eduGAIN federation operator training: eduGAIN policy

Innovation through participation

eduGAIN training in Vienna 17-18 Oct 2011 [email protected]


DESCRIPTION

eduGAIN federation operator training: eduGAIN policy. eduGAIN training in Vienna, 17-18 Oct 2011, [email protected]. Outline: Background; eduGAIN Policy Framework; Data protection issues and the data protection good practice profile. Federation is all about trust. PowerPoint PPT presentation.

TRANSCRIPT

Page 1: eduGAIN federation operator training: eduGAIN policy

eduGAIN training in Vienna 17-18 Oct 2011 [email protected]

Page 2

Outline

• Background
• eduGAIN Policy Framework
• Data protection issues and the data protection good practice profile

Page 3

Federation is all about trust

• SP needs to trust the IdP
  – LoA: quality of identities and authentication are as agreed
  – Schema: attributes and their semantics are as agreed
• IdP needs to trust the SP
  – Privacy: that the SP does not infringe the privacy laws
• Everyone needs to trust the federation operator
  – Security: operations are done securely
  – Rules: operations follow the federation rules

These issues are covered in the federation policy (agreement).

No federation policy => no federation (cf. PEER, a pure SAML metadata delivery service).

Page 4

Starting point for eduGAIN interfederation service

• Heterogeneous national federations
  – Sectors covered: universities, research institutions, schools…
  – Level of Assurance (LoA): reliability of identities/authentication
  – Attributes: recommended attributes, semantics (ePAffiliation)
  – Privacy mechanisms: attribute release policies, consent modules
  – Incident handling mechanisms
  – Liability, indemnification, other typical contractual issues
• eduGAIN didn't want to make the national federations change their policies
  – Would have caused too much trouble/hassle for the federations

Page 5

eduGAIN's approach

• Keep the bar low for federations to join
  – Don't exclude anyone
  – Keep the basic level of trust low
• Introduce optional profiles for higher levels of trust
  – Data protection
  – Level of Assurance

[Diagram: Policy of Fed 1, Policy of Fed 2 and Policy of Fed 3 each sit on top of the eduGAIN basic level; Data protection and Level of Assurance are optional profiles above it.]

Page 6

And the result was

• Interfederation, not confederation
• eduGAIN is mostly a metadata exchange service
• IdPs and SPs are bound only by their national federation's policy
• Any complaints about an IdP or SP will be handled locally in its home federation
• Side effect: a provider in fed 1 doesn't necessarily trust a provider in fed 2
  => opt-in needed by Entities

[Diagram: eduGAIN in the centre connecting fed1 to fed5, each federation containing its own IdPs and SPs.]

Page 7

Opt-in for Entities

1. "Uplink": Entity opts in for being exposed to eduGAIN
2. "Downlink": Each peer Entity decides if it wants to on-board the metadata of an entity that has been exposed to eduGAIN
   • IdP needs to consider the privacy risks of releasing Personal Data to foreign SPs
   • SP needs to consider LoA and attribute semantics of foreign IdPs
   • Everyone needs to consider if they are happy with the peer Provider's federation agreement

Page 8

eduGAIN policy framework

Page 9

eduGAIN policy ver 1.0 www.edugain.org/policy

1. Policy Declaration
2. Constitution
3. Metadata Terms of Access and Use

See also: Introduction to the eduGAIN policy framework

Profiles:
4. Metadata profile (MUST)
5. WebSSO profile (MAY)
6. Attribute profile (SHOULD)
7. Data protection good practice profile (MAY)

[Diagram: the Policy Declarations signed by Federation 1, Federation 2 and Federation 3 refer to the eduGAIN Constitution (NREN PC approves/changes), which is supplemented by the profiles: required profiles (NREN PC approves/changes), recommended profiles (TSG approves/changes) and optional profiles (TSG approves/changes).]

Page 10

1. eduGAIN Declaration

• Cannot be changed later
• Two pages of text
• Joining federation signs and presents to Operational Team (OT)
• Essential issues of the policy
  – Metadata exchange
  – Entities are bound by their local federation policies only
  – No new legal rights or obligations for Entities (e.g. liabilities)

Page 11

2. Constitution

• Goal of eduGAIN: "to support NREN constituency by interfederation service"
• Bodies: NREN PC, GEANT EXEC, Technical steering group, OT
• Requirements and process for joining
• Policy violation
• Branding and trademarks
• Quality of identities and attributes
  – dispute resolution for user identities, freshness of attributes
• Audits for Entities and federations (none) and eduGAIN operations

Page 12

3. Metadata Terms of Use

<!-- Use of this metadata is subject to the Terms of Use at http://www.edugain.org/policy/metadata-tou_1_0.txt -->

• URL attached to all published eduGAIN metadata
• "License" agreement of the metadata file
• Secondary; participant federations' policies override this
• "Use at your own risk"

Page 13

4. SAML2 Metadata profile (MUST)

• MUST: <mdrpi:PublicationInfo>
  – MUST: publisher
  – MUST: <mdrpi:UsagePolicy> with a link to Metadata ToU
  – SHOULD: creationInstant or publicationID

<md:EntityDescriptor> elements:
• MUST: <md:ContactPerson> with contactType="technical"
  – MUST: <md:EmailAddress>
• MUST: <mdrpi:RegistrationInfo>
  – MUST: registrationAuthority
  – SHOULD: registrationInstant, <mdrpi:RegistrationPolicy>
• SHOULD: <md:Organization> with English and native values:
  – <md:OrganizationName>, <md:OrganizationDisplayName>, <md:OrganizationURL>

Page 14

4. SAML2 Metadata profile (cont'd)

• If <md:EntityDescriptor> contains <md:IDPSSODescriptor>, <md:AttributeAuthorityDescriptor> or <md:SPSSODescriptor>:
  – SHOULD: <mdui:DisplayName> and <mdui:Description> in English and native language(s)
• If <md:EntityDescriptor> contains <md:SPSSODescriptor>:
  – MAY: <md:AttributeConsumingService>
• Aggregated <md:EntityDescriptor> SHOULD: <mdrpi:PublicationPath>
• MUST: Conformance to SAML V2.0 Metadata Interoperability Profile
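As an added example (not part of the slides or of eduGAIN's own tooling), a small Python checker that applies the aggregate-level and per-entity MUST/SHOULD rules above to a constructed metadata aggregate; the entity IDs, URLs and registration authority are made up, and the attribute is spelled publicationId as in the RPI schema rather than the slide's publicationID.

```python
"""Check a metadata aggregate against the MUST/SHOULD rules of the eduGAIN SAML2
metadata profile summarised on pages 13-14.  Added example, not eduGAIN tooling;
the aggregate below is constructed (one conforming IdP, one deficient SP)."""
import xml.etree.ElementTree as ET

NS = {"md": "urn:oasis:names:tc:SAML:2.0:metadata",
      "mdrpi": "urn:oasis:names:tc:SAML:metadata:rpi"}

AGGREGATE = """<md:EntitiesDescriptor Name="edugain-sample"
 xmlns:md="urn:oasis:names:tc:SAML:2.0:metadata" xmlns:mdrpi="urn:oasis:names:tc:SAML:metadata:rpi">
 <md:Extensions>
  <mdrpi:PublicationInfo publisher="https://www.edugain.org" creationInstant="2011-10-17T12:00:00Z">
   <mdrpi:UsagePolicy xml:lang="en">http://www.edugain.org/policy/metadata-tou_1_0.txt</mdrpi:UsagePolicy>
  </mdrpi:PublicationInfo>
 </md:Extensions>
 <md:EntityDescriptor entityID="https://idp.example.org/idp">
  <md:Extensions><mdrpi:RegistrationInfo registrationAuthority="http://fed1.example.org/"/></md:Extensions>
  <md:ContactPerson contactType="technical"><md:EmailAddress>idp-ops@example.org</md:EmailAddress></md:ContactPerson>
 </md:EntityDescriptor>
 <md:EntityDescriptor entityID="https://sp.example.org/sp">
  <md:ContactPerson contactType="support"><md:EmailAddress>help@example.org</md:EmailAddress></md:ContactPerson>
 </md:EntityDescriptor>
</md:EntitiesDescriptor>"""

def check_aggregate(xml_text):
    """Return [(entityID or '*', finding)]; an empty list means the aggregate conforms."""
    root = ET.fromstring(xml_text)
    findings = []
    pub = root.find("md:Extensions/mdrpi:PublicationInfo", NS)
    if pub is None:
        findings.append(("*", "MUST: mdrpi:PublicationInfo missing"))
    else:
        if not pub.get("publisher"):
            findings.append(("*", "MUST: PublicationInfo/@publisher missing"))
        if pub.find("mdrpi:UsagePolicy", NS) is None:
            findings.append(("*", "MUST: mdrpi:UsagePolicy (link to Metadata ToU) missing"))
        # Slide says creationInstant or publicationID; the RPI schema spells it publicationId.
        if not (pub.get("creationInstant") or pub.get("publicationId")):
            findings.append(("*", "SHOULD: creationInstant or publicationId missing"))
    for ent in root.iterfind("md:EntityDescriptor", NS):
        eid = ent.get("entityID")
        reg = ent.find("md:Extensions/mdrpi:RegistrationInfo", NS)
        if reg is None or not reg.get("registrationAuthority"):
            findings.append((eid, "MUST: mdrpi:RegistrationInfo/@registrationAuthority missing"))
        # A technical contact is required and it must carry an e-mail address.
        tech = [c for c in ent.iterfind("md:ContactPerson", NS) if c.get("contactType") == "technical"]
        if not any(c.find("md:EmailAddress", NS) is not None for c in tech):
            findings.append((eid, "MUST: technical ContactPerson with EmailAddress missing"))
    return findings
```

Run against the constructed aggregate, the IdP passes and the SP is reported twice (no RegistrationInfo, no technical contact).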

Page 15

5. WebSSO profile (OPTIONAL)

"Currently, the only allowed SAML 2.0 protocol profile to be used for Web Single Sign-on in eduGAIN is saml2int (ver 0.2)"

Page 16

6. Attribute profile (SHOULD)

• RECOMMENDED attributes: displayName, common name, mail, eduPerson(Scoped)Affiliation, schacHomeOrganization and schacHomeOrganizationType
  – At least one schacHomeOrganizationType SHOULD be from the international vocabulary urn:mace:terena.org:schac:homeOrganizationType:int
  – MUST: eP(S)A vocabulary: member, faculty, student, alum, affiliate, library-walk-in
  – Semantics as defined by REFEDS comparison ver 0.13
• SAML2 persistent ID is RECOMMENDED as the unique ID
  – Placed in the SAML assertion's subject/nameID element and attribute statement

Page 17

Data protection issues and 7. Data protection good practice profile (OPTIONAL)

Page 18

eduGAIN Data protection good practice profile (DP profile)

• EU Data protection directive: the IdP takes a legal risk when it releases personal data (PII) to the SP
• eduGAIN DP profile uses SAML2 metadata to mediate the SP's privacy-related properties to the IdP in a structured way
  – <RequestedAttribute> element
  – <mdui:PrivacyStatementURL> element
  – New <mddp:Category> and <mddp:LegalGrounds> elements
• IdP uses the elements
  – to decide if attributes can be released to the SP
  – to fulfil its related obligations
• For details, see the full DP profile at www.edugain.org/policy

Page 19

eduGAIN Data protection profile 1/4: Two kinds of SPs

• Category non-PII: SP receives no personal data
  – eduPersonAffiliation, schacHomeOrganization…
  – Data protection laws not applied
• Category PII: SP receives personal data
  – eduPersonPrincipalName, mail, CN…
  – Data protection laws applied

SAML2 metadata indicates the SP's category:

<SPSSODescriptor>
  <md:Extensions>
    <mddp:DataProtectionProperties>
      <mddp:Category>PII</mddp:Category>
    </mddp:DataProtectionProperties>
  </md:Extensions>

Page 20

eduGAIN Data protection profile 2/4: Relevance of attributes released

• Data protection laws: attributes an SP receives must be adequate, relevant and not excessive in relation to the purpose of the SP
  => The IdP must not release attributes the SP does not need
• SP's SAML metadata indicates the attributes the SP declares relevant for its needs

<SPSSODescriptor>
  <AttributeConsumingService ...>
    <RequestedAttribute NameFormat="urn:oasis:names:tc:SAML:2.0:attrname-format:uri"
                        Name="urn:oid:2.5.4.4" isRequired="true"/>
    <RequestedAttribute NameFormat="urn:oasis:names:tc:SAML:2.0:attrname-format:uri"
                        Name="urn:oid:2.5.4.42" isRequired="false"/>
  </AttributeConsumingService>

Page 21

eduGAIN Data protection profile 3/4: Legal grounds

• Data protection laws: releasing attributes to an SP is based on either
  – User's consent, or
  – Necessity (for performing a contract, for performing a task carried out in the public interest, for legitimate interests…)
• SP proposes the legal grounds in SAML 2.0 metadata
• If the legal grounds is consent, the IdP asks the user to consent to the attribute release (cf. consent modules such as uApprove)

<SPSSODescriptor>
  <md:Extensions>
    <mddp:DataProtectionProperties>
      <mddp:LegalGrounds>consent</mddp:LegalGrounds>
    </mddp:DataProtectionProperties>
  </md:Extensions>

In July 2011 the WP29 Data Protection Working Party of the EU published its opinion on consent. Related modifications to the profile are being drafted.

Page 22

eduGAIN Data protection profile 4/4: Informing the data subject

• When releasing personal data to the SP, the data controller must tell the end user what personal data will be released, to whom and for what purposes, etc.
• SP places its privacy policy URL in its SAML metadata's MDUI element
• The IdP provides the link to the user (e.g. when s/he consents to attribute release)

<SPSSODescriptor>
  <md:Extensions>
    <mdui:UIInfo>
      <mdui:PrivacyStatementURL xml:lang="en">http://www.example.org/privacypolicy.html</mdui:PrivacyStatementURL>
    </mdui:UIInfo>
  </md:Extensions>
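The four DP-profile parts above (Category, RequestedAttribute, LegalGrounds, PrivacyStatementURL) combined into one IdP-side release decision, as an added Python example that is neither the slides' nor eduGAIN's code; the mddp namespace URI, the SP metadata, the user's attributes and the set of attributes treated as PII are constructed assumptions.

```python
"""Apply the DP profile elements from pages 19-22 (Category, RequestedAttribute,
LegalGrounds, PrivacyStatementURL) to an IdP's attribute release decision.  Added
example, not eduGAIN code; the mddp namespace URI and SP metadata are constructed."""
import xml.etree.ElementTree as ET

NS = {"md": "urn:oasis:names:tc:SAML:2.0:metadata",
      "mdui": "urn:oasis:names:tc:SAML:metadata:ui",
      "mddp": "urn:example:edugain:mddp"}  # placeholder, not the profile's real URI
PII = {"urn:oid:2.5.4.3", "urn:oid:2.5.4.4", "urn:oid:2.5.4.42",  # cn, sn, givenName (per slides)
       "urn:oid:0.9.2342.19200300.100.1.3",                       # mail
       "urn:oid:1.3.6.1.4.1.5923.1.1.1.6"}                        # eduPersonPrincipalName
SP_METADATA = """<md:EntityDescriptor entityID="https://sp.example.org"
 xmlns:md="urn:oasis:names:tc:SAML:2.0:metadata" xmlns:mdui="urn:oasis:names:tc:SAML:metadata:ui"
 xmlns:mddp="urn:example:edugain:mddp">
 <md:SPSSODescriptor>
  <md:Extensions>
   <mddp:DataProtectionProperties><mddp:Category>PII</mddp:Category>
    <mddp:LegalGrounds>consent</mddp:LegalGrounds></mddp:DataProtectionProperties>
   <mdui:UIInfo><mdui:PrivacyStatementURL xml:lang="en">http://www.example.org/privacypolicy.html</mdui:PrivacyStatementURL></mdui:UIInfo>
  </md:Extensions>
  <md:AttributeConsumingService index="0">
   <md:RequestedAttribute Name="urn:oid:2.5.4.4" isRequired="true"/>
   <md:RequestedAttribute Name="urn:oid:0.9.2342.19200300.100.1.3" isRequired="true"/>
   <md:RequestedAttribute Name="urn:oid:2.5.4.42" isRequired="false"/>
  </md:AttributeConsumingService>
 </md:SPSSODescriptor>
</md:EntityDescriptor>"""

def release_decision(sp_xml, user_attrs, consent_given):
    """Return (ok, reason, privacy_url, attributes_to_release)."""
    sp = ET.fromstring(sp_xml).find("md:SPSSODescriptor", NS)
    dpp = "md:Extensions/mddp:DataProtectionProperties/"
    category = sp.findtext(dpp + "mddp:Category", "PII", NS)
    grounds = sp.findtext(dpp + "mddp:LegalGrounds", "", NS)
    url = sp.findtext("md:Extensions/mdui:UIInfo/mdui:PrivacyStatementURL", None, NS)
    requested = {r.get("Name"): r.get("isRequired") == "true" for r in
                 sp.iterfind("md:AttributeConsumingService/md:RequestedAttribute", NS)}
    # 1/4: an SP declaring itself non-PII must not be asking for PII attributes.
    if category == "non-PII" and PII & set(requested):
        return False, "non-PII category but PII attributes requested", url, {}
    # 2/4: release only what the SP declared relevant; required ones must be available.
    missing = [n for n, req in requested.items() if req and n not in user_attrs]
    if missing:
        return False, "required attribute unavailable: " + ", ".join(missing), url, {}
    release = {n: v for n, v in user_attrs.items() if n in requested}
    # 3/4 + 4/4: with consent as legal grounds nothing is released until the user, shown the URL, consents.
    if grounds == "consent" and not consent_given:
        return False, "consent required", url, {}
    return True, grounds or "no legal grounds declared", url, release
```

The unrequested eduPersonAffiliation value in the test below is never released, and without consent the IdP gets back only the privacy statement URL to show the user.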

Page 23

Luckily, the level of security is relative to the risks

• The controller must implement appropriate technical and organizational measures to protect personal data... such measures shall ensure a level of security appropriate to the risks represented by the processing and the nature of the data to be protected.
• Most collaboration services (wikis…) need just CN, mail and ePTID

[Diagram: IdP sends a SAML assertion carrying CN, mail and ePTID to the SP.]

Page 24

Future policy work

• GN3 project asked the eduGAIN task to prepare an updated Constitution
  – To find a long-term solution to the governance model
• Level of Assurance issues
  – Strong identity, strong authentication…?
  – cf. REFEDS work item ref6
  – cf. NIST 800-63, InCommon bronze/silver
  – Currently looking at Kantara IAF (LoA 1 and 2?)
• Data protection issues
  – Joined forces with REFEDS attribute release WG
  – Supporting eduGAIN Data Protection Good Practice Profile in IdP-side implementations