Scared Straight: Authenticate Locally, Act Globally

This article discusses the importance of authenticating locally and acting globally in the context of identity management (IdM). It explores topics such as externalities, content, services, government, virtual organizations, and security, usability, and privacy. The article also examines the benefits and challenges of incorporating federated identity for various use cases, including protecting intellectual property, opening up markets, and managing virtual organizations.

Presentation Transcript


  1. Scared Straight… if you want to go outside… Authenticate Locally, Act Globally

  2. Topics
  • Externalities who care about our IdM
  • Content
  • Services
  • Government
  • Virtual organizations
  • Internal federations
  • Security, usability and privacy
  • And now, for the rest of the story…

  3. Externalities
  • Relying Parties want to use campus authn
  • For economies
  • Not another SSO to incorporate into the app
  • Avoid much of the costs of account management
  • For scaling in users
  • Interest is tempered by legal considerations, policy considerations, and unintended disruptive economic consequences

  4. Content
  • To protect IPR (the JSTOR incident…)
  • To open up markets
  • Popular content – Ruckus, CDigix, etc.
  • MS
  • Scholarly content – Google, OCLC WorldCat
  • Scope of IdM may be an issue

  5. Services
  • Student travel, charitable giving, web learning and testing, plagiarism testing service, etc.
  • Allure for alumni services and other internal businesses
  • Student loans, student testing, graduate school admissions, etc.
  • The Teragrid

  6. Government
  • NSF Fastlane Grant Submission
  • Dept of Agriculture Permits
  • Social Security
  • NIH
  • Dept of Ed

  7. Virtual Organizations
  • The big team science efforts, and even smaller collaborations with real resources to be managed seriously
  • Have their own IdM issues
  • Collaboration tools
  • Domain science identity management
  • Today’s solutions are non-existent, insecure or widely despised…
  • Could leverage federated identity for both ease of use and better security

  8. Peering

  9. Possible peering parameters
  • LOA
  • Attribute mapping
  • Economics
  • Liability
  • Privacy

  10. VOs plumbed to federations

  11. Inviting Attributes into your life…
  • For privacy and secrecy
  • Albeit for a refined view of privacy
  • For better security
  • Federated identity allows for stronger security where needed in a manner scalable for both RP and the user.
  • For efficiency

  12. The impacts on cyberinfrastructure
  “The event was a nice example of why you get on an airplane and travel to a workshop - to make progress about 50 times faster than exchanging email and position papers! Having made this investment, we are ready to take the next concrete steps to make this vision a reality. Improving security and usability at the same time. How often do you get a chance to do that?” (Charlie Catlett, Teragrid Director)

  13. And Now for the Rest of the Story
  • The Simple Life and the Simple User
  • The Full IdM Life
  • Real IdM Life and the Attribute Economy

  14. [Diagram: User, Shib, IdP, application access controls (including network devices), p2p]

  15. A Simple Life
  [Diagram: User, Authn, IdP, Autograph GUI, Shib, application access controls (including network devices), three Sources of Authority, p2p]

  16. A Full IdM Life
  [Diagram: User, IdP, Shib, local apps, application access controls (including network devices), three Sources of Authority, p2p]

  17. Relative Roles of Signet & Grouper
  RBAC (role-based access control) model
  • Users are placed into groups (aka “roles”)
  • Privileges are assigned to groups
  • Groups can be arranged into hierarchies to effectively bestow privileges
  • Grouper manages, well, groups
  • Signet manages privileges
  • Separates responsibilities for groups & privileges
  [Diagram: Grouper, Signet]
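To make the split on this slide concrete, here is an added Python sketch (not Grouper or Signet code, and not their real APIs) of the model it describes: a group store that also holds the group hierarchy, a separate privilege store keyed by group, and an effective-privilege lookup that walks the hierarchy so that privileges granted to a parent group reach members of its nested groups. Group names, users and privileges are constructed for the example.

```python
from collections import deque


class GroupStore:
    """Grouper's job in the slide: who is in which group, and how groups nest.
    Assumed model: nesting child under parent makes child members parent members."""

    def __init__(self):
        self.members = {}   # group -> set of users directly placed in it
        self.parents = {}   # child group -> set of parent groups it is nested in

    def add_member(self, group, user):
        self.members.setdefault(group, set()).add(user)

    def nest(self, child, parent):
        self.parents.setdefault(child, set()).add(parent)

    def groups_of(self, user):
        # Direct groups first, then every ancestor reachable through nesting.
        found = {g for g, users in self.members.items() if user in users}
        queue = deque(found)
        while queue:
            for parent in self.parents.get(queue.popleft(), ()):
                if parent not in found:
                    found.add(parent)
                    queue.append(parent)
        return found


class PrivilegeStore:
    """Signet's job in the slide: privileges are granted to groups, never to users."""

    def __init__(self):
        self.grants = {}    # group -> set of privileges

    def grant(self, group, privilege):
        self.grants.setdefault(group, set()).add(privilege)

    def privileges_for(self, groups):
        return set().union(*(self.grants.get(g, set()) for g in groups))


def effective_privileges(groups, privileges, user):
    """Access decision = group resolution (hierarchy walk) + privilege lookup."""
    return privileges.privileges_for(groups.groups_of(user))


def build_demo():
    # Constructed campus: faculty and grad students are nested under a department
    # group, which is in turn nested under the campus-wide community group.
    g, p = GroupStore(), PrivilegeStore()
    g.add_member("physics:faculty", "alice")
    g.add_member("physics:grad-students", "bob")
    g.nest("physics:faculty", "physics:members")
    g.nest("physics:grad-students", "physics:members")
    g.nest("physics:members", "campus:community")
    p.grant("campus:community", "wiki:read")
    p.grant("physics:members", "cluster:submit-jobs")
    p.grant("physics:faculty", "grants:approve")
    return g, p
```

Because privileges attach only to groups, removing bob from physics:grad-students revokes everything he inherited in one membership change, which is the scaling argument the slide makes.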

  18. A Full Life
  [Diagram: User, Authn, IdP, Autograph GUI, Shib, local apps, Signet/Grouper, application access controls (including network devices), three Sources of Authority, p2p]

  19. Real Life
  [Diagram: User, IdP, Shib, Portal, Gateway, Proxy, application access controls (including network devices), many Sources of Authority, p2p]

  20. [Diagram: User, IdP, VO Service Center, IdP Gateway, Shib, application access controls (including network devices), many Sources of Authority, p2p]

  21. A VO Service Center Flow
  [Diagram: User, Authn, IdP, VO Service Center, Signet/Grouper (S/G), Autograph, Shib, application access controls (including network devices), Sources of Authority, p2p]
