Identity Management, Federating Identities, and Federations November 21, 2006 Kevin Morooney Jeff Kuhns Renee Shuey


Page 1: Identity Management, Federating Identities, and Federations

Identity Management, Federating Identities, and Federations

November 21, 2006

Kevin Morooney, Jeff Kuhns, Renee Shuey

Page 2: Identity Management, Federating Identities, and Federations

Outline

‣ PSU and ITS

‣ Identity Management at Penn State

‣ Federating and Federations

Page 3: Identity Management, Federating Identities, and Federations

A little bit about Penn State and ITS...

Page 4: Identity Management, Federating Identities, and Federations

Penn State

Page 5: Identity Management, Federating Identities, and Federations

Penn State

‣ Established 1855, PA’s Land Grant

‣ 24 campus locations

‣ 80K students, 10K faculty, 10K staff

‣ $640M annual research expenditure

Page 6: Identity Management, Federating Identities, and Federations

Information Technology Services at Penn State

Page 7: Identity Management, Federating Identities, and Federations

IdM Level Set

• “An integrated system of business processes, policies, and technologies that enable organizations to facilitate and control their users' access to online applications and resources — while protecting confidential personal and business information from unauthorized users. It represents a category of interrelated solutions that are employed to administer user authentication, access, rights, access restrictions, account profiles, passwords, and other attributes supportive of users' roles/profiles on one or more applications or systems.”

• The NMI-EDIT Authentication Roadmap

Page 8: Identity Management, Federating Identities, and Federations

Identity Management at Penn State…

Page 9: Identity Management, Federating Identities, and Federations

Components of IdM at Penn State

‣ Kerberos, DCE, Active Directory

‣ LDAP (eduPerson)

‣ Cosign (WebAccess is local branding)

‣ Shibboleth

‣ Member of InCommon Federation

‣ RSA SecurID Tokens

‣ “Access Account” - branding for Penn State identity (authn only available too), ~120K

‣ “Short Term Access Accounts” (authn only available too), 178/9104 as of 11AM today

‣ “Friends of Penn State” - branding for external identity, ~450K

Page 10: Identity Management, Federating Identities, and Federations

Components of IdM at Penn State - Proofing

[Flowchart: account sign-up workflow. Box labels: Start; AD20 Agreement; AD54 Agreement; Library Agreement; Display Password; Newswire? (Yes/No); Newswire Agreement; Printing? (Yes/No); Printing Agreement; Sign For Account; End]

• GPG Encrypt Signature

• Request E-mail join

• Save all agreements

Page 11: Identity Management, Federating Identities, and Federations

Components of IdM at Penn State – Policy

‣ Student Record Policy

‣ Definition of student records

‣ Definition of student

‣ Public information regarding students

‣ Confidentiality hold

‣ Network Usage Policy

Page 12: Identity Management, Federating Identities, and Federations

[Figure: chart labelled “Transaction Importance”, “Trust”, and “Strength of Identity Proofing”]

Page 13: Identity Management, Federating Identities, and Federations

Improving the Quality of Our Digital Identity

‣ Join InCommon Federation

‣ Participate in the eAuthentication project (getting CAF’ed)

‣ Create new service and business models

‣ Create “governance” for IdM

‣ Expire passwords

‣ Increase password strength

Page 14: Identity Management, Federating Identities, and Federations

Federating and Federations…

Page 15: Identity Management, Federating Identities, and Federations

Drivers for Federating in HE

‣ Increasing dependence upon ever richer collaboration

‣ Mandates leading to more research consortia

‣ Increasing number of on-line resources and tools

‣ Access management complexities for resource and tool providers

‣ End-user experience, reliable and efficient to run infrastructure

‣ Federal and State laws & regulations (e.g., FERPA, HIPAA, Gramm-Leach-Bliley Act)

Page 16: Identity Management, Federating Identities, and Federations

The Goal of Federating

‣ Simplified Usability for all collaborations

‣ Home organizations carefully manage the release of personal information

‣ On-line resource providers focus on the protection and authorization of use of their on-line resources.

Page 17: Identity Management, Federating Identities, and Federations

InCommon Federation

‣ Created to support Higher Education and its research and business partners

‣ Federation operator is an LLC operated by Internet2

‣ Builds on existing campus identity management and single sign-on systems

‣ Makes use of open industry standards (SAML) and open source federating software (Shibboleth)

Page 18: Identity Management, Federating Identities, and Federations

eAuthentication Federation

‣ Setting the standards for the identity proofing of individuals and businesses (based on risk of online services used)

‣ Building the necessary infrastructure to support common, unified processes and systems for government-wide use

‣ Helps build the trust that must be an inherent part of every online exchange between citizens and the U.S. Government

Page 19: Identity Management, Federating Identities, and Federations

Figuring out how to work together

Page 20: Identity Management, Federating Identities, and Federations

Before our digital world looks like this…