
New Developments in Authentication and Access Management Alan Robiette JISC Development Group JISC-NSF-DLI2 Meeting, 2002.


Slide 1: New Developments in Authentication and Access Management, Alan Robiette, JISC Development Group, JISC-NSF-DLI2 Meeting, 2002

Slide 2: Outline (24 June 2002, JISC-NSF-DLI2 Projects Meeting)
- Overview and terminology
- Authentication – problems and progress
- Authorisation – problems and progress
- Summary and conclusions

Slide 3: The High-Level Problem
- We need national-scale services for:
  - Authentication (linking people to electronic IDs)
  - Authorisation (linking IDs to privileges)
  - Profiling (linking IDs to personal preferences)
  - Accounting (in the sense of tracking and recording usage, whether or not for actual billing)
- All in an interoperable framework which can be realistically implemented by our institutions
- Not to mention all our third-party suppliers …

Slide 4: Authentication
- On a local scale, largely a solved problem
  - Various solutions exist, some with single sign-on (Internet2 promoting WebISO for web resources)
- Digital certificates are on the increase
  - Not least because Grid environments require them
- Public-key technology will itself evolve
  - XML-based schemes are likely to emerge, e.g. XKMS, Web Services Security

Slide 5: Authentication Issues on a National Scale
- Naming and name-space management
  - How is uniqueness assured nationally?
  - What happens in the case of multiple affiliations?
- Location of the authentication process
  - Universally agreed that this is best carried out at and by the institution itself
- Should real IDs be generally visible to off-campus providers?
  - Trade-offs between privacy, convenience and accountability

Slide 6: Authorisation Issues
- Determining an individual’s privileges
  - What attributes (roles) is it useful to consider?
  - Which are generic and which application-specific?
  - How many could be defined sector-wide?
- Location of the access control decision
  - At the resource itself (greatest provider control)?
  - At the institution (i.e. devolution of trust)?
  - At some intermediate point (e.g. as in the present case in the UK, at the Athens server)?

Slide 7: Where Should Control Be Applied?
- Logically at the resource itself
  - The resource owner should determine who gets access and who does not; but this may require more user information to be disclosed
- For electronic information, this is often delegated (e.g. on the basis of a contract)
  - A better model for a bibliographic database than for a supercomputer? Or even a telescope?
- Where third-party services are involved, are there legal issues to consider?

Slide 8: Where Is the Complexity Felt?
- Do we best achieve interoperability by having the same software interface at:
  - All service providers’ servers?
  - All campuses?
  - All users’ local environments (wherever they are)?
  - More than one of these?
- And where the complexity ends up, so do most of the costs …

Slide 9: Other Concerns
- The single sign-on question: how important is “seamlessness”?
- The portal problem: to address this properly is quite hard
- Standards and interoperability: there aren’t many, especially for authorisation
- The international scene: a system for JISC services is all very well, but what about integrating resources from the wider world?

Slide 10: Current UK Developments
- EduServ’s development plan for Athens
  - Single sign-on introduced Spring 2002
  - Distributed authentication will be trialled this summer
- JISC call for projects issued Summer 2002, with the objective of exploring a range of emerging technologies
- JISC is actively working with Internet2-MACE in the US and TERENA in Europe

Slide 11: Authentication Goals
- To investigate practical and management issues in embedding X.509 certificate regimes in institutions of varying kinds
  - With some particular technology options to be explicitly specified for piloting
- To investigate “mixed economy” approaches in which X.509 certificates are used alongside (say) Athens IDs and passwords

Slide 12: Authorisation Goals
- To explore a range of authorisation schemes and assess their applicability in both Grid and Information Environment scenarios
- To include trialling of (at least):
  - Globus CAS (Globus Project)
  - Akenti (Lawrence Berkeley Lab)
  - PAPI (Spanish academic and research network)
- NB: evaluation of Shibboleth (Internet2) already planned

Slide 13: Developments Elsewhere (1) – Shibboleth (Internet2)
- Devolves authentication and attribute assertion to campuses
- Resource owner requests attributes from campus and makes decisions based on the response
- Model allows both campus and user control over attribute release (strong emphasis on privacy)
- Open source reference implementation due to be released Autumn 2002
- Publishers getting involved in trial programme
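The Shibboleth-style exchange on slide 13, together with the questions on slides 5 and 6 about where the access decision sits and whether real IDs must be disclosed, is illustrated by the following added Python sketch; it is not code from the presentation or from the Shibboleth project. The campus directory, the two release policies and the provider names are constructed for the example.

```python
# Constructed data: a campus (identity provider) directory holding real identities and attributes.
CAMPUS_DIRECTORY = {
    "alice": {"affiliation": "staff", "department": "physics", "mail": "alice@campus.example"},
    "bob": {"affiliation": "student", "department": "history", "mail": "bob@campus.example"},
}

# Campus release policy: attributes the institution is willing to assert to each resource provider.
CAMPUS_RELEASE_POLICY = {
    "journal.example": {"affiliation"},
    "telescope.example": {"affiliation", "department", "mail"},
}

# User release preferences: attributes an individual user withholds from a given provider.
USER_WITHHOLD = {
    "alice": {"telescope.example": {"mail"}},
}

# Resource-side rules: each provider decides on the released attributes only, never on the login name.
RESOURCE_RULES = {
    "journal.example": lambda a: a.get("affiliation") in {"staff", "student"},
    "telescope.example": lambda a: (a.get("affiliation") == "staff"
                                    and a.get("department") == "physics"
                                    and "mail" in a),  # contact address required for accountability
}

def release_attributes(user, provider, requested):
    """Campus attribute authority: return the requested attributes that campus policy permits
    for this provider and that the user has not withheld. The real identity is never released."""
    allowed = CAMPUS_RELEASE_POLICY.get(provider, set())
    withheld = USER_WITHHOLD.get(user, {}).get(provider, set())
    attrs = CAMPUS_DIRECTORY[user]
    return {k: attrs[k] for k in requested if k in attrs and k in allowed and k not in withheld}

def access_request(user, provider, requested):
    """One exchange: the campus has authenticated the user (assumed done), the provider asks the
    campus for attributes, the campus answers under both policies, and the provider decides.
    Returns (granted, released_attributes) so the trade-off between privacy and access is visible."""
    released = release_attributes(user, provider, requested)
    granted = RESOURCE_RULES[provider](released)
    return granted, released

if __name__ == "__main__":
    print(access_request("alice", "journal.example", ["affiliation", "mail"]))
    print(access_request("bob", "telescope.example", ["affiliation", "department", "mail"]))
    # alice withholds her mail address from the telescope service, so its rule cannot be satisfied
    print(access_request("alice", "telescope.example", ["affiliation", "department", "mail"]))
```

The third call shows the slide 5 trade-off directly: the user's privacy choice is honoured by the campus, and the resource, which demanded an accountable contact address, refuses.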

Slide 14: Developments Elsewhere (2) – PAPI (Spanish national network)
- Distributed architecture: authentication and authorisation both carried out at campus (i.e. campuses have to be trusted by resource owners)
- Multi-tier architecture – easy to interface to existing publishers’ services
- Open source and in use in a number of sites/consortia in Spain, including some publisher involvement

Slide 15: PAPI Architecture
- [figure] Basic PAPI architecture with PoA only

Slide 16: Is a Common View Emerging?
- What is clearly needed is a single, widely accepted, vendor-independent scheme
- At first sight the different projects (PAPI, Shibboleth, AthensNG) look very distinct
- However they share many components and a common architecture appears feasible
  - PAPI plans to investigate adding support for Shibboleth resource providers
- Proprietary nature of Athens remains problematic

Slide 17: And What About the Grid?
- Currently the Grid community’s problems appear more complex
- Grid middleware relies heavily on X.509 identity certificates, which are far from universal otherwise
- Even in the longer term, it may not be possible to standardise on one single Grid authorisation solution
- But there may be analogies with other relatively complex problems, e.g. medical middleware

Slide 18: Conclusions
- Authorisation in particular remains a tough problem
- But some of the emerging solutions look promising, for quite large sets of commonly encountered applications
- And the extent of international cooperation in this area is also encouraging!
