you deprovision
• Make sure you know who the guest is

Panel
• Don't come up with your own schema if an existing standard can be used
• Don't put sensitive data in your directory
  – Unless you are prepared to meet the regulatory obligations
• The standard schemas may not be enough

Kevin
• Management view
• What is a user, a person?
• Level of Assurance
• If you do a good job, your IDM system will become authoritative

David
• The zoo of beasts
• Intro to federation
  – Conventional
  – Hub-and-spoke
• Legal
  – MoUs
  – Contracts
  – Charters
  – Consent
• Engage lawyers, don't write each other's code
• Talk to your data and consumer protection agencies
• Define your federation's legal body (NREN or otherwise)
• Read the JISC legal document on federation policies

Victoriano
• eduPerson
  – Good starting point
  – Pseudonymous id
• SCHAC
  – Designed for specific European uses

Jacob
• WAYF.dk-style SSO
  – CAS
  – SAML
  – LDAP
• The scary fish <SimpleSAMLphp>
  – Simple
  – Simple
  – Simple
• Making the case with a killer app
  – Efficiency
  – Collaboration
  – Compliance
  – New business model
• The business case for federation is the same as the case you would use for an IDM, but with the context that goes beyond the cam
• The more services off your ID, the better for your ID
• The more services in your federation, the better for the IdP (and thus IDM)
• The more your accounts are used, the better

Kevin

Miro
• eduroam
  – RADIUS
  – Monitoring, as a means to show that your service is valuable
  – Tools, to show that you can troubleshoot
  – Future plans
    • GN3-SA3(t2) & JRA3

Diego
• SIR
• Why PAPI?
  – (years+)
  – Connectors to lower the entry barrier for institutions, so not just PAPI
• Simple policy
  – To lower the entry barrier
  – Explicit description of data protec...
• Interconnected with
  – OpenID
  – eduGAIN
• SAML services
  – External, managed, outer, outsourced
• Regional federations

Victoriano, Rok, Michal
• SAML with non-web
• SAML with Kerberos
• Entitlements