2. How can states support numerous applications
that want to use their open interfaces for
authentication and authorization?
– Open interfaces: SAML, OpenID Connect, UMA
– Consumers: websites, SaaS, apps, mobile apps
3. Multi-Party Federation Approach…
• Federations provide the “tools” and “rules” to
protect privacy while driving down the costs
for both the State and application developers
• Federations are a proven approach: they are
widely used in Higher Education and
government
– http://www.gluu.co/.hdr8
4. To be successful, federations have to
“Ease the On-boarding”
with a simple process to join
– Provide Registration
• Applicants agree to the participation agreement and
submit their certificate via a management website
– Vet participants
• The federation reviews the application, and ensures the
applicant qualifies to participate in the federation
– Collect fee
• It is common to collect setup and subscription fees to
offset the cost of managing the federation
infrastructure
5. The Participation Agreement
– Specifies Privacy Protections
• Specifies the Level of Assurance (LOA) the identity
provider gives that the person has been accurately
authenticated
• Specifies the Level of Protection (LOP) the website
or mobile application provides, i.e. what security is in
place to protect a person’s data from loss
• Specifies the Level of Control (LOC) a person has to
access, correct or remove their data
– Standardize Terms and Conditions
– Clarify Policies and Operating Procedures
6. The Federation publishes the schema or
words used by the Participants
– Attributes of the Person
• Piece of information about the person
• AKA “user claims”
– mail, phone, address, state, grade, age…
– Authentication Mechanisms
• You need to make sure the apps request the right kind of
authentication
– http://www.example.com/schema/authn/auth_mode/myMobileToken
– http://www.example.com/schema/authn/auth_level/9
– Authorization Scopes
• You need to make sure the apps request the right
scopes (the authorization they actually need)
– http://www.example.com/schema/authz/grade1
– http://www.example.com/schema/authz/teacher
– http://www.example.com/schema/authz/principal
7. The federation publishes the nightly
“metadata”
– A file that contains the official list of the
participants of the federation (at the time of
publication)
• http://www.incommon.org/federation/metadata.html
– Publishes the certificate of each participant
– A place for the federation to publish other
information about the participant’s role
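The aggregate described on this slide is what each participant actually trusts at run time, so the security-relevant checks are on the consumer side: refuse an aggregate that has no validity period or has expired (a stale list keeps trusting entities the federation may have removed), and accept an assertion only from an entity that is listed in the current aggregate, holds the IdP role, and signs with a key published there. The following Python is an added example, not code from this deck or from Gluu; it parses a constructed SAML 2.0 metadata aggregate whose X509Certificate bodies are placeholder bytes rather than real DER certificates, and it assumes the operator's XML signature over the aggregate has already been verified with a proper XML-DSig library before this code sees it.

```python
import base64
import hashlib
import xml.etree.ElementTree as ET
from datetime import datetime, timezone

MD = "urn:oasis:names:tc:SAML:2.0:metadata"
DS = "http://www.w3.org/2000/09/xmldsig#"

# Constructed stand-in for a nightly federation aggregate (not real metadata).
# The X509Certificate bodies are placeholder bytes, not DER certificates; a real
# aggregate carries full certificates and is signed by the federation operator.
SAMPLE_METADATA = """<md:EntitiesDescriptor xmlns:md="urn:oasis:names:tc:SAML:2.0:metadata"
    xmlns:ds="http://www.w3.org/2000/09/xmldsig#"
    Name="urn:example:federation" validUntil="2030-01-02T00:00:00Z">
  <md:EntityDescriptor entityID="https://idp.example.org/idp">
    <md:IDPSSODescriptor protocolSupportEnumeration="urn:oasis:names:tc:SAML:2.0:protocol">
      <md:KeyDescriptor use="signing">
        <ds:KeyInfo><ds:X509Data><ds:X509Certificate>
          AQIDBAUGBwgJCg==
        </ds:X509Certificate></ds:X509Data></ds:KeyInfo>
      </md:KeyDescriptor>
    </md:IDPSSODescriptor>
  </md:EntityDescriptor>
  <md:EntityDescriptor entityID="https://grades.example.com/sp">
    <md:SPSSODescriptor protocolSupportEnumeration="urn:oasis:names:tc:SAML:2.0:protocol">
      <md:KeyDescriptor use="encryption">
        <ds:KeyInfo><ds:X509Data><ds:X509Certificate>CwwNDg8=</ds:X509Certificate></ds:X509Data></ds:KeyInfo>
      </md:KeyDescriptor>
    </md:SPSSODescriptor>
  </md:EntityDescriptor>
</md:EntitiesDescriptor>
"""


def parse_saml_time(value):
    """Parse a SAML dateTime in UTC ('Z' suffix, optional fractional seconds)."""
    value = value.strip()
    for fmt in ("%Y-%m-%dT%H:%M:%SZ", "%Y-%m-%dT%H:%M:%S.%fZ"):
        try:
            return datetime.strptime(value, fmt).replace(tzinfo=timezone.utc)
        except ValueError:
            continue
    raise ValueError("unsupported SAML dateTime: %r" % value)


def cert_fingerprint(b64_text):
    """SHA-256 over the decoded bytes of a <ds:X509Certificate> element."""
    der = base64.b64decode("".join(b64_text.split()), validate=True)
    return hashlib.sha256(der).hexdigest()


def load_federation(xml_text, now):
    """Build {entityID: {"roles", "signing", "encryption"}} from an aggregate.

    Refuses an aggregate that has no validUntil or is past it, so a cached
    participant list can never outlive the period the operator vouched for.
    """
    root = ET.fromstring(xml_text)
    if root.tag != "{%s}EntitiesDescriptor" % MD:
        raise ValueError("not an EntitiesDescriptor")
    valid_until = root.get("validUntil")
    if valid_until is None:
        raise ValueError("aggregate has no validUntil; refuse to cache it")
    if now >= parse_saml_time(valid_until):
        raise ValueError("aggregate expired at %s" % valid_until)

    registry = {}
    for ent in root.iter("{%s}EntityDescriptor" % MD):
        entry = {"roles": set(), "signing": [], "encryption": []}
        for role in ent:
            local = role.tag.rpartition("}")[2]
            if not local.endswith("SSODescriptor"):
                continue  # Organization, ContactPerson, Extensions, ...
            entry["roles"].add(local[: -len("SSODescriptor")])  # "IDP" or "SP"
            for kd in role.findall("{%s}KeyDescriptor" % MD):
                # A KeyDescriptor without 'use' is valid for both purposes.
                uses = [kd.get("use")] if kd.get("use") else ["signing", "encryption"]
                for cert in kd.iter("{%s}X509Certificate" % DS):
                    fp = cert_fingerprint(cert.text or "")
                    for use in uses:
                        if use in entry:
                            entry[use].append(fp)
        registry[ent.get("entityID")] = entry
    return registry


def is_trusted_idp(registry, entity_id, signing_fingerprint):
    """An SP accepts an assertion only from a current participant that holds the
    IdP role and signs with a key the federation published for it."""
    entry = registry.get(entity_id)
    return bool(entry) and "IDP" in entry["roles"] and signing_fingerprint in entry["signing"]
```

The registry keys on entityID rather than on certificate alone because two participants may legitimately share an operator, and the fingerprint list per role lets a key rollover (old and new key both published for a night) pass without a flag day. In production, parse with defusedxml or an equivalent hardened parser and verify the operator's signature over the whole aggregate before trusting any of it.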
8. Federation Registry
– Provides scalable administration interface for the
federation operator
– Open source web application developed by the
Australian higher education federation
– Deployed in several other countries: Ireland,
Switzerland
– Enables websites to enter all the information that
is needed by the federation and handles the
approval workflow
9. What does the Gluu Federation Registry
Subscription include?
– Deployment of the Federation Registry application
on an existing customer IAAS or Gluu Server
– Quick start generating the Participation
Agreement—will require review and modification
by the State
– Creation of initial schema for attributes,
authentication, and authorization
– Development of an operations guide for Registry
Administrators
– Monitoring / Support of the Federation Registry
Server
10. Future proofing…
– Current federations are defined using SAML,
however federations are not limited to supporting
one protocol
– OpenID Connect Federation standards are
evolving:
• http://www.gluu.co/multi-openid-wiki