The Basics of Federated Identity


Transcript of The Basics of Federated Identity

Page 1: The Basics of Federated Identity

The Basics of Federated Identity

Page 2: The Basics of Federated Identity

Overview of Federated Identity and Grids Workshop

• Session 1 - for all
  • Basics and GridShib
• Session 2 – more for developers
  • Architecture and attributes
  • Panel of developers
• Session 3 – more for deployers
  • State of practice in federations
  • Panel of deployers
• Session 4 – a focus on VOs and federated identity
  • Privilege management
  • VO services

Page 3: The Basics of Federated Identity

Basics

• Types of identity
• The basics of federated identity
  • Enterprise middleware
  • Attribute and entitlement orientation
  • Federating software
  • The trust fabrics
• Current status and uses
  • Applications
  • R&E, Gov
  • Corporations and federations
    • Internal, Sector, and Participation in R&E
• Policies and Peering

Page 4: The Basics of Federated Identity

Three Types of Identity

• Global basic identity
  • Passport, driver’s license, qualifying X.509 cert
• Federated enterprise
  • Enterprise provides identity management for its users
  • Enterprises federate to build inter-realm trust and identity; federations peer
• Peer to peer
  • Self asserted, individual to individual
  • Lots of approaches, many clever
• Hybrids and others

Page 5: The Basics of Federated Identity

A Word About the Other Two…

• Global government issued
  • Qualifying certs, birth certificates, passports, driver’s licenses, etc.
  • Strength of identity proofing varies widely
  • Lurching along
• Peer to peer is very hot but not yet gelling
  • Lots of different identifiers (email addresses, URLs, aliases)
  • Lots of different trust builders (read my site, special delivery, friends of friends, etc.)
  • Workshops every two months, may converge soon on just two or three approaches.

Page 6: The Basics of Federated Identity

And Some Hint of Layering

• User-centric identity wants to integrate all types of identity
  • At storage level
    • Maybe not the actual credentials, but a store of pointers
  • At user interface level
    • The brainmap and the presentation
    • MS CardSpace and Higgins two of the major players

Page 7: The Basics of Federated Identity

Basics of federated identity

• Enterprise middleware
• Attribute and entitlement orientation
• Federating software
• The trust fabrics

Page 8: The Basics of Federated Identity

Enterprise Middleware

• Provide common services for many applications, network layer services (wireless access, lambdas, etc.)
• Directories and metadirectories
• Authentication and Single Sign-On
• Lifecycle Identity Management Services
  • To students, faculty, staff, alumni, contractors, guests, academic medical centers…
• Group and privilege management
• May eventually include workflow, DRM, etc.
• Business processes and legacy apps that feed the infrastructure and draw from it.

Page 11: The Basics of Federated Identity

Relative Roles of Signet & Grouper

RBAC (role-based access control) model
• Users are placed into groups (aka “roles”)
• Privileges are assigned to groups
• Groups can be arranged into hierarchies to effectively bestow privileges

Grouper: manages, well, groups
Signet: manages privileges
• Separates responsibilities for groups & privileges
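The RBAC split on this slide can be made concrete in a few lines. The following is an added example written for this page; it is not code from the Grouper or Signet projects and does not use their APIs. Users go into groups (possibly nested, the Grouper side), privileges are attached only to groups (the Signet side), and an access check walks the group hierarchy. The group names, privilege names and members are constructed sample data; the "stem:name" style only imitates Grouper's naming.

```python
"""Added example, not from the slides or from the Grouper and Signet projects:
a minimal model of the RBAC split the slide describes. Groups (Grouper's
job) may contain other groups; privileges (Signet's job) are assigned to
groups, never directly to users. Group names, privilege names and members
are constructed for the example."""
from collections import deque

# Grouper side: group -> its direct members, which may be users or other
# groups. Constructed sample data in a Grouper-like "stem:name" style.
GROUPS = {
    "etc:staff": {"alice", "bob"},
    "etc:faculty": {"carol"},
    "etc:employees": {"etc:staff", "etc:faculty"},  # a group of groups
    "app:payroll:admins": {"alice"},
}

# Signet side: privilege -> the groups that hold it. Constructed sample data.
PRIVILEGES = {
    "payroll:view_own": {"etc:employees"},
    "payroll:approve": {"app:payroll:admins"},
}


def effective_groups(user, groups=GROUPS):
    """All groups the user belongs to directly or through nested groups.

    Breadth-first walk up the membership graph. The visited set makes a
    cycle in the group data (A contains B, B contains A) harmless instead
    of an infinite loop."""
    direct = {g for g, members in groups.items() if user in members}
    seen, queue = set(direct), deque(direct)
    while queue:
        child = queue.popleft()
        for parent, members in groups.items():
            if child in members and parent not in seen:
                seen.add(parent)
                queue.append(parent)
    return seen


def has_privilege(user, privilege, groups=GROUPS, privileges=PRIVILEGES):
    """Deny by default: unknown privileges and users with no groups get False.
    A grant needs one of the user's effective groups among the holders."""
    holders = privileges.get(privilege, set())
    return not holders.isdisjoint(effective_groups(user, groups))


if __name__ == "__main__":
    for user in ("alice", "carol", "dave"):
        for priv in PRIVILEGES:
            print(f"{user:6} {priv:17} {has_privilege(user, priv)}")
```

Because privileges hang off groups rather than people, revoking carol's faculty membership removes every privilege she inherited through etc:employees in one step, which is the maintainability argument for separating the two managers.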

Page 12: The Basics of Federated Identity

Attributes

• Attributes have well-defined syntax and semantics across the relevant community
  • Typically have a controlled vocabulary of possible values, though some values are open-ended in meaning.
  • May be personally identifiable or more general
• Exist in many forms, from storage (LDAP) to transport (SAML, attribute certificates) to metadata (OIDs, RFCs, etc.)
• Come from “sources of authority”
• Are often used to determine access
• In shifting the focus from identity to attributes lies the ability to preserve privacy

Page 13: The Basics of Federated Identity

Entitlements

• A particular and common attribute, giving a person permissions to use certain resources
• Are often delegated, constrained, time-limited, etc.
• Can be managed, at enterprise and end-user levels, with a privilege manager (e.g. Signet)
• Controlled complexity
• Have much to offer VOs in moving from identity-based authorization to better models
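The two preceding slides (attributes with a controlled vocabulary, and entitlements as time-limited attributes that unlock resources) come together at the service provider. The example below is added for this page and is not code from the slides or from Shibboleth. It takes a SAML 2.0 AttributeStatement, rejects it outside its validity window, rejects affiliation values outside the eduPerson vocabulary, and then decides access from attributes alone. The eduPersonAffiliation and eduPersonEntitlement OIDs and the eduPerson affiliation vocabulary are real; the assertion text, the policy and the resource names are constructed. It assumes the SP software has already verified the assertion's XML signature and its issuer before the attributes reach the application, as Shibboleth does.

```python
"""Added example (not from the slides or from Shibboleth): a service
provider deciding access from the attributes in a SAML 2.0
AttributeStatement rather than from who the user is. Assumes the
assertion's signature and issuer were already verified upstream."""
import xml.etree.ElementTree as ET
from datetime import datetime

NS = {"saml": "urn:oasis:names:tc:SAML:2.0:assertion"}
AFFILIATION = "urn:oid:1.3.6.1.4.1.5923.1.1.1.1"  # eduPersonAffiliation
ENTITLEMENT = "urn:oid:1.3.6.1.4.1.5923.1.1.1.7"  # eduPersonEntitlement

# Controlled vocabulary for eduPersonAffiliation (from the eduPerson schema).
AFFILIATION_VALUES = {"faculty", "student", "staff", "employee", "member",
                      "affiliate", "alum", "library-walk-in"}

# Constructed assertion. It deliberately carries no <saml:Subject> name:
# the SP can decide access without ever learning who the user is.
SAMPLE_ASSERTION = """<saml:Assertion
    xmlns:saml="urn:oasis:names:tc:SAML:2.0:assertion"
    ID="_a1" Version="2.0" IssueInstant="2007-03-01T12:00:00Z">
  <saml:Issuer>https://idp.example.edu/idp/shibboleth</saml:Issuer>
  <saml:Conditions NotBefore="2007-03-01T12:00:00Z"
                   NotOnOrAfter="2007-03-01T12:05:00Z"/>
  <saml:AttributeStatement>
    <saml:Attribute Name="urn:oid:1.3.6.1.4.1.5923.1.1.1.1">
      <saml:AttributeValue>student</saml:AttributeValue>
      <saml:AttributeValue>member</saml:AttributeValue>
    </saml:Attribute>
    <saml:Attribute Name="urn:oid:1.3.6.1.4.1.5923.1.1.1.7">
      <saml:AttributeValue>urn:mace:dir:entitlement:common-lib-terms</saml:AttributeValue>
    </saml:Attribute>
  </saml:AttributeStatement>
</saml:Assertion>"""

# Constructed SP policy: resource -> (attribute, values that unlock it).
POLICY = {
    "library-database": (ENTITLEMENT, {"urn:mace:dir:entitlement:common-lib-terms"}),
    "course-wiki": (AFFILIATION, {"student", "faculty"}),
    "hr-portal": (AFFILIATION, {"staff"}),
}


def _ts(value):
    """Parse a SAML xs:dateTime with a 'Z' (UTC) suffix."""
    return datetime.fromisoformat(value.replace("Z", "+00:00"))


def parse_attributes(xml_text, now_iso):
    """Return {attribute name: set of values} from the AttributeStatement.

    Raises ValueError for an assertion outside its NotBefore/NotOnOrAfter
    window (entitlements are time-limited, so a replayed old assertion must
    not grant anything) and for affiliation values outside the controlled
    vocabulary (a value the community never defined has no meaning to act on)."""
    root = ET.fromstring(xml_text)
    cond = root.find("saml:Conditions", NS)
    if cond is None:
        raise ValueError("assertion has no Conditions element")
    now = _ts(now_iso)
    if not (_ts(cond.get("NotBefore")) <= now < _ts(cond.get("NotOnOrAfter"))):
        raise ValueError("assertion outside its validity window")
    attrs = {}
    for attr in root.findall("saml:AttributeStatement/saml:Attribute", NS):
        values = {v.text.strip() for v in attr.findall("saml:AttributeValue", NS) if v.text}
        if attr.get("Name") == AFFILIATION and not values <= AFFILIATION_VALUES:
            raise ValueError(f"unknown affiliation value(s): {values - AFFILIATION_VALUES}")
        attrs[attr.get("Name")] = values
    return attrs


def authorize(attrs, resource, policy=POLICY):
    """Deny by default: unknown resources and missing attributes yield False."""
    if resource not in policy:
        return False
    name, required = policy[resource]
    return not attrs.get(name, set()).isdisjoint(required)
```

The usage is `authorize(parse_attributes(SAMPLE_ASSERTION, "2007-03-01T12:02:00Z"), "library-database")`. Whether the issuer is one this SP should believe at all is a separate question that belongs to the trust fabric, not to the attribute logic.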

Page 14: The Basics of Federated Identity

Federating Software

• Almost all software built on the OASIS SAML standard. Many vendors moving towards SAML 2.0
• Most R&E federations use Shibboleth 1.x or a compatible (e.g. properly configured Sun Identity Manager, A-Select, etc.)
• SAML and Shib have been deeply joined from the beginning (c. 2000). Shared design, OpenSAML a major part of Shib, Scott Cantor (OSU) lead Shib architect and SAML 2.0 editor…
• SAML addresses more the bi-lateral use case; Shib the multi-lateral
• Apache 2.0 type license open source
• Shib 2.0 alpha due out in April
• WS-Fed, part of WS-*
  • Proprietary MS and IBM trust framework
  • Works well with ADFS and enterprise MS

Page 15: The Basics of Federated Identity

Trust Fabrics

• Instantiate as federations, with a federation operator, frequently leveraging existing organizations
• Technical set of issues
  • Versions of software
  • Attributes
  • Metadata exchanges
• Policy issues
  • Common standards for IdM – identity proofing, acts of authentication, assignment of common attributes, etc.
  • Governance and federation operations
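The "metadata exchanges" bullet is where the multi-lateral trust of the previous slide becomes mechanical: the federation operator publishes one signed SAML metadata document listing every member and its role, and each SP trusts exactly the IdPs in that list. The example below is added for this page and is not code from the slides or from Shibboleth. It loads a federation metadata document, refuses it once its validUntil has passed, and accepts an assertion's Issuer only if that entityID is registered in the IdP role. The metadata document, entity names and dates are constructed; it assumes the SP already verified the metadata file's XML signature against the federation operator's key, which is what makes the list authoritative.

```python
"""Added example, not from the slides or from the Shibboleth project: how
a federation's SAML 2.0 metadata turns a member list into multi-lateral
trust on the SP side. Assumes the metadata's own signature was verified
with the federation operator's key before it is loaded here."""
import xml.etree.ElementTree as ET
from datetime import datetime

NS = {"md": "urn:oasis:names:tc:SAML:2.0:metadata"}

# Constructed federation metadata: one IdP and one SP, with an expiry.
SAMPLE_METADATA = """<md:EntitiesDescriptor
    xmlns:md="urn:oasis:names:tc:SAML:2.0:metadata"
    Name="urn:mace:example-federation" validUntil="2007-04-01T00:00:00Z">
  <md:EntityDescriptor entityID="https://idp.example.edu/idp/shibboleth">
    <md:IDPSSODescriptor
        protocolSupportEnumeration="urn:oasis:names:tc:SAML:2.0:protocol">
      <md:SingleSignOnService
          Binding="urn:oasis:names:tc:SAML:2.0:bindings:HTTP-Redirect"
          Location="https://idp.example.edu/idp/profile/SAML2/Redirect/SSO"/>
    </md:IDPSSODescriptor>
  </md:EntityDescriptor>
  <md:EntityDescriptor entityID="https://sp.example.org/shibboleth">
    <md:SPSSODescriptor
        protocolSupportEnumeration="urn:oasis:names:tc:SAML:2.0:protocol">
      <md:AssertionConsumerService
          Binding="urn:oasis:names:tc:SAML:2.0:bindings:HTTP-POST"
          Location="https://sp.example.org/Shibboleth.sso/SAML2/POST"
          index="1"/>
    </md:SPSSODescriptor>
  </md:EntityDescriptor>
</md:EntitiesDescriptor>"""


def _ts(value):
    """Parse a SAML xs:dateTime with a 'Z' (UTC) suffix."""
    return datetime.fromisoformat(value.replace("Z", "+00:00"))


def load_federation(xml_text, now_iso):
    """Return {entityID: {"roles": set, "sso": {binding: location}}}.

    Metadata without validUntil, or past it, is rejected: an SP that keeps
    using a stale member list would keep trusting IdPs the federation has
    since removed."""
    root = ET.fromstring(xml_text)
    valid_until = root.get("validUntil")
    if valid_until is None or _ts(now_iso) >= _ts(valid_until):
        raise ValueError("federation metadata missing validUntil or expired")
    entities = {}
    for ed in root.findall("md:EntityDescriptor", NS):
        roles, sso = set(), {}
        if ed.find("md:IDPSSODescriptor", NS) is not None:
            roles.add("idp")
            for ep in ed.findall("md:IDPSSODescriptor/md:SingleSignOnService", NS):
                sso[ep.get("Binding")] = ep.get("Location")
        if ed.find("md:SPSSODescriptor", NS) is not None:
            roles.add("sp")
        entities[ed.get("entityID")] = {"roles": roles, "sso": sso}
    return entities


def trusted_idp(federation, issuer):
    """The SP-side check on an incoming assertion's <saml:Issuer>.

    Membership alone is not enough: an entity registered only as an SP
    (another federation member) must not be able to mint assertions."""
    entity = federation.get(issuer)
    return entity is not None and "idp" in entity["roles"]
```

A practical consequence of the validUntil check: when the operator publishes metadata with a short validity, every SP is forced to refresh regularly, so removing a compromised IdP from the federation takes effect within that window rather than whenever each site happens to reload.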

Page 18: The Basics of Federated Identity

Federated Applications

• Mostly access controls to content
• The first shibbed collaborative apps are appearing…
  • Several wikis
  • Digital repositories such as DSpace and Fedora
  • Learning Management Systems such as WebCT
  • IM, p2p fileshare (LionShare), CVS
• Grid-Shib integration in several ways
• SIP based tools (videoconferencing, audioconferencing) within reach
• Bootstrapping from duct tape sometimes a problem

Page 19: The Basics of Federated Identity

Current State – R&E

• R&E federations moving forward rapidly in many countries, including the US, UK, France, Germany, Sweden, Australia, Switzerland, Norway, Netherlands, Finland, Denmark, etc.

• State university systems federate – Texas, California, Maryland, Cal State, Ohio, etc.

• Use primarily is access to content and services, but eScience, collaborative apps and virtual organizations are on the map

• In the US, InCommon has approximately forty members.

Page 20: The Basics of Federated Identity

Current State - Gov

• Several national governments are developing federations of agencies and offering services to external users
• Within the US, several federal agencies are developing federations
  • GSA E-Authentication
  • NSF
  • NIH
• Close and strange working relationships with InCommon

Page 21: The Basics of Federated Identity

Corporations and Federations

• Internal use of federated id
• Vertical sectors
• Participation in other sectors
  • Content providers
  • Apps for education
• The consumer marketplace

Page 22: The Basics of Federated Identity

Peering and Confederation

• For federations to scale – internationally, across vertical sectors, and in size, some forms of interactions are necessary

• Peering involves agreements between federations on common attributes, levels of assurance, metadata, economics, privacy, etc.

• Confederation, a union of national federations, is useful in situations such as Europe with many similar but distinct federations

• Other forms, such as state federations relating to InCommon, are certain to emerge.

Page 23: The Basics of Federated Identity

Peering

Page 24: The Basics of Federated Identity

Frontier Thoughts…

• Right now, federations are about identities and their attributes

• Could federations support collaboration fabrics?
  • Federated group and privilege management
  • Virtual organization support
  • Servers and tools
  • Workflow? Digital signatures?

• How much integration is too much?

Page 25: The Basics of Federated Identity

VOs plumbed to federations