Published by Claire Scott. Modified over 9 years ago.
Slide 1: Practical Tools for Implementing Authentication and Managing Authorization
Educause SWR 2007
Barry Ribbeck, Director of Systems, Architecture and Infrastructure, Rice University
Thanks to Andrea Beesing, Cornell, for permission to use some of the material presented here.
Subliminal humour by Steven Wright.
Copyright Barry Ribbeck and Andrea Beesing 2007. This work is the intellectual property of the authors. Permission is granted for this material to be shared for non-commercial, educational purposes, provided that this copyright statement appears on the reproduced materials and notice is given that the copying is by permission of the author. To disseminate otherwise or to republish requires written permission from the author.
Slide 2: Rice Time Line (timeline graphic)
Milestones shown on the timeline: Mainframe era; Ken Kennedy & Parallel Computing; Mosaic; Growing Silos of AuthX; Enterprise Directory; Kerberos; New Network; GuestID & Shibboleth; I2 Shibboleth & Federations; Join InCommon; Grouper; Signet; YON.
Years marked on the timeline: 1985, 1992, 1999, 2001-04, 2005, 2006-07, 2007-08, 2008.
Slide 3: Rice University
S.W.: 47.3% of all statistics are made up on the spot.
- Located in Houston, adjacent to the Texas Medical Center
- ~5000 students
- ~1000 faculty
- ~2000 staff
- Tens of thousands of alumni
- Uncounted friends
Slide 4: Groups and Roles
S.W.: Some people would kill for a Nobel Peace Prize!
- Groups abstractly associate people into rational collections.
- Groups are tools that allow us to scale access control more easily.
- Roles are groupings of privileges.
- Associating groups to roles provides a method to scale access control.
Slide 5: Identity, Credentials and LOA
S.W.: Half the people you know are below average.
- Who are you to me?
- How do I know it is you logging in?
- How do we measure trust in the offered credential?
- What tools do I use to assert an identity credential?
- What tools do I use to trust your identity and credentialing processes?
Slide 6: Levels Of Assurance (LOA): Credential Trust Metric
S.W.: Why do psychics have to ask your name?
- Traditional: well-known community (faculty, staff, students, alumni)
- Proxy-asserted affiliates and federated users
- Self-asserted affiliates
- Unknown masses
Slide 7: The Business Context
S.W.: Everyone who believes in psycho-kinesis, raise my hand.
- Legislation driving better controls over access to information
  – Authorized use only
  – Understanding who, when, why
- Privacy concerns
- Continued high demand for new online services
- Interest in identity federation for collaboration and leveraging investments
- Need to align with granting agency requirements
Slide 8: From Kansas to Oz
S.W.: 99% of lawyers give the rest a bad name.
- Enhancing authorization
  – Distributed access management solution
  – Grouper for group management
  – Signet for privilege management
- Enhancing authentication
  – Getting ready for federation = attention to business processes and policy
  – Resources and tools provided by NMI and EDUCAUSE can help at this stage or any stage
What happens if you are scared half to death – twice?
Slide 9: What is Distributed Access Management?
S.W.: To steal ideas from one person is plagiarism, to steal from many is research.
- Addresses the challenge of
  – Managing access rights for many types of users for many resources
  – Ensuring that access rights are adjusted as the individual's relationship to the institution changes
- Set of central services in a distributed management model
- Tied into your identity management and integrated through common middleware
Slide 10: Creating Leveraged Resources: A Phased Approach
- Authentication
  – Authentication: Kerberos, Web ISO
  – Automated credential management: home-grown and commercial products
  – Identity repositories: person registries
- Authorization
  – Authorization repositories: directories
  – Group management: Grouper
  – Privilege management: Signet
Slide 11: AuthN & AuthZ: not just technology (diagram)
Three overlapping areas: Business processes, Policy, Technology. Labels placed on the diagram: Authentication of IT resources; Information security of institutional data; Training and awareness; Account management; Identification and registration; Kerberos; Grouper; Signet; Directory; Ensuring users have ready access to information and resources they are entitled to; Data access standards.
Slide 12: Aligning IT with business process and policy: Grouper example (diagram)
Hierarchy shown: Unit Head, College of Sciences; a Grouper stem with Admin 1: Dan and Admin 2: Tim; Grouper stem Statistics (Admin: Marion); Grouper stem Math (Admin: Judy); Grouper stem Engineering (Admin: Joe); the groups Math&Stats faculty, Math students and ECE Students; and the label Data access policy & standards.
Slide 13: Other Grouper Features
- Common API for program access
- Better integration with applications and other middleware components
- Better support for automated provisioning of institutional groups/roles based on source data
- Common interface for users, customizable using Tiles and Struts
Slide 14: Other Grouper Features
- Sophisticated group management capabilities to support many access management needs
  – Subgroups
  – Allows useful actions on these groups: group math, group nesting, negative authorizations
  – Traceback of indirect membership
  – Subscription feature
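As an added illustration (not Grouper's own code or API; all group, subject and privilege names are constructed), the following Python models the features listed on this slide together with the groups-to-roles idea from slide 4: nested groups, group math, negative authorizations, a traceback that explains an indirect membership, and role bindings that grant privileges to whole groups.

```python
# Added illustration, not Grouper's own code or API; all names are constructed.
from __future__ import annotations
from dataclasses import dataclass, field


@dataclass
class Group:
    name: str
    members: set[str] = field(default_factory=set)        # direct subjects
    subgroups: list[Group] = field(default_factory=list)  # group nesting
    excludes: set[str] = field(default_factory=set)       # negative authorizations

    def effective_members(self) -> set[str]:
        """Group math: union of direct and nested members, minus exclusions."""
        found = set(self.members)
        for sub in self.subgroups:
            found |= sub.effective_members()
        return found - self.excludes

    def traceback(self, subject: str) -> list[str] | None:
        """Chain of group names explaining an (indirect) membership, or None."""
        if subject in self.excludes:
            return None
        if subject in self.members:
            return [self.name]
        for sub in self.subgroups:
            path = sub.traceback(subject)
            if path is not None:
                return [self.name] + path
        return None


def privileges_for(subject: str, roles: dict[str, set[str]],
                   bindings: dict[str, Group]) -> set[str]:
    """Roles group privileges; binding a group to a role grants them at scale."""
    return {p for role, grp in bindings.items()
            if subject in grp.effective_members() for p in roles[role]}


# Constructed sample data: department groups nested into a college-level group
math_faculty = Group("math_faculty", {"ana", "ben"})
stats_faculty = Group("stats_faculty", {"ben", "cho"})
math_stats = Group("math_stats_faculty", subgroups=[math_faculty, stats_faculty])
# cho is excluded at the college level (e.g. on leave) without touching the
# department group that still legitimately lists him
college = Group("college_of_sciences", {"dee"}, [math_stats], excludes={"cho"})
ROLES = {"grade_entry": {"grades:write"}, "reader": {"grades:read", "roster:read"}}
BINDINGS = {"grade_entry": math_stats, "reader": college}
```

Because the exclusion lives on the college group, `cho` keeps the department-level role but loses the college-wide one, and the traceback for any member shows exactly which nesting chain produced the access.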
Slide 15: Signet: Privilege Management Tool
- Central repository for privilege information: who, what, when, why
- Maps assigned privileges into system-specific terms needed by applications
- Privileges are exported into applications and infrastructure services using the appropriate notification mechanisms (e-mail, XML, webMethods, etc.)
- Web-based UI for managers and holders of privileges
- Supports life cycle controls for privileges
Slide 16: Signet: Use Case #1: Self Service
- A user requests a change in account range or group in the Accounting Data Warehouse
  – Self-granting privilege with a prerequisite for approval
  – Request triggers e-mail to the person who can grant the privilege
Slide 17: Signet: Use Case #2
- An application with its own authorization database wants to use the Signet UI as its front-end
  – The application's authZ scheme can be integrated into Signet as a subsystem. An initial synchronization is done to populate Signet with current privilege info from the application.
  – When a privilege change is made in Signet, a message is forwarded to the application's internal database in the correct format.
Slide 18: Signet Interface example (screenshot)
Slide 19: IAM/IdM: The Big Picture (diagram)
Slide 20: What is Federated Identity?
- The agreements, standards, and technologies that make identity and entitlements portable across autonomous domains
- TRANSLATION: I can access a Grid resource at Penn State using my Rice NetID and password because I'm collaborating with a researcher there.
Slide 21: AuthN: Challenges in a federated world
- Service providers want to know things like:
  – How do you accomplish identity proofing and registration?
  – How do you confirm delivery of credentials?
  – Does your authentication protocol resist online password guessing?
- The federal government is driving the development of standards for assessing level of assurance (LoA).
- LoA determines the measure of trust a service provider has agreed to accept regarding the credentials presented in a federated authentication transaction.
- A strategy for aligning authentication with broader goals is important.
Slide 22: The NMI-EDIT Roadmap can help
S.W.: A conclusion is a place you go when you get tired of thinking.
- Step-by-step approach aimed at considering broader issues related to authentication
- Draws on the wealth of experience within higher education
  – Case studies
  – Policy examples
  – Roadmaps
- Tools for assessing gaps in LoAs
Slide 23: Resources
- NMI-EDIT Enterprise Authentication Implementation Roadmap: http://www.nmi-edit.org/roadmap/draft-authn-roadmap-03/
- Grouper site: http://grouper.internet2.edu
- Signet site: http://signet.internet2.edu
- Cornell Identity Management program site: http://www.cit.cornell.edu/services/identity/
- Cornell IT Policy Office web site: http://www.cit.cornell.edu/oit/PolicyOffice.html