

Number of slides: 11

Kalmar Union lessons: Findings in federation harmonisation
REFEDS, 7.6.2009
Mikael Linden, CSC

Kalmar Union: a Nordic confederation
• A confederation by sharing SAML 2 metadata
[Figure: the four federations FEIDE, SWAMID, Haka and WAYF sharing metadata; entity counts currently in Kalmar shown per federation: 1 IdP and 7 SPs, 2 IdPs and 2 SPs, 1 IdP and 3 SPs]
• www.kalmar2.org
• Kalmar talk on Tuesday in TNC – welcome
• This talk summarises the findings

Findings in federation harmonisation
1. Harmonise attributes
   – mandatory attributes
   – semantics of attributes
   – unique identifiers
2. Campus Identity Management requirements
   – The floor for IdM quality on the IdP side
3. Usability and user experience
4. SAML 2.0 profile
5. Federation business models

1.1. Harmonise mandatory attributes
[Table: per-federation MUST marks (WAYF, Haka, FEIDE) against the attributes eduPersonPrincipalName, cn, sn, gn, displayName, mail, o, eduPersonAffiliation, eduPersonPrimaryAffiliation, eduPersonTargetedID, schacHomeOrganizationType, …; each federation marks a different subset MUST]
• MUST = available for each end user (but not released to every SP)
• The first question from a confederation SP: "What is the list of attributes whose existence in any federation I can rely on?"

1.2. Harmonise attribute semantics

eduPersonAffiliation value | The Finnish interpretation (Haka federation) | The British interpretation (UK federation)
Student  | Degree student, exchange student, visiting student | Undergraduate or postgraduate student
Faculty  | Academic workers (research and education workers at laboratories) | Teaching staff
Staff    | Non-academic workers (administrative workers) | All staff
Employee | Person actually employed by the institution (e.g. not a contractor) | Other than staff or faculty (e.g. a contractor)
Member   | All above + students taking qualifying/further education courses | All above
Affiliate | Others, such as Open University students | Relationship member
Alum     | Graduate | Graduate short of full

• Too difficult if interpreting the differences is left to the admin of a confederation SP

1.3. Harmonise unique identifiers
• Currently: eduPersonPrincipalName (ePPN) used almost everywhere
• But: its primary property (uniqueness) is not guaranteed over time
   – Some feds/IdPs reassign ePPN (DK, NO)
   – Some feds never reassign ePPN (SE)
   – The SP admin needs to adapt to the weakest policy
• Or: abandon ePPN, go for SAML 2 persistent ID (eduPersonTargetedID, ePTID)
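Added example (not from the slides, and not Kalmar's or any federation's own code): how a confederation SP can keep the differences from 1.2 and 1.3 out of its own logic. It encodes only what the slides state (ePPN may be reassigned in DK and NO but never in SE; "staff" means non-academic workers in Haka but all staff in the UK federation); the federation key names, the local "institution worker" role and the sample assertions are assumptions made for this example.

```python
from dataclasses import dataclass, field

# Slide 1.3: does this federation ever reassign eduPersonPrincipalName?
# DK (WAYF) and NO (FEIDE) do, SE (SWAMID) never does. Anything not listed
# defaults to "reassigned": the SP must assume the weakest policy.
EPPN_REASSIGNED = {"WAYF": True, "FEIDE": True, "SWAMID": False}

# Slide 1.2: which eduPersonAffiliation values cover "works for the
# institution" under each federation's reading of the attribute.
# Key names and the local role are assumptions made for this example.
WORKER_AFFILIATIONS = {
    "Haka": {"faculty", "staff"},  # staff alone = non-academic workers only
    "UK": {"staff"},               # staff = all staff, faculty included
}

@dataclass
class Assertion:
    federation: str            # which Kalmar federation the IdP belongs to
    attributes: dict = field(default_factory=dict)

def account_key(a: Assertion) -> str:
    """Identifier to file the local account under.

    Prefer the SAML 2 persistent ID (eduPersonTargetedID). Fall back to
    ePPN only when the federation is known never to reassign it.
    """
    eptid = a.attributes.get("eduPersonTargetedID")
    if eptid:
        return "eptid:" + eptid
    eppn = a.attributes.get("eduPersonPrincipalName")
    if eppn and not EPPN_REASSIGNED.get(a.federation, True):
        return "eppn:" + eppn
    raise ValueError(f"no stable identifier from federation {a.federation}")

def is_institution_worker(a: Assertion) -> bool:
    """True if the user works for the home institution, per federation semantics."""
    wanted = WORKER_AFFILIATIONS.get(a.federation)
    if wanted is None:
        return False  # unknown interpretation: deny rather than guess
    values = {v.lower() for v in a.attributes.get("eduPersonAffiliation", [])}
    return bool(wanted & values)

if __name__ == "__main__":
    # Constructed sample assertions, not real users
    swamid = Assertion("SWAMID", {"eduPersonPrincipalName": "anna@example.se"})
    wayf = Assertion("WAYF", {"eduPersonPrincipalName": "per@example.dk",
                              "eduPersonTargetedID": "opaque-persistent-id-1"})
    print(account_key(swamid), account_key(wayf))
    print(is_institution_worker(Assertion("Haka", {"eduPersonAffiliation": ["staff"]})))
```

An ePPN arriving from a federation that reassigns it is rejected rather than silently used, which is the "adapt to the weakest policy" rule turned into a check the SP admin no longer has to think about per federation.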

2. Floor for Campus IdM
• In Kalmar, high requirement for Campus IdM
   – Traditional LoA: initial identity proofing, password quality
   – Quality of attributes
   – Accounts closed for departing users
• Trade-off between
   – What SPs want (e.g. TERENA Grid Certificate project, CLARIN project)
   – What federations want to enforce on their IdPs
• Too difficult if tackling the differences is left to SP admins

3. Usability and user experience
• How to make IdP Discovery easy?
• How to inform the end user on the processing of his/her personal data?

4. Harmonised SAML 2 profile
• Until now, most federations have used a single product (e.g. Shibboleth, SimpleSAMLphp)
• For cross-product interoperability, a SAML 2 WebSSO profile is needed
• Few profiles exist
   – The IdP/SP Lite of OASIS – still quite complex
   – SAML 2 Simple
• Good news: it's not too late to harmonise this

5. Harmonised business models
• Invoicing federation members/partners differs federation-by-federation
• e.g. external SPs:
   – WAYF (DK) does not invoice anyone
   – Haka (FI) does not invoice library content providers but invoices DreamSpark
• If the model isn't harmonised in a confederation, every SP joins the cheapest federation and gets the others for free

Summary
• Harmonising federations is a boring job
   – A change to a production distributed system
   – Backwards incompatible changes?
• Without harmonisation, issues get too difficult for the confederation SP admin
   – S/he is an expert in his/her service
   – S/he is not and does not want to become an expert in understanding how foreign federations differ
• If we don't harmonise them, confederations won't fly
• High hopes on eduGAIN to work on the issue