User Authentication and Metrics Parallel Session 4b - Friday, May 4 at 09:00 in Room 4 - Session Leaders: Steve Browdy, Lucia Lovison AIP-5 Kickoff.

Presentation transcript:

User Authentication and Metrics Parallel Session 4b - Friday, May 4 at 09:00 in Room 4 - Session Leaders: Steve Browdy, Lucia Lovison AIP-5 Kickoff Workshop UNEP Geneva 3-4 May 2012

Session Agenda
- Session Introduction (5 minutes)
- Self introductions (5 minutes)
- Primary presentations (30 minutes)
  - identify what problem you are solving
  - emphasis on the end-to-end use case: publish, find, bind, workflow, decision
  - listing of services and data contributions
- Open discussion (20 minutes)
  - Interactive discussion of design and interoperability arrangements
- Develop a work plan (30 minutes)
  - review and comment on AIP Master Schedule
  - identify session-specific milestones
  - what is missing and still needed: service and data gaps
  - what would result in a paradigm shift to meeting our objectives rather than a simple evolutionary path

Authentication Key Points
- User Authentication is a 2012 IIB priority
- Research began in AIP-3
- Goal is to operationalize this going into 2013
- User Authentication entails:
  - User registration
  - Single Sign-On (SSO)
- There exist multiple options:
  - Federated (lightest impact on GCI)
  - Centralized (heaviest impact on GCI)
  - Hybrid ???
- Solutions that have been considered:
  - OpenID
  - OAuth
  - Shibboleth
- At this point, there is only interest in authentication, not access control
- Could there be a “GEOSS User”?

Metric Key Points
- User metrics is a 2012 IIB priority
- Goal is to operationalize this going into 2013
- User metrics initially discussed in early 2011 by DSTF (now DSWG)
- Does not need to be coupled to registration and authentication, but could be
- May aggregate metrics, but no individual tracking
- User metrics reports:
  - Provider used
  - Resource accessed
  - Date/time of access
  - Other metadata, as desired and within reason

High Level Requirements
- Single Sign-On (SSO)
- Metrics
  - Duration of login without activity
  - Password longevity
  - Resources accessed
- Implementation Impact
  - Desired
    - Light impact for data providers
    - Light impact for GCI
  - Realistic
    - Tradeoff between data providers and GCI
    - One will most likely have much more to do than the other
    - AIP still looking into this (will continue in AIP-4)

High Level Requirements
- Data user perspective
  - Easy to register
  - Possibly identified as “GEOSS User”
  - No repeat logins desired
- Legal perspective
  - User privacy issues
  - Data provider access issues (time to logout)

When Should It Be Done (Development/Test/Deploy Schedule)
- Process
  - DSTF -> ADC -> IIB -> AIP -> GCI-CT …
- Development
  - Specification to be written (no matter how small)
  - GCI component providers to develop (AIP-4)
  - AIP to experiment/test
- GCI-CT to update and test against consolidated requirements
  - Make sure that all technical goals have been met
- DSWG Sign-off
  - Make sure that all data sharing goals have been met
- Deploy into the GCI
  - Code release
  - Maintenance on existing users (if necessary)

Current Status
- AIP-3 assumed SSO from two perspectives:
  - Federated solution
    - Impact on data providers (possibly non-trivial)
    - Virtually no impact on GCI
  - GCI-centric solution
    - Light impact on data providers
    - Heavy impact on GCI
- Two technologies researched
  - OpenID
  - Shibboleth

Current Status
- OpenID
  - Federated solution
  - User must register at an OpenID server
    - Use OpenID itself
    - Use some other implementation of OpenID server (possibly in the GCI)
  - Somewhat light impact on data provider
    - Checking authentication, not authorization
  - However,
    - Most notable OpenID solutions leverage external identity providers such as Google, Yahoo, and PayPal.
    - Metrics across multiple providers will be problematic without heavier impact on providers.
    - Machine-to-machine issues may exist, but haven’t been tested yet.

Current Status

Current Status
- Shibboleth
  - Federated solution
  - There must exist an Identity Provider (IdP)
    - Needs to be provided by GCI or some other provider.
    - Not provided by trusted 3rd parties, such as Google, Yahoo, etc.
    - Works in conjunction with a user directory
      - Active Directory
      - LDAP
  - Very heavy impact on data provider and potentially the GCI
    - Checking authentication and authorization
  - However,
    - Metrics across multiple providers will be problematic without a GCI-provided IdP.
    - Machine-to-machine issues may exist without a GCI-provided IdP.

GCI-Centric Solution

Things to Consider
- Relative impact between data providers and GCI
- If a GCI component is deemed the way to go, then it needs to be written into the AIP-4 CFP.
- As seamless and painless as possible for users and providers.
- Will require a complete implementation guideline for data providers.
- Should there be a “GEOSS User”?
- Work continues with AIP-5, how soon is it needed?
