Identity federation: A new way to manage access to...2017/06/02 · FIM4R Findings (2012) Federated...

Identity federation: A new way to manage access to resources
SANLiC 2017
Durban, May 2017

Identity Federations
A brief introduction

Federated Identity
A federated identity in information technology is the means of linking a person's electronic identity and attributes, stored across multiple distinct identity management systems
https://en.wikipedia.org/wiki/Federated_identity

Federated Identity
Identity Providers (Home Organisations)
Identity Federation
Service Providers’ Web Sites

Why not just use Google?
All the major social network platforms provide federated identities…
… so why don’t we just use these?
They all have one major drawback – they are self-asserted
This means you cannot trust any of the information
This is often okay, but…

Academic Identity Federations
Academic identity federations exist to solve the trust problem
Your home organisation – university, research council, etc. – knows a lot about you
They also know stuff specific to higher education (HEMIS, RIMS)
More importantly, most of this information has usually been checked and may be subject to audit
This makes them ideal to act as identity providers

Academic Federation Operators
All federations have operators
  Facebook Inc operates Facebook Connect
Academic federations
  Usually operated by the National Research and Education Network (NREN)
  Typically only one per country
65 known academic federations worldwide

Academic Identity Federations Around the World
https://refeds.org/federations/federations-map, May 2017

Academic Federation Operators
Academic federations are primarily trust relationships with federation operators acting as trusted introducers
Federation operators worldwide collaborate on issues of interest to the research & education
  Interoperability (R&S profile)
  Common identifiers (eduPersonOrcid)
  Handling of sensitive information
  Security/incident response (SIRTFI)
  etc…

Inter-federation
Inter-federation is the linking of one (academic) federation to another
Through inter-federation we can gain access to services that are not yet available in our own country
Service providers can gain access to customers

SAFIRE
South African Identity Federation

SAFIRE – South African Identity Federation
Academic identity federation for South Africa
Conceived by the community and piloted over a number of years
Supported service operated by TENET
Member of eduGAIN (since February)
  48th member / 41st full participant
  1st member in Africa
Your IT Department should know all this…

SAFIRE – Participants

So what does this all mean for libraries?

The “traditional” licensing model
License based on some form of FTE count
Site-wide, but use restricted to the local campus network
Off-campus users must make use of a reverse proxy or VPN solution
Not easy to enforce more granular controls
IP-based restrictions don’t scale well – and are out-of-sync with the modern Internet
  Average student carries 3+ devices.
  Default IPv6 allocation for universities in South Africa has 1 208 925 819 614 629 174 706 176 IP addresses in it.

Reverse Proxies
Many libraries use reverse proxies to provide off-campus access to electronic resources
  EZProxy
  III WAM Proxy
Campus networks – indeed “campuses” – are becoming increasingly hard to define, and users are becoming increasingly mobile
Confusing for users – “why can’t I just log in like every other website I use?!”
Difficult to support & troubleshoot
As journal providers embrace SSL, these become more complicated – and expensive – to maintain

Reverse Proxies
By perpetuating reverse proxies, libraries are undermining Internet security and directly contributing to the problem of phishing
https://www.us-cert.gov/ncas/alerts/TA17-075A

What if we could leverage existing institutional logins?

What if we could license in a more specific way?
schacHomeOrganizationType urn:schac:homeOrganizationType:int:university
schacHomeOrganization example.ac.za
eduPersonAffiliation faculty employee member
eduPersonScopedAffiliation [email protected] [email protected] [email protected] [email protected]
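
Added example (Python, not part of the original slides): one way a service provider could apply a licence from the attributes listed above instead of IP ranges, discarding any scoped affiliation whose scope the asserting identity provider is not registered for. The entity IDs, licence terms, sample attribute values and function names are assumptions constructed for illustration.

```python
# Added example: a licence decision made from federated attributes, not source IP.
# Entity IDs, licence terms and function names are hypothetical; data is constructed.

# Scopes each identity provider (IdP) is registered for in federation metadata.
REGISTERED_SCOPES = {
    "https://idp.example.ac.za/idp": {"example.ac.za"},
    "https://idp.other.example/idp": {"other.example"},
}

# Licence agreed with one institution: who at which home organisation is covered.
LICENCE = {
    "home_organization": "example.ac.za",
    "affiliations": {"faculty", "student", "staff"},
}


def valid_scoped_affiliations(idp_entity_id, values):
    """Keep (affiliation, scope) pairs whose scope the asserting IdP is registered for."""
    allowed = REGISTERED_SCOPES.get(idp_entity_id, set())
    kept = set()
    for value in values:
        affiliation, sep, scope = value.strip().lower().partition("@")
        if sep and affiliation and scope in allowed:
            kept.add((affiliation, scope))
    return kept


def is_licensed(idp_entity_id, attributes, licence=LICENCE):
    """Grant access only on a checked scoped affiliation; no name, e-mail or IP is used."""
    scoped = valid_scoped_affiliations(
        idp_entity_id, attributes.get("eduPersonScopedAffiliation", []))
    return any(scope == licence["home_organization"]
               and affiliation in licence["affiliations"]
               for affiliation, scope in scoped)


if __name__ == "__main__":
    lecturer = {"eduPersonScopedAffiliation": [
        "faculty@example.ac.za", "employee@example.ac.za", "member@example.ac.za"]}
    alumnus = {"eduPersonScopedAffiliation": ["alum@example.ac.za"]}
    home, other = "https://idp.example.ac.za/idp", "https://idp.other.example/idp"
    print(is_licensed(home, lecturer))   # covered affiliation from the home IdP
    print(is_licensed(home, alumnus))    # affiliation outside the licence
    print(is_licensed(other, lecturer))  # scope not registered for this IdP
```

The scope check is what lets the licence trust the value after the "@": an identity provider can only vouch for affiliations at its own organisation.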

What if we could benefit from the integration work done by others?
Rhodes University Library & eduGAIN MET, August 2016

What if we could do this whilst still protecting personal privacy?

Federation…
Provides a new approach to electronic resource management
Gives better control over who has access to your resources = better compliance with licensing agreements
Allows you to downsize/decommission reverse proxies
Is less confusing for your users
Saves you money…

FIM4R Findings (2012)
Federated technologies are good. Take advantage of them.
The infrastructure needs to be improved to take advantage of federated technologies. Do it.
Relying on older models of local account creation and IP-based ACLs is easier. This is a very limited view. Stop it.
If you can’t fix it all yourself (and you can’t), facilitate the efforts of groups that can. Build relationships, target your spending or funding to make the biggest impact.
Source: http://cds.cern.ch/record/1442597
Via: https://learn.nsrc.org/fedidm/iam_researchers

The problem we’re trying to solve