1
InCommon Identity & Access Management Federation
John Krienke
Operations Manager, InCommon
Assistant Director, Internet2
2
The Partnership Challenge: Higher education’s
• Staff, students, and faculty are no longer located exclusively on campus
• Research and missions are increasingly complex, globally interdependent, and online
• Security and protection of personal identity information is paramount and increasingly regulated (FERPA, HIPAA, Gramm-Leach-Bliley, SOX, etc.)
• Business processes and applications are increasingly outsourced and/or distributed
– Digital collections and data
– Course materials and management
– Financial management
– Remote instrumentation
– Computational resources such as Grids
– Music, Software
– Travel resources
– Government resources
3
The Partnership Solution
• Develop solutions that efficiently use existing information infrastructures securely and safely
• Reduce the time and resources spent on all the “one off” requirements for each partner and streamline interoperation with each partner
• Reduce help desk calls and the number of user accounts to provision throughout our many partnerships
• Maximize the control, security, and privacy of personally identifiable, sensitive information
• Make online services richer, easier to use, and safer for students, faculty, and staff
This is what I/A/M federations do
4
Identity & Access Management Federations
• A definition of Federation: A collaboration of independent entities that give up a certain degree of autonomy to a central authority in pursuit of a common set of goals.
• Central Authority: Federations set common policies, interoperability criteria (vocabulary for exchanges, technology), and provide central services to establish and maintain trust (registration, authoritative metadata and certificates, dispute resolution)
• Common Set of Goals: Federations enable secure, trustworthy, scalable online partnerships
5
Examples of the Federation Spectrum
Homogeneous (vanilla) ↔ Heterogeneous (rocky road)
Centralized ↔ Independent
Conscription ↔ Subscription
Requirements ↔ Expectations ↔ Suggestions ↔ Declarations
High Cost ↔ Low Cost
eAuth (US) ↔ InCommon
6
Federating Software
• “When is a duet an orchestra?”
• Not all federated software supports multi-party federated collaboration.
[Photo: National Arts Centre Orchestra Gala 2007, CBC Radio]
7
Service IDs: The Challenging Way
[Diagram: Dr. Joe Oval, Psych Prof., keeps a separate account, password and copy of his personal data at every service]
• Home: Circle University (email address elided): Dr. Joe Oval, Psych Prof., SSN 456.78.910, Password #1
• Music Service: ID #4 j.o.123, Joe Oval, Psych Prof., DOB: 4/4/1955, Password #4
• Grant Admin Service: ID #2 Joval, Dr. Joe Oval, Psych Prof., SSN 456.78.910, Password #2
• Grading Service: ID #3 Jo456, Dr. Joe Oval, Psych Prof., Password #3
• ???? IT patch 1, IT patch 2, IT patch 3
8
Federated Way
[Diagram: Home: Circle University (email address elided) holds Dr. Joe Oval, Psych Prof., SSN 456.78.910, Password #1; the services receive an Anonymous ID# from Circle University instead of their own copy of his record]
1. Single Sign On
2. Services no longer manage user accounts & personal data stores
3. Reduced Help Desk load
4. Standards-based Technology
5. Home Org controls privacy
9
Role of the Federation
[Diagram: the Federated Way flow, with the attribute vocabulary Affiliation, EPPN, Given/SurName, Title, SSN exchanged between Circle University (ID # 123-321, Dr. Joe Oval, Psych Prof., SSN 456.78.910, Password #1) and the services; each party is marked “Verified by the Federation”]
1. Agreed upon Attribute Vocabulary & Definitions: Member of, Role, Unique Identifier, Courses, …
2. Criteria for IdM practices (user accounts, credentialing, etc.), personal information stewardship, interoperability standards, technologies
3. Digital Certificates
4. Trusted “notary” for all universities and partners
10
[Diagram: the same federated flow, each party “Verified by the Federation”]
Federation metadata
• University A: IdP: name, key, url, contacts, etc.; SP1: name, key, url, contacts, etc.; SP2: name, key, url, contacts, etc.
• University B: IdP: name, key, url, contacts, etc.; SP1: name, key, url, contacts, etc.
• University C: IdP: name, key, url, contacts, etc.
• Partner 1: SP1: name, key, url, contacts, etc.
• Partner 2: SP1: name, key, url, contacts, etc.; SP2: name, key, url, contacts, etc.
• Partner 3: …
Level of Assurance labels on the entries: bronze LoA, silver LoA, silver LoA, future
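Federation metadata is the trust list: a Service Provider accepts an assertion only from an IdP that the federation has registered, and only with the key published for it. The following is an added example, not InCommon's or Shibboleth's code, that parses a constructed SAML 2.0 metadata aggregate holding the per-entity fields named on the slide (name, key, url, contacts); the entityIDs, certificate text and contact address are placeholders.

```python
# Added example (not from the InCommon deck): parse a constructed federation metadata
# aggregate of the kind slide 10 describes and use it as an SP's trust list.
import xml.etree.ElementTree as ET

NS = {"md": "urn:oasis:names:tc:SAML:2.0:metadata",
      "ds": "http://www.w3.org/2000/09/xmldsig#"}

# Constructed sample aggregate; entityIDs, certificates and contacts are placeholders.
FEDERATION_METADATA = """<md:EntitiesDescriptor Name="urn:mace:example-federation"
    xmlns:md="urn:oasis:names:tc:SAML:2.0:metadata"
    xmlns:ds="http://www.w3.org/2000/09/xmldsig#">
  <md:EntityDescriptor entityID="https://idp.university-a.example/shibboleth">
    <md:IDPSSODescriptor protocolSupportEnumeration="urn:oasis:names:tc:SAML:2.0:protocol">
      <md:KeyDescriptor use="signing"><ds:KeyInfo><ds:X509Data>
        <ds:X509Certificate>PLACEHOLDER-CERT-A</ds:X509Certificate>
      </ds:X509Data></ds:KeyInfo></md:KeyDescriptor>
      <md:SingleSignOnService Binding="urn:oasis:names:tc:SAML:2.0:bindings:HTTP-Redirect"
          Location="https://idp.university-a.example/idp/profile/SAML2/Redirect/SSO"/>
    </md:IDPSSODescriptor>
    <md:ContactPerson contactType="technical"><md:EmailAddress>mailto:idp-admin@university-a.example</md:EmailAddress></md:ContactPerson>
  </md:EntityDescriptor>
  <md:EntityDescriptor entityID="https://sp1.partner-1.example/shibboleth">
    <md:SPSSODescriptor protocolSupportEnumeration="urn:oasis:names:tc:SAML:2.0:protocol">
      <md:KeyDescriptor><ds:KeyInfo><ds:X509Data>
        <ds:X509Certificate>PLACEHOLDER-CERT-SP1</ds:X509Certificate>
      </ds:X509Data></ds:KeyInfo></md:KeyDescriptor>
      <md:AssertionConsumerService Binding="urn:oasis:names:tc:SAML:2.0:bindings:HTTP-POST"
          Location="https://sp1.partner-1.example/Shibboleth.sso/SAML2/POST" index="0"/>
    </md:SPSSODescriptor>
  </md:EntityDescriptor>
</md:EntitiesDescriptor>"""

def load_federation(xml_text):
    """Map entityID -> role (IdP/SP), published certs, endpoint URLs and support contacts."""
    registry = {}
    for ent in ET.fromstring(xml_text).findall("md:EntityDescriptor", NS):
        idp = ent.find("md:IDPSSODescriptor", NS)
        desc = idp if idp is not None else ent.find("md:SPSSODescriptor", NS)
        registry[ent.get("entityID")] = {
            "role": "IdP" if idp is not None else "SP",
            "keys": [c.text.strip() for c in desc.findall(".//ds:X509Certificate", NS)],
            "endpoints": [e.get("Location") for e in desc
                          if e.tag.endswith("SingleSignOnService") or e.tag.endswith("AssertionConsumerService")],
            "contacts": [c.text for c in ent.findall("md:ContactPerson/md:EmailAddress", NS)],
        }
    return registry

def trusted_idp_keys(registry, issuer):
    """SP side: accept an assertion issuer only if it is a registered IdP; return its signing certs."""
    entry = registry.get(issuer)
    return entry["keys"] if entry is not None and entry["role"] == "IdP" else None
```

A real deployment also verifies the aggregate's own signature against the federation operator's key before trusting any entry in it.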
11
User Experience Flows
• First visit the SP, then the Federation WAYF (“Where Are You From” home organization discovery page)
– Wireless (UT System) [screencast]
• First visit the SP’s own customized WAYF
– ScienceDirect
– Spaces.internet2.edu Wikis
– OhioLINK
• First visit the IdP
– Penn State & WebAssign [screencast]
12
User Experience Flows
Multiple IdPs and SPs in Action: [screencast]
• Authentication vs. Authorization
• Federation WAYF
• Single Sign On to multiple services
• Anonymous Identifiers
• Clearing Sessions
• IdP to SP without a WAYF
13
The Value of InCommon: Broad Strokes
• Identity Providers (Home Institutions) control user accounts and the release (and spillage) of personal information
• Online services focus on their online resources and not on user account provisioning
• Users have easy, private, global access
• Partners have finely-tunable access controls and can quickly and securely deploy new collaborations and service relationships
14
The Value of InCommon: Detail
• Governance by a Representative Steering Committee establishes:
– Criteria for participation
– Policy and shared direction
– Services meet business needs with appropriate security levels and legal requirements
– Scalable operational standards and practices
• Legal Agreement
– Official Organizational Designees, Establishment of Trust, Conflict and Dispute Resolution, Basic Protections & Responsibilities
• Trust “Notary”
– InCommon verifies the identity of Organizations and their delegated Officers
• Trusted Metadata
– InCommon verifies & aggregates location and security data for each participant’s servers, systems, and support contacts
• Certificate Authority
– InCommon issues server certificates to Participants for secure communications
• Standards for Policies and Practices
– How high is the bar? Right now, each Participant decides. Participants self-declare their practices to other Participants. Coming soon: Optional Bronze and Silver Levels of Assurance (Audit Criteria)
• Technical Interoperability (Technical Advisory Committee)
– InCommon defines shared attributes, standards (SAML), federating software (Shibboleth+)
15
InCommon Governance
[Diagram: Internet2; InCommon LLC: Steering Committee, Representing Higher Ed & its Partners; Federation Operator; Technical Advisory Committee; Nominations Committee. The connecting arrows are labelled Direction, Direction, Candidate Approvals, Advice, Advice.]
16
Growth
[Chart: Growth, plotted monthly from Mar-05 through Jan-08; vertical axis 0 to 90]
17
78 Current InCommon Participants
Higher Education (54)
• Case Western Reserve University
• Clemson University
• Cornell University
• Dartmouth
• Duke University
• Florida State University
• Georgetown University
• Johns Hopkins University
• Indiana University
• Miami University
• Michigan State University
• New York University
• Northwestern University
• Ohio State University
• Ohio University
• Penn State University
• Stanford University
• Stony Brook University
• SUNY Buffalo
• Texas A & M University
• University of Alabama at Birmingham
• University of California, Davis
• University of California, Irvine
• University of California, Los Angeles
• University of California, Merced
• University of California, Office of the President
• University of California, Riverside
• University of California, San Diego
• University of Chicago
• University of Maryland
• University of Maryland Baltimore County
• University of Maryland, Baltimore
• University of Rochester
• University of Southern California
• University of Virginia
• University of Washington
• University of Wisconsin – Madison
• …..
Sponsored Partners (21)
• Apple – iTunes U
• Cdigix
• Cengage Learning (Formerly Thomson Learning)
• EBSCO Publishing
• Elsevier ScienceDirect
• Houston Academy of Medicine - Texas Medical Center Library
• Internet2
• JSTOR
• Microsoft
• NAS Recruitment Communications
• Nelnet – Next Generation Division
• OCLC
• OhioLink - The Ohio Library & Information Network
• ProtectNetwork
• RefWorks, LLC
• Students Only, Inc.
• SumTotal Systems
• Symplicity Corporation
• Turnitin
• University Tickets
• WebAssign
Gov. and Nonprofit Labs, Research Centers, and Agencies (3)
• National Institutes of Health
• Lawrence Berkeley National Laboratory
• Moss Landing Marine Laboratories
NEXT
• Libraries & their partners
• Student Services (Registrars, Financial Aid officers, others)
• U.S. Agencies:
– NIH (Libraries, Grants Administration, …)
– NSF (FastLane, …)
– Dept. of Education (Student Financial Aid, …)
• Federations on top of the InCommon Federation
– University Systems
– State & Regional Systems
– Coalitions organized around Networks, Grids, others…
18
Join or Create? Or Both?
University of California System creates UCTrust within InCommon
David Walker, UCOP
• Interoperability: UC's solution had to fit seamlessly into higher education's broader solution
• Not reinventing the wheel: policy, criteria, operations
• Not inventing new wheels: how will multiple federations interoperate?
19
Joining
Management Process
1. Eligibility: Higher Ed (accreditation) and Sponsored Partners (sponsors)
2. Agreement: InCommon Participation Agreement [PDF]:
– Delegating your trusted Executive
– Signed by an authorized representative of the organization
3. Pay Fees ($700 registration, $1,000 annual)
4. Federation I.D. Proofing of Executive, appointment of Admin
5. Privacy and Security Policies and Processes articulated, documented, and posted (Participant Operational Practices)
Technical Process
1. Official Organization Directory (Identity Management system)
2. Web Single Sign On (SSO)
3. Common Language: EduPerson schema
4. Federating Software: Shibboleth IdP and/or SPs
5. Federation I.D. Proofing of Admin
6. Submit Metadata, Certificate Signing Request, and POP URL
7. Install Certificate
8. Test with Partners and Attribute Release Policies
9. Deploy
10. Repeat steps 8 & 9
20
InCommon Benefit
• Federation enables communities to share information about individuals’ identity, reducing the overall work required to maintain connections and reduce the friction in cross-community interactions.
• Burton Group, Federating a Distributed World: Asserting Next-Generation Identity Standards
21
InCommon Benefit
• “To meet the increasing campus demand for using external applications and online resources, we developed and implemented solutions that efficiently use our existing information infrastructures securely and safely in such a way that we maintain control over the release of personal information for people at Penn State. InCommon is a vitally important part of this infrastructure and helps put us in a position to provide a richer, easier to use, safer online experience for Penn State students, faculty, and staff.” -Kevin Morooney, vice provost, Penn State University
• Scalability: Leverage your investments and your “next times”
23
Shibboleth Attribute-Based Authorization
[Diagram © SWITCH: Identity Provider (HS = Handle Service, User DB, AA = Attribute Authority), the WAYF, and the Resource Provider (Website, ACS, AR, Resource Manager, Resource)]
1. The user initiates a request to the Website at the Resource Provider.
2. ACS: “I don’t know you or your home organization. I redirect your request to the InCommon WAYF.”
3. WAYF: “Where are you from?”
4. WAYF: “OK, I will now redirect your request to your home org.”
5. HS: “I don’t know you. Please authenticate using your Web login.”
6. The user authenticates against the User DB with ID+Password.
7. HS: “OK, I know you now. I redirect your request to the Resource, along with a handle.”
8. ACS hands the handle to the AR: “I don’t know the attributes of this user. Let’s ask the Attribute Authority.”
9. AR sends the handle to the AA. AA: “I trust you. I’ll pass the attributes the user has allowed me to release.”
10. Attributes go to the Resource Manager: “OK, based on the attributes, I grant access to the resource.”
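The security property of steps 7 to 10 is that the service never sees a persistent account or the user's record: it receives an opaque handle, trades it for only the attributes the home organization's release policy allows for that service, and authorizes on those attributes. The following is an added model of that exchange, not code from the deck or from Shibboleth; the user record, entityIDs and release policy are constructed, reusing the slides' Joe Oval sample data.

```python
# Added example (not from the InCommon deck or Shibboleth): handle-based attribute
# release and authorization as drawn on slide 23. All names and values are constructed.
import secrets

# Home-org user store (constructed). The SSN and title never leave this dictionary
# unless a release policy names them; no policy below does.
USER_DB = {
    "joval": {"password": "Password #1", "eduPersonPrincipalName": "joval@circle.example",
              "eduPersonAffiliation": ["faculty", "member"], "givenName": "Joe", "sn": "Oval",
              "title": "Psych Prof.", "ssn": "456.78.910"},
}

# Attribute release policy keyed by requesting SP entityID (constructed): the home org
# decides per service what is released, which is how "Home Org controls privacy".
RELEASE_POLICY = {
    "https://grading.example/shibboleth": ["eduPersonPrincipalName", "eduPersonAffiliation"],
    "https://music.example/shibboleth": ["eduPersonAffiliation"],
}

class IdentityProvider:
    def __init__(self):
        self._handles = {}  # opaque handle -> local user id, known only to the IdP

    def handle_service(self, user_id, password):
        """Steps 5-7: authenticate with the Web login, then mint an opaque one-time handle."""
        user = USER_DB.get(user_id)
        if user is None or user["password"] != password:
            return None
        handle = secrets.token_urlsafe(16)  # reveals nothing about the user
        self._handles[handle] = user_id
        return handle

    def attribute_authority(self, handle, requester):
        """Step 9: resolve the handle once and release only what policy permits for this SP."""
        user_id = self._handles.pop(handle, None)  # single use: a replayed handle fails
        if user_id is None:
            return None
        allowed = RELEASE_POLICY.get(requester, [])
        return {k: v for k, v in USER_DB[user_id].items() if k in allowed}

def resource_manager(attributes, required_affiliation="faculty"):
    """Step 10: decide on attributes alone; the SP keeps no account or personal data store."""
    return attributes is not None and required_affiliation in attributes.get("eduPersonAffiliation", [])

def federated_access(idp, sp_entity_id, user_id, password):
    """Steps 7-10 from the SP's side: handle in, released attributes back, decision out."""
    handle = idp.handle_service(user_id, password)
    if handle is None:
        return False, None
    attrs = idp.attribute_authority(handle, sp_entity_id)
    return resource_manager(attrs), attrs
```

An SP not listed in the release policy receives an empty attribute set and is denied, which is the fail-closed behaviour a deployment should test for in step 8 of the joining process.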