Federated Identity Management

Transcription

1 Federated Identity Management AKA, Identity Federation or just Federation Siju Mammen SANReN 28th March 2013

2 Table of contents What is Federation? Main Actors in the Federation game Research and Education Federations Protocols Architecture Attributes Services offered in typical Reserach and Education Federations How to implement a Federation Where to go from here Siju Mammen (SANReN) Federated Identity Management 28th March / 18

3 What is Federation? Part 1 Where does it all start? Before talking about federation I want to introduce the problem that it tries to solve. Modern internet users access a wide range of sites, everything from social media and to message boards and porn sites - each with potentially a different log-in credential. Given this situation, some clever people probably thought: Wouldn t it be nice to use the same username and password at all the sites I access? And really, can t I just fill in my details once and when I access a site, they automatically get these details? Moreover, why can t I just sign-on once and automatically have access to every site that I m subscribed to without having to repeatedly enter my username and password? Siju Mammen (SANReN) Federated Identity Management 28th March / 18

4 What is Federation? Part 2 So what can we do about it? The central idea is that you exist as a digital person (cyber-self) similar to how you exist as a legal person. Your digital credentials (username and password) is a validation of your cyber-self similar to how an ID or driver s license validates your person. Just as your ID or driver s license contains attributes allowing you to buy a beer (i.e. your age), you digital credentials give a service access to attributes that may be used to authorise access to that service. Practically this means that you can use your Gmail account to log into Linkedin This in its core is what an Identity Federation is, where an entity trusts someone else to store and provide the user s information. To cater for this idea various protocols and other technologies have been developed to make this into a reality. Siju Mammen (SANReN) Federated Identity Management 28th March / 18

5 What is Federation? Part 3 Great, so lets start deplying it. Whats the hold up? Unfortunately the story doesn t end there - does anyone see the problem? For most internet use, the user s attributes are not verified by anyone apart from the user themselves. And that is fine for most use cases on the internet, but there are applications that require a degree of certainty that the user is who they say they are, and that their attributes are correct. Luckily there is a relatively easy means to solve this problem. Use a digital identity that has some way to verify the user s attributes. How? Simple: If a user is formally associated with an institution, he/she should use the credentials from that institution to log onto sites. This is possible because the user can just as well use any log-in credentials to access sites provided that they support federation. And now the service that is accessed can have some confidence that the user s attributes are accurate. Siju Mammen (SANReN) Federated Identity Management 28th March / 18

6 What is Federation? Part 4 So lets get all institutions to allow for Federated login. That shouldn t be too hard. Right? It turns out that institutions generally do not wish for their user credentials to be used in a Federated manner. There are many reasons for this, but the most important one are legal concerns around privacy and consent as well as liability issues if the user s credentials are abused. So what now? Realistically there are 2 options and both involve contracts: 1 Let the institution and the service that wants verified users use the technologies that have been developed for federation, and in the background form some sort of legal contract between them to safeguard each other. 2 Formalise the entire Federation and make it an exclusive club where both the institutions providing the identities and the people providing the services need to follow certain policies to be part of it. And in this case legal issues need to be catered for in the policies. Siju Mammen (SANReN) Federated Identity Management 28th March / 18

7 What is Federation? Part 5 Answer the question already And now I am finally able to define what is meant by an identity federation: It is the trust framework created between select organisations, built upon the technologies, policies and procedures that have been agreed on with the end goal to allow users to use their existing digital identities from an organisation to access various services. Siju Mammen (SANReN) Federated Identity Management 28th March / 18

8 So what does it mean to Start a Federation? The most complicated part of creating a Federation is the Technologies, right? Siju Mammen (SANReN) Federated Identity Management 28th March / 18

9 Roleplayers in the Federation stage All the world s a stage - but who are the actors? Identity Provider - IdP The organisation that provides the user credentials Service Provider - SP Whoever provides the web service that you want to access Discovery Service Allows you to find your home institution Federation Agent An optional entity that manages the Federation Siju Mammen (SANReN) Federated Identity Management 28th March / 18

10 Research and education identity federations The concept of Federation is not new and especially in the Research & education sphere, it is quite widely deployed in developed nations as shown in the following diagram: Siju Mammen (SANReN) Federated Identity Management 28th March / 18

11 Technology part 1: Protocol We need to standardise our grammar! In the entire sphere of Federated Identity Management we have 3 or 4 protocols to choose from SAML 2.0 WS-Federation OpenID Connect Information Card based identities Practically we only have one choice: SAML 2.0. However we do have a choice of implementations of SAML 2.0 including: simplesamlphp Shibboleth Siju Mammen (SANReN) Federated Identity Management 28th March / 18

12 Technology part 2: Attributes Let s make sure we are all speaking the same language The availability of attributes to be provisioned if required is one of the main advantages of Federation. And they do not actually pose a real technical challenge. The problem comes in with the way that different organisations decide to name their attributes differently. E.g. First Name vs Given Name To make sure everyone understands one another, within a formal federation, a Schema is often agreed on to avoid these forms of confusion. The schema is usually quite minimal and generally represents only the required fields for attribute exchange in the federation. Siju Mammen (SANReN) Federated Identity Management 28th March / 18

13 Technology part 3.1: Mesh Architecture Maybe everyone should connect to everyone Siju Mammen (SANReN) Federated Identity Management 28th March / 18

14 Technology part 3.2: Hub-and-spoke architecture Central management is useful Siju Mammen (SANReN) Federated Identity Management 28th March / 18

15 Services Why should anyone go through all this effort? The simple answer to this question is Services. Federation allows the creators of services to deploy them without having to worry about the overhead of maintaining a database of users. Examples of services include: Library services Grid services Video conferencing Cloud Services (maybe) Certification Services Commercial Services Siju Mammen (SANReN) Federated Identity Management 28th March / 18

16 Implementing a Federation What needs to be done, and who needs to do it? While there is no set procedure to implement a federation, the following aspects will always have to be decided on (my opinion is provided in brackets): Identify the scope of the Federation (R&E institutes and related services) Choose a protocol to use within the Federation (SAML 2.0) Identify a schema or set of attributes to be used within the Federation (eduperson as a Starting point) Decide on the architecture of the Federation (start with hub and spoke) Define the policies of the Federation (build on the policies of other Federations) Siju Mammen (SANReN) Federated Identity Management 28th March / 18

17 Next Steps What will happen from here on: SANReN will organise a workshop workshop from the 6th to the 8th May. Purpose is to introduce institutions to Federations. With the end goal of forming a Steering Committee and various working groups to take the project forward What we need from you: Get your institution to participate in the workshop Help market the idea Learn more about Federation and if interested come to the workshop yourself. Siju Mammen (SANReN) Federated Identity Management 28th March / 18

18 Questions Thank you Siju Mammen (SANReN) Federated Identity Management 28th March / 18