Identity Federations: Here and Now Renée Shuey Penn State and InCommon.


Page 1: Identity Federations: Here and Now Renée Shuey Penn State and InCommon.

Identity Federations: Here and Now

Renée Shuey, Penn State and InCommon

Page 2

Agenda

• The need for federations in Higher Ed
• Federation overview
• Federating software: Shibboleth
• InCommon: the US Higher Ed federation
• Other federations: Europe and the U.S. government's eAuthentication federation
• Penn State federation use cases
• Q&A

Page 3

The Problem for Higher Education

• Increasing collaboration
• Mandates for increased research consortia
• Increasing number of on-line resources
• Access management complexities for resource providers
• Usability: account management
• Current Federal and State laws (e.g., FERPA, HIPAA, Gramm-Leach-Bliley Act)

Page 4

The Opportunity for Higher Education

• Simplified usability for all collaborations
• Home organizations carefully manage the release of personal information
• On-line resource providers focus on the protection and authorization of use of their on-line resources

Page 5

The Rising Call for Better On-line Collaboration

• Instructors sharing course materials through learning partnerships
• Researchers coordinating remote instruments and data gathering
• Growing on-line collections
• Increasing diversity of content providers
• eCommerce partnering in Higher Ed (software, music, etc.)
• Institutions working with outsourced learning management systems for course hosting, grading, scheduling, testing
• Network security monitoring
• Visiting scholar access rights with peer institutions
• Federal Government resources and administration
  • Financial aid, grant submissions, etc.

Page 6

Federations

• Otherwise independent entities that give up a certain degree of autonomy in order to achieve a common set of goals
• Working together requires
  • A common way to express meaning
  • Agreed-upon ways to convey information
  • Acceptable governance and trust models

Page 7

Identity Federations

• Enroll, authenticate and attribute locally... act federally
• The IdP provides the trustworthy identity information that Resource Providers need
  • That information is one input to the access management decision
• Trust is established through the Federation Operator by means of standards, rules, and participation agreements

Page 8

Federations and Trust

• Requires common IdP and RP practices
• Federation governance roles include
  • Establishing the rules
  • Overseeing adherence (e.g., audits)
• Degrees of trust may be inherent/useful
  • Allows flexibility in IdP and RP services
• What happens when trust is violated?
  • Liability and indemnification

Page 9

Not all Federations are the same ...

• Identity federations may have different rules or constraints on identity release
  • For example, in Europe ...
• Some may choose to offer on-line services as well, or hold contracts for resources on behalf of members
• Some are for specific business purposes or industries, etc.

Page 10

Page 11

With InCommon

• The Home organization manages accounts and the release of personal information

Page 12

InCommon Federation

• Created to support Higher Education and its research and business partners

• Federation operator is an LLC formed by Internet2

• Builds on existing campus identity management and single sign-on systems

• Makes use of industry standards and open source federating software, Shibboleth

Page 13

Shibboleth

• The Shibboleth software implements the OASIS SAML v1.1 specification, providing a federated single sign-on and attribute exchange framework.
  • shibboleth.internet2.edu
• Built on OpenSAML, also created by the Internet2 community: OpenSAML is a set of open-source libraries in Java and C++ which can be used to build, transport, and parse SAML messages.
  • www.opensaml.org

Page 14

Page 15

InCommon Participation Requirements

• Common identity attributes
• Software Guidelines
  • www.incommonfederation.org/ops/softguide.html
• Transparency of policy and practices
  • POP (Participant Operational Practices)
• Participation Agreement
  • Minimal "bar" to entry
  • Limited liability; no indemnification
  • General liability insurance
• Modest annual fee

Page 16

InCommon's Governance & Committees

Steering Committee

• Tracy Mitrano, Cornell – Chair
• Jerry Campbell, University of Southern California – Vice Chair
• Christopher Crowhurst, Thomson Learning
• Clair Goldsmith, University of Texas System
• Ken Klingenstein, Internet2
• Mark Luker, Educause
• Peggy Plympton, Lehigh University
• Carrie Regenstein, Carnegie Mellon University
• Gene Spencer, Bucknell University
• Mike Teets, OCLC

Technical Advisory Committee

• RL "Bob" Morgan, University of Washington – Co-Chair
• Renee Shuey, Penn State – Co-Chair
• Tom Barton, University of Chicago
• Scott Cantor, The Ohio State University
• Steven Carmody, Brown University
• Keith Hazelton, University of Wisconsin - Madison
• Walter Hoehn, University of Memphis
• Ken Klingenstein, InCommon Steering Committee
• Mike LaHaye, Internet2
• David Wasley, retired (U. Calif.)

Page 17

Current InCommon Participants: 27

• Case Western Reserve University
• Cornell University
• Dartmouth
• *Elsevier ScienceDirect
• Georgetown University
• *HAM - Texas Medical Center Library
• *Internet2
• Miami University
• *Napster, LLC
• *OCLC
• Ohio University
• *OhioLink - The Ohio Library & Information Network
• Penn State
• SUNY Buffalo
• The Ohio State University
• The University of Chicago
• *Turn It In
• University of Alabama at Birmingham
• University of California, Irvine
• University of California, Los Angeles
• University of California, Office of the President
• University of California, San Diego
• University of Rochester
• University of Southern California
• University of Virginia
• University of Washington
• *WebAssign

* Sponsored Participant

Page 18

Federations using Shibboleth in Europe

• Established national federations
  • Finland (HAKA)
  • Switzerland (SWITCHaai)
• National federations getting ready
  • United Kingdom
  • Denmark, Germany, Sweden (SWIF)
• REFEDS – Research and Education Federations
  • Toward federating federations: http://www.terena.nl/activities/refeds/

Page 19

eAuthentication Federation (EAF)

• For all Federal agency outward-facing applications
  • 24 agencies: USDA, NIH, DOEd, NSF, etc.
  • Over 600 applications
• Members are Federal agencies and Credential Service Providers
• Many of the applications are of interest to Higher Education

Page 20

EAF Organization

[Organization chart. Boxes: EAF Executive; Business & Legal Rules; FPKI Cert Policies; Fed PKI OA; XCert and MOA; Interop Lab; SAML Spec.; CAF; Policy; Operations; Providers; FPKIPA]

Page 21

Components of EAF

• Organized around Assurance Levels
• Levels 1 and 2 for assertion-based credentials
  • Local authentication followed by an identity message to the agency application
  • Business and legal rules imposed on applications and Credential Providers alike
• Levels 3 and 4 for cryptography-based credentials
  • PKI predominates
  • Serviced by the Federal PKI Policy Authority and Federal PKI Operational Authority
  • Major growth area for Federal apps in the first round

Page 22

Linking Federations

• How can federations interoperate?
• Information models must be compatible
  • Conversion may be difficult
• Communication protocols
  • Gateways are hard, and may break trust models
• Governance and trust models
  • Must be equivalent at some level

Page 23

Governance & Linking Federations

• Governance sets community standards
  • May need to enhance or redefine somewhat
• Must uphold the inter-federation agreement
  • Responsible for trust between federations
  • May require a stronger role within the federation
  • May affect existing participation agreements
  • May incur new liabilities, etc.
• Federation services might not interoperate

Page 24

Linking InCommon and eAuthentication

• Higher Ed is an important community for many Federal agency applications
• Both have federations in place
• Have been working together for more than a year
• Compatible technology
• Similar identity attributes
  • InCommon has a richer set
  • InCommon includes privacy protections

Page 25

Linking InCommon and eAuthentication

• Trust issues
  • eAuth defines 4 levels of identity assurance
  • InCommon currently allows 'best effort'
  • Will need to define at least one compatible LOA
• Privacy
• Operational issues
  • Will need to include LOA in identity assertions
  • Will need to tag metadata, etc.
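An added example, not from the slides and not Shibboleth or InCommon code, modelling the resource-provider checks implied by the "act federally" slide and the operational issues above: the IdP asserts attributes plus an LOA, the federation metadata records the LOA each IdP is registered for, and the RP releases attributes only after issuer, signature, validity window and LOA all check out. An HMAC stands in for the XML signature of a real SAML assertion; the entityID, key, attribute name and LOA values are constructed.

```python
import hashlib
import hmac
import json
import time

# Constructed federation metadata (stand-in for what a federation operator would
# publish about each IdP): entityID -> the IdP's key and the highest LOA registered for it.
FEDERATION_METADATA = {
    "urn:example:incommon:idp": {"key": b"constructed-idp-key", "registered_loa": 1},
}


def sign_assertion(issuer, attributes, loa, key, issued_at, lifetime=300):
    """IdP side: bind issuer, attributes, LOA and validity window under the IdP key.
    An HMAC stands in for the XML signature a real SAML assertion carries."""
    body = json.dumps({"issuer": issuer, "attributes": attributes, "loa": loa,
                       "issued_at": issued_at, "expires": issued_at + lifetime},
                      sort_keys=True)
    return {"body": body, "mac": hmac.new(key, body.encode(), hashlib.sha256).hexdigest()}


def verify_assertion(assertion, required_loa, metadata=FEDERATION_METADATA, now=None):
    """RP side: return (accepted, reason, attributes). Attributes are released only
    after every check passes, so a rejected assertion yields no identity data."""
    now = time.time() if now is None else now
    claims = json.loads(assertion["body"])
    # The issuer is read only to select the key; nothing else is trusted until the MAC holds.
    entry = metadata.get(claims.get("issuer"))
    if entry is None:
        return False, "issuer not in federation metadata", None
    expected = hmac.new(entry["key"], assertion["body"].encode(), hashlib.sha256).hexdigest()
    if not hmac.compare_digest(expected, assertion["mac"]):
        return False, "signature check failed", None
    if not claims["issued_at"] <= now < claims["expires"]:
        return False, "assertion outside its validity window", None
    # Metadata tagging: an IdP may not assert a higher LOA than the federation registered for it.
    if claims["loa"] > entry["registered_loa"]:
        return False, "claimed LOA exceeds the LOA registered for this IdP", None
    if claims["loa"] < required_loa:
        return False, "LOA below what the application requires", None
    return True, "ok", claims["attributes"]


if __name__ == "__main__":
    a = sign_assertion("urn:example:incommon:idp", {"affiliation": "faculty"}, 1,
                       b"constructed-idp-key", issued_at=1000)
    print(verify_assertion(a, required_loa=1, now=1100))
```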

Page 26

Linking InCommon and eAuthentication

• Where we are now
  • Draft Memorandum of Agreement
  • Draft "InCommon Bronze" requirements, based on eAuth Level 1
  • Working on inter-federation assessment
  • Identifying WGs to address operation, policy, and technical issues – May 10
• Goal – interoperability by Fall '06

Page 27

Penn State, InCommon, & Shibboleth

• Using Shibboleth since Summer '02
• InCommon provides the trust model for access to external resource providers
• Production uses
  • Napster
  • WebAssign
  • ANGEL Course Management System
  • WorldWide University Network (WUN)
  • LionShare

Page 28

Penn State, InCommon & Shibboleth

• Pilot or discussion phase
  • Office of Student Aid
    • PHEAA/AES
  • Career Services
    • Simplicity
  • ITS-Teaching and Learning with Technology
    • NETg
    • Thomson Publishing
    • Turnitin
  • ITS-Digital Library Technology
    • Elsevier, OCLC, JSTOR, and others

Page 29

Penn State and the eAuthentication Pilot

• Credential Assessment Jan '05 – LOA 1
• Identified issues
  • Password guessing, strength, expiration
  • Authorization to Operate statement
  • Stored secret (password resets)
  • Documentation
  • Align policies and practices
• Proposed solution – approved by GSA/NIST
  • GAP analysis
  • University of Washington, Penn State, and Cornell University

Page 30

Penn State and the eAuthentication Pilot

• FastLane pilot
  • An interactive real-time system used to conduct NSF business over the Internet
  • Application assessed at level of assurance 1
  • Used by faculty to submit grant proposals, check status, participate in panels, enter financial transactions
  • Credential Service Provider assessed at level of assurance 1

Page 31

Useful URLs and pointers

• http://www.nmi-edit.org
• http://shibboleth.internet2.edu
  • Subscribe to the shib mailing lists
• http://www.incommonfederation.org/
• http://lionshare.its.psu.edu
• Emerging issues/technologies/recipes
• http://middleware.internet2.edu/signet/
• SAML 2.0: http://www.oasis-open.org/

Page 32

Questions?

• Contact information
  • Renee Shuey
  • [email protected]