
Practical Issues Associated with Sharing Federated Services


Presentation Transcript


  1. Practical Issues Associated with Sharing Federated Services. William A. Weems, The University of Texas Health Science Center at Houston

  2. What is the Collaborative Goal? Make the sharing of restricted resources within an organization and across organizational boundaries as transparent to users as accessing public Web pages!

  3. Ideally, each individual would like a single digital credential that can be used securely to authenticate his or her identity whenever authentication of identity is required to secure a transaction.

  4. A Federated Credential allows a person to use her federated identity credential for single sign-on access to restricted service applications provided by federation members for which she has privileges.

  5. Ideally, a digital credential must
  • positively identify a person,
  • include the person's permanent identifier,
  • positively identify the certifying authority, i.e. the identity provider (IdP),
  • be presentable only by the person it authenticates,
  • be tamper-proof, and
  • be accepted by all systems.

  6. Two Categories of Identity. What is Identity?
  • Physical Identity, i.e. the assigned identifier (used for authentication):
    • Facial picture
    • Fingerprints
    • DNA sample
  • Identity Attributes, i.e. authorization attributes:
    • Common name
    • Address
    • Institutional affiliations, e.g. faculty, student, staff, contractor
    • Specific group memberships
    • Roles
    • Entitlements for specific services
    • Etc.

  7. Identity Vetting & Credentialing (diagram). The Identity Provider (IdP), uth.tmc.edu, obtains the person's physical characteristics, assigns an everlasting identifier that is permanently bound to the person and recorded in the Permanent Identity Database, and issues a digital credential; the credential can be activated by that person only.

  8. UTHSC-H Identity Management System (diagram). Source systems: HRMS, SIS, GMEIS, UTP, Guest MS. Identity Reconciliation & Provisioning Processes feed the Person Registry (INDIS) and the Authoritative Enterprise Directories (OAC7, OAC47). Supporting components: User Administration Tools, Attribute Management, Sync, Authentication Service, Authorization Service, Change Password, Secondary Directories.

  9. Federal E-Authentication Initiative, http://www.cio.gov/eauthentication/
  • Levels of assurance (different requirements):
    • Level 1, e.g. no identity vetting
    • Level 2, e.g. specific identity vetting requirements
    • Level 3, e.g. cryptographic tokens required
    • Level 4, e.g. cryptographic hard tokens required
  • Credential Assessment Framework Suite (CAF)

  10. Federated Services: Identity Providers (IdP) & Resource Providers (RP) (diagram). Identity Providers: uth.tmc.edu, utsystem.edu, bcm.edu, mdanderson.org, utmb.edu. Resource Providers: library.tmc.edu (Public Key), GMEIS (uth.tmc.edu), Blackboard (uth.tmc.edu). All connected through the Federation Assertion Service infrastructure, e.g. InCommon.

  11. to 14. (image-only slides; no transcript text)

  15. Person Cannot Log In to Their IdP Authentication Service
  • Potential problems:
    • The person does not know which password is being requested.
      • The page must state which service is requesting the username/password pair, e.g. UTEID in the previous example.
      • The login page must describe a help resource.
    • The person typed the password incorrectly.
      • The person is told that "Authentication Failed" and to re-enter the password.

  16. Person Authenticated But Unauthorized
  • Potential problems:
    • A statement only that "You Are Not Authorized" leaves an individual from another institution in the dark.
    • Who should the person contact? Someone at their home institution? Someone at the service provider institution?
  • Solution:
    • The error page should provide guidance, e.g. if the service is a Blackboard LMS, a statement like "Contact the course instructor, organizational leader or appropriate registrar's office to receive authorization for access."

  17. Multiple New Processes and Procedures to be Worked Through
  • How are courses provisioned?
    • Manually: the BB administrator adds names and EPPNs (i.e. NetIDs) from lists provided by the sources of authority (SOAs) at the relying institutions for the appropriate courses?
    • Automatically: service provider applications (e.g. Blackboard) obtain authorization attributes from the IdP's attribute authority and provision the BB courses with the appropriate student information?
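As an added example (not code from the presentation or from UTHSC-H), the following Python sketches the checks a Resource Provider such as a Blackboard LMS would make on the assertion it receives about an authenticated person: the credential properties of slide 5 (intact, from an identifiable IdP), the assurance levels of slide 9, the manual and automatic provisioning paths of slide 17, and the error-page guidance of slides 15 and 16. The federation membership set, course roster, EPPNs, entitlement URN and help-desk texts are all constructed assumptions; a real SP takes membership and EPPN scopes from signed federation metadata and verifies the SAML signature itself rather than trusting a flag.

```python
"""Attribute-based authorization at a federated Resource Provider (RP).

Added example, not the presentation's or UTHSC-H's code. Every host name,
EPPN, roster entry, entitlement URN and contact text is constructed.
"""
from dataclasses import dataclass, field
from datetime import datetime, timezone
from typing import Optional

# Federation membership: in practice taken from signed federation metadata
# (e.g. InCommon); here a constructed set keyed by each IdP's EPPN scope.
FEDERATION_MEMBERS = {"uth.tmc.edu", "utsystem.edu", "bcm.edu",
                      "mdanderson.org", "utmb.edu"}

# Constructed course roster keyed by EPPN, as a source of authority (SOA)
# at each relying institution would supply it for manual provisioning.
COURSE_ROSTERS = {
    "BIOINF101": {
        "instructor": {"wweems@uth.tmc.edu"},
        "student": {"jdoe@utmb.edu", "asmith@bcm.edu"},
        "min_assurance": 2,   # minimum e-Authentication level for this resource
    },
}
# Hypothetical entitlement value an IdP could release for automatic provisioning.
STUDENT_ENTITLEMENT = "urn:mace:example.edu:course:BIOINF101:student"

SP_HELP = "the help desk at the service provider institution"
IDP_HELP = "the IT help desk at your home institution (the identity provider)"
COURSE_HELP = ("the course instructor, organizational leader or appropriate "
               "registrar's office")

@dataclass
class Assertion:
    """What the RP learns about an authenticated person from the IdP."""
    issuer: str                                     # IdP, identified by its scope
    eppn: str                                       # eduPersonPrincipalName
    entitlements: set = field(default_factory=set)  # eduPersonEntitlement values
    assurance: int = 1                              # level asserted by the IdP
    not_on_or_after: Optional[datetime] = None      # end of validity window
    signature_valid: bool = True                    # outcome of the signature check

@dataclass
class Decision:
    allowed: bool
    role: str = ""
    reason: str = ""
    contact: str = ""   # whom the person should contact when denied

def authorize(a: Assertion, course: str, now: Optional[datetime] = None) -> Decision:
    now = now or datetime.now(timezone.utc)
    roster = COURSE_ROSTERS.get(course)
    if roster is None:
        return Decision(False, reason=f"unknown course {course}", contact=SP_HELP)
    # Credential must be tamper-proof and must identify a trusted IdP.
    if not a.signature_valid:
        return Decision(False, reason="assertion signature check failed", contact=SP_HELP)
    if a.issuer not in FEDERATION_MEMBERS:
        return Decision(False, reason=f"IdP {a.issuer} is not a federation member",
                        contact=IDP_HELP)
    # A stale assertion is not evidence of a current login (replay).
    if a.not_on_or_after is not None and now >= a.not_on_or_after:
        return Decision(False, reason="assertion has expired; sign in again", contact=SP_HELP)
    # An IdP may only assert identifiers within its own scope.
    scope = a.eppn.rpartition("@")[2]
    if scope != a.issuer:
        return Decision(False, reason=f"EPPN scope {scope} does not match IdP {a.issuer}",
                        contact=IDP_HELP)
    # The resource sets a minimum level of assurance.
    if a.assurance < roster["min_assurance"]:
        return Decision(False, reason=(f"assurance level {a.assurance} is below the "
                                       f"required level {roster['min_assurance']}"),
                        contact=IDP_HELP)
    # Manual provisioning: look the EPPN up on the SOA-supplied roster.
    for role in ("instructor", "student"):
        if a.eppn in roster[role]:
            return Decision(True, role=role)
    # Automatic provisioning: an entitlement released by the IdP's attribute authority.
    if STUDENT_ENTITLEMENT in a.entitlements:
        return Decision(True, role="student")
    # Authenticated but unauthorized: say whom to contact, not just "not authorized".
    return Decision(False, reason="you are authenticated but not authorized for this course",
                    contact=COURSE_HELP)

def error_page(d: Decision) -> str:
    """Never a bare 'You Are Not Authorized'; always name the contact."""
    return f"Access denied: {d.reason}. Contact {d.contact} to receive authorization."

# Constructed sample assertions exercising each branch.
FUTURE = datetime(2030, 1, 1, tzinfo=timezone.utc)
PAST = datetime(2000, 1, 1, tzinfo=timezone.utc)
INSTRUCTOR = Assertion("uth.tmc.edu", "wweems@uth.tmc.edu", assurance=2, not_on_or_after=FUTURE)
ROSTERED_STUDENT = Assertion("utmb.edu", "jdoe@utmb.edu", assurance=2, not_on_or_after=FUTURE)
ENTITLED_STUDENT = Assertion("bcm.edu", "rlee@bcm.edu", {STUDENT_ENTITLEMENT}, 2, FUTURE)
UNKNOWN_PERSON = Assertion("bcm.edu", "nobody@bcm.edu", assurance=2, not_on_or_after=FUTURE)
LOW_ASSURANCE = Assertion("utmb.edu", "jdoe@utmb.edu", assurance=1, not_on_or_after=FUTURE)
EXPIRED = Assertion("utmb.edu", "jdoe@utmb.edu", assurance=2, not_on_or_after=PAST)
SPOOFED_SCOPE = Assertion("utmb.edu", "wweems@uth.tmc.edu", assurance=2, not_on_or_after=FUTURE)
OUTSIDER = Assertion("example.org", "x@example.org", assurance=4, not_on_or_after=FUTURE)

if __name__ == "__main__":
    for a in (INSTRUCTOR, ROSTERED_STUDENT, ENTITLED_STUDENT, UNKNOWN_PERSON,
              LOW_ASSURANCE, EXPIRED, SPOOFED_SCOPE, OUTSIDER):
        d = authorize(a, "BIOINF101")
        print(a.eppn, "->", f"allowed as {d.role}" if d.allowed else error_page(d))
```

The scope check is the one most often missed in practice: without it, any federation member IdP could assert an EPPN in another member's scope and inherit that person's roster entry. The contact text is chosen by which party can actually fix the problem, the home IdP for assurance and scope issues, the SP for expiry and signature failures, and the course's own authority for plain lack of authorization.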
