The Basics of Federated Identity
Overview of Federated Identity and Grids Workshop
- Session 1 - for all: Basics and GridShib
- Session 2 - more for developers: Architecture and attributes; Panel of developers
- Session 3 - more for deployers: State of practice in federations; Panel of deployers
- Session 4 - a focus on VOs and federated identity: Privilege management; VO services

Basics
- Types of identity
- The basics of federated identity: enterprise middleware; attribute and entitlement orientation; federating software; the trust fabrics
- Current status and uses: applications; R&E, Gov; corporations and federations (internal, sector, and participation in R&E)
- Policies and peering

Three Types of Identity
- Global basic identity: passport, driver's license, qualifying X.509 cert
- Federated enterprise: the enterprise provides identity management for its users; enterprises federate to build inter-realm trust and identity; federations peer
- Peer to peer: self-asserted, individual to individual; lots of approaches, many clever
- Hybrids and others

A Word About the Other Two...
- Global, government-issued: qualifying certs, birth certificates, passports, driver's licenses, etc. Strength of identity proofing varies widely. Lurching along.
- Peer to peer is very hot but not yet gelling: lots of different identifiers (addresses, URLs, aliases); lots of different trust builders (read my site, special delivery, friends of friends, etc.). Workshops every two months; may converge soon on just two or three approaches.

And Some Hint of Layering
- User-centric identity wants to integrate all types of identity
- At the storage level: maybe not the actual credentials, but a store of pointers
- At the user interface level: the brain map and the presentation
- MS CardSpace and Higgins are two of the major players

Basics of Federated Identity
- Enterprise middleware
- Attribute and entitlement orientation
- Federating software
- The trust fabrics

Enterprise Middleware
- Provides common services for many applications, and network-layer services (wireless access, lambdas, etc.)
- Directories and metadirectories
- Authentication and single sign-on
- Lifecycle identity management services: to students, faculty, staff, alumni, contractors, guests, academic medical centers...
- Group and privilege management
- May eventually include workflow, DRM, etc.
- Business processes and legacy apps that feed the infrastructure and draw from it

Relative Roles of Signet & Grouper
- RBAC (role-based access control) model: users are placed into groups (aka roles); privileges are assigned to groups; groups can be arranged into hierarchies to effectively bestow privileges
- Grouper manages, well, groups
- Signet manages privileges
- Separates responsibilities for groups and privileges

Attributes
- Have well-defined syntax and semantics across the relevant community
- Typically have a controlled vocabulary of possible values, though some values are open-ended in meaning
- May be personally identifiable or more general
- Exist in many forms, from storage (LDAP) to transport (SAML, attribute certificates) to metadata (OIDs, RFCs, etc.)
- Come from sources of authority
- Are often used to determine access
- In shifting the focus from identity to attributes lies the ability to preserve privacy

Entitlements
- A particular and common attribute, giving a person permission to use certain resources
- Are often delegated, constrained, time-limited, etc.
- Can be managed, at enterprise and end-user levels, with a privilege manager (e.g. Signet)
- Controlled complexity
- Have much to offer VOs in moving from identity-based authorization to better models
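The Grouper/Signet split on the earlier slide and the constrained, time-limited entitlements on this one, as an added worked example. This is not Grouper's or Signet's code or API: the group tree, the privilege assignments, the scope strings and the user names are all constructed for the illustration. Groups hold members (people or nested groups); privileges attach only to groups and carry an expiry and a scope; effective privileges are resolved by walking the group hierarchy upward.

```python
"""Added example: group management (Grouper's job) kept separate from
privilege management (Signet's job), with privileges resolved through a
group hierarchy and subject to expiry and scope limits.  All data below is
constructed for the example; this is not Grouper or Signet code."""
from datetime import date

# Group store (the Grouper side).  A member is either a user id or a nested
# group written as "group:<name>", which is how the hierarchy is expressed.
GROUPS = {
    "univ:staff":       {"alice", "bob"},
    "univ:faculty":     {"carol"},
    "univ:employees":   {"group:univ:staff", "group:univ:faculty"},
    "univ:it:admins":   {"alice"},
    "univ:it:helpdesk": {"dave", "group:univ:it:admins"},  # admins inherit helpdesk
}

# Privilege store (the Signet side).  Privileges attach to groups, never to
# users directly, and may carry limits: an expiry date (ISO string or None)
# and a scope the privilege is confined to ("*" means unconstrained).
PRIVILEGES = [
    {"priv": "wiki:read",    "group": "univ:employees",   "until": None,         "scope": "*"},
    {"priv": "wiki:edit",    "group": "univ:staff",       "until": "2007-06-30", "scope": "dept:it"},
    {"priv": "ldap:admin",   "group": "univ:it:admins",   "until": None,         "scope": "*"},
    {"priv": "ticket:close", "group": "univ:it:helpdesk", "until": None,         "scope": "*"},
]


def groups_of(user):
    """Every group the user belongs to, directly or through nesting.
    The visited set keeps this terminating even if two groups are
    (mistakenly) made members of each other."""
    found = set()
    frontier = {g for g, members in GROUPS.items() if user in members}
    while frontier:
        g = frontier.pop()
        if g in found:
            continue
        found.add(g)
        # walk upward: any group that contains g as a nested member
        frontier |= {parent for parent, members in GROUPS.items()
                     if f"group:{g}" in members}
    return found


def effective_privileges(user, today, scope="*"):
    """Privileges the user holds on the given day (ISO date) for the given scope."""
    today = date.fromisoformat(today)
    mine = groups_of(user)
    held = set()
    for p in PRIVILEGES:
        if p["group"] not in mine:
            continue
        if p["until"] is not None and today > date.fromisoformat(p["until"]):
            continue                      # time-limited privilege has lapsed
        if p["scope"] != "*" and p["scope"] != scope:
            continue                      # constrained to a different scope
        held.add(p["priv"])
    return held


def has_privilege(user, priv, today, scope="*"):
    return priv in effective_privileges(user, today, scope)


if __name__ == "__main__":
    for u in ("alice", "carol", "dave"):
        print(u, sorted(effective_privileges(u, "2007-05-01", "dept:it")))
```

Note that nesting direction matters: admins are members of the helpdesk group, so alice picks up ticket:close, but dave in the helpdesk group does not pick up ldap:admin. Resolving at request time against today's date is what makes a time-limited entitlement actually lapse without anyone having to revoke it.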

Federating Software
- Almost all software is built on the OASIS SAML standard; many vendors are moving towards SAML 2.0
- Most R&E federations use Shibboleth 1.x or a compatible implementation (e.g. a properly configured Sun Identity Manager, A-Select, etc.)
- SAML and Shib have been deeply joined from the beginning (c. 2000): shared design, OpenSAML a major part of Shib, Scott Cantor (OSU) lead Shib architect and SAML 2.0 editor...
- SAML addresses more the bilateral use case; Shib the multilateral one
- Apache 2.0-type license, open source; Shib 2.0 alpha due out in April
- WS-Fed, part of WS-*: proprietary MS and IBM trust framework; works well with ADFS and enterprise MS

Trust Fabrics
- Instantiate as federations, with a federation operator, frequently leveraging existing organizations
- Technical set of issues: versions of software, attributes, metadata exchanges
- Policy issues: common standards for IdM (identity proofing, acts of authentication, assignment of common attributes, etc.); governance and federation operations
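What a Shibboleth-style service provider does with a SAML assertion once the federation's trust fabric (its metadata) is in hand, as an added example that ties together the attributes slide (scoped attributes; access decided on attributes, with no name released), the entitlements slide (eduPersonEntitlement as the access attribute) and the trust-fabric slide (issuer and attribute scope checked against metadata). This is not code from the slides, from Shibboleth or from OpenSAML. It assumes the assertion's XML signature has already been verified upstream, and the assertion, the metadata entries, the entity IDs, the entitlement URI and the policy are all constructed for the example.

```python
"""Added example: consuming a (signature-verified) SAML 2.0 attribute
statement the way a federated service provider must, then authorising on
attributes rather than identity.  Assertion, metadata, entity IDs and
policy are constructed for the example; XML signature checking is assumed
done already and is out of scope here."""
import xml.etree.ElementTree as ET
from datetime import datetime, timezone

NS = {"saml": "urn:oasis:names:tc:SAML:2.0:assertion"}
SP_ENTITY_ID = "https://wiki.example.org/shibboleth"   # assumed SP entity ID

# Constructed federation metadata: the IdPs we trust, each with the attribute
# scopes the federation operator has registered for it.
FEDERATION_METADATA = {
    "https://idp.univ-a.example/idp/shibboleth": {"univ-a.example"},
}

# Scoped attributes carry "value@scope".  The scope must be one the issuing
# IdP is registered for; otherwise any member IdP could assert
# staff@some-other-campus and be believed.
SCOPED_ATTRIBUTES = {"eduPersonScopedAffiliation", "eduPersonPrincipalName"}

# Constructed assertion: no name, only affiliation and an entitlement.  The
# second affiliation value is deliberately for a scope the IdP does not own.
ASSERTION_XML = """<saml:Assertion xmlns:saml="urn:oasis:names:tc:SAML:2.0:assertion"
  ID="_a1" Version="2.0" IssueInstant="2007-04-01T12:00:00Z">
  <saml:Issuer>https://idp.univ-a.example/idp/shibboleth</saml:Issuer>
  <saml:Conditions NotBefore="2007-04-01T11:59:00Z" NotOnOrAfter="2007-04-01T12:05:00Z">
    <saml:AudienceRestriction>
      <saml:Audience>https://wiki.example.org/shibboleth</saml:Audience>
    </saml:AudienceRestriction>
  </saml:Conditions>
  <saml:AttributeStatement>
    <saml:Attribute Name="eduPersonScopedAffiliation">
      <saml:AttributeValue>member@univ-a.example</saml:AttributeValue>
      <saml:AttributeValue>staff@univ-b.example</saml:AttributeValue>
    </saml:Attribute>
    <saml:Attribute Name="eduPersonEntitlement">
      <saml:AttributeValue>urn:mace:example.org:wiki:editor</saml:AttributeValue>
    </saml:Attribute>
  </saml:AttributeStatement>
</saml:Assertion>"""


def parse_time(s):
    """SAML UTC timestamp ("...Z") to an aware datetime."""
    return datetime.strptime(s, "%Y-%m-%dT%H:%M:%SZ").replace(tzinfo=timezone.utc)


def consume_assertion(xml_text, now, metadata=FEDERATION_METADATA, audience=SP_ENTITY_ID):
    """Return accepted attributes as {name: set(values)}; raise ValueError on
    any trust or validity failure.  Signature is assumed already verified."""
    root = ET.fromstring(xml_text)
    issuer = root.findtext("saml:Issuer", namespaces=NS)
    if issuer not in metadata:
        raise ValueError(f"issuer not in federation metadata: {issuer}")
    cond = root.find("saml:Conditions", NS)
    if cond is None:
        raise ValueError("assertion carries no Conditions")
    if not (parse_time(cond.get("NotBefore")) <= now < parse_time(cond.get("NotOnOrAfter"))):
        raise ValueError("assertion outside its validity window")
    audiences = [a.text for a in cond.findall("saml:AudienceRestriction/saml:Audience", NS)]
    if audience not in audiences:
        raise ValueError("assertion not addressed to this SP")
    allowed_scopes = metadata[issuer]
    attrs = {}
    for attr in root.findall("saml:AttributeStatement/saml:Attribute", NS):
        name = attr.get("Name")
        for v in attr.findall("saml:AttributeValue", NS):
            value = (v.text or "").strip()
            if name in SCOPED_ATTRIBUTES:
                _, _, scope = value.rpartition("@")
                if scope not in allowed_scopes:
                    continue          # drop: issuer may not assert this scope
            attrs.setdefault(name, set()).add(value)
    return attrs


# Attribute-based policy: access needs an affiliation or an entitlement, never a name.
POLICY = {
    "read":  lambda a: any(v.startswith("member@") for v in a.get("eduPersonScopedAffiliation", ())),
    "write": lambda a: "urn:mace:example.org:wiki:editor" in a.get("eduPersonEntitlement", ()),
}


def authorize(attrs, action):
    check = POLICY.get(action)
    return bool(check and check(attrs))


def decision(xml_text, now_str, action):
    """Whole pipeline: 'allow', 'deny', or 'reject:<reason>' when the assertion is untrusted."""
    try:
        attrs = consume_assertion(xml_text, parse_time(now_str))
    except ValueError as e:
        return f"reject:{e}"
    return "allow" if authorize(attrs, action) else "deny"


if __name__ == "__main__":
    print(consume_assertion(ASSERTION_XML, parse_time("2007-04-01T12:01:00Z")))
    print(decision(ASSERTION_XML, "2007-04-01T12:01:00Z", "write"))
```

The scope check is the part deployers most often skip: a valid signature proves which IdP spoke, not that it was entitled to speak for the scope in the value, and the registered scopes in federation metadata are what make the affiliation trustworthy across the whole federation. The audience and validity-window checks stop an assertion minted for one SP from being replayed at another or after it expires.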

Federated Applications
- Mostly access controls to content
- The first Shibboleth-enabled ("shibbed") collaborative apps are appearing: several wikis; digital repositories such as DSpace and Fedora; learning management systems such as WebCT; IM, P2P file sharing (LionShare), CVS
- Grid-Shib integration in several ways
- SIP-based tools (videoconferencing, audioconferencing) within reach
- Bootstrapping from duct tape is sometimes a problem

Current State - R&E
- R&E federations are moving forward rapidly in many countries, including the US, UK, France, Germany, Sweden, Australia, Switzerland, Norway, Netherlands, Finland, Denmark, etc.
- State university systems federate: Texas, California, Maryland, Cal State, Ohio, etc.
- Use is primarily access to content and services, but eScience, collaborative apps and virtual organizations are on the map
- In the US, InCommon has approximately forty members

Current State - Gov
- Several national governments are developing federations of agencies and offering services to external users
- Within the US, several federal agencies are developing federations: GSA E-Authentication, NSF, NIH
- Close and strange working relationships with InCommon

Corporations and Federations
- Internal use of federated identity
- Vertical sectors
- Participation in other sectors: content providers, apps for education, the consumer marketplace

Peering and Confederation
- For federations to scale (internationally, across vertical sectors, and in size) some forms of interaction are necessary
- Peering involves agreements between federations on common attributes, levels of assurance, metadata, economics, privacy, etc.
- Confederation, a union of national federations, is useful in situations such as Europe, with many similar but distinct federations
- Other forms, such as state federations relating to InCommon, are certain to emerge

Peering (diagram slide)

Frontier Thoughts...
- Right now, federations are about identities and their attributes
- Could federations support collaboration fabrics? Federated group and privilege management; virtual organization support; servers and tools; workflow? digital signatures?
- How much integration is too much?

VOs plumbed to federations (diagram slide)