Technical Developments within the UK Access Management Federation

Copyright JNT Association 2005, 2007. www.ukfederation.org.uk

UK federation development. Access Management Transition Meeting, 30 May 2007. Josh Howlett, UKERNA.

description

Presentation at the JISC Access Management Transition Programme from Josh Howlett, UKERNA. This presentation describes the technical developments that are planned within the UK Access Management Federation.

Transcript of Technical Developments within the UK Access Management Federation

Page 1: Technical Developments within the UK Access Management Federation


UK federation development

Access Management Transition Meeting, 30 May 2007.

Josh Howlett, UKERNA.

Page 2: Technical Developments within the UK Access Management Federation


Overview

• Improving Discovery

• Extending our use of metadata

• Shibboleth 2.0

• Other access management products

• Inter-federation

• Integration with eduroam

Page 3: Technical Developments within the UK Access Management Federation


Discovery

• What is the ‘discovery problem’?
  – SAML 1.x
    • ‘IdP-first’ only.
    • Intended for small numbers of known partners; discovery is managed by the application.
  – Shibboleth 1.x
    • Shibboleth Authentication Request Profile is ‘SP-first’.
    • Intended for large numbers of possible partners; discovery is typically managed by the WAYF service.
  – WAYF issues: usability and scalability.

Page 4: Technical Developments within the UK Access Management Federation


Discovery

• Service Provider side discovery
  – Preferred approach.
  – SPs know their customers.
  – Shibboleth 2.0 SP will probably provide some assistance.

• Discovery service
  – Enables an SP to hand over discovery to a third party.
  – Potential for use of heuristics such as the IP address of the user agent.

Page 5: Technical Developments within the UK Access Management Federation


Metadata

• What is federation metadata?

  “In architecture, a keystone is the stone at the top of an arch. It is the supporting element for the entire arch — without it the arch would collapse.” – Wikipedia

  – Functions
    • A directory of federation participants – where?
    • A description of their capabilities – what?
    • Establishment of technical trust – who?

Page 6: Technical Developments within the UK Access Management Federation


Metadata

• Trust
  – PKI trust (today)
    • Entity metadata gives the claimed “KeyName”.
    • The “KeyName” must match that given in the entity’s certificate, which must be issued by a trusted CA.
  – Problems
    • Trust validation is expensive and contains redundancy.
    • PKI can cause difficult support problems.
    • Some SAML 2.0 features (e.g. attribute encryption) require access to entities’ public keys.

Page 7: Technical Developments within the UK Access Management Federation


Metadata

• Trust
  – Direct key operation
    • Public keys embedded directly in metadata (or wrapped within a certificate in metadata).
    • Available in Shibboleth 1.3+.
  – Hybrid operation
    • Use both PKI trust and direct key.
    • Currently in testing; may be made more widely available in the future.
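As an added illustration of the two trust models on slides 6 and 7 and their hybrid combination (this is example code written for this transcript, not code from the presentation or from Shibboleth): a constructed metadata fragment carries both a KeyName and an embedded certificate (the base64 blob is a placeholder, not a real certificate), the peer's certificate is modelled as a small record rather than parsed X.509, the trusted CA name is made up, and hybrid mode is assumed to accept whichever of the two checks succeeds.

```python
import base64
import hashlib
import xml.etree.ElementTree as ET

NS = {"md": "urn:oasis:names:tc:SAML:2.0:metadata",
      "ds": "http://www.w3.org/2000/09/xmldsig#"}

# Constructed sample metadata: a KeyName for PKI trust plus an embedded certificate
# for direct key trust. The base64 blob is a placeholder, not a real certificate.
SAMPLE_METADATA = """<md:EntityDescriptor entityID="https://idp.example.ac.uk/shibboleth"
    xmlns:md="urn:oasis:names:tc:SAML:2.0:metadata"
    xmlns:ds="http://www.w3.org/2000/09/xmldsig#">
  <md:IDPSSODescriptor protocolSupportEnumeration="urn:oasis:names:tc:SAML:1.1:protocol">
    <md:KeyDescriptor use="signing">
      <ds:KeyInfo>
        <ds:KeyName>idp.example.ac.uk</ds:KeyName>
        <ds:X509Data><ds:X509Certificate>UExBQ0VIT0xERVItQ0VSVA==</ds:X509Certificate></ds:X509Data>
      </ds:KeyInfo>
    </md:KeyDescriptor>
  </md:IDPSSODescriptor>
</md:EntityDescriptor>"""

TRUSTED_CAS = {"UK federation CA"}  # constructed issuer name for the example

def load_key_info(xml_text):
    """Return (KeyNames, SHA-256 digests of embedded certificates) from metadata."""
    root = ET.fromstring(xml_text)
    names = {e.text.strip() for e in root.iterfind(".//ds:KeyName", NS)}
    digests = set()
    for e in root.iterfind(".//ds:X509Certificate", NS):
        der = base64.b64decode("".join(e.text.split()))
        digests.add(hashlib.sha256(der).hexdigest())
    return names, digests

def pki_trust(cert, key_names):
    """PKI trust: certificate issued by a trusted CA and its name matches a KeyName."""
    return cert["issuer"] in TRUSTED_CAS and cert["subject_cn"] in key_names

def direct_key_trust(cert, cert_digests):
    """Direct key trust: the presented certificate is the one published in metadata."""
    return hashlib.sha256(cert["der"]).hexdigest() in cert_digests

def is_trusted(cert, xml_text, mode="hybrid"):
    """cert is a simplified record {"subject_cn", "issuer", "der"}, not parsed X.509."""
    names, digests = load_key_info(xml_text)
    if mode == "pki":
        return pki_trust(cert, names)
    if mode == "direct":
        return direct_key_trust(cert, digests)
    return pki_trust(cert, names) or direct_key_trust(cert, digests)  # hybrid: either path
```

The contrast worth noticing is the key rotation case: a freshly issued certificate from the trusted CA passes PKI trust but fails direct key trust until the metadata is republished, which is the operational trade-off the slides are pointing at.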

Page 8: Technical Developments within the UK Access Management Federation


Shibboleth 2.0

• Shibboleth 2.0
  – Virtually a complete re-write.
  – Support for (some of) SAML 2.0
    • Web SSO and Single Log-out profiles.
    • Additional capabilities likely in future releases.
  – IdP
    • More powerful ARP expression.
    • Scripting for enhanced attribute resolution.

Page 9: Technical Developments within the UK Access Management Federation


Other AM solutions

• Shibboleth is the recommended AM software.
  – Designed for education and research.

• Many other SAML implementations exist.

• The moves towards Shibboleth 2.0 and SAML 2.0 should improve interoperability.

• We need to understand more about these other products and their suitability.

Page 10: Technical Developments within the UK Access Management Federation


Shibboleth on Windows

• Shibboleth IdP currently runs on Windows, although installation is complex.

• Windows installer is in development.

• We’re looking for:
  – Ideas, wish lists, etc.
  – Guinea pigs.

Page 11: Technical Developments within the UK Access Management Federation


Inter-federation

• Multiple emerging federations for education and research.

• Diverse policy and technological strategies.

• Use cases
  – Reduce burden on publishers.
  – Facilitate cross-federation access to resources such as wikis, VLEs, etc.

Page 12: Technical Developments within the UK Access Management Federation


Inter-federation

• Inter-federation
  – Leveraged federation
    • Group within a group.
  – Federation peering
    • Bilateral agreement.
  – Confederation
    • Federation of federations.

Page 13: Technical Developments within the UK Access Management Federation


Integration with eduroam

• RAGS
  – Experimental out-sourced IdP using eduroam for authentication.

• RADIUS-SAML
  – Internet2 proposal to use SAML for eduroam authorisation.

Page 14: Technical Developments within the UK Access Management Federation


Thank you for your attention

Any questions, ideas or requirements?