This is a work plan for GÉANT3 Identity Federations.

Table of Contents

Available resources include:

• NorduNet Nordic 4.4
• DFN Germany 3.6
• SurfNet Netherland 3.0
• CARNET/SRCE Croatia 1.2
• Terena Netherlands 1.4
• RENATER France 0.8
• CESnet Chezch 0.4
• NIIF Hungary 0.4
• PIONIER Polen 0.4
• SWITCH Switzerland 0.4
• RedIRIS Spain 0.4

Total of 16FTE.

Full list of individuals participating in year 1

• Andreas Åkre Solberg, UNINETT, Andreas.Solberg@uninett.no
• Licia Florio, Terena, florio@terena.org
• Leif Johanssson, NorduNet, leifj@sunet.se
• David Simonsen, Wayf, david@wayf.dk
• Jacob Christiansen, Wayf, jach@wayf.dk
• Mads Freek Petersen, Wayf, freek@ruc.dk
• Miroslav Milinovic, CARNET/SRCE, miro@srce.hr
• Dubravko Penezic, CARNET/SRCE, dpenezic@srce.hr
• Dubravko Voncina, CARNET/SRCE, dubravko.voncina@srce.hr
• Mijo Djerek, CARNET/SRCE, mijo.djerek@srce.hr
• Jürgen Rauschenbach, DFN, jrau@dfn.de
• Sascha Neinert, DFN, sascha.neinert@rus.uni-stuttgart.de
• Torsten Kersting, DFN, kersting@dfn.de
• Kristof Bajnok, NIIF, bajnokk@niif.hu
• Adam Lantos, NIIF, adam.lantos@niif.hu
• Janos Mohacsi, NIIF, mohacsi@niif.hu
• Tamas Frank, NIIF, tamas.frank@niif.hu
• David Simonsen, Nordunet, david@wayf.dk
• Jacob-Steen Madsen, Nordunet, jsm@wayf.dk
• Ajay Daryanani, RedIRIS, ajay.daryanani@rediris.es
• Jaime Perez, RedIRIS, jaime.perez@rediris.es
• Candido Rodriguez, RedIRIS, candido.rodriguez@rediris.es
• Daniel Garcia, RedIRIS, daniel.garcia@rediris.es
• José-Manuel Macias, RedIRIS, jmanuel.macias@rediris.es
• Mehdi Hached, RENATER, hached@renater.fr
• Lukas Hämmerle, SWITCH, lukas.haemmerle@switch.ch
• Thomas Lenggenhager, SWITCH, lenggenhager@switch.ch
• Tomasz Wolniewicz, PIONIER, twoln@umk.pl
• Maja Gorecka-Wolniewicz, PIONIER, mgw@umk.pl
• Zbigniew Ołtuszyk, PIONIER, neevor@man.poznan.pl
• Milan Sova, CESnet, sova@cesnet.cz
• Paul Dekkers, SurfNet, Paul.Dekkers@surfnet.nl
• Remco Poortinga - van Wijnen, SurfNet, Remco.Poortinga@surfnet.nl

GANNT Chart

1 User-centric Identity

Last years within the Identity field, user-centric identity has gained alot of attension. There are at least two significant user-centric technologies that is worth exploring in the context of educational federations, including:

• OpenID
• InformationCard

OpenID is already considered and tested within educational federations, and some even support it in production. InfomationCard is a far less explored area, but many thinks it will play a really big role in the future.

In the first year of Identity Federations the focus will be on investigating this new technologies, and understand how to make use of them in educational federations.

Tentative Participants:

• CARNet/SRCE
• RedIRIS
• DFN

Participants:

• Ajay Daryanani, RedIRIS, ajay.daryanani@rediris.es
• Candido Rodriguez, RedIRIS, candido.rodriguez@rediris.es
• Licia Florio, Terena, florio@terena.org
• Tomasz Wolniewicz, PIONIER, twoln@umk.pl
• Torsten Kersting, DFN, kersting@dfn.de

2 Federation Lab

Running a federation involves providing a test environment including SP and IdP facilities that SPs and IdPs can use in order to test their deployments without connecting to the live production environments. As most european federation supports the SAML 2.0 standards, european federations most likely run very similar test facilities. This task involves looking into creating a common European test facility. With joint effort we can improve the functionality of such a test facility beyond what is available today. We call this common federation test facility the “Federation Lab”.

Features to be included in the federation lab:

• Automatically registering test entities, with no manually administration by federation operators.
• Ability to test an SP against an IdP in the Federation Lab
• Ability to test an IdP against an SP in the Federation Lab
• The Federation Lab will report any misbehaviour of the entity that is beeing tested.
• The Federation Lab will test whether the entity beeing tested meet the specification of the SAML 2.0 profiles reccomended for inter-federation communication.

Tentative Participants:

• RedIRIS
• DFN
• SWITCH
• UNINETT

Participants:

• Tomasz Wolniewicz, PIONIER, twoln@umk.pl

3 Virtual Organizations

When SSO across national borders, the next functionality that is needed in order to better collaborate online is the ability to create groups of people and use those groups to define access control.

This project intends to create a privacy-preserving VO solution that works in an inter-federation context. A proof of concept service should be created, ready to be deployed in eduGAIN (SA3).

Some of the problems with existing VO solutions is:

• No standardized protocol for looking up groups or memberships.
• Privacy-invasive protocol used for looking up groups or memberships.
• Dependancy on an Identity Provider makes it almost impossible to deploy in an inter-federation context.
• We should aim to solve all these problems in a new solution.

Tentative Participants:

• CARNET/SRCE
• RedIRIS
• RENATER
• DFN
• SWITCH
• Wayf

Participants:

• Jaime Perez, RedIRIS, jaime.perez@rediris.es
• Daniel Garcia, RedIRIS, daniel.garcia@rediris.es
• José-Manuel Macias, RedIRIS, jmanuel.macias@rediris.es
• Sascha Neinert, DFN, sascha.neinert@rus.uni-stuttgart.de

4 Metadata distribution

Manually exchanged metadata does not scale on a cross-national level. An infrastructure for automatically exchanging metadata with a supplied trust-model is neccessary. This is a less in explored area as of now. More experience is needed in the area.

This item includes investigation in multiple alternative approaches to metadata distribution.

Internet2 has come up with a completely distributed metadata distribution method, referred to as Dynamic SAML. The lack of a supplying trust model to this method, has prevented it from been investigated more. This method has potential and should be investigated more in the context of European federations.

Two other models that should be investigated is the simple pull-model used in the nordic Kalmar Union, and flavours of the metadata service implemented as a part of GEANT2.

Tasks:

• Investigation on accompaning trust-models for Dynamic SAML for automated metadata distribution.
• Investigation on Kalmar model

Tentative Participants:

• CARNET/SRCE
• RENATER
• UNINETT
• RedIRIS
• SWITCH
• Wayf

Participants:

• Andreas Åkre Solberg, UNINETT, Andreas.Solberg@uninett.no
• Lukas Hämmerle, SWITCH, lukas.haemmerle@switch.ch
• Maja Gorecka-Wolniewicz, PIONIER, mgw@umk.pl
• Mehdi Hached, RENATER, hached@renater.fr
• Leif Johanssson, NorduNet, leifj@sunet.se
• Torsten Kersting, DFN, kersting@dfn.de

5 Beyond Web-SSO

Most european federations have authentication solutions focused on WebSSO only, and there is a high demand for re-using the authentication framework for other architectures, like non-web-based applications and command line utilities.

In this work item track, participants will investigate in existing solutions, and new ideas.

Josh Howlett has proposed a new idea within this field, that can be used as a proposal.

Tentative Participants:

• CARNET/SRCE
• DFN
• RedIRIS
• Wayf

6 Federation Harmonization

This project involves some independent topics that should be studied in an inter-federation context. Each of these topics should result in a short best practice document.

Managing a federated identity infrastructure involves a lot of choices. Best practice documents may guide federations to make the same choices, and hence increase tha chances for cross-federation interoperability.

The initial plan is to create best practice documents on these topics:

• SAML 2.0 Profile
• Single Log-out
• De-provisioning
• Attribute handling

Tentative Participants:

• CARNET/SRCE
• DFN
• SWITCH
• Wayf

Participants:

• Andreas Åkre Solberg, UNINETT, Andreas.Solberg@uninett.no
• Kristof Bajnok, NIIF, bajnokk@niif.hu
• Adam Lantos, NIIF, adam.lantos@niif.hu
• Leif Johanssson, NorduNet, leifj@sunet.se