Presentation is loading. Please wait.

Presentation is loading. Please wait.

Jens Haeusser Director, Strategy IT, UBC The Future of Identity Management in Higher Education JA-SIG June 2007.

Published byDestiny Sackett Modified over 10 years ago

Similar presentations

Presentation on theme: "Jens Haeusser Director, Strategy IT, UBC The Future of Identity Management in Higher Education JA-SIG June 2007."— Presentation transcript:

1 Jens Haeusser Director, Strategy IT, UBC The Future of Identity Management in Higher Education JA-SIG June 2007

2 Agenda  Today: Centralized Identity Management –Overview, Best Practices, and Lessons Learned –“Identity 1.0”  Tomorrow: Federated ID –Shibboleth and eduroam –“Identity 1.5”  What’s Next: Distributed / User Centric ID –Open ID, Cardspace, and Claims –“Identity 2.0”

3 What is Identity Management?  Lifecycle maintenance of electronic accounts  Provisioning –Account creation –Account updates –Role maintenance –Account removal  Authentication & Authorization  Access Control

4 Why is it Important? “Your identity is your most valuable possession. Protect it. And if anything goes wrong, use your powers!” – Elastigirl Kim Cameron’s Identity Weblog

5 Today’s Challenges  Complex and fractured identity landscape –Many systems of records –Many applications –Many passwords –Many overlapping roles  Make life easier for faculty, staff and students –Enable access to resources –Enforce privacy and security –Create a sense of a unified University

6 Today’s Solutions  Consolidated directories  Integrated and automated provisioning  Multiple managed domain controllers  Separation of Authentication and Authorization  Role-based access control  Virtual organizations  Distributed and delegated administration  Initial/reduced/single sign-on

7 A Provisioning Example Identity Manager Student System Active Directory Windows Hosts HR System LDAPCAS Websites Authoritative Repositories Domain Controllers Applications/S ervices Unix Hosts

8 Lessons Learned  It’s all about relationships –Let people engage, cradle to grave –Multiple, overlapping, ever changing  Embrace multiple authoritative sources –Authoritative for attributes, not people  Account names should be ephemeral –Users should be free to select and change –Applications should record account ID, not name  Dynamic rules, not static roles

9 Tomorrow: Federation  Today’s solutions are institution centric –Institution as walled garden –Centralized Identity - “Identity 1.0”  Tomorrow’s solutions move beyond the institution –Broadcast identity from one institution to another –Trust model controlled by institution, not user –Federated Identity - “Identity 1.5”

10 What are Federations?  Group of organizations sharing a set of agreed policies and rules for access to online resources –enable members to establish trust and shared understanding of language or terminology –provide a structure / legal framework that enables authentication and authorization  Enables people to use their home credentials to connect to remote sites –Without revealing their credentials (pseudonimity) –Without releasing unnecessary private information

11 A Federation Example Authentication and Authorization Infrastructure

12 What is ?  An open source project supporting inter-institutional sharing of web resources subject to access controls.  Streamlines sharing secured online services  Leverages campus identity and access management infrastructures –sends information about users to resource site –enables resource provider to make authorization decisions  Ideal for lightweight web authentication –digital libraries –learning object repositories

13 How Does it Work? 2 134

14 Where is it Used? Information Providers: Bodington EBSCO Publishing Elsevier ScienceDirect ExLibris - SFX JSTOR National Digital Science Library (NSDL) Project MUSE TurnItIn Products: Blackboard Confluence EZProzy iTunesU Moodle Twiki Sakai Sympa WebCT

15 What is ?  eduroam stands for Education Roaming  Originally a European initiative  Launched in 2003 to deal with the “Roaming Scholar problem”  RADIUS-based infrastructure  Uses 802.1X to allow inter-institutional roaming  Allows users visiting other eduroam institutions to access WLAN using home credentials

16 How Does it Work? International National Institutional.edu.ca.uk sfuubcoxfordcambridge user@ubc.ca ssid: eduroam 1 2 3 45 6

17 Where Does it Work?

18 Higher Education Federations  Shibboleth –InCommon (US) –UK Access Management Federation  eduroam –JANET (UK) –TERANA  Policy Based –CIMF (Canada) –SWITCH (Switzerland)

19 What Comes Next?  Move control from the institution to the individual  Complex interactions with many institutions  Greater control over identity data –User chooses which attributes (claims) to release, and where to get those claims  User Centric Identity - “Identity 2.0” “ Of course I have a secret identity. I mean, do you see me at the supermarket wearing... this? Who wants to go shopping as Elastigirl, know what I'm saying?"

20 What are Claims?  An assertion, made by the user, of identity data –Identifier (account name) –Personal information (name, address, birthday) –Group membership (over 21, University student)  Multiple types –Directly validated (password) –User-asserted (self signed) –Third party validated (trusted public key)

21 How Does it Work? Identity Provider Identity Provider Identity Agent Identity Agent Service Provider Service Provider 1. What claims? 2. Authenticate 3. Issue claims 4. Present claims Optional

22 What is OpenID?  Open source, distributed authentication system  Simple and lightweight: identity is a URL  Fully decentralized and open platform  I want to log into example.com: 1.I type my OpenID URL into the login form on example.com 2.example.com redirects me (via my web-browser) to myopenid.com 3.I tell myopenid.com whether or not I trust example.com with my identity 4.I am redirected back to example.com and am automatically logged in

23 What is CardSpace?  Windows client software- part of Microsoft’s “Identity Metasystem”  Stores “Identity Cards” –Bundles of claims –Managed or self-issued cards  Presents user with choice of valid cards  Token Agnostic –Can use SAML, Shibboleth, OpenID, WS-*, …

24 The Coming Convergence  Still early days, and rapid development, but…  Active, open conversation between developers, creating the Internet Identity Layer  Open Source Infocard clients and servers emerging  Microsoft sponsored Shibboleth-Cardspace integration  CAS 3.1 supports OpenID and SAML

25 Conclusion  Identity practice undergoing dramatic changes  Users will expect to engage with us in new ways –Bring identity information when they join –Gradual migration to claim based access  Prepare by continuing to strengthen and consolidate internal Identity Management  Target low hanging fruit for Federation  Keep abreast of user-centric identity management

26 Questions? jens.haeusser@ubc.ca

27 Additional Resources 1.OpenIDOpenID 2.Higgins: Open Source Identity Project Open Source Identity Project 3.CardSpace: Wikipedia Article Wikipedia Article 4.Burton Document: The Information Card Landscape (CardSpace and Higgins) The Information Card Landscape 5.eduroameduroam 6.ShibbolethShibboleth 7.CIMF Shibboleth PilotCIMF Shibboleth Pilot 8.Phil Windley’s Technometria Technometria 9.Phil Windley’s book: Digital Identity [ sample chapter ] Digital Identity sample chapter 10.Kim Cameron’s Blog Blog 11.Kim Cameron’s Laws of Identity Laws of Identity 12.Dick Hardt’s BlogBlog

28

29

30

31

32

33

34

Download ppt "Jens Haeusser Director, Strategy IT, UBC The Future of Identity Management in Higher Education JA-SIG June 2007."

Similar presentations

Lousy Introduction into SWITCHaai

Lousy Introduction into SWITCHaai
Identity Network Ideals – Heterogeneity & Co-existence

Identity Network Ideals – Heterogeneity & Co-existence
Trends in Identity Management Nate Klingenstein Internet2 EDUCAUSE Security Professional 2007.

Trends in Identity Management Nate Klingenstein Internet2 EDUCAUSE Security Professional 2007.
Functional component terminology - thoughts C. Tilton.

Functional component terminology - thoughts C. Tilton.
Certification Authority. Overview  Identifying CA Hierarchy Design Requirements  Common CA Hierarchy Designs  Documenting Legal Requirements  Analyzing.

Certification Authority. Overview  Identifying CA Hierarchy Design Requirements  Common CA Hierarchy Designs  Documenting Legal Requirements  Analyzing.
1 The Evolving Definition of Student: Identity Management at Duke University Klara Jelinkova Director, Computing Systems Office of Information Technology.

1 The Evolving Definition of "Student": Identity Management at Duke University Klara Jelinkova Director, Computing Systems Office of Information Technology.
Infocard and Eduroam Enrique de la Hoz, Diego R. L ó pez, Antonio Garc í a, Samuel Mu ñ oz.

Infocard and Eduroam Enrique de la Hoz, Diego R. L ó pez, Antonio Garc í a, Samuel Mu ñ oz.
2006 © SWITCH Authentication and Authorization Infrastructures in e-Science (and the role of NRENs) Christoph Witzig SWITCH e-IRG, Helsinki, Oct 4, 2006.

2006 © SWITCH Authentication and Authorization Infrastructures in e-Science (and the role of NRENs) Christoph Witzig SWITCH e-IRG, Helsinki, Oct 4, 2006.
Digital Identities for Networks and Convergence Joao Girao, Amardeo Sarma.

Digital Identities for Networks and Convergence Joao Girao, Amardeo Sarma.
1 Issues in federated identity management Sandy Shaw EDINA IASSIST 24-27 May 2005, Edinburgh.

1 Issues in federated identity management Sandy Shaw EDINA IASSIST May 2005, Edinburgh.
Dorian Grid Identity Management and Federation Dialogue Workshop II Edinburgh, Scotland February 9-10, 2006 Stephen Langella Department.

Dorian Grid Identity Management and Federation Dialogue Workshop II Edinburgh, Scotland February 9-10, 2006 Stephen Langella Department.
Evolution of Identity Management May 15, 2008 For: CIPS Security Special Interest Group Presented by: Mike Waddingham, PMP President, Code Technology Corp.

Evolution of Identity Management May 15, 2008 For: CIPS Security Special Interest Group Presented by: Mike Waddingham, PMP President, Code Technology Corp.
T-110.5140 Network Application Frameworks and XML Service Federation 30.04.2007 Sasu Tarkoma.

T Network Application Frameworks and XML Service Federation Sasu Tarkoma.
16/3/2015 META ACCESS MANAGEMENT SYSTEM Implementing Authorised Access Dr. Erik Vullings MAMS Programme Manager

16/3/2015 META ACCESS MANAGEMENT SYSTEM Implementing Authorised Access Dr. Erik Vullings MAMS Programme Manager
Mashing Up with User-Centric Identity America Online LLC John Panzer, Praveen Alavilli.

Mashing Up with User-Centric Identity America Online LLC John Panzer, Praveen Alavilli.
Beispielbild Shibboleth, a potential security framework for EDIT Lutz Suhrbier AG Netzbasierte Informationssysteme (http://www.ag-nbi.de)http://www.ag-nbi.de.

Beispielbild Shibboleth, a potential security framework for EDIT Lutz Suhrbier AG Netzbasierte Informationssysteme (
 Lynn Ayres Program Manager Identity Services  Tore Sundelin Program Manager Identity Services BB29.

 Lynn Ayres Program Manager Identity Services  Tore Sundelin Program Manager Identity Services BB29.
Identity & Access Management DCS 861 Team2 Kirk M. Anne Carolyn Sher-Decaustis Kevin Kidder Joe Massi John Stewart.

Identity & Access Management DCS 861 Team2 Kirk M. Anne Carolyn Sher-Decaustis Kevin Kidder Joe Massi John Stewart.
Using Digital Credentials On The World-Wide Web M. Winslett.

Using Digital Credentials On The World-Wide Web M. Winslett.
Peter Deutsch Director, I&IT Systems July 12, 2005

Peter Deutsch Director, I&IT Systems July 12, 2005

Similar presentations

Ads by Google