Federated Access: Identity
Management and Access to
Protected Resources
Renée Woodten Frost
Associate Director, Middleware & Security
[email protected]
Copyright Renee Woodten Frost 2007. This
work is the intellectual property of the author.
Permission is granted for this material to be
shared for non-commercial, educational
purposes, provided that this copyright
statement appears on the reproduced
materials and notice is given that the copying
is by permission of the author. To disseminate
otherwise or to republish requires written
permission from the author.
Topics
• Challenges of Access to Resources
• Identity Management
• Federated Identity Management
• Federations
• InCommon Federation
Challenges
• Faculty, students, and staff are no longer located
exclusively on campus
• User community has expanded, is more remote:
alumni, parents, admitted students, donors, etc
• Research and education are increasingly
complex, globally interdependent, and online
• Security and protection of personal identity
information is paramount & increasingly regulated
(FERPA, HIPAA, Gramm-Leach-Bliley, etc.)
Challenges
• Business processes and applications are increasingly outsourced and/or distributed:
  • Digital collections and data
  • Course materials and management
  • Financial management
  • Remote instrumentation
  • Computational resources such as Grids
  • Music, Software
  • Travel resources
  • Government resources
Desirable Solutions
• Develop solutions that efficiently use existing
information infrastructures securely and safely
• Reduce the time and resources spent on all the
“one off” requirements for each partner provider
and streamline interoperation with each partner
• Reduce help desk calls & number of user accounts
to provision with these numerous partnerships
• Maximize the control, security, and privacy of
personally identifiable, sensitive information
• Make online services richer, easier to use, and
safer for students, faculty, and staff
This is what Federated Identity Management does
Identity Management Basic Components
• Reflect: Data of interest from systems of
record into registry, directory
• Join: Identity information across systems
• Manage: Credentials, group memberships,
affiliations, privileges, services, policies
• Provide: Identity & Access Mgmt info via
  • relay through run-time request/response
  • provisioning into App/Service stores
• Authenticate: Claimed identities
• Authorize: Access or denial of access
• Log: Usage for audit
Authentication
• Process of validating credentials
presented in particular security context
• Identification and registration processes
preceding authentication are important
• Possession of valid credentials does not by itself
grant access to resources; that is a separate authorization step
Authorization
• Process of controlling user access to
resources; based on business rules
• Accessing a resource is a two-step process:
  • Authentication
  • Authorization
• Authorization decisions are often based on
group membership
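The components and the two-step access model above, as an added worked example written for this page (not code from the slides, nor from any InCommon or Shibboleth software). The systems of record, people, passwords and resource policy are constructed, and the campus identifier `uid` carried by both source systems is an assumption about how the join is keyed:

```python
"""Toy campus identity registry (constructed example): reflect and join
records from two systems of record, manage credentials, authenticate a
claimed identity, authorize by group membership, and log each attempt."""
import hashlib
import hmac
import os
from datetime import datetime, timezone

# Systems of record (constructed). Both carry the campus identifier "uid"
# assigned during identification/registration; that is what makes the join
# reliable. Joining on names would not be.
HR_RECORDS = [
    {"uid": "joval", "given": "Joe", "sn": "Oval", "dept": "Psychology", "title": "Professor"},
]
SIS_RECORDS = [
    {"uid": "asquare", "given": "Ann", "sn": "Square", "program": "BS-CS"},
    {"uid": "joval", "given": "Joe", "sn": "Oval", "program": "PhD-Psych"},  # also enrolled
]


def build_registry(hr_records, sis_records):
    """Reflect the fields of interest into one registry and join them by uid.
    Affiliations and groups are derived from the source records, not copied."""
    registry = {}
    for rec in hr_records:
        p = registry.setdefault(rec["uid"], {"affiliations": set(), "groups": set()})
        p.update(given=rec["given"], sn=rec["sn"], title=rec["title"])
        p["affiliations"].add("employee")
        if rec["title"].endswith("Professor"):
            p["affiliations"].add("faculty")
        p["groups"].add("dept:" + rec["dept"])
    for rec in sis_records:
        p = registry.setdefault(rec["uid"], {"affiliations": set(), "groups": set()})
        p.setdefault("given", rec["given"])
        p.setdefault("sn", rec["sn"])
        p["affiliations"].add("student")
        p["groups"].add("program:" + rec["program"])
    return registry


# Credential store, kept apart from the registry: salted PBKDF2 hashes only.
CREDENTIALS = {}
_DUMMY = (b"\x00" * 16, b"\x00" * 32)  # unknown uids take the same code path


def enroll_password(uid, password):
    salt = os.urandom(16)
    CREDENTIALS[uid] = (salt, hashlib.pbkdf2_hmac("sha256", password.encode(), salt, 100_000))


def authenticate(uid, password):
    """Validate the presented credential in this security context (password).
    Unknown users and wrong passwords look the same to the caller."""
    salt, stored = CREDENTIALS.get(uid, _DUMMY)
    candidate = hashlib.pbkdf2_hmac("sha256", password.encode(), salt, 100_000)
    return uid in CREDENTIALS and hmac.compare_digest(candidate, stored)


# Business rules (constructed): a resource requires ANY of the listed
# affiliations and, where given, ANY of the listed groups.
POLICY = {
    "grades-entry": {"affiliations": {"faculty"}},
    "licensed-content": {"affiliations": {"faculty", "staff", "student"}},
    "psych-lab-instrument": {"affiliations": {"faculty"}, "groups": {"dept:Psychology"}},
}


def authorize(registry, uid, resource):
    """Authorization: grant or deny by business rule on group membership."""
    rule, person = POLICY.get(resource), registry.get(uid)
    if rule is None or person is None:
        return False
    for kind in ("affiliations", "groups"):
        if kind in rule and not (person[kind] & rule[kind]):
            return False
    return True


AUDIT_LOG = []


def access(registry, uid, password, resource):
    """Two-step access: authenticate, then authorize. A valid credential alone
    is not enough; a student with a good password is still denied faculty
    resources. Every attempt, successful or not, is logged for audit."""
    authenticated = authenticate(uid, password)
    authorized = authenticated and authorize(registry, uid, resource)
    AUDIT_LOG.append({"ts": datetime.now(timezone.utc).isoformat(), "uid": uid,
                      "resource": resource, "authenticated": authenticated,
                      "authorized": authorized})
    return authorized


if __name__ == "__main__":
    reg = build_registry(HR_RECORDS, SIS_RECORDS)
    enroll_password("joval", "correct horse")
    enroll_password("asquare", "battery staple")
    print(access(reg, "joval", "correct horse", "psych-lab-instrument"))     # True
    print(access(reg, "asquare", "battery staple", "psych-lab-instrument"))  # False
    print(AUDIT_LOG)
```

The audit entry is written whether or not either step succeeds; failed authentications against unknown identifiers are exactly the records an incident responder later wants.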
Federated Identity Management Model
• Enterprises provide local authentication and
attributes
• Uses a variety of end-entity local authentication:
PKI, username/password, Kerberos, two-factor
• Enterprises within a vertical sector federate to
coordinate Levels of Assurance (LOA),
namespaces, metadata, etc.
•Provides a scalable alternative to multiple bilateral technical relationship management
Identity & Access Management Federations
• A definition of Federation: A collaboration of independent
entities that give up a certain degree of autonomy to a
central authority in pursuit of a common set of goals.
• Central Authority:
Federations set common policies, interoperability criteria
(vocabulary for exchanges, technology), and provide
central services to establish and maintain trust
(registration, authoritative metadata and certificates,
dispute resolution)
• Common Set of Goals:
Federations enable secure, trustworthy, scalable online
partnerships
Federation Fundamentals
• Members sign a contract to join.
• Members must still create Business Relationships
with each other
• Bilateral relationships can impose additional policy
• The Federation does NOT:
  • Collect or assert anything, except the necessary
  metadata about member signing keys, etc.
  • Authenticate end users
  • Provide services, though it may be associated
  with groups or buying clubs
Research and Education Federations
• Growing national federations
• UK, France, Germany, Switzerland, Netherlands, Norway,
Finland, Spain, Denmark, Australia, etc.
• Stages range from fully established to in development;
scope ranges from higher ed to further education
• Many are Shibboleth-based; all speak Shib on the outside…
• Several million users in the UK - JISC and BECTA
• US Federations
• InCommon
• State-based and University System-based
• Texas, University of California System, Maryland, etc.
• For library use, for roaming access, for payroll and benefits, etc.
US Government Federal
e-Authentication Initiative
• A federation of US Gov agencies to provide
services to each other and to the general
population
• Services to be provisioned include NSF
Fastlane, National Park Research and Camping
Permits, Social Security management, export
permits, etc
• Based on SAML protocol and Credential
Service Providers to businesses and the
general public
http://www.cio.gov/eAuthentication
InCommon
Which of your critical resources require protection?
• Unpublished research collaboration
• Remote instruments
• Licensed content
• Financial, HR systems
Which user population requires identity protection and validation?
• Students
• Faculty
• Staff
Purpose of the InCommon Federation?
• Establishes Prerequisites:
• Official Enterprise Directory, Web Single Sign On,
• Middleware: Identifier, Attributes, Federating Software
(Shibboleth), Trusted Certificate Authorities
• Operates common services required for
interoperability
(Authentication, Certificate Authority, Metadata)
• Helps resolve problems and disputes
• Shares policy and practice requirements of its
participants: Participant Operational Practices
(POP)
The Challenging Way
[Diagram: Dr. Joe Oval, Psych Prof. at Circle University, with a home account ([email protected], SSN 456.78.910, Password #1) and a separate, unknown set of Service IDs ("????") at every external service.]
The Federated Way
[Diagram: the same user and the same home account at Circle University (SSN 456.78.910, Password #1 stay with the home organization); the user signs on once at home and the services rely on that.]
1. Single Sign On
2. Services no longer manage user accounts & personal data stores
3. Reduced Help Desk load
4. Standards-based Technology
5. Home Org controls privacy
Role of the Federation
1. Agreed upon Attribute Vocabulary & Definitions:
Member of, Role, Unique Identifier, Courses, …
2. Criteria for IdM practices (user accounts,
credentialing, etc.), personal information
stewardship, interoperability standards,
technologies
3. Digital Certificates
4. Trusted “notary” for all universities and partners
[Diagram: the home organization holds the user record (Affiliation, EPPN, Given/SurName, Title, SSN, Password #1); the attributes exchanged with partners (Affiliation, EPPN, Given/SurName, Title) are each marked "Verified By the Federation", while SSN and Password #1 remain at home.]
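An added example of how a home organization would act on points 1 and 2 above, written for this page rather than taken from the slides or from Shibboleth. The entity IDs, the user record, the release policy and the salt are constructed; the eduPerson attribute names are the standard vocabulary for affiliation, EPPN, given/surname and title, and the hash construction used for the pairwise identifier is a generic one, not a claim about how any particular IdP computes its targeted IDs:

```python
"""Attribute release at the IdP (constructed example): release only what the
policy names for the requesting SP, and substitute a pairwise pseudonym for
anything that would let providers correlate a user across services."""
import base64
import hashlib

# The user's record at the home organization (constructed values).
USER = {
    "uid": "joval",
    "eduPersonPrincipalName": "joval@circle.example.edu",        # EPPN
    "eduPersonScopedAffiliation": ["faculty@circle.example.edu",
                                   "member@circle.example.edu"],  # Affiliation
    "givenName": "Joe",                                           # Given name
    "sn": "Oval",                                                 # Surname
    "title": "Professor of Psychology",                           # Title
    # Not part of the federation vocabulary; these stay at home.
    "ssn": "456-78-910",
    "password": "Password #1",
}

# Attributes that must never appear in any release rule.
NEVER_RELEASE = {"ssn", "password", "uid"}

# Release policy keyed by the requesting SP's entityID (constructed). "*" is
# what a federation member gets when no bilateral agreement names it.
# Allow-list only: an attribute that is not listed is not sent.
RELEASE_POLICY = {
    "*": ["eduPersonScopedAffiliation", "eduPersonTargetedID"],
    "https://sp.library.example.org/shibboleth":
        ["eduPersonScopedAffiliation", "eduPersonTargetedID"],
    "https://lms.vendor.example.com/shibboleth-sp":
        ["eduPersonPrincipalName", "givenName", "sn", "eduPersonScopedAffiliation"],
}

# Secret held only by the IdP (constructed); rotating it changes every pseudonym.
IDP_SALT = b"constructed-idp-secret-salt"


def validate_policy(policy, never=NEVER_RELEASE):
    """Reject a policy that names a forbidden attribute anywhere, so a typo in
    one SP's rule cannot leak an SSN or a password. Returns True when clean."""
    for sp, attrs in policy.items():
        bad = never & set(attrs)
        if bad:
            raise ValueError(f"policy for {sp} releases forbidden attributes {sorted(bad)}")
    return True


def targeted_id(user, sp_entity_id, salt=IDP_SALT):
    """Anonymous identifier for one user at one SP: stable across logins to
    that SP, different at every other SP, and not invertible to uid without
    the salt. Generic hash-of-(SP, user, salt) construction (an assumption,
    not any specific IdP's connector)."""
    material = b"!".join([sp_entity_id.encode(), user["uid"].encode(), salt])
    return base64.b64encode(hashlib.sha256(material).digest()).decode()


def release(user, sp_entity_id, policy=RELEASE_POLICY):
    """Return exactly the attributes this SP is entitled to, nothing else."""
    validate_policy(policy)
    released = {}
    for name in policy.get(sp_entity_id, policy["*"]):
        if name == "eduPersonTargetedID":
            released[name] = targeted_id(user, sp_entity_id)
        elif name in user and name not in NEVER_RELEASE:
            released[name] = user[name]
    return released


if __name__ == "__main__":
    for sp in ("https://sp.library.example.org/shibboleth",
               "https://lms.vendor.example.com/shibboleth-sp",
               "https://unknown.example.net/sp"):
        print(sp, release(USER, sp))
```

The library SP sees an affiliation and an opaque identifier and can still enforce its licence and keep per-user preferences; only the SP with a bilateral agreement (the LMS here) receives a name and EPPN. Checking the policy on every release rather than once at load time is deliberate: policies are edited by hand and reloaded.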
[Diagram: federation metadata. For each member (University A, University B, University C, Partner 1, Partner 2, Partner 3 …) the federation publishes one entry per IdP and per SP (SP1, SP2, …) holding name, key, url, contacts, etc., each "Verified By the Federation"; a future extension tags entries with a bronze or silver LoA (Level of Assurance).]
User Experience Flows
Multiple Partners - Identity Providers (IdPs) and
Service Providers (SPs) - in Action:
• Authentication vs. Authorization
• Federation WAYF
• Single Sign On to multiple services
• Anonymous Identifiers
• Clearing Sessions
• IdP to SP without a WAYF
User Experience Flows
• First access the resource, then the
Federation WAYF (“Where Are You From”)
home organization discovery page
• Internet2 Intranet (InCommon)
• Wireless (UT System)
• First access the resource’s own customized
WAYF
• ScienceDirect
• Spaces.internet2.edu Wikis
• OhioLINK
• First access the Identity Provider
• Penn State & WebAssign
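The metadata the federation publishes (name, key, url, contacts per IdP and SP, as in the federation metadata diagram above) and the WAYF list built from it, as an added example written for this page, not code from the slides or from Shibboleth. The aggregate is constructed, its certificate values are placeholders rather than real X.509 data, and the `validUntil` date is chosen to match the slides' era. Production code first verifies the XML signature on the aggregate against the federation's key obtained out of band, which the standard library cannot do, so this block assumes that check has already passed:

```python
"""Federation metadata as the trust anchor (constructed example): refuse a
stale aggregate, pin each IdP's signing certificate from it, and build the
WAYF list from the same data."""
import xml.etree.ElementTree as ET
from datetime import datetime, timezone

MD = "{urn:oasis:names:tc:SAML:2.0:metadata}"
DS = "{http://www.w3.org/2000/09/xmldsig#}"

# Constructed SAML 2.0 metadata aggregate; certificate values are placeholders.
METADATA_XML = """<md:EntitiesDescriptor xmlns:md="urn:oasis:names:tc:SAML:2.0:metadata"
    xmlns:ds="http://www.w3.org/2000/09/xmldsig#" Name="urn:example:federation"
    validUntil="2007-06-30T00:00:00Z">
  <md:EntityDescriptor entityID="https://idp.circle.example.edu/idp/shibboleth">
    <md:IDPSSODescriptor protocolSupportEnumeration="urn:oasis:names:tc:SAML:2.0:protocol">
      <md:KeyDescriptor use="signing"><ds:KeyInfo><ds:X509Data>
        <ds:X509Certificate>CONSTRUCTED-CERT-A==</ds:X509Certificate>
      </ds:X509Data></ds:KeyInfo></md:KeyDescriptor>
      <md:SingleSignOnService Binding="urn:oasis:names:tc:SAML:2.0:bindings:HTTP-Redirect"
        Location="https://idp.circle.example.edu/idp/profile/SAML2/Redirect/SSO"/>
    </md:IDPSSODescriptor>
    <md:Organization><md:OrganizationDisplayName xml:lang="en">Circle University</md:OrganizationDisplayName></md:Organization>
    <md:ContactPerson contactType="technical"><md:EmailAddress>mailto:idp-admin@circle.example.edu</md:EmailAddress></md:ContactPerson>
  </md:EntityDescriptor>
  <md:EntityDescriptor entityID="https://idp.square.example.edu/idp/shibboleth">
    <md:IDPSSODescriptor protocolSupportEnumeration="urn:oasis:names:tc:SAML:2.0:protocol">
      <md:KeyDescriptor><ds:KeyInfo><ds:X509Data>
        <ds:X509Certificate>CONSTRUCTED-CERT-B==</ds:X509Certificate>
      </ds:X509Data></ds:KeyInfo></md:KeyDescriptor>
      <md:SingleSignOnService Binding="urn:oasis:names:tc:SAML:2.0:bindings:HTTP-Redirect"
        Location="https://idp.square.example.edu/idp/profile/SAML2/Redirect/SSO"/>
    </md:IDPSSODescriptor>
    <md:Organization><md:OrganizationDisplayName xml:lang="en">Square University</md:OrganizationDisplayName></md:Organization>
  </md:EntityDescriptor>
  <md:EntityDescriptor entityID="https://sp.library.example.org/shibboleth">
    <md:SPSSODescriptor protocolSupportEnumeration="urn:oasis:names:tc:SAML:2.0:protocol">
      <md:KeyDescriptor use="signing"><ds:KeyInfo><ds:X509Data>
        <ds:X509Certificate>CONSTRUCTED-CERT-SP==</ds:X509Certificate>
      </ds:X509Data></ds:KeyInfo></md:KeyDescriptor>
      <md:AssertionConsumerService index="1" Binding="urn:oasis:names:tc:SAML:2.0:bindings:HTTP-POST"
        Location="https://sp.library.example.org/Shibboleth.sso/SAML2/POST"/>
    </md:SPSSODescriptor>
  </md:EntityDescriptor>
</md:EntitiesDescriptor>"""


def parse_saml_time(value):
    """SAML metadata timestamps are UTC with a trailing Z."""
    return datetime.strptime(value, "%Y-%m-%dT%H:%M:%SZ").replace(tzinfo=timezone.utc)


def _norm(cert_text):
    return "".join((cert_text or "").split())


def _signing_certs(role):
    """KeyDescriptors with use="signing" or no use attribute (which means both)."""
    return {_norm(c.text) for kd in role.iter(MD + "KeyDescriptor")
            if kd.get("use") in (None, "signing")
            for c in kd.iter(DS + "X509Certificate")}


def load_federation(xml_text, now):
    """Map entityID -> roles, pinned signing certs, endpoints, display name and
    contacts. A stale aggregate is refused: a key revoked since must not live on."""
    root = ET.fromstring(xml_text)
    if now >= parse_saml_time(root.get("validUntil")):
        raise ValueError("federation metadata expired; refresh before use")
    fed = {}
    for ent in root.iter(MD + "EntityDescriptor"):
        eid = ent.get("entityID")
        info = {"roles": set(), "signing_certs": set(), "endpoints": [],
                "display": eid, "contacts": []}
        for tag, role, svc in (("IDPSSODescriptor", "IdP", "SingleSignOnService"),
                               ("SPSSODescriptor", "SP", "AssertionConsumerService")):
            el = ent.find(MD + tag)
            if el is not None:
                info["roles"].add(role)
                info["signing_certs"] |= _signing_certs(el)
                info["endpoints"] += [s.get("Location") for s in el.iter(MD + svc)]
        name = ent.find(MD + "Organization/" + MD + "OrganizationDisplayName")
        if name is not None and name.text:
            info["display"] = name.text.strip()
        info["contacts"] = [c.text.strip() for c in ent.iter(MD + "EmailAddress") if c.text]
        fed[eid] = info
    return fed


def is_trusted_issuer(fed, issuer, presented_cert):
    """SP-side check on an assertion: the Issuer must be a federation IdP and the
    signing certificate must be one the federation published for that exact
    entity. Whether a commercial CA would accept the cert is irrelevant here."""
    info = fed.get(issuer)
    return bool(info) and "IdP" in info["roles"] and _norm(presented_cert) in info["signing_certs"]


def wayf_choices(fed):
    """What the federation WAYF lists: every IdP, by display name."""
    return sorted((i["display"], eid) for eid, i in fed.items() if "IdP" in i["roles"])
```

Note that a certificate published for one IdP buys nothing when presented under another entityID, and an SP's own certificate never qualifies it as an issuer; that per-entity pinning is what the "trusted metadata" service actually provides, and it is why the aggregate must be refreshed before `validUntil` rather than cached indefinitely.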
Value of Federations
Broad Strokes
• Identity Providers (Home Institutions) control
user accounts and the release (and spillage)
of personal information
• Online Service Providers focus on their
online resources and not on user account
provisioning
• Users have easy, private, global access
• Partners have finely-tunable access controls
and can quickly and securely deploy new
collaborations and service relationships
Value of InCommon Federation
• Governance by a Representative Steering Committee
establishes:
• Criteria for participation
• Policy and shared direction
• Services meet business needs with appropriate security
levels and legal requirements
• Scalable operational standards and practices
• Legal Agreement
• Official Organizational Designees, Establishment of Trust,
Conflict and Dispute Resolution, Basic Protections &
Responsibilities
• Trust “Notary”
• InCommon verifies the identity of Organizations and their
delegated Officers;
Value of InCommon Federation
• Trusted Metadata
• InCommon verifies & aggregates location and security data for
each participant’s servers, systems, and support contacts
• Certificate Authority
• InCommon issues server certificates to Participants for secure
communications
• Standards for Policies and Practices
• Now: each Participant decides and self-declares its practices to other
Participants.
• Coming soon: Optional Bronze and Silver Levels of Assurance
(Audit Criteria)
• Technical Interoperability (Technical Advisory
Committee)
• InCommon defines shared attributes, standards (SAML), federating
software (Shibboleth+)
InCommon Governance
[Diagram: InCommon LLC. The Steering Committee, representing Higher Ed & its Partners, gives Direction; the Nominations Committee supplies Candidate Approvals; the Technical Advisory Committee provides Advice; Internet2 is the Federation Operator.]
InCommon Growth
[Chart: number of InCommon participants by month, Mar-05 through May-07 (vertical axis 0 to 60), with the 2004 Pilot, 2005 and 2006 phases marked.]
52 Current InCommon Participants
Higher Education (37)
• Case Western Reserve University
• Clemson University
• Cornell University
• Dartmouth
• Duke University
• Florida State University
• Georgetown University
• Johns Hopkins University
• Indiana University
• Miami University
• Michigan State University
• New York University
• Northwestern University
• Ohio State University
• Ohio University
• Penn State University
• Stanford University
• Stony Brook University
• SUNY Buffalo
• Texas A & M University
• University of Alabama at Birmingham
• University of California, Davis
• University of California, Irvine
• University of California, Los Angeles
• University of California, Merced
• University of California, Office of the President
• University of California, Riverside
• University of California, San Diego
• University of Chicago
• University of Maryland
• University of Maryland Baltimore County
• University of Maryland, Baltimore
• University of Rochester
• University of Southern California
• University of Virginia
• University of Washington
• University of Wisconsin - Madison
Sponsored Partners (15)
• Cdigix
• EBSCO Publishing
• Elsevier ScienceDirect
• Houston Academy of Medicine - Texas Medical Center Library
• Internet2
• JSTOR
• Napster, LLC
• OCLC
• OhioLink - The Ohio Library & Information Network
• ProtectNetwork
• RefWorks, LLC
• Symplicity Corporation
• Thomson Learning, Inc.
• Turnitin
• WebAssign
NEXT
• Libraries & their partners
• Student Services (Registrars, Financial Aid officers, others)
• U.S. Agencies:
  • NSF (FastLane, …)
  • NIH (Libraries, Grants Administration, …)
  • Dept. of Education (Student Financial Aid, …)
• Federations within the InCommon Federation:
  • University Systems
  • State & Regional Systems
  • Coalitions of Universities organized around Networks, Grids, others…
Joining InCommon
Management Process
1. Eligibility: Higher Ed
(accreditation) and Sponsored
Partners (sponsors)
2. Agreement: InCommon
Participation Agreement [PDF]:
  • Delegating your trusted Executive
  • Signed by an authorized representative of the organization
3. Pay Fees ($700 registration,
$1,000 annual)
4. Federation I.D. Proofing of
Executive, appointment of
Admin
5. Privacy and Security Policies
and Processes articulated,
documented, and posted
(Participant Operational
Practices)
Technical Process
1. Official Organization Directory
(Identity Management system)
2. Web Single Sign On (SSO)
3. Common Language:
EduPerson schema
4. Federating Software:
Shibboleth IdP and/or SPs
5. Federation I.D. Proofing of
Admin
6. Submit Metadata, Certificate
Signing Request, and POP URL
7. Install Certificate
8. Test with Partners and Attribute
Release Policies
9. Deploy
10. Repeat steps 8 & 9
Federation Benefit
• Federation enables communities to
share information about individuals’
identity, reducing the overall work
required to maintain connections and
reducing the friction in cross-community
interactions.
• Burton Group,
Federating a Distributed World: Asserting Next-Generation Identity Standards
InCommon Federation Benefit
• “To meet the increasing campus demand for using
external applications and online resources, we
developed and implemented solutions that efficiently
use our existing information infrastructures securely
and safely in such a way that we maintain control
over the release of personal information for people at
Penn State. InCommon is a vitally important part of
this infrastructure and helps put us in a position to
provide a richer, easier to use, safer online
experience for Penn State students, faculty, and
staff.”
-Kevin Morooney, vice provost, Penn State University
• Scalability: Leverage your investments and your “next
times”
Acknowledgements
• Middleware Architecture Committee for
Education (MACE), Internet2
• Andrea Bessing, Cornell University
• John Krienke, InCommon Federation
QUESTIONS