In-Depth Theme - External Identities (moderator: Nathan Dors)

Post on 13-Jul-2020


TRANSCRIPT

IN-DEPTH THEME - EXTERNAL IDENTITIES

SPEAKER Warren Anderson, LIGO Scientific Collaboration
SPEAKER Jim Basney, University of Illinois at Urbana-Champaign
SPEAKER Karen Herrington, Virginia Polytechnic Institute and State University
SPEAKER Michael Domingues, University of Iowa
SPEAKER Christos Kanellopoulos, GÉANT
MODERATOR Nathan Dors, University of Washington

[ 2 ]

ABSTRACT - IN-DEPTH THEME - EXTERNAL IDENTITIES

Why do we differentiate digital identities as being “internal” or “external”? Is doing so driven by business need or technical constraints, or both? Identity federations like InCommon, eduGAIN, and eduroam are powerful tools for providing access to resources across organizations. But what's a campus or research organization to do about providing access to resources that aren't readily federated? A network share? A desktop computer? A building door?

This in-depth session will explore use cases, practices, and activities in the research and education community focused on solutions for external identities. Attendees will gain insights into how campuses, research organizations, and national and international working groups are shifting external identity architectures toward more choice and inclusion, while maintaining appropriate control and security. Demos and discussion will focus on understanding these solutions, and their benefits and impact.

[ 3 ]

CONTEXT - IN-DEPTH THEME - EXTERNAL IDENTITIES

● FIM4R paper
● InCommon - External Identities Working Group
● AARC - Design for Deploying Solutions for “Guest Identities”
● REFEDS - IdoLR WG
● FIM4R update

[ 4 ]

OBJECTIVES - IN-DEPTH THEME - EXTERNAL IDENTITIES

• Campus/institution - what would you like out of this session?
• Service providers -
• Research communities -
• E-infrastructure provider -
• Federation operator -
• Others -

[ 5 ]

AGENDA - EXTERNAL IDENTITIES

• Welcome
• Overview
• Karen Herrington - Who is “Us”?
• Michael Domingues - Invite-Based Identity Provisioning for External Collaborators
• Warren Anderson - External Identities for Research Virtual Organizations
• Jim Basney - CILogon 2.0 - Enabling research apps to use external IDs
• Christos Kanellopoulos - External Identities in AARC and GÉANT
• Discussion & Conclusions
• Adjourn

[ 6 ]

Who is “Us”?
The answers aren’t as easy as they used to be...
Karen Herrington
Director, Identity Strategy & Administration
Virginia Polytechnic Institute and State University

• Use Cases
• Solutions
• Drivers and Goals

[ 7 ]

Identity Use Cases at Virginia Tech

• Student applicants
• Ross and St. George Vet Med students, Wake Forest Biomedical students, Undergraduate researchers from other universities
• “Pre-hires” – Almost employees, but not quite
• Medical School faculty
• VT Cyber Range
• Advancement donors
• Scholarship sponsors
• Event attendees
• Shoppers at store-front applications

[ 8 ]

Solutions: Guest Management System

• In-house developed
• “Sponsored” – Guests invited via email
• Admissions and Parents
• Guest account is third-party email address
• Self-service account provisioning and password resets
• Entitlements for authorization
• Integration with Academic Works for access to Financial Aid awards
• Third-party email address made an odd eppn: @gmail.com@vt.edu
• Changes made to capture and assert VT ID Number
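The “odd eppn” on this slide hides a real parsing hazard. The following is an added example, not code from Virginia Tech's guest management system: it builds a guest eppn of the form <third-party e-mail>@vt.edu, shows that splitting the value on the first '@' reads the wrong scope, and applies the scope check a relying party should do (scope is the text after the rightmost '@'; the IdP entityID and the allowed-scope table are constructed for the example).

```python
"""Scoped identifiers built from third-party e-mail addresses.

Added example, not code from Virginia Tech's guest management system. A
guest eppn such as "jane@gmail.com@vt.edu" has an '@' inside its local
part, so any consumer that splits on the FIRST '@' reads the wrong scope.
Assumption: the scope of a scoped attribute is everything after the
rightmost '@' (check your SP's decoder). The IdP entityID and the
allowed-scope table below are constructed.
"""
from typing import Optional, Tuple


def split_scoped(value: str) -> Tuple[str, str]:
    """Return (local_part, scope) for a scoped attribute value.

    The scope is everything after the rightmost '@'; the local part may
    itself contain '@', which is exactly the guest-identity case.
    """
    if "@" not in value:
        raise ValueError(f"not a scoped value: {value!r}")
    local, scope = value.rsplit("@", 1)
    if not local or not scope:
        raise ValueError(f"malformed scoped value: {value!r}")
    return local, scope.lower()


def naive_split(value: str) -> Tuple[str, str]:
    """The bug this example is about: splitting on the first '@'."""
    local, scope = value.split("@", 1)
    return local, scope.lower()


# Constructed: which scopes each asserting IdP may use, as a SAML SP would
# derive from the shibmd:Scope elements in federation metadata.
ALLOWED_SCOPES = {
    "https://idp.vt.example/idp/shibboleth": {"vt.edu"},
}


def accept_eppn(issuer: str, eppn: str) -> Optional[str]:
    """Scope check: accept an eppn only if its scope belongs to the asserting IdP.

    This is what stops an IdP from asserting identifiers in someone else's
    scope. A guest eppn ending in @vt.edu passes; a bare gmail.com address
    asserted by the VT IdP is rejected because gmail.com is not VT's scope.
    Returns the normalised eppn, or None if rejected.
    """
    try:
        local, scope = split_scoped(eppn)
    except ValueError:
        return None
    if scope not in ALLOWED_SCOPES.get(issuer, set()):
        return None
    return f"{local}@{scope}"


def guest_eppn(email: str, home_scope: str) -> str:
    """Build the guest eppn the slide describes: <third-party e-mail>@<home scope>.

    The e-mail must contain exactly one '@'. Case is folded to get a stable
    key (assumption: the deployment treats e-mail addresses case-insensitively).
    """
    email = email.strip().lower()
    if email.count("@") != 1:
        raise ValueError(f"not a plain e-mail address: {email!r}")
    return f"{email}@{home_scope.lower()}"


if __name__ == "__main__":
    e = guest_eppn("Jane.Doe@Gmail.com", "vt.edu")
    print(e, split_scoped(e), naive_split(e))
```

The scope check is the part that matters for security: without it, any IdP in the federation could assert an identifier in another institution's scope, and a guest eppn with two '@' characters is exactly the kind of value that trips a consumer written for the single-'@' case.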

[ 9 ]

Solutions: Enterprise Directory Groups

• In-house developed Group Management System
• Web user interface and web service interface
• Central instantiation of groups with subsequent delegated management
• Wake Forest students maintained as a group by Biomedical Engineering
• Challenges
– Groups can only contain PIDs
– Some services rely only on affiliations for authorization – unaware of the group

[ 10 ]

Solutions: Zero-Pay Jobs

• Process distributed to department level
• Temporary, expiring jobs for new hires
• Allows for early setup of access
• Replaced by permanent job when hiring complete
• Triggers cleanup of access if hiring is not completed
• Can be a “pre-hire” more than once
• Renewable zero-pay jobs for Medical School faculty
• Allows entry and maintenance of identities by the authoritative entity

[ 11 ]

Solutions: Social Identities

• Examples: Google, Facebook, LinkedIn
• Enables reuse of existing identities
• Good fit for Advancement donors, Scholarship sponsors, Event attendees, Store-front shoppers
• Social-to-SAML gateway allows for integration into existing federated environment
• Allows flexibility in choosing identity to use
• Challenging to deal with different provider protocols and which ones are the popular providers at any point in time
• Little control over what identity information is captured

[ 12 ]

Drivers and Desired Goals

• Giving Non-traditional Students/Employees access to needed resources
– Email, Canvas, Library, Blacksburg Transit Bus, Labs
– Timely Provisioning

• Maintaining/Increasing VT’s security posture
– Appropriately establishing external identities in our identity management system
– Consistently deprovisioning access
– Reducing the number of unattended institutional accounts

[ 13 ]

Drivers and Desired Goals

• Enhancing the User Experience
– Desire to reuse identities
– Ease of onboarding

• Increasing efficiency, effectiveness of Business Processes
– Being financially competitive in attracting students
– Removing administrative burden of local account management

• Managing Customer Relationships more effectively
– Targeted marketing
– Student recruitment

[ 14 ]

Invite-Based Identity Provisioning for External Collaborators
Michael Domingues
Senior Application Developer
University of Iowa
michael-domingues@uiowa.edu

[ 15 ]

A Familiar Problem

“People need access to my institution’s resources!”

[ 16 ]

A Familiar Problem (Revised)

“People (not formally affiliated with my institution) need access to its resources!”

[ 17 ]

A Familiar Problem (Revised)

“People (not formally affiliated with my institution) need access to its resources!”

Who?What does this even mean?

How do we manage this access? What kinds of resources are we

talking about?

Why?

[ 18 ]

Approaches to A Familiar Problem

Local / Per-System Accounts
Hijack Existing Business Processes
Guest Account System / Separate Credential Store
Federation / Bring Your Own Credential

[ 19 ]

A Familiar Problem (Problematized)

“Anybody (not formally affiliated with my institution) needs access to any of its resources!”

What does this even mean?

How do we manage this access?

Why?

[ 20 ]

A Solution?

“Why don’t we just give anybody an account?”

[ 21 ]

A (Better) Solution?

“Why don’t we just let anybody create an identity?”

[ 22 ]

Background

University of Iowa
Enterprise Active Directory since 2002
Many distributed administrators
Large portfolio of internally developed applications
Central Identity Data Warehouse
One institutional credential to rule them all … for institutional people

[ 23 ]

Project Methodology

Approached by Research Services
Met with wide variety of campus constituencies
Identified common requirements and use-cases
Designed and built solution API First

[ 24 ]

Solution Requirements

Able to capture customized set of demographic information
Supports multiple interaction modalities
Tracks sponsorship information
Creates and flows full identities in real-time
Integrates with existing access management processes

[ 25 ]

Claims

People need access to sets of resources
Non-traditional users defy traditional categorization
Many lack educational affiliation
Relationships change over time
Functional hurdles will be overcome
UX matters (a lot)

[ 26 ]

[ 27 ]

Demo

[ 28 ]

Conclusion

By bringing “external” identities directly into your IAM platforms as first-class citizens, you can provide the power and flexibility of your existing identity and access management solutions to anybody.
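The Iowa requirements (sponsorship tracking, identities created in real time, integration with access management) and the Virginia Tech slides on sponsored guest invitations, renewable zero-pay jobs and consistent deprovisioning describe one lifecycle. The following is an added example written to illustrate that lifecycle; it is not the University of Iowa or Virginia Tech implementation. A sponsor invites a guest by e-mail, the guest redeems a single-use, expiring invitation with the address it was sent to, an identity record is created with its sponsor recorded, the sponsor can renew, and a sweep deprovisions lapsed sponsorships. Lifetimes, field names and the in-memory store are assumptions.

```python
"""Invite-based provisioning of sponsored external identities.

Added example, not the University of Iowa or Virginia Tech implementation.
Models: sponsor invites guest -> guest redeems single-use, expiring token
with the invited address -> identity created in real time with sponsor and
entitlements -> sponsorship renewable by the sponsor only -> lapsed
sponsorships deprovisioned by a sweep. Lifetimes, field names and the
in-memory store are assumptions.
"""
import hashlib
import secrets
import time
from dataclasses import dataclass
from typing import Callable, Dict, List, Optional

INVITE_TTL = 7 * 24 * 3600      # assumed: an invitation is valid for a week
SPONSOR_TTL = 180 * 24 * 3600   # assumed: sponsorship must be renewed every 180 days


@dataclass
class Invitation:
    invitee_email: str
    sponsor: str
    entitlements: List[str]
    expires_at: float
    redeemed: bool = False


@dataclass
class ExternalIdentity:
    uid: str                 # the guest's third-party e-mail address, as on the VT slide
    sponsor: str
    entitlements: List[str]
    sponsored_until: float
    active: bool = True


class GuestRegistry:
    """In-memory stand-in for the IAM store; `now` is injectable for testing."""

    def __init__(self, now: Callable[[], float] = time.time) -> None:
        self.now = now
        self.invites: Dict[str, Invitation] = {}      # keyed by token hash
        self.identities: Dict[str, ExternalIdentity] = {}

    @staticmethod
    def _token_hash(token: str) -> str:
        # Store only a hash: a dump of the invite table does not yield usable links.
        return hashlib.sha256(token.encode()).hexdigest()

    def invite(self, invitee_email: str, sponsor: str, entitlements: List[str]) -> str:
        """Record a sponsored invitation and return the one-time token to e-mail out."""
        token = secrets.token_urlsafe(32)
        self.invites[self._token_hash(token)] = Invitation(
            invitee_email=invitee_email.strip().lower(),
            sponsor=sponsor,
            entitlements=list(entitlements),
            expires_at=self.now() + INVITE_TTL,
        )
        return token

    def redeem(self, token: str, login_email: str) -> Optional[ExternalIdentity]:
        """Redeem an invitation using the address the guest just authenticated with.

        Rejects unknown, already-used or expired tokens, and tokens presented by
        an address other than the invited one (a forwarded link is not enough).
        """
        inv = self.invites.get(self._token_hash(token))
        if inv is None or inv.redeemed or self.now() > inv.expires_at:
            return None
        if inv.invitee_email != login_email.strip().lower():
            return None
        inv.redeemed = True
        ident = ExternalIdentity(
            uid=inv.invitee_email,
            sponsor=inv.sponsor,
            entitlements=list(inv.entitlements),
            sponsored_until=self.now() + SPONSOR_TTL,
        )
        self.identities[ident.uid] = ident
        return ident

    def renew(self, uid: str, sponsor: str) -> bool:
        """Only the recorded sponsor may extend the sponsorship (renewable zero-pay job)."""
        ident = self.identities.get(uid)
        if ident is None or ident.sponsor != sponsor:
            return False
        ident.sponsored_until = self.now() + SPONSOR_TTL
        ident.active = True
        return True

    def deprovision_expired(self) -> List[str]:
        """Periodic sweep: deactivate identities whose sponsorship has lapsed."""
        lapsed = [i.uid for i in self.identities.values()
                  if i.active and self.now() > i.sponsored_until]
        for uid in lapsed:
            self.identities[uid].active = False
        return lapsed

    def entitlements_for(self, uid: str) -> List[str]:
        """What authorization should see: nothing for an inactive identity."""
        ident = self.identities.get(uid)
        return list(ident.entitlements) if ident and ident.active else []
```

Two design choices carry the security weight: the invitation is bound to the invited address and checked against the address the guest actually authenticated with, so a leaked or forwarded link does not let a different person claim the sponsorship; and access is tied to a sponsorship with an expiry rather than to the existence of the account, which is what makes deprovisioning consistent instead of depending on someone remembering to remove the guest.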

[ 29 ]

External Identities for Research Virtual Organizations Laser Interferometer Gravitational-wave Observatory (LIGO)

Warren Anderson - IAM Lead, LIGO Scientific Collaboration

• LIGO as an example of a Research VO• Why LIGO has primarily used internal identities for the last decade• Federated identities in LIGO’s future.

[ 30 ]

What is LIGO?

[ 31 ]

What is LIGO?

[ 32 ]

What is LIGO?

• 1600+ Scientists, researchers, and students
• 110+ Research institutions
• 22 Countries
• 5+ dedicated data processing centers (10,000’s cores)
• 120+ Shibboleth SPs
– 44 SP admins
– 18 hosting institutions
• 6 authentication technologies
– Kerberos, Shibboleth, OAuth2, grid certs, ssh keys, physical tokens (YubiKey)

[ 33 ]

LIGO IAM Past

• Dedicated effort since 2007 (a decade into the experiment)
• Decided to exclusively use internal identities because:
– Not enough LIGO member institutions had federated IdPs
– No readily available IdP of last resort
– Insufficient interfederation via eduGAIN or other means
– Not enough LIGO member institutions release identifying attributes
– No framework for security for federated identities.

• However, MOUs with 700 external (non-LIGO) scientists
– collaboration resources managed on gw-astronomy.org by UWM and LIGO
– federate identity exclusively for non-LIGO collaborators using COmanage
– Access to wikis, mailing lists, file sharing, event databases, etc

[ 34 ]

LIGO Federated Future

• LIGO has made a commitment to the National Science Foundation to start using federated identities within the next four years.

– Not enough LIGO member institutions had federated IdPs
• 95% of US LIGO members at InCommon participant institutions

– No readily available IdP of last resort
• Free (CILogon, UnitedID) and paid (Cirrus - works for China?)

– Insufficient interfederation via eduGAIN or other means
• 93% of LIGO nations in eduGAIN

– Not enough LIGO member institutions release identifying attributes
• IdP/SP Proxy (SaToSa from SUNET?)

– No framework for security for federated identities.
• SIRTFI adoption gaining ground

• LIGO Management has circulated an open letter supporting federated ID

[ 35 ]

CILogon 2.0 — Enabling research apps to use external IDs
Jim Basney
Senior Research Scientist, NCSA Security
University of Illinois at Urbana-Champaign

• Experiences working with virtual organizations (VOs)• What's working? What are the challenges?

[ 36 ]

Identity Providers of Last Resort

[ 37 ]

Sign in with ORCID

[ 38 ]

Multitude of app integration needs

[Diagram: CILogon 2.0 components and integrations. Identity sources: InCommon IdP, eduGAIN IdP, Google IdP, ORCID (via OAuth SP). CILogon front ends: SAML SP, OIDC SP, Register. CILogon services offered to Science Apps: OIDC Provider, SAML AA, X.509 CA backed by an HSM, LDAP, MFA (OATH). COmanage holds Identities, MFA Tokens, SSH Keys, Groups and Attributes.]

[ 39 ]

Attributes from campus, VO, ORCID

[ 40 ]

For more info about CILogon

www.cilogon.org

info@cilogon.org

jbasney@ncsa.illinois.edu

We hope to hear from you!

[ 41 ]

External Identities in AARC and GÉANT

Christos Kanellopoulos
Project Development Officer
GÉANT

• What is AARC?
• Context: International Research Collaborations
• The AARC Blueprint Architecture
• Proxies, proxies, proxies…
• External identities
• eduTEAMS Identity Hub

[ 42 ]

The AARC project

• Two + two year EC-funded project

• 20 partners (NRENs, e-Infrastructure providers and Libraries as equal partners)

• About 3M euro budget

• May 2015-2017 (2nd edition 2017-2019)

• https://aarc-project.eu

Authentication and Authorisation for Research and Collaboration

[ 43 ]

International Research Collaborations

• Users should be able to access all the services using the credentials from their Home Organizations when available.

• Secure integration of guest identity solutions and support for stronger authentication mechanisms when needed.

• Access to the various services should be granted based on the role(s) the users have within the collaboration.

• Users should have persistent identities across all community services when needed.

• Ease of use for users and service providers. The complexity of multiple IdPs/Federations/Attribute Authorities/technologies should be hidden.


[ 45 ]

AARC Blueprint Architecture
Enabling an ecosystem of solutions on top of eduGAIN

o A Blueprint Architecture for authentication and authorization

o A set of architectural and policy building blocks on top of eduGAIN

o eduGAIN and the Identity Federations

o A solid foundation for federated access in Research and Education

[ 46 ]

AARC Blueprint Architecture
https://aarc-project.eu/architecture/
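The proxy is the building block that the AARC Blueprint Architecture, the eduTEAMS Identity Hub and the “IdP/SP Proxy” on the LIGO slide all rely on: the community authenticates users at their home IdP (or a social or guest IdP), then issues its own identity and role assertions to the community's services. The following is an added example of that translation step; it is not SaToSa, eduTEAMS, CILogon or COmanage code, and the upstream assertions, membership table, community key, service policy and attribute names are all constructed for the example.

```python
"""Community AAI proxy: one upstream login, one community identity, role-based access.

Added example of the proxy pattern behind the AARC Blueprint Architecture and
the LIGO "IdP/SP proxy" slide. Not SaToSa, eduTEAMS, CILogon or COmanage
code; every table, key and attribute name below is constructed.
"""
import hashlib
import hmac
from typing import Any, Dict, List, Optional, Set, Tuple

# Assumption: each community holds its own secret, so the pseudonym it issues
# is stable across all of that community's services but cannot be correlated
# by another community or by the upstream IdP.
COMMUNITY_KEY = b"example-community-pseudonym-key"
COMMUNITY_SCOPE = "community.example"

# Constructed membership registry (the COmanage role in the diagrams), keyed by
# upstream issuer and the subject that issuer asserts. A Google login is only
# useful once the community has linked it to a member record.
MEMBERSHIP: Dict[Tuple[str, str], Dict[str, Any]] = {
    ("https://idp.uni-a.example/idp", "persistent-4711"): {
        "name": "A. Researcher", "roles": ["member", "data-analyst"]},
    ("https://accounts.google.com", "118000000000000000001"): {
        "name": "B. Collaborator", "roles": ["member"]},
}

# Constructed per-service policy: roles, any of which grants access to the service.
SERVICE_POLICY: Dict[str, Set[str]] = {
    "wiki": {"member"},
    "data-archive": {"data-analyst"},
}


def community_id(issuer: str, subject: str) -> str:
    """Stable, community-scoped pseudonymous identifier for an upstream subject."""
    digest = hmac.new(COMMUNITY_KEY, f"{issuer}!{subject}".encode(), hashlib.sha256)
    return f"{digest.hexdigest()[:32]}@{COMMUNITY_SCOPE}"


def proxy(upstream: Dict[str, str], service: str) -> Optional[Dict[str, Any]]:
    """Translate an upstream assertion into the assertion a community service sees.

    Returns None when the user authenticated but is not a community member, or
    holds no role the service accepts. An attribute the home IdP did not
    release (here the display name) is filled in from the community's own
    records, which is the attribute-release problem the LIGO slide names.
    """
    key = (upstream["issuer"], upstream["subject"])
    member = MEMBERSHIP.get(key)
    if member is None:
        return None
    roles: List[str] = sorted(member["roles"])
    if not SERVICE_POLICY.get(service, set()) & set(roles):
        return None
    return {
        "sub": community_id(*key),
        "roles": roles,
        "displayName": upstream.get("displayName") or member["name"],
        "upstream_issuer": upstream["issuer"],
    }


if __name__ == "__main__":
    print(proxy({"issuer": "https://idp.uni-a.example/idp",
                 "subject": "persistent-4711"}, "data-archive"))
```

The services behind the proxy never see the upstream identifier and never have to know which of the many IdPs, federations or social providers the user came from; they see one community-scoped subject plus roles, which is what lets a service enforce “access based on the role(s) the user has within the collaboration”.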

[ 47 ]

Many implementations...

[ 48 ]

So, what are external identities?

[ 49 ]

So, what are external identities?

Depends on where one stands...

[ 50 ]

So, what are external identities?

Depends on where one stands...

[Diagram: seen from eduGAIN / Federations / Campuses, the external identities are Social IDs, eGov IDs, Community managed / IGTF, and Commercial.]

[ 51 ]

So, what are external identities?

Depends on where one stands...

[Diagram: seen from a Research Collaboration, the external identities are Social IDs, eGov IDs, Community managed / IGTF, Commercial, and eduGAIN.]

[ 52 ]

GÉANT eduTEAMS: Identity Hub

[Diagram: eduTEAMS architecture. Identity Hub in front of the Membership Management component (COmanage v2.0) with REST AA and SAML AA attribute authorities; groups of SPs behind the Identity Hub, and further groups of SPs behind an Infrastructure AAI proxy.]

[ 53 ]

DISCUSSION & CONCLUSIONS - IN-DEPTH THEME - EXTERNAL IDENTITIES

Thank you, presenters and attendees!
