
Page 1: Federated Access: Identity Management and Access to Protected Resources Renée Woodten Frost Associate Director, Middleware & Security rwfrost@internet2.edu

Federated Access: Identity Management and Access to Protected Resources

Renée Woodten Frost

Associate Director, Middleware & Security

[email protected]


Copyright Renee Woodten Frost 2007. This work is the intellectual property of the author. Permission is granted for this material to be shared for non-commercial, educational purposes, provided that this copyright statement appears on the reproduced materials and notice is given that the copying is by permission of the author. To disseminate otherwise or to republish requires written permission from the author.


Topics

• Challenges of Access to Resources

• Identity Management

• Federated Identity Management

• Federations

• InCommon Federation


Challenges

• Faculty, students, and staff are no longer located exclusively on campus

• User community has expanded, is more remote: alumni, parents, admitted students, donors, etc

• Research and education are increasingly complex, globally interdependent, and online

• Security and protection of personal identity information is paramount & increasingly regulated (FERPA, HIPAA, Gramm-Leach-Bliley, etc.)


Challenges

• Business processes and applications are increasingly outsourced and/or distributed
  • Digital collections and data
  • Course materials and management
  • Financial management
  • Remote instrumentation
  • Computational resources such as Grids
  • Music, Software
  • Travel resources
  • Government resources


Desirable Solutions

• Develop solutions that efficiently use existing information infrastructures securely and safely

• Reduce the time and resources spent on all the “one off” requirements for each partner provider and streamline interoperation with each partner

• Reduce help desk calls & number of user accounts to provision with these numerous partnerships

• Maximize the control, security, and privacy of personally identifiable, sensitive information

• Make online services richer, easier to use, and safer for students, faculty, and staff

This is what Federated Identity Management does


Identity Management Basic Components

• Reflect: Data of interest from systems of record into registry, directory
• Join: Identity information across systems
• Manage: Credentials, group memberships, affiliations, privileges, services, policies
• Provide: Identity & Access Mgmt info via
  • relay thru run-time request/response
  • provisioning into App/Service stores
• Authenticate: Claimed identities
• Authorize: Access or denial of access
• Log: Usage for audit


Authentication

• Process of validating credentials presented in particular security context

• Identification and registration processes preceding authentication are important

• Possession of credentials does not grant access to resources


Authorization

• Process of controlling user access to resources; based on business rules

• Accessing a resource is a two-step process
  • Authentication
  • Authorization

• Authorization decisions are often based on group membership


Federated Identity Management Model

• Enterprises provide local authentication and attributes

• Uses variety of end-entity local authentication: PKI, username/password, Kerberos, two-factor

• Enterprises within a vertical sector federate to coordinate Levels of Assurance (LOA), namespaces, metadata, etc.

• Provides a scalable alternative to multiple bi-lateral technical relationship management


Identity & Access Management Federations

• A definition of Federation: A collaboration of independent entities that give up a certain degree of autonomy to a central authority in pursuit of a common set of goals.

• Central Authority: Federations set common policies, interoperability criteria (vocabulary for exchanges, technology), and provide central services to establish and maintain trust (registration, authoritative metadata and certificates, dispute resolution)

• Common Set of Goals: Federations enable secure, trustworthy, scalable online partnerships


Federation Fundamentals

• Members sign a contract to join.
• Members must still create Business Relationships with each other
• Bilateral relationships can impose additional policy
• The Federation does NOT
  • Collect or assert anything, except the necessary metadata about member signing keys, etc.
  • Authenticate end users
  • Provide services, though it may be associated with groups or buying clubs


Research and Education Federations

• Growing national federations
  • UK, France, Germany, Switzerland, Netherlands, Norway, Finland, Spain, Denmark, Australia, etc.
  • Stages range from fully established to in development; scope ranges from higher ed to further education
  • Many are Shibboleth-based; all speak Shib on the outside…
  • Several million users in the UK - JISC and BECTA

• US Federations
  • InCommon
  • State-based and University System-based
    • Texas, University of California System, Maryland, etc.
    • For library use, for roaming access, for payroll and benefits, etc.


US Government Federal e-Authentication Initiative

• A federation of US Gov agencies to provide services to each other and to the general population

• Services to be provisioned include NSF Fastlane, National Park Research and Camping Permits, Social Security management, export permits, etc

• Based on SAML protocol and Credential Service Providers to businesses and the general public

http://www.cio.gov/eAuthentication


InCommon

Which of your critical resources require protection?
• Unpublished research collaboration
• Remote instruments
• Licensed content
• Financial, HR systems

Which user population requires identity protection and validation?
• Students
• Faculty
• Staff


Purpose of the InCommon Federation?

• Establishes Prerequisites:
  • Official Enterprise Directory, Web Single Sign On
  • Middleware: Identifier, Attributes, Federating Software (Shibboleth), Trusted Certificate Authorities

• Operates common services required for interoperability (Authentication, Certificate Authority, Metadata)

• Helps resolve problems and disputes

• Shares policy and practice requirements of its participants: Participant Operational Practices (POP)


Service IDs: Challenging Way

Figure: each service keeps its own account and its own copy of personal data for the same person, Dr. Joe Oval, Psych Prof. Music Service: ID #4 j.o.123, DOB 4/4/1955, Password #4. Grant Admin Service: ID #2 Joval, SSN 456.78.910, Password #2. Grading Service: ID #3 Jo456, Password #3. Home (Circle University): [email protected], SSN 456.78.910, Password #1. Each service copy needs its own IT patch (IT patch 1, IT patch 2, IT patch 3), and the user is left wondering which credential goes where (“????”).


Federated Way

Figure: Home (Circle University) holds the single record for Dr. Joe Oval, Psych Prof. (SSN 456.78.910, Password #1). Each service is shown receiving either an Anonymous ID# or the [email protected] identifier from Circle University instead of maintaining its own account and password.

1. Single Sign On

2. Services no longer manage user accounts & personal data stores

3. Reduced Help Desk load

4. Standards-based Technology

5. Home Org controls privacy


Role of the Federation

Figure: the same Home (Circle University) picture, with the user record shown as ID # 123-321, Dr. Joe Oval, Psych Prof., SSN 456.78.910, Password #1, and services receiving an Anonymous ID# or the [email protected] identifier. The attribute legend reads: Affiliation, EPPN, Given/SurName, Title, SSN. Each party carries the label “Verified by the Federation”.

1. Agreed upon Attribute Vocabulary & Definitions: Member of, Role, Unique Identifier, Courses, …

2. Criteria for IdM practices (user accounts, credentialing, etc.), personal information stewardship, interoperability standards, technologies

3. Digital Certificates

4. Trusted “notary” for all universities and partners
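The two slides above (the Federated Way and the Role of the Federation) describe the home organization releasing only agreed vocabulary attributes per service and handing each service an anonymous identifier. The following is an added example, not code from the deck or from Shibboleth, showing how an IdP-side release policy and a pairwise pseudonymous identifier fit together; the registry record, entity IDs, policy and salt are all constructed for the example.

```python
import hashlib
import hmac

HOME_ORG = "circle.example.edu"

# Constructed registry record for the deck's sample user (values are made up).
REGISTRY = {
    "joval": {
        "eduPersonPrincipalName": "joval@circle.example.edu",
        "eduPersonAffiliation": ["faculty", "member"],
        "givenName": "Joe",
        "sn": "Oval",
        "title": "Psych Prof.",
        "ssn": "456.78.910",  # stays in the home org; never part of any release
    }
}

# The federation's agreed attribute vocabulary (eduPerson names as used in
# Shibboleth deployments). Anything outside this set cannot be released.
FEDERATION_VOCABULARY = {
    "eduPersonPrincipalName", "eduPersonAffiliation", "eduPersonTargetedID",
    "givenName", "sn", "title",
}

# Per-SP release policy, keyed by SP entityID (hypothetical SPs). An SP that is
# not listed receives only the pairwise anonymous identifier.
RELEASE_POLICY = {
    "https://grades.example.org/sp": {"eduPersonPrincipalName", "eduPersonAffiliation",
                                      "givenName", "sn"},
    "https://music.example.com/sp": {"eduPersonAffiliation"},
}

# Hypothetical IdP secret for deriving pairwise IDs; in a real IdP this is
# configuration, not source code.
PAIRWISE_SALT = b"constructed-idp-secret-do-not-reuse"


def validate_policy(policy):
    """Return (sp, attribute) pairs that name something outside the vocabulary."""
    return [(sp, attr) for sp, attrs in policy.items()
            for attr in sorted(attrs) if attr not in FEDERATION_VOCABULARY]


def pairwise_id(user_id, sp_entity_id):
    """Opaque identifier: stable for one (user, SP) pair, different for every
    other SP, and not reversible to the campus username without the salt."""
    msg = f"{HOME_ORG}!{sp_entity_id}!{user_id}".encode()
    return hmac.new(PAIRWISE_SALT, msg, hashlib.sha256).hexdigest()[:32]


def build_assertion_attributes(user_id, sp_entity_id):
    """Attributes the home org would place in an assertion for this SP."""
    if validate_policy(RELEASE_POLICY):
        raise ValueError("release policy names attributes outside the federation vocabulary")
    record = REGISTRY[user_id]
    allowed = RELEASE_POLICY.get(sp_entity_id, set())
    attrs = {name: record[name] for name in allowed if name in record}
    attrs["eduPersonTargetedID"] = pairwise_id(user_id, sp_entity_id)
    return attrs
```

Because the identifier is derived per SP, two services cannot correlate the same user by comparing identifiers, which is the privacy property the slide attributes to the home organization.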


Figure: the same Home (Circle University) and services picture as the previous slide, every party labelled “Verified by the Federation”, shown next to the federation metadata:

federation metadata
• University A: IdP: name, key, url, contacts, etc.; SP1: name, key, url, contacts, etc.; SP2: name, key, url, contacts, etc.
• University B: IdP: name, key, url, contacts, etc.; SP1: name, key, url, contacts, etc.
• University C: IdP: name, key, url, contacts, etc.
• Partner 1: SP1: name, key, url, contacts, etc.
• Partner 2: SP1: name, key, url, contacts, etc.; SP2: name, key, url, contacts, etc.
• Partner 3 …

Level of Assurance labels on the diagram: bronze LoA, silver LoA, silver LoA, future
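The metadata slide lists, per member, an IdP or SP entry of name, key, url and contacts; this added example (not from the deck, InCommon or Shibboleth) shows what a relying party does with such an aggregate: build a trust table and accept an assertion issuer only if it is a registered IdP whose signing certificate matches the published one. The aggregate, entity IDs and certificate strings are constructed placeholders, and verification of the federation's XML signature over the aggregate is assumed to have happened before this code runs.

```python
import hashlib
import xml.etree.ElementTree as ET
from datetime import datetime, timezone

NS = {"md": "urn:oasis:names:tc:SAML:2.0:metadata",
      "ds": "http://www.w3.org/2000/09/xmldsig#"}

# Constructed aggregate in SAML 2.0 metadata shape: one IdP and one SP, mirroring the
# "name, key, url" entries on the slide. The certificate values are placeholders.
SAMPLE_AGGREGATE = """<md:EntitiesDescriptor xmlns:md="urn:oasis:names:tc:SAML:2.0:metadata"
    xmlns:ds="http://www.w3.org/2000/09/xmldsig#" Name="urn:example:federation"
    validUntil="2099-01-01T00:00:00Z">
  <md:EntityDescriptor entityID="https://idp.univ-a.example.edu/idp">
    <md:IDPSSODescriptor protocolSupportEnumeration="urn:oasis:names:tc:SAML:2.0:protocol">
      <md:KeyDescriptor use="signing"><ds:KeyInfo><ds:X509Data>
        <ds:X509Certificate>UNIV-A-SIGNING-CERT-PLACEHOLDER</ds:X509Certificate>
      </ds:X509Data></ds:KeyInfo></md:KeyDescriptor>
      <md:SingleSignOnService Binding="urn:oasis:names:tc:SAML:2.0:bindings:HTTP-Redirect"
        Location="https://idp.univ-a.example.edu/idp/profile/SAML2/Redirect/SSO"/>
    </md:IDPSSODescriptor>
  </md:EntityDescriptor>
  <md:EntityDescriptor entityID="https://sp1.partner1.example.com/shibboleth">
    <md:SPSSODescriptor protocolSupportEnumeration="urn:oasis:names:tc:SAML:2.0:protocol">
      <md:KeyDescriptor><ds:KeyInfo><ds:X509Data>
        <ds:X509Certificate>PARTNER1-SP1-CERT-PLACEHOLDER</ds:X509Certificate>
      </ds:X509Data></ds:KeyInfo></md:KeyDescriptor>
    </md:SPSSODescriptor>
  </md:EntityDescriptor>
</md:EntitiesDescriptor>"""


def load_trust_table(xml_text, now_iso=None):
    """Map entityID -> roles, signing-key fingerprints and SSO endpoint. Assumes the
    federation's signature over the aggregate was already verified (not shown)."""
    root = ET.fromstring(xml_text)
    now = (datetime.fromisoformat(now_iso.replace("Z", "+00:00")) if now_iso
           else datetime.now(timezone.utc))
    valid_until = datetime.fromisoformat(root.get("validUntil").replace("Z", "+00:00"))
    if now > valid_until:  # stale metadata may still list retired entities or old keys
        raise ValueError("metadata aggregate expired; refresh before trusting any entity")
    table = {}
    for ent in root.findall("md:EntityDescriptor", NS):
        roles = set()
        if ent.find("md:IDPSSODescriptor", NS) is not None:
            roles.add("IdP")
        if ent.find("md:SPSSODescriptor", NS) is not None:
            roles.add("SP")
        certs = [c.text.strip() for c in ent.findall(".//ds:X509Certificate", NS)]
        sso = ent.find(".//md:SingleSignOnService", NS)
        table[ent.get("entityID")] = {
            "roles": roles,
            "cert_fingerprints": {hashlib.sha256(c.encode()).hexdigest() for c in certs},
            "sso_location": sso.get("Location") if sso is not None else None,
        }
    return table


def issuer_is_trusted(table, entity_id, presented_cert):
    """SP-side check: only a registered IdP, and only with the published signing cert."""
    entry = table.get(entity_id)
    if entry is None or "IdP" not in entry["roles"]:
        return False
    return hashlib.sha256(presented_cert.encode()).hexdigest() in entry["cert_fingerprints"]
```

The check deliberately rejects an entity that is registered only as an SP, so a compromised service cannot mint assertions for other services merely because it appears in the aggregate.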


User Experience Flows

Multiple Partners - Identity Providers (IdPs) and Service Providers (SPs) - in Action:

• Authentication vs. Authorization
• Federation WAYF
• Single Sign On to multiple services
• Anonymous Identifiers
• Clearing Sessions
• IdP to SP without a WAYF


User Experience Flows

• First access the resource, then the Federation WAYF (“Where Are You From”) home organization discovery page
  • Internet2 Intranet (InCommon)
  • Wireless (UT System)

• First access the resource’s own customized WAYF
  • ScienceDirect
  • Spaces.internet2.edu Wikis
  • OhioLINK

• First access the Identity Provider
  • Penn State & WebAssign


Value of Federations: Broad Strokes

• Identity Providers (Home Institutions) control user accounts and the release (and spillage) of personal information

• Online Service Providers focus on their online resources and not on user account provisioning

• Users have easy, private, global access

• Partners have finely-tunable access controls and can quickly and securely deploy new collaborations and service relationships


Value of InCommon Federation

• Governance by a Representative Steering Committee establishes:
  • Criteria for participation
  • Policy and shared direction
  • Services meet business needs with appropriate security levels and legal requirements
  • Scalable operational standards and practices

• Legal Agreement
  • Official Organizational Designees, Establishment of Trust, Conflict and Dispute Resolution, Basic Protections & Responsibilities

• Trust “Notary”
  • InCommon verifies the identity of Organizations and their delegated Officers


Value of InCommon Federation

• Trusted Metadata
  • InCommon verifies & aggregates location and security data for each participant’s servers, systems, and support contacts

• Certificate Authority
  • InCommon issues server certificates to Participants for secure communications

• Standards for Policies and Practices
  • Now: each Participant decides and self-declares its practices to other Participants.
  • Coming soon: Optional Bronze and Silver Levels of Assurance (Audit Criteria)

• Technical Interoperability (Technical Advisory Committee)
  • InCommon defines shared attributes, standards (SAML), federating software (Shibboleth+)


InCommon Governance

Figure: governance diagram. Boxes: Internet2; Federation Operator; Technical Advisory Committee; Nominations Committee; InCommon LLC: Steering Committee, representing Higher Ed & its Partners. Arrow labels: Direction, Candidate Approvals, Advice.


InCommon Growth

Figure: growth chart. Y axis 0 to 60; X axis monthly from Mar-05 through May-07; legend: 2004 Pilot, 2005, 2006.


52 Current InCommon Participants

Higher Education (37)
• Case Western Reserve University
• Clemson University
• Cornell University
• Dartmouth
• Duke University
• Florida State University
• Georgetown University
• Johns Hopkins University
• Indiana University
• Miami University
• Michigan State University
• New York University
• Northwestern University
• Ohio State University
• Ohio University
• Penn State University
• Stanford University
• Stony Brook University
• SUNY Buffalo
• Texas A & M University
• University of Alabama at Birmingham
• University of California, Davis
• University of California, Irvine
• University of California, Los Angeles
• University of California, Merced
• University of California, Office of the President
• University of California, Riverside
• University of California, San Diego
• University of Chicago
• University of Maryland
• University of Maryland Baltimore County
• University of Maryland, Baltimore
• University of Rochester
• University of Southern California
• University of Virginia
• University of Washington
• University of Wisconsin - Madison

Sponsored Partners (15)
• Cdigix
• EBSCO Publishing
• Elsevier ScienceDirect
• Houston Academy of Medicine - Texas Medical Center Library
• Internet2
• JSTOR
• Napster, LLC
• OCLC
• OhioLink - The Ohio Library & Information Network
• ProtectNetwork
• RefWorks, LLC
• Symplicity Corporation
• Thomson Learning, Inc.
• Turnitin
• WebAssign

NEXT
• Libraries & their partners
• Student Services (Registrars, Financial Aid officers, others)
• U.S. Agencies:
  • NSF (FastLane, …)
  • NIH (Libraries, Grants Administration, …)
  • Dept. of Education (Student Financial Aid, …)
• Federations within the InCommon Federation
  • University Systems
  • State & Regional Systems
  • Coalitions of Universities organized around Networks, Grids, others…


Joining InCommon

Management Process

1. Eligibility: Higher Ed (accreditation) and Sponsored Partners (sponsors)

2. Agreement: InCommon Participation Agreement [PDF]:
  • Delegating your trusted Executive
  • Signed by an authorized representative of the organization

3. Pay Fees ($700 registration, $1,000 annual)

4. Federation I.D. Proofing of Executive, appointment of Admin

5. Privacy and Security Policies and Processes articulated, documented, and posted (Participant Operational Practices)

Technical Process

1. Official Organization Directory (Identity Management system)

2. Web Single Sign On (SSO)

3. Common Language: EduPerson schema

4. Federating Software: Shibboleth IdP and/or SPs

5. Federation I.D. Proofing of Admin

6. Submit Metadata, Certificate Signing Request, and POP URL

7. Install Certificate

8. Test with Partners and Attribute Release Policies

9. Deploy

10. Repeat steps 8 & 9


Federation Benefit

• Federation enables communities to share information about individuals’ identity, reducing the overall work required to maintain connections and reducing the friction in cross-community interactions.

• Burton Group, Federating a Distributed World: Asserting Next-Generation Identity Standards


InCommon Federation Benefit

• “To meet the increasing campus demand for using external applications and online resources, we developed and implemented solutions that efficiently use our existing information infrastructures securely and safely in such a way that we maintain control over the release of personal information for people at Penn State. InCommon is a vitally important part of this infrastructure and helps put us in a position to provide a richer, easier to use, safer online experience for Penn State students, faculty, and staff.” - Kevin Morooney, vice provost, Penn State University

• Scalability: Leverage your investments and your “next times”


Acknowledgements

• Middleware Architecture Committee for Education (MACE), Internet2

• Andrea Bessing, Cornell University

• John Krienke, InCommon Federation


QUESTIONS