Trust & Identity: What’s next... 2017/10/17 · eduKEEP – Towards a User Driven Identity Federation
Page 1

Networks · Services · People www.geant.org

Trust & Identity: What’s next?!
GN4-2 Project - Next Generation Trust & Identity Technology Development

Maarten Kremers
Task Leader Trust & Identity Technology Development, GN4 Project
Technical Product Manager & Project manager T&I, SURFnet

Internet2 TechEx 2017, San Francisco, CA
16th October 2017
Page 2

The GN4-2 Project and T&I

Trust & Identity Operations
• eduGAIN
• eduPKI
• eduroam

Trust & Identity Development
• eduGAIN Development – Federation and Campus
• eduGAIN Development – e-Research and Service Providers
• Trust & Identity Technology Development
• eduroam Service Development
Page 3

GN4-2 - Trust & Identity Technology Development
• OpenID Connect Federations
• REFEDS Authentication profiles & Step-Up Service
• eduKEEP – Towards a User Driven Identity Federation
• eIDAS & eduGAIN
Page 4

OpenID Connect Federations
Page 5

eduKEEP – The Challenge

Overcome the organisation-centric identity model shortcomings:
• Identities are tightly coupled with role and affiliation
• Poor support for dynamic and loose relationships
• Identities bootstrapping
• Multiple concurrent affiliations
Page 6

eduKEEP – The Approach

User-driven, persistent, privacy preserving, institutional backed identity (UPPII):
• The user identity is created outside the organisation
• The organisation validates the user identity
• The organisation links the user identity to role and affiliation, and/or
• The organisation bootstraps a local user account leveraging the external identity
Page 7

eduKEEP – The Possibilities

• Registration / Alumni / lifelong learners: One identity to rule them all. To register, join another university, become an alumni.
• Researchers: One identity in concurrent projects with multiple affiliations and for all publication work (with help of ORCID and friends).
• Teachers: One identity for interacting with their learners across multiple universities.
• Third Parties Services: Supports longer-term client-relationship. Offerings and conditions can be based on roles available at given time.
Page 8

eduKEEP – Current eduID initiatives

Initiatives:
• SWITCH EduID (Switzerland)
• SUNET EduID (Sweden)
• GARR eGOV IDs, IdP/Proxy & AAs (Italy)

Approaches, as listed on the slide:
• Central user-centric IdP to bootstrap identities at Home Organisations
• Considering to use an IdP/SP Proxy to link eGOV IDs to Home Organisations Attribute Authorities
• Central user-centric IdP, enriching identities with attributes from Home Organisations
Page 9

eduKEEP – Comparison

| Feature | SWITCH edu-ID | SUNET eduID | GARR IdP/SP Proxy |
|---|---|---|---|
| A - Target audience | R&E Community | R&E Community | R&E Community |
| B - A new identifier is provided | YES | YES | YES |
| B1 - Identity suitable for AuthN | YES | YES | NO |
| B2 - Long-term identity | YES | YES | YES* |
| B3 - Persistent identifier | YES | YES | YES* |
| B4 - Globally Unique Identifier | YES** | YES** | YES* |
| C - IdP acting on behalf of Home Organisation IdPs | YES | NO | YES |

Notes: (*) external dependency; (**) confirmed identities
Page 10

eduKEEP – Comparison

| Feature | SWITCH edu-ID | SUNET eduID | GARR IdP/SP Proxy |
|---|---|---|---|
| D - Account Linking | YES | YES | YES |
| D1 - Linked Account AuthN | NO | NO | YES |
| E - Self-asserted Identity | YES | YES | YES* |
| E1 - Identity Assurance Elevation | YES | YES | YES |
| E2 - VO-based vetting | NO | NO | YES |
| F - Attribute Aggregation at IdP | YES | NO | YES |
| G - Attribute Release Policy - Delegate Management to Home Organisations | YES | NO | YES* |

Notes: (*) external dependency; (**) confirmed identities
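The following Python model is an added illustration of the eduKEEP approach (an identity created outside the organisation, then validated and linked by it) and of the features compared in the two tables above: account linking (D), self-asserted identity with assurance elevation (E/E1), attribute aggregation at the IdP (F) and release policy delegated to the home organisations (G). It is not code from SWITCH, SUNET, GARR or the GN4-2 project. The organisation scopes, SP entityIDs, persistent identifier and the two assurance labels are constructed for this example; only the eduPersonScopedAffiliation "role@scope" syntax is real.

```python
from dataclasses import dataclass, field
from typing import Dict, List, Set

# Assurance labels used by this toy model (constructed; not REFEDS or eduID values).
SELF_ASSERTED = "self-asserted"
ORG_VETTED = "org-vetted"


@dataclass
class Affiliation:
    org: str      # home organisation scope, e.g. "uni-a.example" (constructed)
    role: str     # affiliation value such as "student", "staff" or "alum"
    vetted: bool  # True once the organisation has validated the person's identity


@dataclass
class UserIdentity:
    """A user-created identity that outlives any single affiliation (B2/B3)."""
    persistent_id: str
    affiliations: List[Affiliation] = field(default_factory=list)


def link_affiliation(identity: UserIdentity, org: str, role: str, vetted: bool) -> None:
    """Account linking (D): the home organisation attaches a role to the external
    identity. Concurrent affiliations at several organisations are allowed."""
    if any(a.org == org and a.role == role for a in identity.affiliations):
        raise ValueError(f"{role}@{org} is already linked")
    identity.affiliations.append(Affiliation(org, role, vetted))


def unlink_affiliation(identity: UserIdentity, org: str) -> None:
    """Leaving an organisation drops its affiliations; the identity itself persists."""
    identity.affiliations = [a for a in identity.affiliations if a.org != org]


def assurance_level(identity: UserIdentity) -> str:
    """Assurance elevation (E/E1): an identity starts self-asserted and is raised
    only while at least one home organisation vouches for it; it drops back when
    the last vetting organisation unlinks."""
    return ORG_VETTED if any(a.vetted for a in identity.affiliations) else SELF_ASSERTED


def aggregate_attributes(identity: UserIdentity) -> Dict[str, List[str]]:
    """Attribute aggregation at the central IdP (F): merge every organisation's
    assertion into one set, in eduPersonScopedAffiliation 'role@scope' syntax."""
    return {
        "eduPersonScopedAffiliation": sorted(f"{a.role}@{a.org}" for a in identity.affiliations),
        "assurance": [assurance_level(identity)],
    }


def release_for_sp(identity: UserIdentity, sp_entity_id: str,
                   policies: Dict[str, Set[str]]) -> Dict[str, List[str]]:
    """Release policy delegated to home organisations (G): `policies` maps each
    organisation to the SP entityIDs it has approved; an organisation's
    affiliations are withheld from any SP it has not approved."""
    allowed = [a for a in identity.affiliations if sp_entity_id in policies.get(a.org, set())]
    return {
        "eduPersonScopedAffiliation": sorted(f"{a.role}@{a.org}" for a in allowed),
        "assurance": [assurance_level(identity)],
    }


def demo() -> Dict[str, List[str]]:
    """Walk one identity through the eduKEEP flow with constructed data."""
    alice = UserIdentity(persistent_id="placeholder-persistent-id-0001")
    link_affiliation(alice, "uni-a.example", "student", vetted=True)   # validated by uni-a
    link_affiliation(alice, "uni-b.example", "staff", vetted=False)    # claimed, not yet vetted
    # uni-a has approved this SP, uni-b has approved nothing, so only uni-a's role is released.
    policies = {"uni-a.example": {"https://sp.example/shibboleth"}, "uni-b.example": set()}
    return release_for_sp(alice, "https://sp.example/shibboleth", policies)


if __name__ == "__main__":
    print(demo())
```

The design point worth noticing is that the persistent identifier never changes while affiliations come and go, which is what makes the identity usable across registration, alumni status and concurrent projects; the vetting flag is what separates a self-asserted claim from an organisation-backed one, and it is deliberately not something the user can set.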
Page 11

eduKEEP – Observations

Best Practices
• The incremental approach of SWITCH eduID
• The Assurance Level elevation model of SUNET eduID
• Solid policy and security

Long Lived Identities and eduIDs are on the way forward
• BYOID
• 1st class citizenship
• The path to be further determined
Page 12

EduKEEP – Towards a User Driven Identity Federation

eduID initiatives (SWITCH eduID, SUNET, GARR) → Architecture, Policy, Features → October 2017: Best Current Practices Document → 2018: Best Current Practices Pilot
Page 13

REFEDS Authentication profiles & Step-Up Service
• Develop profiles for Authentication support in REFEDS
• Develop Step-up service
Page 14

REFEDS Profiles for Authentication

REFEDS Assurance Framework (RAF) – Authentication vector:
• Base Level Authentication Profile
• Single Factor (Good-Entropy) Profile
• MFA Profile
Page 15

REFEDS Profiles for Authentication

Base Level Authentication Profile
• Base profile
• No explicit authentication requirements
• Draft done, REFEDS consultation pending

Single Factor (Good-Entropy) Profile
• Requirements for single factors
• BCP for password scenarios
• In progress

MFA Profile
• Requirements for MFA
• Done
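An added Python example of how a service provider consumes these profiles; it is not code from REFEDS or the GN4-2 project. An SP requests a profile via RequestedAuthnContext, and an IdP that does not support the request will typically just return its default class (such as PasswordProtectedTransport). The SP must therefore compare the AuthnContextClassRef it actually receives against what it asked for, and send the user to step-up rather than accept the login when the profile is too weak. The two REFEDS profile URIs are the published ones; the rank table (MFA satisfies an SFA request), the freshness window, the fixed clock value, the issuer and the sample assertions are constructed, and the assertion is assumed to have already passed signature and audience validation.

```python
import xml.etree.ElementTree as ET
from datetime import datetime, timedelta, timezone
from typing import Dict, Optional, Tuple

SAML_NS = {"saml": "urn:oasis:names:tc:SAML:2.0:assertion"}

# Published REFEDS authentication-profile identifiers.
REFEDS_MFA = "https://refeds.org/profile/mfa"
REFEDS_SFA = "https://refeds.org/profile/sfa"
# Standard SAML class an IdP commonly falls back to when it ignores the request.
PASSWORD_PT = "urn:oasis:names:tc:SAML:2.0:ac:classes:PasswordProtectedTransport"

# Local SP policy (constructed): a stronger profile satisfies a request for a
# weaker one; any class ref not listed here counts as rank 0, i.e. insufficient.
PROFILE_RANK: Dict[str, int] = {REFEDS_SFA: 1, REFEDS_MFA: 2}

# Constructed "current time" so the freshness check is deterministic.
NOW = datetime(2017, 10, 16, 9, 2, 0, tzinfo=timezone.utc)


def make_assertion(class_ref: str, authn_instant: str) -> str:
    """Build a minimal constructed SAML assertion (ID and issuer are placeholders)."""
    return f"""<saml:Assertion xmlns:saml="urn:oasis:names:tc:SAML:2.0:assertion"
    ID="_placeholder-id" Version="2.0" IssueInstant="{authn_instant}">
  <saml:Issuer>https://idp.example.org/idp</saml:Issuer>
  <saml:AuthnStatement AuthnInstant="{authn_instant}">
    <saml:AuthnContext>
      <saml:AuthnContextClassRef>{class_ref}</saml:AuthnContextClassRef>
    </saml:AuthnContext>
  </saml:AuthnStatement>
</saml:Assertion>"""


# Constructed sample responses: an MFA login, a password-only login, and an MFA
# login whose authentication event is an hour old.
MFA_ASSERTION = make_assertion(REFEDS_MFA, "2017-10-16T09:00:00Z")
PASSWORD_ASSERTION = make_assertion(PASSWORD_PT, "2017-10-16T09:00:00Z")
STALE_MFA_ASSERTION = make_assertion(REFEDS_MFA, "2017-10-16T08:00:00Z")


def authn_context_of(assertion_xml: str) -> Tuple[Optional[str], Optional[datetime]]:
    """Return (AuthnContextClassRef, AuthnInstant) from the first AuthnStatement."""
    root = ET.fromstring(assertion_xml)
    stmt = root.find(".//saml:AuthnStatement", SAML_NS)
    if stmt is None:
        return None, None
    ref = stmt.find("./saml:AuthnContext/saml:AuthnContextClassRef", SAML_NS)
    class_ref = ref.text.strip() if ref is not None and ref.text else None
    instant = stmt.get("AuthnInstant")
    when = datetime.fromisoformat(instant.replace("Z", "+00:00")) if instant else None
    return class_ref, when


def check_authn(assertion_xml: str, required_profile: Optional[str],
                now: datetime = NOW, max_age: timedelta = timedelta(minutes=5)) -> str:
    """Decide whether the login satisfies the profile the SP asked for.

    Returns "ok", "step-up-required" (profile too weak or missing) or
    "reauth-required" (strong enough, but the authentication event is older
    than the SP tolerates for this profile).
    """
    if required_profile is None:          # base level: no explicit requirement
        return "ok"
    class_ref, when = authn_context_of(assertion_xml)
    if class_ref is None or PROFILE_RANK.get(class_ref, 0) < PROFILE_RANK[required_profile]:
        return "step-up-required"
    if when is None or now - when > max_age:
        return "reauth-required"
    return "ok"


if __name__ == "__main__":
    for name, xml in [("mfa", MFA_ASSERTION), ("password", PASSWORD_ASSERTION),
                      ("stale-mfa", STALE_MFA_ASSERTION)]:
        print(name, "->", check_authn(xml, REFEDS_MFA))
```

The check is deliberately an allow-list over known class refs: an unknown or missing AuthnContextClassRef is treated as insufficient rather than as "probably fine", and a base-level requirement is expressed as no requirement at all rather than as a weak URI, which mirrors the "no explicit authentication requirements" wording of the profile.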
Page 16

Step-Up Service – Deliver Step-Up Service

• Primary audience: Research Collaborations
• Both Identity and Authentication Step-Up
• Collaboration with AARC: Use cases; User/community requirements; Architecture
• In progress: Analyzing different approaches
• Next Steps: Timeline; Testing scalability
• Potential pilots (Autumn 2018)
Page 17

eIDAS

electronic IDentification, Authentication and trust Services (Upcoming EU regulation)
• Leverage the use of eGOV IDs for higher LoA in the R&E federations
• Technical interoperability with built proxy, technical pilots done
• Interoperability comparison between the frameworks
Page 18

eIDAS & eduGAIN

Scenarios:
• National gateway per national R&E federation and the national node
• Service with a global scope that acts as a gateway for the eduGAIN inter-federation and ...

eduGAIN SG adopted the ’global’ approach. This approach will be taken as baseline in conversations with the eIDAS representatives.
Page 19

More information
https://wiki.geant.org/display/gn42jra3/Task+3%3A+Next+Generation+Trust+and+Identity+Technology+Development+-+TrustTech
Page 20

Thank you