Edugate. Glenn Wearen, HEAnet.

Summary
- 1 year pilot project / 2 years in production
- All IoTs (Institutes of Technology), universities and colleges, but only half of HEAnet's members
- Core service at some institutions but light use at others

So, where to now?
1. Extended Attribute Schema
2. Higher Identity Assurance
3. Strong Authentication
4. Account Provisioning
5. Cross institutional groups
6. New Identity Protocols
7. Statistics
8. Bilateral Trusts
9. Expansion beyond HEAnet
10. SSO for non-web applications
11. Aggregated identities
12. Logout

1. Extended Attribute Schema
Students
- Do you have photos?
- Can I tell if a user is part-time/full-time?
- What course is the student pursuing?
Staff
- Cost-center code (for eProcurement)
- ResearcherID
- AuthorID
- Availability calendar
- Telephone number

2. Higher Identity Assurance
Would you use Edugate for eProcurement?
- On-campus (cross charging for campus services)
- Shared procurement portal (Shannon Consortium Procurement Network)
- External suppliers (vikingdirect.ie / officedepot.ie)
The Service Provider will seek assurances that the identity is of sufficient quality to underpin a cardless financial transaction.

3. Strong Authentication
Passwords are the root of all e-vil:
- Easily shared
- Easily forgotten
- Frequently exposed
- No common password policy
- Password changes not enforced

3. Strong Authentication
- SSO helps to eliminate passwords
- Consolidating onto a single (or single+1) credential allows for strong authentication: 2-factor authentication / strong password policy
- SSO systems can protect sensitive resources: re-authentication, 'step-up' authentication
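The re-authentication and step-up decisions an SP makes behind a "sensitive resource", written out as an added example (it is not Edugate code). It assumes the SP keeps, per SSO session, the AuthnInstant and AuthnContextClassRef from the SAML assertion, that the IdP honours ForceAuthn and RequestedAuthnContext, and a constructed per-resource policy; the password class URI is the standard SAML one and the MFA URI is the REFEDS MFA profile identifier.

```python
"""Step-up and re-authentication policy at a service provider.

Added example, not Edugate code. Assumes the SP stores AuthnInstant and
AuthnContextClassRef per session and that the IdP honours ForceAuthn and
RequestedAuthnContext. The resource policy below is constructed.
"""
from dataclasses import dataclass
from datetime import datetime, timedelta, timezone

PASSWORD = "urn:oasis:names:tc:SAML:2.0:ac:classes:PasswordProtectedTransport"
MFA = "https://refeds.org/profile/mfa"
STRENGTH = {PASSWORD: 1, MFA: 2}   # ordering used to compare contexts

# resource -> (minimum authentication context, maximum age of the authentication event)
POLICY = {
    "public": (None, None),
    "grades": (PASSWORD, timedelta(hours=8)),
    "procurement": (MFA, timedelta(minutes=15)),
}


@dataclass
class SsoSession:
    principal: str
    authn_context: str
    authn_instant: datetime


def decide(session: SsoSession, resource: str, now: datetime) -> dict:
    """Return 'allow', or the AuthnRequest parameters the SP must send to the IdP."""
    required, max_age = POLICY[resource]
    if required is None:
        return {"action": "allow"}
    if STRENGTH.get(session.authn_context, 0) < STRENGTH[required]:
        # session was established with a weaker method: ask the IdP for a stronger one
        return {"action": "step-up", "RequestedAuthnContext": required, "ForceAuthn": True}
    if now - session.authn_instant > max_age:
        # method is strong enough but the event is too old: make the user authenticate again
        return {"action": "reauthenticate", "RequestedAuthnContext": required, "ForceAuthn": True}
    return {"action": "allow"}


def demo() -> dict:
    """Run three constructed sessions against the policy."""
    now = datetime(2013, 6, 1, 12, 0, tzinfo=timezone.utc)
    pw = SsoSession("alice@example.edu", PASSWORD, now - timedelta(hours=1))
    pw_old = SsoSession("alice@example.edu", PASSWORD, now - timedelta(hours=9))
    mfa_old = SsoSession("alice@example.edu", MFA, now - timedelta(hours=1))
    mfa_new = SsoSession("alice@example.edu", MFA, now - timedelta(minutes=5))
    return {
        "pw_public": decide(pw, "public", now)["action"],
        "pw_grades": decide(pw, "grades", now)["action"],
        "pw_old_grades": decide(pw_old, "grades", now)["action"],
        "pw_procurement": decide(pw, "procurement", now)["action"],
        "mfa_old_procurement": decide(mfa_old, "procurement", now)["action"],
        "mfa_new_procurement": decide(mfa_new, "procurement", now)["action"],
    }


if __name__ == "__main__":
    for name, action in demo().items():
        print(f"{name}: {action}")
```

The two checks are deliberately separate: a session that is strong enough but stale gets a plain re-authentication, while a session built on the wrong method gets a request that names the stronger context, so a password login cannot satisfy it.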

4. Account Provisioning
On-campus, provisioning is a minor problem, but for cloud/hosted/outsourced services provisioning is a significant problem.
Invitation systems require:
- address of all potential users
  - 1-time URL
- approval workflows
  - open URL

4. Account Provisioning
Bulk provisioning
- Handling of bulk files is a significant risk
- Out of sync almost immediately
- De-provisioning rarely handled
- Accounts created for users who might never log in

4. Account Provisioning
Just-in-Time provisioning
- Standards emerging: Simple Cloud Identity Management (SCIM)
- But service providers are familiar with:
  - LDAP: enter username/password, authenticate, query for attributes
  - OAuth: enter user ID, authenticate, get token, query for attributes
  - API: enter a user identifier, query for attributes, forever
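The three provisioning slides above describe one lifecycle: a bulk file creates accounts that drift out of sync and are never de-provisioned, while just-in-time provisioning creates or refreshes the account from the assertion at login. The following is an added example (not Edugate or SCIM code) that puts both side by side on one account store and then runs the reconciliation the slides say is rarely done. It assumes accounts are keyed on the eduPersonPrincipalName attribute of an already-validated assertion; the feed rows and dates are constructed.

```python
"""Just-in-time provisioning next to a bulk-file account store.

Added example, not Edugate code. Assumes the SP keys accounts on the
eduPersonPrincipalName attribute of an already-validated assertion and
receives periodic bulk feeds from the institution (both constructed here).
"""
from dataclasses import dataclass
from datetime import datetime, timedelta, timezone
from typing import Optional


@dataclass
class Account:
    principal: str
    display_name: str
    affiliation: str
    created: datetime
    last_login: Optional[datetime] = None
    active: bool = True


class AccountStore:
    def __init__(self) -> None:
        self.accounts: dict = {}

    def bulk_load(self, rows, now: datetime) -> None:
        """Bulk provisioning: every row becomes an account, whether or not it is ever used."""
        for principal, display_name, affiliation in rows:
            if principal not in self.accounts:
                self.accounts[principal] = Account(principal, display_name, affiliation, now)

    def jit_provision(self, attrs: dict, now: datetime) -> Account:
        """JIT provisioning: create or refresh the account from the assertion's attributes."""
        principal = attrs["eduPersonPrincipalName"]
        acct = self.accounts.get(principal)
        if acct is None:
            acct = Account(principal, attrs["displayName"], attrs["eduPersonAffiliation"], now)
            self.accounts[principal] = acct
        else:
            # the IdP's attributes are authoritative: refresh them at every login
            acct.display_name = attrs["displayName"]
            acct.affiliation = attrs["eduPersonAffiliation"]
            acct.active = True
        acct.last_login = now
        return acct

    def reconcile(self, current_feed: set, now: datetime, idle: timedelta) -> dict:
        """Find never-used accounts and de-provision accounts missing from the latest feed."""
        never_used = sorted(p for p, a in self.accounts.items()
                            if a.last_login is None and now - a.created > idle)
        gone = sorted(p for p in self.accounts if p not in current_feed)
        for p in gone:
            self.accounts[p].active = False   # de-provisioning
        return {"never_logged_in": never_used, "deactivated": gone}


BULK_ROWS = [  # constructed sample feed
    ("alice@example.edu", "Alice", "student"),
    ("bob@example.edu", "Bob", "staff"),
    ("carol@example.edu", "Carol", "student"),
]


def demo():
    t0 = datetime(2013, 1, 1, tzinfo=timezone.utc)
    store = AccountStore()
    store.bulk_load(BULK_ROWS, t0)
    # dave was never in a bulk file; JIT creates him on first login
    store.jit_provision({"eduPersonPrincipalName": "dave@example.edu",
                         "displayName": "Dave", "eduPersonAffiliation": "staff"},
                        t0 + timedelta(days=10))
    # alice changed role after the file was produced; the assertion carries the new value
    store.jit_provision({"eduPersonPrincipalName": "alice@example.edu",
                         "displayName": "Alice", "eduPersonAffiliation": "staff"},
                        t0 + timedelta(days=20))
    # three months on, carol has left and no longer appears in the feed
    feed = {"alice@example.edu", "bob@example.edu", "dave@example.edu"}
    report = store.reconcile(feed, t0 + timedelta(days=90), timedelta(days=60))
    return store, report


if __name__ == "__main__":
    _, report = demo()
    print(report)
```

Bob and Carol show the "accounts for users who might never log in" problem, Alice shows the bulk file being out of sync with the IdP, and Carol is the account that only a reconciliation against the current feed would ever deactivate.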

5. Cross institutional groups
Cross institutional/federation groups (Virtual Organisations)
- The Identity Provider doesn't know all the collaborations or projects that a user participates in.
- This makes authorisation difficult for Service Providers (e.g. a project portal).

5. Cross Institutional Groups
Establish an Edugate group repository:
- It can be queried by IdPs during the preparation of attributes for an assertion
- It can be queried by SPs, provided the repository has a user identifier
- Self-asserted group membership
- Group membership approvals or invitations
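The group repository slide lists two consumers (IdP at attribute-preparation time, SP by direct query) and two kinds of membership (self-asserted, and approved or invited). This added example (not Edugate code) models that repository and shows why the status matters: only memberships a group manager has approved are released in the assertion or used for authorisation. It assumes memberships are keyed on a federation-wide identifier (eduPersonPrincipalName) and that the IdP carries approved groups in an isMemberOf attribute; group names and users are constructed.

```python
"""A federation group repository serving both IdP and SP.

Added example, not Edugate code. Assumes memberships are keyed on
eduPersonPrincipalName and that the IdP emits approved memberships in an
isMemberOf attribute (both assumptions). Sample groups and users are constructed.
"""
from dataclasses import dataclass

APPROVED, INVITED, SELF_ASSERTED = "approved", "invited", "self-asserted"


@dataclass(frozen=True)
class Membership:
    group: str
    principal: str
    status: str


class GroupRepository:
    def __init__(self) -> None:
        self._memberships: set = set()

    def _replace(self, principal: str, group: str, status: str) -> None:
        self._memberships = {m for m in self._memberships
                             if not (m.principal == principal and m.group == group)}
        self._memberships.add(Membership(group, principal, status))

    def self_assert(self, principal: str, group: str) -> None:
        """User claims membership; nobody vouches. Never downgrades an existing record."""
        if not any(m.principal == principal and m.group == group for m in self._memberships):
            self._replace(principal, group, SELF_ASSERTED)

    def invite(self, principal: str, group: str) -> None:
        self._replace(principal, group, INVITED)

    def approve(self, principal: str, group: str) -> None:
        """Group manager vouches for the membership."""
        self._replace(principal, group, APPROVED)

    def groups_for(self, principal: str, vouched_only: bool = True) -> list:
        return sorted(m.group for m in self._memberships
                      if m.principal == principal and (not vouched_only or m.status == APPROVED))


def idp_resolve_attributes(base_attrs: dict, repo: GroupRepository) -> dict:
    """IdP side: consult the repository while preparing attributes for the assertion."""
    attrs = dict(base_attrs)
    attrs["isMemberOf"] = repo.groups_for(attrs["eduPersonPrincipalName"])
    return attrs


def sp_authorise(identifier: str, repo: GroupRepository, required_group: str) -> bool:
    """SP side: a direct query, possible only because the SP holds the same identifier."""
    return required_group in repo.groups_for(identifier)


def demo() -> dict:
    repo = GroupRepository()
    repo.self_assert("alice@example.edu", "vo:climate")     # alice merely claims it
    repo.invite("bob@example.edu", "vo:climate")
    repo.approve("bob@example.edu", "vo:climate")           # bob was invited, then approved
    alice = idp_resolve_attributes({"eduPersonPrincipalName": "alice@example.edu"}, repo)
    bob = idp_resolve_attributes({"eduPersonPrincipalName": "bob@example.edu"}, repo)
    return {
        "alice_isMemberOf": alice["isMemberOf"],
        "bob_isMemberOf": bob["isMemberOf"],
        "alice_portal": sp_authorise("alice@example.edu", repo, "vo:climate"),
        "bob_portal": sp_authorise("bob@example.edu", repo, "vo:climate"),
        "alice_all": repo.groups_for("alice@example.edu", vouched_only=False),
    }


if __name__ == "__main__":
    print(demo())
```

Self-asserted memberships stay visible (the last entry) for invitation and approval workflows, but they are never emitted to an SP as an authorisation attribute.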

6. New Identity Protocols
- OpenID Connect: addresses weaknesses and shortcomings of OpenID
- OAuth2: allows retrieval of user data when the user is not present
- WIF: predominant identity protocol for Microsoft services

6. New Identity Protocols
Should Edugate add new protocols? Cost? Benefit?

7. Statistics and Monitoring
- Are my users able to access service X?
- Why are my users accessing service Y?
- How come I've no users from institution A?
- Why are we so popular with institution B?
- What is the most widely used Edugate service?
- What is the least used service?
- Is Edugate being used? Or being used more?

7. Statistics and Monitoring
- Is IdP X up?
- Are there high rates of attrition?
- Are [staff|students] able to authenticate?

8. Proliferation of bilateral trusts
There are 29 bilateral trusts in Edugate; why don't these services join Edugate?
- Maybe not required (single institution)
- Tender awarded, Edugate not in the tender
- SP not a legal entity
- Google Apps, Millennium, Blackboard Learn

9. Expansion beyond HEAnet?
More identity providers will mean more service providers:
- Private colleges
- Health services sector (HSE / hospitals / CPD)
- Industry research centres (Intel Labs / SFI participants)
- 2nd-level schools

10. SSO for non-web
SAML works well within the browser, but outside the browser it requires client support:
- Native client support: Outlook, claims-based authentication
- Or, with Moonshot: common library support (GSS/SASL/SSPI)

11. Aggregated identities
The institution holds validated identity data and enrolment status. This can be aggregated or augmented with self-asserted data from other sources:
- Social IDs (profile pictures, friends, interests)
- Group membership repository

11. Aggregated identities
Facebook/Twitter/Google hold self-asserted identity data. This can be aggregated or augmented with verified user data from other sources :-p

12. Logout
Clicking on 'Logout': what should happen?
- Logout of the application, but the IdP session persists (local logout)
- Logout of the application, redirect to the IdP session killer page (partial logout)
- Logout of the application, redirect to the IdP session killer page, trigger logout of all services (global logout)

12. Logout
Or should the SP force re-authentication at the IdP after the logout button has been used (if the IdP supports it)?
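The three logout modes and the ForceAuthn alternative from the two slides above, simulated as an added example (not Edugate code). It models one IdP session and three SP sessions, all constructed, and reports what survives each mode and whether the next login to the same SP is silent (served from the surviving IdP session) or requires credentials; single logout to the other SPs is simulated rather than sent over the wire.

```python
"""Local, partial and global logout, seen from the SP the user clicked on.

Added example, not Edugate code. One IdP session and three SP sessions are
constructed; 'force_reauth' stands for the SP setting ForceAuthn="true" on
its next AuthnRequest (only useful if the IdP honours it).
"""


class FederationSessions:
    def __init__(self) -> None:
        self.idp_session = True
        self.sp_sessions = {"mail": True, "portal": True, "library": True}
        self.force_authn_next = set()   # SPs that will send ForceAuthn on their next login

    def logout(self, sp: str, mode: str, force_reauth: bool = False) -> None:
        if mode not in ("local", "partial", "global"):
            raise ValueError(f"unknown logout mode {mode!r}")
        self.sp_sessions[sp] = False            # every mode ends the local application session
        if force_reauth:
            self.force_authn_next.add(sp)
        if mode == "local":
            return                              # IdP session persists
        self.idp_session = False                # redirect to the IdP session killer page
        if mode == "global":
            for name in self.sp_sessions:       # single logout propagated to every SP
                self.sp_sessions[name] = False

    def login(self, sp: str) -> str:
        """How the user gets back in: 'silent' via the IdP session, or with 'credentials'."""
        if self.sp_sessions[sp]:
            return "already-logged-in"
        needs_credentials = (not self.idp_session) or (sp in self.force_authn_next)
        self.force_authn_next.discard(sp)
        self.idp_session = True
        self.sp_sessions[sp] = True
        return "credentials" if needs_credentials else "silent"


def demo(mode: str, force_reauth: bool = False) -> dict:
    """Log out of 'mail' in the given mode and report the state, then log back in."""
    fed = FederationSessions()
    fed.logout("mail", mode, force_reauth)
    state = {
        "idp_session": fed.idp_session,
        "other_sps": {k: v for k, v in fed.sp_sessions.items() if k != "mail"},
    }
    state["relogin"] = fed.login("mail")
    return state


if __name__ == "__main__":
    for mode in ("local", "partial", "global"):
        print(mode, demo(mode))
    print("local + ForceAuthn", demo("local", force_reauth=True))
```

Local logout is the case to watch on shared machines: the next click on "login" succeeds silently from the IdP cookie, which is exactly what the ForceAuthn variant closes without touching the other SPs' sessions.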