Real World Identity Management
DESCRIPTION
Today's IT industry is awash with offerings in the identity management space. In this session the presenter will explore real, tactical things we can do now to start solving the identity management issues in our enterprises and take a look at current efforts in the higher education community. We will consider technologies and key standards, as well as the policy and procedure issues we must address, regardless of technology, to achieve proper governance over our enterprise identities.
TRANSCRIPT
Real-World Identity Management Solutions
John A. Lewis, Chief Software Architect
Unicon, Inc.
28 July 2009, Campus Technology
Boston, Massachusetts
© Copyright Unicon, Inc., 2009. Some rights reserved. This work is licensed under a Creative Commons Attribution-Noncommercial-Share Alike 3.0 United States License. To view a copy of this license, visit: http://creativecommons.org/licenses/by-nc-sa/3.0/us/
What Makes Identity Important?
● Connects
– Users
– Applications
● Lots of other things
– security, privacy, spam,
– secrecy, trust, authority,
– collaboration, convenience,
– ...
What Is Identity Management?
● Account creation, directories, authentication, authorization, access controls, ...
● Includes policy, process, governance, trust
● Need new ways of thinking about controlling access to IT services
“A set of processes, and a supporting infrastructure, for the creation, maintenance, and use of digital identities.” – Burton Group
Identity Management Lifecycle
● Provisioning
– Initial account creation
– When to establish a persistent identity?
● Account updates
– Self-service? For which attributes?
– Central administrative changes
● Role maintenance
– Adding, changing, removing roles
● Suspending / Removing / Restoring
– When to do this? How long to retain it?
EDUCAUSE Top 10 IT Issues
● 2003 #3: Security & Identity Management
● 2004 #3: Security & Identity Management
● 2005 #2: Security & Identity Management
● 2006 #1: Security & Identity Management
● 2007 #4: Identity / Access Management (Security at #2)
● 2008 #5: Identity / Access Management (Security at #1)
Challenge & Goal
● Challenge: Fragmented Identity Landscape
– Many systems of record
– Many applications
– Many passwords
– Many overlapping roles
● Goal: Ease-of-Use for Students/Faculty/Staff
– Enable seamless access to resources
– Enforce security and privacy
– Create a sense of a unified Enterprise
Evolution of User Identity
● Application Silos
– Each with its own logins and passwords
● Common Directories / Databases
– Central store for person information
● Single Sign-On
– Central login system for multiple applications
● Federated Identity
– Trusted identity information from others
Emerging Best Practices
● Automate Provisioning across systems
● Separate Authentication and Authorization
● Use Roles for Access Control & Dynamic Rules
● Provide Delegated Administration
● Multiple Authoritative Sources for Attributes
● Allow Account Names to change
Federated Identities
Developing a Coherent Cyberinfrastructure from Local Campus to National Facilities:
Challenges and Strategies
A Workshop Report and Recommendations
EDUCAUSE Campus Cyberinfrastructure Working Group and Coalition for Academic Scientific Computation
February 2009
Short Link: http://bit.ly/jsTvH
Strategic Recommendation 2.3.1
“Agencies, campuses, and national and state organizations should adopt a single, open, standards-based system for identity management, authentication, and authorization, thus improving the usability and interoperability of CI resources throughout the nation.”
Tactical Recommendation 2.3.1a
The global federated system for identity management, authentication, and authorization that is supported by the InCommon Federation should be adopted with an initial focus on major research universities and colleges. After an initial deployment in research-oriented functions involving research universities, such an identity management strategy for CI should be implemented generally within funding agencies and other educational institutions.
Why Federated Identity?
● Authoritative information
– Users, privileges, attributes
● Improved security
– Fewer user accounts in the world
● Privacy when needed
– Fine control over attribute sharing
● Saves time & money
– Less work administering users
What Is SAML?
● Security Assertion Markup Language (SAML)
● XML-based Open Standard
● Exchange authentication and authorization data between security domains
– Identity Provider (a producer of assertions)
– Service Provider (a consumer of assertions)
● Approved by OASIS Security Services
– SAML 1.0 November 2002
– SAML 2.0 March 2005
Major SAML Applications
● Proquest
● Project MUSE
● Thomson Gale
● Elsevier ScienceDirect
● Google Apps
● ExLibris MetaLib
● Sakai & Moodle
● uPortal
● DSpace, Fedora
● Ovid
● Microsoft DreamSpark
● Moodle, Joomla, Drupal
● JSTOR, ArtSTOR, OCLC
● Blackboard & WebCT
● WebAssign & TurnItIn
● MediaWiki / Confluence
● National Institutes of Health
● National Digital Science Library
How Federated Identity Works
● A user tries to access a protected application
● The user tells the application where it's from
● The user logs in at home
● Home tells the application about the user
● The user is rejected or accepted
Diagram: federated login exchange between the User, the Service Provider (Application / Database) and the Identity Provider (User Directory)
1. User to SP: I'd like access
2. SP to User: Where are you from?
3. SP to User: Please login at home
4. User to IdP: I'd like to login for SP
5. User to IdP: Login
6. IdP to User: Here is data about you for the SP – send it
7. User to SP: Here is the data from my IdP
8. SP to User: Access Granted / Access Denied
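The SP-side checks behind step 8, as an added Python example (not from the talk, and not Shibboleth's code): it parses a constructed, minimal SAML 2.0 response and accepts it only if the issuer is the trusted IdP, the assertion is inside its validity window, it names this SP as its audience, and it answers the request this SP actually sent. All entity IDs, URLs, the request ID and the attribute value are made up, and XML signature verification is assumed to have been done already by an XML-DSig library before these checks run.

```python
import xml.etree.ElementTree as ET
from datetime import datetime, timezone

NS = {"saml": "urn:oasis:names:tc:SAML:2.0:assertion"}

# Constructed sample of the message in steps 6-7: the IdP's statement about the
# user, relayed by the user's browser to the SP. Signature assumed already verified.
SAMPLE_RESPONSE = """<samlp:Response xmlns:samlp="urn:oasis:names:tc:SAML:2.0:protocol"
    xmlns:saml="urn:oasis:names:tc:SAML:2.0:assertion" InResponseTo="_req42">
  <saml:Assertion>
    <saml:Issuer>https://idp.example.edu/idp/shibboleth</saml:Issuer>
    <saml:Subject><saml:NameID>jdoe</saml:NameID>
      <saml:SubjectConfirmation><saml:SubjectConfirmationData
        Recipient="https://sp.example.org/Shibboleth.sso/SAML2/POST"
        NotOnOrAfter="2009-07-28T14:05:00Z" InResponseTo="_req42"/>
      </saml:SubjectConfirmation></saml:Subject>
    <saml:Conditions NotBefore="2009-07-28T14:00:00Z" NotOnOrAfter="2009-07-28T14:05:00Z">
      <saml:AudienceRestriction><saml:Audience>https://sp.example.org/shibboleth</saml:Audience>
      </saml:AudienceRestriction></saml:Conditions>
    <saml:AttributeStatement><saml:Attribute Name="eduPersonAffiliation">
      <saml:AttributeValue>student</saml:AttributeValue></saml:Attribute>
    </saml:AttributeStatement>
  </saml:Assertion>
</samlp:Response>"""

def _ts(s):
    """Parse the UTC timestamps SAML uses (xs:dateTime with a trailing Z)."""
    return datetime.strptime(s, "%Y-%m-%dT%H:%M:%SZ").replace(tzinfo=timezone.utc)

def consume_assertion(xml_text, trusted_idp, my_entity_id, my_acs_url, request_id, now):
    """SP-side checks; returns (accepted, reason, attributes)."""
    a = ET.fromstring(xml_text).find("saml:Assertion", NS)
    if a is None:
        return False, "no assertion", {}
    # Only assertions from the IdP the federation metadata says we trust
    if a.findtext("saml:Issuer", namespaces=NS) != trusted_idp:
        return False, "untrusted issuer", {}
    cond = a.find("saml:Conditions", NS)
    # Time window: rejects stale or replayed assertions
    if not _ts(cond.get("NotBefore")) <= now < _ts(cond.get("NotOnOrAfter")):
        return False, "assertion outside validity window", {}
    # Audience: an assertion minted for another SP must not be accepted here
    if my_entity_id not in [e.text for e in cond.iterfind(".//saml:Audience", NS)]:
        return False, "assertion not addressed to this SP", {}
    scd = a.find(".//saml:SubjectConfirmationData", NS)
    # Must answer the request this SP actually issued, at this SP's own endpoint
    if scd.get("Recipient") != my_acs_url or scd.get("InResponseTo") != request_id:
        return False, "wrong recipient or unsolicited response", {}
    attrs = {att.get("Name"): [v.text for v in att.iterfind("saml:AttributeValue", NS)]
             for att in a.iterfind(".//saml:Attribute", NS)}
    return True, "ok", attrs
```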
JISC Video on Federated Identity
Short Link: http://bit.ly/YhqkD
● Great YouTube video that introduces Federated Identity & Access Management concepts
Shibboleth
● Enterprise federated identity software
– Based on standards (principally SAML)
– Extensive architectural work to integrate with existing systems
– Designed for deployment by communities
● Most widely used in education, government
● Broadly adopted in Europe
● 2.0 release implements SAML 2
– Backward compatible with 1.3
Shibboleth Project
● Free & Open Source
– Apache 2.0 license
● Enterprise and Federation oriented
● Started 2000 with first released code in 2003
● Excellent community support
– http://shibboleth.internet2.edu
Join the Federation!
Role of a Federation
● Agreed-upon Attribute Definitions
– Group, Role, Unique Identifier, Courses, …
● Criteria for IdM & IdP practices
– user accounts, credentialing, personal information stewardship, interoperability standards, technologies, ...
● Digital Certificates
● Trusted “notary” for all members
● Not needed for Federated IdM, but does make things even easier
InCommon Federation
● Federation for U.S. Higher Education & Research (and Partners)
● Over Three Million Users
● 163 Organizations
● Self-organizing & Heterogeneous
● Policy entrance bar intentionally set low
● Doesn’t impose lots of rules and standards
● http://www.incommonfederation.org/
Other Emerging Projects / Standards
● Grouper (grouper.internet2.edu)
– Access Management via sophisticated group structures, protocols
● Comanage (middleware.internet2.edu/co)
– Collaborative Organization Management Platform with a wide variety of “domesticated” applications
● XACML - eXtensible Access Control Markup Language
– declarative access control policy language and a processing model for interpreting the policies
● SPML - Service Provisioning Markup Language
– framework for exchanging user, resource, and service provisioning information between organizations
Questions & Answers
John A. Lewis, Chief Software Architect, Unicon, Inc.