Federated Identity: What It Brings to Open Government
Dr Ken Klingenstein, Director, Internet2 Middleware and Security
Topics
• The State of Federated Identity
  • Growth
  • Interfederation
  • The emergence of privacy managers and trust-based transparency
  • The Attribute Ecosystem and the Tao of Attributes
• What it brings to Open Government
  • Consistency of implementations
  • Key constituencies
  • Multiple and flexible LOA
  • Roles
  • Privacy and attributes
  • Collaboration
A bit of background
• Internet identity work began in 2000 in the R&E sector
• Spread quickly into the corporate sector via OASIS standards processes
• Corporate use cases limited to bi-lateral relationships
• R&E sector carried on multi-lateral federation work
• Created SAML, Shibboleth, InCommon, etc
• Widespread deployments began 2004-5 with exponential growth
• Building federations and trust is more work than developing protocols
Growth of Federated Identity
• InCommon continues exponential growth: greater than 4M users, 200 major universities, research centers, and companies
• Internationally, growth is even more rapid; 25+ countries representing > 100M users
• A typical organization (Penn State) does 700,000 transactions a day with trust based on InCommon; reduces help desk cost by 85%
• Used for financial transactions, scholarly content access, access to national scientific resources, collaboration tools, social networking, etc.
Federation Soup
• Many US federations
  • InCommon at the national R&E level
  • UCTrust, Texas, CIC federation, etc at system and association level
  • NCTrust, NJEdge, etc at comprehensive state levels
• Consistent in policies and technologies; diverse in communities served, standard attributes, etc.
Interfederation
• Connecting autonomous federations
• Critical for global scaling, accommodating state and local federations, integration across vertical sectors
• Has technical, financial and policy dimensions
• Elegant technical solution being developed in the eduGAIN project of Geant
• Policy activities in Kalmar2 Union, Kantara, Terena
MDX – metadata exchange protocol
• Institutions and organizations will pick a registrar to give their metadata to
• Institutions and organizations will pick an aggregator (or several) to get their partners' metadata from
• Aggregators exchange metadata with each other and with registrars
• If this sounds like DNS registration and routing, it is, one layer up
• In the land of data, metadata is king; imagine many new kinds of metadata
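The registrar/aggregator split on this slide is easiest to see with a small model. The following is an added example, not code from the presentation or from any MDX implementation: each registrar publishes a bundle of entity records under its own key (an HMAC stands in for the XML signature real SAML metadata carries), and an aggregator accepts bundles only from registrars it trusts, verifies them, and refuses a second registrar's claim on an entityID that is already registered, which is the conflict interfederation has to handle rather than silently overwrite. The registrar names, keys and entityIDs are constructed for illustration.

```python
import hashlib
import hmac
import json

# Constructed registrar keys. In a real federation these would be the
# registrars' signing certificates distributed out of band.
REGISTRAR_KEYS = {
    "registrar.example-federation-a": b"constructed-key-a",
    "registrar.example-federation-b": b"constructed-key-b",
}


def sign_bundle(registrar, entities):
    """Registrar side: publish a keyed bundle of entity metadata records."""
    body = json.dumps({"registrar": registrar, "entities": entities}, sort_keys=True)
    tag = hmac.new(REGISTRAR_KEYS[registrar], body.encode(), hashlib.sha256).hexdigest()
    return {"body": body, "tag": tag}


class Aggregator:
    """Aggregator side: merge trusted registrars' bundles, answer per-entity queries."""

    def __init__(self, trusted_registrars):
        self.trusted = dict(trusted_registrars)  # registrar name -> key
        self.entities = {}   # entityID -> (registrar of record, record)
        self.rejected = []   # (subject, reason) for audit

    def ingest(self, bundle):
        body = json.loads(bundle["body"])
        registrar = body["registrar"]
        if registrar not in self.trusted:
            self.rejected.append((registrar, "untrusted registrar"))
            return
        expected = hmac.new(self.trusted[registrar], bundle["body"].encode(),
                            hashlib.sha256).hexdigest()
        if not hmac.compare_digest(expected, bundle["tag"]):
            # Body no longer matches the registrar's tag: tampered or corrupted.
            self.rejected.append((registrar, "bad signature"))
            return
        for rec in body["entities"]:
            eid = rec["entityID"]
            # Exactly one registrar of record per entityID; a competing claim
            # is logged and dropped, never allowed to replace the first.
            if eid in self.entities and self.entities[eid][0] != registrar:
                self.rejected.append((eid, f"already registered by {self.entities[eid][0]}"))
                continue
            self.entities[eid] = (registrar, rec)

    def lookup(self, entity_id):
        """The MDX-style query: one entityID, not the whole aggregate."""
        hit = self.entities.get(entity_id)
        return None if hit is None else hit[1]


def demo():
    """Constructed scenario: two registrars, one conflicting entityID, one tampered bundle."""
    agg = Aggregator(REGISTRAR_KEYS)
    agg.ingest(sign_bundle("registrar.example-federation-a", [
        {"entityID": "https://idp.university-a.example/idp", "role": "IDPSSODescriptor"},
        {"entityID": "https://sp.grants.example/sp", "role": "SPSSODescriptor"},
    ]))
    agg.ingest(sign_bundle("registrar.example-federation-b", [
        {"entityID": "https://idp.university-b.example/idp", "role": "IDPSSODescriptor"},
        # Same SP already registered with federation A: must be rejected.
        {"entityID": "https://sp.grants.example/sp", "role": "SPSSODescriptor"},
    ]))
    tampered = sign_bundle("registrar.example-federation-b", [
        {"entityID": "https://idp.university-b.example/idp", "role": "IDPSSODescriptor"},
    ])
    # Body edited after signing, so the tag no longer verifies.
    tampered["body"] = tampered["body"].replace("university-b", "university-x")
    agg.ingest(tampered)
    return agg


if __name__ == "__main__":
    a = demo()
    print(len(a.entities), "entities accepted;", a.rejected)
```

Relying parties would then call `lookup` for the entityID of the partner they are about to trust; what they get back is a record whose registrar of record is known and whose bundle verified, which is the property the DNS analogy on the slide is pointing at.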
Trust, Identity and the Internet
• Acknowledges the assumptions of the original protocols about the fine nature of our friends on the Internet, and the subsequent realities
• http://www.isoc.org/isoc/mission/initiative/trust.shtml
• ISOC initiative to introduce trust and identity-leveraged capabilities to many RFC's and protocols
• First target area is DKIM; subsequent targets include SIP and firewall traversal (trust-mediated transparency)
The Attribute Ecosystem
• Authentication is very important, but identity is just one of many attributes
• And attributes provide scalable access control, privacy, customization, linked identities, federated roles and more
• We now have our first transport mechanisms to move attributes around – SAML and federations
• There will be many sources of attributes, many consumers of attributes, query languages and other transport mechanisms
• Together, this attribute ecosystem is the "access control" layer of the Internet
Attribute use cases are rapidly emerging
• Disaster "first responders": attributes and qualifications, dynamically
• Access-ability use cases
• Public input processes – anonymous but qualified respondents
• Grid relying parties aggregating VO and campus attributes
• The "IEEE" problem
• The "over legal age" use case, and the difference in legal ages
• Self-asserted attributes – friend, interests, preferences, etc
Key Issues
• Attribute aggregation
• Metadata of attributes, LOA, etc
• Sources of authority and delegation
• Schema management, mapping, etc
• User interface
• Privacy and legal issues
The Tao of Attributes workshop 属性之道
• Purpose of the workshop was to start exploring the federal use case requirements for attributes, aggregation, sources of authority, delegation, query languages, etc.
• Participants were the best and brightest – the folks who invented LDAP, SAML, OpenID, etc.
• Webcast at http://videocast.nih.gov/PastEvents.asp
• Twittered at TAOA
• http://middleware.internet2.edu/tao-of-attributes/
What Federated Identity Delivers
• Consistency of implementations
• Key constituencies
• Roles
• Multiple and flexible LOA
• Privacy and attributes
• Collaboration
Consistency of implementations
• SAML 2.0 is a heavily-referenced and widely implemented OASIS standard
• Metadata format (a la Shibboleth) is a standard
• Interoperability among federations is well-established
Key constituencies served
• Researchers, graduate students, etc
• Research administration, management, etc
• Students, patients, etc
• Note that coverage in each of these constituencies is 100% – all organizational identities in a federation are federated
• Unaffiliated and general public via "homes for the homeless" providers, on a free or paid basis – eg UK, Denmark, ProtectNetwork, etc
Multiple and Flexible LOA
• LOA 1 – 4 all readily available (LOA 1 username/password to LOA 4 with holder of key)
• Federated two-factor authentication (LOA 3) is a VERY powerful concept; work now starting on approaches, leveraging new NIST standards
• Privacy and secrecy are valuable by-products of the architecture
Roles
• Scaling is based on roles, not identity
• Roles are flexible and dynamic – PI, admin, collabmin, etc
• Roles provide opportunities to offload NIH of administrative burdens in tracking changes
• Audit controls provided by institution
Privacy and attributes
• Attributes are the real win – for fine-grain access control, for privacy, for secrecy
• Permit access control decisions to be made at relying party or at identity provider (entitlements)
• Can deliver identity, opaque identifiers, non-correlating identifiers, etc
• EU guidelines on privacy are more nuanced than the US
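The two preceding slides, Roles and Privacy and attributes, describe what an identity provider can release instead of a name: a non-correlating identifier plus entitlements derived from institutional roles, so the relying party can make its access decision without ever learning who the user is. The following is an added example, not code from the presentation or from any federation software. It derives a per-relying-party targeted identifier with an HMAC over the local user id and the relying party's entityID under a secret salt held only at the identity provider (the same idea as a SAML persistent NameID), maps roles to entitlement values, and shows the relying-party check keyed only on the entitlement. The attribute names eduPersonTargetedID and eduPersonEntitlement are from the eduPerson schema; the users, roles, salt and entitlement URIs are constructed for illustration.

```python
import hashlib
import hmac

# Constructed secret, kept only at the identity provider and never released.
IDP_SALT = b"constructed-idp-secret-salt"

# Constructed campus directory: local id -> roles and identifying attributes.
DIRECTORY = {
    "jdoe": {"roles": {"faculty", "pi"}, "email": "jdoe@university.example"},
    "asmith": {"roles": {"student"}, "email": "asmith@university.example"},
}

# Constructed mapping from institutional roles to entitlement URIs. The relying
# party keys decisions on these values and never sees the role list itself.
ROLE_ENTITLEMENTS = {
    "pi": {"urn:example:entitlement:grants-portal:submit"},
    "faculty": {"urn:example:entitlement:library:full-text"},
    "student": {"urn:example:entitlement:library:full-text"},
}


def pairwise_id(local_uid, sp_entity_id):
    """Targeted identifier: stable for one (user, relying party) pair.

    Two relying parties get different values for the same user and cannot
    join their records, because the salt is secret and the relying party's
    entityID is mixed into the input.
    """
    msg = f"{local_uid}!{sp_entity_id}".encode()
    return hmac.new(IDP_SALT, msg, hashlib.sha256).hexdigest()[:32]


def entitlements_for(roles):
    """Union of entitlements granted by the user's roles, as a sorted list."""
    granted = set()
    for role in roles:
        granted |= ROLE_ENTITLEMENTS.get(role, set())
    return sorted(granted)


def build_assertion(local_uid, sp_entity_id, release_identity=False):
    """Identity-provider side: the attribute set released to one relying party.

    Identity (here, mail) is released only when the attribute release policy
    for that relying party says so; by default the party gets an opaque
    identifier and entitlements only.
    """
    user = DIRECTORY[local_uid]
    attrs = {
        "eduPersonTargetedID": pairwise_id(local_uid, sp_entity_id),
        "eduPersonEntitlement": entitlements_for(user["roles"]),
    }
    if release_identity:
        attrs["mail"] = user["email"]
    return attrs


def rp_authorize(assertion, required_entitlement):
    """Relying-party side: the access decision inspects only the entitlement."""
    return required_entitlement in assertion["eduPersonEntitlement"]


if __name__ == "__main__":
    grants = build_assertion("jdoe", "https://sp.grants.example/sp")
    library = build_assertion("jdoe", "https://sp.library.example/sp")
    print("same user, two relying parties, ids differ:",
          grants["eduPersonTargetedID"] != library["eduPersonTargetedID"])
    print("grants portal admits PI:",
          rp_authorize(grants, "urn:example:entitlement:grants-portal:submit"))
```

When a role changes in the directory, the next assertion carries the new entitlement set with no action on the relying party's side, which is the administrative offload the Roles slide refers to; the targeted identifier stays the same for that relying party, so any per-user state it keeps survives the role change.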
Collaborations and Virtual Organizations
• IdM is a critical dimension of collaboration, crossing many applications and user communities
• Virtual organizations represent critical communities of researchers sharing domain resources and applications as well as general collaboration tools. Providing a unified identity management platform for collaboration is essential in a multi-domain, multi-tool world.
• Lots of activity in domesticating applications to work in a federated world, moving from tool-based identity to collaboration-centric identity.