OMG, Another Simple, Lightweight Authentication Service???

OMG, Another Simple, Lightweight Authentication Service???
Keith Hazelton, University of Wisconsin-Madison, Internet2 MACE
Jasig, Denver, 25 May 2011

Bamboo (.org) sites want to accept user authentication
from SAML identity providers (e.g. university members of InCommon running Shibboleth)
and from social identity providers (e.g. Google, Yahoo, Facebook, OpenID, ...)
BUT...

But each week brings a cool new social identity service.
Developers know how to configure and run SAML Service Providers and Resource Providers.
No free cycles for social-identity development.
They don't want to give up that big federation win.

Bamboo is a green-field project: no legacy code.
Our developers are eager to hear recommendations on good practices.

Sad but true: gateways that convert social-identity-based authentication into SAML assertions are a necessary part of the picture, given the current state of affairs.

But relying parties (Bamboo sites) want control over the gateway's operations, e.g. "do not allow authN via FB".
They will (initially at least) run their OWN Bamboo gateway.

Over time, that will mean LOTS of gateways

UNLESS we are able to agree on common solutions.
The SAML assertion from the gateway must minimally include the following information:
an identifier for the gateway, an identifier for the identity provider, and an identifier for the authenticated user.
The value of the user identifier for person A from a given IdP should be the same regardless of the gateway being traversed.

UNLESS we are able to agree on common solutions.
Those pieces of information should be expressed as consistently as possible by different gateways.
Decisions are required on how attributes and values appear in the application space.
That means forging community agreements on the attributes and values for carrying that information.
Those recommendations are being developed as we speak.
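The two requirements above (three identifiers in every gateway assertion, and a user identifier that does not change with the gateway) together with the per-RP control from the earlier slide ("do not allow authN via FB") can be illustrated in code. The following is an added example, not code from Bamboo, Internet2 or any gateway product: it builds a minimal SAML-style assertion with Python's standard library, derives the user identifier only from the upstream IdP and the subject that IdP issued, and shows the relying-party checks. The attribute names (urn:example:...), host names and subject values are hypothetical; the community agreement on real attribute names was still being worked out at the time of the talk.

```python
# Added example (not Bamboo's or Internet2's code): a minimal SAML-style
# assertion from a social-to-SAML gateway carrying the three identifiers
# the slide requires, plus the relying-party checks that follow from it.
# The attribute names, host names and subject values are hypothetical.
import hashlib
import xml.etree.ElementTree as ET

SAML_NS = "urn:oasis:names:tc:SAML:2.0:assertion"
ET.register_namespace("saml", SAML_NS)

# Hypothetical attribute names; the community agreement on what to call
# these was still being developed when the talk was given.
ATTR_GATEWAY = "urn:example:gateway-id"
ATTR_IDP = "urn:example:idp-id"
ATTR_USER = "urn:example:user-id"
REQUIRED = (ATTR_GATEWAY, ATTR_IDP, ATTR_USER)


def _q(tag):
    """Namespace-qualified tag name in Clark notation."""
    return f"{{{SAML_NS}}}{tag}"


def gateway_user_id(idp_id, idp_subject):
    """User identifier derived only from the upstream IdP and the subject it
    issued. The gateway's own identity is deliberately not an input, so any
    gateway following this rule emits the same value for the same person."""
    material = f"{idp_id}!{idp_subject}".encode()
    return hashlib.sha256(material).hexdigest()[:32]


def build_assertion(gateway_id, idp_id, idp_subject):
    """Serialise a minimal assertion. The gateway is the SAML Issuer and
    also repeats its identifier as an attribute so the RP can read all
    three identifiers from one AttributeStatement."""
    root = ET.Element(_q("Assertion"), Version="2.0")
    ET.SubElement(root, _q("Issuer")).text = gateway_id
    stmt = ET.SubElement(root, _q("AttributeStatement"))
    values = {
        ATTR_GATEWAY: gateway_id,
        ATTR_IDP: idp_id,
        ATTR_USER: gateway_user_id(idp_id, idp_subject),
    }
    for name, value in values.items():
        attr = ET.SubElement(stmt, _q("Attribute"), Name=name)
        ET.SubElement(attr, _q("AttributeValue")).text = value
    return ET.tostring(root, encoding="unicode")


def parse_attributes(xml_text):
    """Map attribute Name -> first AttributeValue text."""
    root = ET.fromstring(xml_text)
    attrs = {}
    for attr in root.iter(_q("Attribute")):
        value = attr.find(_q("AttributeValue"))
        attrs[attr.get("Name")] = value.text if value is not None else None
    return attrs


def rp_accept(xml_text, blocked_idps):
    """Relying-party decision: (True, user_id) or (False, reason).
    Signature verification is out of scope here; a real RP validates the
    gateway's signature before trusting any of these values."""
    attrs = parse_attributes(xml_text)
    missing = [name for name in REQUIRED if not attrs.get(name)]
    if missing:
        return False, "assertion lacks " + ", ".join(missing)
    if attrs[ATTR_IDP] in blocked_idps:
        # The per-RP control from the slides: "do not allow authN via FB".
        return False, f"authentication via {attrs[ATTR_IDP]} is not allowed"
    return True, attrs[ATTR_USER]


if __name__ == "__main__":
    subject = "10769150350006150715113082367"  # constructed sample subject
    a1 = build_assertion("gw.bamboo.example", "https://accounts.google.com", subject)
    a2 = build_assertion("gw.other.example", "https://accounts.google.com", subject)
    # Same person, same IdP, two different gateways: identical user id.
    print(parse_attributes(a1)[ATTR_USER] == parse_attributes(a2)[ATTR_USER])  # True
    fb = build_assertion("gw.bamboo.example", "https://www.facebook.com", "42")
    print(rp_accept(fb, {"https://www.facebook.com"}))
```

The design point is in `gateway_user_id`: the gateway identifier is carried in the assertion so the RP knows which gateway it is trusting, but it is kept out of the user identifier's derivation, which is what makes the identifier stable across gateways. The block-list check is the simplest form of the RP-side control the slides ask for; an allow-list of IdP identifiers would be the stricter choice.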

The Bamboo RPs should support discovery, helping the user specify their choice of IdP.
This keeps the existence of the gateway invisible to the user, so if gateways go away someday...
Application developers may not like this: "Why can't the gateway do the discovery bit?"

The Bamboo app should not have to know anything about SAML, OAuth 1.0, OAuth 2.0, OpenID, OpenID ABC, or...
The application developers don't care, and should not have to care, about the protocol.

OK, expert, did Bamboo hear you correctly?