Broadening Identity & Access Management: InCommon Federation
John Krienke, jcwk@internet2.edu
[Chart: InCommon Participants Year-to-Year, 2004-2014; y-axis: Number of Participants. Source: https://www.incommon.org/participants/]
incommon.org/participants
Federation Basics
- Identity tied to campus business systems
- Campus provides authentication (IdP)
- Passes attributes to the service provider (SP) for the access management decision
- Federation operator sets legal, policy, and practice terms to support trust
- International in scope
[Chart: Number of Entities in Metadata: 351 IdPs, 1690 SPs]
Federated Service Providers (http://www.incommon.org/participants/)
Business & Admin Benefits
- Asset management
- Human Resources
- Talent management
- Mobile alerts
- Travel management
- Energy management
- Surveys and market analysis
Learning and Student Affairs
- LMS, MOOCs
- Online journals
- Databases and analytical tools
- Homework labs, quiz tools
- Plagiarism detection
- Student travel discounts
- Transportation and rideshare services
- Transcript services
Federated Service Providers (http://www.incommon.org/participants/)
Research
- NIH: PubMed, SciENcv
- NSF: research.gov
- XSEDE, CILogon
- LIGO
- LTERN
- Open Science Grid
- Scholarly journals
- Gov-affiliated labs
- Many others
Research and Education Identity Federations

Identity federations in production:
- AT: ACOnet Identity Federation
- AU: Australian Access Federation (AAF)
- BE: Belnet R&E Federation
- BR: CAFe
- CA: Canadian Access Federation (CAF)
- CH: SWITCHaai
- CL: COFRe
- CZ: eduid.cz
- DE: DFN-AAI
- DK: WAYF
- EE: TAAT
- ES: SIR
- FI: Haka
- FR: Fédération Éducation-Recherche
- GR: GRNET
- HR: AAI@EduHr
- HU: eduid.hu
- IE: Edugate
- IT: IDEM
- JP: GakuNin
- LV: LAIFE
- NL: SURFconext
- NO: FEIDE
- NZ: Tuakiri New Zealand Access Federation
- PT: RCTSaai
- SE: SWAMID
- SI: ArnesAAI Slovenska
- UK: UK Access Management Federation for Education and Research
- US: InCommon
- int: IGTF

Identity federations in pilot:
- AR: MATE
- CN: CARSI
- COL: COLFIRE
- IN: INFED
- LT: LEFT
- PE: INCA
- MA: eduidm
- OM: Oman Knowledge ID Federation
- PL: PIONIERId
- RO: RoEduNet Federation
- RS: iamres
- RU: ФEDUrus AAI
- TR: YETKİM
- ZA: SAIF

This map is intended to provide a high-level overview of countries with identity federations. Last update: 14 October 2013
Maintaining a Common Trust Fabric
Governance
- Defines eligibility, promises and behaviors, terms, fees, and policies of participation
- Defines common vocabulary & usage rules: identifiers, attributes (eduPerson), their sharing, storage, & privacy
- Defines interoperability technologies: standards, software, services & trust mechanisms
Operations, Support, Outreach
- Verifies organizations, trusted officers, and entity metadata
- Securely collects, validates, decorates, and redistributes metadata
- Provides support: documentation, help desk, training, community
- Creates additional frameworks for trusted exchange: attribute release mechanisms, levels of identity assurance, privacy and consent
Moving us forward
- Additional services & partnerships for easy adoption, interop, & scale
- From descriptive to normative practices
- From the large few to the many small adopters, from national to internationally aligned trust fabrics
Preparing for Federation: Campus Basics
- Manage a centralized, current directory infrastructure
- Understand who gets added to, and who gets access to, services
- Use persistent identifiers
- Support the eduPerson schema
- Establish a process for provisioning and de-provisioning
Why Care About Identity and CI?
- Secured sharing
- Distributed nature of projects
- Identity integrity & assurance
- Visibility into CI: incident response
- Centralized provisioning, auditing, and support
- Global community
- Growing amount of work! Passwords, identity assurance
A Few Research Roadblocks and Solutions
- Different trust infrastructures (SAML vs PKI): CILogon
- Web vs non-browser clients: IdP support for the ECP profile extension
- VO managing access to distributed resources for distributed members: CoCoA (COmanage + SURFnet's OpenConext + Apps)
- Onboarding new collaborators: InCommon Research and Scholarship category, aka the R&S trust mark; users show up and get immediate access
- Federated SSO & access control: Shibboleth, SimpleSAMLphp, Grouper
- 100% coverage: Social-to-SAML gateways
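The two slides above lean on three things the federation operator's metadata makes possible for a participant: refusing a stale aggregate, trusting a scoped identifier only when the asserting IdP registered that scope, and releasing the R&S attribute bundle automatically to SPs that carry the R&S category. The block below is an added example written for this page, not code from the slides, InCommon, or Shibboleth. The aggregate it parses is constructed sample data (the entity IDs and scope are invented); the entity-category attribute name and the REFEDS R&S category URI are the real values, and the eduPerson attribute names are the standard ones. XML signature verification over the aggregate is the one step it leaves to the SAML software, as the comment notes.

```python
# Added example (not from the slides): defender-side checks that a federation
# participant runs on a SAML metadata aggregate and on the attributes it asserts
# or receives. The aggregate below is constructed sample data, not InCommon's.
import xml.etree.ElementTree as ET
from datetime import datetime, timezone

NS = {"md": "urn:oasis:names:tc:SAML:2.0:metadata",
      "mdattr": "urn:oasis:names:tc:SAML:metadata:attribute",
      "saml": "urn:oasis:names:tc:SAML:2.0:assertion",
      "shibmd": "urn:mace:shibboleth:metadata:1.0"}
# Entity-category attribute name and the REFEDS R&S category value.
ENTITY_CATEGORY = "http://macedir.org/entity-category"
RS_CATEGORY = "http://refeds.org/category/research-and-scholarship"
# Attribute bundle an IdP releases to SPs carrying the R&S category.
RS_BUNDLE = ("eduPersonPrincipalName", "mail", "displayName", "givenName",
             "sn", "eduPersonScopedAffiliation")
# Fixed clocks so the run is reproducible; the sample aggregate expires 2014-06-15.
ASSUMED_NOW = datetime(2014, 1, 1, tzinfo=timezone.utc)
ASSUMED_LATER = datetime(2014, 7, 1, tzinfo=timezone.utc)

# Constructed aggregate: one IdP with a registered scope, one R&S SP, one plain SP.
SAMPLE_AGGREGATE = """<md:EntitiesDescriptor validUntil="2014-06-15T00:00:00Z"
    xmlns:md="urn:oasis:names:tc:SAML:2.0:metadata"
    xmlns:mdattr="urn:oasis:names:tc:SAML:metadata:attribute"
    xmlns:saml="urn:oasis:names:tc:SAML:2.0:assertion"
    xmlns:shibmd="urn:mace:shibboleth:metadata:1.0">
  <md:EntityDescriptor entityID="https://idp.example.edu/idp/shibboleth">
    <md:IDPSSODescriptor protocolSupportEnumeration="urn:oasis:names:tc:SAML:2.0:protocol">
      <md:Extensions><shibmd:Scope regexp="false">example.edu</shibmd:Scope></md:Extensions>
    </md:IDPSSODescriptor>
  </md:EntityDescriptor>
  <md:EntityDescriptor entityID="https://journal.example.org/shibboleth">
    <md:Extensions><mdattr:EntityAttributes>
      <saml:Attribute Name="http://macedir.org/entity-category"
          NameFormat="urn:oasis:names:tc:SAML:2.0:attrname-format:uri">
        <saml:AttributeValue>http://refeds.org/category/research-and-scholarship</saml:AttributeValue>
      </saml:Attribute>
    </mdattr:EntityAttributes></md:Extensions>
    <md:SPSSODescriptor protocolSupportEnumeration="urn:oasis:names:tc:SAML:2.0:protocol"/>
  </md:EntityDescriptor>
  <md:EntityDescriptor entityID="https://hr.example.com/sp">
    <md:SPSSODescriptor protocolSupportEnumeration="urn:oasis:names:tc:SAML:2.0:protocol"/>
  </md:EntityDescriptor>
</md:EntitiesDescriptor>"""


def load_aggregate(xml_text, now=None):
    """Parse an aggregate, refuse a stale one, index IdP scopes and SP categories."""
    # The aggregate's XML signature must also be verified against the federation's
    # signing key before any of this is trusted; the SAML software (e.g. Shibboleth's
    # metadata filters) does that, and it is omitted here.
    now = now or datetime.now(timezone.utc)
    root = ET.fromstring(xml_text)
    if root.tag != "{%s}EntitiesDescriptor" % NS["md"]:
        raise ValueError("not a metadata aggregate")
    valid_until = root.get("validUntil")
    if valid_until is None:
        raise ValueError("no validUntil: a stale copy could be replayed indefinitely")
    expires = datetime.strptime(valid_until, "%Y-%m-%dT%H:%M:%SZ").replace(tzinfo=timezone.utc)
    if expires <= now:
        raise ValueError("aggregate expired at %s" % valid_until)
    idps, sps = {}, {}
    for ent in root.findall("md:EntityDescriptor", NS):
        eid = ent.get("entityID")
        categories = {v.text.strip()
                      for a in ent.findall("md:Extensions/mdattr:EntityAttributes/saml:Attribute", NS)
                      if a.get("Name") == ENTITY_CATEGORY
                      for v in a.findall("saml:AttributeValue", NS)}
        for idp in ent.findall("md:IDPSSODescriptor", NS):
            # Only literal scopes are indexed; regexp scopes need a separate, careful matcher.
            idps[eid] = {s.text.strip().lower()
                         for s in idp.findall("md:Extensions/shibmd:Scope", NS)
                         if s.get("regexp", "false") == "false"}
        if ent.find("md:SPSSODescriptor", NS) is not None:
            sps[eid] = categories
    return {"idps": idps, "sps": sps, "validUntil": expires}


def aggregate_is_usable(xml_text, now):
    """True if the aggregate parses and is still inside its validity window."""
    try:
        load_aggregate(xml_text, now)
        return True
    except ValueError:
        return False


def scoped_value_is_trusted(value, issuer, aggregate):
    """SP side: accept user@scope only if the asserting IdP registered that scope;
    otherwise any IdP in the federation could assert another campus's identifiers."""
    if value.count("@") != 1:
        return False
    return value.rsplit("@", 1)[1].lower() in aggregate["idps"].get(issuer, set())


def rs_release(user_attrs, sp_entity_id, aggregate):
    """IdP side: release the R&S bundle to SPs tagged R&S, nothing to others."""
    if RS_CATEGORY not in aggregate["sps"].get(sp_entity_id, set()):
        return {}
    return {k: v for k, v in user_attrs.items() if k in RS_BUNDLE}
```

Run against the constructed aggregate with `ASSUMED_NOW`, `load_aggregate` indexes one IdP (scope `example.edu`) and two SPs, of which only the journal carries the R&S category; with `ASSUMED_LATER` it refuses the aggregate as expired. The scope check is the SP-side counterpart of the operator "verifying organizations and entity metadata": the federation vouches for which scopes each IdP may assert, and the SP enforces it on every scoped attribute it consumes. The release function is what lets R&S-tagged SPs onboard users with no per-SP negotiation, while attributes outside the bundle (an employee number, say) stay at the IdP.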
Resources
- Roadmap for using CI with InCommon, from the Center for Applied Cybersecurity Research
- CILogon (SAML-to-IGTF certs), from the Cybersecurity Directorate, National Center for Supercomputing Applications, University of Illinois
- Internet2 Trust and Identity
- InCommon Affiliates: help for campus and research IAM
- R&S (Research & Scholarship) trust mark
- InCommon website and Federation Technical Guide wiki