Intra- to Inter-institutional Use of Shibboleth
Bruce Vincent, Stanford University
June 28, 2006
Agenda
- Background and Context
- Identifying Stakeholders
- Sponsorship
- Various Approaches
- Trusts and Federations
- Running an Inter-institutional IdP and SPs

Background
- Library and researcher motivations
- WebAuth and SU attributes
- Single campus and single user namespace

Identifying Stakeholders (and their motivations)
- Different for inter-institutional federations
- Entirely new level of risks and rewards
- Forces policy decisions

Stakeholders - Consumers
- Libraries (counterparties ready to go)
- Course Management Systems
- Researchers
- Administrators

Stakeholders - IT Infrastructure Groups
- Authentication and LDAP constituencies
- IdM providers: processes and mores
- PMO and support organizations

Stakeholders - IT Management
- Play the innovation card as needed
- Use buzz in trades and “expert” organizations
- Start small but scalable
- Sell the flexibility

Stakeholders - Policy
- Risk Management
- Information Privacy Officer
- Trademarks and Brands
- Office of General Counsel
- Internal Audit
- Information Security Officer

Policy Approach
- Try to leave existing policy intact
- Make reasoned extensions where needed
- Understand the actual risks and explain them objectively
- Encourage the vetting process
- Fix what the new models expose or break

Picking a Sponsor
- Should be supportive and well placed
- Doesn’t hurt if they have a clue
- Make sure they understand their part

Approach on IT Infrastructure
- Leverage existing infrastructure
- If you’ve got it (and it works), use it
- Use existing public release policies for ARPs

Bilateral Trusts
- Point-to-point links
- Realm trusts
- Extradition treaties

Multilateral Trusts and Federations
- Federations establish a trust context and basic language
- Shibboleth federations do not actively take part in authN
- Active exchanges are bilateral in Shibboleth federations
- Inter-library loans

What does a federation do?
- Registration authority tasks
- Keeps list of federation members
- WAYF service…for now
- Keeps references to practice statements and nomenclature
- Keeps the legal agreements (e.g. InCommon Participation Agreement)
- Lives small

Critical Questions
- Is your institution ready to define digital trust relationships?
- Are you considering acting without formal support?
- Are most of your inter-institutional interactions likely to be bilateral?
- Are your staff and infrastructure ready? Does that matter?
- Are you actually likely to need a federation?

Running an IdP in an Inter-institutional Federation
- Operational considerations: high availability, backup & recovery, protection of certs, etc.
- Accommodation of “special” identifiers and TargetedIDs
- Default ARP takes on broader criticality
- Federation protections are for the other guy
- Being in a federation doesn’t automatically give you access to anything

Running an SP in an Inter-institutional Federation
- Provisioning users and managing user data
- Do other institutions need a contract to access your SP?
- Are your apps prepared for loooooong identifiers? e.g. from 'swl' to
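The identifiers an SP must accept once it joins a federation (a scoped eduPersonPrincipalName, or a persistent TargetedID that carries two entity IDs) are both long and easy to mishandle. The following Python example is added here and is not from the presentation: it shows an SP-side acceptance check that rejects a scope the asserting IdP is not registered for, rejects a targeted identifier minted for a different IdP/SP pair, and refuses (rather than truncates) an identifier that does not fit the local user table. The scope table, entity IDs, the `idp!sp!value` layout and the 64-character column width are constructed assumptions.

```python
from dataclasses import dataclass

# Constructed sample of the scopes each IdP is registered to assert
# (shibmd:Scope in federation metadata); a real SP loads this from metadata.
IDP_SCOPES = {
    "https://idp.example.edu/idp/shibboleth": {"example.edu"},
    "https://idp.other.edu/idp/shibboleth": {"other.edu", "med.other.edu"},
}
MAX_USER_ID_LEN = 64  # hypothetical width of the SP's local user-key column


@dataclass(frozen=True)
class LocalIdentity:
    key: str   # value the application stores as its user key
    kind: str  # "scoped" or "targeted"


def _fit(key: str, kind: str, max_len: int) -> LocalIdentity:
    # Refuse rather than silently truncate: a cut identifier can collide
    # with another user's key or lose the scope/entity-ID part entirely.
    if len(key) > max_len:
        raise ValueError(f"identifier of {len(key)} chars exceeds column width {max_len}")
    return LocalIdentity(key, kind)


def accept_scoped(value: str, idp_entity_id: str,
                  max_len: int = MAX_USER_ID_LEN) -> LocalIdentity:
    """Accept user@scope only if the asserting IdP is registered for that scope."""
    if value.count("@") != 1:
        raise ValueError("scoped identifier must contain exactly one '@'")
    local, scope = value.split("@")
    scope = scope.lower()  # scopes are DNS-like; compare case-insensitively
    if not local or scope not in IDP_SCOPES.get(idp_entity_id, set()):
        raise ValueError(f"scope {scope!r} is not registered for {idp_entity_id}")
    return _fit(f"{local}@{scope}", "scoped", max_len)


def accept_targeted(value: str, idp_entity_id: str, sp_entity_id: str,
                    max_len: int = MAX_USER_ID_LEN) -> LocalIdentity:
    """Accept an idp!sp!opaque persistent identifier (the Shibboleth SP
    convention, assumed here) only if it was minted for this IdP and this SP."""
    parts = value.split("!")
    if len(parts) != 3 or not all(parts):
        raise ValueError("targeted identifier must be idp!sp!value")
    idp, sp, _opaque = parts
    if idp != idp_entity_id or sp != sp_entity_id:
        raise ValueError("targeted identifier was not issued for this IdP/SP pair")
    return _fit(value, "targeted", max_len)
```

A targeted identifier built from two typical entity IDs plus a 32-character opaque value is already over 100 characters, so a 64-character column rejects it outright; widening the column is the fix, not trimming the value.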

How’s it going on The Farm?
- Integrated Shibboleth IdPs with WebAuth and culture
- Leveraged existing “visibility” attributes for user ARPs
- Lobbied stakeholders successfully
- Policy amendments on course
- On time, under budget and beyond scope
- Joined InCommon Federation
- OCLC pilot running, others

Judges 12:6…an example of a security policy with teeth
And it was so, that, when any of the fugitives of Ephraim said, Let me go over, the men of Gilead said unto him, Art thou an Ephraimite? If he said, Nay; then said they unto him, Say now Shibboleth; and he said Sibboleth; for he could not frame to pronounce it right: then they laid hold on him, and slew him at the fords of the Jordan. And there fell at that time of Ephraim forty and two thousand.