EuroCAMP: Porto
An Introduction to Identity and Access
Management
Ken Klingenstein
Director, Internet2 Middleware and Security
Borrowed from
Keith Hazelton ([email protected])
Sr. IT Architect, University of Wisconsin-Madison
EuroCAMP: Porto
Topics
• What is Identity Management (IdM)?
• The IdM Stone Age
• A better vision for IdM
– An aside on the value of affiliation / group /
privilege management services
• Basic IdM functions mapped to open source
components
• Demands on IT and how IdM services help
2
EuroCAMP: Porto
Identity and Access Management
(IAM) defined
• What is Identity Management?
“Identity management is the set of business processes,
and a supporting infrastructure, for the creation,
maintenance, and use of digital identities.” The Burton
Group (a research firm specializing in IT infrastructure for
the enterprise)
• Identity Management in this sense is often called
“Identity and Access Management” (IAM)
• What problems do Identity and Access Management
address?
3
IAM is…
EuroCAMP: Porto
• “Hi! I’m Lisa.” (Identity)
• “…and here’s my NetID / password to prove it.”
(Authentication)
• “I want to do some E-Reserves reading.”
(Authorization : Allowing Lisa to use the
services for which she’s authorized)
• “And I want to change my grade in last semester’s Physics
course.”
(Authorization : Preventing her from doing
things she’s not supposed to do)
4
EuroCAMP: Porto
IAM is also…
• New hire, Assistant Professor Alice
– Department wants to give her an email
account before her appointment begins so
they can get her off to a running start
• How does she get into our system and get set
up with the accounts and services appropriate to
faculty?
5
EuroCAMP: Porto What questions are common
to these scenarios?
• Are the people using these services who they
claim to be?
• Are they a member of our campus community?
• Have they been given permission?
• Is their privacy being protected?
• Policy/process issues lurk nearby
6
EuroCAMP: Porto
The IAM Stone Age
• List of functions:
• AuthN: Authenticate principals (people,
servers) seeking access to a service or
resource
• Log: Track access to services/resources
7
EuroCAMP: Porto
The IAM Stone Age
• Every application for itself in performing these
functions
• User list, credentials, if you’re on the list,
you’re in (AuthN is authorization (AuthZ)
• And some identifiers are assigned nationally,
with uncertain value locally
8
EuroCAMP: Porto
Vision of a better way
to do IAM
• IAM as a middleware layer at the service of any
number of applications
• Requires an expanded set of basic functions
– Reflect: Track changes to institutional data from
changes in Systems of Record (SoR) & other IdM
components
– Join: Establish & maintain person identity across SoR
– Credential: issue digital credentials to people in the
community
–…
9
EuroCAMP: Porto
Systems of Record
Basic IAM functions mapped to the
NMI / MACE components
Enterprise Directory
Stdnt
Other
10
LDAP
Registry
HR
EuroCAMP: Porto
Your Digital Identity and
The Join
• The collection of bits of identity information about
you in all the relevant IT systems at your institution
• For any given person in your community, do you
know which entry in each system’s data store carry
bits of their identity?
• If more than one system can “create a person
record,” you have identity fragmentation
11
EuroCAMP: Porto
The pivotal concept of IAM:
The Join
• Identity fragmentation cure #1: The Join
• Use business logic to
– Establish which records correspond to the same
person
– Maintain that identity join in the face of changes
to data in collected systems
12
EuroCAMP: Porto
Identity Information Access
• Some direct from the Enterprise Directory via
reflection from SoR
• Other bits need to be made reachable by
identifier crosswalks
Registry ID Sys A ID
Sys B ID
Sys C ID
Sys D ID
3a104e59
fsmith32
86443
freds
864164
8c2f916d
abecker1 45209
amyb
752731
13
EuroCAMP: Porto
Identity Fragmentation Cure #2
• When you can’t integrate, federate
• Federated Identity & Access Management
– Rely on the Identity Management infrastructure of one or
more institutions or units
– To authenticate and pass authorization-related information
to service providers or resource hosts
– Via institution-to-provider agreements
– Facilitated by common membership in a federation (like
InCommon)
• Shibboleth is a way to move the authNZ info
between parties
14
EuroCAMP: Porto Basic IAM functions mapped to the
NMI / MACE components
Apps / Resources
Enterprise Directory
Systems of Record
A-Select,
CAS, etc
Grouper Signet
Shibboleth
15
EuroCAMP: Porto
Vision of a better way to do IAM
• More in the expanded set of basic functions
– Mng. Affil.: Manage affiliation and group
information
– Mng. Priv.: Manage privileges and permissions at
system and resource level
16
EuroCAMP: Porto
Managing Roles & Privileges
Role-Based Access
Control (RBAC) model
• Users are placed into
groups
• Privileges are assigned
to groups
• Groups can be arranged
into hierarchies to
effectively bestow
privileges
• Signet manages
privileges
• Grouper manages, well,
groups
Grouper
17
Signet
EuroCAMP: Porto
Vision of a better way to do IAM
• More in the expanded set of basic functions
– Provision: Push IAM info out to systems and
services as required
– Relay: Make access control / authorization
information available to services and resources at
run time
– AuthZ: Make the allow deny decision
independent of AuthN
18
EuroCAMP: Porto
Provisioning
• Getting identity information where it needs to
be
• For “Apps with Attitude,” this often means
exporting reformatted information to them in a
form they understand
• Using either App-provided APIs or tricks to
write to their internal store
• Change happens, so this is an ongoing
process
19
EuroCAMP: Porto
Two modes of app/IdM integration
• Domesticated applications:
– Provide them the full set of IdM functions
• Applications with attitude (comes in the box)
– Meet them more than halfway by provisioning
20
EuroCAMP: Porto
Reflect
Join
Credential
Manage Affil/Groups
Manage Privileges
Provision
Relay
Authenticate
Authorize
Log
IAM functions
Data of interest
Identity across SoR
NetID, other
AuthZ info
More AuthZ info
Gen. AuthNZ info into app space
AuthZ info to app on request
Identity claim
access decision (allow/deny)
usage for audit, accounting,…
21
EuroCAMP: Porto
Alternative packaging of basic IdM
Apps / Resources
Enterprise Directory
Systems of Record
Kerberos
LDAP
Directory
Plug-ins
22
EuroCAMP: Porto
Alternative packaging of
basic IdM functions:
Single System of Record as Enterprise Directory
23
LDAP
Registry
Student
-HR
Info
System
EuroCAMP: PortoSingle
SoR as Enterprise Directory
• Who “owns” the system?
• Do they see themselves as running shared
infrastructure?
• Will any “external” populations ever become
“internal?”
– What if hospital negotiates a deal?
• Stress-test alternative packaging by thinking
through the list of basic IdM functions
24
EuroCAMP: Porto
Same IdM functions, different packaging
• Your IdM infrastructure (existing or planned)
may have different boxes & lines
• But somewhere, somehow this set of IdM
functions is getting done
• Gives us all a way to compare our solutions
by looking at various packagings of the IdM
functions
25
EuroCAMP: Porto From Construction to Integration
• Construction
– Raw materials into systems
• Integration
– Subsystems into whole systems
– Multiple systems into ecosystems
• We’re all moving from construction to
integration
• Let’s review state of middleware systems’
readiness for integration
26
EuroCAMP: Porto
IAM and Application Integration
27
EuroCAMP: Porto
•
•
•
•
Middleware -- Application
Integration
ERPs
SAKAI
uPortal
…
28
EuroCAMP: Porto
As for Lisa
• Sez who?
– What Lisa’s username and password are?
– What she should be able to do?
– What she should be prevented from doing?
– Scaling to the other 40,000 just like her on
campus
29
EuroCAMP: Porto
As for Professor Alice
• What accounts and services should faculty
members be given?
• At what point in the hiring process should these
be activated?
• Methods need to scale to 20,000 faculty and
staff
• In all of these, a full IAM infrastructure would
provide the technical part of a solution
30
EuroCAMP: Porto Policy issues re “credential” function:
NetID
•
•
•
•
•
When to assign, activate (as early as possible)
Who gets them? Applicants? Prospects?
“Guest” NetIDs (temporary, identity-less)
Reassignment (never; except…)
Who can handle them? Argument for WebISO.
31
EuroCAMP: Porto
Inter-institutional integration:
the transport function
• Federations
• Peering of federations
– Levels of assurance
– Attribute mapping
– WAYF functionality
• Virtual Organization (VOs)
32
EuroCAMP: Porto
Alternatives to IP Address Based Access
Restriction
1. User-based access restriction
A. Each service provider manages credentials for
all of its users
B. One big credential database of all users used by
all service providers
C. Each user has a “home organization” whose
credential database can, by magic, be used by
each service provider
2. ???
33
EuroCAMP: Porto
Federated Identities
• “Federated identities” is option C on previous slide
– A hierarchical approach to decompose the problem into
manageable pieces
– Analogous to the problem that IAM addresses, and rests
upon IAM infrastructure
• “Federating technology” is the “magic” part of option
C
• “Identity federation” (noun) is a set of service
providers, identity providers, and other context in
which the magic happens
34
EuroCAMP: Porto
Federating Technologies
• SAML implementations
• Liberty Identity
Federation
implementations
– Security Assertion Markup
Language
– Shibboleth
– Bodington/Guanxi
– AthensIM
– SourceID
– SAMUEL
– MS ADFS
– Other proprietary
– SourceID
– Lasso
– Proprietary
• Others
– MS Inter-Forest Trust
35
EuroCAMP: Porto
IAM functions & big pictures
Manage Grps
AuthZ
Reflect
Provide/run-time
Join
Credential
Manage Privs
Provide/provision
(AuthN)
36
Log
EuroCAMP: Porto
A closer look at managing affiliations,
groups and privileges
• How does this help the harried IT staff?
37
EuroCAMP: Porto
What is IT being asked to do?
• Automatic creation and deletion of computer
accounts
• Personnel records access for legal compliance
• One stop for university services (portal)
integrated with course management systems
38
EuroCAMP: Porto
What else is IT being asked to do?
• Student record access for life
• Submission and/or maintenance of information
online
• Privacy protection
39
EuroCAMP: Porto
More on the To Do list
• Stay in compliance with a growing list of policy
mandates
• Increase the level of security protections in the
face of a steady stream of new threats
40
EuroCAMP: Porto
More on the To Do list
• Serve new populations (alumni, applicants,…)
• More requests for new services and new
combinations of services
• Increased interest in eBusiness
• There is an Identity Management aspect
to each and every one of these items
41
EuroCAMP: Porto
How full IdM layer helps
• Improves scalability: IdM process automation
• Reduces complexity of IT ecosystem
– Complexity as friction (wasted resources)
• Improved user experience
• Functional specialization: App developer can
concentrate on app-specific functionality
42
Download

Identity and Access Management Model: A Functional