Identity and Access Management: a Functional Model
http://arch.doit.wisc.edu/keith/camp/iamintro-050627-01.ppt
Keith Hazelton (hazelton@doit.wisc.edu), Sr. IT Architect, University of Wisconsin-Madison
Internet2 MACE CAMP Integration, Denver, June 27, 2005
Topics
• What is Identity and Access Management (IAM)?
• The IAM Stone Age
• A better vision for IAM
• Basic IAM functions mapped to NMI/MACE components
• Integration as a theme

Identity and Access Management (IAM) defined
• What is Identity Management? “Identity management is the set of business processes, and a supporting infrastructure, for the creation, maintenance, and use of digital identities.” The Burton Group (a research firm specializing in IT infrastructure for the enterprise)
• Identity Management in this sense is often called “Identity and Access Management” (IAM)
• What problems do Identity and Access Management address?

IAM is…
• “Hi! I’m Lisa.” (Identity)
• “…and here’s my NetID / password to prove it.” (Authentication)
• “I want to do some E-Reserves reading.” (Authorization: allowing Lisa to use the services for which she’s authorized)
• “And I want to change my grade in last semester’s Physics course.” (Authorization: preventing her from doing things she’s not supposed to do)

IAM is also…
• New hire, Assistant Professor Alice
• Department wants to give her an email account before her appointment begins so they can get her off to a running start
• How does she get into our system and get set up with the accounts and services appropriate to faculty?

What questions are common to these scenarios?
• Are the people using these services who they claim to be?
• Are they a member of our campus community?
• Have they been given permission?
• Is their privacy being protected?
• Policy/process issues lurk nearby
The IAM Stone Age
• List of functions:
  • AuthN: Authenticate principals (people, servers) seeking access to a service or resource
  • Log: Track access to services/resources

The IAM Stone Age
• Every application for itself in performing these functions
• User list, credentials; if you’re on the list, you’re in (AuthN is authorization (AuthZ))
• As Hobbes might say: Stone age IAM is “nasty, brutish & short on features”

Vision of a better way to do IAM
• IAM as a middleware layer at the service of any number of applications
• Requires an expanded set of basic functions
  • Reflect: Track changes to institutional data from changes in Systems of Record (SoR) & other IdM components
  • Join: Establish & maintain person identity across SoR
  • …

Your Digital Identity and The Join
• The collection of bits of identity information about you in all the relevant IT systems at your institution
• For any given person in your community, do you know which entry in each system’s data store carries bits of their identity?
• If more than one system can “create a person record,” you have identity fragmentation

The pivotal concept of IAM: The Join
• Identity fragmentation cure #1: The Join
• Use business logic to
  • Establish which records correspond to the same person
  • Maintain that identity join in the face of changes to data in collected systems
Identity Information Access
• Some bits come direct from the Enterprise Directory via reflection from SoR
• Other bits need to be made reachable by identifier crosswalks

Identity Information Reachability
• In System B, to get info from System D
  • Look up the Sys D ID in the identifier crosswalk
  • Use whatever means Sys D provides to access the info
• For new apps, leverage the join by carrying the Registry ID as a foreign key, even if not in the crosswalk
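The Join (the pivotal concept above) and identifier-crosswalk reachability are easiest to see in code. The following is an added example, not code from the slides or from any NMI/MACE component: a toy registry that reflects records from three constructed Systems of Record ("student", "hr", "library"), joins them into one person using a constructed matching rule (same date of birth plus matching e-mail or normalized name; real registries use institution-specific business logic), keeps the crosswalk, and answers the reachability question "System B holds this id, what is the same person's id in System D?".

```python
"""Identity join and identifier crosswalk.

Added example, not code from the slides or from any NMI/MACE component.
Constructed assumptions: three Systems of Record (SoR) named "student", "hr" and
"library", each with its own local identifier, and a matching rule that treats
two records as the same person when their dates of birth agree and either the
e-mail addresses match or the normalized names match. Real registries apply
institution-specific business logic; this rule is only a stand-in.
"""
from dataclasses import dataclass, field
import itertools
import re


@dataclass
class SorRecord:
    system: str          # which System of Record the record came from
    local_id: str        # identifier within that system
    name: str
    dob: str             # YYYY-MM-DD
    email: str = ""


@dataclass
class Person:
    registry_id: str
    # identifier crosswalk: SoR name -> this person's local id in that SoR
    crosswalk: dict = field(default_factory=dict)


def _norm_name(name: str) -> str:
    return re.sub(r"[^a-z]", "", name.lower())


def same_person(a: SorRecord, b: SorRecord) -> bool:
    """Constructed matching rule standing in for institutional business logic."""
    if a.dob != b.dob:
        return False
    if a.email and b.email and a.email.lower() == b.email.lower():
        return True
    return _norm_name(a.name) == _norm_name(b.name)


class Registry:
    """Holds the join: one Person per real individual, however many SoRs know them."""

    def __init__(self):
        self._people: dict[str, Person] = {}
        self._source_to_rid: dict[tuple[str, str], str] = {}
        self._records: dict[tuple[str, str], SorRecord] = {}
        self._seq = itertools.count(1)

    def reflect(self, rec: SorRecord) -> str:
        """Reflect a new or changed SoR record into the registry; return its registry id.

        A record already seen keeps its registry id even if its name changed
        (maintaining the join). A new record is matched against every record
        already held and gets a fresh registry id only when nothing matches.
        """
        key = (rec.system, rec.local_id)
        self._records[key] = rec
        if key in self._source_to_rid:
            return self._source_to_rid[key]
        rid = None
        for other_key, other in self._records.items():
            if other_key != key and same_person(other, rec):
                rid = self._source_to_rid[other_key]
                break
        if rid is None:
            rid = f"R{next(self._seq):06d}"
            self._people[rid] = Person(rid)
        self._people[rid].crosswalk[rec.system] = rec.local_id
        self._source_to_rid[key] = rid
        return rid

    def registry_id_for(self, system: str, local_id: str):
        return self._source_to_rid.get((system, local_id))

    def lookup(self, from_system: str, from_id: str, to_system: str):
        """Reachability: System B holds from_id; find the same person's id in System D."""
        rid = self.registry_id_for(from_system, from_id)
        if rid is None:
            return None
        return self._people[rid].crosswalk.get(to_system)

    def crosswalk(self, registry_id: str) -> dict:
        return dict(self._people[registry_id].crosswalk)


if __name__ == "__main__":
    reg = Registry()
    rid = reg.reflect(SorRecord("student", "S100", "Lisa Q. Public", "1986-03-14", "lisa@example.edu"))
    reg.reflect(SorRecord("library", "L9", "Lisa Q Public", "1986-03-14"))
    print(rid, reg.crosswalk(rid))
    print("library L9 -> student:", reg.lookup("library", "L9", "student"))
```

The registry id returned by `reflect` is the foreign key the slide recommends new applications carry: an app that stores `R000001` never needs the crosswalk at all, while legacy systems that only know their own ids reach each other through `lookup`.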
Identity Information Reachability
• Key to reachability is less about technology, more about shared practice across system owners

Identity Fragmentation Cure #2
• When you can’t integrate, federate
• Federated Identity & Access Management
  • Rely on the Identity Management infrastructure of one or more institutions or units
  • To authenticate and pass authorization-related information to service providers or resource hosts
  • Via institution-to-provider agreements
  • Facilitated by common membership in a federation (like InCommon)
• Shibboleth is a way to move the authNZ info between parties

Vision of a better way to do IAM
• More in the expanded set of basic functions
  • Credential: issue digital credentials to people in the community
  • Mng. Affil.: Manage affiliation and group information
  • Mng. Priv.: Manage privileges and permissions at system and resource level

Managing Roles & Privileges: The Internet2 way
• Role-Based Access Control (RBAC) model
  • Users are placed into groups
  • Privileges are assigned to groups
  • Groups can be arranged into hierarchies to effectively bestow privileges
• Signet manages privileges
• Grouper manages, well, groups

Vision of a better way to do IAM
• More in the expanded set of basic functions
  • Provision: Push IAM info out to systems and services as required
  • Relay: Make access control / authorization information available to services and resources at run time
  • AuthZ: Make the allow/deny decision independent of AuthN
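The RBAC model two slides up (users in groups, privileges on groups, nested groups) and the "AuthZ independent of AuthN" function on this slide fit together in one small piece of code. This is an added example, not Grouper or Signet code; the group names, privileges and members are constructed. The authorization function takes only the principal identifier that authentication already established, so it never sees a credential, and the provisioning view flattens the hierarchy for systems that cannot evaluate groups themselves.

```python
"""Role-based access control with nested groups, and an allow/deny decision
made independently of authentication.

Added example, not Grouper or Signet code. Group names, privileges and members
are constructed for illustration.
"""
from collections import deque


class GroupStore:
    """The group side of the model (the role Grouper plays on the slide)."""

    def __init__(self):
        # group -> direct members; a member is a user id or the name of another group
        self._members: dict[str, set[str]] = {}

    def add_member(self, group: str, member: str) -> None:
        self._members.setdefault(group, set()).add(member)

    def direct_groups_of(self, member: str) -> set[str]:
        return {g for g, ms in self._members.items() if member in ms}

    def effective_groups(self, user: str) -> set[str]:
        """All groups the user is in, directly or through nested groups.

        Breadth-first walk up the hierarchy; the visited set guards against
        cycles that an administrator might create by mistake.
        """
        seen: set[str] = set()
        queue = deque(self.direct_groups_of(user))
        while queue:
            g = queue.popleft()
            if g in seen:
                continue
            seen.add(g)
            queue.extend(self.direct_groups_of(g))
        return seen


class PrivilegeStore:
    """The privilege side (the role Signet plays): privileges are granted to groups."""

    def __init__(self):
        self._grants: dict[str, set[tuple[str, str]]] = {}

    def grant(self, group: str, resource: str, action: str) -> None:
        self._grants.setdefault(group, set()).add((resource, action))

    def privileges_of(self, groups) -> set[tuple[str, str]]:
        out: set[tuple[str, str]] = set()
        for g in groups:
            out |= self._grants.get(g, set())
        return out


def authorize(principal: str, resource: str, action: str,
              groups: GroupStore, privs: PrivilegeStore) -> bool:
    """AuthZ decision. `principal` is whatever identifier AuthN (for example a
    WebISO login) established; this function never sees a credential, so the
    decision is independent of how the user authenticated. Default deny."""
    return (resource, action) in privs.privileges_of(groups.effective_groups(principal))


def provisioning_view(principal: str, groups: GroupStore,
                      privs: PrivilegeStore) -> list[tuple[str, str]]:
    """Flattened privileges, for pushing to a system that cannot evaluate groups."""
    return sorted(privs.privileges_of(groups.effective_groups(principal)))


def build_demo():
    """Constructed campus: physics faculty are faculty, faculty are community members."""
    gs, ps = GroupStore(), PrivilegeStore()
    gs.add_member("community", "faculty")
    gs.add_member("faculty", "physics:faculty")
    gs.add_member("physics:faculty", "alice")
    gs.add_member("community", "lisa")
    # privileges attach to groups, never to individual users
    ps.grant("community", "ereserves", "read")
    ps.grant("physics:faculty", "physics101:grades", "write")
    return gs, ps


if __name__ == "__main__":
    gs, ps = build_demo()
    for who, res, act in [("lisa", "ereserves", "read"),
                          ("lisa", "physics101:grades", "write"),
                          ("alice", "physics101:grades", "write")]:
        print(who, res, act, "->", "allow" if authorize(who, res, act, gs, ps) else "deny")
```

Lisa's two requests from the opening slides come out as the model predicts: E-Reserves reading is allowed through her `community` membership, and writing Physics grades is denied because no group she reaches carries that privilege.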
Basic IAM functions mapped to the NMI / MACE components
(diagram; labels: Systems of Record: Student, HR, Other; Registry; Enterprise Directory: LDAP; functions: Reflect, Join, Credential)

Basic IAM functions mapped to the NMI / MACE components
(diagram; boxes: Systems of Record, Enterprise Directory, Apps / Resources; functions: AuthN, Log, Reflect, Provision, Join, Credential, AuthZ, Mng. Affil., Mng. Priv., Relay; components: WebISO, Grouper, Signet, Shibboleth)

Alternative packaging of basic IdM
(diagram; boxes: Systems of Record, Enterprise Directory, Apps / Resources; functions: AuthN, Log, Reflect, Provision, Join, Credential, AuthZ, Mng. Affil., Relay; components: Kerberos, LDAP, Directory Plug-ins)

Alternative packaging of basic IdM functions: Single System of Record as Enterprise Directory
(diagram; labels: Student-HR Info System, Registry, LDAP; functions: "Join", Reflect, Credential)

Single SoR as Enterprise Directory
• Who “owns” the system?
• Do they see themselves as running shared infrastructure?
• Will any “external” populations ever become “internal?”
  • What if the hospital negotiates a deal?
• Stress-test alternative packaging by thinking through the list of basic IdM functions
From Construction to Integration
• Construction
  • Raw materials into systems
• Integration
  • Subsystems into whole systems
  • Multiple systems into ecosystems
• We’re all moving from construction to integration
• Let’s review the state of middleware systems’ readiness for integration

Next-up integration services
• Message queuing (pub-sub, point-to-point)
• Workflow (business process orchestration)
• Policy info mgmt
• Policy decision point
• Service Oriented Architecture (SOA) as the current buzz-word for the overall vision
  • The vision will outlast the name

Middleware -- Application Integration
• ERPs
• SAKAI
• uPortal
• …

Inter-institutional integration
• Virtual Organizations (VOs)
• Federations
• League of Federations
  • The Interfederation Interoperability Working Group (IIWG). Yes, it’s real

Q & A
Exceedingly Brief Intro to Shibboleth & Federations
Tom Barton, University of Chicago

Mike Neuman’s Issues
• Walk-ins
• Administrative permits & denies (whitelist, blacklist, any individually granted or revoked access)
• Multiple IdPs within a single campus

Alternatives to IP Address Based Access Restriction
• User-based access restriction
  • Each service provider manages credentials for all of its users
  • One big credential database of all users used by all service providers
  • Each user has a “home organization” whose credential database can, by magic, be used by each service provider
  • ???

Federated Identities
• “Federated identities” is option C on the previous slide
• A hierarchical approach to decompose the problem into manageable pieces
• Analogous to the problem that IAM addresses, and rests upon IAM infrastructure
• “Federating technology” is the “magic” part of option C
• “Identity federation” (noun) is a set of service providers, identity providers, and other context in which the magic happens
Federating Technologies
• SAML (Security Assertion Markup Language) implementations: Shibboleth, Bodington/Guanxi, AthensIM, SourceID, SAMUEL, MS ADFS, other proprietary
• Liberty Identity Federation implementations: SourceID, Lasso, proprietary, others
• MS Inter-Forest Trust

Shibboleth
• Authenticate at home org
• Authorize at resource without knowing user’s identity

Shibboleth Underpinnings
• Elements of Shibboleth infrastructure must identify and authenticate each other
  • Home org or Identity Provider (IdP) pieces
  • Resource or Service Provider (SP) pieces
• Attribute assertions about authenticated principals are sent from IdPs to SPs
• For it all to work, IdPs and SPs must agree about which attributes and values are tossed around, and their semantics

Federation Value Proposition
• A set of cooperating IdPs and SPs forms a community needing agreement on:
  • Trust Fabric
    • X.509 certs
    • IdP and SP identifiers & other metadata
  • Community standard for attribute semantics
  • Community standards for IdP and SP operational practices
    • Strength of authentication
    • Confidentiality
• For N IdPs and M SPs, which is easier?
  • N*M agreements
  • N+M agreements

Federations …
• Might support trust fabric maintenance
• Operate a metadata distribution service
• Might be the locus for attribute standards
• Might be the locus for “minimum but sufficient” IdP and SP operational practice standards
• Are not a party to the transactions between IdPs and SPs
• Are not involved with entitling access to resources
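The four Shibboleth and federation slides above describe one exchange: the IdP authenticates the user at home and sends an attribute assertion; the SP checks it against the federation's trust fabric and authorizes on attributes without learning who the user is. The block below is an added example of that exchange, not Shibboleth or SAML code. Its assumptions are constructed: federation metadata is a dictionary from IdP entity id to verification key, an HMAC over the assertion stands in for the X.509-based signature a real federation uses, and the community attribute standard is a single "affiliation" attribute with a fixed value set. Entity ids, keys and values are invented.

```python
"""Federated attribute assertion between an IdP and an SP, with trust rooted in
federation metadata.

Added example, not Shibboleth or SAML code. Constructed assumptions: the
federation metadata maps each IdP entity id to a verification key; an HMAC over
the assertion stands in for the X.509-based signature a real federation uses;
the community attribute standard is a single "affiliation" attribute with a
fixed set of values. Entity ids, keys and attribute values are invented.
"""
import hashlib
import hmac
import json

# Constructed stand-in for the distributed federation metadata (entity id -> key).
FEDERATION_METADATA = {
    "https://idp.example.edu/shibboleth": b"constructed-key-example-edu",
    "https://idp.partner.example.org/idp": b"constructed-key-partner-org",
}

# Constructed community attribute standard: the attributes and values both sides agree on.
ATTRIBUTE_STANDARD = {
    "affiliation": {"member", "student", "faculty", "staff", "affiliate"},
}


def _canonical(payload: dict) -> bytes:
    """Deterministic serialization so IdP and SP sign and verify the same bytes."""
    return json.dumps(payload, sort_keys=True, separators=(",", ":")).encode()


def idp_issue(issuer: str, key: bytes, attributes: dict, audience: str,
              now: int, ttl: int = 300) -> dict:
    """IdP side: after authenticating the user at the home org, assert attributes
    about the principal to one named SP, valid for a short window."""
    payload = {
        "issuer": issuer,
        "audience": audience,
        "attributes": {k: sorted(v) for k, v in attributes.items()},
        "issued_at": now,
        "expires_at": now + ttl,
    }
    sig = hmac.new(key, _canonical(payload), hashlib.sha256).hexdigest()
    return {"payload": payload, "signature": sig}


def sp_verify(assertion: dict, my_entity_id: str, metadata: dict, now: int):
    """SP side: returns (attributes, "ok") or (None, reason).

    Trust comes only from the metadata: an issuer not listed there is rejected
    before anything else is looked at. Only attributes and values in the
    community standard survive, so the SP learns affiliation, not identity.
    """
    payload = assertion.get("payload", {})
    key = metadata.get(payload.get("issuer"))
    if key is None:
        return None, "issuer not in federation metadata"
    expected = hmac.new(key, _canonical(payload), hashlib.sha256).hexdigest()
    if not hmac.compare_digest(expected, assertion.get("signature", "")):
        return None, "bad signature"
    if payload.get("audience") != my_entity_id:
        return None, "assertion not addressed to this SP"
    if not (payload["issued_at"] <= now < payload["expires_at"]):
        return None, "expired or not yet valid"
    attrs = {}
    for name, values in payload["attributes"].items():
        allowed = ATTRIBUTE_STANDARD.get(name)
        if allowed is None:
            continue  # outside the agreed vocabulary: dropped, never trusted
        attrs[name] = sorted(v for v in values if v in allowed)
    return attrs, "ok"


def sp_authorize(attrs, required_affiliation: str) -> bool:
    """Access decision on attributes alone; default deny."""
    return attrs is not None and required_affiliation in attrs.get("affiliation", [])


if __name__ == "__main__":
    sp, idp, now = "https://ereserves.example.edu/sp", "https://idp.example.edu/shibboleth", 1_000_000
    a = idp_issue(idp, FEDERATION_METADATA[idp],
                  {"affiliation": ["student", "member"], "surname": ["Public"]}, sp, now)
    attrs, reason = sp_verify(a, sp, FEDERATION_METADATA, now + 10)
    print(reason, attrs, "E-Reserves:", sp_authorize(attrs, "member"))
```

This is the N+M point of the value-proposition slide in miniature: the SP configures one metadata set and one attribute standard, and every IdP in the federation is thereby reachable, where bilateral arrangements would need one key and one attribute agreement per IdP/SP pair.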
The Research and Education Federation Space
(diagram; labels: REF Cluster; InQueue (a starting point); Other clusters; Other potential US R+E feds; Other national nets; SWITCH; InCommon; NSDL; The Shib Research Club; State of Penn Fin Aid Assoc; Indiana; Slippery slope - Med Centers, etc)

As for Lisa
• Sez who?
  • What Lisa’s username and password are?
  • What she should be able to do?
  • What she should be prevented from doing?
• Scaling to the other 40,000 just like her on campus

As for Professor Alice
• What accounts and services should faculty members be given?
• At what point in the hiring process should these be activated?
• Methods need to scale to 20,000 faculty and staff
• In all of these, a full IAM infrastructure would provide the technical part of a solution

Policy issues re “credential” function: NetID
• When to assign, activate (as early as possible)
• Who gets them? Applicants? Prospects?
• “Guest” NetIDs (temporary, identity-less)
• Reassignment (never; except…)
• Who can handle them? Argument for WebISO.
Basic IAM functions mapped to the NMI / MACE components
(diagram; boxes: Systems of Record, Enterprise Directory, Apps / Resources; functions: AuthN, Log, Reflect, Provision, Join, Credential, AuthZ, Mng. Affil., Mng. Priv., Deliver; components: WebISO, Grouper, Signet, Shibboleth)

IAM functions & big pictures
(diagram; labels: Manage Grps, Log, AuthZ, Reflect, Provide/run-time, Join, Credential, Manage Privs, Provide/provision, (AuthN))

Topics
• What is Identity Management (IdM)?
• The IdM Stone Age
• A better vision for IdM
• An aside on the value of affiliation / group / privilege management services
• Basic IdM functions mapped to NMI/MACE components
• Demands on IT and how IdM services help

What is Identity Management (IdM)?
“Identity management is the set of business processes, and a supporting infrastructure, for the creation, maintenance, and use of digital identities.” The Burton Group (a research firm specializing in IT infrastructure for the enterprise)
• Identity Management in this sense is sometimes called “Identity and Access Management”
• What problems does Identity Management solve?

Identity Management is…
• “Hi! I’m Lisa.” (Identity)
• “…and here’s my NetID / password to prove it.” (Authentication)
• “I want to open the Portal to check my email.” (Authorization: allowing Lisa to use the services for which she’s authorized)
• “And I want to change my grade in last semester’s Physics course.” (Authorization: preventing her from doing things she’s not supposed to do)

Identity Management is also…
• New hire, Assistant Professor Alice
• Department wants to give her an email account before her appointment begins so they can get her off to a running start
• How does she get into our system and get set up with the accounts and services appropriate to faculty?