1. 8/27/2013
http://gluu.org
Federation Registry

2. SAML
OpenID
Connect
UMA
How can states support numerous applications
who want to use their open interfaces for
authentication and authorization?
Websites
SaaS
Apps
Mobile Apps

3. Multi-Party Federation Approach…
• Federations provide the “tools” and “rules” to
protect privacy while driving down the costs
for both the State and application developers
• Federations are a proven approach: they are
widely used in Higher Education and
government
– http://www.gluu.co/.hdr8

4. To be successful federations have to
“Ease the On-boarding”
with a simple process to Join
– Provide Registration
• Applicants agree to the participation agreement and
submit their certificate via a management website
– Vet participants
• The federation reviews the application, and ensures the
applicant qualifies to participate in the federation
– Collect fee
• It is common to collect setup and subscription fees to
offset the cost of managing the federation
infrastructure

5. The Participation Agreement
– Specifies Privacy Protections
• Species the Levels of Assurance (LOA) from the identity
provider that an accurate authentication has been
achieved
• Specifies the Level of Protection (LOP) from the website
or mobile application as to what security is in place to
protect a person’s data from loss
• The Level of Control (LOC) a person has to access,
correct or remove their data
– Standardize Terms and Conditions
– Clarify Policies and Operating Procedures

6. The Federation publishes the schema or
words used by the Participants
– Attributes of the Person
• Piece of information about the person
• AKA “user claims”
– mail, phone, address, state, grade, age…
– Authentication Mechanisms
• You need to make sure the apps request the right kind of
authentication
– http://www.example.com/schema/authn/auth_mode/myMobileToken
– http://www.example.com/schema/authn/auth_level/9
– Authorization Scopes
• You need to make sure the apps request the right kind of
authentication
– http://www.example.com/schema/authz/grade1
– http://www.example/schema/authz/teacher
– http://www.example.com/schema/authz/principal

7. The federation publishes the nightly
“metadata”
– A file that contains the official list of the
participants of the federation (at the time of
publication)
• http://www.incommon.org/federation/metadata.html
– Publishes the certificate of each participant
– A place for the federation to publish other
information about the participant’s role

8. Federation Registry
– Provides scalable administration interface for the
federation operator
– Open source web application developed by the
Australian higher education federation
– Deployed in several other countries: Ireland,
Switzerland
– Enables websites to enter all the information that
is needed by the federation and handles the
approval workflow

9. What does the Gluu Federation Registry
Subscription Include
– Deployment of the Federation Registry application
on an existing customer IAAS or Gluu Server
– Quick start generating the Participation
Agreement—will require review and modification
by the State
– Creation of initial schema for attributes,
authentication, and authorization
– Development of a operations guide for Registry
Administrators
– Monitoring / Support of the Federation Registry
Server

10. Future proofing…
– Current federations are defined using SAML,
however federations are not limited to supporting
one protocol
– OpenID Connect Federation standards are
evolving :
• http://www.gluu.co/multi-openid-wiki