South African Identity Federation

Presentation transcript:

South African Identity Federation
Library IT Network Usage Enhancement Workshop, 2016/08/30

Identity Federations: An introduction

Federated Identity
A federated identity in information technology is the means of linking a person's electronic identity and attributes, stored across multiple distinct identity management systems. (https://en.wikipedia.org/wiki/Federated_identity)
Notes: Explain the concepts of identity, attributes, and identity management systems.

The problem we’re trying to solve

Federated Identity vs Single Sign-On
Federated Identity:
- Key concept is to use the same set of credentials to obtain access to multiple resources
- Specifically tries to avoid duplication of credentials
Single Sign-On:
- Key concept is to provide credentials once and obtain access to multiple resources
- Each system may maintain its own set of credentials (e.g. password synchronisation)
Separate concepts, but a single technology may achieve both goals. People sometimes use the terms interchangeably, because it's common to solve both problems together.

Federation Actors: End User
- The end user is typically a real person who belongs to one or more organisations, and would like access to one or more resources or services
Notes: End users have personal information associated with them – their name, address, job title, etc.

Federation Actors: Identity Provider
- An Identity Provider knows the End User, and can provide information about that user with a high degree of certainty
- Typically an organisation to which the End User belongs or works for – e.g. students at a university, staff at a research council
- Also known as their Home Organisation
Notes: Examples of personal information held about a student (name, student number, email address, degree registered for, etc).

Federation Actors: Service Provider
- A Service Provider operates a resource the End User wishes to gain access to, and needs/wants information about the End User
- Can be a third party (e.g. a publisher or research facility)
- Also known as the Visited Organisation
Notes: Examples of information a service provider might want – display name, email, etc. Talk about need vs want.

Federation Actors: Federation Operator
- A Federation Operator acts as a trusted intermediary between the Identity Provider and the Service Provider
- Provides the glue (metadata) that makes the federation work
- Also known as the Roaming Operator

Academic Identity Federations

Why not just use Google? (donald.trump17@gmail.com)
- All the major social network platforms provide federated identities…
- … so why don't we just use these?
- They all have one major drawback – they are self asserted
- This means you cannot trust any of the attributes
- This is often okay, but…
Notes: Would you allow donald.trump17@gmail.com access to sensitive medical records?

Academic Identity Federations
- Academic identity federations exist to solve the trust problem
- Your home organisation – university, research council, etc – knows a lot about you
- They also know stuff specific to higher education
- More importantly, most of this information has been checked and may be subject to audit
- This makes them ideal to act as identity providers

Academic Federation Operators
- All federations have operators: Facebook Inc operates Facebook Connect
- Academic federations are usually operated by the National Research and Education Network
- Typically only one per country
- 63 known academic federations worldwide
- International collaboration through REFEDS

Academic Identity Federations Around the World
https://refeds.org/federations/federations-map

Inter-federation
- Inter-federation is the linking of one (academic) federation to another
- Through inter-federation we can gain access to services that are not available in our own country
- Service providers can gain access to customers

Federation Technologies
- Social networks tend to favour OAuth
- But OAuth does not lend itself to inter-federation
- Academic federations tend to favour SAML2
- This is commonly misnamed as Shibboleth
- Shibboleth was an early version of the SAML protocol – no longer in use
- Shibboleth is also the name of a software vendor who makes SAML2 software
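The "glue (metadata)" mentioned on the Federation Operator slide and the SAML2 technology named above can be made concrete with a small added example that is not part of the presentation and not SAFIRE's own tooling. It shows the Service Provider side of a SAML2 federation: load the operator's metadata aggregate, refuse it if it has expired, and resolve an Identity Provider's single sign-on endpoint only for entities the operator has actually published. The aggregate XML, the entityIDs and the hostnames are constructed for this illustration; the function names are this example's own.

```python
import xml.etree.ElementTree as ET
from datetime import datetime, timezone

# SAML 2.0 metadata namespace and the two bindings used below (standard URIs)
MD = "urn:oasis:names:tc:SAML:2.0:metadata"
NS = {"md": MD}
REDIRECT = "urn:oasis:names:tc:SAML:2.0:bindings:HTTP-Redirect"
POST = "urn:oasis:names:tc:SAML:2.0:bindings:HTTP-POST"

# Constructed sample aggregate: one IdP (a university) and one SP (a publisher).
# entityIDs and hostnames are hypothetical, not real federation members.
SAMPLE_AGGREGATE = """<md:EntitiesDescriptor xmlns:md="urn:oasis:names:tc:SAML:2.0:metadata"
    Name="https://federation.example.test/metadata" validUntil="2016-09-06T00:00:00Z">
  <md:EntityDescriptor entityID="https://idp.university.test/idp/shibboleth">
    <md:IDPSSODescriptor protocolSupportEnumeration="urn:oasis:names:tc:SAML:2.0:protocol">
      <md:SingleSignOnService Binding="urn:oasis:names:tc:SAML:2.0:bindings:HTTP-Redirect"
          Location="https://idp.university.test/idp/profile/SAML2/Redirect/SSO"/>
      <md:SingleSignOnService Binding="urn:oasis:names:tc:SAML:2.0:bindings:HTTP-POST"
          Location="https://idp.university.test/idp/profile/SAML2/POST/SSO"/>
    </md:IDPSSODescriptor>
  </md:EntityDescriptor>
  <md:EntityDescriptor entityID="https://sp.publisher.test/shibboleth">
    <md:SPSSODescriptor protocolSupportEnumeration="urn:oasis:names:tc:SAML:2.0:protocol">
      <md:AssertionConsumerService Binding="urn:oasis:names:tc:SAML:2.0:bindings:HTTP-POST"
          Location="https://sp.publisher.test/Shibboleth.sso/SAML2/POST" index="1"/>
    </md:SPSSODescriptor>
  </md:EntityDescriptor>
</md:EntitiesDescriptor>
"""


def parse_aggregate(xml_text, now):
    """Parse a metadata aggregate into {'idps': {...}, 'sps': {...}}.

    Raises ValueError if the document is not an EntitiesDescriptor, carries no
    validUntil, or has expired relative to `now` (a timezone-aware datetime).
    Stale metadata is refused because an entity the operator has since removed
    must not keep being trusted.
    """
    root = ET.fromstring(xml_text)
    if root.tag != f"{{{MD}}}EntitiesDescriptor":
        raise ValueError("not a SAML2 metadata aggregate")
    valid_until = root.get("validUntil")
    if valid_until is None:
        raise ValueError("aggregate has no validUntil; refusing to trust it")
    expiry = datetime.strptime(valid_until, "%Y-%m-%dT%H:%M:%SZ").replace(tzinfo=timezone.utc)
    if now >= expiry:
        raise ValueError(f"aggregate expired at {valid_until}")

    idps, sps = {}, {}
    for ed in root.findall("md:EntityDescriptor", NS):
        entity_id = ed.get("entityID")
        # IdP endpoints: where an SP sends the user to authenticate
        for sso in ed.findall("md:IDPSSODescriptor/md:SingleSignOnService", NS):
            idps.setdefault(entity_id, {})[sso.get("Binding")] = sso.get("Location")
        # SP endpoints: where an IdP returns the assertion
        for acs in ed.findall("md:SPSSODescriptor/md:AssertionConsumerService", NS):
            sps.setdefault(entity_id, {})[acs.get("Binding")] = acs.get("Location")
    return {"idps": idps, "sps": sps}


def sso_endpoint(registry, idp_entity_id, binding=REDIRECT):
    """Return the IdP's SSO URL for `binding`, or None if the IdP is not in the
    operator's metadata (i.e. an unknown or self-registered identity)."""
    return registry["idps"].get(idp_entity_id, {}).get(binding)


def acs_endpoint(registry, sp_entity_id, binding=POST):
    """Return the SP's AssertionConsumerService URL, or None if unpublished."""
    return registry["sps"].get(sp_entity_id, {}).get(binding)


if __name__ == "__main__":
    now = datetime(2016, 8, 30, tzinfo=timezone.utc)  # the workshop date
    registry = parse_aggregate(SAMPLE_AGGREGATE, now)
    print(sso_endpoint(registry, "https://idp.university.test/idp/shibboleth"))
    print(sso_endpoint(registry, "https://accounts.social.test/"))  # None: not federated
```

The point of the lookup returning None is the trust argument from the earlier slides: an SP in a federation does not accept any IdP that turns up, only those the operator has vetted and published. A real deployment also verifies the operator's XML signature over the aggregate before using it, and re-fetches the aggregate well before validUntil; both steps are omitted here.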

SAFIRE – South African Identity Federation

SAFIRE History
- Project started as a pilot 2.5 years ago
- Joint project of ASAUDIT, SANReN Competency Area & TENET
- Functional pilot, but… … struggled to gain traction
- Eight universities agreed to fund SAFIRE (NWU, RU, SU, UCT, UJ, UKZN, UP, UWC)
- TENET nominated as juristic body of record
- Appointed a full time project director in April 2016

SAFIRE Status
- Policy, practice statements, and other governance documentation have been developed
- Technology roadmap available: covers the next ~18 months, to full production
- First phase of implementation underway
- Preparing to join eduGAIN
- Had some discussions with ORCID
Notes: University IT departments should know all this.

Why does all of this matter? AKA: What is in it for us?

Use cases: Access to electronic resources
- Many libraries are providing access to electronic resources
- Often there's a demand for off campus access to these
- Current mechanisms for doing so are dated and problematic
- There may be benefit from supporting more granular licensing structures: what if only academic staff could access it?
Notes: Talk about the problems with IP based access control, SSL certs, etc. Talk about integration alternatives. Talk about resources already federated.

Use cases: Access to electronic resources (continued)
Rhodes University Library & eduGAIN MET
Notes: Scaled by number of federations the publisher is a member of.

Use cases: Shared systems
- Many universities are making use of shared systems
- Libraries have OPACs, repository systems, etc. But also research management, funding, etc.
- Typically these have their own credentials, which leads to confusion for end users
- And those identities need to be maintained
Notes: SEALS, Calico. But also research partnerships. Mention ORCID.

Use cases: Library publishers
- Libraries who publish (e.g. journals) may want to become service providers
- Get reliable data about end users and affiliations
- Makes access control simpler – one mechanism for all participants
- Simplify login / sign-up mechanisms
- Through eduGAIN you can gain access to international markets

Benefits of federating
- Reduced integration costs / economies of scale
- Easier access to resources
- Fewer data inconsistencies
- No / less end user identity management
- Improved user experiences, e.g. off campus users

Questions?
safire@tenet.ac.za