Page 1

Identity Management

Practical Issues Associated with Sharing Federated Services

UT System Identity Management Federation

William A. Weems

The University of Texas Health Science Center at Houston

Page 2

What is the Collaborative Goal?

Make the sharing of restricted resources within an organization and across organizational boundaries as transparent to users as accessing public Web pages!

Page 3

Ideally, each individual would have a single digital credential that can be used securely to authenticate their identity whenever authentication of identity is required to secure a transaction.

Page 4

A Federated Credential

Allows a person to use her federated identity credential for single sign-on access to restricted service applications provided by federation members for which she has privileges.

Page 5

Ideally, a digital credential must

• positively identify a person,

• include the person’s permanent identifier,

• positively identify the certifying authority, i.e. the identity provider (IdP),

• be presentable only by the person it authenticates,

• be tamper-proof, and

• be accepted by all systems.

Page 6

What is Identity?

Two Categories of Identity

• Physical Identity – Assigned Identifier – Authentication
  – Facial picture
  – Fingerprints
  – DNA sample

• Identity Attributes – Authorization Attributes
  – Common name
  – Address
  – Institutional affiliations, e.g. faculty, student, staff, contractor
  – Specific group memberships
  – Roles
  – Entitlements for specific services
  – Etc.

Page 7

Identity Vetting & Credentialing

Diagram (labels only) showing the flow between the Person, the Identity Provider (IdP) uth.tmc.edu, and a Permanent Identity Database:
• IdP obtains the person's physical characteristics
• IdP assigns an everlasting identifier, permanently bound to the person, in the Permanent Identity Database
• IdP issues a digital credential
• Person-only activation of the credential

Page 8

UTHSC-H Identity Management System

Diagram labels: HRMS, SIS, GMEIS, Guest, MSUTP, INDIS, OAC7, OAC47; Identity Reconciliation & Provisioning Processes; Person Registry; Authoritative Enterprise Directories; Sync; Secondary Directories; Authentication Service; Authorization Service; User Administration Tools (Change Password, Attribute Management).

Page 9

Federal E-Authentication Initiative
http://www.cio.gov/eauthentication/

• Levels of assurance (different requirements)
  – Level 1 – e.g. no identity vetting
  – Level 2 – e.g. specific identity vetting requirements
  – Level 3 – e.g. cryptographic tokens required
  – Level 4 – e.g. cryptographic hard tokens required

• Credential Assessment Framework Suite (CAF)

Page 10

Federated Services: Identity Providers (IdP) & Resource Providers (RP)

Diagram labels:
• Identity Providers (IdP): uth.tmc.edu, utsystem.edu, bcm.edu, mdanderson.org, utmb.edu
• Resource Providers (RP): library.tmc.edu; Blackboard (uth.tmc.edu); GMEIS (uth.tmc.edu)
• Federation Assertion Service, e.g. UT System Fed
• Public Key Infrastructure
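The credential properties from slide 5 (identifies the person by a permanent identifier, identifies the certifying IdP, is tamper-proof) are what a resource provider checks on each assertion it receives through the federation. The following is an added example, not code from the presentation or from the UT System federation; it assumes HMAC keys in place of the federation's PKI signatures and adds a scope check (an IdP may only vouch for identifiers in its own domain), which the slides do not spell out.

```python
import hashlib
import hmac
import json
import time

# Constructed federation membership: IdP scope -> key the RP uses to verify
# that IdP's assertions. A real federation distributes X.509 certificates via
# its PKI; HMAC keys stand in here (assumption) so this runs on stdlib alone.
FEDERATION_MEMBERS = {
    "uth.tmc.edu": b"constructed-key-uth",
    "utmb.edu": b"constructed-key-utmb",
}

def sign_assertion(issuer, eppn, attrs, key, issued_at, ttl=300):
    """IdP side: assertion naming the certifying authority (issuer), the
    person's permanent identifier (EPPN) and attributes, plus a tamper-evident
    signature over the canonical serialization of the body."""
    body = {"issuer": issuer, "subject": eppn, "attrs": attrs,
            "iat": issued_at, "exp": issued_at + ttl}
    payload = json.dumps(body, sort_keys=True)
    sig = hmac.new(key, payload.encode(), hashlib.sha256).hexdigest()
    return {"payload": payload, "sig": sig}

def verify_assertion(assertion, now=None):
    """RP side: returns (True, body) or (False, reason). The issuer named in
    the body is used only to pick a key; nothing else in the body is trusted
    until the signature has verified."""
    body = json.loads(assertion["payload"])
    key = FEDERATION_MEMBERS.get(body.get("issuer"))
    if key is None:
        return False, "issuer is not a federation member"
    expected = hmac.new(key, assertion["payload"].encode(), hashlib.sha256).hexdigest()
    if not hmac.compare_digest(expected, assertion["sig"]):
        return False, "signature mismatch: assertion altered or signed with another key"
    now = int(time.time()) if now is None else now
    if now >= body["exp"]:
        return False, "assertion expired"
    # Scope check: the identifier's domain must match the IdP that signed it,
    # otherwise one member could assert another member's users.
    if body["subject"].rpartition("@")[2] != body["issuer"]:
        return False, "subject scope does not match issuer"
    return True, body
```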

Page 11

The University of Texas System

• Homogeneous
  – Share a common mission
  – Same governance body and consistent governance policies
  – Same legal requirements

• And also diverse
  – Significant differences in size and budgets
  – Significant differences in culture
  – Institutions enjoy considerable autonomy
  – 16 “stovepipes”

• 16 Institutions
  – 9 General Academic institutions
  – 6 Health institutions
  – 1 System Administration

Page 12

The University of Texas System Identity Management Federation

Foundation Documents: https://idm.utsystem.edu/utfed/

• Federation Charter
• Membership Agreement
• Operating Practices and Procedures
• Membership Operating Practices
• Service Fee Schedule
• System Federation Common Identity Attributes

Page 17

Person Cannot Log In to Their IdP Authentication Service

• Potential problems:
  – Person does not know which password is being requested.
    • The login page must state which service is requesting the username/password pair, e.g. UTEID in the previous example.
    • The login page must describe a help resource.
  – Person typed the password incorrectly.
    • Person is told that “Authentication Failed” and to re-enter his password.

Page 18

Person Authenticated But Unauthorized

• Potential problems:
  – A statement saying only “You Are Not Authorized” leaves an individual from another institution in the dark.
    • Who should the person contact?
      – Someone at their home institution?
      – Someone at the service provider institution?

• Solution:
  – The error page should provide guidance.
    • e.g. If the service is a Blackboard LMS, a statement like “Contact the course instructor, organizational leader or appropriate registrar’s office to receive authorization for access.”

Page 19

Multiple New Processes and Procedures to Be Worked Through

• How are courses provisioned?
  – Manually: a Blackboard (BB) administrator adds names and EPPNs (i.e. NetIDs) from lists provided by the sources of authority (SOAs) at the relying institutions for the appropriate courses?
  – Automatically: service provider applications (e.g. Blackboard) obtain authorization attributes from the IdP’s attribute authority and provision the BB courses with the appropriate student information?
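Slides 18 and 19 together describe what a service provider should do once a federated login has succeeded: decide authorization from asserted attributes, tell a denied user whom to contact (home IdP versus the service's own course owner), and provision courses from those attributes rather than from hand-typed lists. The following is an added example, not code from the presentation or from Blackboard; the attribute names eppn/affiliation/entitlement and the course entitlement namespace are assumptions, and the user records are constructed.

```python
# Hypothetical entitlement namespace the IdP's attribute authority would use
# to say "this person belongs in course X"; the slides name no such value.
COURSE_PREFIX = "urn:mace:example:course:"

def authorize_course(attrs, course_id, sp_host="blackboard.example.invalid"):
    """Decide access to one Blackboard course and, on denial, name the party
    who can fix it: the course owner at the SP, or the person's home IdP."""
    eppn = attrs.get("eppn", "")
    home = eppn.rpartition("@")[2] or "your home institution"   # EPPN scope = home IdP
    if COURSE_PREFIX + course_id in attrs.get("entitlement", []):
        return True, f"{eppn} is enrolled in {course_id}."
    if attrs.get("affiliation") in ("student", "faculty", "staff"):
        # Authenticated and affiliated, but not provisioned for this course:
        # only the instructor or registrar at the SP side can add the person.
        return False, (f"Your {home} login succeeded, but you are not authorized "
                       f"for course {course_id} on {sp_host}. Contact the course "
                       "instructor or the registrar's office to be added.")
    # No usable affiliation was asserted at all: the home IdP must release it.
    return False, (f"{sp_host} received no affiliation for {eppn} from {home}. "
                   f"Contact the help desk at {home} to have your attributes released.")

def provision_courses(roster):
    """Automatic provisioning: course id -> set of EPPNs, derived from the
    entitlements each IdP asserts instead of lists typed in from SOAs."""
    courses = {}
    for attrs in roster:
        for ent in attrs.get("entitlement", []):
            if ent.startswith(COURSE_PREFIX):
                courses.setdefault(ent[len(COURSE_PREFIX):], set()).add(attrs["eppn"])
    return courses

# Constructed sample attribute sets; EPPN scopes are the IdPs from slide 10.
SAMPLE_ROSTER = [
    {"eppn": "jdoe@uth.tmc.edu", "affiliation": "student",
     "entitlement": [COURSE_PREFIX + "ANAT101"]},
    {"eppn": "rroe@utmb.edu", "affiliation": "student", "entitlement": []},
    {"eppn": "guest@bcm.edu", "entitlement": []},
]
```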