Tim Poe & Steve Thorpe {tpoe, MCNC All-Staff Meeting March 19, 2009 What is Federated ID Management and Why Should You Care?

Presentation transcript:


Connecting North Carolina's Future Today 3/19/09

Outline
- Motivation
- Example Services
- Requirements
- Underlying Technology
- NCTrust Federation Pilot
- Demo

Motivation
Many NC institutions desire access to remote protected web-based services:
- 17 UNC system institutions
- 115 LEAs, thousands of K-12 schools
- 58 community colleges
- 36 independent colleges / universities
- Plus many other government / educational / commercial organizations
Desire is for access to be efficient, cost effective, quick, secure, and user-friendly. Federated ID Management technologies enable such access.

ATM machines - An Early Example of Federated ID Management
- Thousands of banks - Federated
- Millions of users (bank customers)
- User login (ATM card) and password (PIN) maintained by the user's home institution (Bank)
- Other institutions give service ($) access to remote users, based on trusting the login and password that's maintained by the home institution
- Today we're doing something similar, only we're serving Web-based services rather than $

Example - Confluence
- Confluence is a web-based wiki service that fosters collaboration among multiple institutions
- Federated ID Management technologies can alleviate MCNC's current need for in-house management of accounts for outside users
- Each home institution would manage their *own* accounts

Example - NCLive
- NCLive provides access to eJournals, etc. for libraries, higher-ed and increasingly K-12
- Want ease of resource accessibility yet must adhere to licenses of various products being distributed, e.g. certain content might be allowed only for:
  - Students
  - K-20 staff
  - Chemistry teachers
  - etc.

Example - VCL
- NCSU's Virtual Computing Lab (VCL) is a web service that allows reservations of a computer with a desired set of applications, then remote access over the Internet
- You can use applications such as Matlab, Maple, SAS, Solidworks, and many others. Linux, Solaris and numerous Windows environments are available
- Due to licensing and resource limitations, access must be limited to certain user communities

Other Examples
- How about a service to enable cross-institutional course registration for access to distance learning from a different university in the UNC system?
- How about a service for elementary school kids to access privately licensed PBS, CSPAN, and History Channel video content through the internet?
Federated ID Management technologies can facilitate resource utilization across NCREN by enabling these and other web-based services much more efficiently, saving $ for MCNC and the NCREN community.

Requirements
- Prevent users having to know yet-another password
- Prevent system administrators having to add yet-another account
- Avoid logins becoming out of date
- Enable easier scaling of web-based applications to include multiple additional users/organizations
- Must know people are who they say they are, with up-to-date accuracy
- With potentially hundreds of thousands of people involved, need the home institutions to be responsible for account administration

Underlying Technology: Shibboleth
- Shibboleth is open source software for web single sign-on across or within organizational boundaries
- Allows informed authorization decisions for protected web service access in a privacy-preserving manner
- Uses Security Assertion Markup Language (SAML) to provide federated single sign-on and attribute exchange framework
- Provides extended privacy functionality allowing the browser user and their home site to control the attributes released to each application

Obligatory Geek Diagram - Simplified (the only one, we promise!)
[Figure: Shibboleth Identity Provider (IdP) and Shibboleth Service Provider (SP), with an LDAP Server behind the IdP. The IdP is a J2EE app. On the SP side, the shibd daemon maintains state, and mod_shib gets attributes from shibd and protects web apps. Access to the protected service (web app) is controlled by the shib gatekeeper.]
1. Student is at Starbucks
2. IdP is at his school
3. Protected Web Service is at a university
4. IdP/SP communication via SAML attributes exchanged through the browser session
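As an added illustration of the flow in the diagram above (this is not code from the slides or from the Shibboleth project): the IdP looks the user up in its directory, releases only the attributes its policy allows for that particular SP, and the SP's gatekeeper makes the access decision from the attributes it actually receives. The user records, SP entity IDs and access rules are all constructed; attribute names follow common eduPerson usage.

```python
"""Toy model of Shibboleth-style attribute release and SP authorization.

Constructed example: an IdP holds user attributes, a per-SP release policy
limits what leaves the home institution (privacy preservation), and the SP
'gatekeeper' decides access from the attributes it actually receives.
Attribute names follow common eduPerson usage; all data is constructed.
"""
from typing import Dict, Set

# Constructed "LDAP" directory at the home institution (the IdP side).
DIRECTORY: Dict[str, Dict[str, Set[str]]] = {
    "jdoe": {"eduPersonAffiliation": {"student"}, "mail": {"jdoe@example.edu"},
             "department": {"chemistry"}, "givenName": {"Jane"}},
    "rroe": {"eduPersonAffiliation": {"staff", "faculty"},
             "mail": {"rroe@example.edu"}, "department": {"physics"}},
}

# IdP attribute release policy: which attributes each SP may see (default deny).
# Hypothetical SP entity IDs; a real Shibboleth IdP expresses this in its
# attribute filter policy rather than in Python.
RELEASE_POLICY: Dict[str, Set[str]] = {
    "https://nclive.example/sp": {"eduPersonAffiliation", "department"},
    "https://vcl.example/sp": {"eduPersonAffiliation", "mail"},
}

def idp_release(user: str, sp_entity_id: str) -> Dict[str, Set[str]]:
    """Return only the attributes the policy permits for this SP; unknown SPs get nothing."""
    allowed = RELEASE_POLICY.get(sp_entity_id, set())
    record = DIRECTORY.get(user, {})
    return {name: vals for name, vals in record.items() if name in allowed}

def sp_gatekeeper(attrs: Dict[str, Set[str]], rule: Dict[str, Set[str]]) -> bool:
    """Grant only if, for every required attribute, the user holds an accepted value."""
    return all(attrs.get(name, set()) & accepted for name, accepted in rule.items())

# NCLive-style license rule: chemistry-department members only (constructed).
CHEM_RULE: Dict[str, Set[str]] = {"department": {"chemistry"}}
# VCL-style rule: any current student, staff or faculty member (constructed).
VCL_RULE: Dict[str, Set[str]] = {"eduPersonAffiliation": {"student", "staff", "faculty"}}

def can_access(user: str, sp_entity_id: str, rule: Dict[str, Set[str]]) -> bool:
    """Full flow: IdP filters attributes for this SP, then the SP's gatekeeper decides."""
    return sp_gatekeeper(idp_release(user, sp_entity_id), rule)
```

Note that an SP can only enforce rules on attributes the IdP chose to release to it: a department-based rule at the VCL SP denies everyone, because the policy never sends `department` there.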

NCTrust Federation Pilot
- MCNC and partners have convened the NC Trust Pilot
- Goal: create a Federation to test web resource sharing among several K-20 organizations within NC
  - Adding K-12 into the mix is a unique aspect
- NCTrust utilizes the national InCommon Federation infrastructure
  - Provides a trust mechanism allowing each organization to certify its operational practices
- MCNC is helping partners with tech / installation support
[Figure: pilot partners shown, including NC DPI, North Carolina Learning Object Repository, and ? (tbd)]

Shibboleth Training Workshops
- 1.5 day workshops were hosted by MCNC in October 2008 and February 2009
- Instructors: Shilen Patel and Rob Carter (Duke), Gonz Guzman (MCNC)
- Approximately 45 participants total
- There's an excellent video archive of the workshop, thanks to Bryon and Chad

MOU and InCommon Paperwork in Various Stages of Completion...
- First demos starting now!
- Paperwork is MUCH harder / slower than technical work! (though the technical parts are certainly not trivial)

Demo
As 
- Log onto test service, to see some attributes
- Access Internet2's Confluence site
As 
- Log onto NCSU's VCL site, check for images
As 
- Log onto NCSU's VCL site, check for images and see a different list based on my NCSU status

Future Steps
- Connect services among the NCTrust community
  - VCL
  - NCLive
  - MCNC's confluence site is a likely candidate
  - Others?
- Recommendations on best model of state-wide federation to meet the needs of the K-20 educational community in North Carolina
  - To cover funding, operations, governance, etc.
- Pilot runs through December

Key Takeaways
We believe Federated ID Management can enable more effective resource sharing among the NCREN community:
- Secure
- Efficient
- Scalable
- Accessible
- Saves $
- Not to mention it's a GREEN technology
Fostering adoption of FIM technologies is another way of Connecting North Carolina's Future Today.

Thank You
Special thanks to MCNC's Gonz Guzman, Tom Throckmorton, Kambiz Aghaiepour, Neal Bullins, Carole Bruhn, Keith Venters, Chris Caswell, Bryon Coltrane, and Chad Pritchard who all helped this effort.
Also thanks to the many Federated ID Task Force members from throughout the NCREN community that are participating with us in the NCTrust pilot project.
Questions?