INTRODUCTION

INTRODUCTION · 2016-01-26 · INTRODUCTION APAN – Identity and Access Management Task Force The Identity and Access Management (IAM) Working Group has established a taskforce to


Page 1

INTRODUCTION

Page 2

INTRODUCTION

APAN – Identity and Access Management Task Force

The Identity and Access Management (IAM) Working Group has established a taskforce to tackle Federation Deployment in the Asia Pacific Region. All interested parties, individuals or organisations are invited to participate.

The goals of the Task Force are to:

•  Develop and establish national identity federation services within participating economies in the Asia Pacific region

•  Enable the participating economies' national identity federation services to join eduGAIN

•  Enable participating economies to deploy eduroam

Subscribe: [email protected]

Page 3

COURSE CONTENT

SUNDAY

•  What is an Identity Federation

•  Federation Registries

•  Explore an existing federation

•  Federation tools

•  Rules, policy and compliance

MONDAY

•  Technical

•  Setting up an IdP

•  Setting up an SP

•  Taking Identity Federation to your nation

•  Support and Assistance

Laptop required

Page 4

EXPECTED OUTCOMES

The objective of this training event is to provide participants with information and knowledge which, on return to their nation, can be shared with their research and higher education institutions, with the aim of instigating and deploying a pilot federation that leads to a national identity federation.

To start or continue building a National Identity Federation

Page 5

HOUSEKEEPING

Please sign the attendance sheet or email [email protected] with [Name, Email, Organisation, Job Title]

Questions at any time

4 sessions per day, 90 minutes each

Lunch is provided for those at the conference

Other conference events:

•  IAM Working Group meeting – Wednesday

•  APAN / REDCLARA (MAGIC Project) – Thursday 11:00 – 12:30

•  Closing Plenary – Liz Coulter – Thursday 13:30 – 15:00

Page 6

WHY ARE YOU ATTENDING?

Participants, please introduce yourself:

•  Name

•  Country / Nation

•  Organisation

•  Role

•  What you expect from the training

•  Federation status

Page 7

FEDERATION OVERVIEW

Page 8

QUESTIONS?

Page 9

OVERVIEW OF FEDERATIONS

Page 10

AGENDA

•  What is Federated Identity Management?

•  What is a Federation?

•  What are the components that constitute a Federation?

•  Quick tour of a Federation (The AAF)

Page 11

IDENTITY DOMAIN PATTERNS

Isolated Identity Domain

Isolated identity domains are created when systems or services produce and manage identities with no reference to identities in other systems. The main advantages of isolated domains are that they limit the effects of malevolent access and safeguard privacy.

Centralised Identity Domain

Centralised identity domains provide special-purpose systems that produce common services for use by a number of systems. Usually, a centralised identity domain is closely bound to an organisation's network security infrastructure, and recognition and identification are limited to systems with shared access to a common security architecture entailing certificate servers, network host registries, directories and local authentication services.

Federated Identity Domain

Federated identity domains uncouple identity provision from entitlement management (service provision). During an access request an identity provider attests to the authenticity of the requesting identity. The service provider then decides the entitlements it will grant the identity holder – often based on additional information provided by the identity provider. In other words, federation is designed to extend the domain in which an identity can be recognised.

"User-Centric" Identity Domains

User-centric identity domains give users greater control over their personal information. Users are allowed to choose identity providers independently of service providers. Identity providers act as trusted third parties to store user account and profile information and authenticate users, and service providers accept assertions or claims about users from identity providers.

Page 12

FEDERATED IDENTITY MANAGEMENT

Federated identity management (FIM) is an arrangement that can be made among multiple enterprises that lets subscribers use the same identification data to obtain access to the networks of all enterprises in the group. The use of such a system is sometimes called identity federation.

[Diagram: Organisation, Service Provider, Identity Provider, Users and Federation]

Page 13

FEDERATED IDENTITY

In Federated Identity Management:

•  Authentication (AuthN) takes place where the user is known

•  An Identity Provider (IdP) publishes authentication and identity information about its users

•  Authorization (AuthZ) happens on the service's side

•  A Service Provider (SP) relies on the AuthN at the IdP, consumes the information the IdP provided and makes it available to the application

•  An entity is a generic term for an IdP or SP

The first principle within federated identity management is the active protection of user information:

•  Protect the user's credentials
  •  only the IdP ever handles the credentials

•  Protect the user's personal data, including the identifier
  •  a customised set of information gets released to each SP
  •  federation rules are used to prevent the leakage of personal data
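The two protections on this slide, a per-SP attribute release policy and an identifier that cannot be correlated across services, are easy to see in code. The block below is an added example written for this page, not AAF or Shibboleth code: the eduPerson attribute names are the standard ones, but the user values, SP entityIDs, release policy and salt are constructed, and the SP-scoped identifier is computed as a keyed hash in the style of a SAML persistent identifier.

```python
import hashlib
import hmac

# Constructed sample data: the attributes the IdP holds for one user.
USER_ATTRIBUTES = {
    "eduPersonPrincipalName": "jdoe@idp.example.edu",
    "displayName": "Jane Doe",
    "mail": "jane.doe@idp.example.edu",
    "eduPersonAffiliation": ["staff", "member"],
}

# Constructed release policy keyed by SP entityID. Any SP not listed here
# receives nothing: release is default-deny, as the slide's first principle asks.
RELEASE_POLICY = {
    "https://library.example.org/shibboleth": {"eduPersonAffiliation", "eduPersonTargetedID"},
    "https://wiki.example.org/shibboleth": {"eduPersonPrincipalName", "displayName", "mail"},
}


def pairwise_id(internal_uid, sp_entity_id, idp_salt):
    """SP-scoped pseudonymous identifier (eduPersonTargetedID style).

    The value is a keyed hash over the internal account id and the SP's
    entityID, so it is stable for one SP but differs between SPs: two
    services cannot link the same person by comparing identifiers.
    """
    material = (internal_uid + "!" + sp_entity_id).encode("utf-8")
    return hmac.new(idp_salt, material, hashlib.sha256).hexdigest()


def attributes_for_sp(user_attrs, internal_uid, sp_entity_id, policy, idp_salt):
    """Return only the attributes the policy allows for this SP."""
    allowed = policy.get(sp_entity_id, set())
    released = {name: value for name, value in user_attrs.items() if name in allowed}
    if "eduPersonTargetedID" in allowed:
        released["eduPersonTargetedID"] = pairwise_id(internal_uid, sp_entity_id, idp_salt)
    return released


if __name__ == "__main__":
    salt = b"constructed-idp-salt-keep-secret"
    for sp in ("https://library.example.org/shibboleth",
               "https://wiki.example.org/shibboleth",
               "https://unknown.example.net/shibboleth"):
        print(sp, attributes_for_sp(USER_ATTRIBUTES, "uid=1234", sp, RELEASE_POLICY, salt))
```

The library SP sees an affiliation and an opaque identifier but no name or email; the wiki sees the name and email it was approved for; an SP that is not in the policy sees nothing at all. The salt is what makes the pairwise identifier unguessable, so it is IdP-private material and must never appear in metadata or logs.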

Page 14

BENEFITS OF FEDERATED IDENTITY MANAGEMENT

•  Provides Single Sign-On
  •  Users generally find the resulting single sign-on experience to be nicer than logging in numerous times with numerous credentials

•  Reduces work
  •  Reduction in support desk authentication-related calls (lost password, etc.)
  •  Simplified process of integrating new services

•  Provides current data
  •  Studies of applications that maintain user data show that the majority of data is out of date.

•  Improves Security
  •  Insulation from service compromises. With FIM data gets pushed to services as needed. An attacker can't get everyone's data on a compromised server.
  •  Only the IdP needs to be able to contact user data stores. All effort can be focused on securing this single connection instead of one (or more) connections per service.

•  Improves Usability
  •  The authentication process is consistent regardless of the service accessed.

Page 15

WHAT IS A FEDERATION?

•  A group of organizations running IdPs and SPs that agree on a common set of rules and standards

•  It's a label – to talk about such a collection of organizations

•  An organization may belong to more than one federation at a time

•  The grouping can be on a regional level (e.g. AAF) or on a smaller scale (e.g. a large campus)

Page 16

WHAT DO FEDERATIONS DO?

At a minimum a federation maintains the list of which IdPs and SPs are in the federation.

Most federations also:

•  Define agreements, rules, and policies

•  Provide some user support (documentation, email list, etc.)

•  Operate a central discovery service and test infrastructure

Some federations:

•  Provide self-service tools for managing IdP and SP data (Resource Registry)

•  Provide application integration support

•  Host or help with outsourced IdPs (IdP in the Cloud, hosted IdP)

•  Provide tools for managing "guest" users

•  Develop custom tools for the community

Page 17

FEDERATION COMPONENTS

Component – Description

Identity Provider (IdP) – Where authentication occurs; publishes authentication and identity information about its users

Service Provider (SP) – Relies on the AuthN at the IdP, consumes the information the IdP provided and makes it available to the application

Federation Tools – Tools to ease the operation of the federation: Federation Registry, Virtual Home, Status, Testing, etc.

Metadata – An XML document that describes every federation entity. Provides the technical trust in the Federation

Discovery – Lets the user choose the home organisation the user belongs to. Tells the Service Provider which Identity Provider to use for authentication and attribute retrieval

Page 18

A QUICK WALK THROUGH

Exploring the Australian Access Federation using your training username and password.

Component – Description

AAF Dashboard – http://dashboard.aaf.edu.au/ A simple dashboard of AAF tools and information

Attribute Validator – A tool that validates the attributes sent back by the IdP after authentication

Discovery Service – Select the organisation where you will log in – use AAF Virtual Home for this exercise

AAF Virtual Home – IdP run by the AAF for users who are not affiliated with any organisation in the federation

Attribute Validator (again) – Attributes released about you by the IdP are on display at this simple verification service

Federation Registry – https://manager.aaf.edu.au/federationregistry/ Tool that manages all of the entities in the federation. Log in to see the dashboard.

NeCTAR Research Cloud – https://dashboard.rc.nectar.org.au/auth/login/ A CloudStack instance that provides compute to researchers in Australia. You will be creating two services as part of this training: an IdP and an SP in the AAF Test Federation.

The Service Catalogue – http://aaf.edu.au/servicecatalogue/ A simple catalogue of services in the AAF. This list is automatically maintained by the Federation Registry.

Page 19

QUESTIONS?

Page 20

TYPES OF FEDERATIONS

Page 21

THE STRUCTURE OF YOUR FEDERATION

You start with the building blocks, IdP and SP, then add them to your chosen architecture.

This section will look at a number of architectural options for an identity federation, and the costs, risks and benefits of each.

Page 22

COMMON FEDERATION ARCHITECTURES

Mesh: Full mesh federations are the most common and most straightforward federations to implement, because everything is distributed and there is no central component that has to be specifically protected against failure.

Hub-and-spoke: Hub & Spoke federations with distributed login rely on a central hub or proxy via which all SAML assertions are sent.

Centralized: Hub & Spoke federations with central login are a special case in the sense that there is only one single Identity Provider in the federation.

Mashups: A combination of both Mesh and Hub-and-spoke

Page 23

THE MESH FEDERATION

Page 24

THE HUB AND SPOKE

Page 25

ADVANTAGES OF HUB-AND-SPOKE

IdP advantages:

1.  Metadata needs to be updated much less frequently. IdPs only need the metadata of the single hub service operated by the federation;

2.  Release of attributes is simply "release all" to the hub, as opposed to needing explicit release policies for every service in the federation;

3.  New services become available as soon as the Hub enables them; the IdP doesn't need metadata/release-policy updates etc., which is where we often see support tickets;

4.  As an IdP operator when I have a problem I don't have to work with operator support and specific SP admins; I talk to the hub operator in the middle who can diagnose all the flows.

Page 26

ADVANTAGES OF HUB-AND-SPOKE

SP advantages:

1.  Metadata needs to be updated much less frequently. SPs only need the metadata of the single hub IdP operated by the federation;

2.  Requested attributes, once approved by the hub, will flow from all IdPs without further fault finding required;

3.  New IdPs become available as soon as the Hub enables them. The SP doesn't need to wait for IdP propagation, which is where we often see support tickets;

4.  As an SP operator when I have a problem I don't have to work with operator support and specific IdP admins; I talk to the hub operator in the middle who can diagnose all the flows;

5.  Dynamic service registration becomes a possibility; we can't do this with the Mesh as we need to wait for metadata propagation. With a Hub that has an appropriate API a new service could be registered on the fly and operating within a minute. Important for services who want to provide an offering where dynamic application instances can be launched and destroyed. For example, a short-term Galaxy instance, which is a real NeCTAR VL requirement today.

Page 27

ADVANTAGES OF HUB-AND-SPOKE

Operator advantages:

1.  All flows/data transit the hub. This makes diagnosing faults much easier. With the mesh approach our administrators often have trouble accessing specific log files to fully diagnose a fault between two points and need to wait for remote admins;

2.  Consent is handled in a single, centralized UI, ensuring all end-users get the same experience, which can be tailored as UX issues are identified or privacy policies are adapted;

3.  The hub operator will receive much more accurate (and real-time) usage statistics for flows going across the federation;

4.  Social login, eduGAIN and similar concerns may be better handled with a centralised, do-it-once approach.

Page 28

DISADVANTAGES

Of course the hub operator will have some disadvantages as well:

1.  All flows transit the hub, potentially exposing end-user activity. Consideration for log scrubbing and anonymity is required here, potentially requiring external audit;

2.  The hub must be highly available: if it goes away the entire federation dies. 24/7 on-call as well as more expensive deployment models will add to costs.

Page 29

CENTRALIZED FEDERATION

[Diagram: a single central IdP surrounded by SPs]

Page 30

THE MASHUP

•  Combinations of Hub-and-Spoke and Mesh

•  AAF is a mashup, having started as a pure Mesh federation. With the introduction of RAPID Connect it is now a Mash-up.

•  RAPID Connect provides a bridge between SAML and JSON Web Tokens (JWT)

JSON Web Token (JWT) is an open standard (RFC 7519) that defines a compact and self-contained way for securely transmitting information between parties as a JSON object. This information can be verified and trusted because it is digitally signed. JWTs can be signed using a secret (with the HMAC algorithm) or a public/private key pair using RSA.
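To make the "verified and trusted because it is digitally signed" point concrete, here is the HMAC-secret variant of a JWT done end to end with only the Python standard library. This is an added example written for this page, not RAPID Connect's or any library's code; the claim values, the shared secret and the audience are constructed. The part a relying party most often gets wrong is on the verifying side: pin the algorithm you expect rather than trusting the token's own header, compare the tag in constant time, and check `aud`, `exp` and `nbf` before believing any claim.

```python
import base64
import hashlib
import hmac
import json
import time


def b64url_encode(data):
    """Base64url without padding, as RFC 7515 requires."""
    return base64.urlsafe_b64encode(data).rstrip(b"=").decode("ascii")


def b64url_decode(text):
    return base64.urlsafe_b64decode(text + "=" * (-len(text) % 4))


def sign_hs256(claims, secret):
    """Issue a compact JWT signed with HMAC-SHA256 over 'header.payload'."""
    header = {"alg": "HS256", "typ": "JWT"}
    signing_input = (
        b64url_encode(json.dumps(header, separators=(",", ":")).encode("utf-8"))
        + "."
        + b64url_encode(json.dumps(claims, separators=(",", ":")).encode("utf-8"))
    )
    tag = hmac.new(secret, signing_input.encode("ascii"), hashlib.sha256).digest()
    return signing_input + "." + b64url_encode(tag)


def verify_hs256(token, secret, audience, now=None):
    """Verify the signature and the standard claims; raise ValueError on any failure."""
    parts = token.split(".")
    if len(parts) != 3:
        raise ValueError("malformed token")
    header_b64, claims_b64, sig_b64 = parts
    header = json.loads(b64url_decode(header_b64))
    # Pin the algorithm this relying party was configured for. A verifier that
    # follows whatever "alg" the header announces can be handed an unsigned
    # ("none") token or a token signed with the wrong kind of key.
    if header.get("alg") != "HS256":
        raise ValueError("unexpected alg")
    expected = hmac.new(secret, (header_b64 + "." + claims_b64).encode("ascii"),
                        hashlib.sha256).digest()
    # Constant-time comparison of the tag.
    if not hmac.compare_digest(expected, b64url_decode(sig_b64)):
        raise ValueError("signature mismatch")
    claims = json.loads(b64url_decode(claims_b64))
    now = int(time.time()) if now is None else now
    if claims.get("aud") != audience:
        raise ValueError("audience mismatch")
    if "exp" not in claims or now >= claims["exp"]:
        raise ValueError("expired or no expiry")
    if claims.get("nbf", now) > now:
        raise ValueError("not yet valid")
    return claims


def is_valid(token, secret, audience, now=None):
    """Boolean wrapper around verify_hs256 for callers that only need yes/no."""
    try:
        verify_hs256(token, secret, audience, now)
        return True
    except ValueError:
        return False


if __name__ == "__main__":
    # Constructed claims: an IdP-side issuer asserting a principal to one SP.
    secret = b"constructed-shared-secret-between-issuer-and-sp"
    claims = {"iss": "https://idp.example.edu", "aud": "https://sp.example.org",
              "sub": "jdoe@idp.example.edu", "iat": 1700000000, "exp": 1700000600}
    token = sign_hs256(claims, secret)
    print(token)
    print(verify_hs256(token, secret, "https://sp.example.org", now=1700000100))
```

The same token is rejected once `exp` has passed, when presented to a different audience, when the secret differs, and when its payload has been altered, because any change to `header.payload` changes the HMAC tag. With a shared secret both sides can mint tokens, so the HMAC form fits a bridge such as a SAML-to-JWT proxy talking to one service; where many services must verify but only one party may issue, the RSA (public/private key) variant the slide mentions is the right choice.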

Page 31

QUESTIONS?

Page 32

TRUST FRAMEWORK

Page 33

THE FEDERATION IS BUILT ON TRUST

Technical Interoperability

•  Supported protocols

•  User authentication mechanisms

•  User attribute specifications

•  Accepted X.509 server certificates

Legal Interoperability

•  Membership agreement or contract

•  Federation operation policies

•  Requirements on identity management practices

Others

•  Common/best operational practices e.g. http://switch.ch/aai/bcp

Page 34

TECHNICAL INTEROPERABILITY

SAML2 Protocol, Authentication methods, Attributes, …

METADATA: The federation Metadata provides the technical trust in the federation.

•  XML documents defined by the SAML 2.0 standards

•  Generated by the Federation operators

•  Cryptographically signed by the Federation operators

•  Optionally transported over the internet using SSL

•  Contains technical information on all participating entities
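Because the signed metadata aggregate is where the technical trust lives, every IdP and SP has to consume it carefully: verify the operator's signature on the document, refuse it once its `validUntil` has passed (otherwise an old, still-validly-signed copy can be replayed with entities that have since been removed), and only then read out each entity's role, endpoints and keys. The block below is an added example written for this page, not code from any federation or from the Shibboleth/SimpleSAMLphp software: it shows the freshness check and the parsing step over a constructed two-entity aggregate with a placeholder certificate. XML-Signature verification itself needs an XML-DSig library (xmlsec or similar) and is assumed to have already been done on the document before it reaches this parser.

```python
import xml.etree.ElementTree as ET
from datetime import datetime, timezone

NS = {
    "md": "urn:oasis:names:tc:SAML:2.0:metadata",
    "ds": "http://www.w3.org/2000/09/xmldsig#",
}

# Constructed aggregate: one IdP and one SP. The certificate body is a placeholder,
# and there is no ds:Signature element because signature checking is assumed
# to have happened before this step.
SAMPLE_METADATA = """<?xml version="1.0" encoding="UTF-8"?>
<md:EntitiesDescriptor xmlns:md="urn:oasis:names:tc:SAML:2.0:metadata"
    xmlns:ds="http://www.w3.org/2000/09/xmldsig#"
    Name="urn:mace:example-federation" validUntil="2030-01-01T00:00:00Z">
  <md:EntityDescriptor entityID="https://idp.example.edu/idp/shibboleth">
    <md:IDPSSODescriptor protocolSupportEnumeration="urn:oasis:names:tc:SAML:2.0:protocol">
      <md:KeyDescriptor use="signing">
        <ds:KeyInfo><ds:X509Data><ds:X509Certificate>PLACEHOLDER-CERT</ds:X509Certificate></ds:X509Data></ds:KeyInfo>
      </md:KeyDescriptor>
      <md:SingleSignOnService Binding="urn:oasis:names:tc:SAML:2.0:bindings:HTTP-Redirect"
          Location="https://idp.example.edu/idp/profile/SAML2/Redirect/SSO"/>
    </md:IDPSSODescriptor>
  </md:EntityDescriptor>
  <md:EntityDescriptor entityID="https://sp.example.org/shibboleth">
    <md:SPSSODescriptor protocolSupportEnumeration="urn:oasis:names:tc:SAML:2.0:protocol">
      <md:AssertionConsumerService Binding="urn:oasis:names:tc:SAML:2.0:bindings:HTTP-POST"
          Location="https://sp.example.org/Shibboleth.sso/SAML2/POST" index="1"/>
    </md:SPSSODescriptor>
  </md:EntityDescriptor>
</md:EntitiesDescriptor>
"""


def parse_timestamp(value):
    """SAML dateTime values are UTC with a trailing Z; fractional seconds are dropped."""
    value = value.rstrip("Z").split(".")[0]
    return datetime.fromisoformat(value).replace(tzinfo=timezone.utc)


def parse_federation(xml_text, now=None):
    """Return the entities in a (signature-verified) aggregate, or raise ValueError if stale."""
    if isinstance(now, str):
        now = parse_timestamp(now)
    now = now or datetime.now(timezone.utc)
    # Feed this parser only signature-verified metadata, or use a hardened XML
    # parser (e.g. defusedxml) if the source is not yet trusted.
    root = ET.fromstring(xml_text)
    if root.tag != "{%s}EntitiesDescriptor" % NS["md"]:
        raise ValueError("not a SAML EntitiesDescriptor")
    valid_until = root.get("validUntil")
    if valid_until is None or parse_timestamp(valid_until) <= now:
        raise ValueError("metadata has no validUntil or has expired")
    entities = []
    for ed in root.findall("md:EntityDescriptor", NS):
        info = {"entityID": ed.get("entityID"), "roles": [], "endpoints": {},
                "has_signing_key": False}
        idp = ed.find("md:IDPSSODescriptor", NS)
        if idp is not None:
            info["roles"].append("IdP")
            for sso in idp.findall("md:SingleSignOnService", NS):
                info["endpoints"][sso.get("Binding")] = sso.get("Location")
            for kd in idp.findall("md:KeyDescriptor", NS):
                # A KeyDescriptor with no "use" attribute is valid for signing too.
                if kd.get("use") in (None, "signing") and \
                        kd.find("ds:KeyInfo/ds:X509Data/ds:X509Certificate", NS) is not None:
                    info["has_signing_key"] = True
        sp = ed.find("md:SPSSODescriptor", NS)
        if sp is not None:
            info["roles"].append("SP")
            for acs in sp.findall("md:AssertionConsumerService", NS):
                info["endpoints"][acs.get("Binding")] = acs.get("Location")
        entities.append(info)
    return {"name": root.get("Name"), "validUntil": valid_until, "entities": entities}


def metadata_is_current(xml_text, now=None):
    """True if the aggregate parses and its validUntil is still in the future."""
    try:
        parse_federation(xml_text, now)
        return True
    except (ValueError, ET.ParseError):
        return False


if __name__ == "__main__":
    for entity in parse_federation(SAMPLE_METADATA)["entities"]:
        print(entity["entityID"], entity["roles"], entity["endpoints"])
```

An SP that has just verified the signature still has to check `validUntil` against its own clock on every refresh; a hub-and-spoke deployment (pages 25 and 26) reduces how often this file changes for each participant, but not the need to check it.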

Page 35

LEGAL INTEROPERABILITY

All participants must…

•  Agree to and sign the Federation Rules

•  Be legal entities or sponsored by a legal entity

•  Maintain regular compliance

This provides legal recourse if something goes wrong:

•  Auditing

•  Expulsion

•  Sanctioning users

Roles and responsibilities of the Federation operator

Page 36

QUESTIONS?

Page 37

EDUROAM

Page 38

WHAT IS EDUROAM?

eduroam is a location-independent wireless network, allowing mobility between participants' wireless infrastructures with seamless federated user authentication and enforcement of local security policy.

Page 39

EDUROAM IS

•  Seamless wireless access

eduroam allows users from participating institutions to gain secure wireless network access using the same standard username (email format)/password credentials they use for wireless access at their home institution.

•  eduroam IdPs and SPs

eduroam is based on a federated authentication model where your username and password are validated at your home institution (identity provider) and access to authorised network services is controlled by the visited institution (service provider).

Page 40

EDUROAM COVERAGE

Page 41

EDUROAM OVERVIEW

HI = Home Institution

VI = Visited Institution

IdP = Identity Provider

SP = Service Provider

Page 42

EDUROAM IS NOT

Web-based Federated Identity! There are many similarities, but eduroam is for wireless access; FIM is for web-based access and authorization.

eduroam ≠ FIM

They can and do operate side by side at many institutions, and this is encouraged.

Page 43

QUESTIONS?

Page 44

WHAT IS REFEDS?

Page 45

WHAT IS REFEDS?

The Research and Education FEDerations group

Mission: to be the voice that articulates the mutual needs of research and education identity federations worldwide. The group represents the requirements of research and education in the ever-growing space of access and identity management, working with and influencing the direction of other organisations on behalf of our participants.

Page 46

WHAT DOES REFEDS DO?

Yearly Work plan

•  The work of REFEDS is prioritised by the REFEDS Steering Committee based on the requirements of REFEDS participants.

Tools

•  Through its annual work plan, REFEDS has developed a series of live and pilot tools that are openly available for use.

Documents and White papers

•  From time to time, REFEDS issues White Papers to support those involved in federated identity management.

•  The Discovery Guide

•  REEP – REFEDS repository for 'end point entities'

•  MET – REFEDS Metadata Explorer Tool

•  Entity Categories – The core Entity Categories that can be used by Federations

Promote Federations

Page 47

REFEDS OUTREACH

Links from the REFEDS web site (https://refeds.org)

•  Mailing lists (see About)

•  Blog

•  Wiki

•  Meetings

Page 48

FEDERATIONS GLOBALLY

[Map: federations worldwide]

Production (43)

Pilot (18)

Page 49

QUESTIONS?