Federated ID Management Task Force DRAFT version 1 November 6, 2009 Executive Summary of NCTrust Federated ID Management.

11/06/09 Motivation
Many NC institutions desire access to protected web-based services across organizational boundaries:
 17 UNC system institutions
 115 LEAs, 2,500+ K-12 schools
 58 community colleges
 36 independent colleges / universities
 Plus many other government / educational / commercial organizations
The desire is for access to be efficient, cost effective, quick, secure, and user-friendly.
Federated ID Management technologies enable such access.

Example - NCLive
NCLive provides access to eJournals, etc. for libraries, higher-ed and increasingly K-12.
Want ease of resource accessibility, yet must adhere to the licenses of the various products being distributed, e.g. certain content might be allowed only for:
 Students
 K-20 staff
 Chemistry teachers
 etc.

Example - VCL
NCSU's Virtual Computing Lab (VCL) is a web service that allows reservation of a computer with a desired set of applications, then remote access over the Internet.
You can use applications such as Matlab, Maple, SAS, Solidworks, and many others. Linux, Solaris and numerous Windows environments are available.
Due to licensing and resource limitations, access must be limited to certain user communities.

Example – Confluence
Confluence is a web-based wiki service that fosters collaboration among multiple institutions.
Federated ID Management technologies can relieve the Confluence host institution of in-house management of accounts for outside users (saves time => $).
Each home institution would manage its *own* accounts.

Benefits of Federated ID
Prevents system administrators from having to add yet-another account (saves time and $)
Enables easier scaling of web-based applications to include multiple additional users/organizations (efficiency, scalability, saves time and $)
Prevents users from having to know yet-another password (security)
Avoids stale logins: when a user leaves the home institution, access ends there rather than lingering as an orphaned account at each service (security)
Confidence that users are who they say they are, with up-to-date accuracy (security)
Home institutions reliably manage their own user accounts (security)

NCTrust Federation Pilot
MCNC and partners have convened the NCTrust Pilot.
We've created a Federation to test web resource sharing among several K-20 organizations within NC.
 Adding K-12 into the mix is a unique aspect
NCTrust utilizes the national InCommon Federation infrastructure.
 Provides a trust mechanism allowing each organization to certify its operational practices
We've proven the technology and gained experience.
[Diagram of pilot participants: NC DPI, North Carolina Learning Object Repository, ? (tbd); UNC-GA is a "Friend of NCTrust"]

Demo
 Access the NCLive site
 Logging in from MCNC: can't get authorized, since MCNC is not licensed
 Log onto NCLive from a licensed institution: can see all the content
 Log onto NCLive as a K12 user: can see only SOME of the content (the Media collection, which is licensed to K12 members)

Key Takeaways
We believe Federated ID Management can enable more effective resource sharing among and beyond the North Carolina community:
 Secure
 Efficient
 Scalable
 Accessible
 Saves $
 Not to mention it's a GREEN technology
Need to decide on the best model of NC-wide federation to meet the needs of the K-20 community moving forward
 Funding, operations, governance, etc.

Thank You
Also thanks to the many Federated ID Task Force members from throughout the NCREN community who are participating with us in the NCTrust pilot project.
Finally thanks to a "Friend of NCTrust", Steven Hopper from UNC-GA.
Questions?

Rest of Slides are on Back Burner

Outline
Motivation
Example Services
Benefits
Underlying Technology
NCTrust Federation Pilot
Demo

ATM machines - An Early Example of Federated ID Management
Thousands of banks - Federated
Millions of users (bank customers)
User login (ATM card) and password (PIN) maintained by the user's home institution (Bank)
Other institutions give service ($) access to remote users, based on trusting the login and password maintained by the home institution
Today we're doing something similar, only we're providing Web-based services rather than $

Other Examples
How about a service to enable cross-institutional course registration for access to distance learning from a different university in the UNC system?
How about a service for elementary school kids to access privately licensed PBS, CSPAN, and Discovery Learning video content through the internet?
Federated ID Management technologies can facilitate resource utilization among and beyond the NC community by enabling these and other web-based services much more efficiently, saving $ for community members.

Underlying Technology: Shibboleth
Shibboleth is open source software for web single sign-on across or within organizational boundaries.
Allows informed authorization decisions for protected web service access in a privacy-preserving manner.
Uses Security Assertion Markup Language (SAML) to provide a federated single sign-on and attribute exchange framework.
Provides extended privacy functionality allowing the browser user and their home site to control the attributes released to each application.

Obligatory Geek Diagram - Simplified (the only one, we promise!)
[Diagram: LDAP Server -> Shibboleth Identity Provider (IdP) <-> browser <-> Shibboleth Service Provider (SP) -> protected web app]
Shibboleth Identity Provider (IdP): the IdP is a J2EE app, backed by an LDAP Server
Shibboleth Service Provider (SP): the shibd daemon maintains state; mod_shib gets attributes from shibd and protects web apps. Access to the protected service (web app) is controlled by the shib gatekeeper.
1. Student is at Starbucks
2. IdP is at his school
3. Protected Web Service is at a university
4. IdP/SP communication via SAML attributes exchanged through the browser session
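The diagram above and the Demo slide leave out the two checks that make the flow safe: the IdP releases only the attributes each SP needs, and the SP refuses scoped values (user@scope) for scopes the issuing IdP is not registered for, so one federation member cannot assert another member's users. The toy model below, added for this page and not Shibboleth project code, builds an unsigned SAML 2.0 attribute statement on the IdP side, parses and scope-checks it on the SP side, and reproduces the three NCLive outcomes from the Demo slide plus a spoofing attempt. Every entity ID, scope, user record, release policy and license table in it is constructed; in a real deployment the release policy lives in the IdP's attribute-filter.xml, the permitted scopes come from <shibmd:Scope> in federation metadata, and the assertion is signed.

```python
"""Toy IdP -> browser -> SP attribute flow with release policy and scope check.
Added example; all identifiers below are constructed, not real NCTrust data."""
import xml.etree.ElementTree as ET

SAML_NS = "urn:oasis:names:tc:SAML:2.0:assertion"


def q(tag):
    """Namespace-qualify a SAML 2.0 assertion element name."""
    return "{%s}%s" % (SAML_NS, tag)


# ---- IdP side: privacy-preserving attribute release ----------------------
# Per-SP release policy (constructed): each service gets only what it needs.
RELEASE_POLICY = {
    "https://nclive.example.org/shibboleth": {"eduPersonScopedAffiliation"},
    "https://confluence.example.org/shibboleth": {
        "eduPersonPrincipalName", "mail", "displayName"},
}


def release_attributes(sp_entity_id, user_record):
    """Filter the user's directory record down to what this SP may receive.
    An SP with no policy entry gets nothing (default deny)."""
    allowed = RELEASE_POLICY.get(sp_entity_id, set())
    return {n: v for n, v in user_record.items() if n in allowed}


def build_assertion(idp_entity_id, attrs):
    """Serialise released attributes as a SAML 2.0 Assertion/AttributeStatement
    (unsigned here; a real IdP signs it and the SP verifies the signature)."""
    assertion = ET.Element(q("Assertion"))
    ET.SubElement(assertion, q("Issuer")).text = idp_entity_id
    stmt = ET.SubElement(assertion, q("AttributeStatement"))
    for name, vals in attrs.items():
        attr = ET.SubElement(stmt, q("Attribute"), Name=name)
        for v in vals:
            ET.SubElement(attr, q("AttributeValue")).text = v
    return ET.tostring(assertion, encoding="unicode")


# ---- SP side: scope validation and authorization -------------------------
# Federation metadata excerpt (constructed): scopes each IdP may assert.
IDP_SCOPES = {
    "https://idp.mcnc.example.org/idp": {"mcnc.example.org"},
    "https://idp.ncsu.example.edu/idp": {"ncsu.example.edu"},
    "https://idp.k12.example.nc.us/idp": {"k12.example.nc.us"},
}
SCOPED_ATTRIBUTES = {"eduPersonScopedAffiliation", "eduPersonPrincipalName"}

# NCLive license table (constructed): collection -> scopes licensed for it.
LICENSES = {
    "eJournals": {"ncsu.example.edu"},
    "Media": {"ncsu.example.edu", "k12.example.nc.us"},
}
LICENSED_AFFILIATIONS = {"member", "student", "faculty", "staff", "employee"}


def parse_assertion(xml_text):
    """Return (issuer, attributes). Scoped values whose scope the issuer is not
    registered for are dropped, so one member cannot assert another's users."""
    root = ET.fromstring(xml_text)
    issuer = root.findtext(q("Issuer"))
    permitted = IDP_SCOPES.get(issuer, set())
    attrs = {}
    for attr in root.iter(q("Attribute")):
        vals = [v.text or "" for v in attr.findall(q("AttributeValue"))]
        if attr.get("Name") in SCOPED_ATTRIBUTES:
            vals = [v for v in vals
                    if "@" in v and v.rsplit("@", 1)[1] in permitted]
        if vals:
            attrs[attr.get("Name")] = vals
    return issuer, attrs


def authorized_collections(attrs):
    """Collections a session may see, from its validated scoped affiliations."""
    scopes = set()
    for v in attrs.get("eduPersonScopedAffiliation", []):
        if "@" not in v:
            continue
        affiliation, scope = v.rsplit("@", 1)
        if affiliation in LICENSED_AFFILIATIONS:
            scopes.add(scope)
    return {c for c, licensed in LICENSES.items() if scopes & licensed}


def nclive_session(idp_entity_id, user_record):
    """End-to-end: IdP releases, assertion travels via the browser, SP decides."""
    sp = "https://nclive.example.org/shibboleth"
    xml_text = build_assertion(idp_entity_id, release_attributes(sp, user_record))
    _, attrs = parse_assertion(xml_text)
    return authorized_collections(attrs)


if __name__ == "__main__":
    # The three Demo outcomes, plus a spoof the scope check stops.
    mcnc = {"eduPersonScopedAffiliation": ["staff@mcnc.example.org"]}
    ncsu = {"eduPersonScopedAffiliation": ["student@ncsu.example.edu"]}
    k12 = {"eduPersonScopedAffiliation": ["student@k12.example.nc.us"]}
    print(nclive_session("https://idp.mcnc.example.org/idp", mcnc))  # set()
    print(nclive_session("https://idp.ncsu.example.edu/idp", ncsu))  # both
    print(nclive_session("https://idp.k12.example.nc.us/idp", k12))   # Media
    print(nclive_session("https://idp.k12.example.nc.us/idp", ncsu))  # set()
```

The last call is the one worth noticing: the K12 IdP asserts an ncsu scope it does not own, the SP discards the value, and the user gets nothing rather than eJournals access. Without that metadata-driven scope check, every IdP in the federation could grant its users any other member's licenses.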

Shibboleth Training Workshops
1.5 day workshops were hosted by MCNC in October 2008 and February 2009.
Instructors: Shilen Patel and Rob Carter (Duke), Gonz Guzman (MCNC)
Approximately 45 participants total
There's an excellent video archive of the workshop, thanks to Bryon Coltrane and Chad Pritchard.

MOU and InCommon Paperwork in Various Stages of Completion...
First demos starting now!
Paperwork is MUCH harder / slower than technical work! (though the technical parts are certainly not trivial)

Future Steps
Recommendations on the best model of state-wide federation to meet the needs of the K-20 educational community in North Carolina
 To cover funding, operations, governance, etc.
Pilot runs through December

Thank You
Special thanks to MCNC's Gonz Guzman, Tom Throckmorton, Kambiz Aghaiepour, Neal Bullins, Carole Bruhn, Keith Venters, Chris Caswell, Bryon Coltrane, Chad Pritchard, and John Moore, who all helped this effort.
Also thanks to the many Federated ID Task Force members from throughout the NCREN community who are participating with us in the NCTrust pilot project.
Finally thanks to a "Friend of NCTrust", Steven Hopper from UNC-GA.
Questions?