Identity and Access Management (IAM) WG Session
Chairs : Motonori Nakamura (NII, Japan)
Kazu Yamaji (NII, Japan)
Members :
Objectives : This session will encourage collaboration among developers and operators responsible for identity management with directory services and for the variety of services with access control, to discuss ways to get campuses ready for advanced authentication technologies so that end users can connect to the network and access resources (online journals, collaborative services, grid applications, wireless roaming, etc.) in a secure, scalable and manageable way.
Target Audience : Open for any attendees, especially researchers, application developers and operators working on academic networks, AAI, Grid and NREN.
Expected Number of Participants : 30
Agenda : Session 1: 14:00 - 15:30
Brook Schofield
14:00-14:15 Update on Japanese Identity Federation: GakuNin in FY2014
Motonori Nakamura (National Institute of Informatics, Japan)

The Japanese academic access federation, GakuNin, is deploying federated identity in Japan using the SAML 2.0 standard, primarily with Shibboleth software. GakuNin entered production operation in 2010, and has grown today to about 120 IdPs and 130 SPs. This talk summarizes the GakuNin progress in recent years and the future plan, especially how to accelerate the federation activity by means of academic cloud services and also how to expand our server certificate program.

14:15-14:30 Identity Management and Federation in Malaysia: Development of EduShib Virtual Appliance and Update of and Related Activities
Suhaimi Napis (Universiti Putra Malaysia, Malaysia)
Muhammad Farhan Sjaugi (Perdana University, Malaysia)

Efforts towards developing national identity management and federation (IMF) for Malaysia continue to progress as planned despite encountering several technical and financial challenges. The biggest challenge is the state of readiness of learning institutions and other organizations in several key technical areas as well as staff expertise. From our survey, only a small number of universities have developed an institutional directory service and central authentication system, with finance being the main issue apart from the lack of expertise of the IT staff. We realised the need to push together exemplar services/applications so that the research and education community can see the real benefit and readily support our IMF effort. Eduroam was chosen as one of the exemplar services to demonstrate the benefit of IMF with the development of EduShib VA (Virtual Appliance). EduShib VA is a rapid deployment tool for eduroam and Shibboleth Identity Provider (IdP) which helps IT administrators to install and configure an IdP for both eduroam and Shibboleth in a reasonably short time and with less hassle. EduShib VA is developed by Academic Grid Malaysia and SIFULAN Academic Access Federation and we have included it in our local training workshop curriculum. We also worked very closely with GAKUNIN Japan in organising an IMF training workshop for ASEAN participants funded by the TEIN*CC Project. The first TEIN IMF workshop was held last January in Bandung and we succeeded in securing the funding for a second workshop in Malaysia in Q4 of 2014. GAKUNIN and are both desirous to collaborate together and with other partners/potential partners to develop an ASEAN Catch-All Federation. We also collaborated with CESNET in deploying PERUN and also with INFN for Grid Certificates and IdP. A report on the above and the present status of and other related activities will be presented.

14:30-15:00 Various configurations of eduroam IdPs and a disruption-/disaster-tolerant architecture
Hideaki Goto (Tohoku University, Japan)
Motonori Nakamura (National Institute of Informatics, Japan)
Hideaki Sone (Tohoku University, Japan)

Two centralized eduroam IdP services have been in operation in Japan for years. One is a Shibboleth-based account issuer called "eduroam-shib" and the other is the Delegate eduroam Authentication System (DEAS). They have some benefits over the standard local RADIUS IdP at each institution in the views of early eduroam deployment in a country, simplifying the eduroam operations, and guest account management for conferences and meetings. This talk summarizes various configurations of eduroam IdPs and operational tips, and also introduces a disruption-/disaster-tolerant architecture which would be quite useful for areas suffering from frequent power/network outages and/or natural disasters.

15:00-15:30 Status update of HPCI operation
Kazutaka Motoyama (National Institute of Informatics, Japan)
Kento Aida (National Institute of Informatics, Japan)
Eisaku Sakane (National Institute of Informatics, Japan)

High Performance Computing Infrastructure (HPCI) is a distributed supercomputer infrastructure, which connects nation-wide HPC resources in Japan. The production level operation started in Sep. 2012. HPCI offers a single sign-on service for accessing supercomputers and storage. The single sign-on service is realized by Shibboleth and Grid Security Infrastructure. We will report the current status of HPCI operation and our countermeasures for the OpenSSL Heartbleed vulnerability.

Session1: 16:00 - 17:30
Hideaki Sone
16:00-16:30 GN3plus Joint Research on Attributes and Groups in the AAI environment
Maarten Kremers (SURFnet, Netherlands)

It is widely acknowledged that federated access is a key aspect of supporting collaboration for large-scale research initiatives, whilst providing mechanisms to guarantee users' privacy and security. On the other hand there is consensus that the existing authorization model does not reflect the collaborative nature of the research and education community: attributes and group information should be provided not only by the Identity Providers, but also by the collaborative projects. While accounting in homogeneous environments (such as single applications, specific infrastructures, etc.) is rather common, this is not the case for highly distributed and heterogeneous infrastructures.

Within the European GN3plus project [1] one of the joint research tasks (JRA3-T1)[2][3] is exploring this field of attributes and groups for AAI in this heterogeneous environment.

The task focuses on two topics. A) The exchange of group information: Traditionally, a group administrator must create and maintain a group for each service, which is cumbersome and error-prone. To ease the usage and to simplify maintenance, the use of an external group provider is a possible solution. In this way a group can be maintained in one place. This task continues the work on the VOOT protocol, a protocol for exchanging external group information. This task started restructuring the protocol to be a profile of SCIM.

B) New e-research use cases have emerged that require a different approach to attributes. Currently, attributes are provided by the users' Identity Providers. However, this approach does not scale very well. A better approach would be to enable third parties (i.e., collaboration projects) to provide specific attributes about the users in the context of the collaboration. Work has started, amongst others, on using Grouper in a cross-organizational context as well as on creating an overview of current attribute authority solutions.

In this presentation we will give an overview of the results, use cases and outcomes from this task, which runs from April 2013 to March 2015.

[3] Under construction

16:30-17:00 Tools for the successful operation of a federation
Terry Smith (Australian Access Federation Inc., Australia)

This presentation will provide a brief overview of the type of tools that can aid in the successful operation of a national identity federation, covering their function, intended audience and integration points. The Australian Access Federation has deployed and continues to develop federation tools which enable the successful operation of a federation with a small, dedicated team.

17:00-17:30 ELCIRA: Developing Federated Identity Services in Latin America
Brook Schofield (TERENA)

The ELCIRA project started in 2012 and promoted the uptake of Federated Identity Services to support the research and education collaboration between Latin America and Europe.

In that time the growth of eduroam and WebSSO/SAML Identity Federations and their participation in eduGAIN has far outstripped any other world region.

As the ELCIRA project comes to an end, what lessons can be learnt from the past 2 years? ...and how can these benefit APAN participants now and in the future?

Seating Arrangement : U Shape or Classroom
Video Conferencing Facility : May be Yes
Remarks :