
Post on 29-Jan-2016


University of Washington Identity and Access Management

IEEAF – RENU Network Design Workshop

Seattle - 29 Nov 2007

Lori Stevens, Director, Distributed Systems
Ian Taylor, Manager, Security Middleware
‘RL’ Bob Morgan, Architect
Anne Hopkins, Lead
Zephyr McLaughlin, Lead

Overview

IAM Mission and Scope
IAM Practices
UW IAM Service Set
International Collaboration in IAM
Q & A

IAM Mission

UW Mission: “preservation, advancement, dissemination of knowledge”; people-based processes, increasingly online

Identity management provides ... institutional means to know who can, should, and did access online (and physical) resources

IAM Scope

IAM supports the whole institution: teaching, research, outreach, healthcare, student life, alumni, collaborators, affiliates; local, regional, global

UW Identity and UW NetID Statistics
43,000 students at three campuses – Undergraduate, Graduate and Professional
Plus an Extension Enrollment of 27,000 more
28,000 Faculty and Staff
Two Medical Centers, Neighborhood Clinics, SCCA, etc.
K-20 network
385,000 Active UW NetIDs (11/28/07)

IAM Practices

One identity per person
Many affiliations per person
Not just people (applications, groups, roles, organizations, ...)
Manage entire identity lifecycle
Level of Assurance (LoA) varies depending on population and application needs

IAM Practices (cont.)

Compromise of credentials will happen

Business needs often must be balanced with compliance requirements

Identity theft is a serious problem

UW Identity and Access Management Service Set

Identity Management: Person Registry, UW NetID Service

Authentication: UW Kerberos Realm, UW Windows Infrastructure, Weblogin Service (Pubcookie / Shibboleth), SecurID, UW Certificate Authority

UW Identity and Access Management Service Set (cont.)

Authorization and Aggregation: ASTRA, Groups Service, Subscriptions

Enterprise Directory Services: Person Directory, Groups Directory, White Pages Directory

Federation

Use university identity for external service access; for web resources, using the SAML standard; Internet2 Shibboleth federation software widely deployed

R&HE Federations create trust communities: agree on standards, vet institutions, exchange keys. InCommon Federation in US; many national R&HE federations in Europe and Australia; global service providers (e.g. Elsevier, Microsoft) join; work starting on global interfederation

Other Identity Collaborations

eduroam: access to university wireless for HE visitors; 802.1x and RADIUS technology; deployed throughout Europe and Asia/Pacific

grid: supporting large e-science projects; X.509 technology; IGTF provides global linkage of grid CAs; work on linking grid access to SAML/Shib federation

Q & A

Thank you for your interest. We welcome your questions.
Lori Stevens, lrs@u.washington.edu
Ian Taylor, iant@u.washington.edu
Bob Morgan, rlmorgan@u.washington.edu
Anne Hopkins, annehop@u.washington.edu
Zephyr McLaughlin, zephyrmc@u.washington.edu

Shibboleth Flow Overview


1. User connects to resource

and is redirected to WAYF

2. User authenticates at his home organization

3. User gets authenticated and redirected to web server of resource

4. Attribute request – user is granted access to resource
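The four-step flow above, together with the federation practices on the earlier slides (trust community exchanges keys and vets IdPs; LoA varies by application; attributes decide access), as an added example that is not part of the UW slides. It is a toy simulation of the SP, WAYF and IdP sides of a Shibboleth/SAML login in Python: HMAC-SHA256 stands in for SAML XML signatures, and the entity IDs, keys, users and the `eduPersonScopedAffiliation` values are all invented sample data.

```python
# Added example, not from the UW slides: a toy simulation of the Shibboleth /
# SAML web-SSO flow (SP -> WAYF -> IdP -> SP), with federation-style key exchange,
# a signed assertion, level-of-assurance and scoped-attribute checks.
# HMAC-SHA256 stands in for SAML XML signatures; entity IDs, users and keys are invented.
import hashlib
import hmac
import json
import secrets
import time

# Federation metadata: the trust community vets IdPs and exchanges keys and scopes
# (constructed sample data).
FEDERATION_METADATA = {
    "https://idp.example.edu/shibboleth": {"key": b"idp-example-edu-key", "scope": "example.edu"},
    "https://idp.other.edu/shibboleth": {"key": b"idp-other-edu-key", "scope": "other.edu"},
}

class IdentityProvider:
    """Home organization: authenticates the user (step 2) and issues a signed assertion."""

    def __init__(self, entity_id, key, users):
        self.entity_id, self.key, self.users = entity_id, key, users

    def authenticate(self, username, password, audience, request_id):
        user = self.users.get(username)
        if user is None or not hmac.compare_digest(user["password"], password):
            return None  # no assertion is issued on a failed login
        payload = {
            "issuer": self.entity_id, "audience": audience, "in_response_to": request_id,
            "subject": username, "not_on_or_after": time.time() + 300,
            "loa": user["loa"], "attributes": user["attributes"],
        }
        body = json.dumps(payload, sort_keys=True).encode()
        return {"body": body, "sig": hmac.new(self.key, body, hashlib.sha256).hexdigest()}

class ServiceProvider:
    """The protected resource: starts the login (step 1) and consumes the response (steps 3-4)."""

    def __init__(self, entity_id, metadata, min_loa, required_affiliations):
        self.entity_id, self.metadata = entity_id, metadata
        self.min_loa, self.required_affiliations = min_loa, required_affiliations
        self.pending = {}  # outstanding request IDs, to reject unsolicited or replayed responses

    def start_login(self):
        request_id = secrets.token_hex(8)
        self.pending[request_id] = time.time()
        return {"redirect": "https://wayf.example.org/", "request_id": request_id, "sp": self.entity_id}

    def consume(self, response, now=None):
        now = time.time() if now is None else now
        if response is None:
            return (False, "authentication failed at IdP")
        payload = json.loads(response["body"])
        entry = self.metadata.get(payload["issuer"])
        if entry is None:
            return (False, "issuer not in federation metadata")
        expected = hmac.new(entry["key"], response["body"], hashlib.sha256).hexdigest()
        if not hmac.compare_digest(expected, response["sig"]):
            return (False, "bad signature")
        if payload["audience"] != self.entity_id:
            return (False, "assertion not addressed to this SP")
        if self.pending.pop(payload["in_response_to"], None) is None:
            return (False, "unsolicited or replayed response")
        if now >= payload["not_on_or_after"]:
            return (False, "assertion expired")
        if payload["loa"] < self.min_loa:
            return (False, "level of assurance too low")
        # Attribute request: only affiliations within the IdP's own federation scope count.
        affiliations = payload["attributes"].get("eduPersonScopedAffiliation", [])
        in_scope = {a for a in affiliations if a.split("@")[-1] == entry["scope"]}
        if not in_scope & self.required_affiliations:
            return (False, "no qualifying affiliation")
        return (True, payload["subject"])

def run_flow(sp, idps, chosen_idp, username, password):
    """Drive the four steps: SP redirect, WAYF choice, IdP login, SP attribute check."""
    req = sp.start_login()
    idp = idps.get(chosen_idp)  # the WAYF lets the user pick a home organization
    if idp is None:
        return (False, "unknown home organization")
    resp = idp.authenticate(username, password, req["sp"], req["request_id"])
    return sp.consume(resp)

# Constructed sample IdP and SP (plaintext passwords are for the toy only).
EXAMPLE_IDP = "https://idp.example.edu/shibboleth"
SAMPLE_IDPS = {EXAMPLE_IDP: IdentityProvider(EXAMPLE_IDP, FEDERATION_METADATA[EXAMPLE_IDP]["key"], {
    "alice": {"password": "correct horse", "loa": 2,
              "attributes": {"eduPersonScopedAffiliation": ["staff@example.edu"]}},
    "bob": {"password": "hunter2", "loa": 1,
            "attributes": {"eduPersonScopedAffiliation": ["student@example.edu"]}},
})}
SP = ServiceProvider("https://wiki.example.org/shibboleth", FEDERATION_METADATA, 2,
                     {"staff@example.edu", "member@example.edu"})
```

Calling `run_flow(SP, SAMPLE_IDPS, EXAMPLE_IDP, "alice", "correct horse")` returns `(True, "alice")`, while `bob` logs in successfully at the IdP but is refused by the SP because his LoA is below what the resource requires. The SP trusts only issuers present in the federation metadata, binds each response to a request it actually issued (so a replayed response is rejected), and counts only affiliations inside the issuing IdP's scope, which is what keeps one IdP from asserting membership in another institution.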

Shibboleth Demo

https://spaces.internet2.edu – Login via Shibboleth

http://www.switch.ch/aai/demo/expert.html – Excellent technical introduction
