
Introduction to Identity Management Federation Kazu Yamaji, National Institute of Informatics, Japan.


Slide 1: Introduction to Identity Management Federation (Kazu Yamaji, National Institute of Informatics, Japan)

Slide 2: Agenda
- Overview of the Federation
- International Activity
- Technical Information
- How to build up the Federation

Slide 3: The Federation
- provides a single sign on (SSO) to access web services for education and research.
- makes sharing protected online resources easier (SSO), safer (privacy-preserving), and more scalable (distributed identity management) in our age of digital resources and services.
[Figure: three stages of identity management. "Previous": the user keeps a separate credential for each service (Web Mail: ID1/Pass1, E-Journal: ID2/Pass2, eLearning System: ID3/Pass3). "Organization IDM System": one ID/Pass covers the services inside the university. "Federation": distributed IDM extends this across Univ. A, Univ. B, Univ. C and services outside the university.]

Slide 4: [Figure: components of the federation. IdP (Identity Provider), DS (Discovery Service) and several SPs (Service Providers); SAML messages carry the attributes between IdP and SP.]

Slide 5: [Figure: SSO walkthrough. The user wants to download a PPV paper in CiNii and is redirected to the University IdP, where ID & Password are checked against the Personal Info DB. The IdP tells the SP "He/She is a member of our University" and the SP replies "Please DL". When the user then wants to download from Science Direct as well, and later to update a RefWorks record, the answer is only "You have authned. Please": once they have logged in, single sign on applies.]

Slide 6:
- Facilitate Remote Access
- Improve Usability by SSO etc.
[Figure: Search Paper, Read Paper, Manage Paper, joined by SSO.]

Slide 7: The Federation is a secure, scalable and easy login architecture using a standard protocol: SAML.
[Figure: the IdP performs Authentication, the SP performs Authorization; attributes passed from IdP to SP: Organization Name, Affiliation, Opaque ID, Mail Address, etc.]

Slide 8: Benefits of the Federation
- Higher security: Policy-driven methods, using strong authorization controls over secure access channels, provide a higher level of security. This higher level also provides a secure mechanism for ensuring privacy in the exchange of identity and authorization attributes.
- Provide a standard conduit for collaboration: The Federation acts as a collection point and conduit for those wishing to provide and gain access to collaborative web-based resources. Using a standard mechanism for connecting to this conduit provides economies of scale by reducing or removing the need to repeat integration work for each new collaboration.
- Reduced account overhead: Account creation and management can be reduced for resource consumers who are not affiliated with the institution offering those resources. As a federation member, these resources are made available to other federation members, who are responsible for managing those accounts.
- Economies of scale for contractual agreements: Some or all of the policy and legal requirements for bilateral agreements between institutions for sharing of resources may be consolidated by or leveraged from the Federation policies, agreements and requirements documents. This could minimize the need for, or scope of, multiple relying party agreements.
- More granular control over access to and auditing of online resource distribution: Institutions currently offering resources restricted by IP address or other gross controls will be able to use authorization decisions to enforce more granular control over the distribution of cost-based resources. This leads to a more consistent accounting of which resources are actually being utilized and by whom.

Slide 9: Benefits
- End-User Benefits
  - Ease of user account management: Users no longer have to manage an array of accounts and passwords.
  - Privacy maintained: Users identify themselves locally with their home institution, then pass only relevant and necessary attributes to the resource, maintaining privacy as necessary.
  - Convenience and security: Single sign-on reduces opportunities for accounts to be compromised and also allows users to access any number of resources while signing on only once.
- Administrator Benefits
  - Integrate new users, services, and resource providers faster and more easily
  - Reduce the need for per-service account provisioning
  - Extend existing identity-management and resource services
  - Create layers of federation for various constituencies and consortia

Slide 10: [Figure legend: purple: Production Operation; red: Pilot Operation.]

Slide 11: 5498 entities registered within 34 federations

Slide 12: [figure only, no text]

Slide 13: Identity and Access Management Working Group
- IAM-WG sessions at the APAN meeting (twice a year)
- Not only Japanese experience, but also speakers from the EU and USA

Slide 14: [figure only, no text]

Slide 15: [Figure: the Shibboleth IdP reads User Info from LDAP and sends a standard SAML message to the Shibboleth SP, which works something like a filter that mediates the SAML message for the application.]

Slide 16: [Sample SAML message, continued on slide 17; visible values: PasswordProtectedTransport, faculty]

Slide 17: (continued) https://idp.nii.ac.jp/idp/shibboleth … https://mcus.nii.ac.jp/shibboleth-sp

Slide 18: Browser-side mechanisms
- Redirection to collaborate among SP/DS/IdP
  - HTTP redirect
  - JavaScript (automatic POST of the assertion)
- Cookie management: memorize session information on
  - the selected IdP, on the DS (Discovery Service)
  - the status of being authenticated, on an IdP
  - the status of being authorized, on an SP
- Session encryption with an SSL server certificate
  - To protect passwords and cookies from wiretapping

Slide 19: [Figure: message sequence among User, DS (Discovery Service), SP (Resource Provider) and IdP (Home Org), steps numbered 1 to 9, all over HTTPS; attributes are delivered to the SP and access is approved.]

Slide 20: Demo: http://www.switch.ch/aai/demo/

Slide 21: Session lifetimes
- IdP selection at the DS
  - Kept for a month or longer, or cleared after the browser is closed
  - You can choose which at IdP selection (check box)
- IdP session (you have been authenticated)
  - Cleared after the browser is closed (logout by close)
  - Even if the browser is not closed, session timeout is managed by the IdP
  - Re-authentication may be required by a change of IP address at the client side
- SP session
  - Cleared after the browser is closed (logout by close)
  - Or by clicking the logout button on the SP
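To make the three session scopes of slides 18 to 21 concrete, here is an added toy model (example code written for this page, not Shibboleth or GakuNin code). It models a browser whose session cookies vanish on close, a DS that remembers the chosen IdP in a persistent cookie, an IdP that owns the authentication session with an idle timeout and a client-IP binding, and SPs that keep their own sessions and trust only IdPs listed in their metadata. The entityIDs, the user database, cookie names and the 30-minute timeout are all constructed assumptions; the real redirect/POST plumbing is replaced by direct method calls.

```python
"""Toy model of the browser SSO flow on slides 18 to 21: the DS remembers the
chosen IdP in a persistent cookie, the IdP owns the authentication session
(idle timeout, bound to the client IP) and each SP keeps its own session in a
session cookie. Added example for this page, not Shibboleth code; the user
database, cookie names, entityIDs and timeouts are constructed."""

IDP_IDLE_TIMEOUT = 30 * 60            # constructed: 30 minutes idle
DS_COOKIE_LIFETIME = 30 * 24 * 3600   # slide 21: IdP choice kept "a month or longer"


class Browser:
    """Persistent cookies survive closing the browser; session cookies do not."""
    def __init__(self, ip):
        self.ip, self.persistent, self.session = ip, {}, {}

    def get(self, name, now):
        if name in self.session:
            return self.session[name]
        value, expires = self.persistent.get(name, (None, 0))
        return value if now < expires else None

    def close(self):
        self.session.clear()          # "logout by close" for IdP and SP sessions


class DiscoveryService:
    def choose(self, browser, idp_id, now):
        browser.persistent["_saml_idp"] = (idp_id, now + DS_COOKIE_LIFETIME)

    def selected(self, browser, now):
        return browser.get("_saml_idp", now)


class IdentityProvider:
    def __init__(self, entity_id, users):
        self.entity_id, self.users = entity_id, users   # users: name -> (pw, attrs)
        self.sessions = {}            # cookie -> [username, client_ip, last_seen]
        self.password_checks = 0      # how often the login form was really used

    def sso(self, browser, sp_entity_id, now, credentials=None):
        """Return an assertion for sp_entity_id, re-authenticating when there is
        no session, the session idled out, or the client IP changed (slide 21)."""
        sess = self.sessions.get(browser.get("_idp_session", now))
        if sess is None or sess[1] != browser.ip or now - sess[2] > IDP_IDLE_TIMEOUT:
            if credentials is None:
                raise PermissionError("login form required")
            username, password = credentials
            if username not in self.users or self.users[username][0] != password:
                raise PermissionError("bad credentials")
            self.password_checks += 1
            cookie = f"idp{self.password_checks}"
            sess = self.sessions[cookie] = [username, browser.ip, now]
            browser.session["_idp_session"] = cookie
        sess[2] = now                 # activity resets the idle timer
        return {"issuer": self.entity_id, "audience": sp_entity_id,
                "attributes": dict(self.users[sess[0]][1])}


class ServiceProvider:
    def __init__(self, entity_id, ds, idps):
        self.entity_id, self.ds, self.idps = entity_id, ds, idps  # idps: metadata
        self.sessions = {}            # cookie -> attributes
        self.cookie = "_shibsession_" + entity_id

    def access(self, browser, now, idp_choice=None, credentials=None):
        """Protected resource: SP session, else DS -> IdP -> assertion -> session."""
        if browser.get(self.cookie, now) in self.sessions:
            return "approved by SP session"
        idp_id = self.ds.selected(browser, now)
        if idp_id is None:
            if idp_choice is None:
                raise LookupError("discovery service: please choose your IdP")
            self.ds.choose(browser, idp_choice, now)
            idp_id = idp_choice
        if idp_id not in self.idps:
            raise PermissionError("IdP is not in the federation metadata")
        assertion = self.idps[idp_id].sso(browser, self.entity_id, now, credentials)
        if assertion["audience"] != self.entity_id:
            raise PermissionError("assertion not addressed to this SP")
        cookie = f"sp{len(self.sessions) + 1}"
        self.sessions[cookie] = assertion["attributes"]
        browser.session[self.cookie] = cookie
        return "approved, SP session created"


def run_scenario():
    """Walk one user through the cases on slide 21 and report what happened."""
    ds = DiscoveryService()
    idp = IdentityProvider("https://idp.example.ac.jp/idp/shibboleth",
                           {"alice": ("s3cret", {"eduPersonAffiliation": "faculty"})})
    federation = {idp.entity_id: idp}
    sp_a, sp_b, sp_c = (ServiceProvider(f"https://sp-{x}.example.org/shibboleth", ds, federation)
                        for x in "abc")
    b, t, checks = Browser("192.0.2.10"), 1_000_000, {}
    sp_a.access(b, t, idp_choice=idp.entity_id, credentials=("alice", "s3cret"))
    checks["first_login"] = idp.password_checks                    # 1
    sp_b.access(b, t + 60)                                         # SSO: no password
    checks["sso_to_second_sp"] = idp.password_checks               # still 1
    checks["sp_session_reused"] = sp_a.access(b, t + 90)
    b.close()
    checks["ds_choice_survives_close"] = ds.selected(b, t + 120) == idp.entity_id
    checks["idp_session_gone_after_close"] = b.get("_idp_session", t + 120) is None
    sp_a.access(b, t + 120, credentials=("alice", "s3cret"))       # 2
    b.ip = "198.51.100.7"                                          # client moved network
    sp_b.access(b, t + 180, credentials=("alice", "s3cret"))       # 3
    checks["reauth_on_ip_change"] = idp.password_checks
    sp_c.access(b, t + 180 + IDP_IDLE_TIMEOUT + 1, credentials=("alice", "s3cret"))
    checks["reauth_after_idp_timeout"] = idp.password_checks       # 4
    return checks


if __name__ == "__main__":
    print(run_scenario())
```

Run it and the counters tell the story of slide 21: the password is checked once for the first SP, a second SP is reached with no password at all, closing the browser keeps the DS choice but drops the IdP and SP sessions, and both a client IP change and an idle timeout force a fresh login even while the browser stays open. Note that an SP session created from an assertion outlives the IdP session; only closing the browser or the SP's logout button ends it.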

Slide 22: [Figure: metadata flow. The IdP (Home Org) and the SP (Resource Provider) register their metadata with the federation; the federation distributes it (download) to the DS (Discovery Service), IdPs and SPs.]

Slide 23: The number of contracts can be reduced from N×M to N + M by introducing a uniform policy.
[Figure: without a Trust Framework, each IdP/SP pair needs its own contract (many contracts); with a Trust Framework Provider (TFP), each IdP and each SP signs a single contract with the TFP.]

Slide 24: Federation Metadata
- Signed Info
- IdP Info: IdP-A Info, IdP-B Info, ...
- SP Info: SP-A Info, SP-B Info, ...
Entity Metadata (IdP), e.g. IdP-A: ID of IdP-A = entityID; Certificate; Protocol; Organization Info; ...
Entity Metadata (SP), e.g. SP-A: ID of SP-A = entityID; Certificate; Protocol; Organization Info; ...

Slide 25: [Figure: the Federation holds the Federation Metadata in a Repository used by the DS (Discovery Service); IdP A, IdP B, IdP C and SP A, SP B, SP C each contribute their Entity Metadata.] The reliability of the relying party is confirmed by the signed metadata.
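As an added example of how an SP consumes the federation metadata of slides 24 and 25 (written for this page; not Shibboleth's or GakuNin's code), the block below parses a constructed EntitiesDescriptor, indexes each entity by entityID with its role, signing certificate, endpoints and organization, refuses a file whose validUntil has passed, and accepts an assertion only when its issuer is a registered IdP and its audience is this SP. The entityIDs, endpoints and the placeholder certificate are constructed. It assumes the federation's XML signature on the file has already been verified by an XML-DSig library, which this example does not implement; it only checks that a signature element is present.

```python
"""Reading federation metadata the way an SP uses it (slides 24, 25): index
every entity by entityID, keep its role, signing certificate and endpoints,
refuse metadata past validUntil, and accept an assertion only from a
registered IdP. Added example for this page, not Shibboleth code. The
metadata below is constructed; verifying the federation's XML signature is
assumed to happen beforehand with an XML-DSig library."""
import xml.etree.ElementTree as ET
from datetime import datetime, timezone

NS = {"md": "urn:oasis:names:tc:SAML:2.0:metadata",
      "ds": "http://www.w3.org/2000/09/xmldsig#"}
HTTP_REDIRECT = "urn:oasis:names:tc:SAML:2.0:bindings:HTTP-Redirect"

# Constructed sample: one IdP and one SP under a federation-level signature.
CONSTRUCTED_METADATA = """<?xml version="1.0"?>
<md:EntitiesDescriptor xmlns:md="urn:oasis:names:tc:SAML:2.0:metadata"
    xmlns:ds="http://www.w3.org/2000/09/xmldsig#"
    Name="urn:example:federation" validUntil="2030-01-01T00:00:00Z">
  <ds:Signature><ds:SignedInfo/><ds:SignatureValue>PLACEHOLDER</ds:SignatureValue></ds:Signature>
  <md:EntityDescriptor entityID="https://idp.example.org/idp/shibboleth">
    <md:IDPSSODescriptor protocolSupportEnumeration="urn:oasis:names:tc:SAML:2.0:protocol">
      <md:KeyDescriptor use="signing">
        <ds:KeyInfo><ds:X509Data><ds:X509Certificate>PLACEHOLDER-IDP-CERT</ds:X509Certificate></ds:X509Data></ds:KeyInfo>
      </md:KeyDescriptor>
      <md:SingleSignOnService Binding="urn:oasis:names:tc:SAML:2.0:bindings:HTTP-Redirect"
          Location="https://idp.example.org/idp/profile/SAML2/Redirect/SSO"/>
    </md:IDPSSODescriptor>
    <md:Organization><md:OrganizationName xml:lang="en">Example University</md:OrganizationName></md:Organization>
  </md:EntityDescriptor>
  <md:EntityDescriptor entityID="https://sp.example.org/shibboleth">
    <md:SPSSODescriptor protocolSupportEnumeration="urn:oasis:names:tc:SAML:2.0:protocol">
      <md:AssertionConsumerService Binding="urn:oasis:names:tc:SAML:2.0:bindings:HTTP-POST"
          Location="https://sp.example.org/Shibboleth.sso/SAML2/POST" index="1"/>
    </md:SPSSODescriptor>
  </md:EntityDescriptor>
</md:EntitiesDescriptor>
"""


def _parse_time(iso):
    return datetime.fromisoformat(iso.replace("Z", "+00:00"))


def load_federation(xml_text, now_iso=None):
    """Index the entities of a signed, unexpired EntitiesDescriptor by entityID."""
    now = _parse_time(now_iso) if now_iso else datetime.now(timezone.utc)
    root = ET.fromstring(xml_text)
    if root.find("ds:Signature", NS) is None:
        raise ValueError("unsigned federation metadata")
    valid_until = _parse_time(root.get("validUntil"))
    if now > valid_until:
        raise ValueError(f"metadata expired at {valid_until.isoformat()}")
    entities = {}
    for ed in root.findall("md:EntityDescriptor", NS):
        idp = ed.find("md:IDPSSODescriptor", NS)
        role = idp if idp is not None else ed.find("md:SPSSODescriptor", NS)
        org = ed.find("md:Organization/md:OrganizationName", NS)
        entities[ed.get("entityID")] = {
            "role": "IdP" if idp is not None else "SP",
            "signing_certs": [c.text.strip() for c in role.findall(".//ds:X509Certificate", NS)],
            "endpoints": {e.get("Binding"): e.get("Location") for e in role.iter() if e.get("Location")},
            "organization": org.text if org is not None else None,
        }
    return entities


def accept_assertion(entities, issuer, audience, my_entity_id):
    """SP-side trust check: the issuer must be a registered IdP and the assertion
    must be meant for this SP. Returns the certificates to verify its signature with."""
    entry = entities.get(issuer)
    if entry is None or entry["role"] != "IdP":
        raise PermissionError(f"issuer {issuer} is not a registered IdP")
    if audience != my_entity_id:
        raise PermissionError("assertion addressed to another SP")
    return entry["signing_certs"]


def sso_redirect_target(entities, idp_entity_id):
    """Where the DS/SP sends the browser once the user has chosen this IdP."""
    return entities[idp_entity_id]["endpoints"][HTTP_REDIRECT]


if __name__ == "__main__":
    fed = load_federation(CONSTRUCTED_METADATA)
    for entity_id, info in fed.items():
        print(info["role"], entity_id, info["organization"])
```

The point of the two checks in accept_assertion is the trust model of slide 25: an SP does not decide for itself whom to believe, it believes exactly the IdPs the federation has registered and signed into the metadata, and it uses the certificate from that metadata, not one carried inside the assertion, to verify the assertion's signature.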

Slide 26: [Figure: Shibboleth architecture. IdP side (Tomcat): SSO Profile, AuthN Engine, Username/Password AuthN with an AuthN Form, and Attribute Authority, backed by an AuthN DB and an Attribute DB (LDAP/AD). SP side (Apache / IIS): the Shibboleth Module (mod_shib) with Session Initiator and Assertion Consumer (SAML POST), the Shibboleth Daemon (shibd), and the protected Web Resource; the DS sits between them. The browser uses https on the front channel; the back channel runs between shibd and the IdP Attribute Authority (port numbers: 443, 4443 or 8443; it depends on each SP).]
Access control for the web resource is set in .htaccess (Shib 1.3):

    # .htaccess
    AuthType shibboleth
    ShibRequireSession On
    require valid-user

Slide 27: [Figure: configuration files. Shibboleth IdP: attribute-resolver.xml (LDAP), attribute-filter.xml, relying-party.xml, handler.xml, login.config. Shibboleth SP: shibboleth2.xml, attribute-map.xml, attribute-policy.xml, the metadata Trust BackingFile from the repository, and httpd access control in http.conf and .htaccess; SAML attributes reach the Web App as environment variables.]

Slide 28: [figure only, no text]

Slide 29: Do you prefer to employ distributed ID management?
[Figure: GakuNin provides the Policy, the Metadata and the DS; IdPs A, B, C and SPs α, β, γ connect through it.]

Slide 30: Membership Policy (Guidelines Governing the GakuNin Academic Access Management Federation)
1. Purpose
2. Description of GakuNin
3. Definitions
4. Member Organizations
5. Administrative Organization
6. Secretariat
7. Application for Membership
8. Administrators
9. System Administration Standards
10. Information Protection
11. Expulsion from GakuNin
12. Liability
13. Term of Effect
14. Consultation
15. Miscellaneous Provisions
Example from the UK federation:
1. Definitions
2. Membership
3. Rules which apply to all Members
4. Rules applying to Service Providers
5. Data Protection and Privacy
6. Rules applying to End User Organisations…
7. Disclaimer and Limitation of Liability
8. Audit and Compliance
9. Termination
10. Consequences of Cessation of Membership
11. Changes to Rules
12. Changes to Rules
13. General

Slide 31: Technical Specifications (System Administration Standards for the GakuNin Academic Access Management Federation)
1. SAML Technical Standards
2. Protocol
3. Attribute Information
4. Metadata
5. Discovery Service
6. Federation Support
7. Certificate Use
8. Security
9. Entities for GakuNin Administrative Use
Example from the UK federation:
1. Introduction
2. Trust Fabric
3. Metadata Usage and Extensions
4. Metadata Publication Service
5. Central Discovery Service
6. SAML V2.0 Browser SSO Implementation Profile
7. SAML V2.0 Browser SSO Deployment Profile
8. References

Slide 32: How to build up a federation
1. Define the required architecture
2. Define the minimum policy
3. Start a feasibility study
  - With a test IdP and SP
4. Brush up your architecture and policies
5. Start pilot operation
  - Integrate real services and accounts
6. Brush up your architecture and policies
7. Start practical operation

