Providing Secure Access to On and Off-Campus Resources: A Case Study in Federated Identity
John O’Keefe, Director of Academic Technology & Network Services, Lafayette College
https://spaces.internet2.edu/display/~okeefej@lafayette.edu/Presentation+on+FIdM

Why Do IdM and FIdM Matter?

Why Is IdM So Important?
- Many systems, many logins
- Authentication, authorization, and accounting (AAA)
- Regulations
- Seamless access to internal apps (single sign-on)
- Business process improvement

Strong Foundational IdM Leads to FIdM
- Use federation and Shibboleth guidelines as you develop IdM systems
- Extend schemas (e.g. eduPerson)
- Develop business practices
- Automation of provisioning and de-provisioning must be your goal

What Is Federated Identity Management?
A federation is “an association of organizations that come together to exchange information, as appropriate, about their users and resources in order to enable collaborations and transactions.” FIdM includes both the practices and the technologies relative to this exchange.

FIdM Practices
- Account creation and termination procedures
- Properly maintained and secured identity store
- Attribute Release Policy (ARP): which attributes about a user are released to which service providers
- Cooperation from key administrative units (HR, Admissions)
- Policies and procedures that match the required Level of Assurance (LoA)

FIdM Technologies
- Microsoft CardSpace
- OpenID
- Shibboleth

Shibboleth
- Most common in higher education
- Based on the eduPerson schema
- InCommon Federation
- Stack: Tomcat/Java for the IdP, with OpenLDAP, Active Directory, or eDirectory as the attribute store
- SAML (Security Assertion Markup Language)

Shibboleth’s Two Heads
- Identity Provider (IdP): authenticates the user and shares an authentication assertion and person attributes with others
- Service Provider (SP): consumes those assertions to share hosted services with others
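
The two heads and the Attribute Release Policy from the earlier slide fit together as one exchange, shown here as an added example written for this page (it is not code from the presentation or from the Shibboleth project). The IdP applies a per-SP allow-list ARP before issuing a SAML 2.0 assertion; the SP refuses an assertion whose issuer is not in its (constructed) federation metadata, whose audience is another SP, or whose validity window has passed. All entityIDs, the ARP contents and the directory record are constructed for the example. A real SP also verifies the XML Signature against the issuer’s key from federation metadata and checks SubjectConfirmationData (Recipient, InResponseTo); those steps are omitted here.

```python
from datetime import datetime, timedelta, timezone
import xml.etree.ElementTree as ET

SAML = "urn:oasis:names:tc:SAML:2.0:assertion"
ET.register_namespace("saml", SAML)

def tag(name):
    return f"{{{SAML}}}{name}"

IDP = "https://idp.example.edu/idp/shibboleth"        # constructed entityID
JSTOR = "https://jstor.example.org/shibboleth"        # constructed entityID
MOODLE = "https://moodle.example.edu/shibboleth"      # constructed entityID

# Constructed stand-in for federation metadata: the IdPs this SP trusts.
TRUSTED_IDPS = {IDP}

# Constructed Attribute Release Policy: per-SP allow-list, deny by default.
ARP = {
    JSTOR: {"eduPersonScopedAffiliation", "eduPersonTargetedID"},
    MOODLE: {"eduPersonPrincipalName", "givenName", "sn", "mail"},
}

def release_attributes(sp_entity_id, user):
    """IdP side: keep only what the ARP permits for this SP; an unknown SP gets nothing."""
    allowed = ARP.get(sp_entity_id, set())
    return {k: v for k, v in user.items() if k in allowed}

def build_assertion(idp_entity_id, sp_entity_id, user, now, lifetime=timedelta(minutes=5)):
    """IdP side: a minimal SAML 2.0 Assertion with Issuer, Conditions and an AttributeStatement."""
    a = ET.Element(tag("Assertion"), Version="2.0", ID="_a1", IssueInstant=now.isoformat())
    ET.SubElement(a, tag("Issuer")).text = idp_entity_id
    cond = ET.SubElement(a, tag("Conditions"), NotBefore=now.isoformat(),
                         NotOnOrAfter=(now + lifetime).isoformat())
    aud = ET.SubElement(cond, tag("AudienceRestriction"))
    ET.SubElement(aud, tag("Audience")).text = sp_entity_id
    stmt = ET.SubElement(a, tag("AttributeStatement"))
    for name, value in sorted(release_attributes(sp_entity_id, user).items()):
        att = ET.SubElement(stmt, tag("Attribute"), Name=name)
        ET.SubElement(att, tag("AttributeValue")).text = value
    return ET.tostring(a, encoding="unicode")

def validate_assertion(xml_text, my_entity_id, now):
    """SP side: reject an untrusted issuer, an out-of-window assertion, or one
    addressed to another SP before trusting any attribute in it.
    (Signature verification against federation metadata is omitted here.)"""
    a = ET.fromstring(xml_text)
    issuer = a.findtext(tag("Issuer"))
    if issuer not in TRUSTED_IDPS:
        raise ValueError(f"issuer not in federation metadata: {issuer}")
    cond = a.find(tag("Conditions"))
    if cond is None:
        raise ValueError("assertion has no Conditions")
    not_before = datetime.fromisoformat(cond.get("NotBefore"))
    not_on_or_after = datetime.fromisoformat(cond.get("NotOnOrAfter"))
    if not (not_before <= now < not_on_or_after):
        raise ValueError("assertion outside its validity window")
    audiences = [e.text for e in cond.iter(tag("Audience"))]
    if my_entity_id not in audiences:
        raise ValueError(f"assertion addressed to {audiences}, not to {my_entity_id}")
    return {att.get("Name"): att.findtext(tag("AttributeValue")) for att in a.iter(tag("Attribute"))}

def demo():
    """One exchange with the JSTOR SP, plus the three rejections an SP must make."""
    now = datetime(2009, 1, 15, 12, 0, tzinfo=timezone.utc)
    user = {  # constructed directory record for one person
        "eduPersonPrincipalName": "jdoe@example.edu", "givenName": "Jane", "sn": "Doe",
        "mail": "jdoe@example.edu", "eduPersonScopedAffiliation": "member@example.edu",
        "eduPersonTargetedID": "3f2a9c", "employeeNumber": "10042",
    }
    good = build_assertion(IDP, JSTOR, user, now)
    results = {"released": validate_assertion(good, JSTOR, now + timedelta(seconds=30))}
    attempts = {
        "wrong_audience": (good, MOODLE, now),                    # replayed to another SP
        "expired": (good, JSTOR, now + timedelta(minutes=10)),    # replayed after NotOnOrAfter
        "untrusted_issuer": (build_assertion("https://rogue.example.net/idp", JSTOR, user, now), JSTOR, now),
    }
    for name, args in attempts.items():
        try:
            validate_assertion(*args)
            results[name] = "accepted"
        except ValueError as err:
            results[name] = f"rejected: {err}"
    return results

if __name__ == "__main__":
    for outcome, detail in demo().items():
        print(f"{outcome}: {detail}")
```

Note that JSTOR receives only a scoped affiliation and an opaque targeted ID, never the name or e-mail: the ARP is what keeps a library SP from learning more than “this is a member of example.edu,” and the deny-by-default lookup means a newly federated SP gets nothing until someone writes a rule for it.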

Why Federated IdM?
- Access to content, resources, and services both inside and outside the institution
- Facilitates collaboration

Access to Content & Services
- Library content (JSTOR, RefWorks)
- Federal agencies (NSF, Dept. of Ed)
- Student enrollment verification
- Hosted applications off campus (Google, Microsoft, etc.)
- Single sign-on (SSO) for web-based applications
- Internet2 (I2) computing and instrumentation resources

Facilitates Collaboration
- Enables faculty and students, both within and beyond your institution, to use a common set of applications
- Enables faculty and students, both within and beyond your institution, to access, share, and manipulate a common set of data
- Enables faculty and students, both within and beyond your home institution, to access research tools over the Internet and Internet2

Case Study @ Lafayette College

The Beginning
- Net@EDU 2003: introduction to Shibboleth 1.0
- ITS/Library merge, 2005: 11 different username/password combinations
- Users demanding better service

Centralize the Identity Store
- Decide on a single, central identity store (OpenLDAP)
- Migrate to and secure the identity store
- Develop policies for data stewardship, password management, help desk, and ARP
- Provision and de-provision accounts according to established policies

Moving Towards Federated Identity Management
- Implemented eduPerson schema extensions (for Moodle, iTunes U)
- Used the Shibboleth/InCommon guidelines as a guide
- Implemented Shibboleth, March 2007
- Joined InCommon, June 2007
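
The provisioning and de-provisioning goal from the foundational-IdM slide, the “provision and de-provision according to established policies” step above, and the eduPerson extensions come together in a reconciliation job. The following is an added example written for this page, not code from the presentation or from Lafayette: it diffs an authoritative HR/Registrar feed against a snapshot of the central store and emits LDIF for ldapmodify. The feed rows, the directory snapshot, the base DN and the scope are constructed; the eduPerson attribute names are the real ones, and the assumption is an OpenLDAP server with the eduPerson schema and the ppolicy overlay loaded (pwdAccountLockedTime comes from ppolicy).

```python
import csv
import io

BASE_DN = "ou=People,dc=example,dc=edu"   # constructed
SCOPE = "example.edu"                     # constructed ePPN / scoped-affiliation scope
LOCK = "000001010000Z"                    # OpenLDAP ppolicy: this pwdAccountLockedTime value locks permanently

# Constructed authoritative feed from HR/Registrar.
HR_FEED = """uid,givenName,sn,mail,affiliation,status
jdoe,Jane,Doe,jdoe@example.edu,faculty,active
asmith,Alan,Smith,asmith@example.edu,student,active
bold,Bea,Old,bold@example.edu,staff,terminated
"""

# Constructed snapshot of the identity store: uid -> the attributes that matter here.
DIRECTORY = {
    "jdoe":  {"eduPersonAffiliation": "staff"},     # HR now says faculty: update
    "bold":  {"eduPersonAffiliation": "staff"},     # terminated in HR: deprovision
    "ghost": {"eduPersonAffiliation": "member"},    # no HR record at all: deprovision
    "done":  {"pwdAccountLockedTime": LOCK},        # already deprovisioned: leave alone
}

def parse_feed(text):
    return {row["uid"]: row for row in csv.DictReader(io.StringIO(text))}

def plan(feed, directory):
    """Diff the feed against the store: who to add, update, or deprovision."""
    active = {u for u, r in feed.items() if r["status"] == "active"}
    live = {u for u, e in directory.items() if e.get("pwdAccountLockedTime") != LOCK}
    return {
        "add": sorted(active - set(directory)),
        "update": sorted(u for u in active & live
                         if directory[u].get("eduPersonAffiliation") != feed[u]["affiliation"]),
        # Anyone live in the store but not active in the feed, whether HR marked
        # them terminated or their record vanished from the feed entirely.
        "deprovision": sorted(live - active),
    }

def to_ldif(feed, directory):
    """Render the plan as LDIF records for ldapmodify."""
    p = plan(feed, directory)
    records = []
    for uid in p["add"]:
        r = feed[uid]
        records.append("\n".join([
            f"dn: uid={uid},{BASE_DN}", "changetype: add",
            "objectClass: top", "objectClass: person", "objectClass: organizationalPerson",
            "objectClass: inetOrgPerson", "objectClass: eduPerson",
            f"uid: {uid}", f"cn: {r['givenName']} {r['sn']}", f"givenName: {r['givenName']}",
            f"sn: {r['sn']}", f"mail: {r['mail']}",
            f"eduPersonPrincipalName: {uid}@{SCOPE}",
            f"eduPersonAffiliation: {r['affiliation']}",
            f"eduPersonScopedAffiliation: {r['affiliation']}@{SCOPE}",
        ]))
    for uid in p["update"]:
        aff = feed[uid]["affiliation"]
        records.append("\n".join([
            f"dn: uid={uid},{BASE_DN}", "changetype: modify",
            "replace: eduPersonAffiliation", f"eduPersonAffiliation: {aff}", "-",
            "replace: eduPersonScopedAffiliation", f"eduPersonScopedAffiliation: {aff}@{SCOPE}",
        ]))
    for uid in p["deprovision"]:
        # Lock and strip affiliations rather than delete the entry: a deleted uid/ePPN
        # can be reissued to a new person, who would then inherit the old person's
        # access at every SP that keyed on it. "replace" with no values removes the
        # attribute without failing when it is already absent.
        records.append("\n".join([
            f"dn: uid={uid},{BASE_DN}", "changetype: modify",
            "replace: pwdAccountLockedTime", f"pwdAccountLockedTime: {LOCK}", "-",
            "replace: eduPersonAffiliation", "-",
            "replace: eduPersonScopedAffiliation",
        ]))
    return "\n\n".join(records) + "\n"

if __name__ == "__main__":
    print(to_ldif(parse_feed(HR_FEED), DIRECTORY))
```

Stripping eduPersonAffiliation and eduPersonScopedAffiliation on termination matters as much as locking the password: an SP such as a library platform typically authorizes on “member@example.edu,” so a locked account that still carries the affiliation would keep granting access wherever a session or a different authentication path survives.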

Lafayette and FIdM In Production

Our Installation
- Red Hat Enterprise Linux 5
- Tomcat 5.5.26
- Apache 2.2
- Shibboleth 2.1.1 (SP and IdP, each running on its own blade server)
- Member of InCommon since 2007
- 30% of 1 FTE

What We Do With Federated Identity Today
- DreamSpark
- Internal network management apps
- Library applications (JSTOR, RefWorks)
- Moodle
- Spaces (Lafayette’s collaborative Moodle instance)
- Spaces (Internet2 wiki)
- University Tickets Online
- University of Washington Technology Wiki

What’s Next for LC and FIdM: Internal Apps
- Drupal
- MediaWiki
- Secure websites (replace .htaccess files with Shibboleth SP protection)
- Single sign-on
- WordPress MU
- Zimbra

What’s Next for LC and FIdM: External Apps
- Collaborations with other schools
- Financial aid applications
- Google Apps
- GridShib
- iTunes U
- NITLE services
- NSF and grant application/management

Projects on the Horizon
- Automate account creation/termination procedures
- Encourage others to implement Shibboleth
- More hooks and information into the identity vault
- Comply with the InCommon Silver Level of Assurance (LoA) for federal applications

Challenges and Lessons Learned
- Support
- Promotion / explaining FIdM
- Training (CAMP, NITLE conference)
- Finding others to work with

Links & Resources
All relevant links can be found at: https://spaces.internet2.edu/display/~okeefej@lafayette.edu/Links+and+Resources

Copyright John O’Keefe January 2009 This work is the intellectual property of the author. Permission is granted for this material to be shared for non-commercial, educational purposes, provided that this copyright statement appears on the reproduced materials and notice is given that the copying is by permission of the author. To disseminate otherwise or to republish requires written permission from the author.