InCommon Identity & Access Management Federation
John Krienke, Operations Manager, InCommon; Assistant Director, Internet2
jcwk@internet2.edu

The Partnership Challenge
Higher education's:
• Staff, students, and faculty are no longer located exclusively on campus
• Research and missions are increasingly complex, globally interdependent, and online
• Security and protection of personal identity information is paramount and increasingly regulated (FERPA, HIPAA, Gramm-Leach-Bliley, SOX, etc.)
• Business processes and applications are increasingly outsourced and/or distributed:
 – Digital collections and data
 – Course materials and management
 – Financial management
 – Remote instrumentation
 – Computational resources such as Grids
 – Music, software
 – Travel resources
 – Government resources

The Partnership Solution
• Develop solutions that efficiently use existing information infrastructures securely and safely
• Reduce the time and resources spent on the "one off" requirements for each partner, and streamline interoperation with each partner
• Reduce help desk calls and the number of user accounts to provision throughout our many partnerships
• Maximize the control, security, and privacy of personally identifiable, sensitive information
• Make online services richer, easier to use, and safer for students, faculty, and staff
This is what I/A/M federations do.

Identity & Access Management Federations
• A definition of Federation: a collaboration of independent entities that give up a certain degree of autonomy to a central authority in pursuit of a common set of goals.
• Central Authority: federations set common policies and interoperability criteria (vocabulary for exchanges, technology), and provide central services to establish and maintain trust (registration, authoritative metadata and certificates, dispute resolution)
• Common Set of Goals: federations enable secure, trustworthy, scalable online partnerships

Examples of the Federation Spectrum
[Figure: a spectrum with eAuth (US), "homogeneous (vanilla)", at one end and InCommon, "heterogeneous (rocky road)", at the other. The homogeneous end is characterized as centralized, conscription, requirements, expectations, high cost; the heterogeneous end as independent, subscription, suggestions and declarations, low cost.]

Federating Software
• "When is a duet an orchestra?"
• Not all federated software supports multi-party federated collaboration.
[Photo: National Arts Centre Orchestra Gala 2007, CBC Radio]

Challenging Way Home
[Figure: Dr. Joe Oval, Psych Prof. at Circle University (joe@circle.edu, SSN 456.78.910, Password #1) faces a separate service ID and password at every online service ("????").]

Federated Way Home
[Figure: the same user authenticates once at Circle University and reaches the services from there.]
1. Single Sign On
2. Services no longer manage user accounts & personal data stores
3. Reduced help desk load
4. Standards-based technology
5. Home org controls privacy

Role of the Federation
1. Agreed upon attribute vocabulary & definitions: Member of, Role, Unique Identifier, Courses, …
2. Criteria for IdM practices (user accounts, credentialing, etc.), personal information stewardship, interoperability standards, technologies
3. Digital certificates
4. Trusted "notary" for all universities and partners
[Figure: the user's data (Home Affiliation, EPPN, Given/SurName, Title, SSN, Password #1) stays with the home organization; "Verified By the Federation" stamps mark the participating organizations, not the user.]

Federation Metadata
[Figure: the federation metadata aggregate holds, for each participant, its IdP and SP entries (name, key, URL, contacts, etc.): University A (IdP, SP1, SP2), University B (IdP, SP1), University C (IdP, SP1), Partner 1 (SP1), Partner 2 (SP1, SP2), Partner 3, … Each entry is stamped "Verified By the Federation"; some IdPs carry a silver LoA annotation, with bronze LoA marked as future.]

User Experience Flows
• First visit the SP, then the federation WAYF ("Where Are You From", the home organization discovery page)
 – Wireless (UT System) [screencast]
• First visit the SP's own customized WAYF
 – ScienceDirect
 – Spaces.internet2.edu wikis
 – OhioLINK
• First visit the IdP
 – Penn State & WebAssign [screencast]

User Experience Flows
Multiple IdPs and SPs in action [screencast]:
• Authentication vs. authorization
• Federation WAYF
• Single Sign On to multiple services
• Anonymous identifiers
• Clearing sessions
• IdP to SP without a WAYF

The Value of InCommon: Broad Strokes
• Identity Providers (home institutions) control user accounts and the release (and spillage) of personal information
• Online services focus on their online resources and not on user account provisioning
• Users have easy, private, global access
• Partners have finely tunable access controls and can quickly and securely deploy new collaborations and service relationships

The Value of InCommon: Detail
• Governance by a representative Steering Committee establishes:
 – Criteria for participation
 – Policy and shared direction
 – Services that meet business needs with appropriate security levels and legal requirements
 – Scalable operational standards and practices
• Legal Agreement
 – Official organizational designees, establishment of trust, conflict and dispute resolution, basic protections & responsibilities
• Trust "Notary"
 – InCommon verifies the identity of organizations and their delegated officers
• Trusted Metadata
 – InCommon verifies and aggregates location and security data for each participant's servers, systems, and support contacts
• Certificate Authority
 – InCommon issues server certificates to Participants for secure communications
• Standards for Policies and Practices
 – How high is the bar? Right now, each Participant decides. Participants self-declare their practices to other Participants. Coming soon: optional Bronze and Silver Levels of Assurance (audit criteria)
• Technical Interoperability (Technical Advisory Committee)
 – InCommon defines shared attributes, standards (SAML), and federating software (Shibboleth+)

InCommon Governance
[Org chart: the InCommon LLC Steering Committee, representing higher ed and its partners, gives direction to the Federation Operator (Internet2) and to the Technical Advisory Committee; the Nominations Committee supplies candidate approvals to the Steering Committee; the Technical Advisory Committee returns advice.]

Growth
[Chart: InCommon participant count by month, Mar-05 through Jan-08, y-axis 0 to 90, reaching 78 in Jan-08.]

Current InCommon Participants (78)
Higher Education (54):
Case Western Reserve University; Clemson University; Cornell University; Dartmouth; Duke University; Florida State University; Georgetown University; Johns Hopkins University; Indiana University; Miami University; Michigan State University; New York University; Northwestern University; Ohio State University; Ohio University; Penn State University; Stanford University; Stony Brook University; SUNY Buffalo; Texas A & M University; University of Alabama at Birmingham; University of California, Davis; University of California, Irvine; University of California, Los Angeles; University of California, Merced; University of California, Office of the President; University of California, Riverside; University of California, San Diego; University of Chicago; University of Maryland; University of Maryland Baltimore County; University of Maryland, Baltimore; University of Rochester; University of Southern California; University of Virginia; University of Washington; University of Wisconsin – Madison; …..
Sponsored Partners (21):
Apple – iTunes U; Cdigix; Cengage Learning (formerly Thomson Learning); EBSCO Publishing; Elsevier ScienceDirect; Houston Academy of Medicine - Texas Medical Center Library; Internet2; JSTOR; Microsoft; NAS Recruitment Communications; Nelnet – Next Generation Division; OCLC; OhioLink - The Ohio Library & Information Network; ProtectNetwork; RefWorks, LLC; Students Only, Inc.; SumTotal Systems; Symplicity Corporation; Turnitin; University Tickets; WebAssign
Gov. and Nonprofit Labs, Research Centers, and Agencies (3):
National Institutes of Health; Lawrence Berkeley National Laboratory; Moss Landing Marine Laboratories

NEXT
• Libraries & their partners
• Student Services (registrars, financial aid officers, others)
• U.S. Agencies:
 – NIH (Libraries, Grants Administration, …)
 – NSF (FastLane, …)
 – Dept. of Education (Student Financial Aid, …)
• Federations on top of the InCommon Federation:
 – University systems
 – State & regional systems
 – Coalitions organized around networks, Grids, others…

Join or Create? Or Both?
University of California System creates UCTrust within InCommon (David Walker, UCOP)
• Interoperability: UC's solution had to fit seamlessly into higher education's broader solution
• Not reinventing the wheel: policy, criteria, operations
• Not inventing new wheels: how will multiple federations interoperate?

Joining
Management Process
1. Eligibility: Higher Ed (accreditation) and Sponsored Partners (sponsors)
2. Agreement: InCommon Participation Agreement [PDF]
 – Delegating your trusted Executive
 – Signed by an authorized representative of the organization
3. Pay fees ($700 registration, $1,000 annual)
4. Federation I.D. proofing of the Executive, appointment of the Admin
5. Privacy and security policies and processes articulated, documented, and posted (Participant Operational Practices)
Technical Process
1. Official organization directory (identity management system)
2. Web Single Sign On (SSO)
3. Common language: eduPerson schema
4. Federating software: Shibboleth IdP and/or SPs
5. Federation I.D. proofing of the Admin
6. Submit metadata, Certificate Signing Request, and POP URL
7. Install certificate
8. Test with partners and attribute release policies
9. Deploy
10. Repeat steps 8 & 9

InCommon Benefit
• "Federation enables communities to share information about individuals' identity, reducing the overall work required to maintain connections and reduce the friction in cross-community interactions." (Burton Group, Federating a Distributed World: Asserting Next-Generation Identity Standards)

InCommon Benefit
• "To meet the increasing campus demand for using external applications and online resources, we developed and implemented solutions that efficiently use our existing information infrastructures securely and safely in such a way that we maintain control over the release of personal information for people at Penn State. InCommon is a vitally important part of this infrastructure and helps put us in a position to provide a richer, easier to use, safer online experience for Penn State students, faculty, and staff." (Kevin Morooney, vice provost, Penn State University)
• Scalability: leverage your investments and your "next times"

Questions?
• jcwk@internet2.edu
• incommon-admin@incommonfederation.org

Shibboleth Attribute-Based Authorization (diagram © SWITCH)
[Figure: a sequence diagram between the user, the Resource Provider website (ACS, Attribute Requester AR, Resource Manager), the InCommon WAYF, and the Identity Provider (Handle Service HS, Attribute Authority AA, User DB). The callouts, in flow order:]
1. The user initiates a request to the Resource Provider website.
2. Resource Provider: "I don't know you or your home organization. I redirect your request to the InCommon WAYF."
3. WAYF: "Where are you from?" (the user picks a home organization)
4. WAYF: "OK, I will now redirect your request to your home org."
5. Handle Service: "I don't know you. Please authenticate using your Web login." The user ID and password are checked against the User DB.
6. Handle Service: "OK, I know you now. I redirect your request to the Resource, along with a handle." The handle arrives at the Assertion Consumer Service (ACS).
7. The ACS passes the handle to the Attribute Requester (AR).
8. AR: "I don't know the attributes of this user. Let's ask the Attribute Authority." The AR sends the handle to the AA.
9. Attribute Authority: "I trust you. I'll pass the attributes the user has allowed me to release." The attributes return to the AR.
10. Resource Manager: "OK, based on the attributes, I grant access to the resource."
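The flow on the last slide, and the "Test with partners and attribute release policies" step of the joining process, reduced to a runnable toy. This is an added example, not code from the slides, InCommon or Shibboleth: the entity IDs, the user record, the per-SP release policy, and the HMAC pairwise pseudonym (modelled on eduPersonTargetedID, the "anonymous identifier" of the demo) are assumptions, and SAML signing, metadata XML and HTTP redirects are left out. What it shows that the diagram does not: the handle is opaque and single-use and bound to the SP it was issued for, the Attribute Authority answers only requesters listed in federation metadata, and the release policy is a per-SP allow-list evaluated at the home org, so a partner with no policy entry gets nothing rather than everything.

```python
"""Added example (not InCommon/Shibboleth code): toy of the slide-23 flow.
Constructed data throughout; SAML signing and transport omitted."""
import hashlib
import hmac
import secrets

# Constructed federation metadata aggregate: the per-entity fields the slides
# list (name, key, url, contacts). Real aggregates are signed SAML 2.0 XML.
FEDERATION_METADATA = {
    "https://idp.circle.edu/shibboleth": {
        "role": "IdP", "org": "Circle University",
        "url": "https://idp.circle.edu/idp/profile/Shibboleth/SSO",
        "contacts": ["idp-admin@circle.edu"]},
    "https://journals.example.org/shibboleth": {
        "role": "SP", "org": "Example Journals",
        "url": "https://journals.example.org/Shibboleth.sso/SAML/POST",
        "contacts": ["support@journals.example.org"]},
    "https://wiki.example.edu/shibboleth": {
        "role": "SP", "org": "Example Wiki",
        "url": "https://wiki.example.edu/Shibboleth.sso/SAML/POST",
        "contacts": ["wiki-admin@example.edu"]},
}

# Home org's user directory with eduPerson attributes (constructed user).
USER_DB = {
    "joe": {
        "password": "Password #1",
        "eduPersonPrincipalName": "joe@circle.edu",
        "eduPersonScopedAffiliation": ["faculty@circle.edu", "member@circle.edu"],
        "givenName": "Joe", "sn": "Oval", "title": "Psych Prof.",
        "ssn": "456.78.910",  # stays home; included to show the policy filter it out
    }
}

# Attribute release policy keyed by SP entityID: an allow-list decided by the
# home org. The wiki SP has no entry, so it receives no attributes at all.
RELEASE_POLICY = {
    "https://journals.example.org/shibboleth": {
        "eduPersonScopedAffiliation", "eduPersonTargetedID"},
}


class IdentityProvider:
    """Handle Service (login, handle issuance) plus Attribute Authority."""

    def __init__(self, entity_id, users, policy):
        self.entity_id, self.users, self.policy = entity_id, users, policy
        self._handles = {}                              # handle -> (user, sp)
        self._targeted_id_key = secrets.token_bytes(32)  # per-IdP secret (assumed)

    def handle_service(self, username, password, sp_entity_id):
        """Steps 5-6: authenticate, then issue an opaque handle bound to the SP."""
        if FEDERATION_METADATA.get(sp_entity_id, {}).get("role") != "SP":
            raise PermissionError("SP not in federation metadata")
        user = self.users.get(username)
        if user is None or not hmac.compare_digest(user["password"], password):
            raise PermissionError("authentication failed")
        handle = secrets.token_urlsafe(24)  # random, reveals nothing about the user
        self._handles[handle] = (username, sp_entity_id)
        return handle

    def targeted_id(self, username, sp_entity_id):
        """Pairwise pseudonym: stable for one (user, SP), unlinkable across SPs."""
        msg = f"{username}|{sp_entity_id}".encode()
        return hmac.new(self._targeted_id_key, msg, hashlib.sha256).hexdigest()

    def attribute_authority(self, handle, requester_entity_id):
        """Steps 8-9: trust only metadata-listed SPs, consume the handle once,
        release only what the policy allows for this requester."""
        if FEDERATION_METADATA.get(requester_entity_id, {}).get("role") != "SP":
            raise PermissionError("requester not in federation metadata")
        username, bound_sp = self._handles.pop(handle, (None, None))
        if username is None or bound_sp != requester_entity_id:
            raise PermissionError("unknown handle, or handle issued to another SP")
        attrs = dict(self.users[username])
        attrs["eduPersonTargetedID"] = self.targeted_id(username, requester_entity_id)
        allowed = self.policy.get(requester_entity_id, set())  # default: release nothing
        return {k: v for k, v in attrs.items() if k in allowed}


class ServiceProvider:
    """ACS + Attribute Requester + Resource Manager of the diagram."""

    def __init__(self, entity_id, required_affiliation):
        self.entity_id, self.required_affiliation = entity_id, required_affiliation

    def access_decision(self, idp, handle):
        """Steps 7-10: accept handles only from metadata-listed IdPs (a real SP
        verifies the assertion signature against the registered key), fetch
        attributes, then authorise on scoped affiliation."""
        if FEDERATION_METADATA.get(idp.entity_id, {}).get("role") != "IdP":
            raise PermissionError("IdP not in federation metadata")
        attrs = idp.attribute_authority(handle, self.entity_id)
        granted = self.required_affiliation in attrs.get("eduPersonScopedAffiliation", [])
        return granted, attrs


def federated_login(idp, sp, username, password):
    """Whole flow: login at the home org, handle to the SP, attribute-based decision."""
    return sp.access_decision(idp, idp.handle_service(username, password, sp.entity_id))


if __name__ == "__main__":
    idp = IdentityProvider("https://idp.circle.edu/shibboleth", USER_DB, RELEASE_POLICY)
    sp = ServiceProvider("https://journals.example.org/shibboleth", "member@circle.edu")
    print(federated_login(idp, sp, "joe", "Password #1"))  # granted; no EPPN/name/SSN released
```

The SP never sees the user's EPPN, name, title or SSN because the home organization's policy does not list them, which is the "Home Org controls privacy" point; the targeted identifier lets the SP keep a per-user profile without learning who the user is or correlating that profile with another SP.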