Identities and Federation: The Next IT Wave (The Canadian Access Federation). Rick Bunt President The Canadian University Council of CIOs (CUCCIO) rick.bunt@usask.ca. What’s CUCCIO? 45 member universities, represented by their CIOs or equivalents
Identities and Federation: The Next IT Wave (The Canadian Access Federation)
Rick Bunt, President, The Canadian University Council of CIOs (CUCCIO)
rick.bunt@usask.ca

What's CUCCIO?
• 45 member universities, represented by their CIOs or equivalents
• Managed by a Board of Directors elected by the members
Web site: http://www.cuccio-cdpiuc.ca/

Why We Exist
• To provide a trusted national voice for IT in Canadian universities
• To foster the professional development of the higher education IT community in Canada
• To provide a vehicle for collaboration, cooperation and collective action among Canadian universities in matters relating to higher education IT
• To provide a focal point for liaison with national and international organizations and interest groups concerned with IT

What We're Doing
• Services for members:
  • Building an online storehouse of requests for proposals, policies and best practices
  • Developing a mechanism for Canadian institutions to gather a common set of data for measuring and benchmarking
• Special interest groups:
  • Security, Business Continuity/Disaster Recovery, Cyberinfrastructure, Professional Development and Training, …
• Annual CANHEIT conference (Canadian Higher Ed IT)
• edupass.ca: The Canadian Access Federation
Defining Identity Management
Separate two functions of identity management:
• Authentication: proving who you are
• Authorization: policies controlling access to resources
For enterprise efficiency:
• Authenticate centrally: administer one set of credentials (id/password)
• Authorize locally: service provider controls access to service according to role
Single Sign On:
• The "authenticate once" principle
2008/10/01

An Access Federation
• Access management across cooperating institutions
• Based on trust
• Retain local management of identity information:
  • Preserves privacy
  • Roles based on local responsibilities
• Be efficient:
  • Don't replicate information or technologies

How it Works
• Access Federation comprises identity providers and service providers
• Identity providers authenticate users
• Service providers offer services to users under agreements negotiated with the Access Federation

The Canadian Access Federation (edupass.ca)
• A made-in-Canada solution
• Eligible participants include higher education institutions, public research institutions, sponsored service providers, others
• Services delivered under two technologies:
  • eduroam: for wireless mobility
  • Shibboleth: for web-based applications
• Managed by CUCCIO: technology, policies, agreements

What is eduroam?
• eduroam stands for Educational Roaming
• Launched in Europe in 2003 to deal with the "Roaming Scholar problem"
• Allows users visiting other eduroam institutions to access WLAN using home credentials
• CUCCIO's Canadian service launched in June 2008

How it Works: eduroam
[diagram: user bunt@usask.ca visiting Calgary; credentials checked by the home institution, Saskatchewan]
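The roaming case on the slide above (a Saskatchewan user connecting at Calgary with home credentials), written out as an added example that is not part of the original deck or of the eduroam service. It models the realm-based forwarding that eduroam's RADIUS hierarchy performs: the visited site only parses the realm part of the identity and forwards, the national proxy routes by realm, and only the home institution ever checks the password. Institution names, directories, passwords and the routing table are constructed for the example; real eduroam carries the credential inside an EAP tunnel rather than as a plain string, which this simplification omits.

```python
import hmac

# Constructed home credential stores, one per institution realm.
# Only the home institution ever checks the password; a visited site never holds it.
HOME_DIRECTORIES = {
    "usask.ca": {"bunt": "constructed-usask-password"},
    "ucalgary.ca": {"ajones": "constructed-calgary-password"},
}

# Constructed national routing table: realm -> the home institution's RADIUS server.
NATIONAL_ROUTES = {realm: f"radius.{realm}" for realm in HOME_DIRECTORIES}


def split_identity(identity):
    """Parse user@realm; the realm alone decides where the request is routed."""
    if identity.count("@") != 1:
        return None
    user, realm = identity.split("@")
    if not user or not realm:
        return None
    return user, realm.lower()


def home_authenticate(realm, user, password):
    """The home institution verifies the credential against its own directory."""
    expected = HOME_DIRECTORIES.get(realm, {}).get(user)
    if expected is None:
        return False
    return hmac.compare_digest(expected.encode(), password.encode())


def national_proxy(realm, user, password, log):
    """National-level proxy: forward by realm, reject realms it cannot route."""
    target = NATIONAL_ROUTES.get(realm)
    if target is None:
        log.append(f"national: no route for realm {realm}, Access-Reject")
        return False
    log.append(f"national: forwarding to {target}")
    return home_authenticate(realm, user, password)


def visited_wlan_login(visited_realm, identity, password):
    """The visited institution's RADIUS server: answer locally for its own users,
    otherwise forward up the hierarchy and grant WLAN only on the home's accept."""
    log = []
    parsed = split_identity(identity)
    if parsed is None:
        log.append("visited: malformed identity, Access-Reject")
        return False, log
    user, realm = parsed
    if realm == visited_realm:
        log.append("visited: local realm, authenticating locally")
        ok = home_authenticate(realm, user, password)
    else:
        log.append(f"visited: realm {realm} is not ours, forwarding to national proxy")
        ok = national_proxy(realm, user, password, log)
    log.append("visited: Access-Accept, WLAN granted" if ok else "visited: Access-Reject")
    return ok, log


if __name__ == "__main__":
    # The roaming scholar: a Saskatchewan user on the Calgary wireless network.
    ok, log = visited_wlan_login("ucalgary.ca", "bunt@usask.ca", "constructed-usask-password")
    print("\n".join(log))
```

The point a defender should take from the log is what the visited site never sees: it learns the realm so it can route, and it receives an accept or reject, but the directory lookup and password check happen only at the home institution, which is what keeps the visited institution out of the credential security business.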
What is Shibboleth?
• Supports inter-institutional sharing of web resources subject to access controls
• Streamlines sharing secured online services
• Leverages existing campus identity and access management infrastructures
• Identity provider chooses what information to send to service provider
• Service provider makes final authorization decision based on verified information

How it Works: Shibboleth
[diagram: 1 first request to Remote Application; 2 Authenticate (bunt@usask.ca) at U Saskatchewan ID Mgmt Service; 3 Service Provider Access Policies; 4 use]
• Confirm user is known
• Pass approved identity and role information so service can apply authorization policy.
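The Shibboleth flow sketched above, and the "authenticate centrally, authorize locally" split from the Defining Identity Management slide, as an added example that is not code from the deck, from CUCCIO or from the Shibboleth project. The home identity provider checks the credential, releases only the attributes its policy approves for that service provider, and signs the result; the service provider verifies the issuer is a federation member, the signature, the audience and the validity window, and only then applies its own access policy to the role it was given. Everything here is constructed: the IdP and SP names, the user store, the release and access policies, and an HMAC with a per-IdP shared key standing in for the X.509 XML signatures that real SAML/Shibboleth federation metadata uses.

```python
import hashlib
import hmac
import json
import time

# Constructed federation metadata: trusted IdPs and the key the SP uses to
# check their assertions (assumption: HMAC stands in for SAML XML signatures).
FEDERATION_KEYS = {
    "idp.usask.example": b"constructed-usask-signing-key",
}

# Constructed IdP user store. Passwords never leave the IdP.
IDP_USERS = {
    "bunt": {"password": "correct horse", "affiliation": "faculty", "department": "CS"},
    "vis": {"password": "battery staple", "affiliation": "alumni", "department": "none"},
}

# Attribute release policy: the IdP chooses what information each SP receives.
RELEASE_POLICY = {
    "journal.sp.example": ["affiliation"],
}


def idp_authenticate(idp_id, username, password, sp_id, now=None):
    """Step 2: central authentication at the home IdP. On success it issues a
    signed assertion carrying only the attributes released to sp_id."""
    user = IDP_USERS.get(username)
    if user is None or not hmac.compare_digest(user["password"].encode(), password.encode()):
        return None
    now = int(time.time()) if now is None else now
    claims = {
        "issuer": idp_id,
        "audience": sp_id,
        "subject": f"{username}@{idp_id}",  # a federation identity, not the credential
        "issued_at": now,
        "expires_at": now + 300,
        "attributes": {k: user[k] for k in RELEASE_POLICY.get(sp_id, [])},
    }
    body = json.dumps(claims, sort_keys=True).encode()
    sig = hmac.new(FEDERATION_KEYS[idp_id], body, hashlib.sha256).hexdigest()
    return {"body": body, "sig": sig}


def sp_verify_assertion(assertion, sp_id, now=None):
    """Step 3: the SP confirms the user is known to a federation member before
    trusting any attribute: issuer, signature, audience, validity window."""
    claims = json.loads(assertion["body"])
    key = FEDERATION_KEYS.get(claims.get("issuer"))
    if key is None:
        return None  # issuer is not a federation member
    expected = hmac.new(key, assertion["body"], hashlib.sha256).hexdigest()
    if not hmac.compare_digest(expected, assertion["sig"]):
        return None  # tampered or forged assertion
    if claims.get("audience") != sp_id:
        return None  # assertion issued for a different service
    now = int(time.time()) if now is None else now
    if not (claims["issued_at"] <= now < claims["expires_at"]):
        return None  # outside the validity window
    return claims


# Step 4: local authorization. The SP makes the final decision from verified role information.
SP_ACCESS_POLICY = {"faculty", "staff", "student"}


def sp_authorize(claims):
    return claims["attributes"].get("affiliation") in SP_ACCESS_POLICY


def federated_login(username, password, idp_id, sp_id, now=None):
    """Steps 1 to 4 end to end; the SP never handles the password."""
    assertion = idp_authenticate(idp_id, username, password, sp_id, now)
    if assertion is None:
        return "authentication failed at home IdP"
    claims = sp_verify_assertion(assertion, sp_id, now)
    if claims is None:
        return "assertion rejected by SP"
    return "granted" if sp_authorize(claims) else "denied by SP policy"


if __name__ == "__main__":
    print(federated_login("bunt", "correct horse", "idp.usask.example", "journal.sp.example"))
```

Two details carry the privacy claims on the later slides. The released attribute set for the journal is just the affiliation, so the department never reaches the SP, and the SP still decides access itself: a valid, signed assertion for an alumnus is verified and then denied by local policy, which is the "service provider makes final authorization decision" point.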
Summary
The Canadian Access Federation (edupass.ca)
• A CUCCIO-sponsored trust federation providing access management to the higher ed community in Canada
• Expanded services for faculty/staff/students, supporting inter-institutional collaboration
• Efficiencies in use, efficiencies in negotiations
Key Requirements
• Institutional Identity Management strategy
• Enterprise identity repository
• Role-based access policies: attributes and policies that recognize federation
• Applications that utilize Identity Management services

Benefits of Participating
• For Identity Providers
  • Enhanced control of personal information of users
  • Easier to comply with regulatory requirements (e.g. PIPEDA)
  • Integrates with existing enterprise identity management systems
  • Common standardized solution for many services

Benefits of Participating
• For Service Providers
  • Authentication is performed by the identity providers
  • Eliminates credential security issues
  • No need for user accounts database
  • Reduced requirements for user support
  • Accurate implementation of license conditions
  • Users take better care of their credentials

Benefits of Participating
• For Users
  • Much less need to disclose identity
  • Personal data kept between user and home institution
  • Fewer user names/passwords to remember

Canadian Access Federation: Participants
[diagram, managed by CUCCIO / CCCCIO]
• Institutions: Universities, Colleges, Polytechs
• Shared Library: Scholars Portal, Elsevier
• Research Orgs: CANARIE, Compute Canada
• Commercial Service Providers: Turnitin, eAcademy
• Government: Federal, Provinces, Research Granting Councils
• International: InCommon (US), AAF (Australia), Terena (EU), UK AMF

Where Do We Go From Here?
• Finalize business plan, legal agreements, policies, procedures, etc.
• Recruit participants: institutions, service providers
• Support users
"The only way to do something is to do it."

Questions
• How can the Canadian Access Federation benefit your applications/services?
• Which service providers would you be interested in sponsoring?
For more info see www.cuccio-cdpiuc.ca