Embed Size (px)
Citation preview
Federated Identity:What It Brings to Open Government
Dr Ken KlingensteinDirector, Internet2 Middleware and Security
Topics• The State of Federated Identity
• Growth• Interfederation• The emergence of privacy managers and trust-based transparency• The Attribute Ecosystem and the Tao of Attributes
• What it brings to Open Government• Consistency of implementations• Key constituencies• Multiple and flexible LOA• Roles• Privacy and attributes• Collaboration
A bit of background
• Internet identity work began in 2000 in the R&E sector• Spread quickly into corporate sector via OASIS standards
processes• Corporate use cases limited to bi-lateral relationships• R&E sector carried on multi-lateral federation work
• Created SAML, Shibboleth, InCommon, etc• Widespread deployments began 2004-5 with exponential growth• Building federations and trust more work than developing
protocols
Growth of Federated Identity• InCommon continues exponential growth, greater than 4M
users, 200 major universities, research centers, and companies• Internationally, growth is even more rapid; 25+ countries
representing > 100M users• Typical organization (Penn State) does 700,000 transactions a
day with trust based on InCommon; reduces help desk cost by 85%
• Used for financial transactions, scholarly content access, access to national scientific resources, collaboration tools, social networking, etc.
Federation Soup
• Many US federations • InCommon at the national R&E level• UCTrust, Texas, CIC federation, etc at system
and association level• NCTrust, NJEdge, etc at comprehensive state
levels• Consistency in policies, technologies; diverse in
communities served, standard attributes, etc.
Interfederation
• Connecting autonomous federations• Critical for global scaling, accommodating state and
local federations, integration across vertical sectors• Has technical, financial and policy dimensions• Elegant technical solution being developed in the
eduGAIN project of Geant• Policy activities in Kalmar2 Union, Kantara, Terena
MDX – metadata exchange protocol• Institutions and organizations will pick a registrar to give
their metadata to• Institutions and organizations will pick an aggregator (or
several) to get their partners metadata from• Aggregators exchange metadata with each other and
registrars • If this sounds like DNS registration and routing, it is, one
layer up• In the land of data, metadata is king; imagine many new
kinds of metadata
Trust, Identity and the Internet
• Acknowledges the assumptions of the original protocols about the fine nature of our friends on the Internet and the subsequent realities
• http://www.isoc.org/isoc/mission/initiative/trust.shtml• ISOC initiative to introduce trust and identity-leveraged
capabilities to many RFC’s and protocols• First target area is DKIM; subsequent targets include SIP
and firewall traversal (trust-mediated transparency)
The Attribute Ecosystem• Authentication is very important, but identity is just one of
many attributes• And attributes provide scalable access control, privacy,
customization, linked identities, federated roles and more• We now have our first transport mechanisms to move
attributes around – SAML and federations• There will be many sources of attributes, many consumers of
attributes, query languages and other transport mechanisms• Together, this attribute ecosystem is the “access control”
layer of the Internet
Attribute use cases are rapidly emerging
Disaster “first responders” attributes and qualifications dynamically
Access-ability use cases
Public input processes – anonymous but qualified respondents
Grid relying parties aggregating VO and campus attributes
The “IEEE” problem
The “over legal age” and the difference in legal ages use cases
Self-asserted attributes – friend, interests, preferences, etc
Key Issues
• Attribute aggregation• Metadata of attributes, LOA, etc• Sources of authority and delegation• Schema management, mapping, etc• User interface• Privacy and legal issues
The Tao of Attributes workshop 属性之道
• Purpose of workshop was to start to explore the federal use case requirements for attributes, aggregation, sources of authority, delegation, query languages, etc.
• Participants were the best and brightest – the folks who invented LDAP, SAML, OpenId, etc.
• Webcast at http://videocast.nih.gov/PastEvents.asp
• Twittered at TAOA• http://middleware.internet2.edu/tao-of-attributes/
What Federated Identity Delivers
• Consistency of implementations• Key constituencies• Roles• Multiple and flexible LOA• Privacy and attributes• Collaboration
Consistency of implementations
• SAML 2.0 is a heavily-referenced and widely implemented OASIS standard
• Metadata format (ala Shibboleth) is a standard• Interoperability among federations is well-
established
Key constituencies served
• Researchers, graduate students, etc• Research administration, management, etc• Students, patients, etc• Note that coverage in each of these constituencies is
100% - all organizational identities in a federation are federated
• Unaffiliated and general public via “homes for the homeless” providers, on a free or paid basis – eg UK, Denmark, ProtectNetwork, etc
Multiple and Flexible LOA
• LOA 1 – 4 all readily available (LOA 1 username/password to LOA 4 with holder of key)
• Federated two factor authentication (LOA 3) a VERY powerful concept; work now starting on approaches, leveraging new NIST standards
• Privacy and secrecy valuable by-products of the architecture
Roles
• Scaling is based on roles, not identity
• Roles are flexible and dynamic – PI, admin, collabmin, etc
• Roles provide opportunities to offload NIH of administrative burdens in tracking changes
• Audit controls provided by institution
Privacy and attributes
• Attributes are the real win – for fine-grain access control, for privacy, for secrecy
• Permit access control decisions to be made at relying party or at identity provider (entitlements)
• Can deliver identity, opaque identifiers, non-correlating identifiers, etc
• EU guidelines on privacy are more nuanced than the US
Collaborations and Virtual Organizations• IdM is a critical dimension of collaboration, crossing many
applications and user communities• Virtual organizations represent critical communities of
researchers sharing domain resources and applications as well as general collaboration tools. Providing a unified identity management platform for collaboration is essential in a multi-domain, multi-tool world.
• Lots of activities in domesticating applications to work in a federated world, moving from tool-based identity to collaboration-centric identity.
