
Bart Kerver, Bart.kerver@surfnet.nl, CAUDIT meeting, Utrecht, 6 October 2006

  1. Federated Identity Management: from local AAI towards federations. Bart Kerver, Bart.kerver@surfnet.nl, CAUDIT meeting, Utrecht, 6 October 2006

  2. Agenda
  Introduction
  Authentication & Authorization Infrastructures
  • What is an AAI?
  • Why the need for an AAI?
  • SURFnet’s role for IdM
  Federations
  • What is a federation?
  • Why federate?
  • Federations are happening!
  • Federations in .NL
  • SURFnet’s role for federations
  • SURFnet Federation policies
  • Federation global flow and architecture
  Summary

  3. Introduction
  [Word cloud of identity-management terms: XACML, monitoring, network, logging, authorization, WS*, database, accounting, registration, identification, SAML, SSO, DSML, ID-FF, authenticate, directory, provisioning, access control, management, DirXML, SPML, users, network resources, identities.]

  4. What is an AAI?
  AAI: Authentication and Authorization Infrastructure:
  • identification/authentication of users;
  • gathering of identity information about a user (attributes);
  • authorizing users (applying and releasing attributes);
  • transport of the assertions;
  • important component: ‘trust’.
  …and if all of this is in place, you are able to:
  • provision (e.g. create a ‘profile’ in an ELO);
  • personalize (e.g. apply a ‘role’ in an ELO);
  • control access to resources.
  Examples: Star Alliance, banking, eduroam, DigiD …

  5. Why the need for an AAI?
  • Ease of use: fewer passwords, Single Sign-On, authenticate at the home institute;
  • Collaboration between institutes (national/international);
  • Mobility of users on the network and between institutes (Bologna process, European Credit Transfer System - ECTS);
  • Growing need for access control and personalization;
  • A centralized AAI has a great (positive) impact on maintenance, management, security, costs, etc.;
  • Easy to add additional services (resources/content).

  6. SURFnet’s role for IdM
  • Awareness for Identity Management (IdM)
  • Reports on IdM
  • studies on the current state of IdM in HE in .NL;
  • scenarios to realize (upgrade) IdM;
  • federated IdM (business drivers, solutions…).
  • Workshops on IdM
  • Workgroup for Library Access Management (‘BAM’)
  • Development and support of the open source product A-Select
  • Stimulate deployment of A-Select (200k+ users)

  7. What is a federation?
  • It is a formal federation (‘collaboration’) of organizations focused on creating a common framework for trust in support of research and education.
  • A federation is an association of organizations that use a common set of attributes, practices and policies to exchange information about their users and resources in order to enable collaborations and transactions.
  • So… it is all about sharing resources.
  • A federation has two main pillars:
  • procedures/policies (e.g. schema, trust, …);
  • technical implementation (e.g. PKI, eduPerson, metadata, technology).
  • Federations are NOT about a certain product but should be built on standards (e.g. SAML/Liberty/WS*); e.g. IdPs and SPs are built using vendor-specific implementations (Oracle, Sun, IBM, Novell, etc.).

  8. Why federate?
  AAI on different levels, each with its own complexity, e.g.:
  • Faculty (local management of identities)
  • University (centralize identities / set up IdM!)
  • National (federate)
  • International (con-federate)
  A growing number of service providers and inter-institutional communication results in 1-to-N relationships...
  [Diagram: identity providers and service providers (A, B, C, D) linked pairwise; wanted: central components for federation.]

  9. Federations are happening
  • Applications outsourcing their users
  • to the home institution of the user
  • to a single place at the home institution
  • Academic identity federations are operational
  • real services used every day by large numbers of users
  • research and educational applications are federated
  • Federation software available in the marketplace
  • Identity 2.0 aka InfoCard
  • making "identity" tangible to users
  • Convergence is there
  • with SAML as lingua franca
  • How to connect all of these federations
  • ‘Con-federate’
  [Federation logos shown: HAKA, DK-AAI, JISC federation.]

  10. Federation initiatives - .NL

  11. SURFnet’s role for federations
  • This year (2006): build a service “SURFnet Federation”
  • technical implementation (based on A-Select);
  • define: policies, contracts, legal organization…;
  • organize service providers (SP);
  • support identity providers (IdP).
  • Next year (2007):
  • stimulate deployment and joining in
  • workshops;
  • install fests for both IdP and SP.
  • interconnect federations (‘confederate’: both NL and EU)
  • support standards (SAML, WS*, eduGAIN)
  • translate assertions between SAML <> A-Select <> WS-Federation <> eduGAIN, enabling federated SSO

  12. SURFnet Federation Policies
  Start simple: low entry level
  • Contract for IdP part of the SURFnet contract?;
  • Contract for all SPs standardized;
  • If an IdP is also an SP, just one contract.
  • IdPs make best efforts:
  • to issue credentials to members only;
  • to ensure accuracy of assertions.
  • SPs agree to respect the privacy of users:
  • don't aggregate attributes or disclose them to others;
  • report on use of the federation.

  13. SNF Global flow
  1: Access resource at SP
  2: You are not authenticated, go to the federation
  3: What IdPs are available?
  4: Select your IdP (WAYF)
  5: I want to authenticate
  6: Please supply credentials to authenticate
  7: You are authenticated and authorized; go back to the federation and carry the authentication assertion
  8: Redirect to SP with authentication assertion
  9: Access to resource granted
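The nine steps above, plus the attribute-based authorization from slide 4, as an added worked example; this is not code from the presentation, from A-Select or from SURFnet. It models the SP, the federation WAYF and the IdP as functions in one process and checks what a practitioner must verify when an assertion comes back via the federation in step 8: the issuer is a known federation member, the signature verifies, the audience is this SP, the assertion is bound to the request that started the flow, it has not expired and it has not been replayed. The message layout, the HMAC standing in for the IdP's signing key, the hostnames, user records and the `affiliation` attribute are all assumptions made for illustration; a real deployment exchanges SAML or A-Select protocol messages.

```python
"""Toy model of the SURFnet Federation (SNF) single sign-on flow.

Added example, not code from the presentation or from A-Select/SURFnet.
Message formats, key material, hostnames, user records and attribute names
are constructed assumptions; real federations use SAML or A-Select messages.
"""
import hashlib
import hmac
import json
import secrets
import time

# Constructed federation metadata: the IdPs the WAYF can offer, and a shared
# HMAC key per IdP standing in for the IdP's signing key (assumption).
IDP_KEYS = {
    "idp.uni-a.example": b"uni-a-signing-key-constructed",
    "idp.uni-b.example": b"uni-b-signing-key-constructed",
}
# Constructed IdP user stores: credentials plus the attribute to release.
IDP_USERS = {
    "idp.uni-a.example": {
        "alice": {"password": "correct horse", "affiliation": "student"},
        "bob": {"password": "battery staple", "affiliation": "staff"},
    },
    "idp.uni-b.example": {},
}
SP_ID = "sp.library.example"
ASSERTION_LIFETIME = 300  # seconds an assertion stays valid


def wayf_list_idps():
    """Steps 3/4: the federation's WAYF lists the IdPs the user may choose."""
    return sorted(IDP_KEYS)


def sp_start_request():
    """Steps 1/2: the SP sees an unauthenticated user and mints a request id
    so the returned assertion can be bound to this request."""
    return {"id": secrets.token_hex(16), "sp": SP_ID, "issued": time.time()}


def idp_authenticate(idp, username, password, request, now=None):
    """Steps 5-7: the IdP checks credentials and returns a signed assertion
    carrying the released attributes, or None when authentication fails."""
    user = IDP_USERS.get(idp, {}).get(username)
    if user is None or not hmac.compare_digest(user["password"], password):
        return None
    now = time.time() if now is None else now
    payload = {
        "issuer": idp,
        "subject": username,
        "audience": request["sp"],        # only this SP may consume it
        "in_response_to": request["id"],  # binds assertion to the request
        "expires": now + ASSERTION_LIFETIME,
        "attributes": {"affiliation": user["affiliation"]},
    }
    body = json.dumps(payload, sort_keys=True).encode()
    sig = hmac.new(IDP_KEYS[idp], body, hashlib.sha256).hexdigest()
    return {"payload": body, "signature": sig}


def sp_consume_assertion(assertion, request, seen_ids, now=None):
    """Steps 8/9: the SP validates the assertion carried back through the
    federation and decides on access. Returns (granted, reason)."""
    now = time.time() if now is None else now
    payload = json.loads(assertion["payload"])
    key = IDP_KEYS.get(payload.get("issuer"))
    if key is None:
        return False, "unknown issuer"
    expected = hmac.new(key, assertion["payload"], hashlib.sha256).hexdigest()
    if not hmac.compare_digest(expected, assertion["signature"]):
        return False, "bad signature"
    if payload["audience"] != SP_ID:
        return False, "wrong audience"
    if payload["in_response_to"] != request["id"]:
        return False, "not bound to our request"
    if payload["expires"] < now:
        return False, "expired"
    if payload["in_response_to"] in seen_ids:
        return False, "replayed"
    seen_ids.add(payload["in_response_to"])
    # Authorization (slide 4): the SP applies the released attribute.
    if payload["attributes"].get("affiliation") not in ("student", "staff"):
        return False, "affiliation not entitled"
    return True, "access granted to " + payload["subject"]


def run_flow(idp, username, password, seen_ids=None):
    """Runs steps 1-9 once end to end; returns (granted, reason)."""
    seen_ids = set() if seen_ids is None else seen_ids
    request = sp_start_request()
    if idp not in wayf_list_idps():
        return False, "IdP not in federation"
    assertion = idp_authenticate(idp, username, password, request)
    if assertion is None:
        return False, "authentication failed at IdP"
    return sp_consume_assertion(assertion, request, seen_ids)


if __name__ == "__main__":
    print(run_flow("idp.uni-a.example", "alice", "correct horse"))
    print(run_flow("idp.uni-a.example", "alice", "wrong password"))
```

The order of checks in `sp_consume_assertion` matters: signature first, so that nothing unsigned influences a decision, then audience and request binding, which together stop an assertion issued for one SP or one browser session from being presented to another; the `seen_ids` set is the per-SP replay cache that a real SP keeps at least for the assertion lifetime.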

  14. [Architecture diagram: users and identities on one side, resources on the other, linked through the central federation components over SAML.]

  15. Confederation in Europe
  • GÉANT2 project JRA5, 3 lines: roaming, AAI and uSSO
  • AAI: eduGAIN
  • national-level federations should be respected;
  • different federation technologies/software;
  • connect through eduGAIN:
  • SAML 1.1 profiles + extensions to the standard profiles;
  • REST for communication;
  • Bridging Element (BE) to convert eduGAIN <> local federation;
  • initially BEs central (one per federation), in future at all home institutes?

  16. Confederation in eduGAIN

  17. Summary
  • The way forward: federated identity management;
  • The base: (high quality) identity management at the institutes;
  • Standardizing attributes (schemas) will be hard (in .NL);
  • Federations should be built on standards; SAML and Liberty are important, and WS-Federation is needed as well.
  • A-Select has high penetration/deployment in .NL
  • A-Select is one of the products with which to implement a federation.
