Understanding deployment issues on the Supply Chain Ann Harding, SWITCH, Nicole Harris, TERENA Cambridge July 2014.

Presentation transcript:

1 Understanding deployment issues on the Supply Chain. Ann Harding, SWITCH; Nicole Harris, TERENA. Cambridge, July 2014

2 Connect | Communicate | Collaborate
Understanding implications on the supply chain
Interactive session: technical briefing, interactive discussion, review of ideas
Topics: Levels of Assurance; Attribute Release; Attribute Aggregation; Monitoring and Accounting

3 To the whiteboard!

4 Assurance and Trust
(Diagram: TRUST at the centre, built from four components.)
- Behavioural Trust - IdP
- Behavioural Trust - SP
- Technical Trust - IdP
- Technical Trust - SP

5 What assurances?
Organisational: Security Management; Notices and User Information; Infrastructure Service Maturity
Operational: User Registration; Password strength; Maintaining logs; Revocation
(Brace on the slide groups these as the items that may be externally audited.)

6 The Problem Statement
The Research Community/SP view:
- Our resources are 'special' and we need to know they are protected properly.
- We need to know that you have taken care to make sure the right people are registered.
- This should be the responsibility of the infrastructure providers, not projects.
The Campus/IdP view:
- Reasonable level of trust through federation: you know us.
- Assurance is EXPENSIVE and you are asking us to bear the cost.
- Different SPs want different things all the time.
- There are no clear use cases as to WHY you need this.

7 Let's discuss

8 Attribute Release: the Problem Statement
The Research Community/SP view:
- Different communities and different SPs need different attributes.
- Need to identify an individual's personal information, e.g. ethics committees need names etc.
- Negotiation with individual IdPs does not work and does not scale.
The Campus/IdP view:
- An IdP takes a risk when it releases attributes: intentional or accidental misuse of information by SPs.
- Data Protection legislation typically encourages a minimal release policy without specifying what minimal is.
- Dealing with requests from many quarters burdens overworked IT departments.

9 Attribute Release: uApprove
- Automated workflow for user approval of attribute release
- Consent is not considered sufficient in many EU jurisdictions
- Shibboleth IdP extension

10 Attribute Release: Entity Categories
- Group federation entities that share common criteria.
- Facilitate IdP decisions to release a defined set of attributes to SPs without the need for detailed local review of each SP.
- The IdP makes a release decision based on the criteria detailed in each SP entity category specification.
- Example entity categories: Code of Conduct (CoCo), Research and Scholarship (R&S). Early days for deployment.
- Release is *facilitated*, not *mandated*.
- The SP's registrar (typically the Federation) checks for compliance at registration.

11 Let's discuss

12 Attribute Aggregation
The "Scott Cantor is a Member of IETF" problem.
(Diagram: a user's Affiliation asserted by several sources: Professional Body, University, Charity, Research Project.)

13 Attribute Aggregation

14 Let's discuss

15 Monitoring and Accounting: what eduGAIN knows

16 Monitoring and Accounting: what Federations know
- Some know more than others: Hub and Spoke vs Full Mesh.
- Few if any standard tools.
- Scalability and standard specs are a big issue.
- Learn from the perfSONAR experience and do not leap in with a 'solution' from above.
- Tools in use: Raptor, f-ticks, AAIeye, AMAAIS, custom scripts feeding Nagios or Icinga, in-house tools, and nothing.

17 What IdPs and SPs know: Shibboleth example
idp-access.log contains a log entry for each time the IdP is accessed, whether or not information was ever sent back: request time, remote host making the request, server host name and port, and the request path.
idp-audit.log contains a log entry for each time the IdP sends data to an SP: event time, IdP and relying party IDs, request and response binding, communication profile ID, request and response ID, principal name, authentication method, and the released attributes of the current user.
SP transaction/audit log: each session that is created or removed (Login, Logout, AuthnRequest). Older versions show no error if an attribute was not provided.
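As an added example (not from the slides), here is the accounting an IdP operator can do from its own idp-audit.log, tying together the entity-category release rules of slide 10 and the audit fields listed on slide 17. It assumes the pipe-delimited audit format of Shibboleth IdP 2.x, a constructed map of which SPs the registrar has tagged R&S, and an R&S attribute bundle that should be checked against the REFEDS specification; all log lines are constructed.

```python
import collections

# Field order assumed for the pipe-delimited idp-audit.log of Shibboleth IdP 2.x;
# verify against your own logging configuration, since deployments can change it.
AUDIT_FIELDS = [
    "event_time", "request_binding", "request_id", "relying_party", "profile",
    "asserting_party", "response_binding", "response_id", "principal",
    "authn_method", "released_attributes", "name_id", "assertions",
]
# R&S attribute bundle as assumed here; the REFEDS R&S specification is authoritative.
RS_BUNDLE = {"eduPersonPrincipalName", "eduPersonTargetedID", "mail", "displayName",
             "givenName", "sn", "eduPersonScopedAffiliation"}
# Constructed: SPs the federation registrar has tagged with the R&S entity category.
RS_TAGGED_SPS = {"https://sp1.example.org/shibboleth"}
# Constructed sample audit lines (hosts, ids and principals are made up).
SAMPLE_LOG = """\
20140702T093001Z|urn:oasis:names:tc:SAML:2.0:bindings:HTTP-Redirect|_r1|https://sp1.example.org/shibboleth|urn:mace:shibboleth:2.0:profiles:saml2:sso|https://idp.example.org/idp/shibboleth|urn:oasis:names:tc:SAML:2.0:bindings:HTTP-POST|_p1|alice|urn:oasis:names:tc:SAML:2.0:ac:classes:PasswordProtectedTransport|eduPersonPrincipalName,mail,|_n1|_a1,|
20140702T093245Z|urn:oasis:names:tc:SAML:2.0:bindings:HTTP-Redirect|_r2|https://sp1.example.org/shibboleth|urn:mace:shibboleth:2.0:profiles:saml2:sso|https://idp.example.org/idp/shibboleth|urn:oasis:names:tc:SAML:2.0:bindings:HTTP-POST|_p2|bob|urn:oasis:names:tc:SAML:2.0:ac:classes:PasswordProtectedTransport|eduPersonPrincipalName,schacHomeOrganization,|_n2|_a2,|
20140702T094010Z|urn:oasis:names:tc:SAML:2.0:bindings:HTTP-Redirect|_r3|https://sp2.example.org/shibboleth|urn:mace:shibboleth:2.0:profiles:saml2:sso|https://idp.example.org/idp/shibboleth|urn:oasis:names:tc:SAML:2.0:bindings:HTTP-POST|_p3|carol|urn:oasis:names:tc:SAML:2.0:ac:classes:PasswordProtectedTransport||_n3|_a3,|
"""

def parse_audit(text):
    """Turn audit lines into dicts; the attribute list is comma separated with a trailing comma."""
    records = []
    for line in text.splitlines():
        parts = line.split("|")
        if len(parts) < len(AUDIT_FIELDS):
            continue  # truncated or foreign line: skip rather than misalign the fields
        rec = dict(zip(AUDIT_FIELDS, parts))
        rec["released_attributes"] = [a for a in rec["released_attributes"].split(",") if a]
        records.append(rec)
    return records

def accounting(records):
    """Per relying party: number of logins and how often each attribute was released."""
    logins = collections.Counter(r["relying_party"] for r in records)
    attrs = {sp: collections.Counter() for sp in logins}
    for r in records:
        attrs[r["relying_party"]].update(r["released_attributes"])
    return logins, attrs

def review_releases(records):
    """Flag releases beyond the R&S bundle to R&S-tagged SPs, and logins that released
    nothing at all (the SP side often shows no error when an attribute is missing)."""
    findings = []
    for r in records:
        sp, released = r["relying_party"], set(r["released_attributes"])
        if sp in RS_TAGGED_SPS and released - RS_BUNDLE:
            findings.append(("beyond-bundle", r["event_time"], sp, sorted(released - RS_BUNDLE)))
        if not released:
            findings.append(("no-attributes", r["event_time"], sp, []))
    return findings
```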

18 Let's discuss

19 Back at 11:30

20 Thank you!