Federated Identity Fundamentals Ann Harding, SWITCH Cambridge July 2014.


Slide 1: Federated Identity Fundamentals
Ann Harding, SWITCH
Cambridge, July 2014

Connect | Communicate | Collaborate

Slide 2: Learning Objectives
- What is Federated Identity Management?
- What is a Federation?
  - Full mesh example (SWITCHaai)
  - Hub and spoke federation example
  - eduroam example
- What is Interfederation?
  - eduGAIN example
- Positioning Federation as a Service

Slide 3: Evolution of Identity Management
- Primordial Soup: nothing yet!
- Stone Age: the application holds all information
- Bronze Age: centralised credential (e.g. LDAP); identity still in the application
- Iron Age: central credentials and identity; the application only holds its specific user data
- Diamond Age: Federated Identity; share information outside one domain

Slide 4: Federated Identity
- Identity Provider (IdP): asserts authentication and identity information about users. Home Organisation (HO) is a related term.
- Service Provider (SP): checks and consumes this information for authorization and makes it available to an application. Relying Party (RP) is a related term.
- Identity Providers and Service Providers are collectively called entities.

Slide 5: Federated Identity
- The first principle within federated identity management is the active protection of user information.
- Protect the user's credentials: only the IdP ever handles the credential.
- Protect the user's identity information, including the identifier: a customized set of information is released to each SP.
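The two protections on this slide, as an added Python example that is not code from the presentation or from SWITCH: the IdP keeps the full user record and the credential, and what each SP receives is a per-SP subset of attributes plus an identifier that differs from SP to SP. The user record, the release policy, the entity IDs and the salt are constructed for illustration, and the pairwise identifier derivation is an illustrative HMAC construction, not the exact algorithm of any particular IdP product.

```python
import hashlib
import hmac

# Constructed sample data: the IdP's full view of one user. The password is
# deliberately not part of this record; it never leaves the IdP's login flow.
USER_ATTRIBUTES = {
    "uid": "jdoe",
    "mail": "jdoe@example.edu",
    "displayName": "Jane Doe",
    "eduPersonAffiliation": ["member", "staff"],
    "dateOfBirth": "1980-01-01",
}

# Per-SP release policy: the attributes each SP entityID may receive.
# Anything not listed is withheld, and an SP with no policy gets nothing
# (default deny). Entity IDs are constructed for the example.
RELEASE_POLICY = {
    "https://library.example.edu/shibboleth": {"eduPersonAffiliation"},
    "https://wiki.example.edu/shibboleth": {"mail", "displayName", "eduPersonAffiliation"},
}

# Secret known only to the IdP, used to derive per-SP pairwise identifiers.
# Constructed value; a real deployment generates and protects a random salt.
PAIRWISE_SALT = b"example-idp-salt-not-for-production"


def pairwise_id(idp_entity_id, sp_entity_id, uid, salt=PAIRWISE_SALT):
    """Derive an opaque identifier that is stable for one (user, SP) pair but
    differs across SPs, so two SPs cannot correlate a user by identifier alone.
    Illustrative HMAC-SHA256 construction over (IdP, SP, local uid)."""
    message = f"{idp_entity_id}!{sp_entity_id}!{uid}".encode()
    return hmac.new(salt, message, hashlib.sha256).hexdigest()


def release_attributes(idp_entity_id, sp_entity_id,
                       user=USER_ATTRIBUTES, policy=RELEASE_POLICY):
    """Return the customized attribute set for this SP: only the attributes the
    policy allows, plus the SP-specific pairwise identifier. An SP that is not
    in the policy receives an empty release."""
    if sp_entity_id not in policy:
        return {}
    allowed = policy[sp_entity_id]
    released = {name: value for name, value in user.items() if name in allowed}
    released["pairwiseId"] = pairwise_id(idp_entity_id, sp_entity_id, user["uid"])
    return released


if __name__ == "__main__":
    idp = "https://idp.example.edu/idp"
    for sp in list(RELEASE_POLICY) + ["https://unknown.example/sp"]:
        print(sp, "->", release_attributes(idp, sp))
```

Running the block shows the library SP receiving only the affiliation and a pairwise identifier, the wiki SP receiving three attributes and a different identifier for the same user, and the unregistered SP receiving nothing; the local uid and date of birth never leave the IdP.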

Slide 6: Benefits / Compelling Reason to Act
- Reduces work: authentication-related calls to Penn State University's helpdesk dropped by 85% after they installed Shibboleth.
- Provides current data: studies of applications that maintain user data show that the majority of data is out of date. Are you "protecting" your app with stale data?
- Insulation from service compromises: in FIM, data is pushed to services as needed. If those services are compromised, the attacker can't get everyone's data.
- Minimize attack surface area: only the IdP needs to be able to contact user data stores. All effort can be focused on securing this one connection instead of one or more connections per service.

Slide 7: What is a Federation?
- A group of organizations running IdPs and SPs that agree on a common set of rules and standards.
- The grouping can be on a regional level (e.g. SWITCHaai) or on a smaller scale (e.g. a large campus).
- IdPs and SPs "know" nothing about federations: they read metadata!
- An organization may belong to more than one federation at a time.

Slide 8: What do Federations do?
- At a minimum, a federation maintains the list of which IdPs and SPs are in the federation.
- Most federations also:
  - Define agreements, rules, and policies
  - Provide some user support (documentation, email list, etc.)
  - Operate a central discovery service and test infrastructure
- Some federations:
  - Provide self-service tools for managing IdP and SP data (Resource Registry)
  - Provide application integration support
  - Host or help with outsourced IdPs (IdP in the Cloud, hosted IdP)
  - Provide tools for managing "guest" users
  - Develop custom tools for the community

Slide 9: Federation Rules?
- Technical interoperability: supported protocols; user authentication mechanisms; user attribute specifications; accepted X.509 server certificates
- Legal interoperability: membership agreement or contract; federation operation policies; requirements on identity management practices
- Others: common/best operational practices, e.g. http://switch.ch/aai/bcp

Slide 10: SWITCHaai Example
- SWITCH operates the SWITCHaai Federation.
- AAI is a Basic Service for the SWITCH Community.
- Two classes of SWITCHaai Participants:
  - SWITCH Community: the organization fits the definition from the SWITCH Service Regulations; may incur costs.
  - Federation Partner: the organization is sponsored by a SWITCHaai Participant from the SWITCH Community; includes commercials; typically incurs costs.

Slide 11: SWITCHaai Example
[Diagram of the SWITCHaai legal framework; labels only: Federal Law, Cantonal Law (e.g. data protection); SWITCHaai Service Description (includes Policy); Service Regulations; Federation Partner Agreement & GTC; SWITCH Community (Org 1, Org 2, Org ..., each with User Regulations); Federation Partners (Org n); SWITCH.]

Slide 12: SURFconext example
- SURFconext is the central point where the connection between a service and its users is made. SURFconext manages the mutual authentication and authorization between them.
- Commercial SPs have contractual arrangements via SURFmarket.
- Community AND free SPs have contracts via SURFnet.

Slide 13: Other technology example - eduroam
[Diagram; legend: HI = Home Institution, VI = Visited Institution, IdP = Identity Provider, SP = Service Provider]

Slide 14: Interfederation
- Interconnecting national federations
- eduGAIN → Interfederation, eduroam → Confederation
- No longer a single legal or policy framework: each federation has its own, and eduGAIN has one as well
- No single 'interfederation helpdesk' in case of problems: debugging probably involves more parties, and the involved parties will generally know less about each other
- Different sets of attributes are used internationally

Slide 15: eduGAIN Example
- eduGAIN provides the policy framework and standards to build trust.
- SPs and IdPs of participating federations opt in to eduGAIN: there are various local processes for what this means, and opt-out is being piloted by some.
- The MDS fetches, aggregates and republishes metadata.

Slide 16: Metadata Exchange for eduGAIN
- Each federation publishes a metadata file with the entities that want to interfederate.
- The eduGAIN Metadata Service (MDS) fetches them.
- The eduGAIN MDS aggregates all metadata and republishes it.
- Federations fetch it and filter out their own entities.
- Entities consume the filtered eduGAIN metadata file in addition to the one from their own federation.
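The exchange on this slide (each federation publishes, the MDS aggregates, each federation filters out its own entities, entities consume the result) as an added Python example that is not part of the presentation or of eduGAIN's own software. The entity IDs, registration authorities and aggregate name are constructed, and each feed is reduced to SAML EntityDescriptor elements carrying an mdrpi:RegistrationInfo extension, which is the element real metadata uses to record the registering federation.

```python
import xml.etree.ElementTree as ET

MD = "urn:oasis:names:tc:SAML:2.0:metadata"
MDRPI = "urn:oasis:names:tc:SAML:metadata:rpi"   # registration-info extension
ET.register_namespace("md", MD)
ET.register_namespace("mdrpi", MDRPI)


def federation_metadata(entity_ids, registration_authority):
    """Step 1: a federation publishes an EntitiesDescriptor listing the entities
    that opted in to interfederation, each tagged with the registering federation.
    Reduced to what this example needs; real metadata also carries roles, keys,
    contacts and an XML signature (assumption stated here, not modelled)."""
    root = ET.Element(f"{{{MD}}}EntitiesDescriptor", {"Name": registration_authority})
    for entity_id in entity_ids:
        ed = ET.SubElement(root, f"{{{MD}}}EntityDescriptor", {"entityID": entity_id})
        ext = ET.SubElement(ed, f"{{{MD}}}Extensions")
        ET.SubElement(ext, f"{{{MDRPI}}}RegistrationInfo",
                      {"registrationAuthority": registration_authority})
    return ET.tostring(root, encoding="unicode")


def aggregate(feeds):
    """Step 2: the MDS fetches every federation's feed and republishes a single
    aggregate containing all of their entities."""
    agg = ET.Element(f"{{{MD}}}EntitiesDescriptor",
                     {"Name": "https://mds.example.org/aggregate"})  # constructed name
    for feed in feeds:
        for ed in ET.fromstring(feed).findall(f"{{{MD}}}EntityDescriptor"):
            agg.append(ed)
    return ET.tostring(agg, encoding="unicode")


def registration_authority(entity_descriptor):
    """Which federation registered this entity (None if it carries no RegistrationInfo)."""
    info = entity_descriptor.find(f"{{{MD}}}Extensions/{{{MDRPI}}}RegistrationInfo")
    return None if info is None else info.get("registrationAuthority")


def entity_ids(metadata_xml):
    """All entityIDs in an EntitiesDescriptor, in document order."""
    root = ET.fromstring(metadata_xml)
    return [ed.get("entityID") for ed in root.findall(f"{{{MD}}}EntityDescriptor")]


def filter_for_federation(aggregate_xml, own_authority):
    """Step 3: a federation fetches the aggregate and drops the entities it
    registered itself, since those already trust each other through the local
    federation metadata. The returned entityIDs are the 'foreign' entities its
    members will load next to their own federation's file (step 4)."""
    root = ET.fromstring(aggregate_xml)
    return [ed.get("entityID")
            for ed in root.findall(f"{{{MD}}}EntityDescriptor")
            if registration_authority(ed) != own_authority]


# Constructed sample feeds for two federations (entity IDs are not real).
FEED_A = federation_metadata(
    ["https://idp.uni-a.example/idp", "https://sp.uni-a.example/sp"], "https://fed-a.example")
FEED_B = federation_metadata(["https://sp.uni-b.example/sp"], "https://fed-b.example")
AGGREGATE = aggregate([FEED_A, FEED_B])

if __name__ == "__main__":
    for fed in ("https://fed-a.example", "https://fed-b.example"):
        print(fed, "sees:", filter_for_federation(AGGREGATE, fed))
```

The filter keys on the registrationAuthority recorded in the metadata rather than on which feed an entity arrived in, so it depends on every entity carrying RegistrationInfo; an entity without it passes this filter, and a stricter consumer would reject such an entity instead. In production the aggregate is signed, and a federation verifies that signature before filtering or trusting anything in it; that step is outside this example.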

Slide 17: eduGAIN technical infrastructure in a nutshell
[Diagram]

Slide 18: eduGAIN Constitution and Policy
- Governance and Governing Bodies: eduGAIN Executive Committee (eEC); eduGAIN Steering Group (eSG); Operational Team (OT)
- Participant Federations MUST:
  - Primarily serve the interests of the education and research sector.
  - Provide a point of contact for their Members for dealing with technical issues.
  - Provide processes for handling complaints and incidents involving their Members.
  - Have a published Metadata registration practice statement.
  - Follow the eduGAIN SAML 2.0 Metadata Profile.
- No express right of communication: for an Entity registered in an eduGAIN Participant Federation, this does not imply any right of communication with any other Entity exchanged through eduGAIN.
- http://www.geant.net/service/eduGAIN/resources/Pages/home.aspx

Slide 19: Where Federation as a Service fits
[Diagram]

Slide 20: Key Interfederation Challenges
- Coverage: number of federations; depth of adoption
- Policy and requirements: cannot mandate much for entities
- Branding: visibility vs. trust
- Reputation of the overall service depends on that of the members

Slide 21: Quiz Time

Slide 22: Quiz Time
1. Which of the following is NOT an entity?
   a) IdP
   b) RR
   c) SP
   d) MDS
2. Which of the following statements are true in Federated Identity Management?
   a) Only the IdP holds the user credentials
   b) Federations route credentials to SPs
   c) Per-service credentials are held in applications
   d) The SP needs all information about a user to be released
3. Name an advantage of Federated Identity Management.

Slide 23: Quiz Time
4. Which of the following are offered by most federations?
   a) Discovery Service
   b) List of entities
   c) Policies and Guidelines
   d) Managed IdP
5. Full mesh or hub and spoke?
   a) Operated by most federations
   b) Connections between entities managed by the federation
   c) Every entity has a copy of the trusted federation metadata listing all federation members
6. True or False? Participating eduGAIN members must:
   a) Primarily serve the interests of the education and research sector.
   b) Provide a minimum standard attribute release between entities
   c) Get approval of the eduGAIN SG for commercial entities in eduGAIN
   d) Provide processes for handling complaints and incidents involving their Members.

Slide 24: Back at 11:30

Slide 25: Thank you!
www.geant.net
www.twitter.com/GEANTnews | www.facebook.com/GEANTnetwork | www.youtube.com/GEANTtv

