Identity Federations: Here and Now Renée Shuey Penn State and InCommon.
Agenda
• The need for Federations in Higher Ed.
• Federation Overview
• Federating Software: Shibboleth
• InCommon: the US Higher Ed federation
• Other Federations: Europe and the U.S. government’s eAuthentication federation
• Penn State federation use cases
• Q&A
The Problem for Higher Education
• Increasing collaboration
• Mandates for increased research consortia
• Increasing number of on-line resources
• Access management complexities for resource providers
• Usability: Account management
• Current Federal and State laws (e.g., FERPA, HIPAA, Gramm-Leach-Bliley Act)
The Opportunity for Higher Education
• Simplified usability for all collaborations
• Home organizations carefully manage the release of personal information
• On-line resource providers focus on the protection and authorization of use of their on-line resources.
The Rising Call for Better On-line Collaboration
• Instructors sharing course materials through learning partnerships
• Researchers coordinating remote instruments and data gathering
• Growing on-line collections
• Increasing diversity of content providers
• eCommerce partnering in Higher Ed (Software, Music, etc.)
• Institutions working with outsourced learning management systems for course hosting, grading, scheduling, and testing
• Network security monitoring
• Visiting scholar access rights with peer institutions
• Federal Government resources and administration
  • financial aid, grant submissions, etc.
Federations
• Otherwise independent entities that give up a certain degree of autonomy in order to achieve a common set of goals.
• Working together requires
  • A common way to express meaning
  • Agreed-upon ways to convey information
  • Acceptable governance and trust models
Identity Federations
• Enroll, authenticate and attribute locally ... act federally
• IdP provides trustworthy, needed identity information to Resource Providers
  • Part of the access management decision
• Trust established through the Federation Operator by means of standards, rules, and participation agreements
Federations and Trust
• Requires common IdP and RP practices
• Federation governance roles include
  • Establishing the rules
  • Overseeing adherence (e.g., audits)
• Degrees of trust may be inherent/useful
  • Allows flexibility in IdP and RP services
• What happens when trust is violated?
  • Liability and indemnification
Not all Federations are the same ...
• Identity federations may have different rules or constraints on identity release
  • For example in Europe ...
• Some may choose to offer on-line services as well, or hold contracts for resources on behalf of members
• Some are for specific business purposes or industries, etc.
With InCommon
• The Home organization manages accounts and the release of personal information
InCommon Federation
• Created to support Higher Education and its research and business partners
• Federation operator is an LLC formed by Internet2
• Builds on existing campus identity management and single sign-on systems
• Makes use of industry standards and open source federating software, Shibboleth
Shibboleth
• The Shibboleth software implements the OASIS SAML v1.1 specification, providing a federated Single Sign-On and attribute exchange framework.
  • shibboleth.internet2.edu
• Built on OpenSAML, also created by the Internet2 community: OpenSAML is a set of open-source libraries in Java and C++ which can be used to build, transport, and parse SAML messages.
  • www.opensaml.org
InCommon Participation Requirements
• Common identity attributes
• Software Guidelines
  • www.incommonfederation.org/ops/softguide.html
• Transparency of Policy and Practices
  • POP (Participant Operational Practices)
• Participation Agreement
  • Minimal “bar” to entry
  • Limited Liability; No Indemnification
  • General Liability Insurance
• Modest annual fee
InCommon’s Governance & Committees
Steering Committee
• Tracy Mitrano, Cornell – Chair
• Jerry Campbell, University of Southern California – Vice Chair
• Christopher Crowhurst, Thomson Learning
• Clair Goldsmith, University of Texas System
• Ken Klingenstein, Internet2
• Mark Luker, Educause
• Peggy Plympton, Lehigh University
• Carrie Regenstein, Carnegie Mellon University
• Gene Spencer, Bucknell University
• Mike Teets, OCLC
Technical Advisory Committee
• RL "Bob" Morgan, University of Washington – Co-Chair
• Renee Shuey, Penn State – Co-Chair
• Tom Barton, University of Chicago
• Scott Cantor, The Ohio State University
• Steven Carmody, Brown University
• Keith Hazelton, University of Wisconsin - Madison
• Walter Hoehn, University of Memphis
• Ken Klingenstein, InCommon Steering Committee
• Mike LaHaye, Internet2
• David Wasley, retired (U. Calif.)
Current InCommon Participants: 27
• Case Western Reserve University
• Cornell University
• Dartmouth
• *Elsevier ScienceDirect
• Georgetown University
• *HAM - Texas Medical Center Library
• *Internet2
• Miami University
• *Napster, LLC
• *OCLC
• Ohio University
• *OhioLink - The Ohio Library & Information Network
• Penn State
• SUNY Buffalo
• The Ohio State University
• The University of Chicago
• *Turn It In
• University of Alabama at Birmingham
• University of California, Irvine
• University of California, Los Angeles
• University of California, Office of the President
• University of California, San Diego
• University of Rochester
• University of Southern California
• University of Virginia
• University of Washington
• *WebAssign
* Sponsored Participant
Federations using Shibboleth in Europe
• Established national Federations
  • Finland (HAKA)
  • Switzerland (SWITCHaai)
• National Federations getting ready
  • United Kingdom
  • Denmark, Germany, Sweden (SWIF)
• REFEDS – Research and Education Federations
  • Toward federating federations: http://www.terena.nl/activities/refeds/
eAuthentication Federation (EAF)
• For all Federal agency outward-facing applications
  • 24 agencies: USDA, NIH, DOEd, NSF, etc.
  • Over 600 applications
• Members are Federal agencies and Credential Service Providers
• Many of the applications are of interest to Higher Education
EAF Organization
(Org chart slide; box labels only) EAF Executive; Business & Legal Rules; FPKI Cert Policies; Federal PKI OA; XCert and MOA; Interop Lab; SAML Spec.; CAF (Policy, Operations, Providers); FPKIPA
Components of EAF
• Organized around Assurance Levels
  • 1, 2 for assertion-based credentials
    • Local authentication followed by identity message to agency application
    • Business and Legal rules imposed on applications and Credential Providers alike
  • 3, 4 for cryptography-based credentials
    • PKI predominates
    • Serviced by Federal PKI Policy Authority and Federal PKI Operational Authority
    • Major growth area for Federal Apps in first round
Linking Federations
• How can federations interoperate?
  • Information models must be compatible
    • Conversion may be difficult
  • Communication protocols
    • Gateways are hard, and may break trust models
  • Governance and trust models
    • Must be equivalent at some level
Governance & Linking Federations
• Governance sets community standards
  • May need to enhance or redefine somewhat
• Must uphold inter-federation agreement
  • Responsible for trust between federations
  • May require stronger role within federation
  • May affect existing participation agreements
  • May incur new liabilities, etc.
• Federation services might not interoperate
Linking InCommon and eAuthentication
• Higher Ed is an important community for many Federal agency applications
• Both have federations in place
• Have been working together for more than a year
• Compatible technology
  • Similar identity attributes
    • InCommon has a richer set
    • InCommon includes privacy protections
Linking InCommon and eAuthentication
• Trust issues
  • eAuth defines 4 levels of identity assurance
  • InCommon currently allows ‘best effort’
    • will need to define at least one compatible LOA
• Privacy
• Operational issues
  • Will need to include LOA in identity assertions
  • Will need to tag metadata, etc.
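The checks a resource provider makes on a Shibboleth-style SAML 1.1 attribute assertion (federation metadata as the trust anchor, as on the Shibboleth slide, plus an assurance level carried in the assertion, as the operational-issues bullet anticipates), written here as an added example that is not from the slides or from the Shibboleth/OpenSAML code. Assumed: the XML signature has already been verified, and the metadata table, the sample assertion and the urn:example:assurance-level attribute name are constructed for illustration.

```python
# Added example, not from the slides or from Shibboleth/OpenSAML: the checks an RP
# makes on a SAML 1.1 attribute assertion before trusting its attributes.
# Assumptions: the XML signature was already verified; the metadata table, the
# assertion and the "urn:example:assurance-level" attribute are constructed.
import xml.etree.ElementTree as ET
from datetime import datetime, timezone

NS = {"saml": "urn:oasis:names:tc:SAML:1.0:assertion"}  # SAML 1.1 keeps the 1.0 URI
# Stand-in for federation metadata: which scopes each registered IdP may assert.
FEDERATION_METADATA = {"urn:mace:incommon:example.edu": {"example.edu"}}
SAMPLE_ASSERTION = """<saml:Assertion xmlns:saml="urn:oasis:names:tc:SAML:1.0:assertion"
  MajorVersion="1" MinorVersion="1" AssertionID="_constructed-1"
  Issuer="urn:mace:incommon:example.edu" IssueInstant="2006-05-01T12:00:00Z">
  <saml:Conditions NotBefore="2006-05-01T11:59:00Z" NotOnOrAfter="2006-05-01T12:05:00Z">
    <saml:AudienceRestrictionCondition><saml:Audience>urn:mace:incommon</saml:Audience>
    </saml:AudienceRestrictionCondition></saml:Conditions>
  <saml:AttributeStatement>
    <saml:Attribute AttributeName="urn:mace:dir:attribute-def:eduPersonScopedAffiliation">
      <saml:AttributeValue Scope="example.edu">member</saml:AttributeValue></saml:Attribute>
    <saml:Attribute AttributeName="urn:example:assurance-level">
      <saml:AttributeValue>1</saml:AttributeValue></saml:Attribute>
  </saml:AttributeStatement></saml:Assertion>"""

def _ts(s):
    return datetime.strptime(s, "%Y-%m-%dT%H:%M:%SZ").replace(tzinfo=timezone.utc)

def evaluate(xml_text, audience, now, required_loa, metadata=FEDERATION_METADATA):
    """Return (accepted, reason, attrs); stop at the first failed check."""
    root = ET.fromstring(xml_text)
    issuer = root.get("Issuer")
    if issuer not in metadata:              # trust comes from federation metadata
        return False, "issuer not in federation metadata", {}
    cond = root.find("saml:Conditions", NS)
    if not (_ts(cond.get("NotBefore")) <= _ts(now) < _ts(cond.get("NotOnOrAfter"))):
        return False, "assertion outside validity window", {}
    if audience not in {a.text for a in cond.iterfind(".//saml:Audience", NS)}:
        return False, "audience restriction not satisfied", {}
    attrs = {}
    for attr in root.iterfind(".//saml:Attribute", NS):
        for val in attr.iterfind("saml:AttributeValue", NS):
            scope = val.get("Scope")
            if scope is not None and scope not in metadata[issuer]:   # scope check
                return False, f"scope {scope!r} not authorized for {issuer}", {}
            text = val.text if scope is None else f"{val.text}@{scope}"
            attrs.setdefault(attr.get("AttributeName"), []).append(text)
    loa = int(attrs.get("urn:example:assurance-level", ["0"])[0])
    if loa < required_loa:                  # RP policy, e.g. eAuth Level 1 apps
        return False, f"LOA {loa} below required {required_loa}", attrs
    return True, "ok", attrs
```

The scope check is what stops one federation member from asserting affiliations for another member's domain; the LOA check is the RP-side half of carrying an assurance level in the assertion.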
Linking InCommon and eAuthentication
• Where we are now
  • Draft Memorandum of Agreement
  • Draft “InCommon Bronze” requirements
    • Based on eAuth Level 1
  • Working on inter-federation assessment
  • Identifying WGs to address operation, policy, and technical issues – May 10
• Goal - Interoperability by Fall '06
Penn State, InCommon, & Shibboleth
• Using Shibboleth since Summer '02
• InCommon provides trust model for access to external resource providers
• Production Uses
  • Napster
  • WebAssign
  • ANGEL Course Management System
  • WorldWide University Network (WUN)
  • LionShare
Penn State, InCommon & Shibboleth
• Pilot or discussion phase
  • Office of Student Aid
    • PHEAA/AES
  • Career Services
    • Simplicity
  • ITS-Teaching and Learning with Technology
    • NETg
    • Thomson Publishing
    • Turnitin
  • ITS-Digital Library Technology
    • Elsevier, OCLC, JSTOR, and others
Penn State and the eAuthentication Pilot
• Credential Assessment Jan '05 - LOA 1
• Identified issues
  • Password guessing, strength, expiration
  • Authorization to Operate Statement
  • Stored secret (password resets)
  • Documentation
  • Align policies and practices
• Proposed solution – approved by GSA/NIST
  • GAP Analysis
  • University of Washington, Penn State, and Cornell University
Penn State and the eAuthentication Pilot
• FastLane pilot
  • An interactive real-time system used to conduct NSF business over the Internet.
  • Application assessed as level of assurance 1
  • Used by faculty to submit grant proposals, check status, participate in panels, enter financial transactions
  • Credential Service Provider assessed as a level of assurance 1
Useful URLs and pointers
• http://www.nmi-edit.org
• http://shibboleth.internet2.edu
  • Subscribe to shib mailing lists
• http://www.incommonfederation.org/
• http://lionshare.its.psu.edu
• Emerging issues/technologies/recipes: http://middleware.internet2.edu/signet/
• SAML 2.0: http://www.oasis-open.org/
Questions?
• Contact Information
  • Renee Shuey
  • [email protected]