IN-DEPTH THEME - EXTERNAL IDENTITIES
SPEAKER WARREN ANDERSON, LIGO Scientific Collaboration
SPEAKER JIM BASNEY, University of Illinois at Urbana-Champaign
SPEAKER KAREN HERRINGTON, Virginia Polytechnic Institute and State University
SPEAKER MICHAEL DOMINGUES, University of Iowa
SPEAKER CHRISTOS KANELLOPOULOS, GÉANT
MODERATOR NATHAN DORS, University of Washington

Post on 13-Jul-2020



[ 2 ]

ABSTRACT
IN-DEPTH THEME - EXTERNAL IDENTITIES

Why do we differentiate digital identities as being “internal” or “external”? Is doing so driven by business need or technical constraints, or both? Identity federations like InCommon, eduGAIN, and eduroam are powerful tools for providing access to resources across organizations. But what's a campus or research organization to do about providing access to resources that aren't readily federated? A network share? A desktop computer? A building door?

This in-depth session will explore use cases, practices, and activities in the research and education community focused on solutions for external identities. Attendees will gain insights into how campuses, research organizations, and national and international working groups are shifting external identity architectures toward more choice and inclusion, while maintaining appropriate control and security. Demos and discussion will focus on understanding these solutions, and their benefits and impact.

[ 3 ]

CONTEXT
IN-DEPTH THEME - EXTERNAL IDENTITIES

● FIM4R paper
● InCommon - External Identities Working Group
● AARC - Design for Deploying Solutions for “Guest Identities”
● REFEDS - IdoLR WG
● FIM4R update

[ 4 ]

OBJECTIVES
IN-DEPTH THEME - EXTERNAL IDENTITIES

• Campus/institution - what would you like out of this session?
• Service providers -
• Research communities -
• E-infrastructure provider -
• Federation operator -
• Others -

[ 5 ]

AGENDA
EXTERNAL IDENTITIES

• Welcome
• Overview
• Karen Herrington - Who is “Us”?
• Michael Domingues - Invite-Based Identity Provisioning for External Collaborators
• Warren Anderson - External Identities for Research Virtual Organizations
• Jim Basney - CILogon 2.0 - Enabling research apps to use external IDs
• Christos Kanellopoulos - External Identities in AARC and GÉANT
• Discussion & Conclusions
• Adjourn

[ 6 ]

Who is “Us”?
The answers aren’t as easy as they used to be...
Karen Herrington
Director, Identity Strategy & Administration
Virginia Polytechnic Institute and State University

• Use Cases
• Solutions
• Drivers and Goals

[ 7 ]

Identity Use Cases at Virginia Tech

• Student applicants
• Ross and St. George Vet Med students, Wake Forest Biomedical students, Undergraduate researchers from other universities
• “Pre-hires” – Almost employees, but not quite
• Medical School faculty
• VT Cyber Range
• Advancement donors
• Scholarship sponsors
• Event attendees
• Shoppers at store-front applications

[ 8 ]

Solutions: Guest Management System

• In-house developed
• “Sponsored” – Guests invited via email
• Admissions and Parents
• Guest account is third-party email address
• Self-service account provisioning and password resets
• Entitlements for authorization
• Integration with Academic Works for access to Financial Aid awards
• Third-party email address made an odd eppn @[email protected]
• Changes made to capture and assert VT ID Number

[ 9 ]

Solutions: Enterprise Directory Groups

• In-house developed Group Management System
• Web user interface and web service interface
• Central instantiation of groups with subsequent delegated management
• Wake Forest students maintained as a group by Biomedical Engineering
• Challenges
– Groups can only contain PIDs
– Some services rely only on affiliations for authorization – unaware of the group

[ 10 ]

Solutions: Zero-Pay Jobs

• Process distributed to department level
• Temporary, expiring jobs for new hires
• Allows for early setup of access
• Replaced by permanent job when hiring complete
• Triggers cleanup of access if hiring is not completed
• Can be a “pre-hire” more than once
• Renewable zero-pay jobs for Medical School faculty
• Allows entry and maintenance of identities by the authoritative entity
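The zero-pay job and guest sponsorship slides above describe one lifecycle: a sponsor creates a time-bounded affiliation, access is derived from it, a permanent affiliation may replace it, and expiry without replacement must trigger cleanup. The following Python model is an added example written for this page, not Virginia Tech's code; the affiliation kinds, the 90-day window, the entitlement names (taken from the resources listed on the drivers slide) and the two pre-hire records are all constructed.

```python
"""Sponsored, expiring affiliations driving access (constructed example)."""
from dataclasses import dataclass, field
from datetime import date, timedelta
from typing import List, Optional, Set, Tuple

# Constructed policy: which affiliation kinds confer which entitlements.
POLICY = {
    "employee": {"email", "canvas", "library", "transit", "labs"},
    "zero_pay": {"email", "canvas", "library"},   # pre-hire: early but limited access
    "guest":    {"library"},
}


def as_date(value) -> date:
    """Accept ISO strings (as HR feeds deliver them) or date objects."""
    return value if isinstance(value, date) else date.fromisoformat(value)


@dataclass
class Affiliation:
    kind: str               # key into POLICY
    sponsor: str            # who vouched for this affiliation (department, PI, HR)
    start: date
    end: Optional[date]     # None = open-ended (a permanent job); otherwise the expiry date


@dataclass
class Person:
    pid: str
    affiliations: List[Affiliation] = field(default_factory=list)


def zero_pay_job(sponsor: str, start, days: int = 90) -> Affiliation:
    """A temporary, expiring pre-hire affiliation; the 90-day window is an assumption."""
    start = as_date(start)
    return Affiliation("zero_pay", sponsor, start, start + timedelta(days=days))


def active_affiliations(person: Person, on) -> List[Affiliation]:
    """Affiliations valid on the given day (end date inclusive)."""
    on = as_date(on)
    return [a for a in person.affiliations
            if a.start <= on and (a.end is None or on <= a.end)]


def entitlements(person: Person, on) -> Set[str]:
    """Union of entitlements from every affiliation active on that day."""
    ents: Set[str] = set()
    for a in active_affiliations(person, on):
        ents |= POLICY.get(a.kind, set())
    return ents


def lifecycle_events(person: Person, previous, current) -> List[Tuple[str, str]]:
    """Diff the entitlement sets between two evaluation days: what to grant, what to revoke.
    A zero-pay job that expires with no permanent job behind it shows up here as revokes."""
    before, after = entitlements(person, previous), entitlements(person, current)
    events = [("grant", e) for e in sorted(after - before)]
    events += [("revoke", e) for e in sorted(before - after)]
    return events


def scenario() -> Tuple[Person, Person]:
    """Two constructed pre-hires sponsored by the same department on the same day."""
    hired = Person("pid-1001", [zero_pay_job("dept-ece", "2020-01-06")])
    # Hiring completes: a permanent job replaces the expiring one before it runs out.
    hired.affiliations.append(Affiliation("employee", "hr", as_date("2020-03-02"), None))

    not_hired = Person("pid-1002", [zero_pay_job("dept-ece", "2020-01-06")])
    return hired, not_hired


if __name__ == "__main__":
    hired, not_hired = scenario()
    for day in ("2020-02-01", "2020-04-05", "2020-04-06"):
        print(day, "hired:", sorted(entitlements(hired, day)),
              "| not hired:", sorted(entitlements(not_hired, day)))
    print("cleanup:", lifecycle_events(not_hired, "2020-04-05", "2020-04-06"))
```

Running `lifecycle_events` once a day against the HR feed is what makes deprovisioning consistent: the pre-hire who was never hired loses email, Canvas and library access the day after the zero-pay job ends, while the one who was hired sees no revocation because the employee affiliation already covers everything. A renewal is simply another `zero_pay_job` appended to the list, so "pre-hire more than once" needs no special case.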

[ 11 ]

Solutions: Social Identities

• Examples: Google, Facebook, LinkedIn
• Enables reuse of existing identities
• Good fit for Advancement donors, Scholarship sponsors, Event attendees, Store-front shoppers
• Social-to-SAML gateway allows for integration into existing federated environment
• Allows flexibility in choosing identity to use
• Challenging to deal with different provider protocols and which ones are the popular providers at any point in time
• Little control over what identity information is captured
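Two slides in this talk touch the same mapping problem: the guest management slide notes that using a third-party email address as the account name produced an odd eppn, and the social identities slide notes that the gateway has little control over what information a provider releases. The Python below is an added example, not Virginia Tech's gateway: it shows why email-as-local-part yields a malformed scoped identifier, derives a stable opaque guest identifier from the provider's issuer and subject instead, and reports which wanted claims a provider withheld. The scope `guest.example.edu`, the claim sets, and the use of `affiliate` as the scoped affiliation value are all assumptions.

```python
"""Mapping a social/third-party identity to a scoped guest identifier (constructed example)."""
import hashlib
import re
from typing import Dict, List, Tuple

GUEST_SCOPE = "guest.example.edu"   # assumed scope the gateway asserts for guests

# Constructed OIDC-style claim sets, as a social provider might return them.
GOOGLE_CLAIMS = {
    "iss": "https://accounts.google.com", "sub": "109412345678901234567",
    "email": "jane.doe@gmail.com", "email_verified": True, "name": "Jane Doe",
}
LINKEDIN_CLAIMS = {"iss": "https://www.linkedin.com", "sub": "abc123XYZ", "name": "Sam Roe"}  # no email released


def naive_eppn(claims: Dict, scope: str = GUEST_SCOPE) -> str:
    """Third-party email as the local part: 'jane.doe@gmail.com@guest.example.edu'."""
    return f"{claims['email']}@{scope}"


def is_scoped_identifier(value: str) -> bool:
    """A scoped identifier has exactly one '@' with a non-empty part on each side."""
    return re.fullmatch(r"[^@\s]+@[^@\s]+", value) is not None


def stable_guest_id(claims: Dict, scope: str = GUEST_SCOPE) -> str:
    """Opaque identifier from (issuer, subject): stable across logins and across the
    user changing their email, carries no personal data, and needs no email at all."""
    digest = hashlib.sha256(f"{claims['iss']}|{claims['sub']}".encode()).hexdigest()[:16]
    return f"guest-{digest}@{scope}"


REQUIRED = ("iss", "sub")   # without these there is no identity to map
WANTED = ("email", "name")  # nice to have; the provider decides whether to release them


def map_to_saml(claims: Dict, scope: str = GUEST_SCOPE) -> Tuple[Dict[str, str], List[str]]:
    """Build the attribute set the gateway asserts, plus the list of wanted claims the
    provider did not release (the gateway cannot make a provider release more)."""
    missing = [c for c in REQUIRED if c not in claims]
    if missing:
        raise ValueError(f"cannot map identity, missing claims: {missing}")
    attrs = {
        "eduPersonPrincipalName": stable_guest_id(claims, scope),
        "eduPersonScopedAffiliation": f"affiliate@{scope}",
    }
    if claims.get("email") and claims.get("email_verified"):
        attrs["mail"] = claims["email"]          # only assert an email the provider verified
    if claims.get("name"):
        attrs["displayName"] = claims["name"]
    not_released = [c for c in WANTED if not claims.get(c)]
    return attrs, not_released
```

Keying the identifier on issuer and subject rather than on email matters for deprovisioning and audit: the same person keeps one identifier even if they change their email at the provider, and two providers that happen to release the same email do not collapse into one account. The `not_released` list is what the gateway can log or surface to a sponsor when a provider withholds an attribute a service relies on.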

[ 12 ]

Drivers and Desired Goals

• Giving Non-traditional Students/Employees access to needed resources
– Email, Canvas, Library, Blacksburg Transit Bus, Labs
– Timely Provisioning
• Maintaining/Increasing VT’s security posture
– Appropriately establishing external identities in our identity management system
– Consistently deprovisioning access
– Reducing the number of unattended institutional accounts

[ 13 ]

Drivers and Desired Goals

• Enhancing the User Experience
– Desire to reuse identities
– Ease of onboarding
• Increasing efficiency, effectiveness of Business Processes
– Being financially competitive in attracting students
– Removing administrative burden of local account management
• Managing Customer Relationships more effectively
– Targeted marketing
– Student recruitment

[ 14 ]

Invite-Based Identity Provisioning for External Collaborators
Michael Domingues
Senior Application Developer
University of Iowa
[email protected]

[ 15 ]

A Familiar Problem

“People need access to my institution’s resources!”

[ 16 ]

A Familiar Problem (Revised)

“People (not formally affiliated with my institution) need access to its resources!”

[ 17 ]

A Familiar Problem (Revised)

“People (not formally affiliated with my institution) need access to its resources!”

Who?
What does this even mean?
How do we manage this access?
What kinds of resources are we talking about?
Why?

[ 18 ]

Approaches to A Familiar Problem

Local / Per-System Accounts
Hijack Existing Business Processes
Guest Account System / Separate Credential Store
Federation / Bring Your Own Credential

[ 19 ]

A Familiar Problem (Problematized)

“Anybody (not formally affiliated with my institution) needs access to any of its resources!”

What does this even mean?

How do we manage this access?

Why?

[ 20 ]

A Solution?

“Why don’t we just give anybody an account?”

[ 21 ]

A (Better) Solution?

“Why don’t we just let anybody create an identity?”

[ 22 ]

Background

University of Iowa
Enterprise Active Directory since 2002
Many distributed administrators
Large portfolio of internally developed applications
Central Identity Data Warehouse
One institutional credential to rule them all … for institutional people

[ 23 ]

Project Methodology

Approached by Research Services
Met with wide variety of campus constituencies
Identified common requirements and use-cases
Designed and built solution API First

[ 24 ]

Solution Requirements

Able to capture customized set of demographic information
Supports multiple interaction modalities
Tracks sponsorship information
Creates and flows full identities in real-time
Integrates with existing access management processes

[ 25 ]

Claims

People need access to sets of resources
Non-traditional users defy traditional categorization
Many lack educational affiliation
Relationships change over time
Functional hurdles will be overcome
UX matters (a lot)

[ 26 ]

[ 27 ]

Demo

[ 28 ]

Conclusion

By bringing “external” identities directly into your IAM platforms as first-class citizens, you can provide the power and flexibility of your existing identity and access management solutions to anybody.

[ 29 ]

External Identities for Research Virtual Organizations Laser Interferometer Gravitational-wave Observatory (LIGO)

Warren Anderson - IAM Lead, LIGO Scientific Collaboration

• LIGO as an example of a Research VO
• Why LIGO has primarily used internal identities for the last decade
• Federated identities in LIGO’s future.

[ 30 ]

What is LIGO?

[ 31 ]

What is LIGO?

[ 32 ]

What is LIGO?

• 1600+ Scientists, researchers, and students
• 110+ Research institutions
• 22 Countries
• 5+ dedicated data processing centers (10,000’s cores)
• 120+ Shibboleth SPs
• 44 SP admins
• 18 hosting institutions
• 6 authentication technologies
• Kerberos, Shibboleth, OAuth2, grid certs, ssh keys, physical tokens (YubiKey)

[ 33 ]

LIGO IAM Past

• Dedicated effort since 2007 (a decade into the experiment)
• Decided to exclusively use internal identities because:
– Not enough LIGO member institutions had federated IdPs
– No readily available IdP of last resort
– Insufficient interfederation via eduGAIN or other means
– Not enough LIGO member institutions release identifying attributes
– No framework for security for federated identities.
• However, MOUs with 700 external (non-LIGO) scientists
– collaboration resources managed on gw-astronomy.org by UWM and LIGO
– federate identity exclusively for non-LIGO collaborators using COManage
– Access to wikis, mailing lists, file sharing, event databases, etc

[ 34 ]

LIGO Federated Future

• LIGO has made a commitment to the National Science Foundation to start using federated identities within the next four years.
– Not enough LIGO member institutions had federated IdPs
• 95% of US LIGO members at InCommon participant institutions
– No readily available IdP of last resort
• Free (CILogon, UnitedID) and paid (Cirrus - works for China?)
– Insufficient interfederation via eduGAIN or other means
• 93% of LIGO nations in eduGAIN
– Not enough LIGO member institutions release identifying attributes
• IdP/SP Proxy (SaToSa from SUNET?)
– No framework for security for federated identities.
• SIRTFI adoption gaining ground
• LIGO Management has circulated an open letter supporting federated ID

[ 35 ]

CILogon 2.0 - Enabling research apps to use external IDs
Jim Basney
Senior Research Scientist, NCSA Security
University of Illinois at Urbana-Champaign

• Experiences working with virtual organizations (VOs)
• What's working? What are the challenges?

[ 36 ]

Identity Providers of Last Resort

[ 37 ]

Sign in with ORCID

[ 38 ]

Multitude of app integration needs

[Architecture diagram: CILogon components (SAML SP, OIDC Provider, OIDC SP, OAuth SP, X.509 CA, HSM, MFA (OATH), LDAP, SAML AA, Register) and COmanage (Identities, MFA Tokens, SSH Keys, Groups, Attributes), with eduGAIN IdP, InCommon IdP, Google IdP and ORCID on the identity side and several Science Apps on the service side]

[ 39 ]

Attributes from campus, VO, ORCID

[ 40 ]

For more info about CILogon

www.cilogon.org

[email protected]

[email protected]

We hope to hear from you!

[ 41 ]

External Identities in AARC and GÉANT

Christos Kanellopoulos
Project Development Officer
GÉANT

• What is AARC?
• Context: International Research Collaborations
• The AARC Blueprint Architecture
• Proxies, proxies, proxies…
• External identities
• eduTEAMS Identity Hub


[ 42 ]

The AARC project

• Two + two year EC-funded project

• 20 partners (NRENs, e-Infrastructure providers and Libraries as equal partners)

• About 3M euro budget

• May 2015-2017 (2nd edition 2017-2019)

• https://aarc-project.eu

Authentication and Authorisation for Research and Collaboration

[ 43 ]

International Research Collaborations

• Users should be able to access all the services using the credentials from their Home Organizations when available.

• Secure integration of guest identity solutions and support for stronger authentication mechanisms when needed.

• Access to the various services should be granted based on the role(s) the users have within the collaboration.

• Users should have persistent identities across all community services when needed.

• Ease of use for users and service providers. The complexity of multiple IdPs/Federations/Attribute Authorities/technologies should be hidden.
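The requirements above, together with the later "Attributes from campus, VO, ORCID" and "Proxies, proxies, proxies" slides, describe the proxy pattern in the AARC Blueprint Architecture: one component merges attributes from the home organisation, the collaboration's membership service and other sources, and services make role-based decisions against that single view without knowing which IdP or guest solution the user came through. The Python below is an added example written for this page, not AARC or eduTEAMS code; the group names, service policies, the placeholder ORCID iD and the two users (one campus-federated, one guest) are constructed.

```python
"""Proxy-side attribute aggregation and role-based authorization (constructed example)."""
from typing import Dict, Tuple

# Constructed inputs as a proxy might hold them for a session. The proxy does not care
# whether the identifier came from a campus IdP or from a guest identity solution.
CAMPUS_ASSERTIONS = {
    "alice@univ.example": {"affiliation": ["member", "faculty"]},
}
VO_GROUPS = {  # collaboration roles, as a COmanage-style membership service might expose them (assumed)
    "alice@univ.example": ["urn:vo:ligo:members", "urn:vo:ligo:data-analysts"],
    "guest-1a2b@guest.example": ["urn:vo:ligo:members"],
}
ORCID_LINKS = {"alice@univ.example": "0000-0001-2345-6789"}  # placeholder ORCID iD, not a real one

# Per-service policy expressed in collaboration roles, never in home-organisation terms.
SERVICE_POLICY = {
    "wiki":           {"any_group": ["urn:vo:ligo:members"]},
    "data-archive":   {"any_group": ["urn:vo:ligo:data-analysts"]},
    "publication-db": {"any_group": ["urn:vo:ligo:members"], "require_orcid": True},
}


def aggregate(identity: str) -> Dict:
    """One consistent view per user, merged from campus, VO and ORCID sources.
    A source that knows nothing about the user simply contributes nothing."""
    return {
        "id": identity,
        "affiliation": sorted(CAMPUS_ASSERTIONS.get(identity, {}).get("affiliation", [])),
        "groups": sorted(VO_GROUPS.get(identity, [])),
        "orcid": ORCID_LINKS.get(identity),
    }


def authorize(identity: str, service: str) -> Tuple[bool, str]:
    """Role-based decision: access depends on collaboration roles, not on where the identity came from."""
    if service not in SERVICE_POLICY:
        return False, "unknown service"
    view = aggregate(identity)
    policy = SERVICE_POLICY[service]
    if not set(policy["any_group"]) & set(view["groups"]):
        return False, "no qualifying collaboration role"
    if policy.get("require_orcid") and not view["orcid"]:
        return False, "ORCID link required"
    return True, "granted"


if __name__ == "__main__":
    for who in ("alice@univ.example", "guest-1a2b@guest.example", "nobody@elsewhere.example"):
        for svc in SERVICE_POLICY:
            print(f"{who:28} {svc:15} {authorize(who, svc)}")
```

The guest with no campus affiliation and the faculty member with one are treated identically by the wiki, because the wiki asks only about the `members` role; the persistent identifier the proxy hands out is what lets the VO attach roles and an ORCID link to a user over time, regardless of which credential they used to log in.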

[ 45 ]

AARC Blueprint Architecture
Enabling an ecosystem of solutions on top of eduGAIN

o A Blueprint Architecture for authentication and authorization

o A set of architectural and policy building blocks on top of eduGAIN

o eduGAIN and the Identity Federations

o A solid foundation for federated access in Research and Education

[ 46 ]

AARC Blueprint Architecture
https://aarc-project.eu/architecture/

[ 47 ]

Many implementations...

[ 48 ]

So, what are external identities?

[ 49 ]

So, what are external identities?

Depends on where one stands...

[ 50 ]

So, what are external identities?

[Diagram: seen from eduGAIN / Federations / Campuses, the identities that count as external are Social IDs, eGov IDs, Community managed / IGTF, and Commercial]

Depends on where one stands...

[ 51 ]

So, what are external identities?

[Diagram: seen from a Research Collaboration, the identities that count as external are Social IDs, eGov IDs, Community managed / IGTF, Commercial, and eduGAIN]

Depends on where one stands...

[ 52 ]

GÉANT eduTEAMS: Identity Hub

[Architecture diagram: the Identity Hub, with Membership Management (COmanage v.20, REST AA, SAML AA) behind it, fronts an Infrastructure AAI proxy that serves multiple SPs]

[ 53 ]

DISCUSSION & CONCLUSIONS
IN-DEPTH THEME - EXTERNAL IDENTITIES

Thank you, presenters and attendees!