Sharing, withholding and delegating

Sharing, withholding and delegating sounds like advice from Management 101, a first introduction to getting things done.  In the case of identity management, there are some hard cases to crack:

  1. Sharing metadata: getting information about the right identity provider to the right service provider, as needed
  2. Withholding technical detail from the end user, while giving enough information to make informed choices.  One aspect of this is a seamless discovery service, where the aforementioned identity provider information is available when needed, without prompting the end user to input something.
  3. Delegation of rights.  I may wish to delegate rights to my husband or to a process running on my behalf (webmail should be able to check my mail account via IMAP, even if IMAP is a non-web protocol)
  4. Aggregation of information about me from multiple Identity Providers, while keeping my privacy and giving a user-friendly interface for managing my own information.
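Points 1 and 2 above meet in the service provider: a discovery service hands it only the chosen identity provider's entityID, and the SP must turn that into an SSO endpoint from federation metadata without bothering the user. The following is an added example (not code from the original post) of that lookup over a constructed SAML 2.0 metadata aggregate; the entity IDs and URLs are made up, and it also refuses entries whose validUntil has elapsed, a check that is easy to forget when metadata is cached.

```python
# Added example, not code from the original post: resolving a discovery-service
# answer against a SAML 2.0 metadata aggregate. Discovery hands the service
# provider only an entityID; the SP looks up that IdP's SSO endpoint in the
# federation metadata and must refuse entries whose validUntil has elapsed.
# The XML below is constructed sample metadata, not any real federation's.
import xml.etree.ElementTree as ET
from datetime import datetime, timezone

MD = "urn:oasis:names:tc:SAML:2.0:metadata"
REDIRECT = "urn:oasis:names:tc:SAML:2.0:bindings:HTTP-Redirect"

SAMPLE_METADATA = f"""<md:EntitiesDescriptor xmlns:md="{MD}">
  <md:EntityDescriptor entityID="https://idp.example.edu/idp">
    <md:IDPSSODescriptor>
      <md:SingleSignOnService Binding="{REDIRECT}"
          Location="https://idp.example.edu/idp/profile/SAML2/Redirect/SSO"/>
    </md:IDPSSODescriptor>
  </md:EntityDescriptor>
  <md:EntityDescriptor entityID="https://old-idp.example.org/idp"
      validUntil="2009-01-01T00:00:00Z">
    <md:IDPSSODescriptor>
      <md:SingleSignOnService Binding="{REDIRECT}"
          Location="https://old-idp.example.org/sso"/>
    </md:IDPSSODescriptor>
  </md:EntityDescriptor>
</md:EntitiesDescriptor>"""


def _expired(descriptor, now):
    """validUntil is optional; when present, an elapsed value disqualifies the entry."""
    stamp = descriptor.get("validUntil")
    if stamp is None:
        return False
    until = datetime.strptime(stamp, "%Y-%m-%dT%H:%M:%SZ").replace(tzinfo=timezone.utc)
    return until <= now


def resolve_sso_endpoint(metadata_xml, entity_id, binding=REDIRECT, now=None):
    """Return the SSO Location for entity_id and binding, or None if unknown or expired."""
    now = now or datetime.now(timezone.utc)
    root = ET.fromstring(metadata_xml)
    for ed in root.iter(f"{{{MD}}}EntityDescriptor"):
        if ed.get("entityID") != entity_id or _expired(ed, now):
            continue
        for sso in ed.iterfind(f"{{{MD}}}IDPSSODescriptor/{{{MD}}}SingleSignOnService"):
            if sso.get("Binding") == binding:
                return sso.get("Location")
    return None
```

A real deployment would verify the aggregate's signature before trusting any of it; this snippet only shows the lookup and expiry check.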

The discussions on these issues have tended to get into complicated corner cases and some heavy protocol elephantiasis.  The simple and elegant design of OAuth gives some hope, as people start experimenting and throwing connected ideas around.  An example is Andreas’ draft work on attribute aggregation.

Simple is good. Testing various ideas helps us sort out how the issues above prevent us from solving some of the use cases:

  • Grandfather wants access to the e-learning platform, and needs to check on school work and see if grandson handed in assignments.  Depends on delegation of rights from parent.  Depends on a discovery service to sort this role from the primary role as professor at university.
  • Parent wants to delegate limited rights to supervise schoolwork to grandfather.  Depends on attribute aggregation from multiple sources, as the parent-child relation is independent of authentication method.  Depends on a seamless discovery service, since this must be possible for all parents.
  • Integration of Web 2.0 applications without total mesh coupling.  Depends on withholding information to preserve privacy, and on delegation of rights to several processes keeping track of social network updates.
  • Universal access to web sites, while preserving privacy.  Getting information about disabilities (sensitive information) to adjust web sites to end user needs.  Depends on aggregation of attributes from multiple sources and delegation of rights.

The issues need to be solved for user centric identities, organization centric identities and federations.  We are not there yet – but the space needs watching.

Google Wave: federation-friendly Web 2.0

A draft of federation protocols for Wave, the hottest new collaboration tool from Google, is presented in the draft General Verifiable Federation by Lea Kissner and Ben Laurie.  More white papers are available from the Google Wave innards site.  Google Wave is announced as open source, and is based on the principle of federation.

Wave itself is an example of what happens if the user experience is put in the driving seat, and looks exciting!  The proof of the email system (and the instant message system, and document sharing, and photo sharing, and collaborative work, and sharing information) is the eating of the pudding, and I am looking forward to tasting the pudding.

Quote from the Wave presentation:

Federation, that was hard. So we are building this thing with live concurrent editing and chatting and instant messaging and pictures and all that stuff.  And then we throw federation into the mix, which vastly complicates things.  It would be so much easier, frankly, from an engineering point of view if we could just keep this proprietary and we control all the servers and we control all the update schedules and so on.  But we think it is worth the effort. We hope you can help us with this.  We think the world is a better place if everyone can build wave systems with it.

The sharing abilities of federation technology are in focus.  As they should be.

The innards of Wave technology remain to be augured by resident high technologists.  But it looks cool.

Nicole’s access and identity management mantras

Nicole in the UK (JISC Access Management Team) writes her three new access and identity management mantras:

1. Content is Not King.
Access management is not about getting x user to y resource but about the management infrastructure of your website.
2. Thou shalt not make users generate accounts.
This does not just focus on the need to use organisation-centric federated access management on websites, but recognises and builds in the larger question that institutions may in the long term choose to broker user-centric identities rather than provisioning identities. Service Provider managed user accounts are generally to be seen as bad though!
3. We are all Service Providers now.
It is important for institutions to think of themselves as Service Providers to their users, and think of the controls they need around those services to provide a good service to the end user. If you expect users to have federated accounts to access content at Wiley or OUP, why not have it on your website / VLE / Library Portal?

The third point goes directly into the debate on Web 2.0, where we are truly all contributors (and thus we are all Service Providers in SAML lingo).  However, the access management infrastructure for light-weight contributors is lagging behind.  The current federation infrastructure is organization-centric, and this makes it hard to re-use the same infrastructure for user-centric contributors.

I would restate the mantras as:

  1. Infrastructure matters
    Federations regulate authentication (SSO/SLO), the information-sharing model (attribute definitions and semantic interoperability) and security models. Security must be good enough, and the access management federations should be exploited.  Align user management with the organizational procedures and infrastructure.
  2. Thou shalt not harass thy users
    Do not force users to have more passwords than they can possibly remember, do not force users to have more user accounts than they are able to manage, do not force users to register new accounts.  Provide Single Sign On and Single Log Out to your users.  Give your users the information needed, including consent and security.  Users are smart, and will do what benefits them, if given tools to help themselves.
  3. You need to participate: we are all Service Providers
    Web sites that have access control do benefit from a shared access management infrastructure.  One size does not fit all, but all that need medium- or large-scale access management should federate to provide their users with a non-harassing Single Sign On and Single Log Out environment.

eduGAIN 1.0 official launch

The eduGAIN web site is up and running:

The purpose of eduGAIN is to provide the means for achieving interoperation between different Authentication and Authorisation Infrastructures (AAI).

Work has been ongoing with testing and adjusting the infrastructure.  We are confident that this work will move to SAML 2.0 shortly :-)

LoA work from JISC

Levels of Assurance (LoA) is one of the hot development topics in federations. JISC published the final report of its LoA work in November 2007, from the ES-LoA project. The project collected requirements from service providers, identity providers and universities in the UK. It also investigated existing LoAs, and looked into requirements in higher education and research.

EuroCAMP: How to build single sign on systems

The next EuroCAMP, in Cork, Ireland, May 18-19 2009, is focused on How to build single sign on systems – practical experiences.

EuroCAMP (European Campus Architecture Middleware Planning) workshops are gatherings for European universities, research and research networks. TERENA organizes the EuroCAMPs:

The TERENA EuroCAMP workshops aim to develop the knowledge and skills that are needed by staff who are involved in the set-up of identity management systems (IdMS) for authentication and authorisation. The events provide an opportunity to learn about identity management, authentication, authorisation, directories and other middleware standard technologies.