US E-authentication and the Culture of Compliance RL “Bob” Morgan University of Washington CAMP, June 2005.


2 Topics
- US E-Authentication Program
- E-auth and Internet2: Interfederation Interoperability Working Group
- Assessment can be fun (aka getting CAFed and liking it)
- An initial E-Auth application
- usPerson schema project

3 US E-Authentication
- for authoritative info
- facilitates trusted access to e-government
- e-auth elements
  - credential providers (CSPs), agency apps (AAs)
  - credential assessment framework (CAF), application risk assessment, defined LoAs
  - approved technologies, products (X.509, SAML)
  - e-auth ops: membership, portal (aka “Fed fed”)
  - agency mandates
  - E-Authentication Partnership advisory group

4 InCommon + E-Auth alignment
- promote interop for widespread higher-ed access to USG applications
  - grants process, research support, student loans...
- process
  - project started Oct 2004, thru Dec 2005
  - compare federation models
  - propose alignment steps
  - validate with federation members, via concrete application trials
  - implement via next e-auth, InCommon phases

5 IIWG elements
- federation comparison (E-Auth, InCommon)
- modify Shib software to work with E-Auth
  - part of Shib 1.3
- universities undergo trial by CAF
  - assess whether compliance is likely across HE
- deploy HE access to a real USG app
  - NSF FastLane; learn from this experience
- propose alignment steps for E-Auth and InC
- propose interfederation structure

6 E-Auth + InC alignment points
- Basic divergence: loose vs tight coupling
- membership: IdP-centric vs SP-centric
  - E-auth driven by requirements of e-government AAs
    - some CSPs will be govt agencies, but mostly external
  - InCommon driven by requirements of university IdPs, encouraging SPs to federate with us
- assurance: facilitated vs guaranteed
  - InCommon IdPs publish their processes, SPs decide whether they're OK
  - E-auth participants audited, approved by GSA
    - level of assurance is fundamental characteristic, of both agency apps and credential services
    - based on NIST-defined criteria

7 Alignment points 2
- user identity: application-supporting attributes vs fixed identifier set
  - InCommon relies on Internet2-defined eduPerson, promotes attribute-based authorization
  - E-Authentication specifies delivery of identifiers only
- operation: metadata-centric vs portal-centric
  - InCommon-managed metadata supports direct interaction between IdPs and SPs
  - E-auth portal mediates flow, adds user navigation and LoA adaptation point
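The two contrasts on slides 6 and 7 (assurance level as a property of the credential service vs the application, and attribute-based authorization vs a fixed identifier set) become concrete on the service-provider side of the exchange. The Python below is an added example, not code from the talk or from Shibboleth, InCommon or E-Auth. It assumes a constructed application policy and sample assertions; eduPersonScopedAffiliation and eduPersonEntitlement are real eduPerson attribute names, while the policy values, identifiers and entitlement URN are made up for illustration. It shows why an identifier-only assertion can only authorize a user the application has already linked (the "account link" step on slide 9), whereas an attribute-bearing assertion can authorize on first visit, and why the LoA check happens before any attribute is consulted.

```python
from dataclasses import dataclass, field
from typing import Dict, FrozenSet, List, Optional, Tuple

# Added example, not from the slides. eduPersonScopedAffiliation and
# eduPersonEntitlement are real eduPerson attribute names; the policy,
# LoA numbers, identifiers and sample assertions are constructed.


@dataclass
class Assertion:
    """What the credential service asserts about the user after login."""
    name_id: str                                   # persistent identifier for the user
    loa: int                                       # assurance level the CSP is approved for (1-4)
    attributes: Dict[str, List[str]] = field(default_factory=dict)


@dataclass
class AppPolicy:
    """An agency application's access rule (constructed)."""
    required_loa: int
    allowed_affiliations: FrozenSet[str] = frozenset()     # e.g. "faculty@example.edu"
    required_entitlement: Optional[str] = None
    # identifier-only model: local accounts already linked to a name_id
    account_links: Dict[str, str] = field(default_factory=dict)


def decide(policy: AppPolicy, a: Assertion) -> Tuple[str, str]:
    """Return (decision, reason).

    LoA is checked first: it is a property of the credential service, not of
    the user, so no attribute can compensate for it. Attributes are consulted
    next; an identifier-only assertion can succeed only via a prior account link.
    """
    if a.loa < policy.required_loa:
        return "deny", "LoA %d below required %d" % (a.loa, policy.required_loa)

    affiliations = set(a.attributes.get("eduPersonScopedAffiliation", []))
    entitlements = set(a.attributes.get("eduPersonEntitlement", []))

    if policy.allowed_affiliations & affiliations:
        return "allow", "affiliation"
    if policy.required_entitlement and policy.required_entitlement in entitlements:
        return "allow", "entitlement"
    if a.name_id in policy.account_links:
        return "allow", "account link to " + policy.account_links[a.name_id]
    return "deny", "no qualifying attribute and no account link"


# Constructed sample policies: a Level 1 grants application, and a stricter
# application that requires Level 2 credentials for the same population.
GRANTS_APP = AppPolicy(
    required_loa=1,
    allowed_affiliations=frozenset({"faculty@example.edu"}),
    required_entitlement="urn:mace:example.edu:entitlement:grants-admin",
    account_links={"nameid-1234": "fastlane-user-77"},
)
RESTRICTED_APP = AppPolicy(
    required_loa=2,
    allowed_affiliations=frozenset({"faculty@example.edu"}),
)

# Constructed sample assertions.
SAMPLES = {
    # attribute-rich assertion from an InCommon-style IdP: authorized on first visit
    "faculty": Assertion("nameid-0001", 1, {"eduPersonScopedAffiliation": ["faculty@example.edu"]}),
    # staff member authorized by an entitlement value rather than affiliation
    "admin": Assertion("nameid-0003", 1,
                       {"eduPersonEntitlement": ["urn:mace:example.edu:entitlement:grants-admin"]}),
    # identifier-only assertion (E-Auth style) for a previously linked user
    "linked": Assertion("nameid-1234", 1),
    # identifier-only assertion for an unknown user: nothing to decide on
    "unknown": Assertion("nameid-9999", 1),
}


def run_samples(policy: AppPolicy) -> Dict[str, str]:
    """Evaluate every sample assertion against a policy; returns name -> decision."""
    return {name: decide(policy, a)[0] for name, a in SAMPLES.items()}


if __name__ == "__main__":
    for label, policy in (("grants", GRANTS_APP), ("restricted", RESTRICTED_APP)):
        for name, a in SAMPLES.items():
            decision, reason = decide(policy, a)
            print("%-10s %-8s %-5s %s" % (label, name, decision, reason))
```

The ordering in decide is the point: the assurance gate reflects slide 6 (LoA is fundamental to both the application and the credential service), and the two allow branches before the account-link fallback reflect slide 7 (attributes let the application decide without its own identity store, identifiers alone do not).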

8 Alignment points 3
- technology: SAML and profiles
  - InCommon specifies minimal Shib profile of SAML 1.1
  - E-Auth specifies extensive profile on top of SAML 1.0 (also supports cert authentication for higher LoAs)
  - intend to converge on SAML 2.0

9 NSF FastLane via E-Auth
- FastLane: a good first application
  - used by 300,000 HE users, PIs and research admins
  - early E-Auth participant, assessed at Level 1
  - NSF seeking process improvement
- Process:
  - 4 campuses get CAFed, deploy Shib 1.3, join E-A
  - NSF deploys E-Auth capable FastLane
  - campus users “account link” once by authenticating via E-A, entering old account/password

10 Campus Compliance Issues
- Level 1 is pretty easy
  - be a real organization, with basic docs
  - have a user database (but no ID proofing reqts)
  - run a secure authentication system
- Password-guessing protection is the hurdle
  - system should protect against brute-force guessing
  - implies guessing-limitation, -monitoring, lockout
  - none of participant campuses doing this today
  - various plans: monitor, remove e-auth authz
  - only need apply to E-Auth application users
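The three pieces slide 10 names (guessing limitation, monitoring, lockout) and the two campus plans it mentions (monitor only, or remove the user's E-Auth authorization instead of locking the account) fit in one small component placed in front of the password check. The Python below is an added example, not code from the talk or from any campus; the threshold, window and lockout length are assumed policy values, not figures from the credential assessment framework, and the reading of "remove e-auth authz" as withdrawing only the user's access to E-Auth applications while leaving local login alone is an assumption. It also applies the slide's last point by locking only users who are in the E-Auth population and merely logging threshold events for everyone else.

```python
import time
from collections import deque
from dataclasses import dataclass, field
from typing import Callable, Deque, Dict, Iterable, List, Tuple

# Added example, not from the slides. The three values below are assumed
# policy settings chosen for illustration, not E-Auth CAF requirements.
MAX_FAILURES = 5        # failures within the window that trigger action
WINDOW_SECONDS = 900    # sliding window over which failures are counted
LOCKOUT_SECONDS = 1800  # how long a locked account stays locked


@dataclass
class AccountState:
    failures: Deque[float] = field(default_factory=deque)  # timestamps of recent failures
    locked_until: float = 0.0
    eauth_authz_revoked: bool = False


class GuessLimiter:
    """Guessing limitation, monitoring and lockout in front of a password check.

    action="lockout" locks the account for LOCKOUT_SECONDS.
    action="revoke_eauth" instead withdraws the user's authorization to reach
    E-Auth applications and leaves local campus login untouched (assumed
    reading of the slide's "remove e-auth authz" plan).
    Users outside eauth_users are monitored only, never locked.
    """

    def __init__(self, eauth_users: Iterable[str], action: str = "lockout",
                 clock: Callable[[], float] = time.time) -> None:
        if action not in ("lockout", "revoke_eauth"):
            raise ValueError("unknown action: " + action)
        self.eauth_users = set(eauth_users)
        self.action = action
        self.clock = clock              # injectable so the scenario below is deterministic
        self.state: Dict[str, AccountState] = {}
        self.events: List[Tuple] = []   # monitoring log for security operations

    def _state(self, user: str) -> AccountState:
        return self.state.setdefault(user, AccountState())

    def _prune(self, st: AccountState, now: float) -> None:
        # drop failures that have aged out of the sliding window
        while st.failures and st.failures[0] <= now - WINDOW_SECONDS:
            st.failures.popleft()

    def check(self, user: str) -> str:
        """Call before verifying the password: 'ok', 'locked' or 'eauth_revoked'."""
        st = self._state(user)
        if st.locked_until > self.clock():
            return "locked"
        if st.eauth_authz_revoked:
            return "eauth_revoked"
        return "ok"

    def record(self, user: str, success: bool) -> str:
        """Call after the password check with its outcome; returns the resulting state."""
        st = self._state(user)
        now = self.clock()
        if success:
            st.failures.clear()
            return "ok"
        st.failures.append(now)
        self._prune(st, now)
        self.events.append(("auth_failure", user, len(st.failures)))
        if len(st.failures) < MAX_FAILURES:
            return "failure"
        st.failures.clear()
        if user not in self.eauth_users:
            self.events.append(("threshold_reached_monitor_only", user))
            return "monitor"
        if self.action == "lockout":
            st.locked_until = now + LOCKOUT_SECONDS
            self.events.append(("lockout", user, st.locked_until))
            return "locked"
        st.eauth_authz_revoked = True
        self.events.append(("eauth_authz_revoked", user))
        return "eauth_revoked"

    def restore(self, user: str) -> None:
        """Help-desk reset after the user has been verified out of band."""
        st = self._state(user)
        st.locked_until = 0.0
        st.eauth_authz_revoked = False
        st.failures.clear()


def simulate() -> Dict[str, str]:
    """Constructed scenario on a fake clock; returns the states observed."""
    clock = [1_000_000.0]
    lim = GuessLimiter(eauth_users={"alice"}, clock=lambda: clock[0])
    out: Dict[str, str] = {}
    for _ in range(MAX_FAILURES):                      # burst of bad passwords for alice
        out["alice_after_burst"] = lim.record("alice", False)
    out["alice_check"] = lim.check("alice")
    clock[0] += LOCKOUT_SECONDS + 1                    # lockout ages out
    out["alice_after_lockout_expires"] = lim.check("alice")
    for _ in range(MAX_FAILURES):                      # bob is not an E-Auth user
        out["bob_after_burst"] = lim.record("bob", False)
    out["bob_check"] = lim.check("bob")
    return out


if __name__ == "__main__":
    for key, value in simulate().items():
        print(key, "->", value)
```

The events list is what the "monitor" plan on the slide needs: every failure and every threshold crossing is recorded whether or not the campus has chosen to lock, so the decision to enforce can be taken later from the same data.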

11 E-Auth support in Shibboleth
- Shibboleth protocol interaction is SAML 1.1
  - with various choices to enable interop, eg name formats, common attributes, metadata, req message
  - demonstrated interop with other SAML 1.1 products
- E-Auth/SAML is today a profile of SAML 1.0
  - using Artifact method, attribute push, etc
- Shibboleth version 1.3 supports E-Auth profile
  - can run in parallel with traditional Shib profile
  - motivated changes in IdP structure
  - Shib 1.3 SP intended to be compliant too

12 SAML 2
- SAML 1.x doesn't cover many interop elements
- SAML 2.0 covers the waterfront
  - authentication request
  - logout
  - identifier management
- WS-Federation
  - SAML alternative promoted by some big vendors
  - will it be brought into E-Auth approved tech space?

13 US person schema
- motivated by HE interest in attribute-based authorization for E-Auth
- modeled on Educause/Internet2 eduPerson spec and its use in Shibboleth and InCommon
- not list of attributes, but framework on which agency/app definitions can be built
- not just SAML, but generic information model, mapped to LDAP, SAML, XML provisioning
- starting by looking at improved processes for NSF, USDA applications, using campus-sent attributes, also national schema efforts from EU countries
- ambitious? yes... proposal due June 2006

14 E-Auth and InCommon peering
- E-Auth doesn't want 1000 university members
  - or 1000 banks, or anything else
- rather, wants to peer with federations in these industry sectors
- federation peering is new territory
  - though some prior reusable work in PKI Bridge CA interop/mapping

15 Conclusion
- E-Authentication is strong standardizing factor in many industry sectors
- US HE is working to ensure that E-Auth meets our needs