Presentation is loading. Please wait.

Presentation is loading. Please wait.

Implementing Federated Identity Management across a Multi-campus Statewide System: The Texas Experience William A. Weems Assistant Vice President Academic.

Published byDevin Ortega Modified over 11 years ago

Similar presentations

Presentation on theme: "Implementing Federated Identity Management across a Multi-campus Statewide System: The Texas Experience William A. Weems Assistant Vice President Academic."— Presentation transcript:

1 Implementing Federated Identity Management across a Multi-campus Statewide System: The Texas Experience William A. Weems Assistant Vice President Academic Technology Associate Dean Information Technology Medical School U. Texas Health Science Center at Houston

2 BRIITE 20071004 2 Camelot in Cyberspace Everyone has a single authentication credential Permits authentication of ones physical identity by any application to which it is presented. If approved by the credentialed individual or required by law, the application may then request specific personal attributes from trusted sources of authorities. The application utilizes the acquired personal attributes to make authorization decisions, activate additional workflow, create digital signatures, evaluate digital signatures, etc.

3 BRIITE 20071004 3 An authentication credential when presented to a relying party: 1.can only be activated by the certified person, 2.positively identifies the physical claimant, 3.positively identifies the certifying authority (CA) – i.e. the identity provider (IdP) 4.provides a certified unique identifier issued to the vetted individual and registered with the CA, and 5.asserts a defined level of assurance (LOA) that the credential is presentable only by the person it authenticates.

4 Concepts of identity vary widely, and the word is often imprecisely used. Within the context of Identity Management, there are two types of identity; and, they relate to authentication and authorization. What is Identity?

5 Two Kinds of Identity Physical Identity - which is unique to only one person or entity. (Its certification is the responsibility of a certifying/credentialing authority) –Facial picture, –Fingerprints –Retina Scan Identity Attributes – are a time-varying set of attributes associated with each unique individual. –Common name, –Address, –Institutional affiliations - e.g. faculty, student, staff, contractor, –Specific group memberships, –Roles, –Etc.

6

7 Identity Provider (IdP) uth.tmc.edu Person IdP Obtains Physical Characteristics Identity Vetting & Credentialing Authentication Identifier Permanently Bound Assigns Everlasting Identifier Digital Credential Issues Digital Credential Person Only Activation Permanent Identity Database

8 Identity Provider (IdP) uth.tmc.edu PersonIdentifierDigital Credential Permanently Bound Assigns Everlasting Identifier Issues Digital Credential IdP Obtains Physical Characteristics Person Only Activation Using Network Username Password Identity Vetting & Credentialing UTHSC-H Username/Password Authentication Permanent Identity Database ??????? ?

9 Identity Provider (IdP) uth.tmc.edu PersonIdentifierDigital Credential Permanently Bound Assigns Everlasting Identifier Issues Digital Credential IdP Obtains Physical Characteristics Person Only Activation Identity Vetting & Credentialing UTHSC-H Two Factor Authentication Permanent Identity Database ? ?

10 Ideally, individuals would each like a single digital credential that can be securely used to authenticate his or her identity anytime authentication of identity is required to secure any transaction.

11 UT Institution A UTTouch e-Learning Grid Computing = Authentication of Some Kind= Authorization = User Password ???

12 UT Institution A UT Institution B UTTouch Compliance Training e-Learning Library Grid Computing = Authentication of Some Kine= Authorization = User Password ??? Non-Federated Identity Management Clair Goldsmith, Ph.D. UT System

13 UTTouch Compliance Training e-Learning Library Grid Computing = Credentialing / Authentication= Authorization = User Credential Federated Identity Management Clair Goldsmith, Ph.D. UT System UT System Federation UT Institution A UT Institution B

14 Today, most organizations and communities of interest recognize that IdM systems and their associated policies and procedures are a necessity. However, nearly all IdM projects currently utilize policies and procedures that are applicable only to a single enterprise or community of interest.

15 Federal E-Authentication Initiative http://www.cio.gov/eauthentication/ http://www.cio.gov/eauthentication/ Levels of assurance (Different Requirements) –Level 1 – e.g. no identity vetting –Level 2 - e.g. specific identity vetting requirements –Level 3 – e.g. cryptographic tokens required –Level 4 – e.g. cryptographic hard tokens required Credential Assessment Framework Suite (CAF) Federal Bridge Certification Authority (FBCA) –http://www.cio.gov/fbca/http://www.cio.gov/fbca/ –The FBCA is an information system that facilitates an entity accepting certificates issued by another entity for a transaction.

16 UT Federation Strategic Authentication Goals Two types of authentication credentials –Single university ID (UID) and password (LOA 2 ) –Public Key Digital ID on Token (two-factor authentication using public/private keys) (LOA 3 => 4) Digital Signatures –Authenticates senders –Guarantees messages are unaltered, i.e. message integrity –Provides for non-repudiation –Legal signature Encryption of email and other documents Highly Secure Access Control Potential for inherent global trust

17 Some Core IdM Concepts 1.Any time the same certified authentication credential is presented, relying parties can assume at some level of trust that the claimant is always the same physical person. 2.An authentication credential can be used to initially provision a system. 3.Once the credential is accepted, the relying party can, if so privileged, obtain certain identity attributes of a claimant from certified source(s) of authority. 4.Attribute exchange is determined by attribute release policies (ARPs) and attribute acceptance policies (AAPs).

18

19 Source of Authority (SOA) Responsibilities Identifying an individual, Maintaining the appropriate records that define a person's affiliations/ attributes, Providing others with information about the specifics of affiliation(s) and, Determining if an affiliation/attribute is currently active or inactive An organizational entity officially responsible for identifying individuals having explicitly defined affiliations/attributes within an enterprise constitutes a source of authority (SOA). The SOA is responsible for

20 Identifiers & Privacy 1.Identifiers should NEVER be used as authenticators! 2.Personal attributes should NEVER be divulged to unapproved entities. 3.Collaboration requires that entities have identifiers. 4.eduPersonTargetedID: A persistent, non-reassigned, privacy preserving identifier for a principal shared between a pair of coordinating entities. 5.What to do when multiple entities must collectively know that they are considering and/or interacting with the same person?

21 BRIITE 20071004 21 UT System Identity Management Federation Established September 2006 Operates Under Authority of the UT Board of Reagents UT IdM Federation Board of Appointed Members Policy and Procedure Federation Documents Current Membership the 16 U. Texas Institutions –9 Academic Institutions –6 Health Institutions –U.T. System > 40 Federated Applications Operational An Employee Benefits Application for Use By All employees under development

22 UT System IdM Federation: Governance © Clair Goldsmith

23 BRIITE 20071004 23 Governance: Issues to Ponder The Technical implementation aspects of Federation can get way ahead of Policy and Governance Governance entangled with power / autonomy conflicts Priorities vary by institution Conventions may be seen as dictates Managing trust relationships is complex enough when dealing with institutions within the same system (among family.) Complexity increases as diversity of membership increases © Clair Goldsmith

24 BRIITE 20071004 24 UT System IdM Federation Foundation Documents https://idm.utsystem.edu/utfed/ https://idm.utsystem.edu/utfed/ 1.Federation Charter 2.Membership Agreement 3.Operating Practices and Procedures 4.Membership Operating Practices (MOP) 5.Fee Schedule 6.Common Identity Attributes

25 References 1.InCommon Federation a.http://www.incommon.org/http://www.incommon.org/ 2.UC Trust: The University of California Identity Management Federation a.http://www.ucop.edu/irc/itlc/uctrust/http://www.ucop.edu/irc/itlc/uctrust/ 3.U. Texas System Identity Management Federation a.https://idm.utsystem.edu/utfed/https://idm.utsystem.edu/utfed/ 4.SAFE: Signature and Authentication For Everyone a.http://www.safe-biopharma.org/http://www.safe-biopharma.org/

Download ppt "Implementing Federated Identity Management across a Multi-campus Statewide System: The Texas Experience William A. Weems Assistant Vice President Academic."

Similar presentations

Open Grid Forum 19 January 31, 2007 Chapel Hill, NC Stephen Langella Ohio State University Grid Authentication and Authorization with.

Open Grid Forum 19 January 31, 2007 Chapel Hill, NC Stephen Langella Ohio State University Grid Authentication and Authorization with.
GT 4 Security Goals & Plans Sam Meder

GT 4 Security Goals & Plans Sam Meder
Appropriate Access InCommon Identity Assurance Profiles David L. Wasley Campus Architecture and Middleware Planning workshop February 2008.

Appropriate Access InCommon Identity Assurance Profiles David L. Wasley Campus Architecture and Middleware Planning workshop February 2008.
Public Key Infrastructure A Quick Look Inside PKI Technology Investigation Center 3/27/2002.

Public Key Infrastructure A Quick Look Inside PKI Technology Investigation Center 3/27/2002.
Paul Caskey Technology Architect June 21, 2007 The University of Texas System Federated Identity Management Initiative https://idm.utsystem.edu/downloads/APAN-UTsys-June07.ppt.

Paul Caskey Technology Architect June 21, 2007 The University of Texas System Federated Identity Management Initiative
The Need for Trusted Credentials Information Assurance in Cyberspace Mary Mitchell Deputy Associate Administrator Office of Electronic Government & Technology.

The Need for Trusted Credentials Information Assurance in Cyberspace Mary Mitchell Deputy Associate Administrator Office of Electronic Government & Technology.
1 The Challenges of Creating an Identity Management Infrastructure for the University of California David Walker Karl Heins Office of the President University.

1 The Challenges of Creating an Identity Management Infrastructure for the University of California David Walker Karl Heins Office of the President University.
Identity Management at the University of Florida Mike Conlon, Director of Data Infrastructure University of Florida, Gainesville, Florida Background Identity.

Identity Management at the University of Florida Mike Conlon, Director of Data Infrastructure University of Florida, Gainesville, Florida Background Identity.
TFTM 01-06 Interim Trust Mark/Listing Approach Paper Discussion Deck TFTM Committee IDESG Plenary Meeting January 14, 2014 1-14-2014IDESG TFTM Committee1.

TFTM Interim Trust Mark/Listing Approach Paper Discussion Deck TFTM Committee IDESG Plenary Meeting January 14, IDESG TFTM Committee1.
EduPerson and Federated K-12 Activities InCommon/Quilts Pilot Group February 27, 2014 Keith Hazelton UW-Madison, InCommon/I2.

EduPerson and Federated K-12 Activities InCommon/Quilts Pilot Group February 27, 2014 Keith Hazelton UW-Madison, InCommon/I2.
Certificate Interoperability S&I Framework Initiative Final Report August 17, 2011.

Certificate Interoperability S&I Framework Initiative Final Report August 17, 2011.
Identity Assurance at Virginia Tech CSG January 13, 2010 Mary Dunker

Identity Assurance at Virginia Tech CSG January 13, 2010 Mary Dunker
Functional component terminology - thoughts C. Tilton.

Functional component terminology - thoughts C. Tilton.
Lecture 23 Internet Authentication Applications

Lecture 23 Internet Authentication Applications
Information Resources and Communications University of California, Office of the President UCTrust David Walker Office of the President University of California.

Information Resources and Communications University of California, Office of the President UCTrust David Walker Office of the President University of California.
Emory University Case Study I2 Day Camp November 5, 2010 John Ellis & Elliot Kendall.

Emory University Case Study I2 Day Camp November 5, 2010 John Ellis & Elliot Kendall.
Federations in Texas Barry Ribbeck University of Texas Health Science Center at Houston.

Federations in Texas Barry Ribbeck University of Texas Health Science Center at Houston.
CAMP Med Identity and Access Management for HIPAA: Technology Model William A. Weems Assistant Vice President Academic Technology The University of Texas.

CAMP Med Identity and Access Management for HIPAA: Technology Model William A. Weems Assistant Vice President Academic Technology The University of Texas.
Dorian Grid Identity Management and Federation Dialogue Workshop II Edinburgh, Scotland February 9-10, 2006 Stephen Langella Department.

Dorian Grid Identity Management and Federation Dialogue Workshop II Edinburgh, Scotland February 9-10, 2006 Stephen Langella Department.
Information Security Policies and Standards

Information Security Policies and Standards

Similar presentations

Ads by Google