Slide 1: Identity Management and Shibboleth at MSU
Jim Green, Manager, Identity Management
Michigan State University, Academic Technology Services
Slide 2: Identity Management
Definition: "Identity management is the set of business processes, and a supporting infrastructure, for the creation, maintenance, and use of digital identities." -- The Burton Group
MSU's centrally-supported IdM infrastructure:
- Digital credentials
- Authentication
- Single sign-on
- Directory services
- Middleware
- Federation
Slide 3: Organizational Structure
Libraries, Computing and Technology:
- Academic Technology Services (ATS)
- Administrative Information Services (AIS)
- Broadcast Services
- Enterprise Business Systems Project (EBSP)
- Enterprise Information Stewardship (EIS)
- University Libraries
- University Archives & Historical Collections (UAHC)
- Virtual University Design & Technology (VUDAT)
Slide 4: How IdM fits in
- EIS: IT governance
- EBSP: new HR, financial, BI, research administration
- AIS: enterprise data/systems of record, administrative systems
- ATS: network, LMS, mail, web, computer labs
- IdM requires partnership: EIS, EBSP, AIS
- Stakeholders (data stewards): Registrar's office, Human Resources, ID Office, Internal Audit, others
Slide 5: Guiding Organizations
- Internet2/MACE (Middleware Architecture Committee for Education)
- NMI-EDIT (National Science Foundation Middleware Initiative Enterprise and Desktop Integration Technologies)
- Educause/Internet2 CAMP (Campus Architecture and Middleware Planning) workshops
- Educause Identity Management Working Group
- InCommon
Slide 7: MSU IdM technology
- Central authentication service: Kerberos
- Intra-institutional single sign-on: Sentinel
- Federated authentication: Shibboleth
- Directory services: OpenDS (msueduperson, eduorg, eduperson); CommunityID
- Provisioning: web services; self-service account creation/management; NetID legacy provisioning system
Slide 8: InCommon
- Trust fabric between federation members: Higher Ed, Government (NIH, NSF), sponsored participants (Apple, EBSCO, OCLC)
- Shibboleth and SAML
- Participant Operating Practices statement
- Federation membership not necessary
Slide 9: Shibboleth introduction
- An Internet2/MACE initiative
- Open source (Apache 2.0 license)
- Strong community
- Standards-based: SAML
- InCommon and other federations
- Authentication and Authorization Infrastructure
- Simplifies inter-organizational access to resources
- Intra-organizational applications, too
Slide 10: Shibboleth components
- Identity provider (IdP): Java/Tomcat; works with authentication/SSO and enterprise directory systems; can also be configured to provide its own SSO capability, eliminating the need for an external SSO system
- Service provider (SP): Java; works with Apache or IIS
- Where are you from? (WAYF)
Slide 11: (diagram) MSU, East Lansing, MI: Shibboleth IdP backed by Sentinel/Kerberos and OpenDS (msueduperson); MSU user. CIC, Chicago, IL: Shibboleth SP (CICme). PSU, State College, PA: Shibboleth IdP backed by PSU's SSO and PSU's directory; PSU user.
Slide 12: Shibboleth at MSU
- IdP: Shibboleth v x; twilight June 30, 2010
- Authentication: Kerberos
- SSO: Sentinel
- Attribute server: OpenDS-based private LDAP directory (msueduperson, eduperson, eduorg)
- SPs: versions 2.x and 1.3 supported
- Interest as a local SSO solution; federation capability is icing on the cake
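The flow in the last two slides, a user from MSU or PSU reaching the CIC SP while the IdP releases eduPerson attributes from its directory and the SP validates and authorizes, as an added Python sketch that is not from the presentation or from the Shibboleth project. The entity IDs, keys, directory entries and the HMAC signature standing in for SAML's XML signature are all constructed placeholders; only the attribute names eduPersonPrincipalName and eduPersonAffiliation are real eduPerson schema names.

```python
import hashlib, hmac, json
# Constructed federation metadata: placeholder entity IDs and keys, not MSU's, PSU's or CIC's.
# Real Shibboleth verifies XML signatures with X.509 keys from federation metadata; HMAC stands in.
FEDERATION_KEYS = {"idp.msu.example": b"msu-idp-key", "idp.psu.example": b"psu-idp-key"}
RELEASE_POLICY = {"sp.cic.example": {"eduPersonPrincipalName", "eduPersonAffiliation"}}  # IdP attribute filter

class IdentityProvider:
    def __init__(self, entity_id, directory):  # directory stands in for the LDAP attribute server
        self.entity_id, self.directory = entity_id, directory
    def issue_assertion(self, principal, sp_entity_id, now, ttl=300):
        allowed = RELEASE_POLICY.get(sp_entity_id, set())  # caller has already authenticated the principal
        attrs = {k: v for k, v in self.directory[principal].items() if k in allowed}
        assertion = {"issuer": self.entity_id, "audience": sp_entity_id,
                     "not_on_or_after": now + ttl, "attributes": attrs}
        body = json.dumps(assertion, sort_keys=True)
        sig = hmac.new(FEDERATION_KEYS[self.entity_id], body.encode(), hashlib.sha256).hexdigest()
        return {"assertion": body, "signature": sig}

class ServiceProvider:
    def __init__(self, entity_id, required_affiliation):
        self.entity_id, self.required_affiliation = entity_id, required_affiliation
    def consume(self, message, now):  # returns (authorized, detail)
        body, assertion = message["assertion"], json.loads(message["assertion"])
        key = FEDERATION_KEYS.get(assertion["issuer"])  # trust only federation members
        if key is None:
            return False, "issuer not in federation metadata"
        expected = hmac.new(key, body.encode(), hashlib.sha256).hexdigest()
        if not hmac.compare_digest(expected, message["signature"]):
            return False, "signature check failed"
        if assertion["audience"] != self.entity_id:
            return False, "assertion not addressed to this SP"
        if now >= assertion["not_on_or_after"]:
            return False, "assertion expired"
        attrs = assertion["attributes"]
        if self.required_affiliation not in attrs.get("eduPersonAffiliation", []):
            return False, "affiliation does not permit access"
        return True, attrs["eduPersonPrincipalName"]

# Constructed directory entries; the CIC SP admits staff from any federation IdP.
MSU = IdentityProvider("idp.msu.example", {"jgreen": {"eduPersonPrincipalName": "jgreen@msu.example",
                       "eduPersonAffiliation": ["staff"], "mail": "jgreen@msu.example"}})  # mail not released
PSU = IdentityProvider("idp.psu.example", {"nittany": {"eduPersonPrincipalName": "nittany@psu.example",
                       "eduPersonAffiliation": ["student"]}})
CIC = ServiceProvider("sp.cic.example", "staff")
def run_flows(now=1_000_000):
    forged = PSU.issue_assertion("nittany", "sp.cic.example", now)
    forged["assertion"] = forged["assertion"].replace('"student"', '"staff"')  # edited in transit
    return (CIC.consume(MSU.issue_assertion("jgreen", "sp.cic.example", now), now + 10),
            CIC.consume(PSU.issue_assertion("nittany", "sp.cic.example", now), now + 10),
            CIC.consume(forged, now + 10))
```

`run_flows()` returns the MSU staff login accepted, the PSU student refused on affiliation, and the edited assertion refused on its signature before any attribute is read.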
Slide 13: MSU Shib SPs
- ANGEL course management system
- EZProxy: access to library-licensed electronic resources
- Storemedia media server
- forums.msu.edu: MSU campus-wide discussion forums
- photos.msu.edu: UR's stock photo store
- Departmental: ATS's Confluence wiki, Biochemistry, Chemistry, HPCC's wiki
- Supported as an authentication method in our web hosting service
Slide 14: Partner projects
- Penn State: ANGEL course
- Microsoft DreamSpark: student software downloads
- CIC's CICme SharePoint site
- In the works: Tower Travel (travel portal); Aliquant benefits portal (SAML 1.1)
- Proposed: StudentsOnly/StudentUniverse.com student travel portal
Slide 15: Issues
- Adoption: application integration required; limited (but growing?) support for Shibboleth or SAML among external entities
- Trust relationship required: policy infrastructure, internal and external
- Identity verification and levels of assurance
- Questions about SSO and authentication in general
- Centralized vs. distributed IdM and access control
Slide 16: Plans
- Implement Shibboleth for more applications
- Begin to leverage federation capability by establishing partnerships
- Identity verification and InCommon Silver LOA
- Considering how to implement support for additional factors to allow stronger authentication for higher-security applications
- Provisioning modernization/middleware
- Build out the Shibboleth attribute server
Slide 17: Resources
- Shibboleth
- InCommon
- MSU's Participant Operating Practices
- Internet2/MACE
- NMI-EDIT
- SWITCH Federation AAI info
Slide 18: Resources, cont'd
- Educause Identity Management Working Group
- Educause/Internet2 CAMP Workshops (edu/camp)
- NIST SP
- InCommon Identity Assurance Framework (IAAF_1.0_Final.pdf)
Slide 19: Contact Info
Jim Green, Manager, Identity Management
Phone: (517)