Presentation is loading. Please wait.

Presentation is loading. Please wait.

EuroCAMP: Porto An Introduction to Identity and Access Management Borrowed from Keith Hazelton Sr. IT Architect, University of.

Published byCora Howard Modified over 9 years ago

Similar presentations

Presentation on theme: "EuroCAMP: Porto An Introduction to Identity and Access Management Borrowed from Keith Hazelton Sr. IT Architect, University of."— Presentation transcript:

1 EuroCAMP: Porto An Introduction to Identity and Access Management Borrowed from Keith Hazelton (hazelton@doit.wisc.edu) Sr. IT Architect, University of Wisconsin-Madison Ken Klingenstein Director, Internet2 Middleware and Security

2 EuroCAMP: Porto 2 Topics What is Identity Management (IdM)? The IdM Stone Age A better vision for IdM –An aside on the value of affiliation / group / privilege management services Basic IdM functions mapped to open source components Demands on IT and how IdM services help

3 EuroCAMP: Porto 3 Identity and Access Management (IAM) defined What is Identity Management? “Identity management is the set of business processes, and a supporting infrastructure, for the creation, maintenance, and use of digital identities.” The Burton Group (a research firm specializing in IT infrastructure for the enterprise) Identity Management in this sense is often called “Identity and Access Management” (IAM) What problems do Identity and Access Management address?

4 EuroCAMP: Porto 4 IAM is… “Hi! I’m Lisa.” (Identity) “…and here’s my NetID / password to prove it.” (Authentication) “I want to do some E-Reserves reading.” (Authorization : Allowing Lisa to use the services for which she’s authorized) “And I want to change my grade in last semester’s Physics course.” (Authorization  : Preventing her from doing things she’s not supposed to do)

5 EuroCAMP: Porto 5 IAM is also… New hire, Assistant Professor Alice –Department wants to give her an email account before her appointment begins so they can get her off to a running start How does she get into our system and get set up with the accounts and services appropriate to faculty?

6 EuroCAMP: Porto 6 What questions are common to these scenarios? Are the people using these services who they claim to be? Are they a member of our campus community? Have they been given permission? Is their privacy being protected? Policy/process issues lurk nearby

7 EuroCAMP: Porto 7 The IAM Stone Age List of functions: AuthN: Authenticate principals (people, servers) seeking access to a service or resource Log: Track access to services/resources

8 EuroCAMP: Porto 8 The IAM Stone Age Every application for itself in performing these functions User list, credentials, if you’re on the list, you’re in (AuthN is authorization (AuthZ) And some identifiers are assigned nationally, with uncertain value locally

9 EuroCAMP: Porto 9 Vision of a better way to do IAM IAM as a middleware layer at the service of any number of applications Requires an expanded set of basic functions –Reflect: Track changes to institutional data from changes in Systems of Record (SoR) & other IdM components –Join: Establish & maintain person identity across SoR –Credential: issue digital credentials to people in the community –…

10 EuroCAMP: Porto 10 Basic IAM functions mapped to the NMI / MACE components Systems of Record Stdnt HR Other Enterprise Directory Registry LDAP

11 EuroCAMP: Porto 11 Your Digital Identity and The Join The collection of bits of identity information about you in all the relevant IT systems at your institution For any given person in your community, do you know which entry in each system’s data store carry bits of their identity? If more than one system can “create a person record,” you have identity fragmentation

12 EuroCAMP: Porto 12 The pivotal concept of IAM: The Join Identity fragmentation cure #1: The Join Use business logic to –Establish which records correspond to the same person –Maintain that identity join in the face of changes to data in collected systems

13 EuroCAMP: Porto 13 Identity Information Access Some direct from the Enterprise Directory via reflection from SoR Other bits need to be made reachable by identifier crosswalks Registry IDSys A IDSys B IDSys C IDSys D ID 3a104e59fsmith3286443freds864164 8c2f916dabecker145209amyb752731

14 EuroCAMP: Porto 14 Identity Fragmentation Cure #2 When you can’t integrate, federate Federated Identity & Access Management –Rely on the Identity Management infrastructure of one or more institutions or units –To authenticate and pass authorization-related information to service providers or resource hosts –Via institution-to-provider agreements –Facilitated by common membership in a federation (like InCommon) Shibboleth is a way to move the authNZ info between parties

15 EuroCAMP: Porto 15 Basic IAM functions mapped to the NMI / MACE components Systems of Record Enterprise Directory Grouper Signet A-Select, CAS, etc Shibboleth Apps / Resources

16 EuroCAMP: Porto 16 Vision of a better way to do IAM More in the expanded set of basic functions –Mng. Affil.: Manage affiliation and group information –Mng. Priv.: Manage privileges and permissions at system and resource level

17 EuroCAMP: Porto 17 Managing Roles & Privileges Grouper Signet Role-Based Access Control (RBAC) model Users are placed into groups Privileges are assigned to groups Groups can be arranged into hierarchies to effectively bestow privileges Signet manages privileges Grouper manages, well, groups

18 EuroCAMP: Porto 18 Vision of a better way to do IAM More in the expanded set of basic functions –Provision: Push IAM info out to systems and services as required –Relay: Make access control / authorization information available to services and resources at run time –AuthZ: Make the allow deny decision independent of AuthN

19 EuroCAMP: Porto 19 Provisioning Getting identity information where it needs to be For “Apps with Attitude,” this often means exporting reformatted information to them in a form they understand Using either App-provided APIs or tricks to write to their internal store Change happens, so this is an ongoing process

20 EuroCAMP: Porto 20 Two modes of app/IdM integration Domesticated applications: –Provide them the full set of IdM functions Applications with attitude (comes in the box) –Meet them more than halfway by provisioning

21 EuroCAMP: Porto 21 IAM functions ReflectData of interest JoinIdentity across SoR CredentialNetID, other Manage Affil/GroupsAuthZ info Manage PrivilegesMore AuthZ info ProvisionGen. AuthNZ info into app space RelayAuthZ info to app on request AuthenticateIdentity claim Authorizeaccess decision (allow/deny) Logusage for audit, accounting,…

22 EuroCAMP: Porto 22 Alternative packaging of basic IdM Systems of Record Enterprise Directory Directory Plug-ins Kerberos Apps / Resources LDAP

23 EuroCAMP: Porto 23 Alternative packaging of basic IdM functions: Single System of Record as Enterprise Directory Registry LDAP Student -HR Info System

24 EuroCAMP: Porto 24 Single SoR as Enterprise Directory Who “owns” the system? Do they see themselves as running shared infrastructure? Will any “external” populations ever become “internal?” –What if hospital negotiates a deal? Stress-test alternative packaging by thinking through the list of basic IdM functions

25 EuroCAMP: Porto 25 Same IdM functions, different packaging Your IdM infrastructure (existing or planned) may have different boxes & lines But somewhere, somehow this set of IdM functions is getting done Gives us all a way to compare our solutions by looking at various packagings of the IdM functions

26 EuroCAMP: Porto 26 From Construction to Integration Construction – Raw materials into systems Integration –Subsystems into whole systems –Multiple systems into ecosystems We’re all moving from construction to integration Let’s review state of middleware systems’ readiness for integration

27 EuroCAMP: Porto 27 IAM and Application Integration

28 EuroCAMP: Porto 28 Middleware -- Application Integration ERPs SAKAI uPortal …

29 EuroCAMP: Porto 29 As for Lisa Sez who? –What Lisa’s username and password are? –What she should be able to do? –What she should be prevented from doing? –Scaling to the other 40,000 just like her on campus

30 EuroCAMP: Porto 30 As for Professor Alice What accounts and services should faculty members be given? At what point in the hiring process should these be activated? Methods need to scale to 20,000 faculty and staff In all of these, a full IAM infrastructure would provide the technical part of a solution

31 EuroCAMP: Porto 31 Policy issues re “credential” function: NetID When to assign, activate (as early as possible) Who gets them? Applicants? Prospects? “Guest” NetIDs (temporary, identity-less) Reassignment (never; except…) Who can handle them? Argument for WebISO.

32 EuroCAMP: Porto 32 Inter-institutional integration: the transport function Federations Peering of federations –Levels of assurance –Attribute mapping –WAYF functionality Virtual Organization (VOs)

33 EuroCAMP: Porto 33 Alternatives to IP Address Based Access Restriction 1.User-based access restriction A.Each service provider manages credentials for all of its users B.One big credential database of all users used by all service providers C.Each user has a “home organization” whose credential database can, by magic, be used by each service provider 2.???

34 EuroCAMP: Porto 34 Federated Identities “Federated identities” is option C on previous slide –A hierarchical approach to decompose the problem into manageable pieces –Analogous to the problem that IAM addresses, and rests upon IAM infrastructure “Federating technology” is the “magic” part of option C “Identity federation” (noun) is a set of service providers, identity providers, and other context in which the magic happens

35 EuroCAMP: Porto 35 Federating Technologies SAML implementations –Security Assertion Markup Language –Shibboleth –Bodington/Guanxi –AthensIM –SourceID –SAMUEL –MS ADFS –Other proprietary Liberty Identity Federation implementations –SourceID –Lasso –Proprietary Others –MS Inter-Forest Trust

36 EuroCAMP: Porto 36 IAM functions & big pictures Reflect Join Credential Provide/run-time (AuthN) Provide/provision AuthZ Manage Grps Manage Privs Log

37 EuroCAMP: Porto 37 A closer look at managing affiliations, groups and privileges How does this help the harried IT staff?

38 EuroCAMP: Porto 38 What is IT being asked to do? Automatic creation and deletion of computer accounts Personnel records access for legal compliance One stop for university services (portal) integrated with course management systems

39 EuroCAMP: Porto 39 What else is IT being asked to do? Student record access for life Submission and/or maintenance of information online Privacy protection

40 EuroCAMP: Porto 40 More on the To Do list Stay in compliance with a growing list of policy mandates Increase the level of security protections in the face of a steady stream of new threats

41 EuroCAMP: Porto 41 More on the To Do list Serve new populations (alumni, applicants,…) More requests for new services and new combinations of services Increased interest in eBusiness There is an Identity Management aspect to each and every one of these items

42 EuroCAMP: Porto 42 How full IdM layer helps Improves scalability: IdM process automation Reduces complexity of IT ecosystem –Complexity as friction (wasted resources) Improved user experience Functional specialization: App developer can concentrate on app-specific functionality

Download ppt "EuroCAMP: Porto An Introduction to Identity and Access Management Borrowed from Keith Hazelton Sr. IT Architect, University of."

Similar presentations

GT 4 Security Goals & Plans Sam Meder

GT 4 Security Goals & Plans Sam Meder
Identity Management at the University of Florida Mike Conlon, Director of Data Infrastructure University of Florida, Gainesville, Florida Background Identity.

Identity Management at the University of Florida Mike Conlon, Director of Data Infrastructure University of Florida, Gainesville, Florida Background Identity.
NSF Middleware Initiative: Managing Identity on Campus Michael R Gettes, Duke University Tom Barton, University of Chicago.

NSF Middleware Initiative: Managing Identity on Campus Michael R Gettes, Duke University Tom Barton, University of Chicago.
CAMP Med Identity and Access Management: Terms and Concepts Keith Hazelton Sr. IT Architect, University of Wisconsin-Madison Internet2 MACE CAMP Med, Tempe,

CAMP Med Identity and Access Management: Terms and Concepts Keith Hazelton Sr. IT Architect, University of Wisconsin-Madison Internet2 MACE CAMP Med, Tempe,
Starting Your Roadmap: Concepts and Terms Paul Caskey, The University of Texas System Copyright Paul Caskey 2007. This work is the intellectual property.

Starting Your Roadmap: Concepts and Terms Paul Caskey, The University of Texas System Copyright Paul Caskey This work is the intellectual property.
Technical Issues with Establishing Levels of Assurance Zephyr McLaughlin Lead, Security Middleware Computing & Communications University of Washington.

Technical Issues with Establishing Levels of Assurance Zephyr McLaughlin Lead, Security Middleware Computing & Communications University of Washington.
Practices from the Field NSF Middleware Initiative: Identity and Privilege Management Model Michael Gettes, Duke University Jim Phelps, UW-Madison EDUCAUSE.

Practices from the Field NSF Middleware Initiative: Identity and Privilege Management Model Michael Gettes, Duke University Jim Phelps, UW-Madison EDUCAUSE.
Leveraging Campus Directories: Lightweight Authorization and Group Management Keith Hazelton University of Wisconsin-Madison.

Leveraging Campus Directories: Lightweight Authorization and Group Management Keith Hazelton University of Wisconsin-Madison.
Beispielbild Shibboleth, a potential security framework for EDIT Lutz Suhrbier AG Netzbasierte Informationssysteme (http://www.ag-nbi.de)http://www.ag-nbi.de.

Beispielbild Shibboleth, a potential security framework for EDIT Lutz Suhrbier AG Netzbasierte Informationssysteme (
Internet2 MACE Identity and Access Management (IAM) Projects integ-tb-kh-02.ppt Keith Hazelton, U Wisconsin With help.

Internet2 MACE Identity and Access Management (IAM) Projects integ-tb-kh-02.ppt Keith Hazelton, U Wisconsin With help.
Identity & Access Management DCS 861 Team2 Kirk M. Anne Carolyn Sher-Decaustis Kevin Kidder Joe Massi John Stewart.

Identity & Access Management DCS 861 Team2 Kirk M. Anne Carolyn Sher-Decaustis Kevin Kidder Joe Massi John Stewart.
Peter Deutsch Director, I&IT Systems July 12, 2005

Peter Deutsch Director, I&IT Systems July 12, 2005
Identity and Access Management IAM. 2 Definition Identity and Access Management provide the following: – Mechanisms for identifying, creating, updating.

Identity and Access Management IAM. 2 Definition Identity and Access Management provide the following: – Mechanisms for identifying, creating, updating.
Identity and Access Management IAM A Preview. 2 Goal To design and implement an identity and access management (IAM) middleware infrastructure that –

Identity and Access Management IAM A Preview. 2 Goal To design and implement an identity and access management (IAM) middleware infrastructure that –
Introduction to Grouper. Open source, community-driven project of the Internet2 Middleware Initiative Initial release v0.5 in December 2004 Grouper originally.

Introduction to Grouper. Open source, community-driven project of the Internet2 Middleware Initiative Initial release v0.5 in December 2004 Grouper originally.
CAMP Med Mapping HIPAA to the Middleware Layer Sandra Senti Biological Sciences Division University of Chicago C opyright Sandra Senti,

CAMP Med Mapping HIPAA to the Middleware Layer Sandra Senti Biological Sciences Division University of Chicago C opyright Sandra Senti,
Credential Provider Operational Practices Statement CAMP Shibboleth June 29, 2004 David Wasley.

Credential Provider Operational Practices Statement CAMP Shibboleth June 29, 2004 David Wasley.
Welcome to CAMP Identity Management Integration Workshop Ann West NMI-EDIT EDUCAUSE/Internet2.

Welcome to CAMP Identity Management Integration Workshop Ann West NMI-EDIT EDUCAUSE/Internet2.
A Model for Enterprise Group and Affiliation Management RL “Bob” Morgan University of Washington CAMP, June 2005.

A Model for Enterprise Group and Affiliation Management RL “Bob” Morgan University of Washington CAMP, June 2005.
Directories and PKI Keith Hazelton Senior IT Architect, UW-Madison PKI Summit, Snowmass, 9-Aug-01.

Directories and PKI Keith Hazelton Senior IT Architect, UW-Madison PKI Summit, Snowmass, 9-Aug-01.

Similar presentations

Ads by Google