Update on Identity Management Initiatives: What Are Institutions, Agencies and Federations Doing?
Ann West, Michigan Technology University
Jackie Charonis, Stanford University
Nancy Krogh, University of Idaho
A Case Study: Shibboleth and NSC
- Stanford's perspective
- One registrar's perspective
Campus Partners and Collaborators
- One institution hosting course content for others
- Libraries purchasing licenses from multiple vendors, each with specific access policies
Research Partners and Collaborators
- Making resources available to project members at other schools (Great Plains Network)
- Single sign-on across campus online services and national/international Grid environments (GridShib)
Before Federations
After Federations
Terms: Federated Identity
- Enables single sign-on across all partner applications
- Authenticates the individual at their home institution
- Vouches for their affiliation
- Passes agreed-upon information to the partner for the access decision
What is a Federation?
An association of organizations that come together to exchange information, as appropriate, about their users and resources in order to enable collaborations and transactions. A federation uses agreed-upon policy, technology, and business practices to establish a baseline on which identity information can be exchanged.
Identity Management
Policies, processes, and supporting infrastructure used for the creation, maintenance, and use of digital identities.
- Enables organizations to facilitate and control users' access based on policy
- Protects confidential personal and business information
- Provides assurance: the persons I am working with and the systems I am using really are who they say they are, and no one can impersonate me or read or change my information.
edit.org
Terms
- Identity: collected information about an individual that indicates who they are.
- Authentication: the process by which you prove your identity to another party. (Cornell)
- Authorization: the process of determining a user's right to access a resource. (MAMS Project)
- Directory: a lookup service for applications
Shibboleth
Shibboleth is an initiative to develop an open, standards-based solution to the need for organizations to exchange information about their users in a secure and privacy-preserving manner.
intro.html
Shibboleth and InCommon: Key Concepts
- Federated administration
- Access control based on attributes
- Active management of privacy
- Standards-based, open source
- A framework for multiple, scalable trust and policy sets (standard policies)
- A standard attribute value vocabulary
intro.html
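To make the federated-identity flow on the "Terms: Federated Identity" slide and the "access control based on attributes" / "active management of privacy" concepts above concrete, here is an added example that is not part of the original talk or of Shibboleth itself. It assumes a home institution (IdP) and a partner site (SP) that share a federation key; the attribute names, entity IDs and the HMAC signature are constructed stand-ins for the SAML assertions and X.509 signatures a real Shibboleth deployment uses.

```python
import hmac
import hashlib
import json
import time

# Constructed shared key standing in for the federation-registered signing key.
FEDERATION_KEY = b"constructed-demo-key-not-a-real-secret"

# Active management of privacy: the IdP releases only the attributes agreed
# with each partner (an attribute release policy), never the full user record.
RELEASE_POLICY = {
    "https://courseware.example.edu": ["affiliation", "homeOrg"],
    "https://library-vendor.example.com": ["affiliation"],
}

def idp_issue_assertion(user_record, sp_entity_id, now=None):
    """Home institution (after authenticating the user, assumed done here)
    vouches for the agreed attributes by signing them for one partner."""
    allowed = RELEASE_POLICY.get(sp_entity_id, [])
    released = {k: user_record[k] for k in allowed if k in user_record}
    body = {"audience": sp_entity_id, "issued": now or int(time.time()), "attrs": released}
    payload = json.dumps(body, sort_keys=True).encode()
    sig = hmac.new(FEDERATION_KEY, payload, hashlib.sha256).hexdigest()
    return {"payload": payload, "sig": sig}

def assertion_attributes(assertion):
    """Attributes the IdP actually released (what the partner gets to see)."""
    return json.loads(assertion["payload"])["attrs"]

def sp_access_decision(assertion, my_entity_id, required_affiliation, now=None, max_age=300):
    """Partner checks that the home institution vouched for this user, that the
    assertion was meant for this partner and is fresh, then decides on the
    released attributes alone; it never sees a password or the user's name."""
    expected = hmac.new(FEDERATION_KEY, assertion["payload"], hashlib.sha256).hexdigest()
    if not hmac.compare_digest(expected, assertion["sig"]):
        return False, "bad signature"
    body = json.loads(assertion["payload"])
    if body["audience"] != my_entity_id:
        return False, "assertion was issued for another partner"
    if (now or int(time.time())) - body["issued"] > max_age:
        return False, "assertion expired"
    if body["attrs"].get("affiliation") != required_affiliation:
        return False, "affiliation not sufficient"
    return True, "granted"

# Constructed user record held only at the home institution.
USER = {"name": "Bianca", "studentId": "S123", "affiliation": "student", "homeOrg": "example.edu"}
```

The library vendor receives nothing but `affiliation`, and an assertion issued for the vendor is rejected if replayed at the courseware site, tampered with, or presented after it expires.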
A U.S.-based federation established to create and manage a common framework for access to online resources in support of education and research.
E-Authentication
E-Authentication is a government-managed service that makes it possible for you to use log-in IDs (identity credentials) you already have from Web sites that you and the government trust to get access to government services online.
NIST Special Publication 800-63: Electronic Authentication Guideline
After completing a risk assessment and mapping the identified risks to the required assurance level, agencies can select appropriate technology that, at a minimum, meets the technical requirements for the required level of assurance.
63/SP800 63V1_0_2.pdf
Assurance Levels
In particular, the document states specific technical requirements for each of the four levels of assurance in the following areas:
- Tokens (typically a cryptographic key or password) for proving identity
- Identity proofing, registration, and the delivery of credentials which bind an identity to a token
- Remote authentication mechanisms, that is, the combination of credentials, tokens and authentication protocols used to establish that a claimant is in fact the subscriber he or she claims to be
- Assertion mechanisms used to communicate.
Four Assurance Levels
- Level 1: Little or no confidence in the asserted identity's validity
- Level 2: Some confidence in the asserted identity's validity
- Level 3: High confidence in the asserted identity's validity
- Level 4: Very high confidence in the asserted identity's validity
Potential Impact at Each Assurance Level

Impact category                                               Level 1   Level 2   Level 3       Level 4
Inconvenience, distress or damage to standing or reputation   Minimal   Moderate  Substantial   High
Financial loss or agency liability                            Minimal   Moderate  Substantial   High
Harm to agency programs or public interests                   N/A       Minimal   Moderate      High
Unauthorized release of sensitive information                 N/A       Minimal   Substantial   High
Personal safety                                               N/A       N/A       Minimal       Substantial/High
Civil or criminal violations                                  N/A       Minimal   Substantial   High
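The two slides above describe the SP 800-63 procedure (rate each impact category in a risk assessment, then map the result to a required assurance level) without walking through it. The following is an added worked example, not from the talk or from NIST: it encodes the slide's table, assuming (as OMB M-04-04 states for the same table) that each cell is the maximum impact tolerated at that level, and derives the required level as the lowest one whose ceilings cover every assessed impact. The sample assessment is constructed.

```python
# Ordered impact ratings used in the slide's table, lowest first.
IMPACT_ORDER = ["N/A", "Minimal", "Moderate", "Substantial", "High"]

# Rows copied from the slide; each list is the ceiling at levels 1..4.
# Simplification: the slide's "Substantial/High" cell is taken as "High"
# and "Min" as "Minimal" so every cell is a single rating.
MAX_IMPACT_AT_LEVEL = {
    "Inconvenience, distress or damage to standing or reputation":
        ["Minimal", "Moderate", "Substantial", "High"],
    "Financial loss or agency liability":
        ["Minimal", "Moderate", "Substantial", "High"],
    "Harm to agency programs or public interests":
        ["N/A", "Minimal", "Moderate", "High"],
    "Unauthorized release of sensitive information":
        ["N/A", "Minimal", "Substantial", "High"],
    "Personal safety":
        ["N/A", "N/A", "Minimal", "High"],
    "Civil or criminal violations":
        ["N/A", "Minimal", "Substantial", "High"],
}

def level_for_category(category, assessed_impact):
    """Lowest assurance level (1-4) whose ceiling for this category is at
    least the assessed impact; an unknown rating raises ValueError."""
    rank = IMPACT_ORDER.index(assessed_impact)
    for level, ceiling in enumerate(MAX_IMPACT_AT_LEVEL[category], start=1):
        if IMPACT_ORDER.index(ceiling) >= rank:
            return level
    raise ValueError(f"no assurance level covers {assessed_impact} for {category}")

def required_assurance_level(assessment):
    """Overall level is the maximum over categories; also returns the
    category that drove it so the assessor can see what raised the bar."""
    per_category = {c: level_for_category(c, i) for c, i in assessment.items()}
    driver = max(per_category, key=per_category.get)
    return per_category[driver], driver

# Constructed assessment for a service showing a student's aggregated loan
# balances (cf. the "vision of the future" slide): exposure of the balances
# is rated Moderate, financial loss from a wrong decision Moderate, the rest low.
LOAN_SERVICE = {
    "Inconvenience, distress or damage to standing or reputation": "Minimal",
    "Financial loss or agency liability": "Moderate",
    "Harm to agency programs or public interests": "N/A",
    "Unauthorized release of sensitive information": "Moderate",
    "Personal safety": "N/A",
    "Civil or criminal violations": "N/A",
}
```

A Moderate disclosure impact is not covered until Level 3 in the "unauthorized release" row, so that single category, not the financial one, sets the requirement for the whole service.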
Liberty Alliance
- Builds global trust framework for identity federations spanning industries and regions
- Electronic Authentication Partnership (EAP) and Liberty Alliance form new expert group to drive trusted federations and identity assurance internationally
Standards
Liberty Identity Assurance Framework, Draft 1 (liberty identity assurance framework v1.0.pdf)
- An attempt to establish accepted standards in practice and policy
- Standards for accreditation of institutions
PESC E-Authentication / E-Authorization (EA2) Task Force
- Postsecondary Electronic Standards Council (PESC): PESC's mission is to lead the establishment and adoption of data exchange standards in education.
- PESC E-Authentication/E-Authorization (EA2) Task Force: EA2 organizational meeting in March 2007
Technology Questions
- Which authentication technology (or technologies) should we choose?
- How do applications get the data they need to make authorization decisions?
- How do we ensure uptime?
- Do we encrypt passwords in storage? In transit?
- Do we log changes in privileges? In the IdM system?
Policy Questions
- Who can access our services? What can they do or access?
- Who stewards the IdM function? The applications it uses? The data contained in it?
- What is our standing on privacy?
- What is the role of audit?
- Who decides?
Process Questions
- How does a prospective student get an account? A guest? A distance learner?
- How do we distribute credentials?
- How and when do deactivations or status changes flow from source systems into the IdM system?
- Who verifies the physical identity of individuals?
One Vision of the Future
It's 3:00 am and Bianca is sitting in a 24-hour Starbucks in the spring semester of her senior year, working on her Physics 456 homework. In a browser, she clicks on the link to the course management system, logs in with her University web single sign-on user ID and password, and starts viewing the course information. Next, she clicks on the homework link hosted by a third-party provider and "Welcome Bianca" appears along with her new homework assignment for that class. After finishing that, she decides to check her loan status and surfs to the web site of her financing agent. She clicks "Access your record" and is presented with an aggregation of her loan liability without having to identify herself or log in. She takes a deep breath, wondering if any of those job applications had yielded an interview. She clicks on her shortcut to the job placement service and again is presented with the status of her applications, without having to identify herself. One company is requesting an interview, so Bianca purchases a cheap airline ticket offered by an online service that sells only to students. In the past, she had to provide proof of enrollment, but now the technology handles this in the background.
Questions and Discussion