New trends in Identity Management

Peter Gietz, DAASI International GmbH, [email protected]

Track on Research and Education Networking in South East Europe, Yu Info 2007, Kopaonik, Serbia, 14 March 2007

(c) March 2007 DAASI International GmbH



Page 2

Agenda

• Introduction to (Federated) Identity Management
• Standards in IdM
• IdM and Grid Computing

Page 3

Introduction to (Federated) Identity Management

Page 4

The dark world before Identity Management

• Historically grown IT infrastructures and processes
• Isolated directories and databases contain the same information about persons (staff, students, etc.)
• No interaction and no trust between the systems
• No overall view of the whole infrastructure and data
• Every application has its own user management, and every new application makes things worse
• Such redundancy of data and administration means higher costs

Page 5

More deficiencies

• Processes for provisioning accounts are very slow
• Users get access to resources too late
• Even worse: users keep access rights after leaving the university
• There is no real security in this chaos

Page 6

IdM is the solution

Definition of Spencer C. Lee:

Identity Management refers to the process of implementing new technologies for the administration of information on the identities of users and of access control to resources.

The aim of identity management is to increase productivity and security while reducing the costs of managing users, their identities, attributes and access rights.

Page 7

What is new then?

• User management has existed since the early times of computing: /etc/passwd in Unix is also user management! So the problems are old.
• Identity Management Systems take care of this, so you have to develop a concept for your entire IT infrastructure:
  • Data come from authoritative sources and don't have to be administrated redundantly
  • User management becomes highly automated
  • IT processes synchronize information from data sources to applications, so that access to resources can be granted quickly but is also taken away immediately after the user leaves the organisation

Page 8

Components of IdM

• Data sources and applications
• Directories are a central component, which store identity information, passwords and policy
  • Standards: X.500, LDAP
  • As metadirectories they are used as the base for the synchronization of data, for identifying persons, and for password management
• Connectors do the actual data synchronization, data conversion and logging of the processes
• Auditing tools provide the overview

Page 9

What do you get from IdM?

• You have identities instead of accounts
  • The student who is also a staff member is stored under the same identity
  • This increases the personalisation functionality
• Unified Login / Single Log On
  • Integrative central user management
  • Applications can directly use LDAP data or be provisioned with account information
  • Users only have to remember one password
• Single Sign On: users only have to authenticate once per day
• Single Log Off: with one log off process all open sessions are closed

Page 10

Federated Identity Management

Definition of Peter Valkenburg et al. (SURF): collective term for all processes, standards and technologies which support the exchange of identity data across organisational borders

• The user data only have to be stored at the home organisation
• There are two main functionalities (roles of organizations):
  • Identity Provider (IdP): connected to the local user management of the home organization, provides authentication status and attribute information
  • Service Provider (SP): uses this information to make decisions about access to resources

Page 11

What is needed for Federated Identity Management?

• Requirement is a federated trust model, organized by contracts between IdPs and SPs.
• It is best to have an intermediate organisation (e.g. an NRN)
  • to prevent n-to-n contracts
  • to manage central services that provide authoritative metadata about the members of the federation
• Agreement on a set of authorization attributes
  • interesting attributes are eduPersonAffiliation, eduPersonEntitlement, eduPersonTargetedId
• A certain standard in IdM of the participating organisations
• FIdM technologies are, e.g., Liberty Alliance, Shibboleth, WS-Security

Page 12

Motivation for Federated Identity Management

• Students become more and more mobile and want to study at different universities
• Courses of study have to become more compatible, so that (con)federations can support the Bologna process
• Research gets more and more internationally interconnected
  • eScience and Grid Computing
  • Researchers from different universities need access to distributed resources
• Licenses for database usage, etc. often need detailed attributes about users
  • Is the user a student of the faculty of physics?
  • Such questions can be answered without losing privacy

Page 13

Standards for FIdM 1

• LDAP (Lightweight Directory Access Protocol)
  • IETF standard for storage of person information and for authentication processes
• SAML (Security Assertion Markup Language) (OASIS)
  • XML documents contain assertions about a user:
    • Authentication Statements (when and how did a user authenticate)
    • Authorization Statement (what is the user allowed to access)
    • Attribute Statement (what attributes, roles, etc. does the authenticated user have)
  • Profiles specify how assertions are exchanged between IdP and SP
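An added example (not from the slides) of the SP side of the IdP/SP exchange described on the Federated Identity Management and attribute-agreement slides: a Python consumer that parses a constructed SAML 2.0 assertion, reads its Authentication and Attribute Statements, enforces the Conditions and maps eduPersonAffiliation to an access decision. The assertion and the entity IDs are constructed; XML signature verification, which a real SP performs first, is assumed done and not shown.

```python
# Added example, not from the slides: an SP-side consumer of a SAML 2.0 assertion.
# It reads the Authentication and Attribute Statements, enforces the Conditions
# (validity window, audience) and maps eduPersonAffiliation to an access decision.
# Assertion and entity IDs are constructed; signature verification (required) is not shown.
import xml.etree.ElementTree as ET
from datetime import datetime, timezone

NS = {"saml": "urn:oasis:names:tc:SAML:2.0:assertion"}
SP_ENTITY_ID = "https://sp.example.org/shibboleth"  # hypothetical SP entityID
ALLOWED_AFFILIATIONS = {"student", "staff"}         # local SP access policy
SAMPLE_ASSERTION = """<saml:Assertion xmlns:saml="urn:oasis:names:tc:SAML:2.0:assertion" ID="_a1" Version="2.0" IssueInstant="2007-03-14T10:00:00Z">
  <saml:Issuer>https://idp.example.edu/idp/shibboleth</saml:Issuer>
  <saml:Subject><saml:NameID>_t1</saml:NameID></saml:Subject>
  <saml:Conditions NotBefore="2007-03-14T10:00:00Z" NotOnOrAfter="2007-03-14T10:05:00Z">
    <saml:AudienceRestriction><saml:Audience>https://sp.example.org/shibboleth</saml:Audience></saml:AudienceRestriction>
  </saml:Conditions>
  <saml:AuthnStatement AuthnInstant="2007-03-14T09:59:30Z"><saml:AuthnContext>
    <saml:AuthnContextClassRef>urn:oasis:names:tc:SAML:2.0:ac:classes:PasswordProtectedTransport</saml:AuthnContextClassRef>
  </saml:AuthnContext></saml:AuthnStatement>
  <saml:AttributeStatement>
    <saml:Attribute Name="urn:oid:1.3.6.1.4.1.5923.1.1.1.1" FriendlyName="eduPersonAffiliation">
      <saml:AttributeValue>student</saml:AttributeValue><saml:AttributeValue>member</saml:AttributeValue>
    </saml:Attribute>
  </saml:AttributeStatement>
</saml:Assertion>"""

def parse_ts(value):  # SAML timestamps are UTC, e.g. 2007-03-14T10:00:00Z
    return datetime.strptime(value, "%Y-%m-%dT%H:%M:%SZ").replace(tzinfo=timezone.utc)

def parse_assertion(xml_text):
    # Pull out the statements the slide lists (authentication, attributes) plus the Conditions
    root = ET.fromstring(xml_text)
    cond, authn = root.find("saml:Conditions", NS), root.find("saml:AuthnStatement", NS)
    attrs = {a.get("FriendlyName") or a.get("Name"): [v.text for v in a.findall("saml:AttributeValue", NS)]
             for a in root.findall("saml:AttributeStatement/saml:Attribute", NS)}
    return {"issuer": root.findtext("saml:Issuer", namespaces=NS),
            "not_before": parse_ts(cond.get("NotBefore")), "not_on_or_after": parse_ts(cond.get("NotOnOrAfter")),
            "audiences": [e.text for e in cond.findall("saml:AudienceRestriction/saml:Audience", NS)],
            "authn_instant": parse_ts(authn.get("AuthnInstant")),
            "authn_context": authn.findtext("saml:AuthnContext/saml:AuthnContextClassRef", namespaces=NS),
            "attributes": attrs}

def decide_access(assertion, now, sp_entity_id=SP_ENTITY_ID):
    # SP decision: reject stale or misdirected assertions first, then apply the attribute policy
    if not assertion["not_before"] <= now < assertion["not_on_or_after"]:
        return False, "assertion outside its validity window"
    if sp_entity_id not in assertion["audiences"]:
        return False, "assertion not addressed to this SP"
    ok = set(assertion["attributes"].get("eduPersonAffiliation", [])) & ALLOWED_AFFILIATIONS
    return (True, "affiliation " + ",".join(sorted(ok))) if ok else (False, "no qualifying affiliation")
```

The NotOnOrAfter check is exclusive and the audience check is exact, so an assertion replayed after its window or issued for a different SP is refused before any attribute is consulted.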

Page 14

Standards for FIdM 2

• XACML (eXtensible Access Control Markup Language) (OASIS)
  • XML documents contain messages about authorization decisions or policies
• SPML (Service Provisioning Markup Language) (OASIS)
  • XML documents contain account information in a standardized way so that it can be exchanged across organizational borders
• SOAP (Simple Object Access Protocol)
  • XML protocol for exchanging all those XML documents between IT processes on different networks (RPC by XML means)
  • Web Services paradigm

Page 15

Federations implemented with Shibboleth

• Shibboleth
  • Production-ready open source software for implementing SAML-based federations
  • Created by the US higher education community (Internet2/MACE, NMI)
  • Supports Single Sign On
  • More and more applications get "shibbolized"
  • It is very concerned with privacy
    • Attribute release policies defined by the IdP and by the single user
    • EU data protection directive (95/46/EC) can be fulfilled
  • New features like Single Logout will be available in Shibboleth 2.0
  • Compatibility with Liberty Alliance is also on its way
  • http://shibboleth.internet2.edu

Page 16

Shibboleth

Page 17

Shibboleth and Grid Computing

• Shibboleth also got noticed in the Grid Computing communities
• Grid uses PKI certificates for authentication
  • a difficult task if the user base grows
  • Shibboleth may help here
• GridShib is an implementation of Shibboleth for the Web Services based open source grid infrastructure Globus Toolkit
• Virtual Organisations (VOs), like international research projects, share grid resources (CPUs, storage, services) and need federated identity management

Page 18

Alternatives

• PAPI
  • created by RedIRIS (Spain)
  • interorganizational access control, leaving authentication at the home organisation
  • interoperable with Shibboleth
  • see http://papi.rediris.es/
• A-Select
  • created by SURFnet (Netherlands)
  • framework where users can be authenticated by several means with Authentication Service Providers
  • see http://a-select.surfnet.nl/

Page 19

Who uses Shibboleth in Europe?

• SWITCH-AAI in Switzerland
• HAKA in the Finnish research network
• Denmark is starting
• UK started pilots on Shibboleth
• DFN-AAI will become productive this year
• D-Grid (German Grid community) is partly using it already
• TERENA played a major role in creating consciousness about FIdM and products like Shibboleth
  • TERENA Task Force EMC2 (European Middleware Coordination and Cooperation)
  • Sub-activity SCHAC for a common European schema
  • TERENA campus middleware workshops

Page 20

References

• TERENA task forces: http://www.terena.nl/tech/index_middleware.html
• Good information resources at SwitchAAI: http://www.switch.ch/aai
• Internet2: http://middleware.internet2.edu and http://shibboleth.internet2.edu

Page 21

Thank you for your attention!

QUESTIONS?

For later questions: [email protected]

DAASI International GmbH, http://www.daasi.de, [email protected]