
Trends in Identity Management

Trends in Identity Management. Nate Klingenstein, Internet2. EDUCAUSE Security Professional 2007. Topics: Federated Identity (extending enterprise security; application to network security protocols); Peer-to-Peer Identity (OpenID); Convergence & Divergence.





Presentation Transcript


  1. Trends in Identity Management
  Nate Klingenstein, Internet2
  EDUCAUSE Security Professional 2007

  2. Topics
  • Federated Identity
    • Extending enterprise security
    • Application to network security protocols
  • Peer-to-Peer Identity
    • OpenID
  • Convergence & Divergence
    • Web Access Federations and Network Security
    • Do these communities meaningfully overlap?

  3. Federated Identity
  • Leverages local identities to access remote resources
    • Enterprise directories & authentication
  • Organizations trust each other
    • Decentralized center
    • Multiple federations
  • Federated identity is distinct from federations
    • Can have federated ID without federations

  4. Technical Basis of Exchange
  • Attributes
  • Identity Providers (IdP)
    • Asserts authentication and attribute information
  • Service Providers (SP)
    • Receives and processes attributes and authentications
  • Metadata

  5. Trust Basis for Exchange
  • IdP asserts good information
  • SP disposes of information received properly
  • Logging
    • Tracking down malfeasants is cooperative but always possible
  • Everything always boils down to a bilateral exchange
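Slides 4 and 5 describe the exchange in the abstract: the IdP asserts authentication and attributes, the SP receives them, and the SP is expected to dispose of what it receives properly. The following is an added example, not part of the slide deck or of any Shibboleth/SAML product, showing what the SP side of that bargain looks like in code: the acceptance checks a service provider runs on a SAML 2.0 assertion before trusting any attribute in it (issuer known from metadata, audience, validity window, bearer confirmation), followed by an attribute filter that keeps only what the SP has agreed to consume. The assertion, the entityIDs, the endpoint URL and the per-IdP attribute policy are all constructed for the example. Signature verification, which a real SP performs with an XML-DSig library against the signing certificate published in metadata, is deliberately left out; the comments mark where it belongs.

```python
"""Added example: service-provider acceptance checks on a SAML 2.0 assertion.
Every identifier and the sample assertion below are constructed; nothing
here is taken from a real federation's metadata."""
import xml.etree.ElementTree as ET
from datetime import datetime, timedelta, timezone

NS = {"saml": "urn:oasis:names:tc:SAML:2.0:assertion"}

# Constructed stand-in for federation metadata: the IdPs this SP trusts and
# the attributes it is willing to consume from each. Anything an IdP sends
# beyond this list is dropped rather than stored ("disposes of information
# received properly").
TRUSTED_IDPS = {
    "https://idp.example.edu/idp/shibboleth": {
        "accept_attributes": {
            "urn:oid:1.3.6.1.4.1.5923.1.1.1.6",   # eduPersonPrincipalName
            "urn:oid:1.3.6.1.4.1.5923.1.1.1.1",   # eduPersonAffiliation
        },
    },
}
SP_ENTITY_ID = "https://sp.example.org/shibboleth"                  # constructed
SP_ACS_URL = "https://sp.example.org/Shibboleth.sso/SAML2/POST"      # constructed

# Constructed sample assertion (unsigned; see the note in accept_assertion).
SAMPLE_ASSERTION = """<saml:Assertion xmlns:saml="urn:oasis:names:tc:SAML:2.0:assertion"
    ID="_example1" Version="2.0" IssueInstant="2007-04-10T12:00:00Z">
  <saml:Issuer>https://idp.example.edu/idp/shibboleth</saml:Issuer>
  <saml:Subject>
    <saml:SubjectConfirmation Method="urn:oasis:names:tc:SAML:2.0:cm:bearer">
      <saml:SubjectConfirmationData Recipient="https://sp.example.org/Shibboleth.sso/SAML2/POST"
          NotOnOrAfter="2007-04-10T12:05:00Z"/>
    </saml:SubjectConfirmation>
  </saml:Subject>
  <saml:Conditions NotBefore="2007-04-10T11:59:00Z" NotOnOrAfter="2007-04-10T12:05:00Z">
    <saml:AudienceRestriction>
      <saml:Audience>https://sp.example.org/shibboleth</saml:Audience>
    </saml:AudienceRestriction>
  </saml:Conditions>
  <saml:AttributeStatement>
    <saml:Attribute Name="urn:oid:1.3.6.1.4.1.5923.1.1.1.6" FriendlyName="eduPersonPrincipalName">
      <saml:AttributeValue>jdoe@example.edu</saml:AttributeValue>
    </saml:Attribute>
    <saml:Attribute Name="urn:oid:1.3.6.1.4.1.5923.1.1.1.1" FriendlyName="eduPersonAffiliation">
      <saml:AttributeValue>staff</saml:AttributeValue>
      <saml:AttributeValue>member</saml:AttributeValue>
    </saml:Attribute>
    <saml:Attribute Name="urn:oid:0.9.2342.19200300.100.1.3" FriendlyName="mail">
      <saml:AttributeValue>jdoe@example.edu</saml:AttributeValue>
    </saml:Attribute>
  </saml:AttributeStatement>
</saml:Assertion>"""


class AssertionRejected(Exception):
    """Raised when the assertion fails any acceptance check."""


def parse_time(value):
    """SAML timestamps are UTC in the form YYYY-MM-DDTHH:MM:SSZ."""
    return datetime.strptime(value, "%Y-%m-%dT%H:%M:%SZ").replace(tzinfo=timezone.utc)


def accept_assertion(xml_text, now_iso, sp_entity_id=SP_ENTITY_ID,
                     acs_url=SP_ACS_URL, trusted=TRUSTED_IDPS, skew_seconds=60):
    """Return the issuer and the filtered attributes, or raise AssertionRejected."""
    now = parse_time(now_iso)
    skew = timedelta(seconds=skew_seconds)
    root = ET.fromstring(xml_text)
    if root.tag != "{%s}Assertion" % NS["saml"]:
        raise AssertionRejected("not a SAML 2.0 Assertion element")

    # 1. The issuer must be an IdP we know from metadata. In a real SP the
    #    XML-DSig signature is verified right here against that IdP's signing
    #    certificate from metadata; the example omits it (no xmlsec dependency).
    issuer = root.findtext("saml:Issuer", namespaces=NS)
    if issuer not in trusted:
        raise AssertionRejected("issuer not in metadata: %r" % issuer)

    # 2. Conditions: validity window (with clock skew) and audience restriction,
    #    so an assertion minted for another SP cannot be replayed against us.
    cond = root.find("saml:Conditions", NS)
    if cond is None:
        raise AssertionRejected("missing Conditions")
    if cond.get("NotBefore") and now < parse_time(cond.get("NotBefore")) - skew:
        raise AssertionRejected("assertion not yet valid")
    if cond.get("NotOnOrAfter") and now >= parse_time(cond.get("NotOnOrAfter")) + skew:
        raise AssertionRejected("assertion expired")
    audiences = [a.text for a in cond.findall("saml:AudienceRestriction/saml:Audience", NS)]
    if sp_entity_id not in audiences:
        raise AssertionRejected("audience %r does not include this SP" % audiences)

    # 3. Bearer confirmation: the assertion must be addressed to our endpoint
    #    and its confirmation data must still be live.
    scd = root.find("saml:Subject/saml:SubjectConfirmation/saml:SubjectConfirmationData", NS)
    if scd is None or scd.get("NotOnOrAfter") is None:
        raise AssertionRejected("missing bearer SubjectConfirmationData")
    if scd.get("Recipient") != acs_url:
        raise AssertionRejected("Recipient %r is not our endpoint" % scd.get("Recipient"))
    if now >= parse_time(scd.get("NotOnOrAfter")) + skew:
        raise AssertionRejected("bearer confirmation expired")

    # 4. Attribute filter: keep only what this SP agreed to consume from this
    #    IdP; record what was dropped so the decision is auditable (slide 5: logging).
    allowed = trusted[issuer]["accept_attributes"]
    accepted, dropped = {}, []
    for attr in root.findall("saml:AttributeStatement/saml:Attribute", NS):
        name = attr.get("Name")
        values = [v.text for v in attr.findall("saml:AttributeValue", NS)]
        if name in allowed:
            accepted[name] = values
        else:
            dropped.append(name)
    return {"issuer": issuer, "attributes": accepted, "dropped": dropped}


def why_rejected(xml_text, now_iso, **kwargs):
    """Convenience wrapper: None if accepted, otherwise the rejection reason."""
    try:
        accept_assertion(xml_text, now_iso, **kwargs)
        return None
    except AssertionRejected as exc:
        return str(exc)


if __name__ == "__main__":
    print(accept_assertion(SAMPLE_ASSERTION, "2007-04-10T12:01:00Z"))
    print(why_rejected(SAMPLE_ASSERTION, "2007-04-10T12:10:00Z"))
```

The order of the checks matters: the issuer lookup (and, in production, the signature check that belongs with it) comes first so that none of the later decisions rest on content an unknown party could have written. The attribute filter is the code form of the "disposes of information properly" bullet: the `mail` attribute in the sample is delivered by the IdP but never reaches the application, because the SP's policy for that IdP does not list it.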

  6. Trust Basis for Exchange
  • Centralized federation services
    • Metadata
    • Auditing
    • Attribute standardization
    • Other rules
  • Extensions and merges of existing identities
    • Virtual Organizations


  8. SAML-based Higher Ed Federations
  • Australia
  • Belgium
  • Canada
  • China
  • Denmark
  • Finland
  • France
  • Germany
  • Greece
  • New Zealand
  • Norway
  • Spain
  • Sweden
  • Switzerland
  • The Netherlands
  • United Kingdom
  • United States

  9. InCommon: U.S. Higher Ed Federation
  • Multiple levels of assurance
    • Bronze, Silver, Gold, or basic
  • Identity information managed by central IT
    • Where are the attributes you need?
    • No guidance on attribute release
  • http://www.incommonfederation.org

  10. Security Assertion Standards
  • SAML 1.1 (Shibboleth 1.x)
  • SAML 2.0
  • ID-WSF
  • WS-Trust
  • WS-Security
  • Many other WS-*
  • Many other others

  11. Standards Convergence
  (Timeline figure: ID-FF 1.1, ID-FF 1.2, SAML 1.0, SAML 1.1, SAML 2.0, Shibboleth 1.x, plotted across 2002, 2003, 2004.)

  12. Peer-to-Peer Trust
  • Self-issued credentials
    • Usually bootstrapped through personal interaction
    • Joe sent me his PKC in an IM, and I know this is Joe because of our secret handshake
    • And I know that's his screen-name because…
  • Differentiate between quality of initial authentication and subsequent value
    • Unauthenticated email sure is popular…

  13. OpenID
  • Codification of that community trust
    • Using URLs
    • A simple protocol
    • Basic attributes
    • Plug-ins for most web environments
  • Many other approaches, some based on heavier technology
  • Deployed in blogosphere and beyond
    • No attempts to integrate with network security
    • But growing corporate interest and support

  14. OpenID/SAML convergence
  • There are protocols and there are tokens
    • WS-Trust
    • WS-Security
    • Cardspace
  • Solutions address somewhat different needs
    • Room for co-existence
    • But interoperability would still be nice
  • Some cooperation between the two communities in looking for convergence opportunities

  15. Related Projects
  • Higgins
    • A set of interfaces that try to abstract identity management
  • Microsoft ADFS
    • Shibboleth interoperability
  • XACML
    • Layered in SAML assertions
    • Its own protocol

  16. Big Changes
  • Federated Identity evolving from Web SSO to other applications
  • Maturation of vendor products in the IdM space
  • Increasingly, Federated IdM packages support multiple protocols; sites make choices based on "value add"
  • Growing interest in using Levels of Assurance (LoA)
  • Growing interest in Inter-Federation

  17. Federated Identity for Network Authentication
  • Traveling individuals
  • Attribute-based access control
  • Privacy
  • Accountability

  18. Current Deployments
  • Shibboleth-based wireless authentication at University of Texas
    • It's a hack
    • Use Shibboleth to populate a database that the RADIUS server can draw on
    • Supports multiple access groups
    • Hugely popular with the university brass
  • https://spaces.internet2.edu/display/SHIB/ShibbolizedWireless

  19. Current Deployments
  • eduroam
    • Global RADIUS infrastructure using 802.1x
    • Widespread adoption by European higher ed
    • Multiple countries in Asia & Oceania
    • U.S. under-represented
  • http://www.eduroam.org/
  Let's look at the policies…

  20. Revealing Challenges
  • What security policies will be enacted on an eduroam visitor?
    • Japan wants to mandate that once access is granted via eduroam a VPN tunnel home be established for all further traffic
  • What information do people need to know?
    • Which attributes are required?
    • Does anonymity matter?

  21. SAML, RADIUS, DIAMETER
  • RADIUS profile of SAML
    • http://tinyurl.com/24m9pm
  • DAMe project
    • DIAMETER supporting SAML
  • Slide theft
    • Diego Lopez of RedIRIS

  22. InCommon
  • U.S. higher education federation
  • 50 participants and counting
  • Oriented around access to web resources
    • EBSCO, ScienceDirect, JSTOR, Napster, Turnitin, etc.
  • SAML-centric

  23. Questions for You
  • What could you do with federated identity?
  • What information do you need to know before making your various decisions?
  • Can InCommon address your collaboration or network authentication needs?
  • How would you do inter-realm network security?
