
Edugate



Presentation Transcript


  1. Edugate Glenn Wearen HEAnet.

  2. Summary
     • 1 year Pilot Project / 2 years in production
     • All IoT’s, Universities, Colleges, but only half of HEAnet’s members
     • Core service at some institutions but light use at others

  3. So, where to now?
     • Extended Attribute Schema
     • Higher Identity Assurance
     • Strong Authentication
     • Account Provisioning
     • Cross institutional groups
     • New Identity Protocols
     • Statistics
     • Bilateral Trusts
     • Expansion beyond HEAnet
     • SSO for non-web applications
     • Aggregated identities
     • Logout

  4. 1. Extended Attribute Schema
     Students
     • Do you have photos?
     • Can I tell if a user is part-time/full-time?
     • What course is the student pursuing?
     Staff
     • Cost-center code (for eProcurement)
     • ResearcherID / AuthorID
     • Availability calendar
     • Telephone number

  5. 2. Higher Identity Assurance
     Would you use Edugate for eProcurement?
     • On-campus (cross charging for campus services)
     • Shared procurement portal (Shannon Consortium Procurement Network)
     • External suppliers (vikingdirect.ie/officedepot.ie)
     The Service Provider will seek assurances that the identity is of sufficient quality to underpin a cardless financial transaction.

  6. 3. Strong Authentication
     Passwords are the root of all e-vil
     • Easily shared
     • Easily forgotten
     • Frequently exposed
     • No common password policy
     • Password changes not enforced

  7. 3. Strong Authentication
     • SSO helps to eliminate passwords
     • Consolidating onto a single (or single+1) credential allows for strong authentication
     • 2-factor authentication / strong password policy
     • SSO systems can protect sensitive resources
       - re-authentication
       - ‘step-up’ authentication
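How an SP can enforce the re-authentication and step-up behaviour described on this slide, as an added example (not code from the presentation or from Edugate). The AuthnContext class URIs are the real SAML 2.0 ones; the strength ranking, the per-resource policy, the session shape and the fixed "current time" are constructed for the example.

```python
"""Step-up / re-authentication decision for an SSO-protected resource (added example)."""
from dataclasses import dataclass
from datetime import datetime, timedelta, timezone
from typing import Optional

# Real SAML 2.0 AuthnContext class URIs; the numeric strength ranking is a constructed policy.
AC = "urn:oasis:names:tc:SAML:2.0:ac:classes:"
STRENGTH = {
    AC + "Password": 1,
    AC + "PasswordProtectedTransport": 2,
    AC + "TimeSyncToken": 3,      # one-time-password token, i.e. a second factor
    AC + "SmartcardPKI": 4,
}

# Constructed "current time" used by the demo helper and the usage below.
NOW = datetime(2012, 3, 5, 12, 0, tzinfo=timezone.utc)


@dataclass
class Session:
    subject: str
    authn_context: str        # AuthnContextClassRef carried in the assertion
    authn_instant: datetime   # AuthnStatement/@AuthnInstant: when the IdP verified the user


@dataclass
class ResourcePolicy:
    min_context: str          # weakest acceptable AuthnContext class
    max_age: timedelta        # how recent the IdP-side authentication must be


# Constructed per-resource policy: the procurement area wants a second factor and a fresh login.
POLICIES = {
    "/library": ResourcePolicy(AC + "PasswordProtectedTransport", timedelta(hours=8)),
    "/eprocurement": ResourcePolicy(AC + "TimeSyncToken", timedelta(minutes=15)),
}


def demo_session(context_suffix: str, minutes_ago: int) -> Session:
    """Constructed session whose IdP authentication happened minutes_ago before NOW."""
    return Session("alice@univ-a.example", AC + context_suffix, NOW - timedelta(minutes=minutes_ago))


def step_up_required(session: Session, path: str, now: datetime) -> Optional[dict]:
    """Return None if the session satisfies the resource policy, otherwise the
    AuthnRequest parameters the SP should send to obtain a stronger or fresher login."""
    policy = POLICIES[path]
    have = STRENGTH.get(session.authn_context, 0)   # unknown class: treat as weakest
    need = STRENGTH[policy.min_context]
    if have < need:
        reason = "context"
    elif now - session.authn_instant > policy.max_age:
        reason = "age"
    else:
        return None
    # ForceAuthn makes the IdP re-verify the user instead of silently reusing its SSO session.
    return {"reason": reason, "requested_context": policy.min_context, "force_authn": True}


def authn_request_fragment(decision: dict) -> str:
    """The AuthnRequest attributes/elements that express the step-up
    (ID, Version, IssueInstant and Issuer are omitted here for brevity)."""
    return (
        f'<samlp:AuthnRequest ForceAuthn="{str(decision["force_authn"]).lower()}">'
        '<samlp:RequestedAuthnContext Comparison="minimum">'
        f'<saml:AuthnContextClassRef>{decision["requested_context"]}</saml:AuthnContextClassRef>'
        '</samlp:RequestedAuthnContext></samlp:AuthnRequest>'
    )


if __name__ == "__main__":
    s = demo_session("PasswordProtectedTransport", 60)
    print(step_up_required(s, "/library", NOW))
    print(authn_request_fragment(step_up_required(s, "/eprocurement", NOW)))
```

The decision is keyed on the assertion's AuthnInstant, not on the SP's own session creation time: the SP session may be fresh while the IdP authentication behind it is hours old, which is exactly the case a sensitive resource wants to catch.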

  8. 4. Account Provisioning
     • On-campus, provisioning is a minor problem, but for cloud/hosted/outsourced services provisioning is a significant problem
     • Invitation systems require:
       - email address of all potential users (one-time URL)
       - approval workflows (open URL)

  9. 4. Account Provisioning
     • Bulk provisioning
     • Handling of bulk files is a significant risk
     • Out of sync almost immediately
     • De-provisioning rarely handled
     • Accounts created for users who might never login

  10. 4. Account Provisioning
     Just-in-Time provisioning
     Standards emerging
     • Simple Cloud Identity Management (SCIM)
     But, Service Providers are familiar with:
     • LDAP: enter username/password, authenticate, query for attributes
     • OAuth: enter user ID, authenticate, get token, query for attributes
     • API: enter a user identifier, query for attributes, forever
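The just-in-time approach from slides 8 to 10 in working form, as an added example (not Edugate's or any SP's code): an account is created or refreshed from the attributes of each successful login, idle accounts are disabled rather than forgotten, and a bulk file can be diffed against what the SP has actually seen. The attribute names are the real eduPerson/inetOrgPerson ones; the account store, the sample users and the time constants are constructed.

```python
"""Just-in-time provisioning from federation attributes, with stale-account clean-up (added example)."""
from datetime import datetime, timedelta, timezone

T0 = datetime(2012, 3, 5, 9, 0, tzinfo=timezone.utc)   # constructed reference time
DAY = timedelta(days=1)

REQUIRED = ("eduPersonPrincipalName", "mail", "eduPersonAffiliation")


class AccountStore:
    """In-memory stand-in for the SP's user database, keyed by eduPersonPrincipalName."""

    def __init__(self):
        self.accounts = {}

    def provision_on_login(self, attrs: dict, now: datetime) -> dict:
        """Called after a successful SSO login. Creates or refreshes the account from the
        assertion, so it cannot drift from the IdP the way a bulk file does."""
        missing = [a for a in REQUIRED if not attrs.get(a)]
        if missing:
            # Refuse rather than create a half-populated account.
            raise ValueError(f"assertion lacks required attributes: {missing}")
        eppn = attrs["eduPersonPrincipalName"]
        acct = self.accounts.get(eppn)
        if acct is None:
            acct = {"created": now, "disabled": False}
            self.accounts[eppn] = acct
        acct.update(
            mail=attrs["mail"],
            affiliation=sorted(attrs["eduPersonAffiliation"]),
            displayName=attrs.get("displayName", eppn),
            last_login=now,
            disabled=False,          # a successful login re-enables a previously idle account
        )
        return acct

    def deprovision_stale(self, now: datetime, max_idle: timedelta) -> list:
        """Disable accounts unseen for max_idle. Disable, never delete: audit records
        and content ownership still refer to them."""
        disabled = []
        for eppn, acct in self.accounts.items():
            if not acct["disabled"] and now - acct["last_login"] > max_idle:
                acct["disabled"] = True
                disabled.append(eppn)
        return sorted(disabled)


def bulk_file_drift(bulk_rows: list, store: AccountStore) -> dict:
    """Compare a bulk-provisioned list with what JIT has actually seen: rows for users
    who never logged in, and live accounts the file has already forgotten."""
    in_file = {r["eduPersonPrincipalName"] for r in bulk_rows}
    seen = set(store.accounts)
    return {"never_logged_in": sorted(in_file - seen), "missing_from_file": sorted(seen - in_file)}


if __name__ == "__main__":
    store = AccountStore()
    store.provision_on_login({"eduPersonPrincipalName": "alice@univ-a.example",
                              "mail": "alice@univ-a.example",
                              "eduPersonAffiliation": ["member", "student"]}, T0)
    print(store.deprovision_stale(T0 + 100 * DAY, 90 * DAY))
```

Disabling instead of deleting keeps the de-provisioning step reversible: the next successful login through the federation turns the account back on with current attributes, which is the behaviour a bulk file cannot give.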

  11. 5. Cross institutional groups
     • Cross institutional/federation groups (Virtual Organisations)
     • The Identity Provider doesn’t know all the collaborations or projects that a user participates in.
     • This makes authorisation difficult for Service Providers (e.g. a Project Portal)

  12. 5. Cross Institutional Groups
     • Establish an Edugate group repository:
       - this can be queried by IdP’s during the preparation of attributes for an assertion
       - this can be queried by SP’s provided the repository has a user identifier
     • Self-asserted group membership
     • Group membership approvals or invitations
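A minimal version of the group repository this slide proposes, as an added example (not Edugate's design or code): a user can self-assert membership, only an owner's approval makes it visible, and an IdP merges the repository's answer into the isMemberOf attribute while preparing an assertion. The isMemberOf and eduPersonPrincipalName attribute names are real; the group URN, the users and the repository structure are constructed.

```python
"""Federation group repository with self-assertion, approval and IdP attribute merge (added example)."""
from collections import defaultdict


class GroupRepository:
    """Membership is either self-asserted (pending) or approved by the group owner."""

    def __init__(self):
        self.owners = {}                      # group -> owner eppn
        self.approved = defaultdict(set)      # group -> approved members
        self.pending = defaultdict(set)       # group -> self-asserted, awaiting approval

    def create_group(self, group: str, owner: str) -> None:
        self.owners[group] = owner
        self.approved[group].add(owner)

    def self_assert(self, group: str, eppn: str) -> None:
        """A user claims membership; recorded, but not released until approved."""
        if group not in self.owners:
            raise KeyError(f"unknown group {group}")
        if eppn not in self.approved[group]:
            self.pending[group].add(eppn)

    def approve(self, group: str, approver: str, eppn: str) -> None:
        """Only the owner can promote a pending (or invited) user to approved."""
        if self.owners.get(group) != approver:
            raise PermissionError(f"{approver} does not own {group}")
        self.pending[group].discard(eppn)
        self.approved[group].add(eppn)

    def groups_for(self, eppn: str) -> list:
        """What IdPs and SPs may query: approved memberships only, never self-asserted ones."""
        return sorted(g for g, members in self.approved.items() if eppn in members)


def resolve_attributes(idp_attrs: dict, repo: GroupRepository) -> dict:
    """IdP-side attribute preparation: union the repository's groups with the groups the
    IdP already knows about, leaving every other attribute untouched."""
    eppn = idp_attrs["eduPersonPrincipalName"]
    local = set(idp_attrs.get("isMemberOf", []))
    merged = dict(idp_attrs)
    merged["isMemberOf"] = sorted(local | set(repo.groups_for(eppn)))
    return merged


if __name__ == "__main__":
    repo = GroupRepository()
    repo.create_group("urn:edugate:group:project-x", "pi@univ-a.example")
    repo.self_assert("urn:edugate:group:project-x", "alice@college-b.example")
    repo.approve("urn:edugate:group:project-x", "pi@univ-a.example", "alice@college-b.example")
    print(resolve_attributes({"eduPersonPrincipalName": "alice@college-b.example"}, repo))
```

Keeping the pending set separate from the approved set is the whole point: an SP that authorises on isMemberOf must never see a membership the user merely claimed.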

  13. 6. New Identity Protocols
     OpenID Connect
     • Addresses weaknesses and shortcomings of OpenID
     OAuth2
     • Allows retrieval of user data when the user is not present
     WIF
     • Predominant identity protocol for Microsoft services

  14. 6. New Identity Protocols
     • Should Edugate add new protocols?
     • Cost?
     • Benefit?

  15. 7. Statistics and Monitoring
     • Are my users able to access service X?
     • Why are my users accessing service Y?
     • How come I’ve no users from institution A?
     • Why are we so popular with institution B?
     • What is the most widely used Edugate service?
     • What is the least used service?
     • Is Edugate being used? Or being used more?

  16. 7. Statistics and Monitoring
     • Is IdP X up?
     • Are there high rates of attrition?
     • Are [staff|students] able to authenticate?
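Several of the questions on slides 15 and 16 can be answered from a federation audit log, and the added example below does so over a handful of constructed log lines (this is not Edugate's code, and the one-line-per-event format is invented for the example; the failure reasons reuse SAML status code names). The list of known IdPs is what lets "no events from institution A" be distinguished from "A is not in the federation".

```python
"""Answering the monitoring questions from a federation audit log (added example).
The log format is constructed for this example, not that of any real IdP or SP software."""
import re
from collections import Counter, defaultdict

# Constructed sample: one authentication event per line, one deliberately corrupt line.
SAMPLE_LOG = """\
2012-03-05T09:14:02Z idp=idp.univ-a.example sp=library.example result=success
2012-03-05T09:15:30Z idp=idp.univ-a.example sp=portal.example result=success
2012-03-05T09:16:01Z idp=idp.college-b.example sp=library.example result=failure reason=InvalidNameIDPolicy
2012-03-05T09:17:45Z idp=idp.college-b.example sp=library.example result=failure reason=InvalidNameIDPolicy
this line is corrupt and must be skipped
2012-03-05T09:18:10Z idp=idp.college-b.example sp=library.example result=failure reason=RequestDenied
2012-03-05T09:20:00Z idp=idp.univ-a.example sp=library.example result=success
"""

# Every IdP registered in the federation, so silence can be told apart from absence.
KNOWN_IDPS = ["idp.univ-a.example", "idp.college-b.example", "idp.institute-c.example"]

LINE = re.compile(
    r"^(?P<ts>\S+) idp=(?P<idp>\S+) sp=(?P<sp>\S+) result=(?P<result>success|failure)"
    r"(?: reason=(?P<reason>\S+))?$"
)


def parse(log: str):
    """Yield one dict per well-formed line; malformed lines are dropped, not fatal."""
    for raw in log.splitlines():
        m = LINE.match(raw)
        if m:
            yield m.groupdict()


def report(log: str, known_idps, min_events: int = 3, max_failure_ratio: float = 0.5) -> dict:
    by_sp = Counter()                    # successful logins per SP
    outcomes = defaultdict(Counter)      # idp -> {"success": n, "failure": n}
    reasons = defaultdict(Counter)       # idp -> failure reason counts
    for ev in parse(log):
        outcomes[ev["idp"]][ev["result"]] += 1
        if ev["result"] == "success":
            by_sp[ev["sp"]] += 1
        elif ev["reason"]:
            reasons[ev["idp"]][ev["reason"]] += 1

    # "Is IdP X up?" / attrition: an IdP whose recent events are mostly failures,
    # reported together with its most common failure reason.
    failing = {}
    for idp, c in outcomes.items():
        total = c["success"] + c["failure"]
        if total >= min_events and c["failure"] / total > max_failure_ratio:
            failing[idp] = reasons[idp].most_common(1)[0][0] if reasons[idp] else "unknown"

    ranked = by_sp.most_common()
    return {
        "logins_per_sp": dict(by_sp),
        "most_used_sp": ranked[0][0] if ranked else None,
        "least_used_sp": ranked[-1][0] if ranked else None,
        "silent_idps": sorted(set(known_idps) - set(outcomes)),   # "no users from institution A?"
        "failing_idps": failing,
    }


if __name__ == "__main__":
    for key, value in report(SAMPLE_LOG, KNOWN_IDPS).items():
        print(f"{key}: {value}")
```

The min_events floor stops a single failed login from flagging an IdP, and the failure reason is surfaced because "IdP down" and "IdP up but rejecting every request" need different people paged.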

  17. 8. Proliferation of bilateral trusts
     • There are 29 bilateral trusts in Edugate; why don’t these services join Edugate?
     • Maybe not required (single institution)
     • Tender awarded, Edugate not in the tender
     • SP not a legal entity
     • Google Apps, Millennium, Blackboard Learn

  18. 9. Expansion beyond HEAnet?
     More identity providers will mean more service providers
     • Private Colleges
     • Health Services Sector (HSE/Hospitals/CPD)
     • Industry Research Centers (Intel Labs / SFI participants)
     • 2nd Level schools

  19. 10. SSO for non-web
     SAML works well within the browser, but outside the browser it requires client support
     • Native client support: Outlook claims-based authentication
     • Or, with Moonshot: common library support (GSS/SASL/SSPI)

  20. 11. Aggregated identities
     • The institution holds validated identity data and enrollment status. This can be aggregated or augmented with self-asserted data from other sources:
       - Social ID’s (profile pictures, friends, interests)
       - Group membership repository

  21. 11. Aggregated identities
     • Facebook/Twitter/Google hold self-asserted identity data. This can be aggregated or augmented with verified user data from other sources
     • :-p

  22. 12. Logout
     • Clicking on ‘Logout’: what should happen?
     • Logout of the application, but the IdP session persists (local logout)
     • Logout of the application, redirect to the IdP session killer page (partial logout)
     • Logout of the application, redirect to the IdP session killer page, trigger logout of all services (global logout)

  23. 12. Logout
     • Or should the SP force re-authentication at the IdP after the logout button has been used (if the IdP supports it)?
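The three logout options from slide 22 and the ForceAuthn alternative from slide 23 side by side, as an added example (not Edugate's or any SAML implementation's code). SP and IdP session stores are modelled in memory; the SP names, subject and session identifiers are constructed. The point it makes visible is what each option leaves behind: after a local logout the IdP session is still alive and will silently log the user straight back in, which is why the slide 23 question matters.

```python
"""Local, partial and global logout, and ForceAuthn on the next login (added example)."""
from collections import defaultdict


class Federation:
    """Constructed stand-in for one IdP and the SPs that have sessions through it."""

    def __init__(self):
        self.idp_sessions = {}                 # idp session id -> subject
        self.participants = defaultdict(set)   # idp session id -> SPs logged in through it
        self.sp_sessions = {}                  # (sp, subject) -> idp session id

    def login(self, sp: str, subject: str, idp_sid: str) -> None:
        """SP session created from an assertion; the IdP records the SP for single logout."""
        self.idp_sessions[idp_sid] = subject
        self.participants[idp_sid].add(sp)
        self.sp_sessions[(sp, subject)] = idp_sid

    def logged_in(self, sp: str, subject: str) -> bool:
        return (sp, subject) in self.sp_sessions

    def idp_session_alive(self, idp_sid: str) -> bool:
        return idp_sid in self.idp_sessions

    def local_logout(self, sp: str, subject: str):
        """Only the application session ends; the IdP session and every other SP persist."""
        return self.sp_sessions.pop((sp, subject), None)

    def partial_logout(self, sp: str, subject: str):
        """Application session ends, then the IdP 'session killer' page ends the IdP session.
        Other SPs keep their own sessions: the user looks logged out but is not."""
        idp_sid = self.local_logout(sp, subject)
        if idp_sid is not None:
            self.idp_sessions.pop(idp_sid, None)
        return idp_sid

    def global_logout(self, sp: str, subject: str) -> list:
        """SAML Single Logout: the IdP ends its session and tells every participating SP
        to end theirs. Returns the SPs whose sessions were ended."""
        idp_sid = self.partial_logout(sp, subject)
        if idp_sid is None:
            return []
        ended = sorted(self.participants.pop(idp_sid, set()))
        for other in ended:
            self.sp_sessions.pop((other, subject), None)
        return ended

    def next_login_prompts_user(self, idp_sid: str, force_authn: bool = False) -> bool:
        """For a live IdP session the IdP re-issues an assertion without asking for
        credentials; ForceAuthn="true" on the AuthnRequest is what makes it ask again."""
        return force_authn or not self.idp_session_alive(idp_sid)


if __name__ == "__main__":
    f = Federation()
    f.login("library.example", "alice", "S1")
    f.login("portal.example", "alice", "S1")
    f.local_logout("library.example", "alice")
    print("IdP session alive after local logout:", f.idp_session_alive("S1"))
    print("re-login prompts without ForceAuthn:", f.next_login_prompts_user("S1"))
    print("re-login prompts with ForceAuthn:", f.next_login_prompts_user("S1", force_authn=True))
```

Global logout is the only option that leaves no live session anywhere, but it depends on every participating SP implementing the logout protocol; an SP that cannot rely on that can at least set ForceAuthn on its next AuthnRequest so that a shared-machine user is asked for credentials again.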

  24. So, where to now?
     • Extended Attribute Schema
     • Higher Identity Assurance
     • Strong Authentication
     • Account Provisioning
     • Cross institutional groups
     • New Identity Protocols
     • Statistics
     • Bilateral Trusts
     • Expansion beyond HEAnet
     • SSO for non-web applications
     • Aggregated identities
     • Logout
