IN-DEPTH THEME - EXTERNAL IDENTITIES
TRANSCRIPT

SPEAKER: Warren Anderson, LIGO Scientific Collaboration
SPEAKER: Jim Basney, University of Illinois at Urbana-Champaign
SPEAKER: Karen Herrington, Virginia Polytechnic Institute and State University
SPEAKER: Michael Domingues, University of Iowa
SPEAKER: Christos Kanellopoulos, GÉANT
MODERATOR: Nathan Dors, University of Washington
[ 2 ]
ABSTRACT
Why do we differentiate digital identities as being “internal” or “external”? Is doing so driven by business need or technical constraints, or both? Identity federations like InCommon, eduGAIN, and eduroam are powerful tools for providing access to resources across organizations. But what's a campus or research organization to do about providing access to resources that aren't readily federated? A network share? A desktop computer? A building door?
This in-depth session will explore use cases, practices, and activities in the research and education community focused on solutions for external identities. Attendees will gain insights into how campuses, research organizations, and national and international working groups are shifting external identity architectures toward more choice and inclusion, while maintaining appropriate control and security. Demos and discussion will focus on understanding these solutions, and their benefits and impact.
[ 3 ]
CONTEXT
● FIM4R paper
● InCommon - External Identities Working Group
● AARC - Design for Deploying Solutions for “Guest Identities”
● REFEDS - IdoLR WG
● FIM4R update
[ 4 ]
OBJECTIVES
• Campus/institution - what would you like out of this session?
• Service providers -
• Research communities -
• E-infrastructure provider -
• Federation operator -
• Others -
[ 5 ]
AGENDA
• Welcome
• Overview
• Karen Herrington - Who is “Us”?
• Michael Domingues - Invite-Based Identity Provisioning for External Collaborators
• Warren Anderson - External Identities for Research Virtual Organizations
• Jim Basney - CILogon 2.0 - Enabling research apps to use external IDs
• Christos Kanellopoulos - External Identities in AARC and GÉANT
• Discussion & Conclusions
• Adjourn
[ 6 ]
Who is “Us”?
The answers aren’t as easy as they used to be...
Karen Herrington, Director, Identity Strategy & Administration, Virginia Polytechnic Institute and State University
• Use Cases
• Solutions
• Drivers and Goals
[ 7 ]
Identity Use Cases at Virginia Tech
• Student applicants
• Ross and St. George Vet Med students, Wake Forest Biomedical students, Undergraduate researchers from other universities
• “Pre-hires” – Almost employees, but not quite
• Medical School faculty
• VT Cyber Range
• Advancement donors
• Scholarship sponsors
• Event attendees
• Shoppers at store-front applications
[ 8 ]
Solutions: Guest Management System
• In-house developed
• “Sponsored” – Guests invited via email
• Admissions and Parents
• Guest account is third-party email address
• Self-service account provisioning and password resets
• Entitlements for authorization
• Integration with Academic Works for access to Financial Aid awards
• Third-party email address made an odd eppn: @[email protected]
• Changes made to capture and assert VT ID Number
[ 9 ]
Solutions: Enterprise Directory Groups
• In-house developed Group Management System
• Web user interface and web service interface
• Central instantiation of groups with subsequent delegated management
• Wake Forest students maintained as a group by Biomedical Engineering
• Challenges
  – Groups can only contain PIDs
  – Some services rely only on affiliations for authorization – unaware of the group
[ 10 ]
Solutions: Zero-Pay Jobs
• Process distributed to department level
• Temporary, expiring jobs for new hires
• Allows for early setup of access
• Replaced by permanent job when hiring complete
• Triggers cleanup of access if hiring is not completed
• Can be a “pre-hire” more than once
• Renewable zero-pay jobs for Medical School faculty
• Allows entry and maintenance of identities by the authoritative entity
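A working sketch of the sponsorship lifecycle the Guest Management System and Zero-Pay Jobs slides describe: invited guests whose record is keyed to a third-party e-mail address and carries entitlements, and temporary pre-hire access that either becomes permanent or is cleaned up. This is an added example written for this transcript, not Virginia Tech's guest management system or zero-pay job process; the class and function names, the scope guest.example.edu, the sponsor and guest addresses, and the T0/days/at timeline helpers are all constructed. It shows the controls a defender wants in such a system: single-use, expiring invites; a stable scoped identifier derived from the address (rather than the raw e-mail as the account name); an expiry on every sponsored record; a sweep that deprovisions lapsed records; and an authorization check that enforces the expiry even before the sweep has run.

```python
from __future__ import annotations

import hashlib
import secrets
from dataclasses import dataclass, field
from datetime import datetime, timedelta, timezone

T0 = datetime(2017, 10, 1, tzinfo=timezone.utc)   # constructed timeline origin

def days(n: int) -> timedelta: return timedelta(days=n)

def at(n: int) -> datetime: return T0 + days(n)

@dataclass
class Invite:
    sponsor: str                 # institutional person accountable for the guest
    guest_email: str             # third-party address the invitation is sent to
    entitlements: frozenset[str]
    access_duration: timedelta   # how long access lasts once the invite is redeemed
    invite_expires: datetime     # an unredeemed invite dies as well

@dataclass
class Identity:
    identifier: str              # scoped, eppn-style identifier, not the raw e-mail
    email: str
    sponsor: str
    expires_at: datetime | None  # None once the person holds a permanent affiliation
    entitlements: set[str] = field(default_factory=set)
    active: bool = True

class GuestRegistry:
    def __init__(self, scope: str, invite_ttl: timedelta = days(7)):
        self.scope, self.invite_ttl = scope, invite_ttl
        self.pending: dict[str, Invite] = {}
        self.identities: dict[str, Identity] = {}
        self.audit: list[str] = []   # who sponsored whom, and when access went away

    def identifier_for(self, email: str) -> str:
        # Derived from the normalised address, so a renewal or a second invitation
        # lands on the same record instead of creating another unattended account.
        digest = hashlib.sha256(email.strip().lower().encode()).hexdigest()[:16]
        return f"guest-{digest}@{self.scope}"

    def invite(self, sponsor: str, guest_email: str, entitlements: set[str],
               access_duration: timedelta, now: datetime) -> str:
        token = secrets.token_urlsafe(32)   # unguessable; this is what gets e-mailed
        self.pending[token] = Invite(sponsor, guest_email, frozenset(entitlements),
                                     access_duration, now + self.invite_ttl)
        self.audit.append(f"{now.isoformat()} invite {guest_email} sponsor={sponsor}")
        return token

    def redeem(self, token: str, now: datetime) -> Identity:
        inv = self.pending.pop(token, None)   # single use: a replayed token fails
        if inv is None:
            raise PermissionError("unknown or already used invite")
        if now > inv.invite_expires:
            raise PermissionError("invite expired")
        ident = self.identifier_for(inv.guest_email)
        rec = self.identities.setdefault(ident, Identity(ident, inv.guest_email, inv.sponsor, None))
        rec.active, rec.sponsor = True, inv.sponsor
        rec.expires_at = now + inv.access_duration   # access is temporary by default
        rec.entitlements |= set(inv.entitlements)
        self.audit.append(f"{now.isoformat()} provision {ident} until {rec.expires_at.isoformat()}")
        return rec

    def renew(self, ident: str, sponsor: str, extra: timedelta, now: datetime) -> datetime:
        # The renewable zero-pay job: the sponsor re-affirms the relationship.
        rec = self.identities[ident]
        if rec.expires_at is None:
            raise ValueError("permanent affiliation: nothing to renew")
        rec.sponsor = sponsor
        rec.expires_at = max(rec.expires_at, now) + extra
        return rec.expires_at

    def convert_to_permanent(self, ident: str, now: datetime) -> None:
        # Hiring completed: the permanent job, not the sponsorship, now governs access.
        self.identities[ident].expires_at = None
        self.audit.append(f"{now.isoformat()} permanent {ident}")

    def sweep(self, now: datetime) -> list[str]:
        """Deprovision every sponsored identity whose sponsorship has lapsed."""
        gone = []
        for rec in self.identities.values():
            if rec.active and rec.expires_at is not None and now >= rec.expires_at:
                rec.active, rec.entitlements = False, set()
                gone.append(rec.identifier)
                self.audit.append(f"{now.isoformat()} deprovision {rec.identifier}")
        return gone

    def authorize(self, ident: str, entitlement: str, now: datetime) -> bool:
        # Services check entitlement *and* expiry, so access ends on time even if
        # the sweep has not run yet.
        rec = self.identities.get(ident)
        return (rec is not None and rec.active
                and (rec.expires_at is None or now < rec.expires_at)
                and entitlement in rec.entitlements)

if __name__ == "__main__":
    reg = GuestRegistry("guest.example.edu")   # placeholder scope and addresses
    tok = reg.invite("sponsor@example.edu", "Guest@Example.net", {"financial-aid:view"}, days(30), at(0))
    guest = reg.redeem(tok, at(1))
    print(reg.authorize(guest.identifier, "financial-aid:view", at(10)), reg.sweep(at(40)))
```

The important design choice is that `authorize` is what a relying service calls, and it re-checks the expiry itself; the sweep only tidies records and writes the audit trail, so a late or failed sweep cannot extend anyone's access. Re-inviting the same address returns to the same record, which is what keeps the count of unattended accounts from growing.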
[ 11 ]
Solutions: Social Identities
• Examples: Google, Facebook, LinkedIn
• Enables reuse of existing identities
• Good fit for Advancement donors, Scholarship sponsors, Event attendees, Store-front shoppers
• Social-to-SAML gateway allows for integration into existing federated environment
• Allows flexibility in choosing identity to use
• Challenging to deal with different provider protocols and which ones are the popular providers at any point in time
• Little control over what identity information is captured
[ 12 ]
Drivers and Desired Goals
• Giving Non-traditional Students/Employees access to needed resources
  – Email, Canvas, Library, Blacksburg Transit Bus, Labs
  – Timely Provisioning
• Maintaining/Increasing VT’s security posture
  – Appropriately establishing external identities in our identity management system
  – Consistently deprovisioning access
  – Reducing the number of unattended institutional accounts
[ 13 ]
Drivers and Desired Goals
• Enhancing the User Experience
  – Desire to reuse identities
  – Ease of onboarding
• Increasing efficiency, effectiveness of Business Processes
  – Being financially competitive in attracting students
  – Removing administrative burden of local account management
• Managing Customer Relationships more effectively
  – Targeted marketing
  – Student recruitment
[ 14 ]
Invite-Based Identity Provisioning for External Collaborators
Michael Domingues, Senior Application Developer, University of Iowa
[email protected]
[ 15 ]
A Familiar Problem
“People need access to my institution’s resources!”
[ 16 ]
A Familiar Problem (Revised)
“People (not formally affiliated with my institution) need access to its resources!”
[ 17 ]
A Familiar Problem (Revised)
“People (not formally affiliated with my institution) need access to its resources!”
Who?
What does this even mean?
How do we manage this access?
What kinds of resources are we talking about?
Why?
[ 18 ]
Approaches to A Familiar Problem
Local / Per-System Accounts
Hijack Existing Business Processes
Guest Account System / Separate Credential Store
Federation / Bring Your Own Credential
[ 19 ]
A Familiar Problem (Problematized)
“Anybody (not formally affiliated with my institution) needs access to any of its resources!”
What does this even mean?
How do we manage this access?
Why?
[ 20 ]
A Solution?
“Why don’t we just give anybody an account?”
[ 21 ]
A (Better) Solution?
“Why don’t we just let anybody create an identity?”
[ 22 ]
Background
University of Iowa
Enterprise Active Directory since 2002
Many distributed administrators
Large portfolio of internally developed applications
Central Identity Data Warehouse
One institutional credential to rule them all … for institutional people
[ 23 ]
Project Methodology
Approached by Research Services
Met with wide variety of campus constituencies
Identified common requirements and use-cases
Designed and built solution API First
[ 24 ]
Solution Requirements
Able to capture customized set of demographic information
Supports multiple interaction modalities
Tracks sponsorship information
Creates and flows full identities in real time
Integrates with existing access management processes
[ 25 ]
Claims
People need access to sets of resources
Non-traditional users defy traditional categorization
Many lack educational affiliation
Relationships change over time
Functional hurdles will be overcome
UX matters (a lot)
[ 27 ]
Demo
[ 28 ]
Conclusion
By bringing “external” identities directly into your IAM platforms as first-class citizens, you can provide the power and flexibility of your existing identity and access management solutions to anybody.
[ 29 ]
External Identities for Research Virtual Organizations
Laser Interferometer Gravitational-wave Observatory (LIGO)
Warren Anderson - IAM Lead, LIGO Scientific Collaboration
• LIGO as an example of a Research VO
• Why LIGO has primarily used internal identities for the last decade
• Federated identities in LIGO’s future.
[ 30 ]
What is LIGO?
• 1600+ Scientists, researchers, and students
• 110+ Research institutions
• 22 Countries
• 5+ dedicated data processing centers (10,000’s cores)
• 120+ Shibboleth SPs
  • 44 SP admins
  • 18 hosting institutions
• 6 authentication technologies
  • Kerberos, Shibboleth, OAuth2, grid certs, ssh keys, physical tokens (YubiKey)
[ 33 ]
LIGO IAM Past
• Dedicated effort since 2007 (a decade into the experiment)
• Decided to exclusively use internal identities because:
  – Not enough LIGO member institutions had federated IdPs
  – No readily available IdP of last resort
  – Insufficient interfederation via eduGAIN or other means
  – Not enough LIGO member institutions release identifying attributes
  – No framework for security for federated identities.
• However, MOUs with 700 external (non-LIGO) scientists
  – collaboration resources managed on gw-astronomy.org by UWM and LIGO
  – federate identity exclusively for non-LIGO collaborators using COManage
  – Access to wikis, mailing lists, file sharing, event databases, etc
[ 34 ]
LIGO Federated Future
• LIGO has made a commitment to the National Science Foundation to start using federated identities within the next four years.
• The earlier obstacles, and where each stands now:
  – Not enough LIGO member institutions had federated IdPs
    • 95% of US LIGO members at InCommon participant institutions
  – No readily available IdP of last resort
    • Free (CILogon, UnitedID) and paid (Cirrus - works for China?)
  – Insufficient interfederation via eduGAIN or other means
    • 93% of LIGO nations in eduGAIN
  – Not enough LIGO member institutions release identifying attributes
    • IdP/SP Proxy (SATOSA from SUNET?)
  – No framework for security for federated identities.
    • SIRTFI adoption gaining ground
• LIGO Management has circulated an open letter supporting federated ID
[ 35 ]
CILogon 2.0 — Enabling research apps to use external IDs
Jim Basney, Senior Research Scientist, NCSA Security, University of Illinois at Urbana-Champaign
• Experiences working with virtual organizations (VOs)
• What's working? What are the challenges?
[ 36 ]
Identity Providers of Last Resort
[ 37 ]
Sign in with ORCID
[ 38 ]
Multitude of app integration needs
(Architecture diagram.) Components shown: a COmanage registry holding Identities, MFA Tokens, SSH Keys, Groups and Attributes, with a Register interface; SAML SP, OIDC Provider, OIDC SP, X.509 CA, HSM, MFA (OATH), LDAP and SAML AA interfaces; identity sources eduGAIN IdP, InCommon IdP, Google IdP and ORCID (via an OAuth SP); and multiple Science Apps as consumers.
[ 39 ]
Attributes from campus, VO, ORCID
[ 40 ]
For more info about CILogon
www.cilogon.org
We hope to hear from you!
[ 41 ]
External Identities in AARC and GÉANT
Christos Kanellopoulos, Project Development Officer, GÉANT
• What is AARC?
• Context: International Research Collaborations
• The AARC Blueprint Architecture
• Proxies, proxies, proxies…
• External identities
• eduTEAMS Identity Hub
[ 42 ]
The AARC project
• Two + two year EC-funded project
• 20 partners (NRENs, e-Infrastructure providers and Libraries as equal partners)
• About 3M euro budget
• May 2015-2017 (2nd edition 2017-2019)
• https://aarc-project.eu
Authentication and Authorisation for Research and Collaboration
[ 43 ]
International Research Collaborations
• Users should be able to access all the services using the credentials from their Home Organizations when available.
• Secure integration of guest identity solutions and support for stronger authentication mechanisms when needed.
• Access to the various services should be granted based on the role(s) the users have within the collaboration.
• Users should have persistent identities across all community services when needed.
• Ease of use for users and service providers. The complexity of multiple IdPs/Federations/Attribute Authorities/technologies should be hidden.
[ 45 ]
AARC Blueprint Architecture
Enabling an ecosystem of solutions on top of eduGAIN
o A Blueprint Architecture for authentication and authorization
o A set of architectural and policy building blocks on top of eduGAIN
o eduGAIN and the Identity Federations
o A solid foundation for federated access in Research and Education
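The pattern shared by LIGO's planned IdP/SP proxy (the answer to institutions that release no identifying attributes), CILogon's collection of attributes from campus, VO and ORCID, and the proxies of the AARC Blueprint Architecture is that services behind the proxy see a single identity source while the proxy absorbs the differences between upstream IdPs. The following is an added illustration written for this transcript, not code from AARC, GÉANT, LIGO or CILogon; the entityIDs, scope names, group name, subject values and key are constructed placeholders. It derives a stable proxy-scoped identifier from the (issuer, subject) pair, accepts a scoped eduPersonPrincipalName only in scopes registered to the asserting issuer, and attaches collaboration group entitlements from a membership store, so a service gets a usable identity even when the home IdP releases nothing beyond a NameID.

```python
from __future__ import annotations

import hashlib
import hmac
from dataclasses import dataclass, field

@dataclass
class UpstreamAssertion:
    issuer: str                  # entityID of the authenticating IdP (campus, social, ORCID, ...)
    subject: str                 # issuer-scoped SAML NameID or OIDC "sub"
    attributes: dict[str, str] = field(default_factory=dict)   # may be empty

class IdentityProxy:
    """One SAML/OIDC-facing identity source for every SP behind the proxy."""

    def __init__(self, scope: str, key: bytes, issuer_scopes: dict[str, set[str]]):
        self.scope = scope                     # scope the proxy asserts its own identifiers in
        self._key = key                        # secret; rotating it changes every identifier
        self.issuer_scopes = issuer_scopes     # eppn scopes each upstream may assert (from metadata)
        self.groups: dict[str, set[str]] = {}  # membership management: proxy id -> groups

    def proxy_id(self, a: UpstreamAssertion) -> str:
        # (issuer, subject) is the only pair that is unique across all upstreams. E-mail
        # and display name are user-editable at many providers, so they identify nobody.
        mac = hmac.new(self._key, f"{a.issuer}\x00{a.subject}".encode(), hashlib.sha256)
        return f"{mac.hexdigest()[:24]}@{self.scope}"

    def validated_eppn(self, a: UpstreamAssertion) -> str | None:
        eppn = a.attributes.get("eduPersonPrincipalName")
        if not eppn or "@" not in eppn:
            return None
        scope = eppn.rsplit("@", 1)[1].lower()
        # A scoped attribute is accepted only in a scope registered to the asserting
        # issuer; a value in some other scope is dropped rather than forwarded.
        if scope not in self.issuer_scopes.get(a.issuer, set()):
            return None
        return eppn

    def enrol(self, a: UpstreamAssertion, group: str) -> str:
        # Membership management links the upstream identity to a collaboration group.
        pid = self.proxy_id(a)
        self.groups.setdefault(pid, set()).add(group)
        return pid

    def release(self, a: UpstreamAssertion) -> dict:
        """Attributes handed to an SP: a stable id plus VO groups, whatever the upstream sent."""
        pid = self.proxy_id(a)
        entitlements = [f"urn:geant:{self.scope}:group:{g}#{self.scope}"   # AARC-style group URN
                        for g in sorted(self.groups.get(pid, set()))]
        return {
            "sub": pid,
            "eduPersonPrincipalName": self.validated_eppn(a),
            "mail": a.attributes.get("mail"),   # informational only, never an identifier
            "eduPersonEntitlement": entitlements,
            "upstream": a.issuer,
        }

# Constructed configuration and assertions: placeholder entityIDs, scopes, names and key.
ISSUER_SCOPES = {
    "https://idp.campus.example/idp": {"campus.example"},
    "https://social-idp.example": set(),   # no federation scope registered to it
}
CAMPUS = UpstreamAssertion("https://idp.campus.example/idp", "nameid-1",
                           {"eduPersonPrincipalName": "alice@campus.example",
                            "mail": "alice@campus.example"})
# Same subject string and the same eppn value, but asserted by an issuer that is not
# registered for that scope; the proxy must not treat this as the campus user.
SOCIAL = UpstreamAssertion("https://social-idp.example", "nameid-1",
                           {"eduPersonPrincipalName": "alice@campus.example",
                            "mail": "alice@campus.example"})
SILENT = UpstreamAssertion("https://idp.campus.example/idp", "nameid-2")   # released nothing

def build_demo_proxy() -> IdentityProxy:
    proxy = IdentityProxy("proxy.example.org", b"constructed-demo-key", ISSUER_SCOPES)
    proxy.enrol(CAMPUS, "members")   # the campus user was enrolled in the collaboration
    return proxy

if __name__ == "__main__":
    p = build_demo_proxy()
    for a in (CAMPUS, SOCIAL, SILENT):
        print(p.release(a))
```

Two points carry the security weight: identity is anchored to who authenticated the user (the issuer) together with that issuer's own subject, never to a claim the user could have typed in elsewhere, and scoped attributes are filtered against federation metadata before anything downstream sees them. Group membership lives with the proxy, which is what lets an SP authorize on collaboration role regardless of how much the home IdP released.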
[ 46 ]
AARC Blueprint Architecture
https://aarc-project.eu/architecture/
[ 47 ]
Many implementations...
[ 48 ]
So, what are external identities?
Depends on where one stands...
(Diagram, built up over three slides.) Seen from eduGAIN / Federations / Campuses, the external identities are: Social IDs, eGov IDs, Community managed / IGTF, Commercial.
Seen from a Research Collaboration, the external identities are: Social IDs, eGov IDs, Community managed / IGTF, Commercial, and eduGAIN itself.
![Page 52: MODERATOR NATHAN DORS IN-DEPTH THEME - EXTERNAL … · Why do we differentiate digital identities as being “internal” or “external”? Is doing so driven by business need or](https://reader033.vdocuments.net/reader033/viewer/2022050106/5f44208beb3fc960a4632a36/html5/thumbnails/52.jpg)
[ 52 ]
GÉANT eduTEAMS: Identity Hub
(Architecture diagram.) Components shown: Identity Hub; Membership Management (COmanage, labelled “v.20”, with a REST AA and a SAML AA); Infrastructure AAI proxy; and several groups of SPs behind them.
[ 53 ]
DISCUSSION & CONCLUSIONS
Thank you, presenters and attendees!