David Simonsen
Session chair: David Simonsen
Track: WS Track 1
Date: Tuesday, 5 May 2015
Time: 09:00 - 10:30
Description: Presentations are accessible from this url:

The 'Grids' were established more than a decade ago with a specific goal in focus: access management for very expensive compute and storage pools available only to high-energy physics (HEP). The chosen technology is non-web, namely X.509 certificates. Large investments have been made in secure and highly trustworthy policy frameworks that work well for this particular group of experts. It has so far not been possible to reach a level of usability where user groups outside the HEP community are also able to access the scientific resources connected to the Grids.

'Federations' are large-scale web-based infrastructures that build on entire institutional user management directory services and therefore typically cover all users at any connected institution. The federation policies, which almost always appear to have national coverage (as opposed to e.g. an international scientific community like HEP), have been written to encompass many institutions and many different use cases, typically for lower-end services like learning management systems, publishers etc. Hence the broader scope and the generally lower requirements for identity proofing than seen in the Grid community. The technology is predominantly XML-based protocols like SAML.

The task is now to harvest the benefits from both worlds, the Grids and the federations: maintain the high degree of trust in user identity management and access control policies established by the Grids while at the same time providing the wealth of services and the breadth of the federated user bases of the federations.

One idea would be to establish services that translate X.509 certificates into SAML assertions and vice versa. Another may be to re-combine existing infrastructure components, like project Moonshot, which aims at federating non-web services based on existing services like eduroam and web-based federations.

Your suggestion is as good as anyone's and warmly welcomed.

What is a federation?
* Basic introduction, 15 min walk-through by David Simonsen, WAYF

* Examples of technologies deployed: X.509, SAML1.1, SAML2, SAML2int, OpenID Connect etc.

* Examples of federation operator practices: Attribute-release management, user consent

* Examples of inter-federation infrastructures: Kalmar2, eduGAIN, Safe BioPharma etc.

* Policy coordination, evolving models of global trust fabrics and the federation operations, David Groep, 15 min

Ongoing and coming projects, 10 min walk-through by [TBD]
- Moonshot, non-web Single Sign-On, goal and status
- ABC4Trust, modern crypto-systems for privacy protection
- Authentication and Authorization for Research and Collaboration:
  sharing resources through interoperable identity federation for researchers, educators and students with AARC, 19 partners, starting May 1st. (David Groep)

Code of Conduct, 10 min walk-through by Mikael Linden, CSC
Effort to foster trust, especially for international scenarios, by self-declaration of good practices, based on EU legislation.

FIM4R - Federated Identity Management 4 Research, 10 min walk-through by Mikael Linden, CSC
Common requirements for federated identity management solutions, gathered among prominent research infrastructures like CERN, ESA and others.

Trends in federation architecture, 10 min walk-through by David Simonsen, WAYF
- Hybrids of peer-to-peer and hub-and-spoke federations
- Hosted IdP solutions (Swedish eduID, Swiss eduID)