SWITCHaai Team Federated Identity Management.


© 2012 SWITCH

Agenda
  What is Federated Identity Management?
  What is a Federation?
  The SWITCHaai Federation
  Interfederation

Evolution of Identity Management
  Stone Age: Application maintains unique credential and identity information for each user
  Bronze Age: Credentials are centralized (e.g. Kerberos, LDAP) but applications maintain all user identity information
  Iron Age: Credentials and core identity information are centralized and applications maintain only app-specific user data

Federated Identity
  Current mechanisms assume applications are within the same administrative domain
  Adding a user from outside means creating an account within your IdM system. This could result in the new user having access to more than just the intended application.
  Federated Identity Management (FIM) securely shares information managed at a user's home organization with remote services.
  Within FIM systems it doesn't matter whether the service is in your administrative domain or another. It's all handled the same.

Federated Identity
  In Federated Identity Management:
    Identity Providers (IdP) publish authentication and identity information about users
    Service Providers (SP) consume this information and make it available to an application
    An IdP or SP is generically known as an entity
  The first principle within federated identity management is the active protection of user information
    Protect the user's credentials: only the IdP ever handles the credential
    Protect the user's identity information, including identifiers: a customized set of information is released to each SP

What does it do for me?
  Reduces work: Authentication-related calls to Penn State University's helpdesk dropped by 85% after they installed Shibboleth
  Provides current data: Studies of applications that maintain user data show that the majority of data is out of date. Are you "protecting" your app with stale data?
  Insulation from service compromises: In FIM data is pushed to services as needed. If those services are compromised the attacker can't get everyone's data.
  Minimize attack surface area: Only the IdP needs to be able to contact user data stores. All effort can be focused on securing this one connection instead of one (more) connection per service.

Some other gains
  Users generally find the resulting single sign-on experience nicer than logging in numerous times.
  Usability-focused individuals like that the authentication process is consistent regardless of the service accessed.
  A properly maintained federation drastically simplifies the process of integrating new services.

What is a Federation?
  A group of organizations running IdPs and SPs that agree on a common set of rules and standards
  It's a label for people to talk about such a collection of organizations
  An organization may belong to more than one federation at a time
  The grouping can be on a regional level (e.g. SWITCHaai) or on a smaller scale (e.g. a large campus)
  IdPs and SPs 'know' nothing about federations

What are these rules of which you speak?
  Technical Interoperability
    Supported protocols
    User authentication mechanisms
    User attribute specifications
    Accepted X.509 certificates
  Legal Interoperability
    Membership agreement/contract
    Federation operation policies
    Requirements on identity management practices
  Others
    Common/best operational practices

What does a Federation do?
  At a minimum a federation maintains the list of which IdPs and SPs are in the federation
  Most federations also
    define agreements, rules, and policies
    provide some user support (documentation, list, etc.)
    operate a central discovery service and test infrastructure
  Some federations
    provide self-service tools for managing IdP and SP data
    install IdPs and SPs for members
    provide application integration support
    host or help with outsourced IdPs
    provide tools for managing "guest" users
    develop custom tools for the community

Federation Metadata
  An XML document that describes every federation entity
  Contains
    Unique identifier for each entity, known as the entityID
    Endpoints where each entity can be contacted
    Certificates used for signing and encrypting data
  May contain
    Organization and person contact information
    Information about which attributes an SP wants/needs
  Metadata is usually distributed by a public HTTP URL
  The metadata should be digitally signed
  Bilateral metadata exchange scales very badly
  Metadata must be kept up to date so that
    New entities can work with existing ones
    Old, or revoked, entities are blocked
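The following is an added example, not SWITCHaai or Shibboleth code, covering two slides above: the metadata slide (entityID, endpoints, certificates, freshness, and the attributes an SP declares it wants) and the earlier principle that each SP receives a customized set of attributes. It parses a hand-built SAML 2.0 metadata document with only the Python standard library, rejects metadata whose validUntil has passed (so a revoked entity cannot keep working off a stale copy), and computes what an IdP would release to one SP as the intersection of what the user has, what the SP requests in metadata, and what the IdP's release policy permits for that SP. The namespaces and OIDs are the real SAML and eduPerson ones; every entityID, URL, certificate body, user record and policy is a constructed placeholder. Signature verification of the metadata is not shown.

```python
"""Added example: parse constructed SAML 2.0 federation metadata, check its
validity window, and compute a per-SP attribute release. Not SWITCHaai code."""
import xml.etree.ElementTree as ET
from datetime import datetime

NS = {
    "md": "urn:oasis:names:tc:SAML:2.0:metadata",
    "ds": "http://www.w3.org/2000/09/xmldsig#",
}

IDP_ID = "https://idp.example.org/idp/shibboleth"  # constructed entityID
SP_ID = "https://sp.example.org/shibboleth"        # constructed entityID

# Constructed federation metadata with one IdP and one SP. Certificate
# bodies are placeholders, not real base64 DER.
SAMPLE_METADATA = f"""<md:EntitiesDescriptor
    xmlns:md="urn:oasis:names:tc:SAML:2.0:metadata"
    xmlns:ds="http://www.w3.org/2000/09/xmldsig#"
    Name="urn:example:federation" validUntil="2012-06-01T00:00:00Z">
  <md:EntityDescriptor entityID="{IDP_ID}">
    <md:IDPSSODescriptor protocolSupportEnumeration="urn:oasis:names:tc:SAML:2.0:protocol">
      <md:KeyDescriptor use="signing">
        <ds:KeyInfo><ds:X509Data>
          <ds:X509Certificate>PLACEHOLDER-IDP-SIGNING-CERT</ds:X509Certificate>
        </ds:X509Data></ds:KeyInfo>
      </md:KeyDescriptor>
      <md:SingleSignOnService Binding="urn:oasis:names:tc:SAML:2.0:bindings:HTTP-Redirect"
          Location="https://idp.example.org/idp/profile/SAML2/Redirect/SSO"/>
    </md:IDPSSODescriptor>
  </md:EntityDescriptor>
  <md:EntityDescriptor entityID="{SP_ID}">
    <md:SPSSODescriptor protocolSupportEnumeration="urn:oasis:names:tc:SAML:2.0:protocol">
      <md:KeyDescriptor use="encryption">
        <ds:KeyInfo><ds:X509Data>
          <ds:X509Certificate>PLACEHOLDER-SP-ENCRYPTION-CERT</ds:X509Certificate>
        </ds:X509Data></ds:KeyInfo>
      </md:KeyDescriptor>
      <md:AssertionConsumerService Binding="urn:oasis:names:tc:SAML:2.0:bindings:HTTP-POST"
          Location="https://sp.example.org/Shibboleth.sso/SAML2/POST" index="1"/>
      <md:AttributeConsumingService index="1">
        <md:ServiceName xml:lang="en">Example Service</md:ServiceName>
        <md:RequestedAttribute Name="urn:oid:1.3.6.1.4.1.5923.1.1.1.6"
            FriendlyName="eduPersonPrincipalName" isRequired="true"/>
        <md:RequestedAttribute Name="urn:oid:0.9.2342.19200300.100.1.3"
            FriendlyName="mail" isRequired="false"/>
      </md:AttributeConsumingService>
    </md:SPSSODescriptor>
  </md:EntityDescriptor>
</md:EntitiesDescriptor>"""

USER = {  # constructed user record held at the IdP; the credential is not part of it
    "eduPersonPrincipalName": "alice@example.org",
    "mail": "alice@example.org",
    "eduPersonAffiliation": "staff",
}
POLICY = {SP_ID: {"eduPersonPrincipalName", "eduPersonAffiliation"}}  # constructed per-SP policy


def parse_metadata(xml_text):
    """Return {entityID: {"role", "endpoints", "certs", "requested"}} for each IdP/SP."""
    entities = {}
    for ed in ET.fromstring(xml_text).findall("md:EntityDescriptor", NS):
        idp = ed.find("md:IDPSSODescriptor", NS)
        sp = ed.find("md:SPSSODescriptor", NS)
        role_el = idp if idp is not None else sp
        if role_el is None:
            continue  # other role types are ignored in this example
        entry = {"role": "IdP" if idp is not None else "SP",
                 "endpoints": [], "certs": [], "requested": {}}
        for tag in ("md:SingleSignOnService", "md:AssertionConsumerService"):
            for ep in role_el.findall(tag, NS):  # where the entity can be contacted
                entry["endpoints"].append((ep.get("Binding"), ep.get("Location")))
        for cert in role_el.findall(
                "md:KeyDescriptor/ds:KeyInfo/ds:X509Data/ds:X509Certificate", NS):
            entry["certs"].append("".join(cert.text.split()))  # signing/encryption keys
        for ra in role_el.findall("md:AttributeConsumingService/md:RequestedAttribute", NS):
            entry["requested"][ra.get("FriendlyName")] = ra.get("isRequired") == "true"
        entities[ed.get("entityID")] = entry
    return entities


def _utc(iso):
    return datetime.fromisoformat(iso.replace("Z", "+00:00"))


def is_current(xml_text, now_iso):
    """False once validUntil has passed or is absent: stale metadata must not be trusted."""
    valid_until = ET.fromstring(xml_text).get("validUntil")
    return valid_until is not None and _utc(now_iso) < _utc(valid_until)


def release_attributes(user_attrs, sp_entry, permitted):
    """Customized release: user has it AND SP requested it AND policy permits it for this SP."""
    return {name: value for name, value in user_attrs.items()
            if name in sp_entry["requested"] and name in permitted}


def missing_required(sp_entry, released):
    """Required attributes the SP asked for that this release does not satisfy."""
    return sorted(n for n, req in sp_entry["requested"].items() if req and n not in released)


if __name__ == "__main__":
    entities = parse_metadata(SAMPLE_METADATA)
    print("metadata current:", is_current(SAMPLE_METADATA, "2012-05-01T00:00:00Z"))
    for eid, e in entities.items():
        print(eid, e["role"], e["endpoints"], e["certs"])
    released = release_attributes(USER, entities[SP_ID], POLICY[SP_ID])
    print("released:", released, "missing required:", missing_required(entities[SP_ID], released))
```

In the sample run the SP receives only eduPersonPrincipalName: mail is requested but not permitted by the policy, and eduPersonAffiliation is permitted but not requested. A production IdP would additionally verify the XML signature over the metadata before trusting any of its contents.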

SWITCHaai: An Example Federation (1)
  SWITCH consults with two bodies
    Advisory Committee: deals with policies and legal framework
    Community Group: deals with technical/operational issues
  Two classes of SWITCHaai Participants
    SWITCH Community: organization fits the definition from the SWITCH Service Regulations
    Federation Partner: organization sponsored by a SWITCHaai Participant from the SWITCH Community

SWITCHaai: An Example Federation (2)
  SWITCH operates the SWITCHaai Federation
  AAI is a Basic Service for the SWITCH Community

SWITCHaai: Rules, Policies, & Agreements
  SWITCHaai Service Description (includes the Policy): concepts and rules for all entities in the federation
  Federation Partner Agreement: legal contract between SWITCH and a federation partner
  Certificate Acceptance Policy: policy on the certificates accepted by the federation
  AAI Attribute Specification: minimum set of core and optional attributes supported by federation entities

SWITCHaai: The Legal Framework (diagram)
  Federal Law, Cantonal Law (e.g. data protection)
  SWITCHaai Service Description (includes Policy)
  SWITCH Community (Org 1, Org 2, Org ..., each with User Regulations): bound to SWITCH by the Service Regulations
  Federation Partners (Org n): bound to SWITCH by the Federation Partner Agreement & GTC

SWITCHaai: Services Provided
  Rules, policies and agreements
  Documentation: installation/migration guides, HowTos
  Call-in helpdesk and support mailing list
  Centralized Services
    Discovery Service
    Resource Registry (metadata management)
    Virtual Home Organization (VHO)
    Attribute Viewer
    Group Management Tool
  uApprove Shibboleth IdP plugin
  Test federation
  Some application integration support
  Training

SWITCHaai: Status Spring 2012
  # AAI enabled accounts
  # Resources
  # Home Organizations
  98% coverage in higher education

Interfederation
  Users get access to services registered only in other federations
  eduGAIN is the Interfederation Service of GÉANT
  Rules and Guidelines regarding international data protection are still under debate

Interfederation (2)