Federations: InQueue to InCommon Renee Woodten Frost 19 April 2004.

Slides:



Advertisements
Similar presentations
Eduserv Athens Federations David Orrell Eduserv Athens Technical Architect.
Advertisements

Experiences with Massive PKI Deployment and Usage Daniel Kouřil, Michal Procházka Masaryk University & CESNET Security and Protection of Information 2009.
The Internet2 NET+ Services Program Jerry Grochow Interim Vice President CSG January, 2012.
Identity Federation Rules and Process Linda Elliott President, PingID Network Electronic Authentication Partnership Washington, DC February 12, 2004.
Certification Authority. Overview  Identifying CA Hierarchy Design Requirements  Common CA Hierarchy Designs  Documenting Legal Requirements  Analyzing.
Dr Ken Klingenstein Shibboleth and InCommon: An Update and Next Steps.
Update on federations, PKI, and federated PKI for US feds and higher eds Tom Barton University of Chicago.
DESIGNING A PUBLIC KEY INFRASTRUCTURE
David L. Wasley Information Resources & Communications Office of the President University of California Directories and PKI Basic Components of Middleware.
Shibb oleth: Building Tools for Inter-institutional Resource Sharing InCommon: A Shibboleth-based Research and Education Federation Renee Woodten Frost.
UCLA’s Shibboleth Plan Shibboleth is an integral part of UCLA’s Enterprise Directory & Identity Management Infrastructure (EDIMI) Project Integrate with.
Information Resources and Communications University of California, Office of the President UCTrust Implementation Experiences David Walker, UCOP Albert.
17 May 2004 Shibboleth: Federated Identity Management Renee Woodten Frost, Internet2 Middleware and Security.
Protecting Privacy; Gaining Access Renee Woodten Frost Cheryl Munn-Fremon Renee Woodten Frost Cheryl Munn-Fremon.
Shibboleth Update a.k.a. “shibble-ware”
1 11 th Fed/Ed PKI Meeting Some quick updates from recent HEPKI-TAG and SURA work Jim Jokl
InCommon Policy Conference April Uses  In order to encourage and facilitate legal music programs, a number of universities have contracted with.
1 Update on the InCommon Federation, Higher Education’s Community of Trust EDUCAUSE 2005 October 19 10:30am-11:20am.
Shibboleth Architecture and Requirements Shibboleth A New Approach to Web Based Access Control NERCOMP March 8, 2005.
Welcome to CAMP Identity Management Integration Workshop Ann West NMI-EDIT EDUCAUSE/Internet2.
Administering the Mesh/s of Trust: Old Whine in New Battles.
23 April 2004 Shibboleth: Federated Identity Management Renee Woodten Frost, Internet2 Middleware and Security.
Federated Administration: The Cutting Edge. Topics  Federations: The Basics Business drivers and the basic model Technical Considerations and the marketplace.
Dr Ken Klingenstein Shibboleth and InCommon: An Update and Next Steps.
Introduction to Secure Messaging The Open Group Messaging Forum April 30, 2003.
1 The Partnership Challenge Higher education’s missions are realized in increasingly global, collaborative, online relationships –Higher educations’ digital.
1 The InCommon Federation John Krienke Internet2 Spring Member Meeting Tuesday, April 25, 2006.
Internet2 – InCommon and Box Marla Meehl Colorado CIO 11/1/11.
InCommon as Infrastructure: How Recommended Practices and Federation Features Help Scale Federated Identity Management Michael R. Gettes, Carnegie Mellon.
1 The InCommon Federation, Higher Education’s Community of Trust: Why join and how to do it EDUCAUSE 2005 Pre-Conference Seminar October 18 8:30am-Noon.
Shibboleth & Federations Renee’ Shuey May 4, 2004 ITS – Emerging Technologies The Pennsylvania State Universtiy.
InCommon Update Internet2 Meeting April 20, 2004 Ken Klingenstein and Carrie Regenstein.
Stuff, including interfederation stuff Dr Ken Klingenstein, Director, Middleware and Security, Internet2.
23 April 2004 Shibboleth: Federated Identity Management Renee Woodten Frost, Internet2 Middleware and Security.
Digital Signatures A Brief Overview by Tim Sigmon April, 2001.
HEPKI-PAG Policy Activities Group David L. Wasley University of California.
NSF Middleware Initiative Renee Woodten Frost Assistant Director, Middleware Initiatives Internet2 NSF Middleware Initiative.
Shibboleth A Federated Approach to Authentication and Authorization Fed/Ed PKI Meeting June 16, 2004.
24 Jun 2004 Shibboleth: Building Tools for Inter-institutional Resource Sharing Renee Woodten Frost Internet2 Middleware and Security.
Internet2 Middleware Initiative. Discussion Outline  What is Middleware why is it important why is it hard  What are the major components of middleware.
Shibboleth Update Advanced CAMP 7/31/02 RL “Bob” Morgan, Washington Steven Carmody, Brown Scott Cantor, Ohio State Marlena Erdos, IBM/Tivoli Michael Gettes,
PKI Activities at Virginia September 2000 Jim Jokl
Shibboleth Authenticate Locally, Act Globally A Penn State Case Study Renee’ Shuey May 4, 2004 ITS – Emerging Technologies.
1 Protection and Security: Shibboleth. 2 Outline What is the problem Shibboleth is trying to solve? What are the key concepts? How does the Shibboleth.
Federated Identity Management: The Shibboleth Approach Renee Woodten Frost Internet2 Middleware and Security University of Michigan 22 March 2005.
INTRODUCTION: THE FIRST TRY InCommon eduGAIN Policy and Community Working Group.
Leveraging Campus Authentication for Grid Scalability Jim Jokl Marty Humphrey University of Virginia Internet2 Meeting April 2004.
University of Washington Identity and Access Management IEEAF – RENU Network Design Workshop Seattle - 29 Nov 2007 Lori Stevens, Director, Distributed.
Security fundamentals Topic 5 Using a Public Key Infrastructure.
Shibboleth Trust Model Shibboleth/SAML Communities (aka Federated Administrations) Club Shib Club Shib Application process Policy decision points at the.
Identity Management, Federating Identities, and Federations November 21, 2006 Kevin Morooney Jeff Kuhns Renee Shuey.
Origins: The Requirements of Participating in Federations CAMP Shibboleth June 29, 2004 Barry Ribbeck & David Wasley.
InCommon® for Collaboration Institute for Computer Policy and Law May 2005 Renee Shuey Penn State Andrea Beesing Cornell David Wasley Internet 2.
InCommon Update FedEd Meeting June 16, 2004 Carrie Regenstein.
Welcome to CAMP Directory Workshop Ken Klingenstein, Internet2 and University of Colorado-Boulder.
EGEE-II INFSO-RI Enabling Grids for E-sciencE EGEE and gLite are registered trademarks Interoperability Shibboleth - gLite Christoph.
The Policy Side of Federations Kenneth J. Klingenstein and David L. Wasley Tuesday, June 29, CAMP Shibboleth Implementation Workshop.
Interfederation: From Demo to Eternity RL “Bob” Morgan, University of Washington and Internet2 Internet2 Member Meeting, Chicago December, 2006.
INTRODUCTION TO IDENTITY FEDERATIONS Heather Flanagan, NSRC.
Shibb oleth: Building Tools for Inter-institutional Resource Sharing InCommon: A Shibboleth-based Research and Education Federation Renee Woodten Frost.
Shibboleth: Federated Identity Management
USHER U.S. Higher Education Root Certificate Authority
Introduction to Federations
Overview and Development Plans
Internet2 Middleware & Security/University of Michigan
Appropriate Access InCommon Identity Assurance Profiles
Shibboleth and Federations
Introduction to Federations
Internet2 Middleware & Security/University of Michigan
Administering the Mesh/s of Trust: Old Whine in New Battles
Presentation transcript:

Federations: InQueue to InCommon Renee Woodten Frost 19 April 2004

What are federations?  Associations of enterprises that come together to exchange information about their users and resources in order to enable collaborations and transactions  Built on the premise of: Initially “Authenticate locally, act globally” Now, “Enroll and authenticate and attribute locally, act federally.”  Uses federating software (e.g. Liberty Alliance, Shibboleth, WS-*) and common attributes (e.g. eduPerson)  Enterprises (and users) retain control over what attributes are released to a resource; the resources retain control (though they may delegate) over the authorization decision.  Several federations now in construction or deployment

InQueue  The “holding pond”  Is a persistent federation with “passing-through” membership…  Operational today. Can apply for membership via InQueue Federation guidelines  Requires eduPerson attributes  Operated by Internet2; open to almost anyone using Shibboleth in an R&E setting or not…  Fees and service profile to be established shortly: cost- recovery basis

InCommon federation  A permanent federation for the R&E US sector  Federation operations – Internet2  Federating software – Shibboleth 1.1 and above  Federation data schema - eduPerson or later and eduOrg or later  Becomes operational April 5, with several early entrants to help shape the policy issues.  Precursor federation, InQueue, has been in operation for about six months and will feed into InCommon 

InCommon Management  Operational services by Internet2 Member services Backroom (CA, WAYF service, etc.)  Governance Executive Committee - Carrie Regenstein - chair (Wisconsin), Jerry Campbell (USC), Lev Gonick (CWRU), Clair Goldsmith (Texas System), Mark Luker (EDUCAUSE),,Tracy Mitrano (Cornell), Susan Perry (Mellon), Mike Teetz (OCLC), David Yakimischak (JSTOR) Two Executive Committee working groups – Policy – Tracy Mitrano, Chair –Communications, Membership, Pricing and Packaging – Susan Perry, Chair Technical Advisory Group – Scott Cantor (OSU), Steven Carmody (Brown), Bob Morgan (Washington), Renee Shuey (PSU) Project manager – Renee Frost (Internet2)  Membership open to.edu and affiliated business partners (Elsevier, OCLC, Napster, Diebold, etc…)  Contractual and policy issues being defined now…  Likely to take 501(c)3 status

Trust in InCommon - initial  Members trust the federated operations to perform its activities well The operator (Internet2) posts its procedures, attempts to execute them faithfully, and makes no warranties Enterprises read the procedures and decide if they want to become members  Origins and targets trust each other bilaterally in out-of- band or no-band arrangements Origins trust targets dispose of attributes properly Targets trust origins to provide attributes accurately Risks and liabilities managed by end enterprises, in separate ways

InCommon Trust - ongoing  Use trust  Build trust cycle  Clearly need consensus levels of I/A  Multiple levels of I/A for different needs Two factor for high-risk Distinctive requirements (campus in Bejing or France, distance ed, mobility)  Standardized data definitions unclear  Audits unclear  International issues

Balancing the work  InCommon CA Identity proofing the enterprise Issuing the enterprise signing keys (primary and spare) Signing the metadata  InCommon Federation Aggregating the metadata Supporting campuses in posting their policies

InCommon Ops Docs  InCommon_Federation_Disaster_Recovery_Procedures_ver_0.1 An outline of the procedures to be used if there is a disaster with the InCommon Federation.  Internet2_InCommon_Federation_Infrastructure_Technical_Referen ce_ver_0.2 Document describing the federation infrastructure.  Internet2_InCommon_secure_physical_storage_ver_0.2 List of the physical objects and logs that will be securely stored.  Internet2_InCommon_Technical_Operations_steps_ver_0.35 This document lists the steps taken from the point of submitting CSR, Metadata, and CRL to issuing a signed cert, generation of signed metadata, and publishing the CRL.  Internet2_InCommon_Technical_Operation_Hours_ver_0.12 Documentation of the proposed hours of operations.

InCommon CA Ops Docs  CA_Disaster_Recovery_Procedure_ver_0.14 An outline of the procedures to be used if there is a disaster with the CA.  cspguide Manual of the CA software planning to use.  InCommon_CA_Audit_Log_ver_0.31 Proposed details for logging related to the CA.  Internet2_InCommon_CA_Disaster_Recovery_from_root_key_compro mise_ver_0.2 An outline of the procedures to be used if there is a root key compromise with the CA.  Internet2_InCommon_CA_PKI-Lite_CPS_ver_0.61 Draft of the PKI-Lite CPS.  Internet2_InCommon_CA_PKI-Lite_CP_ver_0.21 Draft of the PKI-Lite CP.  Internet2_InCommon_Certificate_Authority_for_the_InCommon_Federa tion_System_Technical_Reference_ver_0.41 Document describing the CA.

InCommon Key Signing Process  2. Hardware descriptions a. Hardware will be laptop and spare laptop with no network capabilities, thumb drive, CDRW drive, media for necessary software 3. Software descriptions a. OS, OpenSSL, CSP, Java tools for meta data 4. Log into computer 5. Generation of the CA Private Root key and self-signing 6. Generation of the Metadata signing key 7. Generate CSR for Internet2 origin 8. Signing of new metadata sites and trusts files 9. Backup copies of all private keys and other operational backup data are generated. 10. Verify CD's and MD5 checksum 11. Write down passphrase and put in envelopes and sign envelopes 12. Securely store CA hardware and contents of local safe in safe 13. Log that these actions occurred on the log in safe and then close and lock the safe 14. Put thumb drive into secure db and copy data onto secure db 15. Take private key password archive and other contents to Private Key Password safe deposit box and record in log that this was done. 16. Take operational data archive to Operation Data safe deposit box and record in log that this was done.

InCommon Ops Process Steps  InCommon Process Technical Reviewers Scott Cantor, OSU Jim Jokl, UVa RL Bob Morgan, UW Jeff Schiller, MIT  Key Signing Party March 30, 2004 in Ann Arbor Videotaped Witnessed  Phase One Participants

The potential for InCommon  The federation as a networked trust facilitator  Needs to scale in two fundamental ways Policy underpinnings need to move to normative levels among the members; “post and read” is a starting place… Inter-federation issues need to be engineered; we are trying to align structurally with emerging federal recommendations  Needs to link with PKI and with federal and international activities  If it does scale and grow, it could become a most significant component of cyberinfrastructure…