Interfederation RL “Bob” Morgan University of Washington and Internet2 Digital ID World 2005 San Francisco.
2 Topics
- Federation and Interfederation
- US E-Authentication Program and Internet2
- USperson schema

3 Federations defined
- created to support community
- interesting ones are multi-IdP, multi-SP
- embodies agreements on many levels
  - membership, technology, assurance, key mgt, legal, attributes, privacy, appropriate use, etc
- facilitates member federated interactions
  - many potential sub-communities and their apps
- operational support
  - key/config distribution, IdP discovery, etc
- doesn't preclude non-fed arrangements

4 Federations happening
- i.e., SAML-based (or similar) federations
- in Europe, natural extension of HE NREN services
  - Switzerland, Finland, Netherlands, UK, Spain, France, etc
- in US
  - InCommon Federation in higher ed
  - also state-level planning, vertical apps such as student loan management
  - US government E-Authentication Program
- also much non-fed or pre-fed deployment among fed members

5 Interfederation
- an immediate consequence of federation
  - brand-new federations don't have well-defined boundaries or service scopes
  - it's the Internet, we're all connected
  - many interesting SPs are global, e.g. Elsevier
- Interfederation workshop, Oct 2004
  - Upper Slaughter, UK (a nicer walled garden?)
  - many countries, including CERN
  - many agreements on direction, future work

6 ... but it's a nice garden

7 Interfederation models
- parallel universes
  - members simply participate in many if needed
  - consistent with fundamental pairwise nature of app-level relationships
  - scaling, diversity not addressed
- peering
  - transitive assurance, legal, policy, maybe ops
  - too tight a coupling?
- league of federations?
  - some historical examples...

8 US E-Authentication
- for authoritative info
- facilitates trusted access to e-government
- e-auth elements
  - credential providers (CSPs), agency apps (AAs)
  - credential assessment framework (CAF), application risk assessment, defined LoAs
  - approved technologies, products (X.509, SAML)
  - e-auth ops: membership, portal (aka "Fed fed")
  - agency mandates

9 InCommon E-Auth alignment
- promote interop for widespread higher-ed access to USG applications
  - grants process, research support, student loans...
- process
  - project started Oct 2004, through Sept 2005
  - compare federation models
  - propose alignment steps
  - validate with federation members, via concrete application trials
  - implement via next e-auth, InCommon phases

10 Alignment points
- Basic divergence: loose vs tight coupling
- assurance: facilitated vs guaranteed
  - InCommon participants publish their processes
  - E-auth participants audited, approved by GSA
  - level of assurance is fundamental characteristic
- membership: IdP-centric vs SP-centric
  - E-auth driven by requirements of e-government AAs
  - InCommon driven by requirements of university CSPs
- operation: metadata-centric vs portal-centric
  - InCommon-managed metadata supports interaction
  - E-auth portal mediates flow, adds adaptation point

11 Alignment points 2
- user identity: application-supporting attributes vs fixed identifier set
  - InCommon relies on Internet2-defined eduPerson, promotes attribute-based authorization
  - E-Authentication specifies delivery of identifiers
- technology: SAML and profiles
  - InCommon specifies Shib profile of SAML 1.1
  - E-authentication specifies extensive profile on top of SAML 1.0
  - intend to converge on SAML 2.0

12 Validation steps
- universities undergo trial by CAF
  - assess whether compliance is likely across HE
  - U Washington, Penn State, Cornell
  - pretty darned close: 50% all-OK, others do-able
- deploy access to a real USG app summer 2005
  - requires E-Auth acceptance of univs as CSPs
  - app will modify existing provisioning process
  - practical feedback to alignment recommendations

13 US person
- motivated by InCommon desire for attribute-based authorization
- modeled on Internet2 eduPerson spec
- framework on which agency/app definitions can be built
- not just SAML
  - generic information model, mapped to LDAP, SAML, XML provisioning
- ambitious? yes...