Identity Federations: Here and Now

Explore the need for federations in higher education, the benefits they provide, and the role of InCommon as a federated identity management solution. Learn about the challenges of access management, the rising call for better online collaboration, and how federations can simplify usability and protect personal information.


Presentation Transcript


  1. Identity Federations: Here and Now
     Renée Shuey, Penn State and InCommon

  2. Agenda
     • The need for Federations in Higher Ed.
     • Federation Overview
     • Federating Software: Shibboleth
     • InCommon: the US Higher Ed federation
     • Other Federations: Europe and the U.S. government’s eAuthentication federation
     • Penn State federation use cases
     • Q&A

  3. The Problem for Higher Education
     • Increasing collaboration
     • Mandates for increased research consortia
     • Increasing number of on-line resources
     • Access management complexities for resource providers
     • Usability: Account management
     • Current Federal and State laws (e.g., FERPA, HIPAA, Gramm-Leach-Bliley Act)

  4. The Opportunity for Higher Education
     • Simplified Usability for all collaborations
     • Home organizations carefully manage the release of personal information
     • On-line resource providers focus on the protection and authorization of use of their on-line resources.

  5. The Rising Call for Better On-line Collaboration
     • Instructors sharing course materials through learning partnerships
     • Researchers coordinating remote instruments and data gathering
     • Growing on-line collections
     • Increasing diversity of content providers
     • eCommerce partnering in Higher Ed (Software, Music, etc.)
     • Institutions working with outsourced learning management systems for course hosting, grading, scheduling, testing
     • Network security monitoring
     • Visiting scholar access rights with peer institutions
     • Federal Government resources and administration: financial aid, grant submissions, etc.

  6. Federations
     • Otherwise independent entities that give up a certain degree of autonomy in order to achieve a common set of goals.
     • Working together requires:
        • Common way to express meaning
        • Agreed upon ways to convey information
        • Acceptable governance and trust models

  7. Identity Federations
     • Enroll, authenticate and attribute locally... Act federally
     • IdP provides trustworthy needed identity information to Resource Providers
        • Part of access management decision
     • Trust established through Federation Operator by means of standards, rules, and participation agreements

  8. Federations and Trust
     • Requires common IdP and RP practices
     • Federation governance roles include
        • Establishing the rules
        • Overseeing adherence (e.g., audits)
     • Degrees of trust may be inherent/useful
        • Allows flexibility in IdP and RP services
     • What happens when trust is violated?
        • Liability and indemnification

  9. Not all Federations are the same ...
     • Identity federations may have different rules or constraints on identity release
        • For example in Europe ...
     • Some may choose to offer on-line services as well, or hold contracts for resources on behalf of members
     • Some are for specific business purposes or industries, etc.

  10. With InCommon
      • The Home organization manages accounts and the release of personal information

  11. InCommon Federation
      • Created to support Higher Education and its research and business partners
      • Federation operator is an LLC formed by Internet2
      • Builds on existing campus identity management and single sign-on systems
      • Makes use of industry standards and open source federating software, Shibboleth

  12. Shibboleth
      • The Shibboleth software implements the OASIS SAML v1.1 specification, providing a federated Single Sign-On and attribute exchange framework. shibboleth.internet2.edu
      • Built on OpenSAML, also created by the Internet2 community: OpenSAML is a set of open-source libraries in Java and C++ which can be used to build, transport, and parse SAML messages. www.opensaml.org

  13. InCommon Participation Requirements
      • Common identity attributes
      • Software Guidelines: www.incommonfederation.org/ops/softguide.html
      • Transparency of Policy and Practices: POP (Participant Operational Practices)
      • Participation Agreement
      • Minimal “bar” to entry
         • Limited Liability; No Indemnification
         • General Liability Insurance
         • Modest annual fee

  14. InCommon’s Governance & Committees
      Steering Committee
      • Tracy Mitrano, Cornell – Chair
      • Jerry Campbell, University of Southern California – Vice Chair
      • Christopher Crowhurst, Thomson Learning
      • Clair Goldsmith, University of Texas System
      • Ken Klingenstein, Internet2
      • Mark Luker, Educause
      • Peggy Plympton, Lehigh University
      • Carrie Regenstein, Carnegie Mellon University
      • Gene Spencer, Bucknell University
      • Mike Teets, OCLC
      Technical Advisory Committee
      • RL "Bob" Morgan, University of Washington – Co-Chair
      • Renee Shuey, Penn State – Co-Chair
      • Tom Barton, University of Chicago
      • Scott Cantor, The Ohio State University
      • Steven Carmody, Brown University
      • Keith Hazelton, University of Wisconsin - Madison
      • Walter Hoehn, University of Memphis
      • Ken Klingenstein, InCommon Steering Committee
      • Mike LaHaye, Internet2
      • David Wasley, retired (U. Calif.)

  15. Current InCommon Participants: 27
      • Case Western Reserve University
      • Cornell University
      • Dartmouth
      • *Elsevier ScienceDirect
      • Georgetown University
      • *HAM - Texas Medical Center Library
      • *Internet2
      • Miami University
      • *Napster, LLC
      • *OCLC
      • Ohio University
      • *OhioLink - The Ohio Library & Information Network
      • Penn State
      • SUNY Buffalo
      • The Ohio State University
      • The University of Chicago
      • *Turn It In
      • University of Alabama at Birmingham
      • University of California, Irvine
      • University of California, Los Angeles
      • University of California, Office of the President
      • University of California, San Diego
      • University of Rochester
      • University of Southern California
      • University of Virginia
      • University of Washington
      • *WebAssign
      * Sponsored Participant

  16. Federations using Shibboleth in Europe
      • Established national Federations
         • Finland (HAKA)
         • Switzerland (SWITCHaai)
      • National Federations getting ready
         • United Kingdom
         • Denmark, Germany, Sweden (SWIF)
      • REFEDS – Research and Education Federations. Toward federating federations: http://www.terena.nl/activities/refeds/

  17. eAuthentication Federation (EAF)
      • For all Federal agency outward facing applications
      • 24 agencies: USDA, NIH, DOEd, NSF, etc...
      • Over 600 applications
      • Members are Federal agencies and Credential Service Providers
      • Many of the applications are of interest to Higher Education

  18. EAF Organization
      (Organization chart; box labels as extracted: EAF Executive; Business & Legal Rules; FPKI Cert Policies; Policy; FPKIPA; Interop Lab; SAML Spec.; Fed PKI OA; Operations; CAF; XCert and MOA; Providers)

  19. Components of EAF
      • Organized around Assurance Levels
         • 1, 2 for assertion-based credentials
            • Local authentication followed by identity message to agency application
            • Business and Legal rules imposed on applications and Credential Providers alike
         • 3, 4 for cryptography-based; PKI predominates
            • Serviced by Federal PKI Policy Authority and Federal PKI Operational Authority
      • Major growth area for Federal Apps in first round

  20. Linking Federations
      • How can federations interoperate?
      • Information models must be compatible
         • Conversion may be difficult
      • Communication protocols
         • Gateways are hard and may break trust models
      • Governance and trust models
         • Must be equivalent at some level

  21. Governance & Linking Federations
      • Governance sets community standards
         • May need to enhance or redefine somewhat
      • Must uphold inter-federation agreement
         • Responsible for trust between federations
         • May require stronger role within federation
         • May affect existing participation agreements
         • May incur new liabilities, etc.
      • Federation services might not interoperate

  22. Linking InCommon and eAuthentication
      • Higher Ed is an important community for many Federal agency applications
      • Both have federations in place
      • Have been working together for > year
      • Compatible technology
      • Similar identity attributes
         • InCommon has richer set
         • InCommon includes privacy protections

  23. Linking InCommon and eAuthentication
      • Trust issues
         • eAuth defines 4 levels of identity assurance
         • InCommon currently allows ‘best effort’; will need to define at least one compatible LOA
         • Privacy
      • Operational issues
         • Will need to include LOA in identity assertions
         • Will need to tag metadata, etc...
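The following Python model is an added illustration of the trust decisions described on slides 7, 10 and 23 (the home organization controls attribute release; the assertion carries a level of assurance that the RP checks against what federation metadata certifies for the issuer). It is not code from the presentation, from Shibboleth or from InCommon: the entity IDs, metadata, release policy, user record and timestamp are constructed, and the "assertion" is a plain dictionary rather than SAML XML.

```python
from datetime import datetime, timedelta, timezone

# Constructed federation metadata (not real InCommon or eAuthentication data):
# member IdPs with the LOA each was assessed at, and member RPs with the LOA
# each requires.  The slides map draft "InCommon Bronze" to eAuth Level 1.
FEDERATION_METADATA = {
    "idps": {"https://idp.example-university.edu/shibboleth": {"loa": 1}},
    "sps": {"https://rp.example-agency.gov/sp": {"required_loa": 1}},
}

# Constructed attribute release policy held by the home organization: each RP
# receives only the attributes listed for it; an RP not listed receives nothing.
RELEASE_POLICY = {
    "https://rp.example-agency.gov/sp": {"affiliation", "persistent_id"},
}

# Constructed "current time" so the validity-window check is reproducible.
SAMPLE_NOW = datetime(2006, 5, 10, 12, 0, tzinfo=timezone.utc)

def release_attributes(user_attrs, sp_entity_id, policy=RELEASE_POLICY):
    """IdP side: keep only the attributes the policy allows for this RP."""
    allowed = policy.get(sp_entity_id, set())
    return {k: v for k, v in user_attrs.items() if k in allowed}

def build_assertion(idp_entity_id, sp_entity_id, user_attrs, loa, now, lifetime_s=300):
    """IdP side: a simplified assertion (dict, not SAML XML) that carries an LOA."""
    return {
        "issuer": idp_entity_id,
        "audience": sp_entity_id,
        "not_before": now,
        "not_on_or_after": now + timedelta(seconds=lifetime_s),
        "loa": loa,
        "attributes": release_attributes(user_attrs, sp_entity_id),
    }

def validate_assertion(assertion, sp_entity_id, now, metadata=FEDERATION_METADATA):
    """RP side: accept only what the federation trust model supports; returns
    (accepted, reason).  Signature verification is assumed already done by the
    SAML library that parsed the assertion."""
    idp = metadata["idps"].get(assertion["issuer"])
    if idp is None:
        return False, "issuer not in federation metadata"
    if assertion["audience"] != sp_entity_id:
        return False, "assertion not addressed to this RP"
    if not (assertion["not_before"] <= now < assertion["not_on_or_after"]):
        return False, "assertion outside validity window"
    required = metadata["sps"][sp_entity_id]["required_loa"]
    if assertion["loa"] < required or assertion["loa"] > idp["loa"]:
        return False, "LOA below requirement or above what metadata certifies for issuer"
    return True, "accepted"
```

Note that the last check rejects an issuer claiming a higher LOA than the federation has tagged for it in metadata, which is the operational point behind "tag metadata" on this slide.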

  24. Linking InCommon and eAuthentication
      Where we are now
      • Draft Memorandum of Agreement
      • Draft “InCommon Bronze” requirements: Based on eAuth Level 1
      • Working on inter-federation assessment
      • Identifying WG's to address operation, policy, and technical issues – May 10
      • Goal - Interoperability by Fall '06

  25. Penn State, InCommon, & Shibboleth
      • Using Shibboleth since Summer '02
      • InCommon provides trust model for access to external resource providers
      • Production Uses
         • Napster
         • WebAssign
         • ANGEL Course Management System
         • WorldWide University Network (WUN)
         • LionShare

  26. Penn State, InCommon & Shibboleth
      Pilot or discussion phase
      • Office of Student Aid: PHEAA/AES
      • Career Services: Simplicity
      • ITS-Teaching and Learning with Technology: NETg, Thomson Publishing, Turnitin
      • ITS-Digital Library Technology: Elsevier, OCLC, JSTOR, and others

  27. Penn State and the eAuthentication Pilot
      • Credential Assessment Jan '05 - LOA 1
      • Identified issues
         • Password guessing, strength, expiration
         • Authorization to Operate Statement
         • Stored secret (password resets)
         • Documentation
      • Align policies and practices
      • Proposed solution – approved by GSA/NIST
      • GAP Analysis: University of Washington, Penn State, and Cornell University

  28. Penn State and the eAuthentication Pilot
      FastLane pilot
      • An interactive real-time system used to conduct NSF business over the Internet.
      • Application assessed as level of assurance 1
      • Used by faculty to submit grant proposals, check status, participate in panels, enter financial transactions
      • Credential Service Provider assessed as a level of assurance 1

  29. Useful URLs and pointers
      • http://www.nmi-edit.org
      • http://shibboleth.internet2.edu (subscribe to shib mailing lists)
      • http://www.incommonfederation.org/
      • http://lionshare.its.psu.edu
      • Emerging issues/technologies/recipes: http://middleware.internet2.edu/signet/
      • SAML 2.0: http://www.oasis-open.org/

  30. Questions?
      Contact Information: Renee Shuey, rshuey@psu.edu
