Edugate Futures
Glenn Wearen, HEAnet.


  • Upload
    heanet

  • View
    265

  • Download
    1

Embed Size (px)

DESCRIPTION

12 Future directions Edugate could take

Page 1: Edugate Futures

Edugate

Glenn Wearen, HEAnet.

Page 2: Edugate Futures

Summary

1-year pilot project / 2 years in production

All Institutes of Technology (IoTs), universities and colleges, but only half of HEAnet’s members

Core service at some institutions but light use at others

Page 3: Edugate Futures
Page 4: Edugate Futures

So, where to now?

1. Extended Attribute Schema
2. Higher Identity Assurance
3. Strong Authentication
4. Account Provisioning
5. Cross institutional groups
6. New Identity Protocols
7. Statistics
8. Bilateral Trusts
9. Expansion beyond HEAnet
10. SSO for non-web applications
11. Aggregated identities
12. Logout

Page 5: Edugate Futures

1. Extended Attribute Schema

Students
• Do you have photos?
• Can I tell if a user is part-time/full-time?
• What course is the student pursuing?

Staff
• Cost-center code (for eProcurement)
• ResearcherID / AuthorID
• Availability calendar
• Telephone number

Page 6: Edugate Futures

2. Higher Identity Assurance

Would you use Edugate for eProcurement?
• On-campus (cross-charging for campus services)
• Shared procurement portal (Shannon Consortium Procurement Network)
• External suppliers (vikingdirect.ie / officedepot.ie)

Service Providers will seek assurance that the identity is of sufficient quality to underpin a cardless financial transaction.

Page 7: Edugate Futures

3. Strong Authentication

Passwords are the root of all e-vil
• Easily shared
• Easily forgotten
• Frequently exposed
• No common password policy
• Password changes not enforced

Page 8: Edugate Futures

3. Strong Authentication

SSO helps to eliminate passwords
• Consolidating onto a single (or single+1) credential allows for strong authentication
• 2-factor authentication / strong password policy

SSO systems can protect sensitive resources
• re-authentication
• ‘step-up’ authentication

Page 9: Edugate Futures

4. Account Provisioning

On-campus, provisioning is a minor problem, but for cloud/hosted/outsourced services provisioning is a significant problem.

Invitation systems require:
• the email address of every potential user (one-time URL)
• approval workflows (open URL)

Page 10: Edugate Futures

4. Account Provisioning

Bulk provisioning
• Handling of bulk files is a significant risk
• Out of sync almost immediately
• De-provisioning rarely handled
• Accounts created for users who might never log in

Page 11: Edugate Futures

4. Account Provisioning

Just-in-Time provisioning

Standards emerging:
• Simple Cloud Identity Management (SCIM; since renamed System for Cross-domain Identity Management)

But Service Providers are familiar with:
• LDAP: enter username/password, authenticate, query for attributes
• OAuth: enter user ID, authenticate, get token, query for attributes
• API: enter a user identifier, query for attributes, forever
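An added example (not Edugate or HEAnet code) of just-in-time provisioning in Python: attributes from a federated login are mapped onto a SCIM 2.0 User resource, the account is created on first login and refreshed on later ones, and a reconciliation pass flags the accounts that the bulk-file approach on the previous slide leaves behind (never logged in, no longer in the institution's population, or idle). The attribute names are eduPerson/inetOrgPerson, the SCIM resource shape follows RFC 7643, and the account store, sample attributes and timestamps are constructed for the example.

```python
"""Just-in-time (JIT) provisioning from federated attributes into a SCIM 2.0
User resource, with a reconciliation pass for the accounts bulk loads leave
behind.

Added example, not Edugate or HEAnet code. The SCIM User shape follows
RFC 7643; the incoming attribute names are eduPerson / inetOrgPerson; the
account store, the sample attributes and the timestamps are constructed.
"""
from datetime import datetime, timedelta, timezone

SCIM_USER_SCHEMA = "urn:ietf:params:scim:schemas:core:2.0:User"

# Constructed: attributes released in one user's SAML assertion.
SAMPLE_ATTRIBUTES = {
    "eduPersonPrincipalName": "jbloggs@example.ac.ie",
    "givenName": "Joe",
    "sn": "Bloggs",
    "mail": "joe.bloggs@example.ac.ie",
    "eduPersonAffiliation": ["member", "student"],
}


def scim_user_from_attributes(attrs):
    """Map released attributes onto a SCIM User for a JIT create or update.

    ePPN is the externalId: it is the stable, institution-scoped key the SP
    can correlate on. The SP assigns 'id' itself on creation.
    """
    eppn = attrs.get("eduPersonPrincipalName")
    if not eppn:
        raise ValueError("cannot provision without a stable identifier (ePPN)")
    return {
        "schemas": [SCIM_USER_SCHEMA],
        "externalId": eppn,
        "userName": eppn,
        "name": {"givenName": attrs.get("givenName", ""),
                 "familyName": attrs.get("sn", "")},
        "emails": [{"value": attrs["mail"], "primary": True}] if attrs.get("mail") else [],
        # Loss of the 'member' affiliation deactivates the account on next login.
        "active": "member" in attrs.get("eduPersonAffiliation", []),
    }


def jit_provision(store, attrs, now):
    """Create the account on first login; on later logins refresh attributes
    and record the login. Returns the stored record."""
    user = scim_user_from_attributes(attrs)
    key = user["externalId"]
    record = store.get(key)
    if record is None:
        record = {"user": user, "created": now, "last_login": now}
        store[key] = record
    else:
        record["user"] = user
        record["last_login"] = now
    return record


def stale_accounts(store, current_population, now, max_idle):
    """Reconcile the SP's account store against the IdP's current population.

    Returns externalIds grouped by why they need attention:
      gone       - no longer in the population feed (de-provision)
      never_used - created by a bulk load, never logged in
      idle       - not seen for longer than max_idle
    """
    report = {"gone": [], "never_used": [], "idle": []}
    for key, record in sorted(store.items()):
        if key not in current_population:
            report["gone"].append(key)
        elif record["last_login"] is None:
            report["never_used"].append(key)
        elif now - record["last_login"] > max_idle:
            report["idle"].append(key)
    return report


def demo():
    """Constructed scenario: one JIT user, two bulk-loaded users, one of whom
    has since left the institution. Returns (store, report)."""
    day0 = datetime(2013, 1, 14, 9, 0, tzinfo=timezone.utc)
    store = {}
    jit_provision(store, SAMPLE_ATTRIBUTES, day0)
    jit_provision(store, SAMPLE_ATTRIBUTES, day0 + timedelta(days=1))  # refresh, no duplicate
    # Bulk-loaded accounts: one never logged in, one belongs to a leaver.
    store["bulk1@example.ac.ie"] = {"user": {}, "created": day0, "last_login": None}
    store["left@example.ac.ie"] = {"user": {}, "created": day0,
                                   "last_login": day0 - timedelta(days=400)}
    population = {"jbloggs@example.ac.ie", "bulk1@example.ac.ie"}
    report = stale_accounts(store, population, day0 + timedelta(days=1), timedelta(days=180))
    return store, report
```

The JIT path only ever creates accounts for people who actually turn up, which removes the "accounts created for users who might never log in" problem by construction; the reconciliation pass is what you still need for the de-provisioning half, because nothing in a login-driven flow tells the SP that a user has left.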

Page 12: Edugate Futures

5. Cross institutional groups

Cross institutional/federation groups (Virtual Organisations)
• The Identity Provider doesn’t know all the collaborations or projects that a user participates in.
• This makes authorisation difficult for Service Providers (e.g. a project portal).

Page 13: Edugate Futures

5. Cross Institutional Groups

Establish an Edugate group repository:
• it can be queried by IdPs during the preparation of attributes for an assertion
• it can be queried by SPs, provided the repository has a user identifier
• Self-asserted group membership
• Group membership approvals or invitations
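As an added illustration (not Edugate or HEAnet code), the following Python sketches the IdP-side lookup described above: institutional attributes come from the campus directory, isMemberOf is resolved against a federation group repository at assertion time, and a per-SP release policy decides which attributes go out, which group namespace the SP may see, and whether self-asserted memberships are released at all. The directory entry, repository contents, group URNs, entity IDs and the policy format are all constructed for the example.

```python
"""IdP-side attribute preparation against a federation group repository.

Added example, not Edugate or HEAnet code. The campus directory entry, the
group repository and the per-SP release policy are constructed in-memory
tables for illustration; the attribute names are eduPerson and eduMember
(isMemberOf) names; the group URNs and SP entity IDs are made up.
"""

# Constructed: what the campus LDAP would return for one principal.
DIRECTORY = {
    "jbloggs@example.ac.ie": {
        "eduPersonPrincipalName": "jbloggs@example.ac.ie",
        "mail": "joe.bloggs@example.ac.ie",
        "eduPersonAffiliation": ["member", "staff"],
    },
}

# Constructed federation group repository: group -> {principal: how the
# membership was established}. Only "approved" (approval workflow completed
# or invitation accepted) is a membership the IdP can vouch for.
GROUP_REPOSITORY = {
    "urn:edugate:groups:project-x:members": {
        "jbloggs@example.ac.ie": "approved",
        "asmith@other.ac.ie": "pending",
    },
    "urn:edugate:groups:cycling-club": {
        "jbloggs@example.ac.ie": "self-asserted",
    },
}

# Constructed per-SP release policy (this example's own format): which
# attributes the SP gets, which group namespace it may see, and whether it
# is willing to consume self-asserted memberships.
RELEASE_POLICY = {
    "https://project-x.example.org/sp": {
        "attributes": ["eduPersonPrincipalName", "mail", "isMemberOf"],
        "group_prefix": "urn:edugate:groups:project-x:",
        "accept_self_asserted": False,
    },
    "https://social.example.org/sp": {
        "attributes": ["isMemberOf"],
        "group_prefix": "urn:edugate:groups:",
        "accept_self_asserted": True,
    },
}


def resolve_groups(principal, repository, accept_self_asserted):
    """Return the groups the repository lets the IdP assert for this principal.

    Pending memberships are never asserted; self-asserted ones only when the
    consuming SP has opted in to them.
    """
    groups = []
    for group, members in repository.items():
        status = members.get(principal)
        if status == "approved" or (status == "self-asserted" and accept_self_asserted):
            groups.append(group)
    return sorted(groups)


def prepare_attributes(principal, sp_entity_id, directory=DIRECTORY,
                       repository=GROUP_REPOSITORY, policy=RELEASE_POLICY):
    """Build the attribute set for an assertion to sp_entity_id.

    Institutional attributes come from the directory; isMemberOf is looked
    up in the group repository at assertion time, so the IdP does not need
    to know about every collaboration its users take part in.
    """
    rule = policy.get(sp_entity_id)
    if rule is None:
        # Default deny: an SP without a release policy gets nothing.
        raise PermissionError(f"no attribute release policy for {sp_entity_id}")
    person = directory.get(principal)
    if person is None:
        raise LookupError(f"unknown principal {principal}")

    attributes = dict(person)
    attributes["isMemberOf"] = [
        g for g in resolve_groups(principal, repository, rule["accept_self_asserted"])
        if g.startswith(rule["group_prefix"])
    ]
    # Release only what the policy names, and drop empty values so the SP
    # never receives an empty isMemberOf it might misread as "no groups".
    return {name: value for name, value in attributes.items()
            if name in rule["attributes"] and value}
```

The point of keeping the provenance of each membership in the repository is that a project portal making access decisions can be given only memberships someone approved, while a low-risk SP can opt in to self-asserted ones; the IdP applies that distinction at release time rather than the SP having to guess.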

Page 14: Edugate Futures

6. New Identity Protocols

OpenID Connect
• Addresses weaknesses and shortcomings of OpenID

OAuth2
• Allows retrieval of user data when the user is not present

WIF (Windows Identity Foundation; WS-Federation/WS-Trust)
• Predominant identity protocol stack for Microsoft services

Page 15: Edugate Futures

6. New Identity Protocols

Should Edugate add new protocols?
• Cost?
• Benefit?

Page 16: Edugate Futures

7. Statistics and Monitoring

Are my users able to access service X?

Why are my users accessing service Y?

How come I’ve no users from institution A?

Why are we so popular with institution B?

What is the most widely used Edugate service?

What is the least used service?

Is Edugate being used? or being used more?

Page 17: Edugate Futures

7. Statistics and Monitoring

Is IdP X up?

Are there high rates of attrition?

Are [staff|students] able to authenticate?
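The following added example (not Edugate or HEAnet code) shows how several of the questions above can be answered from IdP audit records with a little Python. The record format is this example's own pipe-delimited layout, and the log lines, entity IDs and principals are constructed; the federation's registered IdP and SP lists are passed in so that an SP with no logins at all, or an institution with no users at a given SP, shows up in the report instead of silently vanishing from the counts.

```python
"""Federation usage and availability statistics from IdP audit records.

Added example, not Edugate or HEAnet code. The record layout is this
example's own (pipe-delimited, one line per SSO attempt):
    timestamp|idp_entityid|sp_entityid|principal|authn_context|result
The log lines, entity IDs and principals are constructed.
"""
from collections import Counter, defaultdict
from dataclasses import dataclass


@dataclass(frozen=True)
class AuditRecord:
    ts: str
    idp: str
    sp: str
    principal: str
    authn_context: str
    result: str  # "success" or "failure"


IDP_A = "https://idp.inst-a.ie/idp/shibboleth"
IDP_B = "https://idp.inst-b.ie/idp/shibboleth"
IDP_C = "https://idp.inst-c.ie/idp/shibboleth"
SP_PORTAL = "https://portal.example.org/shibboleth"
SP_LIBRARY = "https://library.example.org/shibboleth"
SP_WIKI = "https://wiki.example.org/shibboleth"
PPT = "urn:oasis:names:tc:SAML:2.0:ac:classes:PasswordProtectedTransport"

# Constructed audit lines, including one corrupt line the parser must skip.
SAMPLE_LOG = f"""\
20130114T090102Z|{IDP_A}|{SP_PORTAL}|alice|{PPT}|success
20130114T090230Z|{IDP_A}|{SP_PORTAL}|bob|{PPT}|success
20130114T091500Z|{IDP_B}|{SP_PORTAL}|carol|{PPT}|success
20130114T092010Z|{IDP_B}|{SP_LIBRARY}|carol|{PPT}|success
20130114T093300Z|{IDP_C}|{SP_LIBRARY}|dave|{PPT}|failure
20130114T093301Z|{IDP_C}|{SP_LIBRARY}|dave|{PPT}|failure
20130114T101200Z|{IDP_A}|{SP_LIBRARY}|alice|{PPT}|success
this line is corrupt and is skipped
"""


def parse_audit(text):
    """Parse pipe-delimited audit lines; malformed lines are dropped, not fatal."""
    records = []
    for line in text.splitlines():
        fields = line.split("|")
        if len(fields) != 6:
            continue
        records.append(AuditRecord(*fields))
    return records


def usage_report(records, known_idps, known_sps):
    """Answer the questions on the statistics slides from a batch of records.

    known_idps / known_sps are the federation's registered entities, so that
    an SP with no logins at all, or an institution with no users at an SP,
    shows up rather than disappearing from the counts.
    """
    logins_per_sp = Counter({sp: 0 for sp in known_sps})
    users_by_sp_and_idp = defaultdict(lambda: defaultdict(set))
    outcomes_per_idp = {idp: Counter() for idp in known_idps}

    for r in records:
        outcomes_per_idp.setdefault(r.idp, Counter())[r.result] += 1
        if r.result != "success":
            continue
        logins_per_sp[r.sp] += 1
        users_by_sp_and_idp[r.sp][r.idp].add(r.principal)

    ranked = logins_per_sp.most_common()
    return {
        "logins_per_sp": dict(logins_per_sp),
        "most_used_sp": ranked[0][0] if ranked else None,
        "least_used_sp": ranked[-1][0] if ranked else None,
        # "How come I've no users from institution A?"
        "idps_with_no_users_per_sp": {
            sp: sorted(set(known_idps) - set(users_by_sp_and_idp[sp]))
            for sp in known_sps
        },
        # "Is IdP X up?" / "Are users able to authenticate?": IdPs seen only failing.
        "failing_idps": sorted(
            idp for idp, c in outcomes_per_idp.items()
            if c["failure"] and not c["success"]
        ),
        # IdPs with no records at all in the window: possibly down, possibly unused.
        "silent_idps": sorted(
            idp for idp, c in outcomes_per_idp.items() if sum(c.values()) == 0
        ),
    }
```

In a mesh federation these records live on each institution's IdP, so a federation-level answer needs either an aggregation feed from members or SP-side counterparts of the same queries; the shape of the analysis is the same either way.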

Page 18: Edugate Futures

8. Proliferation of bilateral trusts

There are 29 bilateral trusts in Edugate. Why don’t these services join Edugate?
• Maybe not required (single institution)
• Tender awarded, Edugate not in the tender
• SP not a legal entity

Google Apps, Millennium, Blackboard Learn.

Page 19: Edugate Futures

9. Expansion beyond HEAnet?

More identity providers will mean more service providers

• Private Colleges
• Health Services Sector (HSE / Hospitals / CPD)
• Industry Research Centers (Intel Labs / SFI participants)
• 2nd Level schools

Page 20: Edugate Futures

10. SSO for non-web

SAML works well within the browser, but outside the browser it requires client support

• Native client support: Outlook claims-based authentication
• Or, with Moonshot: common library support (GSS/SASL/SSPI)

Page 21: Edugate Futures

11. Aggregated identities

Institution holds validated identity data and enrollment status. This can be aggregated or augmented with self-asserted data from other sources:
• Social IDs (profile pictures, friends, interests)
• Group membership repository

Page 22: Edugate Futures

11. Aggregated identities

Facebook/Twitter/Google hold self-asserted identity data. This can be aggregated or augmented with verified user data from other sources

:-p

Page 23: Edugate Futures

12. Logout

Clicking on ‘Logout’: what should happen?
• Logout of the application, but the IdP session persists (local logout)
• Logout of the application, redirect to the IdP session-killer page (partial logout)
• Logout of the application, redirect to the IdP session-killer page, trigger logout of all services (global logout)

Page 24: Edugate Futures

12. Logout

Or should the SP force re-authentication at the IdP after the logout button has been used (if the IdP supports it; in SAML 2.0 the SP requests this by setting ForceAuthn="true" on its next AuthnRequest)?
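An added example (not Edugate or HEAnet code) tying together the re-authentication and ‘step-up’ options from section 3 with the forced re-authentication mentioned here, in Python using SAML 2.0 core elements: the SP sets ForceAuthn and RequestedAuthnContext on its AuthnRequest, decides from an assertion's AuthnInstant and AuthnContextClassRef whether to send the user back to the IdP before a sensitive action, and checks that an IdP asked to ForceAuthn actually did so rather than replaying its existing session. The entity IDs, sample assertion, session-age limit and the ranking of context classes are constructed for the example; signature and Conditions validation are out of scope here and would precede these checks in a real SP.

```python
"""Re-authentication and step-up between an SP and its IdP, in SAML 2.0 terms.

Added example, not Edugate or HEAnet code. It uses standard SAML 2.0
elements (ForceAuthn and RequestedAuthnContext on the AuthnRequest; the
AuthnStatement's AuthnInstant and AuthnContextClassRef in the Assertion).
The entity IDs, the sample assertion, the session-age limit and the
ranking of context classes are constructed for this example; a real SP
would verify the assertion's signature and Conditions before any of this.
"""
import xml.etree.ElementTree as ET
from datetime import datetime, timezone

SAMLP = "urn:oasis:names:tc:SAML:2.0:protocol"
SAML = "urn:oasis:names:tc:SAML:2.0:assertion"
PASSWORD_CTX = "urn:oasis:names:tc:SAML:2.0:ac:classes:PasswordProtectedTransport"
TOKEN_CTX = "urn:oasis:names:tc:SAML:2.0:ac:classes:TimeSyncToken"

# Assumed SP policy: which standard context classes count as stronger.
STRENGTH = {PASSWORD_CTX: 1, TOKEN_CTX: 2}


def _instant(value):
    # SAML dateTime in UTC without fractional seconds (assumption for this example).
    return datetime.strptime(value, "%Y-%m-%dT%H:%M:%SZ").replace(tzinfo=timezone.utc)


def build_authn_request(sp_entity_id, idp_sso_url, request_id, issue_instant,
                        force_authn=False, required_context=None):
    """Serialise an AuthnRequest. force_authn asks the IdP to re-authenticate
    even if it holds a session; required_context asks for at least that class."""
    ET.register_namespace("samlp", SAMLP)
    ET.register_namespace("saml", SAML)
    req = ET.Element(f"{{{SAMLP}}}AuthnRequest", {
        "ID": request_id,
        "Version": "2.0",
        "IssueInstant": issue_instant.strftime("%Y-%m-%dT%H:%M:%SZ"),
        "Destination": idp_sso_url,
    })
    if force_authn:
        req.set("ForceAuthn", "true")
    ET.SubElement(req, f"{{{SAML}}}Issuer").text = sp_entity_id
    if required_context:
        rac = ET.SubElement(req, f"{{{SAMLP}}}RequestedAuthnContext",
                            {"Comparison": "minimum"})
        ET.SubElement(rac, f"{{{SAML}}}AuthnContextClassRef").text = required_context
    return ET.tostring(req, encoding="unicode")


def authn_statement(assertion_xml):
    """Return (authn_instant, context_class) from the assertion's AuthnStatement."""
    root = ET.fromstring(assertion_xml)
    stmt = root.find(f"{{{SAML}}}AuthnStatement")
    ref = stmt.find(f"{{{SAML}}}AuthnContext/{{{SAML}}}AuthnContextClassRef")
    return _instant(stmt.get("AuthnInstant")), ref.text


def reauth_reasons(assertion_xml, now, max_age_hours, required_context):
    """Why the SP should send the user back to the IdP before a sensitive action.

    'stale': the IdP authenticated the user too long ago (re-authentication);
    'insufficient_context': the method used is weaker than required (step-up).
    """
    instant, ctx = authn_statement(assertion_xml)
    reasons = []
    if (now - instant).total_seconds() > max_age_hours * 3600:
        reasons.append("stale")
    if STRENGTH.get(ctx, 0) < STRENGTH.get(required_context, 0):
        reasons.append("insufficient_context")
    return reasons


def force_authn_honoured(assertion_xml, request_issue_instant):
    """After a ForceAuthn request the AuthnInstant must not predate the request;
    an IdP that ignored the flag hands back its old session's instant."""
    instant, _ = authn_statement(assertion_xml)
    return instant >= request_issue_instant


# Constructed sample: the IdP authenticated this user with a password at 01:00
# and is now (10:00) issuing a fresh assertion from that same session.
SAMPLE_NOW = datetime(2013, 1, 14, 10, 0, 0, tzinfo=timezone.utc)
SAMPLE_ASSERTION = f"""<saml:Assertion xmlns:saml="{SAML}" ID="_a1" Version="2.0"
    IssueInstant="2013-01-14T10:00:00Z">
  <saml:Issuer>https://idp.example.ac.ie/idp/shibboleth</saml:Issuer>
  <saml:AuthnStatement AuthnInstant="2013-01-14T01:00:00Z" SessionIndex="_s1">
    <saml:AuthnContext>
      <saml:AuthnContextClassRef>{PASSWORD_CTX}</saml:AuthnContextClassRef>
    </saml:AuthnContext>
  </saml:AuthnStatement>
</saml:Assertion>"""
```

The AuthnInstant check is the one practitioners tend to skip: ForceAuthn is a request, not a guarantee, and an SP that wants "logout means log in again" or a genuine step-up has to verify from the returned statement that the IdP did what was asked.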

Page 25: Edugate Futures

So, where to now?

1. Extended Attribute Schema
2. Higher Identity Assurance
3. Strong Authentication
4. Account Provisioning
5. Cross institutional groups
6. New Identity Protocols
7. Statistics
8. Bilateral Trusts
9. Expansion beyond HEAnet
10. SSO for non-web applications
11. Aggregated identities
12. Logout