DRAGOLJUB NESIC 08/12/2013 DOES IDENTITY MANAGEMENT REALLY HAVE TO BE DIFFICULT?

Presentation transcript:

What will we talk about today?
- A brief introduction to me
- A quick look at the recent history of shared authentication in the UK
- A glance at the pressure points from the world around us now
- An overview of the PSIIF
- An example scenario walkthrough
- What can you do?

Lord of the tokens
- EAS: sponsored at the time by DCSF (ContactPoint), aimed to establish a trust framework for registration and an authentication infrastructure based on 2FA
- It also provided a shared IdP for LAs that did not want to establish their own
- 2FA device in the hands of all public sector employees accessing central applications
- What did the local authorities really want? Cost-efficient CoCo compliance
- Freja – “One token to rule them all”

Real life
- World-wide financial crisis, 2008 onwards
- Government change, 2009
- ContactPoint was discontinued
- Concerns about Government Gateway performance in conjunction with LAs
- A failure, or?

Positive legacy
- ContactPoint was discontinued and EAS uptake was low. But…
- Wider public sector agreement on the trust framework, especially registration of users and reuse of credentials
- Governance and assurance approach for distributed user registration
- Flexible IdP implementation model
- Body of best practice for LA registration
- Newham & Salford regional hub projects kick-off
- Principles of collaboration: DWP/HMRC/E&H/Police working together

Today’s challenges
- Remote workforce
  - PSN compliance is getting tougher and tougher
  - More workers are working remotely a greater portion of the time
  - CO2 footprint reduction
  - Escalating costs, or a not-so-secure solution
  - What if one could locally issue strong 2FA for remote workers with a potentially zero-cost authentication device?
- Cloud services are exploding
  - Most with their own – password-based – identity systems
  - Often complicated directory integration
  - What if one could reuse locally issued, strong 2FA for authenticating users to such systems, i.e. cloud-based services with ground-based authentication?

Today’s challenges, cont’d
- Need to collaborate with neighbours
  - Shared services amongst boroughs are a real need
  - But who authenticates an individual? Directory federation is difficult to set up and manage
  - What if one could reuse locally issued, strong 2FA across partnerships?
- Increase internal efficiency
  - Bringing new applications online is expensive
  - What if one could reuse locally issued, strong 2FA for plug-and-play integration of new applications?
- Still need to access central government services
  - The applications may have changed, but the basic need still remains
  - What if one could reuse locally issued, strong 2FA for accessing applications hosted by or on behalf of central government?

PSIIF – a 180° turn
- Not a “top-down” approach
- PSIIF: a standards-based infrastructure on top of the PSN, defining the exchanges between IdPs, hubs and service providers
- Allows re-use of (conformant) credentials for accessing “external” services, including G-Cloud, central government, or services hosted by regional partners on the PSN

Information highway needs vehicles
- An infrastructure is only good if it is put to use
- Imagine if you could decide whom and how you want to collaborate with:
  - Your employees access G-Cloud services while retaining the identity issued by you
  - Employees of regional partners access your systems without you issuing a separate authenticator to their employees
  - Your employees access central government services
  - Request attributes from, or release attributes to, parties you select

G-Cloud service example
Actors on the slide: User, G-Cloud Service, Freja IdP, Freja SSP, Freja Registration & Provisioning
Steps, in the order shown:
- Where are you from?
- Please authenticate this user
- Do I recognize the service?
- Convince me who you are
- What do I know about you?
- How much information should I / can I release to the service?
- Sign an assertion
- Do I trust the assertion issuer?
- OK, what can this user do here?

SSO
Actors on the slide: User, Cloud Service, Cloud Service 2, Freja IdP, Freja SSP
Steps, in the order shown:
- Click on link to service 2
- Please authenticate this user
- Do I recognize the service?
- Do I have a valid session?
- How much information should I / can I release to this service?
- Sign an assertion
- Do I trust the assertion issuer?
- OK, what can this user do here?
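The two slide sequences above (the G-Cloud service example and the SSO case) as an added, deliberately simplified model; this is not the presenter's or Freja's code. An IdP recognizes only registered SPs, reuses an existing strong-authentication session instead of re-prompting, applies a per-SP attribute-release policy and signs the assertion; the SP checks issuer trust, signature, audience and expiry before deciding what the user may do. All URLs and names are hypothetical, and an HMAC over a JSON body stands in for the XML signatures a real SAML 2 deployment uses.

```python
import hashlib
import hmac
import json
import time

# Constructed federation metadata (stand-in for SAML metadata): the SPs this
# IdP recognizes, and the attribute-release policy agreed with each of them.
REGISTERED_SPS = {
    "https://gcloud.example/sp": ["name", "role"],   # hypothetical G-Cloud service
    "https://service2.example/sp": ["role"],         # hypothetical "Cloud Service 2"
}
IDP_ID = "https://la.example/idp"                    # hypothetical locally run IdP
IDP_KEY = b"constructed-demo-signing-key"            # HMAC stands in for XML-DSig here
SP_TRUSTED_ISSUERS = {IDP_ID: IDP_KEY}               # the SP side's trust list

class IdP:
    def __init__(self):
        self.sessions = set()   # users holding a valid local session

    def login(self, user, second_factor_ok):
        # "Convince me who you are": a session exists only after a successful 2FA login.
        if second_factor_ok:
            self.sessions.add(user)
        return user in self.sessions

    def issue_assertion(self, user, sp_id, known_attrs):
        if sp_id not in REGISTERED_SPS:      # "Do I recognize the service?"
            return None
        if user not in self.sessions:        # "Do I have a valid session?" (SSO case)
            return None
        # "How much information should I / can I release to this service?"
        released = {k: v for k, v in known_attrs.items() if k in REGISTERED_SPS[sp_id]}
        body = json.dumps({"issuer": IDP_ID, "subject": user, "audience": sp_id,
                           "exp": int(time.time()) + 300, "attrs": released}, sort_keys=True)
        sig = hmac.new(IDP_KEY, body.encode(), hashlib.sha256).hexdigest()   # "Sign an assertion"
        return {"body": body, "sig": sig}

def sp_consume(assertion, my_sp_id):
    """SP side: return the verified assertion body, or None if it must be rejected."""
    body = json.loads(assertion["body"])
    key = SP_TRUSTED_ISSUERS.get(body.get("issuer"))   # "Do I trust the assertion issuer?"
    if key is None:
        return None
    expected = hmac.new(key, assertion["body"].encode(), hashlib.sha256).hexdigest()
    if not hmac.compare_digest(expected, assertion["sig"]):
        return None
    if body["audience"] != my_sp_id or body["exp"] < time.time():   # wrong SP, or stale
        return None
    return body   # "OK, what can this user do here" is decided from body["attrs"]
```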

What can you do?
- You get to choose whether you want to act as SP, IdP, AP or any combination thereof – no mandate
- A lot of software you own already supports SAML 2 integration – you can act as an SP straight away
- A lot of G-Cloud services already support SAML 2 (or are rapidly adapted to do so)
- IdP functionality can be plugged into your existing authentication infrastructure with practically no disruption

Why would you?
- Standards-based, loosely coupled architecture – no vendor tie-in
- Potential for better services, to larger audiences
- An identity need not be established time and time again
- Better control of identity, better control of data access, better control of information release (please search for TheEllenShow, “Out of your password minder” on YouTube)
- Easier to audit