Day 3: Rolling out the federation
Also see
- CAMP Shibboleth: Enabling Campus and Federated Single Sign-On, Day 1
- CAMP Shibboleth: Enabling Campus and Federated Single Sign-On, Day 2
- Obviously, must sell to stakeholders, including your own IT org. Play the innovation card; use buzz in trade press and expert orgs; start small but scalable; sell the flexibility.
- Be aware that your initial test install might have to become the production service.
- Policy stakeholders: risk management, information privacy officer, trademarks and brands, office of general counsel, internal audit, information security officer.
- Do you need a federation?
- Are your apps ready for lonnnnnnng identifiers, from ‘swl’ to b884773773ty3gg3ttgdhjjya7jjdjlllaiiisij4j4j4@stanford.edu?
- Judges 12:6, an example of security policy:
The Gileadites took the fords of the Jordan against the Ephraimites. It was so, that when any of the fugitives of Ephraim said, "Let me go over," the men of Gilead said to him, "Are you an Ephraimite?" If he said, "No;" then said they to him, "Now say ‘Shibboleth’;" and he said "Sibboleth;" for he couldn’t manage to pronounce it right: then they laid hold of him, and killed him at the fords of the Jordan. At that time, forty-two thousand of Ephraim fell.
identity meets reality
- identity must exist, but we don’t know what it is (philosophical statement)
- InCommon federation: trust federation for US higher education, operated by Internet2, based on SAML (specifically Shibboleth). Slow steady growth, lessons learned, legal and liability issues, maturing technical specs.
- US E-Authentication (EAI), chartered to support e-government: access to government apps for citizens, employees, contractors, etc. Big legal agreement. SAML for assurance levels 1 and 2; client certs for levels 3 and 4.
- EAI/InCommon interfederation: access to USG apps for HE members (grants management, Dept. of Education, research collaborations). Still in development.
- When will apps be federated? Blogs and wikis are on the way to being WebSSO-enabled now, so Shib could be easy. Vendor apps are just starting to talk about it. Key HE apps are Sakai, BB, GridShib.
- Web services (SOAP): how are these secured? Look up WS-Security, whatever that is, or Liberty WSF. Shib support not well defined.
- Convergence of identity interests: phishing; ordinary people as resource owners (blogs, wikis, photos/music, RSS, social networks, blogspam); personal privacy. Technical solutions being promoted: OpenID (http://openid.net/, developed to fight blogspam) and Information Cards (Microsoft-promoted), formerly InfoCard, aka the identity metasystem. Identities are visible to users as cards, user-generated or third-party provided; typical sign-on and credit-card purchase cases; supported by the WS-Trust protocol. Shib support questionable.