Practices from the Field NSF Middleware Initiative: Identity and Privilege Management Model Michael Gettes, Duke University Jim Phelps, UW-Madison EDUCAUSE.

Slide 1: Practices from the Field
NSF Middleware Initiative: Identity and Privilege Management Model
Michael Gettes, Duke University
Jim Phelps, UW-Madison
EDUCAUSE, October 2005

Slide 2: Topics
- What is Identity and Access Management (IAM)?
- An institutional view of IAM
  – Roles, privileges and authentication
- Basic IAM functions mapped to NMI/MACE components
- Open source solutions coming to a store near you
- Outside forces
- Q & A (we take questions as we go also)

Slide 3: IAM and Application Integration

Slide 4: IAM is…
- “Hi! I’m Lisa.” (Identity)
- “…and here’s my NetID / password to prove it.” (Authentication)
- “I want to do some E-Reserves reading.” (Authorization: allowing Lisa to use the services for which she’s authorized)
- “And I want to change my grade in last semester’s Physics course.” (Authorization: preventing her from doing things she’s not supposed to do)

Slide 5: What questions are common to these scenarios?
- Are the people using these services who they claim to be?
- Are they a member of our campus community?
- Have they been given permission?
- Is their privacy being protected?
- Policy/process issues lurk nearby

Slide 6: Vision of a better way to do IAM
- Functions: Reflect, Join, Credential, Manage Affiliations/Groups, Manage Privileges, Provision, Relay, Authenticate, Authorize, Log
- IAM as a middleware layer at the service of any number of applications
- Requires an expanded set of basic functions

Slide 7: Basic IAM functions
(Diagram labels: Systems of Record: Student, HR, Other; Registry; Enterprise Directory: LDAP)

Slide 8: Role- and Privilege-based AuthZ
- Privileges are what you can do
- Roles are who you are, which can be used for policy-based privileges
- Both are viable and complementary for authorization

Slide 9: Privilege Management Feature Summary
An example privilege, broken into its parts:
- grantor: By authority of the Dean
- role (group): principal investigators
- prerequisite: who have completed training
- function: can approve purchases
- scope: in the School of Medicine
- limits: for research projects up to $100,000
- condition: until January 1, 2006

Slide 10: Basic IAM functions mapped to the NMI / MACE components
(Diagram labels: Systems of Record; Enterprise Directory)

Slide 11: The Environment
(Diagram labels: Systems of Record; Enterprise Directory; Apps / Resources)

Slide 12: How a full IdM layer helps
- Improves scalability: IdM process automation
- Improves agility: keeping up with demands
- Reduces complexity of the IT ecosystem
  – Complexity as friction (wasted resources)
- Improved user experience
- Functional specialization: app developers can concentrate on app-specific functionality

Slide 13: The Environment
(Diagram labels: Systems of Record; Enterprise Directory; Apps / Resources; Grouper; Signet; Shibboleth)

Slide 14: Managing Roles & Privileges: The Internet2 way
- Grouper and Signet
- Role-Based Access Control (RBAC) model
  – Users are placed into groups
  – Privileges are assigned to groups
  – Groups can be arranged into hierarchies to effectively bestow privileges
- Signet manages privileges
- Grouper manages, well, groups
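As an added illustration (not code from the presentation, nor from Grouper or Signet), the slide 9 privilege and the slide 14 RBAC model expressed as a small policy check: group membership is resolved through a hierarchy, and a privilege is granted only when role, prerequisite, function, scope, limit and condition all match. The group names, users and helper functions are constructed for the example.

```python
from dataclasses import dataclass
from datetime import date
from typing import Optional

# Constructed group hierarchy (Grouper-style): child group -> parent groups.
# Membership in a child implies membership in every ancestor group.
GROUP_PARENTS = {
    "som:pi": ["som:faculty"],        # School of Medicine principal investigators
    "som:faculty": ["univ:employees"],
    "univ:employees": [],
}
# Constructed direct memberships: user -> groups the user was placed into.
MEMBERS = {
    "lisa": {"som:pi", "training:purchasing"},   # PI who completed training
    "carol": {"som:pi"},                         # PI without the training
    "bob": {"som:faculty"},                      # faculty, not a PI
}

def effective_groups(user):
    """Direct memberships plus every ancestor group, found by walking the hierarchy."""
    seen, todo = set(), list(MEMBERS.get(user, ()))
    while todo:
        g = todo.pop()
        if g not in seen:
            seen.add(g)
            todo.extend(GROUP_PARENTS.get(g, []))
    return seen

@dataclass
class Privilege:
    """Signet-style privilege: one field per annotated part of the slide 9 example."""
    grantor: str                    # "By authority of the Dean"
    role: str                       # group that holds the privilege
    prerequisite: Optional[str]     # group the holder must also belong to (training)
    function: str                   # "can approve purchases"
    scope: str                      # "in the School of Medicine"
    limit: float                    # "up to $100,000"
    expires: date                   # "until January 1, 2006" (condition)

PRIVILEGES = [Privilege("dean", "som:pi", "training:purchasing",
                        "approve_purchase", "som", 100_000, date(2006, 1, 1))]

def authorize(user, function, scope, amount, today_iso):
    """Allow only if some privilege matches on every part; deny is the default."""
    groups, today = effective_groups(user), date.fromisoformat(today_iso)
    for p in PRIVILEGES:
        if (p.function == function and p.scope == scope and p.role in groups
                and (p.prerequisite is None or p.prerequisite in groups)
                and amount <= p.limit and today < p.expires):
            return True
    return False
```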

Slide 15: Grouper
- Grouper project of Internet2 MACE
  – Infrastructure at University of Chicago
  – User interface at Bristol University in the UK
  – $upport from NSF Middleware Initiative (NMI)
- http://middleware.internet2.edu/dir/groups

Slide 16: Signet
- Project Signet of Internet2 MACE
  – Development based at Stanford
  – $upport from NSF Middleware Initiative
- http://middleware.internet2.edu/signet

Slide 17: IAM functions
- Reflect: data of interest
- Join: identity across SoR
- Credential: NetID, other
- Manage Affil/Groups: AuthZ info
- Manage Privileges: more AuthZ info
- Provision: generated AuthN/AuthZ info into app space
- Relay: AuthZ info to app on request
- Authenticate: identity claim
- Authorize: access decision (allow/deny)
- Log: usage for audit, accounting, …

Slide 18: Terminology
- CSP (Credential Service Provider): a trusted entity issuing electronic credentials to subscribers (aka Identity Provider)
- RA (Registration Authority): vouches for the identity of a subscriber to a CSP
- Identity Proofing: process by which CSP and RA uniquely identify a person/entity
- RP (Relying Party): an entity relying upon the credentials issued by a CSP (aka Service Provider)
- LoA (Level of Assurance): classification of ID proofing suitable for electronic use to control access to information

Slide 19: What is a Federation?
A collection of organizations, each having implemented some form of identity management, where Credential Service Providers (CSPs, e.g. universities) and Service Providers (SPs, e.g. content providers) agree to “rules of engagement” (policy and attributes) using federating software (Shibboleth, SAML, PKI).

Slide 20: What is a Federation?
- Sounds simple? It can be. It can be made really complex, really fast.
- See www.nmi-edit.org for more info
- CSPs and SPs retain control over their environments (identity data and access control)
- www.InCommonFederation.org
  – Approx. 25 participants, launched 4/2005
- Inqueue.internet2.edu
  – Testing/playground for InCommon
  – >140 participants and growing

Slide 21: Shibboleth and Federation
- A note from our sponsors: Internet2 and NSF Middleware Initiative
- It’s real, uses SAML
- Open source, freely available
- Takes between 3 hours and 3 years to install, depending on the IdM infrastructure
- In production at various schools (Duke!)
  – For internal apps & external university vendors
- shibboleth.internet2.edu

Slide 22: Inter-institutional integration
- Virtual Organizations (VOs)
  – GridShib development to enhance VOs working with institutional identity management systems
- Federations
- Federal E-Authentication Initiative
- League of Federations
  – The Interfederation Interoperability Working Group (IIWG). Yes, it’s real

Slide 23: Outside Forces…
- Homeland Security Presidential Directive #12
  – Policy for a Common Identification Standard for Federal Employees and Contractors
  – States there will be mandatory, government-wide standards for secure authentication (not just electronic)
- OMB E-Authentication Guidance M-04-04
- NIST Special Publication 800-63 (Electronic Authentication Guideline)
  – Defines 4 Levels of Assurance for E-Authentication. Impacts credentialing.
- Federal E-Authentication Initiative
- *** Credential Assessment Framework

Slide 24: www.cio.gov/eauthentication
The US Government’s activity to implement HSPD-12, based on NIST SP 800-63, to manage access to at least 24 major areas of service within the USG. It will utilize technologies based on SAML and PKI/X.509 (Shibboleth, Bridge Certification Authority and hierarchical PKI models, other technologies as appropriate).

Slide 25: Credential Assessment Framework (CAF)
- Processes to assess the efficacy of a CSP.
- We, institutions of Higher Education, can all be seen as CSPs as well as Relying Parties for the services we offer ourselves and each other.
- CAF is really only concerned with CSPs used by the Federal eAuth activities, but there are lots of interconnects between HE and the Federal government, so it impacts us in many ways. Hence, various projects are active.

Slide 26: One key resource to help you start building the IdM infrastructure
- Enterprise Directory Implementation Roadmap: http://www.nmi-edit.org/roadmap/directories.html
- Parallel project planning paths:
  – Technology/Architecture
  – Policy/Management

Slide 27: The Environment
(Diagram labels: Systems of Record; Enterprise Directory; Apps / Resources; Grouper; Signet; Shibboleth)

Slide 28: Questions?

Slide 29: (no transcribed text)

Slide 30: Responding to requests: A new approach at UW-Madison
- Campus leaders are defining new ways of channeling and responding to requests
- Groups like the AuthNZ Coordinating Team (ACT) anticipate policy issues and sort through the concerns
- They route findings and recommendations to the CIO office
- The CIO office takes the issue to an appropriate campus body*

Slide 31: (no transcribed text)

Slide 32: Responding to requests: A new approach
The Identity Management Leadership Group (IMLG) will provide leadership on IdM issues when responding to:
- Submission and/or maintenance of information online
- Privacy protection
- Increased compliance demands
- Increased security threats

Slide 33: Why a new group?
- Technology is now more robust and services are considered foundational to the institution
- Broader scope, e.g., new populations
- New policy issues, and more of them
- Need for flexibility and quick turn-around time
