What is Federated ID Management and Why Should You Care? Tim Poe & Steve Thorpe {tpoe, thorpe}@mcnc.org MCNC All-Staff Meeting March 19, 2009
Outline
• Motivation
• Example Services
• Requirements
• Underlying Technology
• NCTrust Federation Pilot
• Demo
Motivation
• Many NC institutions desire access to remote protected web-based services
  • 17 UNC system institutions
  • 115 LEAs, thousands of K-12 schools
  • 58 community colleges
  • 36 independent colleges / universities
  • Plus many other government / educational / commercial organizations
• Desire is for access to be efficient, cost effective, quick, secure, and user-friendly. Federated ID Management technologies enable such access
ATM machines - An Early Example of Federated ID Management
• Thousands of banks - Federated
• Millions of users (bank customers)
• User login (ATM card) and password (PIN) maintained by the user’s home institution (Bank)
• Other institutions give service ($) access to remote users, based on trusting the login and password that’s maintained by the home institution
• Today we’re doing something similar, only we’re serving Web-based services rather than $
Example – Confluence
• Confluence is a web-based wiki service that fosters collaboration among multiple institutions
• Federated ID Management technologies can alleviate MCNC’s current need for in-house management of accounts for outside users
• Each home institution would manage their *own* accounts
Example - NCLive
• NCLive provides access to eJournals, etc. for libraries, higher-ed and increasingly K-12
• Want ease of resource accessibility yet must adhere to licenses of various products being distributed, e.g. certain content might be allowed only for:
  • Students
  • K-20 staff
  • Chemistry teachers
  • etc.
Examples - VCL
• NCSU’s Virtual Computing Lab (VCL) is a web service that allows reservations of a computer with a desired set of applications, then remote access over the Internet
• You can use applications such as Matlab, Maple, SAS, Solidworks, and many others. Linux, Solaris and numerous Windows environments are available
• Due to licensing and resource limitations, access must be limited to certain user communities
Other Examples
• How about a service for elementary school kids to access privately licensed PBS, CSPAN, and History Channel video content through the internet?
• How about a service to enable cross-institutional course registration for access to distance learning from a different university in the UNC system?
• Federated ID Management technologies can facilitate resource utilization across NCREN by enabling these and other web-based services much more efficiently, saving $ for MCNC and the NCREN community
Requirements
• Prevent users having to know yet-another password
• Prevent system administrators having to add yet-another account
• Avoid logins becoming out of date
• Enable easier scaling of web-based applications to include multiple additional users/organizations
• Must know people are who they say they are, with up-to-date accuracy
• With potentially hundreds of thousands of people involved, need the home institutions to be responsible for account administration
Underlying Technology: Shibboleth
• Shibboleth is open source software for web single sign-on across or within organizational boundaries
• Allows informed authorization decisions for protected web service access in a privacy-preserving manner
• Uses Security Assertion Markup Language (SAML) to provide federated single sign-on and attribute exchange framework
• Provides extended privacy functionality allowing the browser user and their home site to control the attributes released to each application
Obligatory Geek Diagram - Simplified (the only one, we promise!)
[Diagram of the Shibboleth flow; the labels recovered from the slide:]
1. Student is at Starbucks
2. IdP is at his school: Shibboleth Identity Provider (IdP) (IdP is a J2EE app); LDAP Server
3. Protected Web Service is at a university: Shibboleth Service Provider (SP) (mod_shib gets attributes from shibd and protects web apps); access to protected service (web app) is controlled by shib gatekeeper (shibd daemon maintains state)
4. IdP/SP communication via SAML attributes exchanged through the browser session
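As an added example (not code from the slides or from the Shibboleth project), here is a minimal Python sketch of the attribute exchange in steps 2 to 4: the IdP releases only the attributes its policy allows for a given SP, and the SP authorizes from the released eduPersonScopedAffiliation values, much as VCL shows a different image list depending on NCSU status. The entityIDs, scopes and user record are constructed, and the assertion signing and metadata checks that real Shibboleth performs are left out.

```python
# Added example (not from the slides or Shibboleth): a minimal SAML-style
# attribute exchange between an IdP and an SP. Real Shibboleth also signs
# the assertion and validates IdP/SP metadata; those steps are omitted.
import xml.etree.ElementTree as ET

SAML_NS = "urn:oasis:names:tc:SAML:2.0:assertion"
NS = {"saml": SAML_NS}

def q(tag):
    """Qualify a tag with the SAML 2.0 assertion namespace."""
    return "{%s}%s" % (SAML_NS, tag)

# IdP-side attribute release policy keyed by SP entityID (constructed values):
# the "home site controls the attributes released to each application" part.
RELEASE_POLICY = {
    "https://vcl.example.edu/shibboleth": {"eduPersonScopedAffiliation"},
    "https://nclive.example.org/shibboleth": {"eduPersonScopedAffiliation",
                                               "eduPersonEntitlement"},
}

def idp_build_assertion(sp_entity_id, user_attrs):
    """Build an Assertion whose AttributeStatement holds only released attributes."""
    allowed = RELEASE_POLICY.get(sp_entity_id, set())
    root = ET.Element(q("Assertion"))
    stmt = ET.SubElement(root, q("AttributeStatement"))
    for name, values in user_attrs.items():
        if name not in allowed:
            continue  # privacy: this SP never sees the attribute
        attr = ET.SubElement(stmt, q("Attribute"), Name=name)
        for value in values:
            ET.SubElement(attr, q("AttributeValue")).text = value
    return ET.tostring(root, encoding="unicode")

def sp_parse_attributes(assertion_xml):
    """SP side (what shibd hands to the web app via mod_shib): Name -> values."""
    root = ET.fromstring(assertion_xml)
    return {a.get("Name"): [v.text for v in a.findall("saml:AttributeValue", NS)]
            for a in root.findall(".//saml:Attribute", NS)}

def sp_authorize(attrs, allowed_affiliations, allowed_scopes):
    """Grant access if a scoped affiliation is a permitted role from a trusted scope."""
    for scoped in attrs.get("eduPersonScopedAffiliation", []):
        affiliation, _, scope = scoped.partition("@")
        if affiliation in allowed_affiliations and scope in allowed_scopes:
            return True
    return False

# Constructed user record held at the IdP; 'mail' is never released to VCL.
USER = {"eduPersonScopedAffiliation": ["staff@ncsu.edu"],
        "eduPersonEntitlement": ["urn:example:nclive:chemistry"],
        "mail": ["someone@ncsu.edu"]}
```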
NCTrust Federation Pilot
• MCNC and partners have convened the NC Trust Pilot
• Goal: create a Federation to test web resource sharing among several K-20 organizations within NC
• Adding K-12 into the mix is a unique aspect
• NCTrust utilizes the national InCommon Federation infrastructure
• Provides a trust mechanism allowing each organization to certify its operational practices
• MCNC is helping partners with tech / installation support
[Partner logos on slide: North Carolina Learning Object Repository, NC DPI, ? (tbd)]
Shibboleth Training Workshops
• 1.5 day workshops were hosted by MCNC in October 2008 and February 2009
• Instructors: Shilen Patel and Rob Carter (Duke), Gonz Guzman (MCNC)
• Approximately 45 participants total
• There’s an excellent video archive of the workshop, thanks to Bryon and Chad
MOU and InCommon Paperwork in Various Stages of Completion…
Paperwork is MUCH harder / slower than technical work! (though the technical parts are certainly not trivial)
First demos starting now!
Demo
• As thorpe@mcnc.org:
  • Log onto test service, to see some attributes
  • Access Internet2’s Confluence site
• As srthorpe@unc.edu:
  • Log onto NCSU’s VCL site, check for images
• As srthorpe@ncsu.edu:
  • Log onto NCSU’s VCL site, check for images and see a different list based on my NCSU status
Future Steps
• Connect services among the NCTrust community
  • VCL
  • NCLive
  • MCNC’s confluence site is a likely candidate
  • Others?
• Recommendations on best model of state-wide federation to meet the needs of the K-20 educational community in North Carolina
  • To cover funding, operations, governance, etc.
• Pilot runs through December 2009
Key Takeaways
• We believe Federated ID Management can enable more effective resource sharing among the NCREN community
  • Secure
  • Efficient
  • Scalable
  • Accessible
  • Saves $
  • Not to mention it’s a GREEN technology
• Fostering adoption of FIM technologies is another way of Connecting North Carolina’s Future Today
Thank You
• Special thanks to MCNC’s Gonz Guzman, Tom Throckmorton, Kambiz Aghaiepour, Neal Bullins, Carole Bruhn, Keith Venters, Chris Caswell, Bryon Coltrane, and Chad Pritchard who all helped this effort
• Also thanks to the many Federated ID Task Force members from throughout the NCREN community that are participating with us in the NCTrust pilot project
• Questions?