Extending Services with Federated Identity Management
people.ku.edu/~wes/federated_idm.pdf · CHECK 05/30/2013
Wes Hubert, Information Technology Analyst
Overview
• General Concepts
• Higher Education Federations
– eduroam
– InCommon
• Federation Infrastructure
– Trust Agreements
– Processes
Common IdM Terms
• Identifier: A name that identifies a unique person, group, or object
• Authentication: Verification of an identity
• Authorization: Granting access to a specific resource
• Identity Management: Control of identifiers, authentication, authorization
• Federation: An organization whose members are organizations with some degree of internal autonomy
Actors
• User (principal, supplicant, client, etc.)
– Initiates the request for a service
• Identity Provider (IdP)
– Maintains a directory of vetted users
– Authenticates user identity
• Service Provider (SP)
– Authorizes (or denies) access
– Based on information provided by IdP
Federated Identity Management
• Provides portability of identity information across organizations
• Manages trust between administratively separate IdP and SP
• Protects privacy of identity information
Examples
• Higher Education
– eduroam
– InCommon
• Public
– OpenID
• Yahoo!
• Google
– ...
eduroam
• education roaming
• Secure network access service (wi-fi)
• Research and education community
• Thousands of institutions worldwide
• http://www.youtube.com/watch?v=TVCmcMZS3uA
eduroam Sites
eduroam London Sites
eduroam US Sites
KU wi-fi prior to eduroam
• JAYHAWK
– Primary campus wi-fi
– Requires KU Online ID authentication
• KUGUEST
– Rate limited, restricted ports
• KU-Passport
– Sponsored short-term access
eduroam
• Provides travelers secure network access at participating institutions without obtaining guest credentials
• Removes the need for institutions to provision wi-fi credentials for visitors
Select SSID eduroam
Log in with home credentials
Start VPN (Optional)
eduroam
• More later on
– How it works
– Why it is secure
InCommon
• Internet2-based research and education identity management federation
• 347 Higher Education Participants
• 28 Government, Labs, Non-profits, etc.
• 139 Sponsored Partners
» (April 2013)
InCommon
• Provides privacy-preserving trust fabric
– Higher education
– Sponsored partners
• Identity management federation
• Certificate service
• Multifactor authentication service
• Assurance program
InCommon IdM Federation
• About 300 identity providers
• More than 6 million end users
• Sample services
– EDUCAUSE federated login
– Internet2 FileSender service
Federated Login: EDUCAUSE
• Alternative to EDUCAUSE-specific login
– Eliminates need for remembering an EDUCAUSE-specific password
• www.educause.edu
EDUCAUSE Federated Login
• On http://www.educause.edu screen click Login >
• In Federated Login section click Log in Using InCommon
• Select home campus identity provider
• Home system presents the login page
• ... and you’re logged in to EDUCAUSE
• Can verify login page via https URL
• Can verify login page via https certificate
Internet2 FileSender Service
• Service for sharing large files
– Initiated by federation member
– Usable by anyone
• Operated by Internet2
• https://filesender.internet2.edu
FileSender Service
• Select home system for authentication
• Text Entered Limits Selection List
• Easy Reuse of Previous AuthN System
• Login On Home System
• Information About File to be Shared
• Email Notification of Shared File
• Generate A Guest Voucher
What’s behind the curtain?
• Enrollment of users with IdP
– Vetting of user identities
– Common attributes known to IdP/SP
• Secure connection between IdP/SP
– Identity of communicating systems
– Specification of attributes to send
– Encrypted transfer of required attributes
Trust Points
• Two primary trust relationships
– Between user and IdP
– Between IdP and SP
• Both are bidirectional
• User ultimately depends on both
• Details specific to each federation
How Is Trust Established?
• User Trust for InCommon Authentication
– Communicates with home system as IdP
• Based on trust established during ID setup
– Authentication via familiar (home) login
– Can verify site using https
• URL address bar
• Server certificate
How Is Trust Established?
• InCommon IdP/SP
– Participant Operational Practices statement
– X.509 Certificate in Metadata
– XML Attribute Release Specifications
– Optional Higher Levels of Assurance
• Bronze
• Silver
POP Statement
• Attribute assertions to other participants
• Made at organization’s executive level
• Issuing system assures risk-appropriate risk management measures
• Information will be used only for purposes for which it is provided
POP Statement
• Federation Participant Information
• Identity Provider Information
• Service Provider Information
• Other Information
Participant Information
• Organization
• Links for
– ID management practices
– Privacy policy
• Contact information
Identity Provider Information
• Community
– Who can get IDs
– Who is identified as “Member”
• Credentials
– Administrative processes
– Technologies (UserID/password, PKI, etc.)
Identity Provider Information
• Electronic Identity Database
– Sources, update procedures
– What is considered public information?
• Own Use of Credential System
– Attribute assertions
– Privacy constraints
Service Provider Information
• What attributes are required to manage access decisions?
• Other use of attributes
• Controls on access and use of PII
• Controls on access management
• Actions taken in case of compromise
SAML
• Security Assertion Markup Language
– XML-based
– 3 roles
• Principal (user)
• Identity Provider (IdP)
• Service Provider (SP)
• Securely passes limited information between federated systems
Shibboleth
• Federated IdM software
• Internet2 Middleware Initiative project
• SAML-based SSO
• Controlled attribute release
• Privacy preserving
• Started in 2000, first release July 2003
• Developed in parallel with InCommon
InCommon Metadata
• Submitted by site administrator
• Defines IdP and SP
– Entity
– X.509 certificate
– User interface, error handling
– SAML protocol endpoints
– Contacts
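The SAML and metadata slides above describe what an SP checks before it trusts what an IdP asserts. The following is an added example, not code from the slides or from Shibboleth: it loads an IdP's entityID, signing certificate and SSO endpoint from a metadata fragment in the shape InCommon distributes, then applies the SP-side checks to an assertion (issuer is a federation IdP, assertion is inside its validity window, it was addressed to this SP) before handing over the attributes. The metadata, the assertion, entityIDs, hostnames and the user are all constructed. Verifying the XML signature against the certificate pulled from metadata is left to the SAML library and is not done here.

```python
# Added example, not code from the slides: SP-side checks on a SAML 2.0 assertion,
# driven by federation metadata. Entity IDs, hostnames and the user are constructed.
# XML-DSig verification (with the certificate taken from metadata) is NOT done here.
import xml.etree.ElementTree as ET
from datetime import datetime, timezone

NS = {
    "md": "urn:oasis:names:tc:SAML:2.0:metadata",
    "ds": "http://www.w3.org/2000/09/xmldsig#",
    "saml": "urn:oasis:names:tc:SAML:2.0:assertion",
}

METADATA = """<md:EntitiesDescriptor xmlns:md="urn:oasis:names:tc:SAML:2.0:metadata"
    xmlns:ds="http://www.w3.org/2000/09/xmldsig#">
  <md:EntityDescriptor entityID="https://idp.example.edu/idp/shibboleth">
    <md:IDPSSODescriptor protocolSupportEnumeration="urn:oasis:names:tc:SAML:2.0:protocol">
      <md:KeyDescriptor use="signing">
        <ds:KeyInfo><ds:X509Data><ds:X509Certificate>MIIC...constructed...</ds:X509Certificate></ds:X509Data></ds:KeyInfo>
      </md:KeyDescriptor>
      <md:SingleSignOnService Binding="urn:oasis:names:tc:SAML:2.0:bindings:HTTP-Redirect"
          Location="https://idp.example.edu/idp/profile/SAML2/Redirect/SSO"/>
    </md:IDPSSODescriptor>
  </md:EntityDescriptor>
</md:EntitiesDescriptor>"""

# Constructed assertion for the EDUCAUSE SP; Name is the eduPerson OID, FriendlyName the slide's name.
ASSERTION = """<saml:Assertion xmlns:saml="urn:oasis:names:tc:SAML:2.0:assertion"
    ID="_constructed" Version="2.0" IssueInstant="2013-05-30T15:00:00Z">
  <saml:Issuer>https://idp.example.edu/idp/shibboleth</saml:Issuer>
  <saml:Conditions NotBefore="2013-05-30T14:59:00Z" NotOnOrAfter="2013-05-30T15:05:00Z">
    <saml:AudienceRestriction>
      <saml:Audience>https://www.educause.edu/shibboleth-sp</saml:Audience>
    </saml:AudienceRestriction>
  </saml:Conditions>
  <saml:AttributeStatement>
    <saml:Attribute Name="urn:oid:1.3.6.1.4.1.5923.1.1.1.6" FriendlyName="eduPersonPrincipalName">
      <saml:AttributeValue>jdoe@example.edu</saml:AttributeValue>
    </saml:Attribute>
    <saml:Attribute Name="urn:oid:1.3.6.1.4.1.5923.1.1.1.1" FriendlyName="eduPersonAffiliation">
      <saml:AttributeValue>member</saml:AttributeValue>
      <saml:AttributeValue>staff</saml:AttributeValue>
    </saml:Attribute>
  </saml:AttributeStatement>
</saml:Assertion>"""

def load_idps(metadata_xml):
    """Return {entityID: {"signing_certs": [...], "sso": url}} for every IdP in the metadata."""
    idps = {}
    for ent in ET.fromstring(metadata_xml).iter("{%s}EntityDescriptor" % NS["md"]):
        idp = ent.find("md:IDPSSODescriptor", NS)
        if idp is None:
            continue  # SP-only entity
        # A KeyDescriptor with no 'use' attribute is valid for both signing and encryption.
        certs = [k.findtext("ds:KeyInfo/ds:X509Data/ds:X509Certificate", default="", namespaces=NS).strip()
                 for k in idp.findall("md:KeyDescriptor", NS) if k.get("use", "signing") == "signing"]
        sso = idp.find("md:SingleSignOnService", NS)
        idps[ent.get("entityID")] = {"signing_certs": certs,
                                     "sso": sso.get("Location") if sso is not None else None}
    return idps

def _ts(s):
    return datetime.strptime(s, "%Y-%m-%dT%H:%M:%SZ").replace(tzinfo=timezone.utc)

def validate_assertion(assertion_xml, idps, sp_entity_id, now):
    """SP-side trust checks; returns the released attributes or raises ValueError."""
    a = ET.fromstring(assertion_xml)
    issuer = a.findtext("saml:Issuer", default="", namespaces=NS).strip()
    if issuer not in idps:  # only IdPs present in the federation metadata are trusted
        raise ValueError("issuer %r is not an IdP in the federation metadata" % issuer)
    cond = a.find("saml:Conditions", NS)
    if cond is None:
        raise ValueError("assertion carries no Conditions")
    nb, na = cond.get("NotBefore"), cond.get("NotOnOrAfter")
    if (nb and now < _ts(nb)) or (na and now >= _ts(na)):
        raise ValueError("assertion is outside its validity window")
    audiences = [x.text.strip() for x in cond.findall("saml:AudienceRestriction/saml:Audience", NS)]
    if sp_entity_id not in audiences:  # stops an assertion for one SP being replayed to another
        raise ValueError("assertion was issued for %r, not for this SP" % audiences)
    attrs = {}
    for att in a.findall("saml:AttributeStatement/saml:Attribute", NS):
        name = att.get("FriendlyName") or att.get("Name")
        attrs[name] = [v.text.strip() for v in att.findall("saml:AttributeValue", NS)]
    return attrs

def rejects(*args):
    """True when validate_assertion refuses the assertion."""
    try:
        validate_assertion(*args)
        return False
    except ValueError:
        return True

if __name__ == "__main__":
    idps = load_idps(METADATA)
    now = _ts("2013-05-30T15:01:00Z")
    print(validate_assertion(ASSERTION, idps, "https://www.educause.edu/shibboleth-sp", now))
```

The issuer check is where the federation's metadata does its work: an assertion from any entity not in the signed InCommon aggregate is refused before its contents are read, which is why the X.509 certificate and entityID in metadata matter more than anything the IdP says about itself.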
EDUCAUSE Attribute Release
• eduPersonPrincipalName
• surname
• givenName
• email
• eduPersonAffiliation
EDUCAUSE Attribute Release

```xml
<!-- Release personal attributes required by EDUCAUSE -->
<afp:AttributeFilterPolicy id="releaseToEduCause">
  <afp:PolicyRequirementRule xsi:type="basic:AttributeRequesterString"
      value="https://www.educause.edu/shibboleth-sp" />
  <afp:AttributeRule attributeID="eduPersonPrincipalName">
    <afp:PermitValueRule xsi:type="basic:ANY" />
  </afp:AttributeRule>
  <!-- ... (other attribute specifications) ... -->
  <afp:AttributeRule attributeID="eduPersonAffiliation">
    <afp:PermitValueRule xsi:type="basic:ANY" />
  </afp:AttributeRule>
</afp:AttributeFilterPolicy>
```
General Attribute Release

```xml
<!-- Release eduPersonAffiliation (and Scoped form) to anyone -->
<afp:AttributeFilterPolicy id="releaseEduPersonAffiliationToAnyone">
  <afp:PolicyRequirementRule xsi:type="basic:ANY" />
  <afp:AttributeRule attributeID="eduPersonAffiliation">
    <afp:PermitValueRule xsi:type="basic:ANY" />
  </afp:AttributeRule>
  <afp:AttributeRule attributeID="eduPersonScopedAffiliation">
    <afp:PermitValueRule xsi:type="basic:ANY" />
  </afp:AttributeRule>
</afp:AttributeFilterPolicy>
```
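To see what those two policies actually let out of the IdP for a given SP, here is an added example (not the slides' code and not the Shibboleth engine): a minimal evaluator for attribute-filter policies that supports only the two rule types the slides use, basic:ANY and basic:AttributeRequesterString. The rules elided on the EDUCAUSE slide are filled in from that slide's attribute list (surname, givenName, email), and the requester entityIDs and the user's attributes are constructed.

```python
# Added example, not code from the slides: evaluate Shibboleth attribute-filter
# policies for a requesting SP. Only basic:ANY and basic:AttributeRequesterString
# are supported; the elided EDUCAUSE rules are assumed from the slide's attribute
# list, and the "other" SP entityID and the user are constructed.
import xml.etree.ElementTree as ET

AFP = {"afp": "urn:mace:shibboleth:2.0:afp"}
XSI_TYPE = "{http://www.w3.org/2001/XMLSchema-instance}type"

POLICIES = """<afp:AttributeFilterPolicyGroup xmlns:afp="urn:mace:shibboleth:2.0:afp"
    xmlns:basic="urn:mace:shibboleth:2.0:afp:mf:basic"
    xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance">
  <afp:AttributeFilterPolicy id="releaseToEduCause">
    <afp:PolicyRequirementRule xsi:type="basic:AttributeRequesterString"
        value="https://www.educause.edu/shibboleth-sp" />
    <afp:AttributeRule attributeID="eduPersonPrincipalName"><afp:PermitValueRule xsi:type="basic:ANY" /></afp:AttributeRule>
    <afp:AttributeRule attributeID="surname"><afp:PermitValueRule xsi:type="basic:ANY" /></afp:AttributeRule>
    <afp:AttributeRule attributeID="givenName"><afp:PermitValueRule xsi:type="basic:ANY" /></afp:AttributeRule>
    <afp:AttributeRule attributeID="email"><afp:PermitValueRule xsi:type="basic:ANY" /></afp:AttributeRule>
    <afp:AttributeRule attributeID="eduPersonAffiliation"><afp:PermitValueRule xsi:type="basic:ANY" /></afp:AttributeRule>
  </afp:AttributeFilterPolicy>
  <afp:AttributeFilterPolicy id="releaseEduPersonAffiliationToAnyone">
    <afp:PolicyRequirementRule xsi:type="basic:ANY" />
    <afp:AttributeRule attributeID="eduPersonAffiliation"><afp:PermitValueRule xsi:type="basic:ANY" /></afp:AttributeRule>
    <afp:AttributeRule attributeID="eduPersonScopedAffiliation"><afp:PermitValueRule xsi:type="basic:ANY" /></afp:AttributeRule>
  </afp:AttributeFilterPolicy>
</afp:AttributeFilterPolicyGroup>"""

USER = {  # constructed: what the IdP's attribute resolver produced for one principal
    "eduPersonPrincipalName": ["jdoe@example.edu"],
    "surname": ["Doe"],
    "givenName": ["Jane"],
    "email": ["jdoe@example.edu"],
    "eduPersonAffiliation": ["member", "staff"],
    "eduPersonScopedAffiliation": ["member@example.edu", "staff@example.edu"],
    "employeeNumber": ["00012345"],  # named in no policy, so never released to anyone
}

def _matches(rule, requester):
    """Evaluate a PolicyRequirementRule or PermitValueRule against the requesting SP's entityID."""
    kind = rule.get(XSI_TYPE)
    if kind == "basic:ANY":
        return True
    if kind == "basic:AttributeRequesterString":
        # exact string comparison of the entityID; ignoreCase defaults to false
        if rule.get("ignoreCase", "false").lower() == "true":
            return rule.get("value", "").lower() == requester.lower()
        return rule.get("value") == requester
    raise ValueError("unsupported rule type %r" % kind)

def released_attributes(policy_xml, requester, user_attrs):
    """Return {attributeID: values} the IdP releases to `requester`.

    Deny by default: a value leaves the IdP only if some policy whose
    requirement rule matches the requester carries a PermitValueRule for it."""
    released = {}
    for pol in ET.fromstring(policy_xml).findall("afp:AttributeFilterPolicy", AFP):
        req = pol.find("afp:PolicyRequirementRule", AFP)
        if req is None or not _matches(req, requester):
            continue
        for ar in pol.findall("afp:AttributeRule", AFP):
            aid = ar.get("attributeID")
            if aid not in user_attrs:
                continue
            if any(_matches(pv, requester) for pv in ar.findall("afp:PermitValueRule", AFP)):
                bucket = released.setdefault(aid, [])
                for v in user_attrs[aid]:
                    if v not in bucket:
                        bucket.append(v)
    return released

if __name__ == "__main__":
    for sp in ("https://www.educause.edu/shibboleth-sp", "https://sp.other.example.org/shibboleth"):
        print(sp, sorted(released_attributes(POLICIES, sp, USER)))
```

Two things worth noticing when running it: an SP the IdP has never heard of still gets the affiliation attributes and nothing else, and the requester match is an exact string comparison, so an entityID that differs only by a trailing slash falls through to the general policy rather than the EDUCAUSE one.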
InCommon Research & Scholarship Category
• Group shares common attribute release
• New SPs may be added
• No action required by IdP to access
• Currently (May 16, 2013)
– 12 SPs
– 51 IdPs
• FileSender is in this group
eduroam
• RADIUS
– Remote Authentication Dial-In User Service
– It’s rarely for dial-in anymore
– Peers authenticate by IP & shared secret
• 802.1X
– PEAP
• Protected Extensible Authentication Protocol
• Server-side public key certificate authenticates the server to the client before the user’s credentials are sent inside the TLS tunnel
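What "peers authenticate by IP & shared secret" means on the wire, as an added example (not the slides' code): the shared secret keys a Message-Authenticator on each Access-Request (HMAC-MD5, RFC 3579, mandatory when the request carries EAP) and a Response Authenticator on each reply (MD5 over the reply, the request's authenticator and the secret, RFC 2865). A visited site, the national proxy and the home IdP each verify these with the secret agreed for that hop. The secret, packet identifiers and realm are constructed. The realm after the "@" is what the proxy hierarchy routes on; with PEAP the outer identity may be anonymous as long as it carries the realm.

```python
# Added example, not code from the slides: build and verify the two RADIUS
# integrity checks keyed by the per-hop shared secret, plus realm extraction
# for eduroam routing. Secret, identifiers and realm are constructed.
import hashlib
import hmac
import os
import struct

ACCESS_REQUEST, ACCESS_ACCEPT, ACCESS_REJECT = 1, 2, 3
USER_NAME, MESSAGE_AUTHENTICATOR = 1, 80  # attribute types

def _attr(kind, value):
    return struct.pack("!BB", kind, 2 + len(value)) + value

def _packet(code, ident, authenticator, attrs):
    return struct.pack("!BBH", code, ident, 20 + len(attrs)) + authenticator + attrs

def realm_of(user_name):
    """Realm used for routing; a request with no realm cannot be forwarded to a home server."""
    if "@" not in user_name:
        raise ValueError("User-Name %r carries no realm" % user_name)
    return user_name.rsplit("@", 1)[1].lower()

def build_access_request(ident, user_name, secret, request_authenticator=None):
    """Access-Request with a Message-Authenticator, as an 802.1X authenticator sends it."""
    ra = request_authenticator or os.urandom(16)  # fresh random Request Authenticator
    attrs = _attr(USER_NAME, user_name.encode())
    # HMAC-MD5 over the whole packet with the Message-Authenticator value zeroed.
    unsigned = _packet(ACCESS_REQUEST, ident, ra, attrs + _attr(MESSAGE_AUTHENTICATOR, bytes(16)))
    mac = hmac.new(secret, unsigned, hashlib.md5).digest()
    return _packet(ACCESS_REQUEST, ident, ra, attrs + _attr(MESSAGE_AUTHENTICATOR, mac))

def verify_message_authenticator(pkt, secret):
    """True if the Access-Request's Message-Authenticator was computed with `secret`."""
    pos = 20
    while pos + 2 <= len(pkt):
        kind, length = pkt[pos], pkt[pos + 1]
        if length < 2 or pos + length > len(pkt):
            return False  # malformed attribute
        if kind == MESSAGE_AUTHENTICATOR and length == 18:
            zeroed = pkt[:pos + 2] + bytes(16) + pkt[pos + 18:]
            expected = hmac.new(secret, zeroed, hashlib.md5).digest()
            return hmac.compare_digest(expected, pkt[pos + 2:pos + 18])
        pos += length
    return False  # absent: an EAP request without it must be dropped

def build_response(code, request_pkt, attrs, secret):
    """Reply to `request_pkt`; Response Authenticator = MD5(header + RequestAuth + attrs + secret)."""
    header = struct.pack("!BBH", code, request_pkt[1], 20 + len(attrs))
    resp_auth = hashlib.md5(header + request_pkt[4:20] + attrs + secret).digest()
    return header + resp_auth + attrs

def verify_response(response_pkt, request_pkt, secret):
    """False when the reply does not answer our request or was not keyed with our secret."""
    code, ident, length = struct.unpack("!BBH", response_pkt[:4])
    if ident != request_pkt[1] or length != len(response_pkt):
        return False
    expected = hashlib.md5(response_pkt[:4] + request_pkt[4:20] + response_pkt[20:] + secret).digest()
    return hmac.compare_digest(expected, response_pkt[4:20])

if __name__ == "__main__":
    secret = b"constructed-shared-secret"
    req = build_access_request(7, "anonymous@ku.edu", secret)
    print("route to realm:", realm_of("anonymous@ku.edu"))
    accept = build_response(ACCESS_ACCEPT, req, b"", secret)
    forged = build_response(ACCESS_ACCEPT, req, b"", b"not-the-secret")
    print("genuine accept verifies:", verify_response(accept, req, secret))
    print("forged accept verifies:", verify_response(forged, req, secret))
```

An Access-Accept that fails the Response Authenticator check is what a visited site sees if something between it and the home server tries to let a user on without holding the secret; the check only works because the Request Authenticator is fresh and random for every request, which is why a reply to one request cannot be replayed against another.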
How Is Trust Established?
• eduroam user
– Pre-travel setup on home campus
• Establishes trusted connection to authentication server
– PEAP/WPA2 authentication
– Server name (e.g. adhome-lawc-04.home.ku.edu)
– X.509 certificate signed by trusted CA
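The client side of that trust is a supplicant profile. Below is an added wpa_supplicant fragment, not from the slides or from KU: the server name is the one the slide gives, while the account, the CA file path and the password placeholder are assumptions. The first block pins nothing, so any access point broadcasting "eduroam" can present its own certificate, terminate the TLS tunnel and collect the inner MSCHAPv2 exchange for offline cracking; the second block trusts only the home CA and the home server's name, and sends only the realm in the clear outer identity.

```conf
# WEAK: no ca_cert and no server-name check. wpa_supplicant will accept any
# server certificate, so a rogue "eduroam" AP can harvest the inner credentials.
network={
    ssid="eduroam"
    key_mgmt=WPA-EAP
    eap=PEAP
    identity="jdoe@ku.edu"
    password="replace-me"
    phase2="auth=MSCHAPV2"
}

# HARDENED: trust only the CA that signed the home RADIUS server's certificate,
# require that server's name, and keep the username out of the outer identity
# (the realm is still there so the proxies can route the request home).
network={
    ssid="eduroam"
    key_mgmt=WPA-EAP
    eap=PEAP
    anonymous_identity="anonymous@ku.edu"
    identity="jdoe@ku.edu"
    password="replace-me"
    ca_cert="/etc/ssl/certs/ku-radius-ca.pem"
    domain_match="adhome-lawc-04.home.ku.edu"
    phase2="auth=MSCHAPV2"
}
```

The pre-travel setup the slide describes is exactly the moment to install the CA file and server name; a user who first joins eduroam at a foreign site with an unpinned profile has no way to tell the real network from an impostor.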
eduroam Wi-Fi Profile
How Is Trust Established?
• eduroam IdP/SP
– Vetting when joining the federation
– RADIUS shared secret via encrypted email
– X.509 Certificates
– Specific IP numbers and ports
Summary
• Federated identity management increases security and convenience
• It’s all about Trust
– Trust between user and IdP
– Trust between IdP and SP
Related Links
• https://eduroam.org
• http://www.incommon.org