
Managing Your Infrastructure in a Federated World

This session explores managing Federated Identity and Access Management (FIAM) in a production environment, focusing on the obligations and rules within and across institutions. The discussion covers the shifting dynamics of federated IAM, responsibilities of Identity Providers, and the impact on Service Providers. Real-life incident responses and post-incident reviews provide valuable insights for effective infrastructure management.





Presentation Transcript


  1. Managing Your Infrastructure in a Federated World
     CAMP – In Production: Management
     Tues, 22-June-2010, Raleigh, NC
     Kevin Morooney, Penn State, Moderator
     Keith Hazelton, UW-Madison
     Doug Falk, Nat’l Student Clearinghouse

  2. Guiding Question for Identity Provider Managers Out There
     • What do you need to know to do a good job managing Federated Identity and Access Management (FIAM)...
       • Within & across institutions
       • Without necessarily being a full-fledged FIAM techxpert

  3. What biz are Service Providers in?
     • Offer resources and services to individuals...
       • Whose identity can be reliably vouched for by an Identity Provider
       • Who hold a particular affiliation with an identified institution
       • Or have been granted access to said service offerings by an identified institution
     • All of the above defines the obligations of higher ed. and research institutions as IDENTITY PROVIDERS: mediating USER access to "external" SERVICE PROVIDER resources

  4. Identity Providers
     • Mediate USER access to "external" SERVICE PROVIDER resources
     • Via Federated IAM
     • Both a disruptive technology AND an enabling one

  5. What rules of the game get SHIFTED or CHANGED in a federated IAM world?

  6. Q: What Rules Change?
     • A: Obligations on IdM and WAM service providers (us in IT)
     • Gets us in New Biz: documenting & communicating on-the-fly
       • Identity assertions
       • Risk factors around our identity assertions
     • Gets us to partner with identity federations (InCommon) and with SPs
     • Gets us building a robust infrastructure to support and manage federated access...
     • Oops!

  7. Oops!
     From: Research admin at UW-Msn (IdP)
     Sent: Friday, 4:00 pm
     To: NIH CTSA (SP subcontractor) help desk
     Since Thursday we have not been able to log onto the NIH Clinical and Translational Science Award (CTSA) wiki. We go through the federation window to our UW verification/password and then we get the following error message: Unaccepted User Credentials…

  8. Oops!
     From: CTSA Help Desk (NIH SP subcontractor)
     Sent: Monday 4:00 pm
     To: NIH Federation Technical Support
     SSO Admins, Please see the message below from the University of Wisconsin-Madison. Can you please contact their IT POC and let them know that multiple participants are encountering this error message?

  9. Oops!
     From: NIH SSO Admin
     Sent: Monday 5:00 pm
     To: UW-Madison IdP Dev. Lead
     Univ of Wisconsin users aren’t able to log in to NIH as the signing cert for your university expired on March 8th in the InCommon metadata. Since our SP doesn’t accept assertions signed by expired certs the users are not able to log in. Can you guys update a new cert in the InCommon metadata?

  10. Oops!
     From: UW-Madison IdP Dev. Lead
     Sent: Tuesday, 9:00 am
     To: NIH SSO Admin
     Thanks for the notification. While I don't operate our IdP here anymore, I'll work with those that do to get a new cert in place and in the InCommon metadata.

  11. Oops!
     From: UW-Madison IdP Dev. Lead
     Sent: Wednesday, 10:00 am
     To: NIH SSO Admin
     A new (unexpired) cert is in yesterday's updated InCommon metadata and today after testing to make sure we didn't break anything else, we changed out the cert on our IdPs. I can't test the CTSA wiki, but it should work for UW-Madison users if you've got the updated metadata in place.

  12. Whew!
     From: NIH SSO Admin
     Sent: Wednesday, 2:00 pm
     To: UW-Madison IdP Dev. Lead
     We have now updated the metadata in our production systems. Here is the test URL https://federation.nih.gov/FederationGateway If this login is working, then we can ask the user to verify her login to CTSA.

  13. Post-incident Review
     • Let's do better monitoring of production IdP services. This was painful.
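One monitoring check that would have caught the incident above, added here as an example and not part of the presentation: it reads an IdP's EntityDescriptor (the same element the federation publishes for it in the InCommon aggregate), parses every certificate in the IdP role, and flags any that has already expired or expires within a warning window. The entity ID, the self-signed fixture certificate and the metadata snippet are constructed for the example; nothing here is real InCommon data.

```go
package main

import (
	"crypto/ed25519"
	"crypto/rand"
	"crypto/x509"
	"encoding/base64"
	"encoding/xml"
	"fmt"
	"math/big"
	"strings"
	"time"
)
// The parts of an IdP EntityDescriptor the check reads; tags are local names, so md:/ds: prefixes don't matter.
type entityDescriptor struct {
	EntityID string   `xml:"entityID,attr"`
	Certs    []string `xml:"IDPSSODescriptor>KeyDescriptor>KeyInfo>X509Data>X509Certificate"`
}

// checkIdPCerts lists every IdP-role cert that expires within warnWithin of now (negative days = already expired).
func checkIdPCerts(metadata string, now time.Time, warnWithin time.Duration) ([]string, error) {
	var e entityDescriptor
	if err := xml.Unmarshal([]byte(metadata), &e); err != nil {
		return nil, err
	}
	findings := []string{}
	for _, b64 := range e.Certs {
		der, err := base64.StdEncoding.DecodeString(strings.Join(strings.Fields(b64), "")) // feeds wrap/indent the base64
		if err != nil {
			return nil, fmt.Errorf("%s: bad X509Certificate: %w", e.EntityID, err)
		}
		cert, err := x509.ParseCertificate(der)
		if err != nil {
			return nil, fmt.Errorf("%s: %w", e.EntityID, err)
		}
		if left := cert.NotAfter.Sub(now); left < warnWithin {
			findings = append(findings, fmt.Sprintf("%s: cert NotAfter %s, %d days left", e.EntityID, cert.NotAfter.Format("2006-01-02"), int(left.Hours()/24)))
		}
	}
	return findings, nil
}
// sampleMetadata is a constructed fixture (not InCommon data): one IdP publishing a self-signed Ed25519 cert with the given NotAfter.
func sampleMetadata(entityID string, notAfter time.Time) string {
	pub, priv, _ := ed25519.GenerateKey(rand.Reader)
	tmpl := &x509.Certificate{SerialNumber: big.NewInt(1), NotBefore: notAfter.AddDate(-1, 0, 0), NotAfter: notAfter}
	der, _ := x509.CreateCertificate(rand.Reader, tmpl, tmpl, pub, priv)
	return fmt.Sprintf(`<md:EntityDescriptor xmlns:md="urn:oasis:names:tc:SAML:2.0:metadata" xmlns:ds="http://www.w3.org/2000/09/xmldsig#" entityID="%s"><md:IDPSSODescriptor><md:KeyDescriptor use="signing"><ds:KeyInfo><ds:X509Data><ds:X509Certificate>
  %s</ds:X509Certificate></ds:X509Data></ds:KeyInfo></md:KeyDescriptor></md:IDPSSODescriptor></md:EntityDescriptor>`, entityID, base64.StdEncoding.EncodeToString(der))
}
```

Run it on a schedule against the EntityDescriptor the federation actually publishes for your IdP, not only against your local copy, so a stale or rejected metadata submission shows up as a finding well before NotAfter.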

  14. As managers we can do anything…
     • As long as we understand it
     • So what about the view from the Service Provider angle??
