1 / 33

NSF Middleware Initiative: Identity and Privilege Management Model

NSF Middleware Initiative: Identity and Privilege Management Model. Michael Gettes, Duke University Jim Phelps, UW-Madison EDUCAUSE October 2005. Topics. What is Identity and Access Management (IAM)? An Institutional view of IAM Roles, Privileges and Authentication

kayla
Download Presentation

NSF Middleware Initiative: Identity and Privilege Management Model

An Image/Link below is provided (as is) to download presentation Download Policy: Content on the Website is provided to you AS IS for your information and personal use and may not be sold / licensed / shared on other websites without getting consent from its author. Content is provided to you AS IS for your information and personal use only. Download presentation by click this link. While downloading, if for some reason you are not able to download a presentation, the publisher may have deleted the file from their server. During download, if you can't get a presentation, the file might be deleted by the publisher.

E N D

Presentation Transcript

  1. NSF Middleware Initiative: Identity and Privilege Management Model Michael Gettes, Duke University Jim Phelps, UW-Madison EDUCAUSE October 2005

  2. Topics • What is Identity and Access Management (IAM)? • An Institutional view of IAM • Roles, Privileges and Authentication • Basic IAM functions mapped to NMI/MACE components • Open Source solutions coming to a store near you • Outside Forces • Q & A (we take questions as we go also) 2

  3. IAM and Application Integration 3

  4. IAM is… • “Hi! I’m Lisa.” (Identity) • “…and here’s my NetID / password to prove it.” (Authentication) • “I want to do some E-Reserves reading.” (Authorization : Allowing Lisa to use the services for which she’s authorized) • “And I want to change my grade in last semester’s Physics course.” (Authorization : Preventing her from doing things she’s not supposed to do) 4

  5. What questions are common to these scenarios? • Are the people using these services who they claim to be? • Are they a member of our campus community? • Have they been given permission? • Is their privacy being protected? • Policy/process issues lurk nearby 5

  6. Vision of a better way to do IAM IAM as a middleware layer at the service of any number of applications Requires an expanded set of basic functions 6

  7. Basic IAM functions Enterprise Directory Systems of Record Stdnt Registry LDAP Reflect HR Join Other Credential 7

  8. Role- and Privilege-based AuthZ • Privileges are what you can do • Roles are who you are, which can be the used for policy-based privileges • Both are viable, complementary for authorization 8

  9. Privilege Management Feature Summary 9

  10. Enterprise Directory AuthN Reflect Join Credential Mng. Affil. Mng. Priv. Basic IAM functions mapped to theNMI / MACE components Systems of Record 10

  11. The Environment Apps / Resources Enterprise Directory AuthN Systems of Record AuthN Log Reflect Provision Join Credential AuthZ Pass Attributes Mng. Affil. Mng. Priv. Log 11

  12. How full IdM layer helps • Improves scalability: IdM process automation • Improves agility: Keeping up with demands • Reduces complexity of IT ecosystem • Complexity as friction (wasted resources) • Improved user experience • Functional specialization: App developer can concentrate on app-specific functionality 12

  13. The Environment Apps / Resources Enterprise Directory AuthN Systems of Record AuthN Log Reflect Provision Join Credential AuthZ Pass Attributes Mng. Affil. Mng. Priv. Log Grouper Signet Shibboleth 13

  14. Managing Roles & Privileges:The Internet2 way Role-Based Access Control (RBAC) model • Users are placed into groups • Privileges are assigned to groups • Groups can be arranged into hierarchies to effectively bestow privileges • Signet manages privileges • Grouper manages, well, groups Grouper Signet 14

  15. Grouper • Grouper project of Internet2 MACE • Infrastructure at University of Chicago • User interface at Bristol University in UK • $upport from NSF Middleware Initiative (NMI) • http://middleware.internet2.edu/dir/groups 15

  16. Signet • Project Signet of Internet2 MACE • Development based at Stanford • $upport from NSF Middleware Initiative • http://middleware.internet2.edu/signet 16

  17. IAM functions 17

  18. Terminology • CSP - Credential Service Provider - A trusted entity issuing electronic credentials to subscribers (aka Identity Provider) • RA - Registration Authority - Vouches for the identity of a subscriber to a CSP • Identity Proofing - Process by which CSP and RA uniquely identify a person/entity • RP - Relying Party - an entity relying upon the credentials issued by a CSP (aka Service Provider) • LoA - Level of Assurance - Classification of ID proofing suitable for electronic use to control access to information 18

  19. What is a Federation? • A collection of organizations, having implemented some form of Identity Management, where Credential Service Providers (CSP, Universities) and Service Providers (SP, Content Providers) agree to “rules of engagement” (policy and attributes) using federating software (Shibboleth, SAML, PKI) 19

  20. What is a Federation? • Sounds simple? It can be. It can be made really complex, really fast. • www.nmi-edit.org for more info • CSPs and SPs retain control over their environments (identity data and access ctrl) • www.InCommonFederation.org • Approx 25 participants, Launched 4/2005 • Inqueue.internet2.edu • Testing/Playground for InCommon • >140 participants and growing 20

  21. Shibboleth and Federation • A note from our sponsors: Internet2 and NSF Middleware Initiatives • It’s real, uses SAML • Open source, freely available • Takes between 3 hours and 3 years to install -- depending on IdM infra • In production at various schools (duke!) • For internal apps & external Univ vendors • shibboleth.internet2.edu 21

  22. Inter-institutional integration • Virtual Organization (VOs) • GridShib development to enhance VOs working with Institutional Identity Mgmt Systems • Federations • Federal E-Authentication Initiative • League of Federations • The Interfederation Interoperability Working Group (IIWG). yes, it’s real 22

  23. Outside Forces… • Homeland Security Presidential Directive #12 • Policy for a Common Identification Standard for Federal Employees and Contractors • States there will be mandatory, Government-wide standards for secure authentication (not just E) • OMB E-Authentication Guidance M-04-04 • NIST Special Pub 800-63 (Electronic Authentication Guideline) • Defines 4 Levels of Assurance for E-Authentication. Impacts Credentialing. • Federal E-Authentication Initiative *** • Credential Assessment Framework 23

  24. www.cio.gov/eauthentication • US Government’s activity to implement HSPD-12 based on NIST SP800-63 to manage access to at least 24 major areas of service within the USG. • It will utilize technologies based on SAML and PKI/X.509 (shibboleth, Bridge Certification Authority and Hierarchical PKI models, other technologies as appropriate) 24

  25. Credential Assessment Framework (CAF) • Processes to assess the efficacy of a CSP. We, institutions of Higher Education, can all be seen as CSPs as well as Relying Parties for the services we offer ourselves and each other. • CAF is really only concerned for CSPs used by the Federal eAuth activities but there are lots of interconnects between HE and Fed so it impacts us in many ways. Hence, various projects active. 25

  26. One key resource to help you start building the IdM infrastructure • Enterprise Directory Implementation Roadmap http://www.nmi-edit.org/roadmap/ directories.html • Parallel project planning paths: • Technology/Architecture • Policy/Management 26

  27. The Environment Apps / Resources Enterprise Directory AuthN Systems of Record AuthN Log Reflect Provision Join Credential AuthZ Pass Attributes Mng. Affil. Mng. Priv. Log Grouper Signet Shibboleth 27

  28. Questions? 28

  29. 29

  30. Responding to requests:A new approach at UW-Madison • Campus leaders are defining new ways of channeling and responding to requests • Groups like the AuthNZ Coordinating Team (ACT) anticipate policy issues and sort through the concerns • They route findings and recommendations to the CIO office • The CIO Office take the issue to an appropriate campus body* 30

  31. 31

  32. Responding to requests:A new approach • The Identity Management Leadership Group (IMLG) will provide leadership on IdM issues when responding to: • Submission and/or maintenance of information online • Privacy protection • Increased compliance demands • Increased security threats 32

  33. Why a new group? • Technology is now more robust and services are considered foundational to the institution • Broader scope, e.g., new populations • New policy issues and more of them • Need for flexibility and quick turn-around time 33

More Related