Multi-Factor Authentication, Assurance, and the Multi-Context Broker

Similar documents
Integrating Multi-Factor Authentication into Your Campus Identity Management System

Multi-Factor Authentication: All in This Together

New InCommon Working Groups

Are Passwords Passé?

Multi-factor Authentication Considerations for InCommon Silver. Mary Dunker Virginia Tech InCommon Confab April 26, 2012

Overcoming Barriers to Federation and Making IdPs Easier

The New Grouper: Its New User Interface and More

CAMPUS EXPERIENCES USING NET+ TRUST, IDENTITY, AND SECURITY SERVICES

Federated Identity Management and Shibboleth. Noreen Hogan Asst. Director Enterprise Admin. Applications

Provisioning and Deprovisioning 1 Provisioning/De-provisiong replacement 1

INTRODUCTION TO IDENTITY MANAGEMENT

Federation At Fermilab. Al Lilianstrom National Laboratories Information Technology Summit May 2015

Network Identity Management Concepts and Standards: The Key Role of Middleware

Security Awareness for User Authentication: Passwords and Beyond

SD Departmental Meeting November 28 th, Ale de Vries Product Manager ScienceDirect Elsevier

Identity Management. Manager, Identity Management. Academic Technology Services. Michigan State University Board of Trustees

Shibboleth N-Tier Support. Chad La Joie

Authentication Methods

Allidm.com. SSO Introduction. Discovering IAM Solutions. Leading the IAM facebook/allidm

SSO Plugin. Release notes. J System Solutions. Version 3.5

Shibboleth Identity Provider (IdP) Sebastian Rieger

Identity and Access Management (IAM) Roadmap DRAFT v2. North Carolina State University

S P I E Information Environments Shibboleth and Its Integration into Security Architectures. EDUCAUSE & Internet 2 Security Professionals Conference

CommIT: Simplifying Admissions Identity Management

Single Sign On at Colorado State. Ron Splittgerber

IMPACT RESEARCH INVESTMENT DISCOVERY OPPORTUNITIES STRENGTHS ACCESS RESOURCES EFFICIENCIES COLLABORATION

InCommon Basics and Participating in InCommon

A Look at Ourselves: Shibboleth Deployment Self-Assessment Checklist

Identity and Access Management Memorial s Strategic Roadmap

Unified Access for Enterprise Users

Federated Identity Management Checklist

InCommon Affiliates Webinar May 21, 2014

Evolving Strong Authentication at The University of Arizona

Business and Process Requirements Business Requirements mapped to downstream Process Requirements. IAM UC Davis

Masdar Institute Single Sign-On: Standards-based Identity Federation. John Mikhael ICT Department

EDUCAUSE Identity and Access Management Working Group Thursday, October 14, p.m. EDT / 1 p.m. PDT

Identity Management Issues for Multi-Campus Institutions - University of California -

University of Wisconsin-Madison

Low Level of Assurance Identities & OpenID. Russell J. Yount <rjy@cmu.edu> Systems Architect

InCommon Affiliates Webinar Three Case Studies with Unicon September 18, 2013

Topics. Context. Scalable Privacy. Frontiers. R&E federations globally InCommon

Update on Identity Management Initiatives: What Are Institutions, Agencies and Federations Doing?

Guide to Getting Started with the CommIT Pilot

BMC Software Webinars 2013 Atrium Single Sign On (Atrium SSO)

Getting Started with Clearlogin A Guide for Administrators V1.01

Identity and Access Management PI-3 Demo. June 2, 2015 Tuesday 10:00-11:00 a.m. Lamont Forum Room

User Identity and Authentication

locuz.com Identity and Access Management Practice

Guide for Setting Up Your Multi-Factor Authentication Account and Using Multi-Factor Authentication. Mobile App Activation

UW System Identity & Access Management (IAM) Recommended Strategic Roadmap

Multi-Factor Authentication: Do I Need It, and How Do I Get Started? [And If I Do Need It, Why Aren't Folks Deploying It?]

Office of the Chief Information Officer Department of Energy Identity, Credential, and Access Management (ICAM)

AWS Account Management Guidance

Can We Reconstruct How Identity is Managed on the Internet?

Adding Stronger Authentication to your Portal and Cloud Apps

Virtual Code Authentication User s Guide. June 25, 2015

Federated Identity & Access Mgmt for Higher Education

IQS Identity and Access Management

IIS, FTP Server and Windows

NCSU SSO. Case Study

InCommon Multifactor Authentication

IAMUCLA 2.0 SSO Updates

Copyright

MULTI-FACTOR AUTHENTICATION SET-UP

Stephen Hess. Jim Livingston. Program Name. IAM Executive Sponsors. Identity & Access Management Program Charter Dated 3 Jun 15

Configuration Guide. SafeNet Authentication Service AD FS Agent

Identity and Access Management for Federated Resource Sharing: Shibboleth Stories

Identity Management in Liferay Overview and Best Practices. Liferay Portal 6.0 EE

Middleware integration in the Sympa mailing list software. Olivier Salaün - CRU

FCCX Briefing. Information Security and Privacy Advisory Board. June 13, 2014

TRUST AND IDENTITY EXCHANGE TALK

Blending Embedded Hardware OTP, SSO, and Out of Band Auth for Secure Cloud Access

Guide for Setting Up Your Multi-Factor Authentication Account and Using Multi-Factor Authentication

Windows Azure Multi-Factor Authentication

Microsoft Azure Multi-Factor authentication. (Concept Overview Part 1)

What is TIER? Trust and Identity in Education and Research

Identity & Access Management in the Cloud: Fewer passwords, more productivity

Multi-Factor Authentication Job Aide

Alert Notification of Critical Results (ANCR) Public Domain Deployment Instructions

Federated Identity: Leveraging Shibboleth to Access On and Off Campus Resources

Q&A Session for Understanding Atrium SSO Date: Thursday, February 14, 2013, 8:00am Pacific

How do I use Citrix Staff Remote Desktop

USING ESPRESSO [ESTABLISHING SUGGESTED PRACTICES REGARDING SINGLE SIGN ON] TO STREAMLINE ACCESS

TIB 2.0 Administration Functions Overview

OIS. CERN s Experience with Federated Single Sign-On. Operating Systems & Information Services IT-OIS. June 9-10, 2011

AVG Business Secure Sign On Active Directory Quick Start Guide

Shibboleth Development and Support Services. OpenID and SAML. Fiona Culloch, EDINA. EuroCAMP, Stockholm, 7 May 2008

SSO Plugin. HP Service Request Catalog. J System Solutions. Version 3.6

Establishing A Multi-Factor Authentication Solution. Report to the Joint Legislative Oversight Committee on Information Technology

Brought to you by InCommon in cooperation with Internet2 and the EDUCAUSE Identity and Access Management Working Group.

Using RD Gateway with Azure Multifactor Authentication

RFP BOR-1511 Federated Identity Services - Response to Questions / Answers

C21 Introduction to User Access

Comodo Web Application Firewall Software Version 2.11

Alex Wong Senior Manager - Product Management Bruce Ong Director - Product Management

Using Kerberos for Web Authentication. Wesley Craig University of Michigan

Shibboleth and Library Resources

Virtual Code Authentication User Guide for Administrators

WHITEPAPER SECUREAUTH AND CAC HSPD-12 AUTHENTICATION TO WEB, NETWORK, AND CLOUD RESOURCES

Transcription:

Multi-Factor Authentication, Assurance, and the Multi-Context Broker IAM Online April 30, 2014 Keith Wessel, University of Illinois, Urbana-Champaign David Langenberg, University of Chicago David Walker, InCommon Technical Advisory Committee

Thank you to InCommon Affiliates for helping to make IAM Online possible Brought to you by Internet2 s InCommon in cooperation with the Higher Education Information Security Council

Overview The Multi-Context Broker Multi-Factor Authentication at the University of Illinois at Urbana-Champaign Multi-Factor Authentication and Assurance at the University of Chicago

The Multi-Context Broker (MCB) David Walker

Why Do We Need a Multi-Context Broker? Campus would like their authentication service to use multi-factor for internal services address risk needs of different campus services by supporting multiple levels of credential security, from email to budget distribution access higher-risk services where the external service provider needs confidence of higher-security credential practices And don t we want to develop custom code...

What Is the Multi-Context Broker? A Shibboleth Identity Provider plugin to make it easier to orchestrate multiple authentication methods within your IdMS. Uses include: Multi-factor authentication Assurance profiles Goal is very easy deployment with no programming, just configuration. Funded by the InCommon Assurance Program and the National Strategy for Trusted Identities in Cyberspace (NSTIC).

How Does It Work? 1. The service provider requests an authentication context (an authentication method, plus potential other criteria like identity proofing processes) 2. The MCB checks the IdMS to see if the user is certified to use the requested context, or some other context that satisfies the requirements of the requested context. 3. If additional authentication is required, the MCB invokes the appropriate authentication method. 4. Assuming success, the MCB returns the requested context to the service provider.

Variations on the Theme There may be multiple authentication methods that can satisfy a service provider s request. In that case, the user is given a choice. On a per-user basis, information in the IdMS can be set to require multi-factor authentication, even if the service provider does not specifically request it. The service provider can request multiple authentication contexts in priority order. User choices are ordered accordingly.

Current Status of the MCB Available now. Documentation and download: https://spaces.internet2.edu/x/bozfag Supported Authentication Methods Username / Password (JAAS) PKI Duo Security Very easy to build new submodules (fewer than 200 lines of Java for the Duo submodule). Engaged user community on the shib-users list.

The University of Illinois at Urbana-Champaign Keith Wessel

The Back Story Two SSOs needing to work together Remote User login handler did the trick A session in one took care of a session in the other

The Problem Along came Duo The Shib Duo login handler works with JAAS but not remote user Do we write our own login handler? How do we easily allow SPs to request MFA?

The Solution MCB has login submodules for remote user and Duo Make remote user the required initial authn method Allow SPs to request a specific context if they want optional or required MFA

David Langenberg davel@uchicago.edu

Use Cases InCommon Silver Duo Security Services opt-in to requiring users to 2FA Users opt-in to requiring 2FA for all services Desire to require a user to have to enter credentials only once per SSO Session

Demo

Evaluation Please complete the evaluation of today s webinar https://www.surveymonkey.com/s/iam_online_april_2014

Active Directory and Best Practices: A Revised Cookbook Best practices for authentication Active Directory and Assurance profiles Wednesday, May 7, 2014 Noon ET 11 am CT 10 am MT 9 am PT http://internet2.adobeconnect.com/incforum

Save the Date! Identity Week 2014 will take place at the Internet2 Technology Exchange Advance CAMP, CAMP, Trust and Identity October 26-30, 2014 - Indianapolis, Indiana http://events.internet2.edu/2014/technology-exchange/

InCommon Shibboleth Installation Workshops July 24-25 - Indiana University - Indianapolis, IN September 29-30 - New Jersey Institute of Technology - Newark, NJ Details and registration at www.incommon.org/shibtraining

Thank you to InCommon Affiliates for helping to make IAM Online possible Brought to you by Internet2 s InCommon in cooperation with the Higher Education Information Security Council

2024 © DocPlayer.net Privacy Policy | Terms of Service | Feedback  | Do Not Sell My Personal Information