Some Frontier Issues from the Wild, Wild West Ken Klingenstein.


Topics
- Activities in the US
  - R&E sector
  - Government sector
- Shib update
- The issues on the frontier
  - At the infrastructure level
  - At the user and application level

Activities in the US
- Government sector: EAuthentication, law enforcement, health care
- R&E sector: state-based federations, InCommon

Diego and RL “Bob”…

Or maybe this

Government Federations
- Internationally, several national governments are developing federations of agencies and offering services to external users
- Within the US, several federal agencies are developing federations: GSA EAuthentication, NSF, NIH (cio.com/story.php?id=)

EAuthentication
- A set of federal agencies, working through a coordinating agency (GSA) in conjunction with NIST, for primarily business (and some consumer) interactions
- Based on SAML, NIST, etc.
- Applications range from booking campgrounds to checking social security to filing administrative data from universities to agencies, to student loans, to access to grant management, to…
- Not a very good soccer team yet, but it is the US Gov
- Attempting to peer with InCommon

State University Federations
- State university federations: Texas, California, Maryland, etc.
- Leverage existing infrastructure in both policies and shared applications
- Some, such as the California Digital Marketplace, reach very broad populations

UTexas Federation Apps
- Project Tracking (CHA)
- Monthly Financial Reporting (BUD)
- TIXX (GOV)
- UT Plane (ADM)
- Compliance Training (ADM)
- Research Projects Tracking (ACA)
- Academic Affairs Jobs (ACA)
- Degree Programs (ACA)
- Grad Registration (ACA)
- System Administration Wireless (OTIS)
- Legal Tracking (OGC)
- Parking Management (APS)
- Signature Authority (APS)
- Bid Specification (OFPC)
- Project Time Reporting (OFPC)
- Student Couponing (UT Austin)
- Online Education via Blackboard (UTHSCH)
- Board of Regents Agenda (BOR), 12/06
- Budget Change Request (BUD), 12/06
- UTANOP (BUD), 12/06

InCommon
- US R&E federation
- Members join a 501(c)3
- Addresses legal, LOA, shared attributes, business proposition, etc. issues
- Approximately 50 members and growing
- A low percentage of national Shib use…

InCommon Members (5/1/07)
- Case Western Reserve University
- Clemson University
- Cornell University
- Dartmouth
- Duke University
- Florida State University
- Georgetown University
- Indiana University
- Miami University
- New York University
- Ohio University
- Penn State
- Stanford University
- Stony Brook University
- SUNY Buffalo
- Texas A&M
- The Ohio State University
- The Johns Hopkins University
- The University of Chicago
- University of Alabama at Birmingham
- University of California, Davis
- University of California, Irvine
- University of California, Los Angeles
- University of California, Merced
- University of California, Office of the President
- University of California, Riverside
- University of California, San Diego
- University of Maryland
- University of Maryland Baltimore County
- University of Maryland, Baltimore
- University of Rochester
- University of Southern California
- University of Virginia
- University of Washington
- University of Wisconsin - Madison
- Cdigix
- EBSCO Publishing
- Elsevier ScienceDirect
- Houston Academy of Medicine - Texas Medical Center Library
- Internet2
- JSTOR
- Napster, LLC
- OCLC
- OhioLink - The Ohio Library & Information Network
- ProtectNetwork
- Symplicity Corporation
- Thomson Learning, Inc.
- Turnitin
- WebAssign

Key aspects of InCommon
- Federating software: Shib 1.2+ (other possibilities in the future)
- Shared attributes and schema: eduPerson right now
- Levels of authentication: POP (participant operational practices) for LOA today; InCommon Bronze and Silver will map to LOA 1 & 2
- Management: steering committee of members' IT executives; operations staffed by Internet2

InCommon Management/Governance
- Steering Committee of campus/vendor CIOs and policy people: sets policies for membership, business model, etc.
- Technical Advisory Committee: sets common member standards for attributes (eduPerson 2.0), identity management good practices, etc.

InCommon Uses
- Access control to content
  - Popular content: Ruckus, CDigix, etc.
  - Scholarly content: Google, OCLC WorldCat
  - Downloads: Microsoft
- Access to external services
  - Student travel, charitable giving, web learning and testing, plagiarism testing service, etc.
  - Allure for alumni services and other internal businesses
  - Student loans, student testing, graduate school admissions, etc.
- Access to national services
  - The National Science Digital Library
  - The TeraGrid pilot

Challenges in the US
- Addressing the risks in federated identity
- Too many lawyers
- Too few business drivers
  - No bulk content licensing
  - Few “national” applications
  - No government access yet
- For many institutions, the focus is on state rather than national applications
  - Bilateral relationships exist more than national relationships
- Not all institutions really have their identity management technologies fully in place
  - Very few have their identity management policies in place

Shibboleth
- Shib 1.3 widely deployed; 1.2 still common
- Along the way, other capabilities added:
  - ADFS compatibility for WS-Fed (MS $)
  - EAuthentication certification (with waiver form :))
- Shib 2.0 completes the SAML+Shib integration
  - More compatible with COTS SAML 2.0 products than they are with each other
  - A Shib/SAML to TCP/IP analogy isn’t bad; Shib adds multi-party federation support through metadata, ARPs (attribute release policies), etc.
  - Also eases support for n-tier, non-web and other capabilities
  - Alpha in April, beta soon

The Shibboleth 2.0 Sidebar
- Support for the attribute ecosystem
  - Attribute handling, including policy, in both SP and IdP
  - Designed to be reusable for other protocols (e.g. CardSpace)
  - Sets the stage for further work on multiple attribute sources, reputation management, etc.
- All-Java SP (in addition to the current Java/Apache), easing integration for some applications
- Trust management
  - PKI still seems too hard, even at the simpler enterprise level
  - Supports a broad set of trust choices: CAs, certs, plain keys, managing site metadata (naming, acquisition, validating)
  - A product of years of painful experience

Federated Applications
- Mostly access controls to content
- The first shibbed collaborative apps are appearing…
  - Several wikis
  - Digital repositories such as DSpace and Fedora
  - Learning management systems such as WebCT
  - IM, p2p file share (Lionshare), CVS
  - Grid-Shib integration in several ways
  - SIP-based tools (videoconferencing, audioconferencing) within reach
- Bootstrapping from duct tape is sometimes a problem

The Frontier

The issues on the frontier
- Peering, leveraging, confederating, etc.
- Integration with p2p trust
- The user interface
- The applications
  - Collaboration
  - Domain-specific

Relationships among federations
- Peering
- Confederation: presumes peering, adds multi-federation support
- Leveraged: specialized federations that extend a common base federation

Some inter-federation key issues
- Multi-protocols
- Sharing metadata
- Aligning policies
- WAYF functionality
- Dispute resolution
- Virtual organization support

REFeds

Peering Parameters
- LOA
- Attribute mapping
- Legal structures
- Liability
- Adjudication
- Metadata
- VO support
- Economics
- Privacy

VOs plumbed to peered federations

Developing the Attribute Ecosystem
- Addressing not only the real-time delivery of attributes, but their creation, distribution and maintenance
- Providing a consistent set of user experiences, both in managing their identity/privacy and in their roles as managers of privileges to others
- Must function with the real world of existing middlemen, uncertain user capabilities, laws and regulations, and duct tape

[Diagram slides: the user, application access controls (including network devices), the IdP, Shib, p2p and the sources of authority, shown in successive views]
- A Simple Life GUI: Authn, Autograph
- An Integrated IdM Life: local apps
- Integrated Interfaces: Signet/Grouper, IdP, local apps
- Real Life: portal, gateway, proxy, and many sources of authority
- VO Service Center: gateway, IdP, and sources of authority

Internet Identity – P2P
- Provides tokens for interpersonal trust
- Use cases include file and photo sharing, some encrypted , etc.
- Limited role but large personal contexts
- Subtle but critical layers: identity selector, tokens, mobility, reputation systems, others
- Active space: CardSpace in MS Vista, Higgins and the Bandits, OpenID, etc.

Identity Integration goals
- Of federated and p2p identity
  - Many levels of integration: the tokens, the GUI, the privacy management paradigm
- Of identity and privilege management
  - Assignment and management of permissions to users by those with authority to grant such access
  - Addresses the static aspects of the authorization space, with audit, delegation, prerequisites, etc.
  - Permissions can be enterprise or virtual organization

User Interface Frontier
- A consistent look and feel to the management of identity activities across a set of collaboration applications
  - The applications may be web services, video or audioconferencing, calendaring, IM, wikis, file shares, etc.
  - The activities may include authentication, release of attributes and management of privacy, creation of attributes for others, group management, etc.
- Defaults must hide most of the complexity
- Cards seem to be a common metaphor
- Variety of appliances is an issue

Management of the Domain
- Lacking general infrastructure, identity and privilege management within the domain is problematic: insecure, ineffective, ad hoc or often missing
- Building tools to integrate Id/Pr management within the domain with the approaches used on campuses
  - Allows more seamless interactions of research and instructional roles
  - Permits students to sample and engage in research securely and easily
  - Allows researchers to administer grants and integrate virtual and physical realities

Collaboration tools and services
- Addressing the collaborative side of research
- Adapting common open-source collaboration tools for more effective use
  - First in institutional and inter-institutional use
  - Then, leveraging that, for virtual organizations
- Addressing integration of authentication, authorization, privacy, etc.
- Wikis, IM, web-accessed file shares, videoconferencing, audio conferencing, etc.
- Use cases abound, from “open to members of a community” to “just these few colleagues” and others

MACE