1 InCommon Identity & Access Management Federation John Krienke Operations Manager, InCommon Assistant Director, Internet2
2 The Partnership Challenge
Higher education’s staff, students, and faculty are no longer located exclusively on campus
Research and missions are increasingly complex, globally interdependent, and online
Security and protection of personal identity information is paramount and increasingly regulated (FERPA, HIPAA, Gramm-Leach-Bliley, SOX, etc.)
Business processes and applications are increasingly outsourced and/or distributed
–Digital collections and data
–Course materials and management
–Financial management
–Remote instrumentation
–Computational resources such as Grids
–Music, Software
–Travel resources
–Government resources
3 The Partnership Solution
Develop solutions that efficiently use existing information infrastructures securely and safely
Reduce the time and resources spent on all the “one off” requirements for each partner and streamline interoperation with each partner
Reduce help desk calls and the number of user accounts to provision throughout our many partnerships
Maximize the control, security, and privacy of personally identifiable, sensitive information
Make online services richer, easier to use, and safer for students, faculty, and staff
This is what I/A/M federations do
4 Identity & Access Management Federations A definition of Federation: A collaboration of independent entities that give up a certain degree of autonomy to a central authority in pursuit of a common set of goals. Central Authority: Federations set common policies, interoperability criteria (vocabulary for exchanges, technology), and provide central services to establish and maintain trust (registration, authoritative metadata and certificates, dispute resolution) Common Set of Goals: Federations enable secure, trustworthy, scalable online partnerships
5 Examples of the Federation Spectrum (each pair lists the two ends of the spectrum)
Homogeneous (vanilla) / Heterogeneous (rocky road)
Centralized / Independent
Conscription / Subscription
Requirements / Expectations
Suggestions / Declarations
High Cost / Low Cost
eAuth (US) / InCommon
6 Federating Software “When is a duet an orchestra?” Not all federated software supports multi-party federated collaboration. National Arts Centre Orchestra Gala 2007 CBC Radio
7 Service IDs: the Challenging Way
(figure: the user holds a separate identity at every service)
Home org, Circle University: Dr. Joe Oval, Psych Prof., SSN, Password #1
Grant Admin Service, ID #2 (Joval): Dr. Joe Oval, Psych Prof., SSN, Password #2
Grading Service, ID #3 (Jo456): Dr. Joe Oval, Psych Prof., Password #3
Music Service, ID #4 (j.o.123): Joe Oval, Psych Prof., DOB 4/4/1955, Password #4
Each service keeps its own copy of the user’s personal data and needs its own IT patch (IT patch 1, 2, 3)
8 The Federated Way
(figure: the home org, Circle University, holds Dr. Joe Oval, Psych Prof., SSN, Password #1; the services receive an Anonymous ID#)
1. Single Sign On
2. Services no longer manage user accounts & personal data stores
3. Reduced Help Desk load
4. Standards-based Technology
5. Home Org controls privacy
9 Role of the Federation
(figure: Circle University, holding Dr. Joe Oval, Psych Prof., SSN, Password #1 and a Circle University ID #, exchanges the attributes Affiliation, EPPN, Given/SurName, Title with the services; each party is Verified By the Federation)
1. Agreed upon Attribute Vocabulary & Definitions: Member of, Role, Unique Identifier, Courses, …
2. Criteria for IdM practices (user accounts, credentialing, etc.), personal information stewardship, interoperability standards, technologies
3. Digital Certificates
4. Trusted “notary” for all universities and partners
10 Federation Metadata
(figure: the same federated exchange as the previous slide, each party Verified By the Federation)
federation metadata:
University A – IdP: name, key, url, contacts, etc.; SP1: name, key, url, contacts, etc.; SP2: name, key, url, contacts, etc.
University B – IdP: name, key, url, contacts, etc.; SP1: name, key, url, contacts, etc.
University C – IdP: name, key, url, contacts, etc.
Partner 1 – SP1: name, key, url, contacts, etc.
Partner 2 – SP1: name, key, url, contacts, etc.; SP2: name, key, url, contacts, etc.
Partner 3 – …
bronze LoA, silver LoA: future
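The metadata aggregate on this slide is what each participant’s federating software consumes to decide whom to trust. The Python below is an added illustration, not InCommon’s own code or data: it parses a constructed SAML 2.0 metadata aggregate of the shape the slide describes (per entity: name, key, URL, contacts) and shows the two checks an IdP or SP should make against it before talking to a partner: verify signatures only with the signing certificates the federation published for that entity, and send redirects or assertions only to endpoints registered for that entity. The entityIDs, URLs, contact addresses and certificate strings are placeholders.

```python
import xml.etree.ElementTree as ET

NS = {
    "md": "urn:oasis:names:tc:SAML:2.0:metadata",
    "ds": "http://www.w3.org/2000/09/xmldsig#",
}

# Constructed sample aggregate (not real InCommon metadata): one university IdP and
# one partner SP. entityIDs, URLs, contacts and certificate payloads are placeholders.
SAMPLE_METADATA = """<?xml version="1.0"?>
<md:EntitiesDescriptor xmlns:md="urn:oasis:names:tc:SAML:2.0:metadata"
    xmlns:ds="http://www.w3.org/2000/09/xmldsig#" Name="urn:example:federation">
  <md:EntityDescriptor entityID="https://idp.university-a.example/idp/shibboleth">
    <md:IDPSSODescriptor protocolSupportEnumeration="urn:oasis:names:tc:SAML:2.0:protocol">
      <md:KeyDescriptor use="signing">
        <ds:KeyInfo><ds:X509Data><ds:X509Certificate>MIIC...IDP-A-CERT-PLACEHOLDER</ds:X509Certificate></ds:X509Data></ds:KeyInfo>
      </md:KeyDescriptor>
      <md:SingleSignOnService Binding="urn:oasis:names:tc:SAML:2.0:bindings:HTTP-Redirect"
          Location="https://idp.university-a.example/idp/profile/SAML2/Redirect/SSO"/>
    </md:IDPSSODescriptor>
    <md:ContactPerson contactType="technical"><md:EmailAddress>mailto:idp-admin@university-a.example</md:EmailAddress></md:ContactPerson>
  </md:EntityDescriptor>
  <md:EntityDescriptor entityID="https://sp.partner-1.example/shibboleth">
    <md:SPSSODescriptor protocolSupportEnumeration="urn:oasis:names:tc:SAML:2.0:protocol">
      <md:KeyDescriptor use="encryption">
        <ds:KeyInfo><ds:X509Data><ds:X509Certificate>MIIC...SP-1-CERT-PLACEHOLDER</ds:X509Certificate></ds:X509Data></ds:KeyInfo>
      </md:KeyDescriptor>
      <md:AssertionConsumerService index="1"
          Binding="urn:oasis:names:tc:SAML:2.0:bindings:HTTP-POST"
          Location="https://sp.partner-1.example/Shibboleth.sso/SAML2/POST"/>
    </md:SPSSODescriptor>
    <md:ContactPerson contactType="technical"><md:EmailAddress>mailto:sp-admin@partner-1.example</md:EmailAddress></md:ContactPerson>
  </md:EntityDescriptor>
</md:EntitiesDescriptor>
"""


def parse_federation_metadata(xml_text):
    """Return {entityID: {"roles", "certs", "endpoints", "contacts"}} from a metadata aggregate."""
    root = ET.fromstring(xml_text)
    entities = {}
    for ent in root.iter("{%s}EntityDescriptor" % NS["md"]):
        info = {"roles": set(), "certs": {}, "endpoints": set(), "contacts": []}
        for role_tag, role in (("IDPSSODescriptor", "IdP"), ("SPSSODescriptor", "SP")):
            for role_el in ent.findall("md:" + role_tag, NS):
                info["roles"].add(role)
                for kd in role_el.findall("md:KeyDescriptor", NS):
                    # A KeyDescriptor without a "use" attribute is valid for both purposes.
                    use = kd.get("use", "both")
                    for cert in kd.findall(".//ds:X509Certificate", NS):
                        info["certs"].setdefault(use, []).append("".join(cert.text.split()))
                for child in role_el:  # SSO / ACS endpoints carry a Location attribute
                    loc = child.get("Location")
                    if loc:
                        info["endpoints"].add(loc)
        for addr in ent.findall("md:ContactPerson/md:EmailAddress", NS):
            info["contacts"].append(addr.text)
        entities[ent.get("entityID")] = info
    return entities


def signing_certs(entities, entity_id):
    """Certificates a partner may use to verify signatures from entity_id (use=signing or unspecified)."""
    certs = entities.get(entity_id, {}).get("certs", {})
    return certs.get("signing", []) + certs.get("both", [])


def is_registered_endpoint(entities, entity_id, url):
    """True only if the federation published this URL for this entity; anything else must be refused."""
    return url in entities.get(entity_id, {}).get("endpoints", set())


if __name__ == "__main__":
    ents = parse_federation_metadata(SAMPLE_METADATA)
    for eid, info in ents.items():
        print(eid, sorted(info["roles"]), sorted(info["endpoints"]), info["contacts"])
```

In a real deployment the aggregate itself is signed by the federation operator and that signature must be verified before any of these lookups are trusted; the parser above assumes that step has already been done.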
11 User Experience Flows
First visit the SP, then the Federation WAYF (“Where Are You From” home organization discovery page)
–Wireless (UT System) [screencast]
First visit the SP’s own customized WAYF
–ScienceDirect
–Spaces.internet2.edu Wikis
–OhioLINK
First visit the IdP
–Penn State & WebAssign [screencast]
12 User Experience Flows
Multiple IdPs and SPs in Action: [screencast]
Authentication vs. Authorization
Federation WAYF
Single Sign On to multiple services
Anonymous Identifiers
Clearing Sessions
IdP to SP without a WAYF
13 The Value of InCommon: Broad Strokes
Identity Providers (Home Institutions) control user accounts and the release (and spillage) of personal information
Online services focus on their online resources and not on user account provisioning
Users have easy, private, global access
Partners have finely-tunable access controls and can quickly and securely deploy new collaborations and service relationships
14 The Value of InCommon: Detail
Governance by a Representative Steering Committee establishes:
–Criteria for participation
–Policy and shared direction
–Services meet business needs with appropriate security levels and legal requirements
–Scalable operational standards and practices
Legal Agreement
–Official Organizational Designees, Establishment of Trust, Conflict and Dispute Resolution, Basic Protections & Responsibilities
Trust “Notary”
–InCommon verifies the identity of Organizations and their delegated Officers
Trusted Metadata
–InCommon verifies & aggregates location and security data for each participant’s servers, systems, and support contacts
Certificate Authority
–InCommon issues server certificates to Participants for secure communications
Standards for Policies and Practices
–How high is the bar? Right now, each Participant decides. Participants self-declare their practices to other Participants. Coming soon: Optional Bronze and Silver Levels of Assurance (Audit Criteria)
Technical Interoperability (Technical Advisory Committee)
–InCommon defines shared attributes, standards (SAML), federating software (Shibboleth+)
15 InCommon Governance
(figure: Internet2 as Federation Operator; Technical Advisory Committee; Nominations Committee; InCommon LLC Steering Committee, Representing Higher Ed & its Partners; the connecting arrows are labelled Direction, Candidate Approvals, and Advice)
16 Growth
17 78 Current InCommon Participants
Higher Education (54): Case Western Reserve University; Clemson University; Cornell University; Dartmouth; Duke University; Florida State University; Georgetown University; Johns Hopkins University; Indiana University; Miami University; Michigan State University; New York University; Northwestern University; Ohio State University; Ohio University; Penn State University; Stanford University; Stony Brook University; SUNY Buffalo; Texas A & M University; University of Alabama at Birmingham; University of California, Davis; University of California, Irvine; University of California, Los Angeles; University of California, Merced; University of California, Office of the President; University of California, Riverside; University of California, San Diego; University of Chicago; University of Maryland; University of Maryland Baltimore County; University of Maryland, Baltimore; University of Rochester; University of Southern California; University of Virginia; University of Washington; University of Wisconsin – Madison; …
Sponsored Partners (21): Apple – iTunes U; Cdigix; Cengage Learning (formerly Thomson Learning); EBSCO Publishing; Elsevier ScienceDirect; Houston Academy of Medicine – Texas Medical Center Library; Internet2; JSTOR; Microsoft; NAS Recruitment Communications; Nelnet – Next Generation Division; OCLC; OhioLink – The Ohio Library & Information Network; ProtectNetwork; RefWorks, LLC; Students Only, Inc.; SumTotal Systems; Symplicity Corporation; Turnitin; University Tickets; WebAssign
Gov. and Nonprofit Labs, Research Centers, and Agencies (3): National Institutes of Health; Lawrence Berkeley National Laboratory; Moss Landing Marine Laboratories
NEXT
Libraries & their partners
Student Services (Registrars, Financial Aid officers, others)
U.S. Agencies:
–NIH (Libraries, Grants Administration, …)
–NSF (FastLane, …)
–Dept. of Education (Student Financial Aid, …)
Federations on top of the InCommon Federation:
–University Systems
–State & Regional Systems
–Coalitions organized around Networks, Grids, others…
18 Join or Create? Or Both? University of California System creates UCTrust within InCommon David Walker, UCOP Interoperability: UC's solution had to fit seamlessly into higher education's broader solution Not reinventing the wheel: policy, criteria, operations Not inventing new wheels: how will multiple federations interoperate?
19 Joining
Management Process
1. Eligibility: Higher Ed (accreditation) and Sponsored Partners (sponsors)
2. Agreement: InCommon Participation Agreement [PDF]
–Delegating your trusted Executive
–Signed by an authorized representative of the organization
3. Pay Fees ($700 registration, $1,000 annual)
4. Federation I.D. Proofing of Executive, appointment of Admin
5. Privacy and Security Policies and Processes articulated, documented, and posted (Participant Operational Practices)
Technical Process
1. Official Organization Directory (Identity Management system)
2. Web Single Sign On (SSO)
3. Common Language: EduPerson schema
4. Federating Software: Shibboleth IdP and/or SPs
5. Federation I.D. Proofing of Admin
6. Submit Metadata, Certificate Signing Request, and POP URL
7. Install Certificate
8. Test with Partners and Attribute Release Policies
9. Deploy
10. Repeat steps 8 & 9
20 InCommon Benefit
“Federation enables communities to share information about individuals’ identity, reducing the overall work required to maintain connections and reducing the friction in cross-community interactions.”
–Burton Group, Federating a Distributed World: Asserting Next-Generation Identity Standards
21 InCommon Benefit
“To meet the increasing campus demand for using external applications and online resources, we developed and implemented solutions that efficiently use our existing information infrastructures securely and safely in such a way that we maintain control over the release of personal information for people at Penn State. InCommon is a vitally important part of this infrastructure and helps put us in a position to provide a richer, easier to use, safer online experience for Penn State students, faculty, and staff.”
–Kevin Morooney, vice provost, Penn State University
Scalability: Leverage your investments and your “next times”
22 Questions?
23 Shibboleth Attribute-Based Authorization
(figure, © Switch: User; Resource Provider Website with ACS, AR and Resource Manager; WAYF; Identity Provider with HS, User DB and AA; steps numbered as in the figure)
1. The user initiates a request for the Resource
2. Resource Provider (ACS): “I don’t know you or your home organization. I redirect your request to the InCommon WAYF”
3. WAYF: “Where are you from?”
4. WAYF: “OK, I will now redirect your request to your home org.”
5. Identity Provider (HS): “I don’t know you. Please authenticate using your Web login”
6. User DB: ID+Password
7. HS: “OK, I know you now. I redirect your request to the Resource, along with a handle”
8. ACS (Handle → AR): “I don’t know the attributes of this user. Let’s ask the Attribute Authority”
9. AA (Handle in, Attributes out): “I trust you. I’ll pass the attributes the user has allowed me to release”
10. Resource Manager: “OK, based on the attributes, I grant access to the resource”
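To make the ten-step exchange concrete, here is an added Python simulation (not Shibboleth’s code and not from the slides) that collapses the browser redirects into direct calls but keeps the roles: the WAYF lookup, the Handle Service checking the web login and issuing an opaque, short-lived handle bound to the requesting SP, the Attribute Authority releasing only the attributes the home organization’s release policy allows for that SP, and the Resource Manager deciding on eduPersonAffiliation. It also shows the “Home Org controls privacy” and “Anonymous Identifiers” points from the earlier slides: the SSN stays in the home org’s user store and never appears in any release policy, and the music service receives affiliation only. The user record, organization names, SP entityIDs and release policy are constructed placeholders; attribute names follow the eduPerson schema named on the joining slide.

```python
import secrets
import time

# Constructed sample user store (placeholder data, not a real directory).
USER_DB = {
    "joval": {
        "password": "correct-horse",      # demo only; a real IdP stores a password hash
        "attributes": {
            "eduPersonPrincipalName": "joval@circle.example",
            "eduPersonAffiliation": ["faculty", "member"],
            "givenName": "Joe",
            "sn": "Oval",
            "title": "Psych Prof.",
            "ssn": "000-00-0000",         # stays at the home org; never listed in a release policy
        },
    }
}

# Attribute release policy, set by the home organization per relying party (constructed).
RELEASE_POLICY = {
    "https://grading.partner.example/sp": ["eduPersonPrincipalName", "eduPersonAffiliation", "givenName", "sn"],
    "https://music.partner.example/sp": ["eduPersonAffiliation"],   # anonymous access: affiliation only
}

# Step 3-4: the WAYF maps a home organization name to its IdP entityID (constructed).
WAYF = {"Circle University": "https://idp.circle.example/idp"}


class IdentityProvider:
    """Handle Service (HS) plus Attribute Authority (AA) of one home organization."""

    def __init__(self, entity_id, users, policy, handle_ttl=300):
        self.entity_id, self.users, self.policy = entity_id, users, policy
        self.handle_ttl = handle_ttl
        self._handles = {}   # handle -> (username, sp_entity_id, expiry)

    def authenticate(self, username, password, sp_entity_id):
        """Steps 5-7: verify the web login, then issue an opaque handle bound to the requesting SP."""
        user = self.users.get(username)
        if user is None or not secrets.compare_digest(user["password"], password):
            return None
        handle = secrets.token_urlsafe(16)   # random, carries no personal data
        self._handles[handle] = (username, sp_entity_id, time.monotonic() + self.handle_ttl)
        return handle

    def attributes_for(self, handle, sp_entity_id):
        """Step 9: release only what the policy allows for this SP. The handle is single-use, so a
        handle presented by the wrong SP or after expiry is consumed and yields nothing."""
        record = self._handles.pop(handle, None)
        if record is None:
            return None
        username, bound_sp, expiry = record
        if bound_sp != sp_entity_id or time.monotonic() > expiry:
            return None
        allowed = self.policy.get(sp_entity_id, [])
        return {k: v for k, v in self.users[username]["attributes"].items() if k in allowed}


class ServiceProvider:
    """Assertion Consumer Service (ACS), Attribute Requester (AR) and Resource Manager of one service."""

    def __init__(self, entity_id, idps, required_affiliations):
        self.entity_id, self.idps = entity_id, idps      # idps: entityID -> IdentityProvider
        self.required = set(required_affiliations)

    def access(self, home_org, username, password):
        """Steps 1-10 end to end; returns (access_granted, attributes_released_to_this_sp)."""
        idp_id = WAYF.get(home_org)                     # steps 2-4: discover the home org
        if idp_id is None or idp_id not in self.idps:  # unknown or untrusted IdP
            return False, {}
        idp = self.idps[idp_id]
        handle = idp.authenticate(username, password, self.entity_id)   # steps 5-7
        if handle is None:
            return False, {}
        attrs = idp.attributes_for(handle, self.entity_id)              # steps 8-9
        if attrs is None:
            return False, {}
        # Step 10: authorization is attribute-based; the SP never sees the password or the SSN.
        granted = bool(self.required & set(attrs.get("eduPersonAffiliation", [])))
        return granted, attrs


if __name__ == "__main__":
    idp = IdentityProvider("https://idp.circle.example/idp", USER_DB, RELEASE_POLICY)
    grading = ServiceProvider("https://grading.partner.example/sp", {idp.entity_id: idp}, ["faculty"])
    print(grading.access("Circle University", "joval", "correct-horse"))
```

The SP only trusts IdPs it was configured with (in practice, those in the federation metadata), and the handle it redeems is bound to its own entityID, so a handle issued for one service cannot be redeemed by another.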