Federated Identity Management




Federated Identity Management
SWITCHaai Team, aai@switch.ch

Agenda
- What is Federated Identity Management?
- What is a Federation?
- The SWITCHaai Federation
- Interfederation

Evolution of Identity Management
- Stone Age: the application maintains unique credential and identity information for each user
- Bronze Age: credentials are centralized (e.g. Kerberos, LDAP) but applications maintain all user identity information
- Iron Age: credentials and core identity information are centralized and the application maintains only app-specific user data

Federated Identity
- Current mechanisms assume applications are within the same administrative domain
- Adding a user from outside means creating an account within your IdM system. This could result in the new user having access to more than just the intended application.
- Federated Identity Management (FIM) securely shares information managed at a user's home organization with remote services.
- Within FIM systems it doesn't matter if the service is in your administrative domain or another. It's all handled the same.

Federated Identity
In Federated Identity Management:
- Identity Providers (IdP) publish authentication and identity information about users
- Service Providers (SP) consume this information and make it available to an application
- An IdP or SP is generically known as an entity
The first principle within federated identity management is the active protection of user information:
- Protect the user's credentials: only the IdP ever handles the credential
- Protect the user's identity information, including the identifier: a customized set of information is released to each SP

What does it do for me?
- Reduces work: authentication-related calls to Penn State University's helpdesk dropped by 85% after they installed Shibboleth
- Provides current data: studies of applications that maintain user data show that the majority of data is out of date. Are you protecting your app with stale data?
- Insulation from service compromises: in FIM, data is pushed to services as needed. If those services are compromised the attacker can't get everyone's data.
- Minimizes attack surface area: only the IdP needs to be able to contact user data stores. All effort can be focused on securing this one connection instead of one (more) connection per service.

Some other gains
- Users generally find the resulting single sign-on experience nicer than logging in numerous times.
- Usability-focused individuals like that the authentication process is consistent regardless of the service accessed.
- A properly maintained federation drastically simplifies the process of integrating new services.

What is a Federation?
- A group of organizations running IdPs and SPs that agree on a common set of rules and standards
- It's a label for people to talk about such a collection of organizations
- An organization may belong to more than one federation at a time
- The grouping can be on a regional level (e.g. SWITCHaai) or on a smaller scale (e.g. a large campus)
- IdPs and SPs know nothing about federations

What are these rules of which you speak?
- Technical interoperability: supported protocols; user authentication mechanisms; user attribute specifications; accepted X.509 certificates
- Legal interoperability: membership agreement/contract; federation operation policies; requirements on identity management practices
- Others: common/best operational practices, http://switch.ch/aai/bcp

What does a Federation do?
- At a minimum a federation maintains the list of which IdPs and SPs are in the federation
- Most federations also: define agreements, rules, and policies; provide some user support (documentation, email list, etc.); operate a central discovery service and test infrastructure
- Some federations: provide self-service tools for managing IdP and SP data; install IdPs and SPs for members; provide application integration support; host or help with outsourced IdPs; provide tools for managing guest users; develop custom tools for the community

Federation Metadata
- An XML document that describes every federation entity
- Contains: a unique identifier for each entity, known as the entityID; endpoints where each entity can be contacted; certificates used for signing and encrypting data
- May contain: organization and person contact information; information about which attributes an SP wants/needs
- Metadata is usually distributed by a public HTTP URL
- The metadata should be digitally signed
- Bilateral metadata exchange scales very badly
- Metadata must be kept up to date so that new entities can work with existing ones, and old or revoked entities are blocked
http://switch.ch/aai/metadata

SWITCHaai: An Example Federation (1)
- SWITCH consults with two bodies: the Advisory Committee deals with policies and the legal framework; the Community Group deals with technical/operational issues
- Two classes of SWITCHaai Participants: SWITCH Community (an organization that fits the definition from the SWITCH Service Regulations); Federation Partner (an organization sponsored by a SWITCHaai Participant from the SWITCH Community)
http://switch.ch/aai/about/federation/
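As an added example (not from the SWITCHaai slides), a small Python parser that reads a SAML 2.0 metadata aggregate, pulls out each entity's entityID, endpoints and signing certificates, and flags an aggregate that is unsigned or past its validUntil, which is the freshness check the Federation Metadata slide calls for. The sample aggregate, its entityIDs, URLs and certificate are constructed placeholders, and the script only checks that a signature element is present rather than verifying it.

```python
import xml.etree.ElementTree as ET
from datetime import datetime, timezone

NS = {"md": "urn:oasis:names:tc:SAML:2.0:metadata", "ds": "http://www.w3.org/2000/09/xmldsig#"}

# Constructed sample aggregate (one IdP, one SP); entityIDs, URLs and the certificate are placeholders.
SAMPLE_METADATA = """<md:EntitiesDescriptor xmlns:md="urn:oasis:names:tc:SAML:2.0:metadata"
  xmlns:ds="http://www.w3.org/2000/09/xmldsig#" validUntil="2012-06-01T00:00:00Z">
 <ds:Signature><ds:SignedInfo/></ds:Signature>
 <md:EntityDescriptor entityID="https://idp.example.org/idp/shibboleth">
  <md:IDPSSODescriptor protocolSupportEnumeration="urn:oasis:names:tc:SAML:2.0:protocol">
   <md:KeyDescriptor use="signing"><ds:KeyInfo><ds:X509Data>
    <ds:X509Certificate>MIIC...placeholder...</ds:X509Certificate></ds:X509Data></ds:KeyInfo></md:KeyDescriptor>
   <md:SingleSignOnService Binding="urn:oasis:names:tc:SAML:2.0:bindings:HTTP-Redirect"
    Location="https://idp.example.org/idp/profile/SAML2/Redirect/SSO"/>
  </md:IDPSSODescriptor>
 </md:EntityDescriptor>
 <md:EntityDescriptor entityID="https://sp.example.org/shibboleth">
  <md:SPSSODescriptor protocolSupportEnumeration="urn:oasis:names:tc:SAML:2.0:protocol">
   <md:AssertionConsumerService index="1" Binding="urn:oasis:names:tc:SAML:2.0:bindings:HTTP-POST"
    Location="https://sp.example.org/Shibboleth.sso/SAML2/POST"/>
  </md:SPSSODescriptor>
 </md:EntityDescriptor>
</md:EntitiesDescriptor>"""

def parse_metadata(xml_text, now=None):
    """Return (entities, problems): per-entity roles/endpoints/signing certs, plus reasons to reject the aggregate."""
    root = ET.fromstring(xml_text)
    now = now or datetime.now(timezone.utc)
    problems = []
    # Presence check only: a real consumer verifies the signature against the federation's key (e.g. xmlsec).
    if root.find("ds:Signature", NS) is None:
        problems.append("aggregate is not signed")
    valid_until = root.get("validUntil")  # stale metadata may still list revoked entities
    if valid_until and datetime.fromisoformat(valid_until.replace("Z", "+00:00")) < now:
        problems.append("aggregate expired at " + valid_until)
    entities = {}
    for ed in root.findall("md:EntityDescriptor", NS):
        info = {"roles": [], "endpoints": [], "signing_certs": []}
        for role in ed:  # IDPSSODescriptor, SPSSODescriptor, AttributeAuthorityDescriptor, ...
            if not role.tag.endswith("Descriptor"):
                continue  # skip Organization, ContactPerson, Extensions, per-entity Signature
            info["roles"].append(role.tag.split("}")[1])
            for ep in role.findall("*[@Location]"):  # every endpoint element carries a Location
                info["endpoints"].append((ep.tag.split("}")[1], ep.get("Location")))
            for kd in role.findall("md:KeyDescriptor", NS):
                if kd.get("use", "signing") == "signing":  # KeyDescriptor without 'use' serves both purposes
                    info["signing_certs"].append(kd.find(".//ds:X509Certificate", NS).text.strip())
        entities[ed.get("entityID")] = info
    return entities, problems
```

Run against a real aggregate, a non-empty problems list means the consumer should keep its last good copy rather than load the new one.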

SWITCHaai: An Example Federation (2)
- SWITCH operates the SWITCHaai Federation
- AAI is a Basic Service for the SWITCH Community

SWITCHaai: Rules, Policies, & Agreements
- SWITCHaai Service Description (includes the Policy): concepts and rules for all entities in the federation
- Federation Partner Agreement: legal contract between SWITCH and a federation partner
- Certificate Acceptance Policy: policy on the certificates accepted by the federation
- AAI Attribute Specification: minimum set of core and optional attributes supported by federation entities

SWITCHaai: The Legal Framework
[Diagram, layered top to bottom: Federal Law, Cantonal Law (e.g. data protection); SWITCHaai Service Description (includes Policy); SWITCH Service Regulations governing the SWITCH Community (Org 1, Org 2, Org ..., Org n) and the Federation Partner Agreement & GTC governing Federation Partners; each organization has its own User Regulations]

SWITCHaai: Services Provided
- Rules, policies and agreements
- Documentation: installation/migration guides, HowTos
- Call-in helpdesk and support mailing list
- Centralized services: Discovery Service; Resource Registry (metadata management); Virtual Home Organization (VHO); Attribute Viewer; Group Management Tool
- uApprove Shibboleth IdP plugin
- Test federation
- Some application integration support
- Training

SWITCHaai: Status Spring 2012
[Three charts covering 2004 to 2012: # Home Organizations (0 to 50), # AAI enabled accounts (0 to 350'000), # Resources (0 to 600)]
- 98% coverage in higher education

Interfederation!
- Users get access to services registered only in other federations
- eduGAIN is the Interfederation Service of GÉANT
- Rules and guidelines regarding international data protection are still under debate
http://edugain.org

Interfederation (2)
http://switch.ch/aai/interfederation