Trends in Identity Management Nate Klingenstein Internet2 EDUCAUSE Security Professional 2007.

Topics
- Federated Identity
  - Extending enterprise security
  - Application to network security protocols
- Peer-to-Peer Identity
  - OpenID
- Convergence & Divergence
- Web Access Federations and Network Security
  - Do these communities meaningfully overlap?

Federated Identity
- Leverages local identities to access remote resources
  - Enterprise directories & authentication
- Organizations trust each other
- Decentralized center
- Multiple federations
- Federated identity is distinct from federations
  - Can have federated ID without federations

Technical Basis of Exchange
- Attributes
- Identity Providers (IdP)
  - Asserts authentication and attribute information
- Service Providers (SP)
  - Receives and processes attributes and authentications
- Metadata

Trust Basis for Exchange
- IdP asserts good information
- SP disposes of information received properly
- Logging
  - Tracking down malfeasants is cooperative but always possible
- Everything always boils down to a bilateral exchange
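As an added example (not from the slides) of the SP side of the Technical Basis and Trust Basis slides: a trusted IdP asserts authentication and attributes, and the SP checks the issuer against federation metadata, the validity window and the audience before deciding on attributes and logging the reason. The entityIDs and the minimal assertion are constructed; the XML signature a real IdP attaches is omitted and would be verified against the metadata certificate first.

```python
import xml.etree.ElementTree as ET
from datetime import datetime

NS = {"saml": "urn:oasis:names:tc:SAML:2.0:assertion"}
SP_ENTITY_ID = "https://sp.example.org/shibboleth"          # constructed
TRUSTED_IDPS = {"https://idp.example.edu/idp/shibboleth"}    # constructed stand-in for metadata

# Constructed, minimal SAML 2.0 assertion. The IdP's XML signature is omitted here;
# a real SP verifies it against the metadata certificate before any of the checks below.
ASSERTION = """<saml:Assertion xmlns:saml="urn:oasis:names:tc:SAML:2.0:assertion"
    ID="_constructed1" Version="2.0" IssueInstant="2007-04-10T12:00:00Z">
  <saml:Issuer>https://idp.example.edu/idp/shibboleth</saml:Issuer>
  <saml:Conditions NotBefore="2007-04-10T12:00:00Z" NotOnOrAfter="2007-04-10T12:05:00Z">
    <saml:AudienceRestriction>
      <saml:Audience>https://sp.example.org/shibboleth</saml:Audience>
    </saml:AudienceRestriction>
  </saml:Conditions>
  <saml:AttributeStatement>
    <saml:Attribute Name="urn:oid:1.3.6.1.4.1.5923.1.1.1.1" FriendlyName="eduPersonAffiliation">
      <saml:AttributeValue>member</saml:AttributeValue>
      <saml:AttributeValue>student</saml:AttributeValue>
    </saml:Attribute>
  </saml:AttributeStatement>
</saml:Assertion>"""

def _ts(s):
    return datetime.strptime(s, "%Y-%m-%dT%H:%M:%SZ")

def evaluate(assertion_xml, now_iso, required_affiliation="member"):
    """SP-side processing: trust the issuer (metadata), check conditions, decide on attributes.
    Returns (granted, reason, attributes); reason and attributes are what the SP should log."""
    root = ET.fromstring(assertion_xml)
    issuer = root.findtext("saml:Issuer", namespaces=NS)
    if issuer not in TRUSTED_IDPS:
        return False, "issuer not in federation metadata", {}
    cond = root.find("saml:Conditions", NS)
    now = _ts(now_iso)
    if not (_ts(cond.get("NotBefore")) <= now < _ts(cond.get("NotOnOrAfter"))):
        return False, "assertion outside its validity window", {}
    audiences = [a.text for a in cond.findall("saml:AudienceRestriction/saml:Audience", NS)]
    if SP_ENTITY_ID not in audiences:
        return False, "assertion not addressed to this SP", {}
    attrs = {}
    for attr in root.findall("saml:AttributeStatement/saml:Attribute", NS):
        key = attr.get("FriendlyName") or attr.get("Name")
        attrs[key] = [v.text for v in attr.findall("saml:AttributeValue", NS)]
    if required_affiliation not in attrs.get("eduPersonAffiliation", []):
        return False, f"required affiliation '{required_affiliation}' not asserted", attrs
    return True, "granted", attrs
```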

Trust Basis for Exchange
- Centralized federation services
  - Metadata
  - Auditing
  - Attribute standardization
  - Other rules
- Extensions and merges of existing identities
  - Virtual Organizations

SAML-based Higher Ed Federations: Australia, Belgium, Canada, China, Denmark, Finland, France, Germany, Greece, New Zealand, Norway, Spain, Sweden, Switzerland, The Netherlands, United Kingdom, United States

InCommon
- U.S. Higher Ed Federation
- Multiple levels of assurance
  - Bronze, Silver, Gold, or basic
- Identity information managed by central IT
  - Where are the attributes you need?
- No guidance on attribute release

Security Assertion Standards
- SAML 1.1 (Shibboleth 1.x)
- SAML 2.0
- ID-WSF
- WS-Trust
- WS-Security
- Many other WS-*
- Many other others

Standards Convergence (lineage diagram; labels only): ID-FF 1.1, SAML 1.0, SAML 1.1, Shibboleth 1.x, ID-FF 1.2, SAML

Peer-to-Peer Trust
- Self-issued credentials
- Usually bootstrapped through personal interaction
  - Joe sent me his PKC in an IM, and I know this is Joe because of our secret handshake
  - And I know that’s his screen-name because…
- Differentiate between quality of initial authentication and subsequent value
- Unauthenticated sure is popular…

OpenID
- Codification of that community trust
- Using URLs
- A simple protocol
- Basic attributes
- Plug-ins for most web environments
- Many other approaches, some based on heavier technology
- Deployed in blogosphere and beyond
- No attempts to integrate with network security
- But growing corporate interest and support

OpenID/SAML convergence
- There are protocols and there are tokens
  - WS-Trust
  - WS-Security
  - Cardspace
- Solutions address somewhat different needs
  - Room for co-existence
  - But interoperability would still be nice
- Some cooperation between the two communities in looking for convergence opportunities

Related Projects
- Higgins
  - A set of interfaces that try to abstract identity management
- Microsoft ADFS
  - Shibboleth interoperability
- XACML
  - Layered in SAML assertions
  - Its own protocol

Big Changes
- Federated Identity evolving from Web SSO to other applications
- Maturation of vendor products in the IdM space
- Increasingly, Federated IdM packages support multiple protocols; sites make choices based on “value add”
- Growing interest in using Levels of Assurance (LoA)
- Growing interest in Inter-Federation

Federated Identity for Network Authentication
- Traveling individuals
- Attribute-based access control
- Privacy
- Accountability

Current Deployments
- Shibboleth-based wireless authentication at University of Texas
  - It’s a hack
  - Use Shibboleth to populate a database that the RADIUS server can draw on
  - Supports multiple access groups
  - Hugely popular with the university brass
  - /ShibbolizedWireless

Current Deployments
- eduroam
  - Global RADIUS infrastructure using 802.1X
  - Widespread adoption by European higher ed
  - Multiple countries in Asia & Oceania
  - U.S. under-represented
- Let’s look at the policies…

Revealing Challenges
- What security policies will be enacted on an eduroam visitor?
  - Japan wants to mandate that once access is granted via eduroam a VPN tunnel home be established for all further traffic
- What information do people need to know?
  - Which attributes are required?
  - Does anonymity matter?
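As an added example (not from the slides) covering the eduroam deployment slide and the challenges slide: a model of the realm-based RADIUS hierarchy (visited institution, national proxy, top-level proxy, home institution) and of the split of responsibilities it creates, where the home realm authenticates but the visited site applies its own policy and never sees the inner identity. All realm, proxy and VLAN names are constructed placeholders.

```python
# Constructed model of the eduroam RADIUS hierarchy; every name below is a placeholder.
NATIONAL_PROXY = {"nl": "nro-nl.example", "jp": "nro-jp.example", "us": "nro-us.example"}
KNOWN_REALMS = {"uni-a.example.nl", "uni-b.example.jp", "uni-c.example.us"}
# The visited site's own access policy, applied on top of the home IdP's answer (constructed).
VISITED_POLICY = {"home": "staff-vlan", "visitor": "guest-vlan"}

def split_identity(outer_identity):
    """Split the outer identity (RADIUS User-Name). The user part may be 'anonymous':
    the real username travels inside the EAP tunnel and is seen only by the home IdP."""
    if "@" not in outer_identity:
        raise ValueError("no realm in outer identity: request cannot be routed")
    user, realm = outer_identity.rsplit("@", 1)
    return user, realm.lower()

def route(outer_identity, visited_realm):
    """Return the proxy hops an Access-Request takes from the visited site to the home IdP."""
    _, realm = split_identity(outer_identity)
    if realm == visited_realm:
        return [f"home:{realm}"]                  # local user, no forwarding
    hops = [f"visited:{visited_realm}"]
    v_tld, h_tld = visited_realm.rsplit(".", 1)[-1], realm.rsplit(".", 1)[-1]
    hops.append(f"nro:{NATIONAL_PROXY[v_tld]}")   # foreign realms always go up to the NRO
    if h_tld != v_tld:                            # cross-country: via the top-level proxy
        if h_tld not in NATIONAL_PROXY:
            raise LookupError(f"no eduroam federation for .{h_tld}")
        hops += ["top-level", f"nro:{NATIONAL_PROXY[h_tld]}"]
    if realm not in KNOWN_REALMS:
        raise LookupError(f"realm {realm} unknown to {NATIONAL_PROXY[h_tld]}")
    hops.append(f"home:{realm}")
    return hops

def visited_decision(outer_identity, visited_realm, home_accepted):
    """Map the home IdP's Access-Accept/Reject to the visited site's local policy. The
    visited site learns only the realm that vouched for the user, not who the user is."""
    _, realm = split_identity(outer_identity)
    if not home_accepted:
        return {"access": False, "vlan": None, "realm": realm}
    role = "home" if realm == visited_realm else "visitor"
    return {"access": True, "vlan": VISITED_POLICY[role], "realm": realm}
```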

SAML, RADIUS, DIAMETER
- RADIUS profile of SAML
- DAMe project
- DIAMETER supporting SAML
- Slide theft: Diego Lopez of RedIRIS

InCommon
- U.S. higher education federation
- 50 participants and counting
- Oriented around access to web resources
  - EBSCO, ScienceDirect, JSTOR, Napster, Turnitin, etc.
- SAML-centric

Questions for You
- What could you do with federated identity?
- What information do you need to know before making your various decisions?
- Can InCommon address your collaboration or network authentication needs?
- How would you do inter-realm network security?