InCommon, other federations, the attribute ecosystem, and some killer apps needing guns…

Slides:



Advertisements
Similar presentations
The Basics of Federated Identity. Overview of Federated Identity and Grids Workshop Session 1 - for all Basics and GridShib Session 2 – more for developers.
Advertisements

The Art of Federations. Topics Federations of what… Federated identity versus federations Federations in other sectors – business, gov, ad hoc R&E Federations.
From Authentication to Privilege Management to the Attribute Economy: Marketing runs amok…
Trends in Identity Management Nate Klingenstein Internet2 EDUCAUSE Security Professional 2007.
Federated Access: Identity Management and Access to Protected Resources Renée Woodten Frost Associate Director, Middleware & Security
US E-authentication and the Culture of Compliance RL “Bob” Morgan University of Washington CAMP, June 2005.
Drive-By Dialogues. Presenter’s Name Topics The Long Strange Trip of I2 – NLR Merger A Brief Comment on Optical Networking Middleware Developments Security.
1 Issues in federated identity management Sandy Shaw EDINA IASSIST May 2005, Edinburgh.
Internet Scale Identity, Collaboration and Higher Education.
Some Frontier Issues from the Wild, Wild West Ken Klingenstein.
UCLA’s Shibboleth Plan Shibboleth is an integral part of UCLA’s Enterprise Directory & Identity Management Infrastructure (EDIMI) Project Integrate with.
Presenter’s Name InCommon Approximately 80 members and growing steadily More than two million “users” Most of the major research institutions (MIT joining.
EAuthentication in Higher Education Tim Bornholtz Session 58.
The E-Authentication Initiative An Overview Peter Alterman, Ph.D. Assistant CIO for e-Authentication, NIH and Chair, Federal PKI Policy Authority The E-Authentication.
InCommon Policy Conference April Uses  In order to encourage and facilitate legal music programs, a number of universities have contracted with.
New CyberInfrastructure for Collaboration between Higher Ed and NIH.
1 Update on the InCommon Federation, Higher Education’s Community of Trust EDUCAUSE 2005 October 19 10:30am-11:20am.
Updates on Shib, a bit of InCommon and International Federations.
1 Leveraging Your Existing Campus Systems to Access Resource Partners: Federated Identity Management and Tales of Campus Participation Clair Goldsmith,
Federations and Security: A Multi-level Marketing Scheme Ken Klingenstein Director, Internet2 Middleware and Security.
To identity federation and beyond! Josh Howlett JANET(UK) HEAnet 2008.
The InCommon Federation The U.S. Access and Identity Management Federation
Shib in the present and the future Ken Klingenstein Director, Internet2 Middleware and Security.
Interfederation RL “Bob” Morgan University of Washington and Internet2 Digital ID World 2005 San Francisco.
1 The Partnership Challenge Higher education’s missions are realized in increasingly global, collaborative, online relationships –Higher educations’ digital.
Shibboleth Architecture and Requirements Shibboleth A New Approach to Web Based Access Control CNI April 4, 2005.
1 The InCommon Federation John Krienke Internet2 Spring Member Meeting Tuesday, April 25, 2006.
The Rise of Federations…Almost Everywhere. Topics Federation Basics Drivers Components International and pulic sector developments InCommon and its uses.
External Identity and Authorization in GENI. Topics Federated identity and virtual organizations ABAC Creating and transporting attributes.
Federations: success brings new challenges Ken Klingenstein Director, Internet2 Middleware and Security.
Internet2 – InCommon and Box Marla Meehl Colorado CIO 11/1/11.
InCommon as Infrastructure: How Recommended Practices and Federation Features Help Scale Federated Identity Management Michael R. Gettes, Carnegie Mellon.
(Inter)Federation as Identity Management Policy Driver? RL "Bob" Morgan University of Washington.
VO and Internet2 Middleware. Presenter’s Name Topics Motivations for Internet2 Middleware work Federated identity and InCommon Other IdM Groups, privileges,
InCommon Update Internet2 Meeting April 20, 2004 Ken Klingenstein and Carrie Regenstein.
Identity Federations: Here and Now Renée Shuey Penn State and InCommon.
Stuff, including interfederation stuff Dr Ken Klingenstein, Director, Middleware and Security, Internet2.
GridShib: Grid/Shibboleth Interoperability September 14, 2006 Washington, DC Tom Barton, Tim Freeman, Kate Keahey, Raj Kettimuthu, Tom Scavo, Frank Siebenlist,
NSF Middleware Initiative Renee Woodten Frost Assistant Director, Middleware Initiatives Internet2 NSF Middleware Initiative.
E-Authentication: Simplifying Access to E-Government Presented at the PESC 3 rd Annual Conference on Technology and Standards May 1, 2006.
1 InCommon Identity & Access Management Federation John Krienke Operations Manager, InCommon Assistant Director, Internet2
Federated Access to US CyberInfrastructure Jim Basney CILogon This material is based upon work supported by the National Science.
Collaborative Platforms. Collaborations and Virtual Organizations IdM is a critical dimension of collaboration, crossing many applications.
Federations 101 John Krienke Internet2 Fall 2006 Internet2 Member Meeting.
Integrated Institutional Identity Infrastructure: Implications and Impacts RL “Bob” Morgan University of Washington Internet2 Member Meeting, May 2005.
A Role for Libraries in Helping Users Manage Collaboration.
Scared Straight… if you want to go outside… Authenticate Locally, Act Globally.
Shibboleth: Status and Pilots. The Golden Age of Plywood.
Project Shibboleth Update, Demonstration and Discussion Michael Gettes May 20, 2003 TERENA Conference, Zagreb, Croatia Michael Gettes.
National Authentication and Authorization Infrastructures and NRENs Ken Klingenstein Director, Internet2 Middleware and Security.
Internet2: building and using an advanced network environment for research, teaching and learning APRU CIO Forum, 23 March 2007 Heather Boyles,
Shibboleth Update Eleventh Federal & Higher Education PKI Coordination Meeting (Fed/Ed Thursday, June 16, 2005.
Federated Identity Graduates Nate Klingenstein Internet2 APAN 27 高雄台湾, March 3, 2009.
Middleware Futures Internet2 Member Meeting Arlington VA, April 2006 RL “Bob” Morgan, University of Washington and Internet2.
Shibboleth: Molecules, Music, and Middleware. Outline ● Terms ● Problem statement ● Solution space – Shibboleth and Federations ● Description of Shibboleth.
Federated Identity Management at NIH…NIH Login and Beyond Debbie Bucci September 2009.
Shibboleth & Federated Identity A Change of Mindset University of Texas Health Science Center at Houston Barry Ribbeck
AAI in Europe ++ Ken Klingenstein Director, Internet2 Middleware and Security.
Transforming Government Federal e-Authentication Initiative David Temoshok Director, Identity Policy and Management GSA Office of Governmentwide Policy.
Federated Identity in the Global Landscape. Presenter’s Name Topics Federated identity basics International deployments and issues National, local and.
InCommon® for Collaboration Institute for Computer Policy and Law May 2005 Renee Shuey Penn State Andrea Beesing Cornell David Wasley Internet 2.
Growth. Interfederation PKI is globally scalable Unfortunately, its not locally deployable… Federation is locally deployable Can it.
InCommon Update FedEd Meeting June 16, 2004 Carrie Regenstein.
InCommon Federation: Federating Relationships. Topics Administration Library Research Student Services Personal and Collaborative Applications Federal.
Shibboleth Roadmap
New CyberInfrastructure for Collaboration between Higher Ed and NIH
Topics The simple life The Simple Life GUI The full IdM life
Context, Gaps and Challenges
Updates on Shib, a bit of InCommon and International Federations
Shibboleth: Status and Pilots
Presentation transcript:

InCommon, other federations, the attribute ecosystem, and some killer apps needing guns…

Publisher’s Note The author of this presentation warns us “that the shelf life of the content has expired. … the problem with a rapidly moving area.”

Topics International Federations State system federations, medical federations, and others InCommon Peering, confederation, nested and other relationships The rest of the attribute economy Some killer apps Grad student admissions Authenticated letters of recommendation

International Federations Widespread in Europe (over 15 countries), emergent in Australia, nascent in Asia. The UK federation ( already has over five million active users and intends to grow to all of higher ed, K-12 and further education. Used for academic content access, research support, national level services, etc Clear needs for peering; some need for confederation or dynamic relationships.

Public sector federations cio.com/story.php?id= State-based among health agencies (NY), presenting a SSO to citizens (Washington), etc. GSA EAuthentication State university federations - Texas, California, Maryland, etc InCommon

US R&E Federation Members join a 501(c)3 Addresses legal, LOA, shared attributes, business proposition, etc issues Approximately 50 members and growing A low percentage of national Shib use…

InCommon Members 2/27/07 Case Western Reserve University Clemson University Cornell University Dartmouth Duke University Florida State University Georgetown University Miami University New York University Ohio University Penn State Stanford University Stony Brook University SUNY Buffalo The Ohio State University The University of Chicago University of Alabama at Birmingham University of California, Irvine University of California, Los Angeles University of California, Merced University of California, Office of the President University of California, Riverside University of California, San Diego University of Maryland University of Maryland Baltimore County University of Maryland, Baltimore University of Rochester University of Southern California University of Virginia University of Washington University of Wisconsin - Madison Cdigix EBSCO Publishing Elsevier ScienceDirect Houston Academy of Medicine - Texas Medical Center Library Internet2 JSTOR Napster, LLC OCLC OhioLink - The Ohio Library & Information Network ProtectNetwork Symplicity Corporation Thomson Learning, Inc. Turnitin WebAssign

Key aspects of InCommon Federating software Shib 1.2+ (other possibilities in the future) Shared attributes and schema eduPerson right now Levels of authentication POP (participant operational practices) InCommon Bronze and Silver will map to LOA 1 & 2 Management Steering committee of members IT executives Operations staffed by Internet2

Shibboleth Shib 1.3 widely deployed; 1.2 still common Along the way, other capabilities added: ADFS compatibility for WS-Fed, (MS $) Eauthentication certification (with waiver form:)) Shib 2.0 completes the SAML+Shib integration More compatible with COTS SAML 2.0 products than they are with each other A Shib/SAML to TCP/IP analogy isn’t bad; Shib adds multi-party federation support through metadata, ARPS, etc. Also eases support for n-tier, non-web and other capabilities Alpha in April

The Shibboleth 2.0 Sidebar Support for the attribute ecosystem attribute handling, including policy, in both SP and IdP designed to be reusable for other protocols (eg CardSpace) sets stage for further work on multiple attribute sources, reputation management, etc. All Java SP (in addition to current Java/Apache), easing integration for some applications Trust management PKI still seems too hard, even at the simpler enterprise level Supports a broad set of trust choices – CA’s, certs, plain keys, managing site metadata (naming, acquisition, validating) A product of years of painful experience

InCommon Management/Governance Steering Committee of campus/vendor CIO’s and policy people – sets policies for membership, business model, etc. Technical advisory committee - Sets common member standards for attributes (eduPerson 2.0), identity management good practices, etc.

InCommon Uses Access control to content Popular content – Ruckus, CDigix, etc Scholarly content – Google, OCLC WorldCat Downloads – Microsoft Access to external services Student travel, charitable giving, web learning and testing, plagiarism testing service, etc. Allure for alumni services and other internal businesses Student loans, student testing, graduate school admissions, etc. Access to national services The National Science Digital Library The Teragrid pilot

Challenges in the US Addressing the risks in federated identity Too many lawyers Too few business drivers No bulk content licensing Few “national” applications No government access yet Number of “big dog” institutions For many institutions, the focus is in state versus national for applications Bi-lateral relationships exist more than national relationships Single-purpose federations can leverage existing contracts. Not all institutions really have their identity management technologies fully in place Very few have their identity management policies in place.

Inter-federation key issues Peering, peering, peering At what size of the globe? Confederation Tightly coupled autonomous federations How do vertical sectors relate? How to relate to a government federation? On what policy issues to peer and how? Legal framework Treaties? Indemnification? Adjudication How to technically implement Wide variety of scale issues WAYF functionality Virtual organization support

Peering

Possible peering parameters LOA Attribute mapping Economics Liability Privacy

VOs plumbed to federations

The Attribute Ecosystem We now understand, we think, an overall “attribute ecosystem” Shibboleth is the real-time transport of attributes from an IdP to an SP for an authorization decision Other, “compile-time” means are used to ship attributes from sources of authority to IdP Or to the SP, or to the various middlemen (portals, proxies, etc.) And a user needs to be manage all of this

User Application access controls (including network devices) IdP Shib p2p

User Application access controls (including network devices) IdP Shib p2p Source of Authority Source of Authority Source of Authority Authn Autograph A Simple Life GUI

User Application access controls (including network devices) IdP Shib p2p Source of Authority Source of Authority Source of Authority A Full IdM Life Local apps

Relative Roles of Signet & Grouper Grouper Signet RBAC (role-based access control) model Users are placed into groups (aka “roles”) Privileges are assigned to groups Groups can be arranged into hierarchies to effectively bestow privileges Grouper manages, well, groups Signet manages privileges Separates responsibilities for groups & privileges

User Application access controls (including network devices) Shib p2p Source of Authority Source of Authority Source of Authority Authn Autograph A Full Life GUI Signet/ Grouper IdP Local apps

User Application access controls (including network devices) IdP Shib p2p Source of Authority Source of Authority Source of Authority Portal Gateway Proxy Source of Authority Source of Authority Source of Authority Source of Authority Source of Authority Real Life

User Application access controls (including network devices) IdP Shib p2p Source of Authority Source of Authority Source of Authority VO Service Center Gateway Source of Authority Source of Authority Source of Authority IdP

Killer Apps Graduate school admissions Group, including UW, Cornell, and UWisc, starting conversations on “student process improvement via authn/federation” Current approaches to letters of reference has significant exposure Student viewing of grad application status is classis “yet another account/password” Federal apps, from Fastlane to NIH to the Dept of Ed

Killer apps Outsourced services Scholarly services - TurnItIn, WebAssign Trust model for SPEEDE? Benefits Dorm room matching, travel Alumni Professional societies for their peer review, content access, etc.

Opportunities for action The application of federated identity to improve student processing, etc… Beginning to wade upstream within institutional SOA to distill good practices

Feedback: Privacy Policy Feedback
Do Not Sell My Personal Information
About project: SlidePlayer Terms of Service

© 2025 SlidePlayer.com. Inc. All rights reserved.