Scalable attribute release for IdPs in federation and interfederation
Note: The slides in this module have been presented and discussed at TNC16. The feedback and suggestions received during the workshop will be reflected soon in the slide decks.
The content of this training module is intended for organisations that run Identity Providers (IdPs). These organisations are the home organisations of the users, e.g. universities for students, researchers and teachers, research institutes, libraries, member organisations of National Research and Education Networks (NRENs), and other organisations linked to research.
Partners in the AARC project are e-infrastructures, such as EGI and EUDAT, research collaborations, namely ELIXIR and DARIAH, and international laboratories and facilities, e.g. CERN and STFC. All these partners need to provide services to federated users. As these services are complex, they need user attributes released by the identity providers.
The requirements analysis that AARC carried out with the user communities highlighted the need for a training module targeted at identity providers, to help them adopt a scalable attribute release configuration in federation and interfederation.
Insufficient attribute release by IdPs is considered by user communities to be the major problem today in the eduGAIN space. Therefore, there was a clear requirement in AARC to produce training that helps mitigate the attribute release problem.
The aim of this training module is to help identity providers understand the issues with their current configurations, to inform them about theoretical and practical solutions to the issue, from both the technical and the legal point of view, and to give them tools that ease identity provider configuration for scalable attribute release.
This training is aimed at experts who are already familiar with identity federations and know how to run an identity provider. Readers who are not familiar with the concept of AAI should first read the ‘Federations 101’ training module, which explains the basic concepts of AAI. Readers who would like to know how to deploy an identity provider can read one of the many tutorials available on the web, e.g. “HOWTO Install Shibboleth IDP 3.2.1 on Ubuntu Linux 16.04”.
The main part of the module is delivered in presentation format and a link to the slides is provided below.
The module is designed for a three-hour face-to-face training, but it is also feasible to deliver it as a webinar or e-learning, slicing the material into shorter chunks.
Main goals of the training
During the training, the participants are expected to learn:
- What the Key Performance Indicators (KPIs) for identity federations are and how to measure the KPIs of the federation to which they belong
- How important it is for researchers to access resources offered by Research Infrastructures (RIs), and how this is linked to high federation KPIs
- That one of the main KPIs is the ability to release attributes in a scalable fashion
- That the lack of attribute release originates in inefficient IdP management
- What benefits entity categories (ECs) bring to attribute release
- How the entity categories work
- What the Research and Scholarship (R&S) EC is and how it works for IdPs
- What the Data Protection Code of Conduct (DP_CoCo) EC is and how it works for IdPs
- Which legal concerns can be raised and how to respond to them
- How to improve attribute management with Dynamic Attribute Definition
- How to retrieve and use modular Attribute Release Policies based on EC and arranged by your federation operator
- How to benefit from using a Registry for refining the attribute release
Participants should have a basic understanding of federations and federated identity management, including the related terminology, and have an awareness of its benefits.
As the training is designed to solve a problem that afflicts identity providers, it is targeted mainly at identity provider operators of research and education federations.
Attribute Release Training (last updated Jun 16, 2016)
One of the two main objectives of our Network Activity in the AARC project is to offer training, following the train-the-trainers model, on the technical and policy aspects of federated access, addressing specific challenges. The trained people will in turn organise training for their community or their country.
For the specific challenge of attribute release, the ideal people to run the training are the federation operators, who are called on to train the identity provider operators in their federations.
The following module can be used in the train-the-trainers model, directed at federation operators, to introduce the topics and motivate them to provide such training to identity provider operators in their own federations.
Contents of the Train-the-trainers introduction
- The federation operator role in guiding IdP operators
- Setting up of tools to ease IdP operators configurations
The federation operator role (last updated Jun 16, 2016)