Trends in Identity Management
Nate Klingenstein, Internet2
EDUCAUSE Security Professional 2007
Topics
• Federated Identity
  • Extending enterprise security
  • Application to network security protocols
• Peer-to-Peer Identity
  • OpenID
• Convergence & Divergence
  • Web Access Federations and Network Security
  • Do these communities meaningfully overlap?
Federated Identity
• Leverages local identities to access remote resources
  • Enterprise directories & authentication
• Organizations trust each other
  • Decentralized center
  • Multiple federations
• Federated identity is distinct from federations
  • Can have federated ID without federations
Technical Basis of Exchange
• Attributes
• Identity Providers (IdP)
  • Assert authentication and attribute information
• Service Providers (SP)
  • Receive and process attributes and authentications
• Metadata
Trust Basis for Exchange
• IdP asserts good information
• SP disposes of information received properly
• Logging
  • Tracking down malfeasants is cooperative but always possible
• Everything always boils down to a bilateral exchange
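An added illustration, not from the original slides, of what "SP receives and processes attributes" and the trust basis above amount to in code: the consumer-side checks an SP performs before it trusts an IdP's assertion, run over a constructed SAML 2.0 assertion. The entityIDs are assumed values, and XML signature verification is deliberately left out.

```python
"""Constructed example: SP-side checks before trusting an IdP's assertion.
Issuer must be in federation metadata, the assertion must be within its validity
window and addressed to this SP; XML signature verification (mandatory in a real SP,
using the IdP key from metadata) is omitted because it needs an xmlsec library."""
import xml.etree.ElementTree as ET
from datetime import datetime, timedelta, timezone

NS = {"saml": "urn:oasis:names:tc:SAML:2.0:assertion"}
# Stand-in for federation metadata: the entityIDs this SP trusts (assumed values).
TRUSTED_IDPS = {"https://idp.example.edu/idp/shibboleth": "Example University"}
SP_ENTITY_ID = "https://sp.example.org/shibboleth"   # assumed value
CLOCK_SKEW = timedelta(minutes=3)                    # tolerated IdP/SP clock drift

def _ts(text):
    return datetime.strptime(text, "%Y-%m-%dT%H:%M:%SZ").replace(tzinfo=timezone.utc)

def process_assertion(xml_text, now_iso):
    """Return (accepted, reason, attributes); attributes are empty unless accepted."""
    now = _ts(now_iso)
    root = ET.fromstring(xml_text)
    issuer = root.findtext("saml:Issuer", namespaces=NS)
    if issuer not in TRUSTED_IDPS:
        return False, "unknown issuer", {}
    cond = root.find("saml:Conditions", NS)
    if cond is None:
        return False, "missing Conditions", {}
    if now + CLOCK_SKEW < _ts(cond.get("NotBefore")):
        return False, "not yet valid", {}
    if now - CLOCK_SKEW >= _ts(cond.get("NotOnOrAfter")):
        return False, "expired", {}
    audiences = [a.text for a in cond.findall("saml:AudienceRestriction/saml:Audience", NS)]
    if SP_ENTITY_ID not in audiences:
        return False, "not addressed to this SP", {}
    attrs = {}
    for attr in root.findall("saml:AttributeStatement/saml:Attribute", NS):
        attrs[attr.get("Name")] = [v.text for v in attr.findall("saml:AttributeValue", NS)]
    # Accountability log: who asserted, to whom, when, and which attribute names (not values).
    print("accepted assertion from %s (%s) for %s at %s; attributes: %s"
          % (issuer, TRUSTED_IDPS[issuer], SP_ENTITY_ID, now_iso, sorted(attrs)))
    return True, "ok", attrs

# Constructed, unsigned SAML 2.0 assertion as released by the trusted IdP above.
SAMPLE_ASSERTION = """<saml:Assertion xmlns:saml="urn:oasis:names:tc:SAML:2.0:assertion"
  ID="_a1" Version="2.0" IssueInstant="2007-04-10T12:00:00Z">
 <saml:Issuer>https://idp.example.edu/idp/shibboleth</saml:Issuer>
 <saml:Conditions NotBefore="2007-04-10T12:00:00Z" NotOnOrAfter="2007-04-10T12:05:00Z">
  <saml:AudienceRestriction><saml:Audience>https://sp.example.org/shibboleth</saml:Audience></saml:AudienceRestriction>
 </saml:Conditions>
 <saml:AttributeStatement>
  <saml:Attribute Name="eduPersonPrincipalName"><saml:AttributeValue>jdoe@example.edu</saml:AttributeValue></saml:Attribute>
  <saml:Attribute Name="eduPersonAffiliation"><saml:AttributeValue>member</saml:AttributeValue><saml:AttributeValue>student</saml:AttributeValue></saml:Attribute>
 </saml:AttributeStatement>
</saml:Assertion>"""
```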
Trust Basis for Exchange
• Centralized federation services
  • Metadata
  • Auditing
  • Attribute standardization
  • Other rules
• Extensions and merges of existing identities
  • Virtual Organizations
SAML-based Higher Ed Federations
• Australia
• Belgium
• Canada
• China
• Denmark
• Finland
• France
• Germany
• Greece
• New Zealand
• Norway
• Spain
• Sweden
• Switzerland
• The Netherlands
• United Kingdom
• United States
InCommon: U.S. Higher Ed Federation
• Multiple levels of assurance
  • Bronze, Silver, Gold, or basic
• Identity information managed by central IT
  • Where are the attributes you need?
  • No guidance on attribute release
• http://www.incommonfederation.org
Security Assertion Standards
• SAML 1.1 (Shibboleth 1.x)
• SAML 2.0
• ID-WSF
• WS-Trust
• WS-Security
• Many other WS-*
• Many other others
Standards Convergence
[Timeline diagram, 2002 to 2004: ID-FF 1.1, ID-FF 1.2, SAML 1.0, SAML 1.1, SAML 2.0, Shibboleth 1.x]
Peer-to-Peer Trust
• Self-issued credentials
• Usually bootstrapped through personal interaction
  • Joe sent me his PKC in an IM, and I know this is Joe because of our secret handshake
  • And I know that’s his screen-name because…
• Differentiate between quality of initial authentication and subsequent value
  • Unauthenticated email sure is popular…
OpenID
• Codification of that community trust
• Using URLs
• A simple protocol
  • Basic attributes
  • Plug-ins for most web environments
• Many other approaches, some based on heavier technology
• Deployed in blogosphere and beyond
  • No attempts to integrate with network security
  • But growing corporate interest and support
OpenID/SAML Convergence
• There are protocols and there are tokens
  • WS-Trust
  • WS-Security
  • CardSpace
• Solutions address somewhat different needs
  • Room for co-existence
  • But interoperability would still be nice
• Some cooperation between the two communities in looking for convergence opportunities
Related Projects
• Higgins
  • A set of interfaces that try to abstract identity management
• Microsoft ADFS
  • Shibboleth interoperability
• XACML
  • Layered in SAML assertions
  • Its own protocol
Big Changes
• Federated Identity evolving from Web SSO to other applications
• Maturation of vendor products in the IdM space
• Increasingly, Federated IdM packages support multiple protocols; sites make choices based on “value add”
• Growing interest in using Levels of Assurance (LoA)
• Growing interest in Inter-Federation
Federated Identity for Network Authentication
• Traveling individuals
• Attribute-based access control
• Privacy
• Accountability
Current Deployments
• Shibboleth-based wireless authentication at University of Texas
  • It’s a hack
  • Use Shibboleth to populate a database that the RADIUS server can draw on
  • Supports multiple access groups
  • Hugely popular with the university brass
• https://spaces.internet2.edu/display/SHIB/ShibbolizedWireless
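An added sketch, not the University of Texas code (which the slide does not show), of the hack described above: a Shibboleth-protected enrolment step writes a time-limited record to a database, and the RADIUS backend only looks that record up. The table layout, the affiliation-to-group mapping and the record lifetime are assumptions.

```python
"""Constructed example of the Shibboleth-populated database a RADIUS server draws on.
A Shibboleth-protected enrolment page receives the attributes the IdP released,
maps the user's affiliation to a wireless access group and stores a short-lived
record; the RADIUS backend only looks that record up. Table layout, the
affiliation-to-group mapping and the record lifetime are assumptions."""
import sqlite3
from datetime import datetime, timedelta

# Most privileged group first; an affiliation with no mapping gets no wireless access.
GROUP_FOR_AFFILIATION = [("faculty", "staff-net"), ("staff", "staff-net"),
                         ("student", "student-net"), ("member", "guest-net")]
RECORD_TTL = timedelta(hours=8)   # records expire so a stale enrolment cannot linger

def open_db():
    db = sqlite3.connect(":memory:")
    db.execute("CREATE TABLE wireless_users (eppn TEXT PRIMARY KEY, access_group TEXT,"
               " expires TEXT, idp TEXT)")
    return db

def access_group(affiliations):
    for affiliation, group in GROUP_FOR_AFFILIATION:
        if affiliation in affiliations:
            return group
    return None

def provision(db, attrs, idp, now_iso):
    """Enrolment step, run behind Shibboleth: returns the granted group or None."""
    eppn = attrs.get("eduPersonPrincipalName")
    group = access_group(attrs.get("eduPersonAffiliation", []))
    if not eppn or group is None:
        return None
    expires = datetime.fromisoformat(now_iso) + RECORD_TTL
    db.execute("INSERT OR REPLACE INTO wireless_users VALUES (?, ?, ?, ?)",
               (eppn, group, expires.isoformat(), idp))
    db.commit()
    return group

def radius_lookup(db, eppn, now_iso):
    """What the RADIUS backend asks: is this user enrolled, and in which group?"""
    row = db.execute("SELECT access_group, expires FROM wireless_users WHERE eppn = ?",
                     (eppn,)).fetchone()
    if row is None or datetime.fromisoformat(row[1]) <= datetime.fromisoformat(now_iso):
        return None
    return row[0]
```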
Current Deployments
• eduroam
  • Global RADIUS infrastructure using 802.1X
  • Widespread adoption by European higher ed
  • Multiple countries in Asia & Oceania
  • U.S. under-represented
• http://www.eduroam.org/
• Let’s look at the policies…
Revealing Challenges
• What security policies will be enacted on an eduroam visitor?
  • Japan wants to mandate that once access is granted via eduroam a VPN tunnel home be established for all further traffic
• What information do people need to know?
  • Which attributes are required?
  • Does anonymity matter?
SAML, RADIUS, DIAMETER
• RADIUS profile of SAML
  • http://tinyurl.com/24m9pm
• DAMe project
  • DIAMETER supporting SAML
• Slide theft
  • Diego Lopez of RedIRIS
InCommon
• U.S. higher education federation
• 50 participants and counting
• Oriented around access to web resources
  • EBSCO, ScienceDirect, JSTOR, Napster, Turnitin, etc.
• SAML-centric
Questions for You
• What could you do with federated identity?
• What information do you need to know before making your various decisions?
• Can InCommon address your collaboration or network authentication needs?
• How would you do inter-realm network security?