Innovation through participation
Identity Federation Policy – template document
EuroCAMP, Vienna, 15th October 2012. Marina Vermezovic, Academic Network of Serbia
Who am I
- Working for AMRES as head of the department for development of user services
- Working on eduGAIN and eduroam GN3 tasks
- We are boosting the AMRES Identity Federation
- We are testing technical solutions, but we need a policy!
Our work
- Understanding and setting up an Identity Federation Policy document is a big barrier for emerging Identity Federations
- eduGAIN task interests:
  - increasing the number of new Identity Federations => more Identity Federations participating in eduGAIN
  - emerging Identity Federations have a Policy which is "compatible" with eduGAIN
  - one step towards harmonizing federation policies
- The eduGAIN task is helping emerging Identity Federations by:
  - writing an Identity Federation Policy Template document which can easily be used and optionally changed for local conditions
  - organizing a series of workshops, with presenters who are experts in this area
  - continuing to work with participants to help them implement the template document
Our work
- The outcome: a policy template expected to be changed for local conditions.
- Geographical scope: can be used by any federation globally, not limited to the EU
- Existing federations: they can use it if they want to change or update their existing policies
- REFEDS: synchronize with the REFEDS federation harmonization work
Template document
- International working group (Finland, UK, Austria, Serbia)
- Took 2 months to develop, induced a lot of discussions
- There are still some discussions that are not closed :-)
- Gathered experience from existing Identity Federations on what not to put, and what to put, in a Policy
- We hope to get feedback from federations implementing this template, and to keep evolving the template document
Initial assumptions: allows multiple technologies
- There are multiple Federation Technologies which can make use of an Identity Federation: eduroam, WebSSO, Project Moonshot
- The Identity Federation Policy should cover all of these and allow for adding new technologies in the future
- Organizations join the Identity Federation only once and then pick which Federation services they want to implement
Make the Policy in such a way that it allows multiple technologies to be served using the same policy structure
Initial assumptions: makes changes easy
- There could be a need during a working Identity Federation's lifetime to make changes to the Policy
- An important issue that affects how easily a policy can be changed is what members sign when they join the Identity Federation:
  1. Member fills in a form agreeing to be bound by the Policy document
  2. Member signs a copy of the actual policy (there are placeholders for signatures at the end of the policy document)
Make the Policy document in such a way as to avoid the need for repeated changes to the Policy document and to make changes easy
Identity Federation Policy document suite
Identity Federation Policy document:
- Identity Federation Policy (main)
- Appendices:
  - Technology Profile eduroam
  - Technology Profile Web single sign-on
  - Level of Assurance Profiles
  - Data Protection Profile
  - Federation Operational Practices
  - Appendix Governance
  - Appendix Fees
How is the document used
- Every section contains:
  - Description: explains what the subject of the section is, which issues the section addresses, and gives additional clarifications if needed
  - Example Wording: contains text which can easily be reused for your policy
- It is expected that federations adapt the text for their policy, since some sections depend on local circumstances, the country's regulations, governance and funding of the federation, etc.
All organisations should seek local legal advice before implementing a policy based on this template
Copyright
- The template document is based on "SWAMID Federation Policy v2.0" and is published under Creative Commons Attribution-NonCommercial-ShareAlike 3.0 Unported (CC BY-NC-SA 3.0)
- If you are using the example wording from the template, you must release your policy document under the same licence.
- You are free:
  - to Share — to copy, distribute and transmit the work
  - to Remix — to adapt the work
- Under the following conditions:
  - Attribution — You must attribute the work in the manner specified by the author or licensor
  - Noncommercial — You may not use this work for commercial purposes
  - Share Alike — If you alter, transform, or build upon this work, you may distribute the resulting work only under the same or similar license to this one.
Template document Section Structure
1 Definitions and Terminology
2 Introduction
3 Governance and Roles
  3.1 Governance
  3.2 Obligations and Rights of Federation Operator
  3.3 Obligations and Rights of Federation Members
4 Eligibility
5 Procedures
  5.1 How to Join
  5.2 How to Withdraw
6 Legal conditions of use
  6.1 Termination
  6.2 Liability and indemnification
  6.3 Jurisdiction and dispute resolution
  6.4 Interfederation
  6.5 Amendment
Definitions and Terminology
- Defines basic terms that are used in the document.
- There is no single common definition of those terms.
- It is assumed that additional terms (such as Identity Provider, SAML, RADIUS) will be introduced in the related Technology Profiles.
- The definition of "End User" is a sensitive question, as it defines who can have a digital identity in your federation.
- In the broader definition an End User can be:
  - a natural person who belongs to an organization (typically an employee, researcher or student)
  - a legal person
  - a virtual artifact (e.g. a computer process, an application)
  - a tangible object (e.g. a device)
  - a group
Introduction
- The definition of an Identity Federation, its purpose and the benefits it provides to the members are introduced in this section.
- You can introduce a specific name for your Identity Federation; some ideas (full list at https://refeds.terena.org/index.php/Federations):
  - AT: ACOnet Identity Federation
  - AU: Australian Access Federation (AAF)
  - CH: SWITCHaai
  - CZ: eduID.cz
  - DK: WAYF (Where Are You From)
  - FI: Haka (means Hook)
  - NO: FEIDE (Felles Elektronisk IDEntitet)
  - SE: SWAMID (Swedish Academic Identity)
  - UK: UK Access Management Federation for Education and Research
- The definition of the Policy document is also introduced in this section. It should be made clear that this document, together with all its appendices, makes up the Identity Federation Policy.
Governance
- Defines the role and obligations of the body that governs the federation
- What you need to decide is:
  - How the governing body is structured and elected; you should specify this in an appendix "Governing Body Constitution"
  - What the name of the Governing Body is
  - Which rights are appointed to the governing body
Governance
- A sample list is presented in the example wording:
  - Criteria for membership of the Federation
  - Application for membership in the Federation
  - Whether a Federation Member is entitled to act as Home Organization
  - Revoking the membership of a Federation Member
  - Future directions and enhancements for the Federation
  - Entering into interfederation agreements
  - Formal ties with relevant national and international organisations
  - Approving changes to the Federation Policy
  - Addressing financing of the Federation
  - Approving the fees to be paid by the Federation Members
  - Deciding on any other matter referred to it by the Federation Operator
Obligations and Rights of Federation Operator
- Defines the obligations and rights of the Federation Operator.
- A sample list of Federation Operator responsibilities is presented in the example wording:
  - Secure and trustworthy operational management of the Federation
  - Provides support services for Federation Members
  - Acts as centre of competence for Identity Federation
  - Prepares and presents issues to the *governing body*
  - Maintaining relationships with national and international stakeholders in the area of Identity Federations
  - Promoting the idea and concepts implemented in the Federation
Obligations and Rights of Federation Operator
- A sample list of Federation Operator rights is presented in the example wording:
  - Temporarily suspend individual Technology Profiles for a Federation Member that is disrupting the secure and trustworthy operation of the Federation.
  - Publish a list of Federation Members along with information about which profiles they implement
  - Publish some of the data regarding a Federation Member using a specific Technology Profile.
Obligations and Rights of Federation Members
- Defines the obligations and rights of the Federation Members.
- In general, there are some obligations and rights that are appointed to all Federation Members.
- Then there are some that are specific to whether a Member is acting as Home Organization, Attribute Authority or Service Provider.
- Accordingly, first the obligations and rights for all Members can be stated, followed by more specific ones depending on the roles a Member is taking.
Obligations and Rights of Federation Members - ALL
- Shall appoint and name an administrative contact.
- Must cooperate with the Federation Operator and other Members in resolving incidents, and should report incidents.
- Must comply with the obligations of the Technology Profiles which it implements.
- Must ensure its IT systems that are used in implemented Technology Profiles are operated securely.
- Must pay the fees. Prices and payment terms are specified in appendix Fees.
- If a Federation Member processes personal data, the Federation Member will be subject to applicable data protection laws and must follow the practice presented in the Data Protection Profile.
Obligations and Rights of Federation Members – HO
- Is responsible for delivering and managing authentication credentials for its End Users and for authenticating them, as may be further specified in the Level of Assurance Profiles.
- Submits its Identity Management Practice Statement to the Federation Operator.
- Ensures an End User is committed to the Home Organization's Acceptable Usage Policy.
- Operates a helpdesk for its End Users regarding Federation services related issues
Obligations and Rights of Federation Members – AA or HO
- Is responsible for assigning Attribute values to the End Users and managing the values in a way which ensures they are up to date.
- Is responsible for releasing the Attributes to Service Providers.
Obligations and Rights of Federation Members - SP
- Is responsible for deciding which End Users can access the services it operates and which access rights are granted to an End User.
- It is the Service Provider's responsibility to implement those decisions.
Eligibility
- Defines which organizations are eligible to become a Member of your Federation, and which Members are eligible to act as Home Organization
- Depending on your country's regulations for the education and research sector and administrative/political circumstances, you should define which organizations are eligible to become a Member in your federation.
- However, as the eligibility criteria are something you may want to adapt and change over time, it is best to keep this section very short and publish the eligibility criteria in some other place; this could simply be the website, or a separate appendix.
How to Join
- Procedure for an organization joining the federation.
- It shouldn't define each step of this procedure in detail, as it is likely you would want to change some details in the future.
- Should only briefly describe the joining process and publish all details, for example, on the web site of the federation.
How to withdraw
- This section defines the procedure for members voluntarily withdrawing from the Federation.
- There are two scenarios that can happen:
  - Member withdraws from the Federation. This process can be completed within a reasonable time interval in which the Federation Operator cancels all Technology Profiles that the Member is using.
  - Federation Operator withdraws from the Federation. The Federation Operator should ensure that the Federation keeps running for some more time before its termination, so Members can find some other way to establish cooperation.
Termination
- Termination of the membership if a Member breaks the terms of the Federation Policy.
- In such a case, the Federation Operator should inform the Member and, depending on the severity of the breach, give some time frame for the Member to comply.
- If after this time the Member doesn't comply with the Federation Policy, the governing body can revoke the membership in the Federation.
- Also, at this point the governing body of the federation may give the final decision on revocation, as written in the example wording.
Liability and indemnification
- This section defines liability for damage and limitation of liability, which should be defined for the following relations:
  - Member-to-Member
  - Member-to-Operator
  - Operator-to-Member
  - Other Federations and their entities
Liability and indemnification
- There are two models that we were able to recognize:
  - Limitation of liability to the fullest extent only in regard to the Federation Operator
  - Limitation of liability in regard to the Federation Operator and Federation Member
Limitation of liability to the fullest extent only in regard to Federation Operator
- Without liability for the Federation Operator and *governing body* for any faults and defects
- This limitation of liability does not, however, apply in the case of gross negligence or intent shown by Federation Operator personnel.
- The Federation Operator's maximum liability for damages under the agreement per calendar year is limited to *enter the sum of money*
Limitation of liability in regard to Federation Operator and Federation Member
- Neither the Federation Operator nor the *governing body* shall be liable for damage caused to the Federation Member or its End Users.
- The Federation Member shall not be liable for damage caused to the Federation Operator or the *governing body* due to:
  - the use of the Federation services, service downtime or other issues relating to the use of the Federation services.
- For any other damage, the liability for damages in case of a breach is limited to *enter the sum of money*.
Limitation of liability in regard to Federation Operator and Federation Member
- The Federation Operator and Federation Members remain bound only by their own respective laws and jurisdictions.
- The Federation Member and Federation Operator shall refrain from claiming damages from entities in other federations involved in an interfederation agreement.
Limitation of liability in regard to Federation Operator and Federation Member
- Unless agreed otherwise in writing between Federation Members, a Federation Member will have no liability to any other Federation Member solely by virtue of the Federation Member's membership of the Federation.
- The Federation Member may, in its absolute discretion, agree variations to the exclusions of liability with any other Federation Member. Such variations will only apply between those Federation Members.
Jurisdiction and dispute resolution
- Disputes are usually resolved:
  - primarily through negotiation, or
  - if the issue cannot be resolved through negotiation, by submitting to the courts of law. You should determine which court of law has jurisdiction (e.g. the ordinary court at the domicile of the Federation Operator)
- In some federations a time limit for negotiations is also set out, so in the example wording a time frame of four weeks is given.
- In this section you may also state a provision: "if any clause of this Federation policy is ruled unlawful, then the rest of it remains in force".
Interfederation
- Enables the federation to enter into interfederation agreements.
- Technical and administrative issues related to interfederation depend on the Technology Profile, and should be described there.
- Federation Members will interact with entities which may be bound by very different rules and laws than the Members in this Federation.
- A fundamental idea of an interfederation is that Members are bound by their local federation policies only; if anyone has a problem with the behavior of an entity in an interfederation, they should check what that entity's own Federation policy stipulates on it.
Amendment
- Procedures required to get changes to the Federation Policy implemented
- Keep things simple and have the same procedure for all documents that make up the Federation Policy.
- Give Federation Members notification of upcoming changes well in advance, allowing for feedback and resolution of potential points of contention before the changes come into force.
Thanks for your attention!
- Questions?