An Introduction to Identity and Access Management
Ken Klingenstein, Director, Internet2 Middleware and Security
Borrowed from Keith Hazelton (hazelton@doit.wisc.edu), Sr. IT Architect, University of Wisconsin-Madison

Topics
• What is Identity Management (IdM)?
• The IdM Stone Age
• A better vision for IdM
• An aside on the value of affiliation / group / privilege management services
• Basic IdM functions mapped to open source components
• Demands on IT and how IdM services help
Identity and Access Management (IAM) defined
• What is Identity Management? “Identity management is the set of business processes, and a supporting infrastructure, for the creation, maintenance, and use of digital identities.” The Burton Group (a research firm specializing in IT infrastructure for the enterprise)
• Identity Management in this sense is often called “Identity and Access Management” (IAM)
• What problems do Identity and Access Management address?

IAM is…
• “Hi! I’m Lisa.” (Identity)
• “…and here’s my NetID / password to prove it.” (Authentication)
• “I want to do some E-Reserves reading.” (Authorization: allowing Lisa to use the services for which she’s authorized)
• “And I want to change my grade in last semester’s Physics course.” (Authorization: preventing her from doing things she’s not supposed to do)

IAM is also…
• New hire, Assistant Professor Alice
• Department wants to give her an email account before her appointment begins so they can get her off to a running start
• How does she get into our system and get set up with the accounts and services appropriate to faculty?

What questions are common to these scenarios?
• Are the people using these services who they claim to be?
• Are they a member of our campus community?
• Have they been given permission?
• Is their privacy being protected?
• Policy/process issues lurk nearby
The IAM Stone Age
• List of functions:
  • AuthN: Authenticate principals (people, servers) seeking access to a service or resource
  • Log: Track access to services/resources

The IAM Stone Age
• Every application for itself in performing these functions
• User list, credentials; if you’re on the list, you’re in (AuthN is authorization (AuthZ))
• And some identifiers are assigned nationally, with uncertain value locally
Vision of a better way to do IAM
• IAM as a middleware layer at the service of any number of applications
• Requires an expanded set of basic functions
  • Reflect: Track changes to institutional data from changes in Systems of Record (SoR) & other IdM components
  • Join: Establish & maintain person identity across SoR
  • Credential: issue digital credentials to people in the community
  • …

Basic IAM functions mapped to the NMI / MACE components
[Diagram: Systems of Record (Student, HR, Other), Registry, Enterprise Directory (LDAP); functions shown: Join, Reflect, Credential]
Your Digital Identity and The Join
• The collection of bits of identity information about you in all the relevant IT systems at your institution
• For any given person in your community, do you know which entry in each system’s data store carries bits of their identity?
• If more than one system can “create a person record,” you have identity fragmentation

The pivotal concept of IAM: The Join
• Identity fragmentation cure #1: The Join
• Use business logic to
  • Establish which records correspond to the same person
  • Maintain that identity join in the face of changes to data in collected systems

Identity Information Access
• Some direct from the Enterprise Directory via reflection from SoR
• Other bits need to be made reachable by identifier crosswalks
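A worked illustration of the Join and the identifier crosswalk described on the last three slides, added here as example code (not from the deck or from any NMI/MACE component). The Systems of Record, their field names, the matching rule (same date of birth and same SSN last-4) and all records are constructed for the example.

```python
from dataclasses import dataclass, field

# Constructed sample records from two Systems of Record (field names are assumptions).
STUDENT_SOR = [
    {"student_id": "S-1001", "name": "Lisa Park", "dob": "1999-04-12", "ssn_last4": "4321"},
    {"student_id": "S-1002", "name": "Alice Chen", "dob": "1980-09-01", "ssn_last4": "8765"},
]
HR_SOR = [
    {"emplid": "E-77", "name": "Alice Chen", "dob": "1980-09-01", "ssn_last4": "8765"},
    {"emplid": "E-78", "name": "Bob Ruiz", "dob": "1975-02-20", "ssn_last4": "1111"},
]

@dataclass
class Registry:
    """Person registry: one registry id per real person, plus an identifier crosswalk."""
    next_id: int = 1
    people: dict = field(default_factory=dict)     # registry_id -> matching attributes
    crosswalk: dict = field(default_factory=dict)  # (sor_name, local_id) -> registry_id

    def _match(self, rec):
        # Business logic for the Join (a constructed rule): same DOB and same SSN
        # last-4 means same person. Name alone is deliberately NOT sufficient,
        # because two different people can share a name (a false merge is worse
        # than a duplicate, which the next change can still reconcile).
        for rid, attrs in self.people.items():
            if attrs["dob"] == rec["dob"] and attrs["ssn_last4"] == rec["ssn_last4"]:
                return rid
        return None

    def reflect(self, sor_name, local_id, rec):
        """Apply a new or changed SoR record and keep the join stable across updates."""
        key = (sor_name, local_id)
        rid = self.crosswalk.get(key) or self._match(rec)   # known record keeps its id
        if rid is None:                                       # genuinely new person
            rid = f"R{self.next_id:04d}"
            self.next_id += 1
        self.people[rid] = {k: rec[k] for k in ("name", "dob", "ssn_last4")}
        self.crosswalk[key] = rid
        return rid

    def identifiers_for(self, rid):
        """Crosswalk lookup: every (SoR, local identifier) pair that maps to this person."""
        return sorted(k for k, v in self.crosswalk.items() if v == rid)

def load_sample():
    reg = Registry()
    for r in STUDENT_SOR:
        reg.reflect("student", r["student_id"], r)
    for r in HR_SOR:
        reg.reflect("hr", r["emplid"], r)
    return reg
```

Alice appears in both SoRs and gets one registry id; a later HR update (say a name change) keeps that id because the crosswalk, not the name, anchors the join.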
Identity Fragmentation Cure #2
• When you can’t integrate, federate
• Federated Identity & Access Management
  • Rely on the Identity Management infrastructure of one or more institutions or units
  • To authenticate and pass authorization-related information to service providers or resource hosts
  • Via institution-to-provider agreements
  • Facilitated by common membership in a federation (like InCommon)
• Shibboleth is a way to move the authNZ info between parties

Basic IAM functions mapped to the NMI / MACE components
[Diagram: Systems of Record, Enterprise Directory, Apps / Resources; functions shown: Reflect, Join, Credential, AuthN, Log, Provision, Relay, AuthZ, Mng. Affil., Mng. Priv.; components shown: A-Select, CAS, etc. (AuthN), Grouper (Mng. Affil.), Signet (Mng. Priv.), Shibboleth (Relay)]
Vision of a better way to do IAM
• More in the expanded set of basic functions
  • Mng. Affil.: Manage affiliation and group information
  • Mng. Priv.: Manage privileges and permissions at system and resource level

Managing Roles & Privileges
Role-Based Access Control (RBAC) model
• Users are placed into groups
• Privileges are assigned to groups
• Groups can be arranged into hierarchies to effectively bestow privileges
• Signet manages privileges
• Grouper manages, well, groups
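The RBAC model on this slide, worked through as added example code (not Grouper or Signet code, and not from the deck): users are members of groups, privileges attach only to groups, nested groups bestow privileges down the hierarchy, and the final allow/deny is computed from those facts alone. The group names, privilege names and memberships are constructed; they echo the Lisa scenario from the earlier slide.

```python
# Constructed group hierarchy. A member is either a person ("u:...") or another
# group ("g:..."); listing a group as a member nests it inside the parent.
GROUPS = {
    "g:community":           {"members": ["g:faculty", "g:students"]},
    "g:faculty":             {"members": ["u:alice"]},
    "g:students":            {"members": ["u:lisa"]},
    "g:physics-instructors": {"members": ["u:alice"]},
}
# Privileges are assigned to groups, never directly to people (constructed names).
PRIVILEGES = {
    "g:community":           {"library:e-reserves:read"},
    "g:students":            {"lms:courses:read"},
    "g:physics-instructors": {"sis:grades:write"},
}

def groups_of(user, groups=GROUPS):
    """Every group the user belongs to, directly or through nested groups."""
    result, frontier = set(), set()
    for g, data in groups.items():
        if user in data["members"]:
            frontier.add(g)
    while frontier:
        g = frontier.pop()
        if g in result:
            continue          # guard against cycles and diamond-shaped hierarchies
        result.add(g)
        for parent, data in groups.items():
            if g in data["members"]:
                frontier.add(parent)   # walk up: parent's privileges apply too
    return result

def effective_privileges(user, groups=GROUPS, privs=PRIVILEGES):
    """Union of the privileges of every group the user is (transitively) in."""
    out = set()
    for g in groups_of(user, groups):
        out |= privs.get(g, set())
    return out

def authz(user, privilege):
    """Allow/deny decision, separate from how the user authenticated (AuthN)."""
    return privilege in effective_privileges(user)
```

Lisa can read E-Reserves through the nested community group but cannot write grades, while Alice can, because the privilege sits on a group she is in.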
Vision of a better way to do IAM
• More in the expanded set of basic functions
  • Provision: Push IAM info out to systems and services as required
  • Relay: Make access control / authorization information available to services and resources at run time
  • AuthZ: Make the allow/deny decision independent of AuthN

Provisioning
• Getting identity information where it needs to be
• For “Apps with Attitude,” this often means exporting reformatted information to them in a form they understand
• Using either App-provided APIs or tricks to write to their internal store
• Change happens, so this is an ongoing process

Two modes of app/IdM integration
• Domesticated applications:
  • Provide them the full set of IdM functions
• Applications with attitude (comes in the box):
  • Meet them more than halfway by provisioning
Alternative packaging of basic IdM
[Diagram: Systems of Record, Enterprise Directory (LDAP), Apps / Resources; functions shown: Reflect, Join, Credential, AuthN, Log, Provision, Relay, AuthZ, Mng. Affil.; components shown: Kerberos, LDAP, Directory Plug-ins]

Alternative packaging of basic IdM functions: Single System of Record as Enterprise Directory
[Diagram: Student/HR Info System as the single System of Record, Registry, LDAP; functions shown: "Join", Reflect, Credential]
Single SoR as Enterprise Directory
• Who “owns” the system?
• Do they see themselves as running shared infrastructure?
• Will any “external” populations ever become “internal?”
• What if the hospital negotiates a deal?
• Stress-test alternative packaging by thinking through the list of basic IdM functions

Same IdM functions, different packaging
• Your IdM infrastructure (existing or planned) may have different boxes & lines
• But somewhere, somehow this set of IdM functions is getting done
• Gives us all a way to compare our solutions by looking at various packagings of the IdM functions

From Construction to Integration
• Construction
  • Raw materials into systems
• Integration
  • Subsystems into whole systems
  • Multiple systems into ecosystems
• We’re all moving from construction to integration
• Let’s review the state of middleware systems’ readiness for integration
Middleware -- Application Integration
• ERPs
• SAKAI
• uPortal
• …

As for Lisa
• Sez who?
  • What Lisa’s username and password are?
  • What she should be able to do?
  • What she should be prevented from doing?
• Scaling to the other 40,000 just like her on campus

As for Professor Alice
• What accounts and services should faculty members be given?
• At what point in the hiring process should these be activated?
• Methods need to scale to 20,000 faculty and staff
• In all of these, a full IAM infrastructure would provide the technical part of a solution

Policy issues re “credential” function: NetID
• When to assign, activate (as early as possible)
• Who gets them? Applicants? Prospects?
• “Guest” NetIDs (temporary, identity-less)
• Reassignment (never; except…)
• Who can handle them? Argument for WebISO.

Inter-institutional integration: the transport function
• Federations
• Peering of federations
• Levels of assurance
• Attribute mapping
• WAYF functionality
• Virtual Organizations (VOs)
Alternatives to IP Address Based Access Restriction
• User-based access restriction
  • A. Each service provider manages credentials for all of its users
  • B. One big credential database of all users used by all service providers
  • C. Each user has a “home organization” whose credential database can, by magic, be used by each service provider
  • ???

Federated Identities
• “Federated identities” is option C on the previous slide
• A hierarchical approach to decompose the problem into manageable pieces
• Analogous to the problem that IAM addresses, and rests upon IAM infrastructure
• “Federating technology” is the “magic” part of option C
• “Identity federation” (noun) is a set of service providers, identity providers, and other context in which the magic happens
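Option C, the “magic” of the federating technology, worked through as added example code (not Shibboleth or any SAML implementation, and not from the deck): the home organization’s identity provider authenticates the user against its own credential store and hands the service provider a signed attribute assertion, and the service provider accepts it only from an issuer listed in its federation trust list, only if addressed to it, and only while fresh. The provider names, the HMAC shared key standing in for the agreement between the institution and the provider, and the user records are all constructed.

```python
import hashlib, hmac, json, time

# Constructed federation trust list: issuer -> key agreed in the institution-to-provider
# agreement. Real federations distribute signed metadata with public keys instead.
FEDERATION = {"idp.example.edu": b"constructed-shared-key"}

# The home organization's credential database never leaves the IdP (constructed; the
# stored value is a digest, the IdP never keeps the password itself).
IDP_CREDENTIALS = {"lisa": hashlib.sha256(b"correct horse battery staple").hexdigest()}
IDP_ATTRIBUTES = {"lisa": {"affiliation": "student"}}

def idp_login(user, password, audience, now=None):
    """Identity provider: authenticate locally; return a signed assertion or None."""
    stored = IDP_CREDENTIALS.get(user, "")
    if not hmac.compare_digest(stored, hashlib.sha256(password.encode()).hexdigest()):
        return None
    body = {"issuer": "idp.example.edu", "audience": audience, "subject": user,
            "attributes": IDP_ATTRIBUTES[user], "issued": now or int(time.time())}
    payload = json.dumps(body, sort_keys=True).encode()   # canonical form to sign
    sig = hmac.new(FEDERATION[body["issuer"]], payload, hashlib.sha256).hexdigest()
    return {"payload": payload, "sig": sig}

def sp_accept(assertion, my_name, now=None, max_age=300):
    """Service provider: (subject, attributes) if the assertion is trustworthy, else None."""
    body = json.loads(assertion["payload"])
    key = FEDERATION.get(body["issuer"])
    if key is None:
        return None                                  # issuer is not in the federation
    expected = hmac.new(key, assertion["payload"], hashlib.sha256).hexdigest()
    if not hmac.compare_digest(expected, assertion["sig"]):
        return None                                  # tampered or forged assertion
    if body["audience"] != my_name:
        return None                                  # meant for another service provider
    if (now or int(time.time())) - body["issued"] > max_age:
        return None                                  # stale: replayed long after issue
    return body["subject"], body["attributes"]
```

The service provider learns Lisa’s affiliation without ever seeing her password; the only thing it has to manage is its trust list.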
Federating Technologies
• SAML (Security Assertion Markup Language) implementations
  • Shibboleth
  • Bodington/Guanxi
  • AthensIM
  • SourceID
  • SAMUEL
  • MS ADFS
  • Other proprietary
• Liberty Identity Federation implementations
  • SourceID
  • Lasso
  • Proprietary
  • Others
• MS Inter-Forest Trust

IAM functions & big pictures
[Diagram: Reflect, Join, Credential, (AuthN), Log, AuthZ, Manage Grps, Manage Privs, Provide/provision, Provide/run-time]
A closer look at managing affiliations, groups and privileges
• How does this help the harried IT staff?

What is IT being asked to do?
• Automatic creation and deletion of computer accounts
• Personnel records access for legal compliance
• One stop for university services (portal) integrated with course management systems

What else is IT being asked to do?
• Student record access for life
• Submission and/or maintenance of information online
• Privacy protection

More on the To Do list
• Stay in compliance with a growing list of policy mandates
• Increase the level of security protections in the face of a steady stream of new threats

More on the To Do list
• Serve new populations (alumni, applicants, …)
• More requests for new services and new combinations of services
• Increased interest in eBusiness
• There is an Identity Management aspect to each and every one of these items

How a full IdM layer helps
• Improves scalability: IdM process automation
• Reduces complexity of the IT ecosystem
  • Complexity as friction (wasted resources)
• Improved user experience
• Functional specialization: App developer can concentrate on app-specific functionality