Managing Your Infrastructure in a Federated World CAMP – In Production: Management Tues, 22-June-2010, Raleigh, NC Kevin Morooney, Penn State, Moderator Keith Hazelton, UW-Madison Doug Falk, Nat’l Student Clearinghouse
Guiding Question for Identity Provider Managers Out There • What do you need to know to do a good job managing Federated Identity and Access Management (FIAM)... • Within & across institutions • Without necessarily being a full-fledged FIAM tech expert
What biz are Service Providers in? • Offer resources and services to individuals... • Whose identity can be reliably vouched for by an Identity Provider • Who hold a particular affiliation with an identified institution • Or have been granted access to said service offerings by an identified institution • All of the above defines the obligations of higher ed. and research institutions as IDENTITY PROVIDERS: mediating USER access to "external" SERVICE PROVIDER resources
Identity Providers • Mediate USER access to "external" SERVICE PROVIDER resources • Via Federated IAM • Both a disruptive technology AND an enabling one
What rules of the game get SHIFTED or CHANGED in a federated IAM world?
Q: What Rules Change? • A: Obligations on IdM and WAM (web access management) service providers (us in IT) • Gets us in New Biz: documenting & communicating on-the-fly • Identity assertions • Risk factors around our identity assertions • Gets us to partner with identity federations (InCommon) and with SPs • Gets us Building a robust infrastructure to support and manage federated access... • Oops!
Oops! From: Research admin at UW-Msn (IdP) Sent: Friday, 4:00 pm To: NIH CTSA (SP subcontractor) help desk Since Thursday we have not been able to log onto the NIH Clinical and Translational Science Award (CTSA) wiki. We go through the federation window to our UW verification/password and then we get the following error message: Unaccepted User Credentials…
Oops! From: CTSA Help Desk (NIH SP subcontractor) Sent: Monday 4:00 pm To: NIH Federation Technical Support SSO Admins, Please see the message below from the University of Wisconsin-Madison. Can you please contact their IT POC and let them know that multiple participants are encountering this error message?
Oops! From: NIH SSO Admin Sent: Monday 5:00 pm To: UW-Madison IdP Dev. Lead Univ of Wisconsin users aren't able to log in to NIH as the signing cert for your university expired on March 8th in the InCommon metadata. Since our SP doesn't accept assertions signed by expired certs the users are not able to log in. Can you guys update a new cert in the InCommon metadata?
Oops! From: UW-Madison IdP Dev. Lead Sent: Tuesday, 9:00 am To: NIH SSO Admin Thanks for the notification. While I don't operate our IdP here anymore, I'll work with those that do to get a new cert in place and in the InCommon metadata.
Oops! From: UW-Madison IdP Dev. Lead Sent: Wednesday, 10:00 am To: NIH SSO Admin A new (unexpired) cert is in yesterday's updated InCommon metadata and today after testing to make sure we didn't break anything else, we changed out the cert on our IdPs. I can't test the CTSA wiki, but it should work for UW-Madison users if you've got the updated metadata in place.
Whew! From: NIH SSO Admin Sent: Wednesday, 2:00 pm To: UW-Madison IdP Dev. Lead We have now updated the metadata in our production systems. Here is the test URL: https://federation.nih.gov/FederationGateway . If this login is working, then we can ask the user to verify her login to CTSA.
Post-incident Review • Let's do better monitoring of production IdP services. This was painful. • The expired signing cert in our federation metadata was found by the SP's users, not by us.
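The monitoring the review calls for, as an added example that is not part of the CAMP slides or any UW-Madison or InCommon tooling: a stdlib-only Python check that reads a SAML metadata document, pulls every KeyDescriptor an IdP publishes for signing (a KeyDescriptor with no `use` attribute counts, since it serves both signing and encryption), decodes the certificate's notAfter from the DER with a small ASN.1 walker, and reports anything expired or within a warning window. One caveat a practitioner should know: the SAML metadata interoperability profile tells relying parties to treat the key in metadata as the trust anchor and ignore the certificate's validity dates, but as the NIH exchange above shows, not every SP does, so an IdP operator should watch those dates anyway. The entityID, URLs and the unsigned certificate below are constructed for the example, not real InCommon data.

```python
import base64
import datetime as dt
import xml.etree.ElementTree as ET

NS = {"md": "urn:oasis:names:tc:SAML:2.0:metadata",
      "ds": "http://www.w3.org/2000/09/xmldsig#"}


def _tlv(buf, pos):
    """Read one DER tag-length-value at pos; return (tag, value_start, value_end)."""
    tag, length, pos = buf[pos], buf[pos + 1], pos + 2
    if length & 0x80:                        # long form: low 7 bits = number of length bytes
        n = length & 0x7F
        length, pos = int.from_bytes(buf[pos:pos + n], "big"), pos + n
    return tag, pos, pos + length


def _children(buf, start, end):
    """Yield (tag, value_start, value_end) for each element of a constructed value."""
    pos = start
    while pos < end:
        item = _tlv(buf, pos)
        yield item
        pos = item[2]


def cert_not_after(der):
    """notAfter of a DER X.509 certificate as an aware UTC datetime (stdlib only)."""
    _, cert_s, cert_e = _tlv(der, 0)                          # Certificate SEQUENCE
    _, tbs_s, tbs_e = next(_children(der, cert_s, cert_e))    # tbsCertificate
    fields = list(_children(der, tbs_s, tbs_e))
    if fields[0][0] == 0xA0:                                  # optional [0] EXPLICIT version
        fields = fields[1:]
    # fields: serialNumber, signature, issuer, validity, subject, subjectPublicKeyInfo, ...
    _, val_s, val_e = fields[3]
    tag, ts, te = list(_children(der, val_s, val_e))[1]       # validity = {notBefore, notAfter}
    text = der[ts:te].decode("ascii")
    if tag == 0x17:                                           # UTCTime YYMMDDHHMMSSZ: RFC 5280 century rule
        text = ("19" if int(text[:2]) >= 50 else "20") + text
    elif tag != 0x18:                                         # 0x18 = GeneralizedTime YYYYMMDDHHMMSSZ
        raise ValueError("unexpected Time tag 0x%02x" % tag)
    return dt.datetime.strptime(text, "%Y%m%d%H%M%SZ").replace(tzinfo=dt.timezone.utc)


def signing_certs(metadata_xml):
    """Yield (entityID, DER bytes) for every KeyDescriptor usable for signing.
    No 'use' attribute means signing AND encryption, so it is included; use="encryption" is skipped.
    Works on a single EntityDescriptor or on an EntitiesDescriptor aggregate."""
    root = ET.fromstring(metadata_xml)
    for ent in root.iter("{%s}EntityDescriptor" % NS["md"]):
        for kd in ent.iter("{%s}KeyDescriptor" % NS["md"]):
            if kd.get("use") == "encryption":
                continue
            for c in kd.findall(".//ds:X509Certificate", NS):
                yield ent.get("entityID"), base64.b64decode("".join(c.text.split()))


def check_metadata(metadata_xml, now, warn_days=30):
    """Return [(entityID, notAfter, 'OK'|'EXPIRING'|'EXPIRED')] for each signing cert."""
    report = []
    for entity_id, der in signing_certs(metadata_xml):
        not_after = cert_not_after(der)
        remaining = not_after - now
        status = ("EXPIRED" if remaining <= dt.timedelta(0)
                  else "EXPIRING" if remaining <= dt.timedelta(days=warn_days) else "OK")
        report.append((entity_id, not_after, status))
    return report


# --- constructed test data: not a real certificate and not real InCommon metadata ---

def _der(tag, content):
    """Encode one DER TLV (short or long length form)."""
    n = len(content)
    if n < 0x80:
        return bytes([tag, n]) + content
    lb = n.to_bytes((n.bit_length() + 7) // 8, "big")
    return bytes([tag, 0x80 | len(lb)]) + lb + content


def _time(d):
    """UTCTime before 2050, GeneralizedTime from 2050 on, as RFC 5280 requires."""
    if d.year < 2050:
        return _der(0x17, d.strftime("%y%m%d%H%M%SZ").encode())
    return _der(0x18, d.strftime("%Y%m%d%H%M%SZ").encode())


def fake_cert_der(not_after):
    """Structurally valid but unsigned certificate with the given notAfter; test data only."""
    tbs = _der(0x30, b"".join([
        _der(0xA0, _der(0x02, b"\x02")),       # [0] version v3
        _der(0x02, b"\x01"),                    # serialNumber
        _der(0x30, b""),                        # signature AlgorithmIdentifier (empty placeholder)
        _der(0x30, b""),                        # issuer Name (empty placeholder)
        _der(0x30, _time(not_after - dt.timedelta(days=365)) + _time(not_after)),  # validity
        _der(0x30, b""),                        # subject Name (empty placeholder)
        _der(0x30, b""),                        # subjectPublicKeyInfo (empty placeholder)
    ]))
    return _der(0x30, tbs + _der(0x30, b"") + _der(0x03, b"\x00"))  # + signatureAlgorithm, signatureValue


def sample_metadata(signing_not_after):
    """Hypothetical IdP EntityDescriptor: one signing key (no 'use' attribute) and one
    already-expired encryption key, to show that only the signing key is reported."""
    sign = base64.b64encode(fake_cert_der(signing_not_after)).decode()
    enc = base64.b64encode(fake_cert_der(dt.datetime(2009, 1, 1, tzinfo=dt.timezone.utc))).decode()
    return f"""<md:EntityDescriptor xmlns:md="{NS['md']}" xmlns:ds="{NS['ds']}"
    entityID="https://idp.example.edu/idp/shibboleth">
  <md:IDPSSODescriptor protocolSupportEnumeration="urn:oasis:names:tc:SAML:2.0:protocol">
    <md:KeyDescriptor><ds:KeyInfo><ds:X509Data>
      <ds:X509Certificate>{sign}</ds:X509Certificate></ds:X509Data></ds:KeyInfo></md:KeyDescriptor>
    <md:KeyDescriptor use="encryption"><ds:KeyInfo><ds:X509Data>
      <ds:X509Certificate>{enc}</ds:X509Certificate></ds:X509Data></ds:KeyInfo></md:KeyDescriptor>
  </md:IDPSSODescriptor>
</md:EntityDescriptor>"""


if __name__ == "__main__":
    now = dt.datetime.now(dt.timezone.utc)
    for entity_id, not_after, status in check_metadata(sample_metadata(now + dt.timedelta(days=10)), now):
        print(f"{status:8} {entity_id} notAfter={not_after:%Y-%m-%d}")
```

In production you would point `check_metadata` at the IdP's own metadata as published by the federation (the copy SPs actually consume, not the one on local disk) and page on EXPIRING well before the date, since rolling a key across a federation takes a metadata publication cycle plus every SP's refresh interval.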
As managers we can do anything… • As long as we understand it • So what about the view from the Service Provider angle?