9M/ Ask a Federation Operator + Demos! / Nicole Roy
Session 9M
Ask A Federation Operator
Session Convener: Nicole Roy (InCommon)
Notes-taker(s): Dmitri Zagidulin
Tags / links to resources / technology discussed, related to this session:
Federation, SAML2, InCommon, IdPs
Discussion notes, key understandings, outstanding questions, observations, and, if appropriate to this discussion: action items, next steps:
InCommon runs the US research and education single sign-on federation (authentication) and the US part of global WiFi roaming (eduroam).
(Demo of InCommon's Metadata Explorer Tool)
InCommon was created by Internet2 (university CIOs etc.) to run a single sign-on federation.
(Legal structure, governance, policies intended to create trust among the participating institutions).
REFEDS (refeds.org) - Research and Education FEDerations, the worldwide coordination group for federation operators and their policies/profiles.
eduGAIN - global interfederation that exchanges SAML metadata between national federations so Web SSO works across them.
eduroam - global WiFi roaming service. (Connects educational institutions, regional/state networks, libraries.)
The InCommon community has produced a number of open-source software projects (and Docker containers for them).
InCommon also provides training on how to deploy and operate them: https://incommon.org/academy/
Q: How easy is it for a random Relying Party to put up a 'Sign in with InCommon' SSO button?
A: Quite easy (examples given with community newspapers, etc.). (Demo of the 'Join InCommon' link.)
Eligibility: higher-ed institutions, research organizations, or, for commercial organizations, sponsored partners (a lightweight process).
Highlight: an RP (SAML SP) can ask the IdP to authenticate the user under a particular authentication context, for example to require multi-factor auth. Progressive step-up auth is also available: the RP only requests the stronger context when the user reaches a sensitive action.
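The mechanism behind that highlight, as an added illustration (not code from the session or from InCommon): a SAML2 SP expresses the requirement with a RequestedAuthnContext element in its AuthnRequest, and on the way back it must check the AuthnContextClassRef the IdP actually asserted rather than assume the IdP honored the request. The example below builds such a request, reads the asserted context out of an assertion, and decides whether a step-up request is needed. The REFEDS MFA profile URI (https://refeds.org/profile/mfa) is the standard context for "require MFA" in this community but was not named in the session; the entity IDs, URLs and the two sample assertions are constructed for the example. Signature, Conditions and InResponseTo validation are deliberately left out and would precede any of this in a real SP.

```python
import xml.etree.ElementTree as ET

SAMLP = "urn:oasis:names:tc:SAML:2.0:protocol"
SAML = "urn:oasis:names:tc:SAML:2.0:assertion"

# REFEDS MFA profile: assumed here as the "require multi-factor" context; not named on the page.
REFEDS_MFA = "https://refeds.org/profile/mfa"
# Plain password-over-TLS context from the SAML2 authn context spec.
PASSWORD_CTX = "urn:oasis:names:tc:SAML:2.0:ac:classes:PasswordProtectedTransport"

ET.register_namespace("samlp", SAMLP)
ET.register_namespace("saml", SAML)


def build_authn_request(sp_entity_id, idp_sso_url, acs_url, request_id, issue_instant, required_ctx):
    """Build an AuthnRequest that asks the IdP for exactly `required_ctx`.

    Comparison="exact" means the IdP should only succeed with that class;
    the SP still verifies the response (see satisfies()) instead of trusting this.
    """
    req = ET.Element(f"{{{SAMLP}}}AuthnRequest", {
        "ID": request_id,
        "Version": "2.0",
        "IssueInstant": issue_instant,
        "Destination": idp_sso_url,
        "AssertionConsumerServiceURL": acs_url,
        "ProtocolBinding": "urn:oasis:names:tc:SAML:2.0:bindings:HTTP-POST",
    })
    ET.SubElement(req, f"{{{SAML}}}Issuer").text = sp_entity_id
    rac = ET.SubElement(req, f"{{{SAMLP}}}RequestedAuthnContext", {"Comparison": "exact"})
    ET.SubElement(rac, f"{{{SAML}}}AuthnContextClassRef").text = required_ctx
    return ET.tostring(req, encoding="unicode")


def authn_context_of(assertion_xml):
    """Return the AuthnContextClassRef the IdP asserted, or None if absent."""
    root = ET.fromstring(assertion_xml)
    ref = root.find(f".//{{{SAML}}}AuthnContextClassRef")
    return ref.text.strip() if ref is not None and ref.text else None


def satisfies(assertion_xml, required_ctx):
    """The check an SP must do itself: did the IdP actually assert the required context?"""
    return authn_context_of(assertion_xml) == required_ctx


def step_up_request_if_needed(session_assertion_xml, required_ctx, request_id, issue_instant):
    """Progressive step-up: return None if the current session already meets the
    requirement, otherwise a new AuthnRequest asking for the stronger context."""
    if satisfies(session_assertion_xml, required_ctx):
        return None
    return build_authn_request(
        sp_entity_id="https://sp.example.org/shibboleth",   # constructed
        idp_sso_url="https://idp.example.edu/idp/profile/SAML2/POST/SSO",  # constructed
        acs_url="https://sp.example.org/Shibboleth.sso/SAML2/POST",  # constructed
        request_id=request_id,
        issue_instant=issue_instant,
        required_ctx=required_ctx,
    )


def _sample_assertion(ctx):
    # Constructed, unsigned sample assertion carrying the given authn context.
    return (
        f'<saml:Assertion xmlns:saml="{SAML}" ID="_a1" Version="2.0" IssueInstant="2024-01-01T00:00:00Z">'
        "<saml:Issuer>https://idp.example.edu/idp/shibboleth</saml:Issuer>"
        "<saml:Subject><saml:NameID>user@example.edu</saml:NameID></saml:Subject>"
        '<saml:AuthnStatement AuthnInstant="2024-01-01T00:00:00Z"><saml:AuthnContext>'
        f"<saml:AuthnContextClassRef>{ctx}</saml:AuthnContextClassRef>"
        "</saml:AuthnContext></saml:AuthnStatement></saml:Assertion>"
    )


MFA_ASSERTION = _sample_assertion(REFEDS_MFA)
PASSWORD_ASSERTION = _sample_assertion(PASSWORD_CTX)

if __name__ == "__main__":
    # A password-only session reaching a sensitive action triggers a step-up request.
    print(step_up_request_if_needed(PASSWORD_ASSERTION, REFEDS_MFA, "_req1", "2024-01-01T00:05:00Z"))
    # An MFA session needs nothing further.
    print(step_up_request_if_needed(MFA_ASSERTION, REFEDS_MFA, "_req2", "2024-01-01T00:05:00Z"))
```

The important line for a practitioner is satisfies(): an IdP that does not implement the requested profile may still return a successful response with a weaker context, so the SP's authorization decision must be keyed on the asserted AuthnContextClassRef, not on the fact that it asked for MFA.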
Change management for giant federated systems is incredibly challenging: if you introduce a new protocol or feature, it takes a long time before it is deployed and propagated across all participants.