www.incommon.org
A View into the Mi$t
RL "Bob" Morgan, University of Washington, Co-chair, InCommon Technical Advisory Committee

Presentation transcript:

A View into the Mi$t
RL "Bob" Morgan, University of Washington
Co-chair, InCommon Technical Advisory Committee

The 2 Poles of Identity: Accountability / Expression

Big Data: Whose Data?

Consumer-scale
– Number of Google Apps domains: 2 million?
– Number of Facebook Connect RPs: 3 million?
– An inconvenient truth: the consumer web is supported by the aggregation, processing, and sale of the personal information of billions of people.
– Consumerization of web identity technology is driven by the consumer services industry.

NSTIC Vision and Strategy
Individuals and organizations utilize secure, efficient, easy-to-use, and interoperable identity solutions to access online services in a manner that promotes confidence, privacy, choice, and innovation.
An Identity Ecosystem of solutions that are:
– privacy-enhancing and voluntary
– secure and resilient
– interoperable
– cost-effective and easy to use
Public/private partnership

NSTIC Operations and Governance
NSTIC Steering Group
– promote creation and maintenance of an Identity Ecosystem consistent with the Strategy
– privately led, all stakeholders represented
– promote standards adoption
– accredit ecosystem components
– bids out now for secretariat organizations
– forming of the Steering Group may involve some... politics
– will it rule a realm that anyone is interested in?

Open Identity Exchange (OIX)
Formed in 2009 as a federation for consumer IdPs
– participating in FICAM TFP certification
Now supporting general Trust Framework development
Representing industry in NSTIC deliberations
Offering alternative views on the ecosystem...
Attribute Exchange Network WG
– create a trust framework for AX: policies and tech pilots
– separate IdPs from Attribute Providers, via brokers
– support monetizing the provision and brokering of attributes

A World of Web Services
A WWW of browsers -> a world of software
Every web/cloud-based company has an "API"
Design patterns emerge: REST, JSON, OAuth

OAuth 2.0
Authorization or "valet key" protocol
– eliminate the "password anti-pattern": web sites asking for your password so they can act as you to get to your stuff
– you (the "resource owner") authorize something (the "client") to access your stuff ("resources") somewhere (the "server")
– the client can be a web app, a desktop/phone app, or JS in the browser
– the right to access is represented as an access token
Right to access... what?
– very easy for a user to grant access to a Gmail inbox, say, to many sites/apps
– limited scopes? who wants to have limits?
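The "valet key" flow described above, modelled as an added example (not code from the slides or from InCommon): the resource owner consents to a subset of the scopes a client requests, the authorization server issues a token carrying only that subset, and the resource server refuses any request whose scope was not granted. The client, endpoint and scope names are invented for the demo.

```python
# Added example, not from the slides: the OAuth 2.0 "valet key" in miniature.
# Client names, endpoints and scope strings below are invented for the demo.
import secrets
from dataclasses import dataclass
@dataclass(frozen=True)
class AccessToken:
    value: str          # opaque bearer string handed to the client
    client_id: str      # the client it was issued to
    scopes: frozenset   # only what the resource owner consented to

class AuthorizationServer:
    def __init__(self):
        self._issued = {}
    def authorize(self, client_id, requested, consented):
        # Granted = requested ∩ consented: the client gets "mail.send" only
        # if the owner ticked that box; it never learns the owner's password.
        granted = frozenset(requested) & frozenset(consented)
        tok = AccessToken(secrets.token_urlsafe(32), client_id, granted)
        self._issued[tok.value] = tok
        return tok
    def introspect(self, value):
        return self._issued.get(value)  # None for unknown or forged tokens

class ResourceServer:
    # Each endpoint names the one scope it requires (least privilege).
    REQUIRED_SCOPE = {("GET", "/calendar"): "calendar.read",
                      ("GET", "/mail/inbox"): "mail.read",
                      ("POST", "/mail/send"): "mail.send"}
    def __init__(self, authz):
        self._authz = authz
    def handle(self, method, path, bearer):
        tok = self._authz.introspect(bearer)
        if tok is None:
            return 401, "invalid_token"         # unknown or forged token
        needed = self.REQUIRED_SCOPE.get((method, path))
        if needed is None or needed not in tok.scopes:
            return 403, "insufficient_scope"    # valid token, wrong valet key
        return 200, f"{tok.client_id} -> {method} {path}"

def demo():
    authz = AuthorizationServer()
    rs = ResourceServer(authz)
    # Constructed scenario: the app asks for three scopes, the owner grants two.
    tok = authz.authorize("calendar-app", ["calendar.read", "mail.read", "mail.send"],
                          ["calendar.read", "mail.read"])
    return {"calendar": rs.handle("GET", "/calendar", tok.value)[0],
            "inbox": rs.handle("GET", "/mail/inbox", tok.value)[0],
            "send": rs.handle("POST", "/mail/send", tok.value)[0],
            "forged": rs.handle("GET", "/calendar", "not-a-real-token")[0]}
```

Run `demo()` to see that the same token opens the calendar and inbox but is refused for sending mail, while a forged token is rejected outright.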

OpenID Connect
OpenID 1.0 (2006) promoted simple, web-based SSO
– a little too simple, too geeky, too idealistic
OpenID 2.0 (2008) better, more complex
– widely deployed by consumer IdPs, not so many SPs, not very interoperable, generating a proxy industry
– large consumer IdPs became the only IdPs...
OpenID Connect (2012)
– focus on simplicity for SPs; based on OAuth 2.0; supports a data channel
– finally FTW? supported by all the big (consumer) players
– still consumer-IdP focused: bilateral, no metadata (yet)

Account Chooser
OpenID Foundation project (formerly Google)
– "An open standard and interface guidelines for the next generation of web sign in"
– provide transition from, and coexistence with, local signon and federation; easy-to-deploy JavaScript
– visual representation of accounts; handles multiple accounts per client machine; protocol-agnostic (OIDC, SAML, other)
– similar to work in the federated space: ULX, DiscoJuice
– could support federated IdP discovery/search? Could...
– best experience depends on a centralized service...

UMA
Kantara Initiative project to support controlled sharing of personal info: person-self, person-other, person-org, in a fully multi-lateral way
An element (perhaps) of a "personal data ecosystem"
Driven by many use cases
– consumer sharing (e.g. photos, calendar)
– health/financial personal data management
– employer/employee data sharing
A profile and extension of OAuth2
Open-source implementations; any deployments?

Brave New World?
Web service access will happen... via OAuth
– and be enabled in the context of existing federation; OAuth2 includes a spec for SAML tokens
– develop enterprise OAuth infrastructure services, OAuth support in federations, use in apps e.g. LMSes
More use of, and integration with, consumer identities
– HE already good at providing attributes...
HE/VO support of "personal" data management
– combine user and institutional control?
– will involve consumer services, will still require community-based trust, standards (Net+, yes!)