What is Federated ID Management and Why Should You Care?


Tim Poe & Steve Thorpe {tpoe, thorpe}@mcnc.org
MCNC All-Staff Meeting, March 19, 2009

Outline
- Motivation
- Example Services
- Benefits
- Underlying Technology
- NCTrust Federation Pilot
- Demo

Motivation
- Many NC institutions desire access to remote protected web-based services
  - 17 UNC system institutions
  - 115 LEAs, 2,500+ K-12 schools
  - 58 community colleges
  - 36 independent colleges / universities
  - Plus many other government / educational / commercial organizations
- Desire is for access to be efficient, cost effective, quick, secure, and user-friendly
- Federated ID Management technologies enable such access

ATM machines - An Early Example of Federated ID Management
- Thousands of banks - Federated
- Millions of users (bank customers)
- User login (ATM card) and password (PIN) maintained by the user’s home institution (Bank)
- Other institutions give service ($) access to remote users, based on trusting the login and password that’s maintained by the home institution
- Today we’re doing something similar, only we’re providing Web-based services rather than $

Example – Confluence
- Confluence is a web-based wiki service that fosters collaboration among multiple institutions
- Federated ID Management technologies can alleviate MCNC’s current need for in-house management of accounts for outside users
- Each home institution would manage their *own* accounts

Example - NCLive
- NCLive provides access to eJournals, etc. for libraries, higher-ed and increasingly K-12
- Want ease of resource accessibility yet must adhere to licenses of various products being distributed, e.g. certain content might be allowed only for:
  - Students
  - K-20 staff
  - Chemistry teachers
  - etc.

Examples - VCL
- NCSU’s Virtual Computing Lab (VCL) is a web service that allows reservations of a computer with a desired set of applications, then remote access over the Internet
- You can use applications such as Matlab, Maple, SAS, Solidworks, and many others. Linux, Solaris and numerous Windows environments are available
- Due to licensing and resource limitations, access must be limited to certain user communities

Other Examples
- How about a service for elementary school kids to access privately licensed PBS, CSPAN, and Discovery Learning video content through the internet?
- How about a service to enable cross-institutional course registration for access to distance learning from a different university in the UNC system?
- Federated ID Management technologies can facilitate resource utilization across NCREN by enabling these and other web-based services much more efficiently, saving $ for MCNC and the NCREN community

Benefits of Federated ID
- Prevents users from having to know yet-another password
- Prevents system administrators from having to add yet-another account
- Avoids logins becoming out of date
- Enables easier scaling of web-based applications to include multiple additional users/organizations
- Confidence that users are who they say they are, with up-to-date accuracy
- Home institutions reliably manage their own user accounts

Underlying Technology: Shibboleth
- Shibboleth is open source software for web single sign-on across or within organizational boundaries
- Allows informed authorization decisions for protected web service access in a privacy-preserving manner
- Uses Security Assertion Markup Language (SAML) to provide federated single sign-on and attribute exchange framework
- Provides extended privacy functionality allowing the browser user and their home site to control the attributes released to each application

Obligatory Geek Diagram - Simplified (the only one, we promise!)
[Diagram; labels recovered from the slide:]
1. Student is at Starbucks
2. IdP is at his school
3. Protected Web Service is at a university
4. IdP/SP communication via SAML attributes exchanged through the browser session
- Shibboleth Identity Provider (IdP) (IdP is a J2EE app)
- LDAP Server
- Shibboleth Service Provider (SP) (mod_shib gets attributes from shibd and protects web apps) (shibd daemon maintains state)
- Access to protected service (web app) is controlled by shib gatekeeper

NCTrust Federation Pilot
[Diagram labels: DPI North Carolina Learning Object Repository; ? (tbd); UNC-GA is a “Friend of NCTrust”]
- MCNC and partners have convened the NC Trust Pilot
- Goal: create a Federation to test web resource sharing among several K-20 organizations within NC
- Adding K-12 into the mix is a unique aspect
- NCTrust utilizes the national InCommon Federation infrastructure
  - Provides a trust mechanism allowing each organization to certify its operational practices
- MCNC is helping partners with tech / installation support

Shibboleth Training Workshops
- 1.5 day workshops were hosted by MCNC in October 2008 and February 2009
- Instructors: Shilen Patel and Rob Carter (Duke), Gonz Guzman (MCNC)
- Approximately 45 participants total
- There’s an excellent video archive of the workshop, thanks to Bryon and Chad

MOU and InCommon Paperwork in Various Stages of Completion…
- Paperwork is MUCH harder / slower than technical work! (though the technical parts are certainly not trivial)
- First demos starting now!

Demo
- As thorpe@mcnc.org:
  - Access Internet2’s Confluence site
  - Log onto test service, to see attributes
- As srthorpe@unc.edu:
  - Log onto NCSU’s VCL site, check for images
- As srthorpe@ncsu.edu:
  - Log onto NCSU’s VCL site, check for images and see a different list based on my NCSU status
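An added example, not part of the original slides: a small Python model of the trust decisions in the diagram and the demo, showing per-SP attribute release at the IdP and a fail-closed check at the SP. It goes one step beyond the slides by also rejecting scoped values an IdP is not entitled to assert. Entity IDs, affiliations and image assignments are constructed, and the assertion is assumed to have already passed SAML signature verification.

```python
# Constructed sample data: entity IDs, affiliations and image lists are hypothetical.
FEDERATION = {  # IdPs the SP trusts, with the scopes each one may assert
    "https://idp.ncsu.example/shibboleth": {"ncsu.edu"},
    "https://idp.unc.example/shibboleth": {"unc.edu"},
}
DIRECTORY = {  # stand-in for each home institution's LDAP server
    "srthorpe@ncsu.edu": {"eduPersonScopedAffiliation": ["staff@ncsu.edu"],
                          "mail": ["srthorpe@ncsu.edu"]},
    "srthorpe@unc.edu": {"eduPersonScopedAffiliation": ["member@unc.edu"],
                         "mail": ["srthorpe@unc.edu"]},
}
RELEASE_POLICY = {  # IdP side: attributes released to each service provider
    "https://vcl.example/shibboleth": {"eduPersonScopedAffiliation"},
}
IMAGES = {  # SP side: reservable images per scoped affiliation
    "staff@ncsu.edu": ["Linux", "Matlab", "SAS"],
    "member@unc.edu": ["Linux"],
}


def idp_release(idp, user, sp):
    """IdP: look up the user and release only what policy allows for this SP."""
    allowed = RELEASE_POLICY.get(sp, set())  # unknown SP gets nothing
    attrs = {k: v for k, v in DIRECTORY[user].items() if k in allowed}
    return {"issuer": idp, "attributes": attrs}


def sp_authorize(assertion):
    """SP: return the images the user may reserve; empty list means denied."""
    scopes = FEDERATION.get(assertion["issuer"])
    if scopes is None:
        return []  # issuer is not a federation member
    values = assertion["attributes"].get("eduPersonScopedAffiliation", [])
    # Drop values whose scope the issuing IdP is not registered for.
    in_scope = [v for v in values if v.rpartition("@")[2] in scopes]
    images = set()
    for value in in_scope:
        images.update(IMAGES.get(value, []))
    return sorted(images)


if __name__ == "__main__":
    sp = "https://vcl.example/shibboleth"
    for idp, user in [("https://idp.unc.example/shibboleth", "srthorpe@unc.edu"),
                      ("https://idp.ncsu.example/shibboleth", "srthorpe@ncsu.edu")]:
        print(user, sp_authorize(idp_release(idp, user, sp)))
```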

Future Steps
- Connect services among the NCTrust community
  - VCL
  - NCLive
  - MCNC’s confluence site is a likely candidate
  - Others?
- Integrate with the recently created UNC Federation
- Recommendations on best model of state-wide federation to meet the needs of the K-20 educational community in North Carolina
  - To cover funding, operations, governance, etc.
- Pilot runs through December 2009

Key Takeaways
- We believe Federated ID Management can enable more effective resource sharing among the NCREN community
  - Secure
  - Efficient
  - Scalable
  - Accessible
  - Saves $
  - Not to mention it’s a GREEN technology
- Fostering adoption of FIM technologies is another way of Connecting North Carolina’s Future Today

Thank You
- Special thanks to MCNC’s Gonz Guzman, Tom Throckmorton, Kambiz Aghaiepour, Neal Bullins, Carole Bruhn, Keith Venters, Chris Caswell, Bryon Coltrane, Chad Pritchard, and John Moore who all helped this effort
- Also thanks to the many Federated ID Task Force members from throughout the NCREN community that are participating with us in the NCTrust pilot project
- Finally thanks to a “Friend of NCTrust”, Steven Hopper from UNC-GA
- Questions?