2-1 (c) March 2007 DAASI International GmbH
New trends in Identity Management
Peter Gietz, DAASI International, [email protected]
Track on Research and Education Networking in South East Europe,
Yu Info 2007, Kopaonik, Serbia, 14 March 2007
Agenda
• Introduction to (Federated) Identity Management
• Standards in IdM
• IdM and Grid Computing
Introduction to (Federated) Identity Management
The dark world before Identity Management
• Historically grown IT infrastructures and processes
• Isolated directories and databases contain the same information about persons (staff, students, etc.)
• No interaction and no trust between the systems
• No overall view of the whole infrastructure and data
• Every application has its own user management; every new application makes things worse
• Such redundancy of data and administration means higher costs
More deficiencies
• Processes for provisioning accounts are very slow
• Users get access to resources too late
• Even worse: users keep access rights after leaving the university
• There is no real security in this chaos
IdM is the solution
Definition of Spencer C. Lee:
• Identity Management refers to the process of implementing new technologies for the administration of information on the identities of users and of access control to resources
• The aim of identity management is to increase productivity and security while reducing the costs of managing users, their identities, attributes and access rights
What is new then?
• User management has existed since the early days of computing
  • /etc/passwd in Unix is also user management!
• So the problems are old
• Identity Management Systems address them, but you have to develop a concept for your entire IT infrastructure
  • Data come from authoritative sources and don't have to be administrated redundantly
  • User management becomes highly automated
  • IT processes synchronize information from data sources to applications, so that access to resources can be granted quickly but is also taken away immediately after the user leaves the organisation
Components of IdM
• Data sources and applications
• Directories are a central component, which store identity information, passwords and policy
  • Standards: X.500, LDAP
  • As metadirectories they are used as the base for the synchronization of data, for identifying persons, and for password management
• Connectors do the actual data synchronization, data conversion and logging of the processes
• Auditing tools provide the overview
What do you get from IdM?
• You have identities instead of accounts
  • The student who is also a staff member is stored under the same identity
  • This increases the personalisation functionality
• Unified Login / Single Log On
  • Integrative central user management
  • Applications can directly use LDAP data or be provisioned with account information
  • Users only have to remember one password
• Single Sign On
  • Users only have to authenticate once per day
• Single Log Off
  • With one log off process all open sessions are closed
Federated Identity Management
Definition of Peter Valkenburg et al. (SURF):
• Collective term for all processes, standards and technologies which support the exchange of identity data across organisational borders
• User data only have to be stored at the home organisation
• There are two main functionalities (roles of organizations):
  • Identity Provider (IdP): connected to the local user management of the home organization, provides authentication status and attribute information
  • Service Provider (SP): uses this information to make decisions about access to resources
What is needed for Federated Identity Management?
• The requirement is a federated trust model, organized by contracts between IdPs and SPs
• It is best to have an intermediate organisation (e.g. an NRN)
  • to prevent n-to-n contracts
  • to manage central services that provide authoritative metadata about the members of the federation
• Agreement on a set of authorization attributes
  • interesting attributes are eduPersonAffiliation, eduPersonEntitlement, eduPersonTargetedId
• A certain standard of IdM at the participating organisations
• FIdM technologies are, e.g., Liberty Alliance, Shibboleth, WS-Security
Motivation for Federated Identity Management
• Students become more and more mobile and want to study at different universities
• Courses of study have to become more compatible, so that (con)federations can support the Bologna process
• Research gets more and more internationally interconnected
  • eScience and Grid Computing
  • Researchers from different universities need access to distributed resources
• Licenses for database usage, etc. often need detailed attributes about users
  • Is the user a student of the faculty of physics?
  • Such questions can be answered without losing privacy
Standards for FIdM 1
• LDAP (Lightweight Directory Access Protocol)
  • IETF standard for storage of person information and for authentication processes
• SAML (Security Assertion Markup Language) (OASIS)
  • XML documents contain assertions about a user:
    • Authentication Statements (when and how did a user authenticate)
    • Authorization Statements (what is the user allowed to access)
    • Attribute Statements (what attributes, roles, etc. does the authenticated user have)
  • Profiles specify how assertions are exchanged between IdP and SP
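The IdP/SP exchange from the previous slides carried through in code, as an added example that is not part of the slides: a minimal Service Provider-side check of a SAML 2.0 assertion that enforces the Conditions (validity window and audience), requires an Authentication Statement, and takes the access decision on the released eduPersonAffiliation and eduPersonEntitlement attributes alone, so the SP never needs to know who the user is. The assertion, the entity IDs and the entitlement URI are constructed for this example; verifying the IdP's XML signature is assumed to be done by the SAML library and is not shown.

```python
import xml.etree.ElementTree as ET
from datetime import datetime

NS = {"saml": "urn:oasis:names:tc:SAML:2.0:assertion"}

# Constructed sample assertion (issuer, audience, ID and entitlement URI are invented).
# Attribute names use the real eduPerson OIDs for affiliation (.1) and entitlement (.7).
SAMPLE_ASSERTION = """<saml:Assertion xmlns:saml="urn:oasis:names:tc:SAML:2.0:assertion"
    ID="_constructed-1" Version="2.0" IssueInstant="2007-03-14T10:00:00Z">
  <saml:Issuer>https://idp.example-university.edu/idp</saml:Issuer>
  <saml:Conditions NotBefore="2007-03-14T10:00:00Z" NotOnOrAfter="2007-03-14T10:05:00Z">
    <saml:AudienceRestriction>
      <saml:Audience>https://sp.example-library.org/shibboleth</saml:Audience>
    </saml:AudienceRestriction>
  </saml:Conditions>
  <saml:AuthnStatement AuthnInstant="2007-03-14T09:59:30Z"/>
  <saml:AttributeStatement>
    <saml:Attribute Name="urn:oid:1.3.6.1.4.1.5923.1.1.1.1" FriendlyName="eduPersonAffiliation">
      <saml:AttributeValue>student</saml:AttributeValue>
      <saml:AttributeValue>member</saml:AttributeValue>
    </saml:Attribute>
    <saml:Attribute Name="urn:oid:1.3.6.1.4.1.5923.1.1.1.7" FriendlyName="eduPersonEntitlement">
      <saml:AttributeValue>urn:mace:example-library.org:physics-db</saml:AttributeValue>
    </saml:Attribute>
  </saml:AttributeStatement>
</saml:Assertion>"""

def _ts(s):  # SAML timestamps are UTC with a trailing Z
    return datetime.fromisoformat(s.replace("Z", "+00:00"))

def validate_assertion(xml_text, expected_audience, now_iso):
    # SP-side checks; signature verification is assumed to have happened before this point.
    root = ET.fromstring(xml_text)
    cond = root.find("saml:Conditions", NS)
    if not (_ts(cond.get("NotBefore")) <= _ts(now_iso) < _ts(cond.get("NotOnOrAfter"))):
        raise ValueError("assertion outside its validity window")  # replay / stale assertion
    audiences = [a.text for a in cond.findall("saml:AudienceRestriction/saml:Audience", NS)]
    if expected_audience not in audiences:
        raise ValueError("assertion not addressed to this SP")  # issued for another SP
    if root.find("saml:AuthnStatement", NS) is None:
        raise ValueError("no authentication statement")
    attrs = {}  # FriendlyName (or OID) -> list of released values
    for attr in root.findall("saml:AttributeStatement/saml:Attribute", NS):
        name = attr.get("FriendlyName") or attr.get("Name")
        attrs[name] = [v.text for v in attr.findall("saml:AttributeValue", NS)]
    return attrs

def authorize(attrs, required_entitlement):
    # Decision on attributes only: "is the user a student with this entitlement?"
    return ("student" in attrs.get("eduPersonAffiliation", []) and
            required_entitlement in attrs.get("eduPersonEntitlement", []))
```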
Standards for FIdM 2
• XACML (eXtensible Access Control Markup Language) (OASIS)
  • XML documents contain messages about authorization decisions or policies
• SPML (Service Provisioning Markup Language) (OASIS)
  • XML documents contain account information in a standardized way so that they can be exchanged across organizational borders
• SOAP (Simple Object Access Protocol)
  • XML protocol for exchanging all those XML documents between IT processes on different networks (RPC by XML means)
  • Web Services paradigm
Federations implemented with Shibboleth
• Shibboleth
  • Production-ready open source software for implementing SAML-based federations
  • Created by the US higher education community (Internet2/MACE, NMI)
  • Supports Single Sign On
  • More and more applications get "shibbolized"
  • It is very concerned with privacy
    • Attribute release policies defined by the IdP and by the single user
    • The EU data protection directive (95/46/EC) can be fulfilled
  • New features like Single Logout will be available in Shibboleth 2.0
  • Compatibility with Liberty Alliance is also on its way
  • http://shibboleth.internet2.edu
Shibboleth
Shibboleth and Grid Computing
• Shibboleth has also been noticed in the Grid Computing communities
• Grids use PKI certificates for authentication, a difficult task if the user base grows
  • Shibboleth may help here
  • GridShib is an implementation of Shibboleth for the Web Services based open source grid infrastructure Globus Toolkit
• Virtual Organisations (VOs), like international research projects, share grid resources (CPUs, storage, services) and need federated identity management
Alternatives
• PAPI, created by RedIRIS (Spain)
  • inter-organizational access control, leaving authentication at the home organisation
  • interoperable with Shibboleth
  • see http://papi.rediris.es/
• A-Select, created by SURFnet (Netherlands)
  • framework where users can be authenticated by several means with Authentication Service Providers
  • see http://a-select.surfnet.nl/
Who uses Shibboleth in Europe?
• SWITCH-AAI in Switzerland
• HAKA in the Finnish research network
• Denmark is starting
• UK started pilots on Shibboleth
• DFN-AAI will become productive this year
• D-Grid (German Grid community) is partly using it already
• TERENA played a major role in raising awareness of FIdM and products like Shibboleth
  • TERENA Task Force EMC2 (European Middleware Coordination and Cooperation)
  • Sub-activity SCHAC for a common European schema
  • TERENA campus middleware workshops
References
• TERENA task forces: http://www.terena.nl/tech/index_middleware.html
• Good information resources at SWITCH-AAI: http://www.switch.ch/aai
• Internet2: http://middleware.internet2.edu and http://shibboleth.internet2.edu
Thank you for your attention!
QUESTIONS?
For later questions: [email protected]
DAASI International GmbH, http://www.daasi.de, [email protected]