University of Washington Identity and Access Management IEEAF – RENU Network Design Workshop...
University of Washington Identity and Access Management
IEEAF – RENU Network Design Workshop
Seattle - 29 Nov 2007
Lori Stevens, Director, Distributed Systems
Ian Taylor, Manager, Security Middleware
'RL' Bob Morgan, Architect
Anne Hopkins, Lead
Zephyr McLaughlin, Lead
Overview
IAM Mission and Scope
IAM Practices
UW IAM Service Set
International Collaboration in IAM
Q & A
IAM Mission
UW Mission: "preservation, advancement, dissemination of knowledge"
People-based processes, increasingly online
Identity management provides the institutional means to know who can, should and did access online (and physical) resources
IAM Scope
IAM supports the whole institution: teaching, research, outreach, healthcare, student life, alumni, collaborators, affiliates; local, regional, global
UW Identity and UW NetID Statistics
  43,000 students at three campuses (Undergraduate, Graduate and Professional)
  Plus an Extension enrollment of 27,000 more
  28,000 Faculty and Staff
  Two Medical Centers, Neighborhood Clinics, SCCA, etc.
  K-20 network
  385,000 Active UW NetIDs (11/28/07)
IAM Practices
One identity per person
Many affiliations per person
Not just people (applications, groups, roles, organizations, ...)
Manage the entire identity lifecycle
Level of Assurance (LoA) varies depending on population and application needs
IAM Practices (cont.)
Compromise of credentials will happen
Business needs often must be balanced with compliance requirements
Identity theft is a serious problem
UW Identity and Access Management Service Set
Identity Management
  Person Registry
  UW NetID Service
Authentication
  UW Kerberos Realm
  UW Windows Infrastructure
  Weblogin Service (Pubcookie / Shibboleth)
  SecurID
  UW Certificate Authority
UW Identity and Access Management Service Set (cont.)
Authorization and Aggregation
  ASTRA
  Groups Service
  Subscriptions
Enterprise Directory Services
  Person Directory
  Groups Directory
  White Pages Directory
Federation
Use university identity for external service access
  for web resources, using the SAML standard
  Internet2 Shibboleth federation software widely deployed
R&HE Federations create trust communities
  agree on standards, vet institutions, exchange keys
  InCommon Federation in the US
  many national R&HE federations in Europe and Australia
  global service providers (eg Elsevier, Microsoft) join
  work starting on global interfederation
Other Identity Collaborations
eduroam
  access to university wireless for HE visitors
  802.1X and RADIUS technology
  deployed throughout Europe and Asia/Pacific
grid
  supporting large e-science projects
  X.509 technology
  IGTF provides global linkage of grid CAs
  work on linking grid access to SAML/Shib federation
Q & A
Thank you for your interest. We welcome your questions.
Lori Stevens, [email protected]
Ian Taylor, [email protected]
Bob Morgan, [email protected]
Anne Hopkins, [email protected]
Zephyr McLaughlin, [email protected]
Shibboleth Flow Overview
1. User connects to resource and is redirected to WAYF
2. User authenticates at his home organization
3. User gets authenticated and redirected to web server of resource
4. Attribute request – user is granted access to resource
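The four-step flow above, together with the federation's "vet institutions, exchange keys" role from the Federation slide, modeled end to end. This is an added example, not UW, Internet2 or Shibboleth code: the entity IDs, endpoints, user, attributes and federation metadata are constructed; XML assertions, XML-DSig and the IdP's X.509 certificate from federation metadata are replaced by a dict payload and an HMAC-SHA256 key so the example runs offline with the standard library only. What it keeps are the checks a Shibboleth SP must make before it trusts an assertion (issuer known to the federation, signature valid, audience is this SP, InResponseTo matches a request the SP actually sent, validity window, no replay) and the attribute-based authorization decision of step 4.

```python
"""Simplified Shibboleth / SAML Web SSO flow (constructed example, not UW code)."""
import hashlib
import hmac
import json
import secrets
import time

# Federation metadata: what the trust community distributes after vetting an
# institution. Real metadata carries the IdP's X.509 signing certificate;
# an HMAC key stands in for it here so the example needs no RSA library.
FEDERATION_METADATA = {
    "https://idp.example.edu/idp/shibboleth": {          # constructed entityID
        "sso_url": "https://idp.example.edu/idp/SSO",    # constructed endpoint
        "key": b"idp-signing-key-distributed-by-federation",
    },
}
# WAYF ("Where Are You From") discovery: home organization -> IdP entityID.
WAYF = {"example.edu": "https://idp.example.edu/idp/shibboleth"}

SP_ENTITY_ID = "https://sp.example.org/shibboleth"       # constructed SP
ASSERTION_LIFETIME = 300                                 # seconds


def sign(payload: dict, key: bytes) -> str:
    """Stand-in for XML-DSig: MAC over a canonical serialization."""
    msg = json.dumps(payload, sort_keys=True).encode()
    return hmac.new(key, msg, hashlib.sha256).hexdigest()


def sp_start(home_org: str, pending: dict) -> tuple[str, dict]:
    """Step 1: SP builds an AuthnRequest, records its ID, consults the WAYF."""
    idp = WAYF[home_org]          # KeyError: organization not in the federation
    request_id = "_" + secrets.token_hex(16)
    pending[request_id] = time.time()
    authn_request = {"id": request_id, "issuer": SP_ENTITY_ID, "destination": idp}
    return FEDERATION_METADATA[idp]["sso_url"], authn_request


def idp_issue(authn_request: dict, user: str, attrs: dict, now=None) -> dict:
    """Steps 2-3: after authenticating the user (Kerberos, Weblogin, ... not
    modeled), the IdP issues a signed assertion bound to this SP and request."""
    now = time.time() if now is None else now
    idp = authn_request["destination"]
    assertion = {
        "id": "_" + secrets.token_hex(16),
        "issuer": idp,
        "in_response_to": authn_request["id"],
        "audience": authn_request["issuer"],
        "subject": user,
        "not_before": now,
        "not_on_or_after": now + ASSERTION_LIFETIME,
        "attributes": attrs,
    }
    return {"assertion": assertion,
            "signature": sign(assertion, FEDERATION_METADATA[idp]["key"])}


def sp_consume(response: dict, pending: dict, seen_ids: set, now=None) -> dict:
    """Step 3/4: SP validates the assertion; returns the released attributes."""
    now = time.time() if now is None else now
    a = response["assertion"]
    meta = FEDERATION_METADATA.get(a["issuer"])
    if meta is None:
        raise PermissionError("issuer not in federation metadata")
    if not hmac.compare_digest(sign(a, meta["key"]), response["signature"]):
        raise PermissionError("signature does not verify")
    if a["audience"] != SP_ENTITY_ID:
        raise PermissionError("assertion was issued for a different SP")
    if a["in_response_to"] not in pending:
        raise PermissionError("unsolicited or unknown AuthnRequest ID")
    if not (a["not_before"] <= now < a["not_on_or_after"]):
        raise PermissionError("assertion outside its validity window")
    if a["id"] in seen_ids:
        raise PermissionError("replayed assertion")
    seen_ids.add(a["id"])
    del pending[a["in_response_to"]]
    return a["attributes"]


def authorize(attrs: dict, required_affiliation: str = "member") -> bool:
    """Step 4: access decision on a released attribute (eduPersonAffiliation)."""
    return required_affiliation in attrs.get("eduPersonAffiliation", [])


def run_flow(home_org: str, user: str, attrs: dict, now=None) -> bool:
    """Drive all four steps for one user; True if the resource grants access."""
    pending, seen = {}, set()
    _sso_url, request = sp_start(home_org, pending)
    response = idp_issue(request, user, attrs, now)
    released = sp_consume(response, pending, seen, now)
    return authorize(released)


if __name__ == "__main__":
    print(run_flow("example.edu", "jdoe", {"eduPersonAffiliation": ["member", "student"]}))
```

Each failed check raises rather than falling through to the authorization step, so a tampered attribute set, an assertion minted for another SP, or a captured assertion presented twice never reaches the access decision; in a real deployment the key in FEDERATION_METADATA is the IdP certificate that the federation, not the SP, has vetted, which is what makes the trust community portable across institutions.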
Shibboleth Demo
https://spaces.internet2.edu (Login via Shibboleth)
http://www.switch.ch/aai/demo/expert.html (Excellent technical introduction)