Federated Identity, Shibboleth, and InCommon Tom Barton University of Chicago © 2009 The University of Chicago.

Slides:



Advertisements
Similar presentations
Lousy Introduction into SWITCHaai
Advertisements

Federated Identity for Grid Architects Tom Scavo NCSA
Eduserv Athens Federations David Orrell Eduserv Athens Technical Architect.
Appropriate Access InCommon Identity Assurance Profiles David L. Wasley Campus Architecture and Middleware Planning workshop February 2008.
1 Leveraging Your Existing Campus Systems to Access Resource Partners: Federated Identity Management and Tales of Campus Participation EDUCAUSE 2006 October.
Access & Identity Management “An integrated set of policies, processes and systems that allow an enterprise to facilitate and control access to online.
Federated Access: Identity Management and Access to Protected Resources Renée Woodten Frost Associate Director, Middleware & Security
Update on federations, PKI, and federated PKI for US feds and higher eds Tom Barton University of Chicago.
1 Issues in federated identity management Sandy Shaw EDINA IASSIST May 2005, Edinburgh.
Dorian Grid Identity Management and Federation Dialogue Workshop II Edinburgh, Scotland February 9-10, 2006 Stephen Langella Department.
T Network Application Frameworks and XML Service Federation Sasu Tarkoma.
Beispielbild Shibboleth, a potential security framework for EDIT Lutz Suhrbier AG Netzbasierte Informationssysteme (
1 eAuthentication in Higher Education Tim Bornholtz Session #47.
Federated Identity, Levels of Assurance, and the InCommon Silver Certification Jim Green Identity Management Academic Technology Services © Michigan State.
InCommon and Federated Identity Management 1
Presenter’s Name InCommon Approximately 80 members and growing steadily More than two million “users” Most of the major research institutions (MIT joining.
Shibboleth and InCommon Copyright Texas A&M University This work is the intellectual property of the author. Permission is granted for this material.
Learning Management Systems Camp June 2004 Barry R Ribbeck UT HSC Houston Copyright, Barry Ribbeck, This work is the intellectual property of the.
InCommon Policy Conference April Uses  In order to encourage and facilitate legal music programs, a number of universities have contracted with.
Credential Provider Operational Practices Statement CAMP Shibboleth June 29, 2004 David Wasley.
SWITCHaai Team Federated Identity Management.
Shibboleth-intro-dec051 Shibboleth A Technical Overview Tom Scavo NCSA.
Copyright © The OWASP Foundation Permission is granted to copy, distribute and/or modify this document under the terms of the OWASP License. The OWASP.
The InCommon Federation The U.S. Access and Identity Management Federation
Jack Suess, CIO University of Maryland, Baltimore County April 5, 2009.
Identity Management Report By Jean Carreon and Marlon Gonzales.
Exploring InCommon Getting Started with InCommon: Creating Your Roadmap.
Copyright JNT Association 2005Copyright JNT Association An Introduction to Access Management and the UK Federation Simon Cooper.
Internet2 – InCommon and Box Marla Meehl Colorado CIO 11/1/11.
Integrating with UCSF’s Shibboleth system
InCommon as Infrastructure: How Recommended Practices and Federation Features Help Scale Federated Identity Management Michael R. Gettes, Carnegie Mellon.
Belnet Federation Belnet – Loriau Nicolas Brussels – 12 th of June 2014.
GridShib: Grid/Shibboleth Interoperability September 14, 2006 Washington, DC Tom Barton, Tim Freeman, Kate Keahey, Raj Kettimuthu, Tom Scavo, Frank Siebenlist,
Social Identity Working Group Steve Carmody. Agenda Intro to Using Social Accounts Status and Recent News –Current UT Pilot –Current InCommon Pilot with.
1 InCommon Identity & Access Management Federation John Krienke Operations Manager, InCommon Assistant Director, Internet2
Federated Access to US CyberInfrastructure Jim Basney CILogon This material is based upon work supported by the National Science.
COmanage and InCommon: Present and Future Activities and Interactions Heather Flanagan, COmanage Project Coordinator, Internet2.
Federations 101 John Krienke Internet2 Fall 2006 Internet2 Member Meeting.
Using Levels of Assurance Well, at least thinking about it…. MAX (just MAX)
Federated Identity and Shibboleth Concepts Rick Summerhill Chief Technology Officer Internet2 GEC3 October 29, 2008 Slides by Nate Klingenstein
MAT U M A T U Middleware Assisted Take-Up Service For JISC Funded Early Adopters.
The InCommon Federation The U.S. Access and Identity Management Federation
Shibboleth Update Eleventh Federal & Higher Education PKI Coordination Meeting (Fed/Ed Thursday, June 16, 2005.
INTRODUCTION: THE FIRST TRY InCommon eduGAIN Policy and Community Working Group.
State of e-Authentication in Higher Education August 20, 2004.
E-Authentication in Higher Education April 23, 2007.
Community Sign-On and BEN. Table of Contents  What is community sign-on?  Benefits  How it works (Shibboleth)  Shibboleth components  CSO workflow.
Leveraging the InCommon Federation to access the NSF TeraGrid Jim Basney Senior Research Scientist National Center for Supercomputing Applications University.
1 Support For Research & National Identity Snapshot Jim Leous, Penn State Ann West, Internet2/InCommon Federation.
Federated Identity Management for HEP David Kelsey HEPiX, IHEP Beijing 18 Oct 2012.
Transforming Government Federal e-Authentication Initiative David Temoshok Director, Identity Policy and Management GSA Office of Governmentwide Policy.
University of Washington Collaboration: Identity and Access Management Lori Stevens University of Washington October 2007.
Attribute Delivery - Level of Assurance Jack Suess, VP of IT
Identity Management, Federating Identities, and Federations November 21, 2006 Kevin Morooney Jeff Kuhns Renee Shuey.
INTRODUCTION: THE FIRST TRY InCommon eduGAIN Policy and Community Working Group.
SEPARATE ACCOUNTS FOR PROSPECTS? WHAT A HEADACHE! Ann West Assistant Director, InCommon Assurance and Community Internet2 at Michigan Tech.
Shibboleth Use at the National e-Science Centre Hub Glasgow at collaborating institutions in the Shibboleth federation depending.
INTRODUCTION TO IDENTITY FEDERATIONS Heather Flanagan, NSRC.
Leveraging Campus Authentication to Access the TeraGrid Scott Lathrop, Argonne National Lab Tom Barton, U Chicago.
The Federal E-Authentication Initiative David Temoshok Director, Identity Policy GSA Office of Governmentwide Policy February 12, 2004 The E-Authentication.
Tom Barton, Senior Director for Integration, University of Chicago
Access Policy - Federation March 23, 2016
Using Your Own Authentication System with ArcGIS Online
LIGO Identity and Access Management
Shibboleth Roadmap
John O’Keefe Director of Academic Technology & Network Services
Introduction How to combine and use services in different security domains? How to take into account privacy aspects? How to enable single sign on (SSO)
Appropriate Access InCommon Identity Assurance Profiles
Shibboleth 2.0 IdP Training: Introduction
Presentation transcript:

Federated Identity, Shibboleth, and InCommon Tom Barton University of Chicago © 2009 The University of Chicago

 Sr Dir, Integration  Shepherding  Data management  Security  Storage  Identity management  Policy & informational stuff  Internet2/MACE  Middleware architect  WG chair  InCommon TAC 2 Who Am I? 2 June 2009

 Many usernames and passwords for users  Many copies of personal data (held by third parties)  Duplication of effort among service providers  Difficulty sharing resources (between institutions)  Anytime, anywhere access to resources  Compliance with legislation (FERPA, GLB…) and institutional policy  In short, the yet another account problem 2 June What problem does (Federated) Identity Management address?

No coordination Proprietary code Batch uploads Service Providers 2 June 20094

5

 Efficient scalability  Highly leveraged centralized operations  Common identifiers  Authentication  Access information management  Accuracy & timeliness  Auditability  Service providers still do access control  Security and privacy 2 June 20096

1. Single sign on 2. Services no longer manage user accounts & personal data stores 3. Reduced help-desk load 4. Standards-based technology 5. Home org and user control privacy 2 June 20097

 Shibboleth  InCommon Federation  Grouper  Comanage  Identity services & application domestication  Privilege & access management  MACE-Paccman working group  eduPerson & edu* schema, white papers, etc  MACE-Directories working group 8 Internet2/MACE Identity & Access Management 2 June 2009

 Open source standards-based web single sign-on  Supports SAML v1.1 & SAML v2  SAML = Security Assertion Markup Language, OASIS standard  Supports the Federated Identity model  Identity Provider (IdP) authenticates the browser user and provides Assertions about the user  Service Provider (SP) validates the Assertions, makes an Access Control decision, and provides Resources  Each player is identified by a unique entityID and authenticated by reference to independently established metadata  Leverages enterprise identity management system 9 What is Shibboleth? 2 June 2009

Federated Identity "IdP""SP" ala Shibboleth 102 June 2009

 SSO access to both campus and external web- based applications  Protects user privacy  Selective attribute release  Pseudonymous identifiers available  Integrates well with other SAML2 software  Many commercial Service Providers are SAML2 friendly  Adoption by 20+ Higher Education/Research federations around the world  Commercial professional services and technical support increasingly available 112 June 2009

Shibboleth U Chicago 122 June 2009

 U Chicago application (portal)portal  Library remote access (Acta Mathematica)Acta Mathematica  Internet2 wiki (CAMP Program Cmte)CAMP Program Cmte  CIC SharePoint (more about this later)more about this later 2 June Demo U Chicago Shibboleth SSO

 my.uchicago.edu  Start of SSO – U Chicago login. No WAYF needed.  My roles, groups, name, , etc, sent from U Chicago IdP to campus portal.  E-journal  U Chicago Library e-journal finder linked to U Chicago shibbolized web proxy. No WAYF needed.  Non-shib access to vendor site, to change soon.  Internet2 wiki  InCommon Federation’s WAYF invisible due to persistent cookie.  Only attribute released is my name.  CICme  CIC members all belong to InCommon.  CIC-specific WAYF.  Name & attributes released. 2 June What just happened?

 CIC = Big Ten + U Chicago  Hundreds of committees and work groups  1-5 members per institution each  ~1900 total CICme users  Provosts to operational staff  Avoid the “yet another account” problem  Demonstrate feasibility & value of federation in support of other CIC activities  Minimize impact to member campus IT 15 Committee on Institutional Cooperation: “CICme” Federated SharePoint 2 June 2009

162 June 2009

 A group of member organizations who agree to a set of rules  End-user organizations act as identity providers (IdPs), authenticate end users, release information (attributes) about individuals to service providers per policy or contract  Service providers (SPs) accept assertions from IdPs and use to authorize access  An independent body managing the trust relationships between members  An efficient way to scale identity management across organizations  A community or marketplace, when successful What’s a Federation? 2 June

 Register members  Validate organizational identifiers  Authenticate organizational contacts  Execute participation agreement  Distribute federation metadata  Establish standards or provide guidance  Federating technologies  Attribute syntax & semantics  Identity Assessment Framework - Level of Assurance  Problem resolution  Outreach  Community support What’s a Federation Operator do? 2 June

The Role of the Federation 1. Agreed upon attribute vocabulary & definitions: member of, role, unique identifier, courses, … 2. Criteria for identity management practices (user accounts, credentialing, etc.), privacy stewardship, interop standards, technologies 3. Trusted exchange of participant information 4. Trusted “notary” for all federation members Verified By the Federation Verified By the Federation Verified By the Federation Verified By the Federation 2 June

 US R&E Federation, a 501(c)3  Members are universities, government agencies, national labs, and their partners  146 organizations and growing  Surpassed 3 million faculty, staff, and students in February 2009  Operations managed by Internet2  2 June InCommon Federation: Essential Data

 Execute Participation Agreement  Pay fees (NB. Non-normative info!)  Application - $700  Annual membership - $1000 per 20 entityIDs  Provide Participant Operating Practices statement  Description of Identity Management practices (for Identity Provider membership)  Attribute requirements and associated practices (for Service Provider)  Not audited – self declared  Admin & technical contacts  Provide initial IdP or SP metadata 2 June Joining InCommon

 InCommon Identity Assurance Profiles  Bronze compatible with NIST Level of Assurance 1  Silver compatible with NIST Level of Assurance 2  Specifies criteria used to assess identity providers  Written for and by HE community  Contrast with OMB’s CAF: not all Assertions about all Principals need have the same LoA  Participant’s internal audit performs assessment  Auditor sends attestation letter to InCommon  New program – no one’s cleared the hurdle yet  Several are in process 22 InCommon Identity Assurance Framework 2 June 2009

Circle University Dr. Joe Oval Psych Prof. 23 Home Circle University Anonymous ID# Affiliation EPPN Given/SurName Title SSN Password #1 Circle University ID # Psych Prof. Verified By the Federation Verified By the Federation Verified By the Federation Verified By the Federation College A IdP: name, key, url, contacts, etc. SP1: name, key, url, contacts, etc. SP2: name, key, url, contacts, etc. University B IdP: name, key, url, contacts, etc. SP1: name, key, url, contacts, etc. University C IdP: name, key, url, contacts, etc. Partner 1 SP1: name, key, url, contacts, etc. Partner 2 SP1: name, key, url, contacts, etc. SP2: name, key, url, contacts, etc. Partner 3 … Federation Metadata Bronz e Silver 2 June 2009 InComm on Assuran ce Levels

 We’re told to. Security controls in the FIPS 199 sense  We need to. The marketplace created by a federation needs a standard by which Service Providers and Identity Providers can talk about how loose or tight their practices are  We want to. Federated access to scientific grids  Mapping between InCommon POP, Bronze, Silver and International Grid Trust Federation policies 2 June Why bother with LoA?

Campus Science Gateway InCommon Federation provision accounts run monitor attributes run monitor TeraGrid Resources 252 June 2009