The Art of Federations

Topics

• Federations of what…

• Federated identity versus federations

• Federations in other sectors – business, gov, ad hoc

• R&E Federations

• Peering and confederation

• -------------------

• International Grid Trust Federation

Lots of things can federate

• Data sets• Search engines and catalogues• Grid resources• Primary identity providers• Secondary identity providers

Federated identity and federations

• Federated identity –passing of information from an identity provider (IdP) to a relying party or service provider (SP) for an access control decision

• Bi-lateral, likely appended to an existing business relation

• Usually uses SAML

• Federation – bi-lateral or compound passing of information from several IdP and others to a SP

• Multi-institutional, broad communities with multiple IdP and SP

• Needs metadata management, more sophisticated attributes (including scoped), multi-lateral trust management, agreements on standards, more sophisticated AAP and ARP mechanisms, etc.

• Usually uses Shibboleth or a compatible

Federations in other sectors

• Corporate• Internal federations within large, diverse

companies• Limited use for vertical sector operations

• Government

R&E Federations

• Rapidly growing sector, with many countries deploying and federation size increasing

• General scope is higher education, with coverage ranging from complete (e.g. Switzerland, Finland, Norway) to well underway (e.g. Denmark, France, UK, Germany, Australia) to planning

• Largest and most ambitious is the UK Access Management Federation, scoped to all higher education, K-12 and further education

In the US

• Growing number of state based federations• University of Texas, University of California,

University of Maryland, Ohiolink, etc.• Easy to build on top of existing relationships

• Ad hoc federations – eg FEMA and Hurricane Katrina

• InCommon

InCommon

• US R&E Federation

• www.incommonfederation.org

• Members join a 501(c)3

• Addresses legal, LOA, shared attributes, business proposition, etc issues

• Approximately 45 members and growing

• A low percentage of national Shib use…

InCommon Uses

• Dartmouth, and others, to get to ScienceDirect at Elsevier

• Penn State, and others, to get to WebAssign, an outsourced testing service

• University of Washington, and others, to get to CDigex

• Univ of Chicago, and others, to get to TurnItIn, a plagiarism testing service

• All members of InCommon, to get to spaces.internet2.edu

• (Soon, all members to get to the TeraGrid.)• (Soon, all members to get to Fastlane and NIH

and…

Policy components

• Participant operational practices• To help SP decide on amount of trust to have

• IdM and local administration• May or may not be audited

• Standard Attributes• Metadata agreements• Contract between institution and federated

operator• Easy except for limited liability and dispute

resolution

Peering and Confederation

• For federations to be fully-scalable• Peering - relationship between two autonomous

federations• Work underway in peering between InCommon and

US Federal EAuthentication Federation• MOU addresses metadata exchange, liability and

dispute resolution, economics, technical mappings as addendum

• Confederation – a union of federations• Addresses discovery, conversion of protocols and a

more unified set of services• Seemingly a natural structure for Europe• eduGain, a Geant project, is working on this