From Authentication to Privilege Management to the Attribute Eco-System: Marketing runs amok…
Topics
• Coupling identity and privilege management
  – Isn’t that putting authn and authz back together?
• An almost whole view of identity and attributes
• The creation and consumption of attributes
  – From the enterprise view
  – From the VO view
  – From the user view
• The unexplored regions of the ecosystem
Identities, Attributes and Privileges
• (Avoid the rathole of identity and identifiers)
• Identities have attributes for privacy (secrecy) and scale
• Many attributes reflect privileges; they are used by relying parties to make access control decisions
• Privileges have a small subset of useful qualifiers
  – Delegation, constraints, prerequisites, expirations, and a few more…
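The qualifiers listed on this slide are easiest to see as code. The following is an added example, not code from the deck nor from Signet, Grouper or Shibboleth: a privilege record carries an expiration, upper-bound constraints, prerequisite attributes and a delegatable flag; a source of authority grants freely, a delegator may only hand on a narrower, shorter-lived slice of what it holds, and the relying party's decision checks all four qualifiers. The subjects, dates, amounts and the `eduPersonAffiliation=…` prerequisite strings are constructed.

```python
"""Privilege assertions with the qualifiers the slide lists (delegation,
constraints, prerequisites, expiration) and a relying-party decision over them.
Constructed example; not code from the deck, Signet, Grouper or Shibboleth."""
from dataclasses import dataclass, field
from datetime import datetime, timezone
from typing import Optional


@dataclass(frozen=True)
class Privilege:
    subject: str                  # holder of the privilege
    action: str                   # what may be done, e.g. "approve-purchase"
    resource: str                 # on what, e.g. "dept:chemistry"
    granted_by: str               # the source of authority, or a delegator
    expires: Optional[datetime] = None
    constraints: dict = field(default_factory=dict)  # upper bounds, e.g. {"amount": 10000}
    prerequisites: frozenset = frozenset()           # attributes the holder must also carry
    delegatable: bool = False                        # may the holder grant it onward?


class PrivilegeStore:
    """Records grants; delegation may only narrow what the delegator holds."""

    def __init__(self, sources_of_authority):
        self.roots = set(sources_of_authority)
        self.grants = []

    def _live(self, subject, action, resource, now):
        """The holder's unexpired grant for action/resource, or None."""
        for g in self.grants:
            if (g.subject, g.action, g.resource) == (subject, action, resource) \
                    and (g.expires is None or g.expires > now):
                return g
        return None

    def grant(self, p, now):
        if p.granted_by in self.roots:       # a root source of authority grants freely
            self.grants.append(p)
            return
        parent = self._live(p.granted_by, p.action, p.resource, now)
        if parent is None or not parent.delegatable:
            raise PermissionError(f"{p.granted_by} holds no delegatable {p.action} on {p.resource}")
        # Every limit the delegator carries must be present in the child and no looser ...
        if not all(k in p.constraints and p.constraints[k] <= v
                   for k, v in parent.constraints.items()):
            raise PermissionError("delegation would widen the delegator's constraints")
        # ... and the child grant may not outlive the delegator's own grant.
        if parent.expires is not None and (p.expires is None or p.expires > parent.expires):
            raise PermissionError("delegation would outlive the delegator's privilege")
        self.grants.append(p)

    def decide(self, subject, action, resource, attrs, request, now):
        """Relying-party access decision -> (allowed, reason)."""
        g = self._live(subject, action, resource, now)
        if g is None:
            return False, "no live privilege"
        missing = g.prerequisites - frozenset(attrs)
        if missing:
            return False, f"missing prerequisite attributes: {sorted(missing)}"
        for key, limit in g.constraints.items():
            value = request.get(key)
            if value is None or value > limit:
                return False, f"constraint {key} <= {limit} not satisfied by {value!r}"
        return True, f"allowed; granted by {g.granted_by}"


def demo():
    """Constructed scenario: dean -> PI -> postdoc, plus the grants that must fail."""
    utc = timezone.utc
    now = datetime(2007, 3, 1, tzinfo=utc)          # constructed clock
    store = PrivilegeStore(sources_of_authority={"dean@example.edu"})
    store.grant(Privilege("pi@example.edu", "approve-purchase", "dept:chemistry",
                          granted_by="dean@example.edu",
                          expires=datetime(2007, 12, 31, tzinfo=utc),
                          constraints={"amount": 10000},
                          prerequisites=frozenset({"eduPersonAffiliation=faculty"}),
                          delegatable=True), now)
    store.grant(Privilege("postdoc@example.edu", "approve-purchase", "dept:chemistry",
                          granted_by="pi@example.edu",
                          expires=datetime(2007, 6, 30, tzinfo=utc),
                          constraints={"amount": 2000},
                          prerequisites=frozenset({"eduPersonAffiliation=member"})), now)
    results = {}
    for label, bad in (
        ("widen", Privilege("student@example.edu", "approve-purchase", "dept:chemistry",
                            granted_by="pi@example.edu", constraints={"amount": 50000})),
        ("redelegate", Privilege("student@example.edu", "approve-purchase", "dept:chemistry",
                                 granted_by="postdoc@example.edu", constraints={"amount": 100},
                                 expires=datetime(2007, 4, 1, tzinfo=utc))),
    ):
        try:
            store.grant(bad, now)
            results[label] = "accepted"
        except PermissionError as e:
            results[label] = f"refused: {e}"
    member = {"eduPersonAffiliation=member"}
    args = ("postdoc@example.edu", "approve-purchase", "dept:chemistry", member)
    results["in_bounds"] = store.decide(*args, {"amount": 1500}, now)
    results["over_limit"] = store.decide(*args, {"amount": 2500}, now)
    results["expired"] = store.decide(*args, {"amount": 1500}, datetime(2007, 7, 1, tzinfo=utc))
    results["no_prereq"] = store.decide("pi@example.edu", "approve-purchase", "dept:chemistry",
                                        {"eduPersonAffiliation=staff"}, {"amount": 500}, now)
    return results
```

Running `demo()` shows the two refused grants (a widening delegation and a re-delegation by a holder whose grant is not delegatable) and four decisions: in bounds, over the constraint, after expiry, and with a missing prerequisite attribute. The narrowing rule in `grant` is the part that matters for constrained delegation: without it, a delegator can mint privileges larger than its own.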
Unified IdM
• A very, very common activity in much of life, and many of its computer applications
  – Select a set of people
  – Form them into a group (managed)
  – Assign the members of the group privileges
• Happens in enterprises, VO’s and the p2p world
• The ecosystems view
• …the p2p unknowns
Inviting Attributes into your life…
• For privacy and secrecy
  – Albeit for a refined view of privacy
• For better security
  – Federated identity allows for stronger security where needed, in a manner scalable for both the RP and the user
• For efficiency
  – Reduced sign-ons, reduced second factors
Attributes in the enterprise
• Designated sources of authority for systems and applications
• An authority tree allows sources of authority to flow permissions and privileges to others in the enterprise
• May need to be coupled with local conditions
Attributes in the VO
• The PI or a subcommittee of management defines a set of roles for VO use
• Individual PI’s assign the roles to people in their local workgroups
• Attributes are currently carried in the VO identity credential but can be stored in other locations, such as enterprise or local directories
• Or everyone uses the PI’s cert to do everything
But together…the Attribute Ecosystem
• We now understand, we think, an overall “attribute ecosystem”
• Shibboleth is the real-time transport of attributes from an IdP to an SP for an authorization decision
• Other, “compile-time” means are used to ship attributes from sources of authority to the IdP
  – Or to the SP, or to the various middlemen (portals, proxies, etc.)
• And a user needs to manage all of this
User attribute management
• As a user
  – Select an identity and authenticate
  – Release attributes
• As a manager of privilege (attribute assignment)
  – Authentication
  – People picking
  – Group management
  – Privilege management
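The two preceding slides describe one loop: sources of authority feed the IdP at “compile time”, the user authenticates and releases attributes, the IdP asserts them in real time, and the SP decides. The code below is an added example that is not part of the deck and is not Shibboleth or Autograph code. It assumes constructed entity IDs and subjects, uses the real eduPerson attribute names `eduPersonAffiliation` and `eduPersonEntitlement` with a constructed entitlement URN, and stands in an HMAC over a JSON body for the XML signature a real SAML assertion carries. Federation metadata is modelled as the issuer-to-key map the SP trusts, which is also what makes a middleman’s re-assertion unverifiable.

```python
"""Attribute ecosystem in miniature: compile-time feeds into the IdP, real-time
release under policy plus user consent, SP verification against federation
metadata.  Constructed example: made-up entity IDs, HMAC standing in for an XML
signature.  Not Shibboleth or Autograph code."""
import hashlib
import hmac
import json

IDP_ID = "https://idp.example.edu/shibboleth"        # constructed entity IDs
SP_ID = "https://wiki.example.org/shibboleth"
PORTAL_ID = "https://portal.example.net/middleman"
FEDERATION = {IDP_ID: b"idp-signing-key"}            # trust fabric: issuer -> verification key


def _sign(key, body):
    """Serialise and MAC an assertion body (stand-in for XML-DSig)."""
    payload = json.dumps(body, sort_keys=True).encode()
    return {"payload": payload, "mac": hmac.new(key, payload, hashlib.sha256).hexdigest()}


class IdP:
    def __init__(self, entity_id, key):
        self.entity_id, self.key = entity_id, key
        self.store = {}      # subject -> {attr: (values, source of authority)}
        self.policy = {}     # sp -> attrs the IdP is willing to release to it
        self.consent = {}    # (subject, sp) -> attrs the user agreed to release
        self.sessions = {}   # session id -> authn context

    def ingest(self, source, subject, attr, values):
        """Compile-time feed from a source of authority; provenance is kept."""
        self.store.setdefault(subject, {})[attr] = (set(values), source)

    def authenticate(self, subject, session_id, authn_class):
        self.sessions[session_id] = {"subject": subject, "authn_class": authn_class}

    def logout(self, session_id):
        self.sessions.pop(session_id, None)   # attributes hang off the context; gone with it

    def assert_attributes(self, session_id, sp):
        ctx = self.sessions.get(session_id)
        if ctx is None:
            raise PermissionError("no authenticated session")
        subject = ctx["subject"]
        # Release = intersection of the IdP's policy for this SP and the user's consent.
        allowed = self.policy.get(sp, set()) & self.consent.get((subject, sp), set())
        attrs = {a: sorted(v) for a, (v, _src) in self.store.get(subject, {}).items() if a in allowed}
        return _sign(self.key, {"issuer": self.entity_id, "audience": sp,
                                "authn_class": ctx["authn_class"], "attributes": attrs})


class Portal:
    """Middleman that re-asserts what it received, under its own name and key."""
    def relay(self, assertion, downstream_sp):
        body = json.loads(assertion["payload"])
        body.update(issuer=PORTAL_ID, audience=downstream_sp)
        return _sign(b"portal-key", body)


class SP:
    def __init__(self, entity_id, federation, rule):
        self.entity_id, self.federation, self.rule = entity_id, federation, rule

    def decide(self, assertion):
        body = json.loads(assertion["payload"])
        key = self.federation.get(body["issuer"])
        if key is None:                       # issuer outside the federated trust fabric
            return False, f"issuer {body['issuer']} not in federation metadata"
        expected = hmac.new(key, assertion["payload"], hashlib.sha256).hexdigest()
        if not hmac.compare_digest(expected, assertion["mac"]):
            return False, "signature check failed"
        if body["audience"] != self.entity_id:
            return False, "assertion not addressed to this SP"
        return self.rule(body["attributes"])


def editor_rule(attrs):
    """SP-side authorization: a VO-issued entitlement value grants edit access."""
    if "urn:mace:example.org:vo:chem:editor" in attrs.get("eduPersonEntitlement", []):
        return True, "entitlement present"
    return False, "no editor entitlement"


def demo():
    idp = IdP(IDP_ID, FEDERATION[IDP_ID])
    idp.ingest("registrar", "jdoe", "eduPersonAffiliation", ["member", "faculty"])
    idp.ingest("vo-admin", "jdoe", "eduPersonEntitlement", ["urn:mace:example.org:vo:chem:editor"])
    idp.ingest("hr", "jdoe", "employeeNumber", ["00417"])
    idp.policy[SP_ID] = {"eduPersonAffiliation", "eduPersonEntitlement", "employeeNumber"}
    idp.consent[("jdoe", SP_ID)] = {"eduPersonAffiliation", "eduPersonEntitlement"}  # user withholds employeeNumber
    sp = SP(SP_ID, FEDERATION, editor_rule)
    idp.authenticate("jdoe", "sess-1", "urn:oasis:names:tc:SAML:2.0:ac:classes:PasswordProtectedTransport")
    assertion = idp.assert_attributes("sess-1", SP_ID)
    results = {"released": sorted(json.loads(assertion["payload"])["attributes"]),
               "direct": sp.decide(assertion),
               "via_portal": sp.decide(Portal().relay(assertion, SP_ID))}
    idp.logout("sess-1")
    try:
        idp.assert_attributes("sess-1", SP_ID)
        results["after_logout"] = "asserted"
    except PermissionError:
        results["after_logout"] = "refused"
    return results
```

`demo()` releases only the two attributes both the IdP policy and the user allowed, the SP accepts the direct assertion on the strength of the entitlement, the portal’s re-assertion is refused because its issuer is not in the federation metadata, and after logout the IdP has no context to assert from. The release intersection is where the user-side privacy management from this slide lives; the metadata lookup in `SP.decide` is where the trust fabric does its work.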
A Simple Life
[Diagram slide; labelled components: User, Shib, IdP, Application access controls (including network devices), three Sources of Authority, p2p]

A Simple Life GUI
[Diagram slide; labelled components: GUI, Autograph, Authn, User, Shib, IdP, Application access controls (including network devices), three Sources of Authority, p2p]

A Full IdM Life
[Diagram slide; labelled components: User, Shib, IdP, Local apps, Application access controls (including network devices), three Sources of Authority, p2p]

A Full Life GUI
[Diagram slide; labelled components: GUI, Autograph, Authn, User, Shib, IdP, Local apps, Signet/Grouper, Application access controls (including network devices), three Sources of Authority, p2p]

Real Life
[Diagram slide; labelled components: User, two IdPs, Portal, Gateway, Shib, Proxy, Application access controls (including network devices), nine Sources of Authority, p2p]

Example Flows in the Attribute Ecosystem
[Diagram slide; labelled components: User, two IdPs, VO Service Center, Gateway, Shib, Application access controls (including network devices), six Sources of Authority, p2p]

[Untitled diagram slide; labelled components: User, Portal, Shib, Autograph, IdP, Authn, two S/G, Application access controls (including network devices), two Sources of Authority, p2p]

A VO Service Center Flow
[Diagram slide; labelled components: VO Service Center, User, Shib, Autograph, IdP, Authn, three S/G, Application access controls (including network devices), three Sources of Authority, p2p]
The Unexplored Regions
• Identity linking
• Batch and real-time attribute flows
• Metadata services
• Federation support of VO’s
• The “middlemen issues”
• Constrained delegation
• Science gateways
• P2P integration issues
Characteristics of Attribute Flows
• Context of a session
• Attributes hang off an authn context
• Meaning of a logout
• Source of authority versus immediate provider of assertion
• Quality of original attribute assignment
• Identifier to identifier across autonomous
Example issues
• Intermediaries making assertions that are not verifiable by the federated trust fabric
• Users not being able to manage their privacy on information passed to intermediaries
• LoA on attributes
• The IEEE distributing membership attributes
• When to use multiple IdP’s versus sending attributes