1 / 21

Federated Identity: What It Brings to Open Government

Federated Identity: What It Brings to Open Government. Dr Ken Klingenstein Director, Internet2 Middleware and Security. Topics. The State of Federated Identity Growth Interfederation The emergence of privacy managers and trust-based transparency

babu
Download Presentation

Federated Identity: What It Brings to Open Government

An Image/Link below is provided (as is) to download presentation Download Policy: Content on the Website is provided to you AS IS for your information and personal use and may not be sold / licensed / shared on other websites without getting consent from its author. Content is provided to you AS IS for your information and personal use only. Download presentation by click this link. While downloading, if for some reason you are not able to download a presentation, the publisher may have deleted the file from their server. During download, if you can't get a presentation, the file might be deleted by the publisher.

E N D

Presentation Transcript

  1. Federated Identity:What It Brings to Open Government Dr Ken Klingenstein Director, Internet2 Middleware and Security

  2. Topics • The State of Federated Identity • Growth • Interfederation • The emergence of privacy managers and trust-based transparency • The Attribute Ecosystem and the Tao of Attributes • What it brings to Open Government • Consistency of implementations • Key constituencies • Multiple and flexible LOA • Roles • Privacy and attributes • Collaboration

  3. A bit of background • Internet identity work began in 2000 in the R&E sector • Spread quickly into corporate sector via OASIS standards processes • Corporate use cases limited to bi-lateral relationships • R&E sector carried on multi-lateral federation work • Created SAML, Shibboleth, InCommon, etc • Widespread deployments began 2004-5 with exponential growth • Building federations and trust more work than developing protocols

  4. Growth of Federated Identity InCommon continues exponential growth, greater than 4M users, 200 major universities, research centers, and companies Internationally, growth is even more rapid; 25+ countries representing > 100M users Typical organization (Penn State) does 700,000 transactions a day with trust based on InCommon; reduces help desk cost by 85% Used for financial transactions, scholarly content access, access to national scientific resources, collaboration tools, social networking, etc.

  5. Federation Soup • Many US federations • InCommon at the national R&E level • UCTrust, Texas, CIC federation, etc at system and association level • NCTrust, NJEdge, etc at comprehensive state levels • Consistency in policies, technologies; diverse in communities served, standard attributes, etc.

  6. Interfederation Connecting autonomous federations Critical for global scaling, accommodating state and local federations, integration across vertical sectors Has technical, financial and policy dimensions Elegant technical solution being developed in the eduGAIN project of Geant Policy activities in Kalmar2 Union, Kantara, Terena

  7. MDX – metadata exchange protocol Institutions and organizations will pick a registrar to give their metadata to Institutions and organizations will pick an aggregator (or several) to get their partners metadata from Aggregators exchange metadata with each other and registrars If this sounds like DNS registration and routing, it is, one layer up In the land of data, metadata is king; imagine many new kinds of metadata

  8. Trust, Identity and the Internet • Acknowledges the assumptions of the original protocols about the fine nature of our friends on the Internet and the subsequent realities • http://www.isoc.org/isoc/mission/initiative/trust.shtml • ISOC initiative to introduce trust and identity-leveraged capabilities to many RFC’s and protocols • First target area is DKIM; subsequent targets include SIP and firewall traversal (trust-mediated transparency)

  9. The Attribute Ecosystem Authentication is very important, but identity is just one of many attributes And attributes provide scalable access control, privacy, customization, linked identities, federated roles and more We now have our first transport mechanisms to move attributes around – SAML and federations There will be many sources of attributes, many consumers of attributes, query languages and other transport mechanisms Together, this attribute ecosystem is the “access control” layer of the Internet

  10. Attribute use cases are rapidly emerging Disaster “first responders” attributes and qualifications dynamically Access-ability use cases Public input processes – anonymous but qualified respondents Grid relying parties aggregating VO and campus attributes The “IEEE” problem The “over legal age” and the difference in legal ages use cases Self-asserted attributes – friend, interests, preferences, etc

  11. Key Issues • Attribute aggregation • Metadata of attributes, LOA, etc • Sources of authority and delegation • Schema management, mapping, etc • User interface • Privacy and legal issues

  12. The Tao of Attributes workshop 属性之道 Purpose of workshop was to start to explore the federal use case requirements for attributes, aggregation, sources of authority, delegation, query languages, etc. Participants were the best and brightest – the folks who invented LDAP, SAML, OpenId, etc. Webcast at http://videocast.nih.gov/PastEvents.asp Twittered at TAOA http://middleware.internet2.edu/tao-of-attributes/

  13. What Federated Identity Delivers • Consistency of implementations • Key constituencies • Roles • Multiple and flexible LOA • Privacy and attributes • Collaboration

  14. Consistency of implementations SAML 2.0 is a heavily-referenced and widely implemented OASIS standard Metadata format (ala Shibboleth) is a standard Interoperability among federations is well-established

  15. Key constituencies served Researchers, graduate students, etc Research administration, management, etc Students, patients, etc Note that coverage in each of these constituencies is 100% - all organizational identities in a federation are federated Unaffiliated and general public via “homes for the homeless” providers, on a free or paid basis – eg UK, Denmark, ProtectNetwork, etc

  16. Multiple and Flexible LOA LOA 1 – 4 all readily available (LOA 1 username/password to LOA 4 with holder of key) Federated two factor authentication (LOA 3) a VERY powerful concept; work now starting on approaches, leveraging new NIST standards Privacy and secrecy valuable by-products of the architecture

  17. LOA and applications

  18. Roles Scaling is based on roles, not identity Roles are flexible and dynamic – PI, admin, collabmin, etc Roles provide opportunities to offload NIH of administrative burdens in tracking changes Audit controls provided by institution

  19. Privacy and attributes Attributes are the real win – for fine-grain access control, for privacy, for secrecy Permit access control decisions to be made at relying party or at identity provider (entitlements) Can deliver identity, opaque identifiers, non-correlating identifiers, etc EU guidelines on privacy are more nuanced than the US

  20. Collaborations and Virtual Organizations IdM is a critical dimension of collaboration, crossing many applications and user communities Virtual organizations represent critical communities of researchers sharing domain resources and applications as well as general collaboration tools. Providing a unified identity management platform for collaboration is essential in a multi-domain, multi-tool world. Lots of activities in domesticating applications to work in a federated world, moving from tool-based identity to collaboration-centric identity.

More Related