Presentation is loading. Please wait.

Presentation is loading. Please wait.

Trends in Identity Management Nate Klingenstein Internet2 EDUCAUSE Security Professional 2007.

Similar presentations


Presentation on theme: "Trends in Identity Management Nate Klingenstein Internet2 EDUCAUSE Security Professional 2007."— Presentation transcript:

1 Trends in Identity Management Nate Klingenstein Internet2 EDUCAUSE Security Professional 2007

2 Topics Federated Identity Extending enterprise security Application to network security protocols Peer-to-Peer Identity OpenID Convergence & Divergence Web Access Federations and Network Security Do these communities meaningfully overlap?

3 Federated Identity Leverages local identities to access remote resources Enterprise directories & authentication Organizations trust each other Decentralized center Multiple federations Federated identity is distinct from federations Can have federated ID without federations

4 Technical Basis of Exchange Attributes Identity Providers (IdP) Asserts authentication and attribute information Service Providers (SP) Receives and processes attributes and authentications Metadata

5 Trust Basis for Exchange IdP asserts good information SP disposes of information received properly Logging Tracking down malfeasants is cooperative but always possible Everything always boils down to a bilateral exchange

6 Trust Basis for Exchange Centralized federation services Metadata Auditing Attribute standardization Other rules Extensions and merges of existing identities Virtual Organizations

7 Trust Basis for Exchange Centralized federation services Metadata Auditing Attribute standardization Other rules Extensions and merges of existing identities Virtual Organizations

8 SAML-based Higher Ed Federations Australia Belgium Canada China Denmark Finland France Germany Greece New Zealand Norway Spain Sweden Switzerland The Netherlands United Kingdom United States

9 InCommon U.S. Higher Ed Federation Multiple levels of assurance Bronze, Silver, Gold, or basic Identity information managed by central IT Where are the attributes you need? No guidance on attribute release

10 Security Assertion Standards SAML 1.1 (Shibboleth 1.x) SAML 2.0 ID-WSF WS-Trust WS-Security Many other WS-* Many other others

11 Standards Convergence ID-FF 1.1 SAML 1.0SAML 1.1 Shibboleth 1.x ID-FF 1.2 SAML

12 Peer-to-Peer Trust Self-issued credentials Usually bootstrapped through personal interaction Joe sent me his PKC in an IM, and I know this is Joe because of our secret handshake And I know that’s his screen-name because… Differentiate between quality of initial authentication and subsequent value Unauthenticated sure is popular…

13 OpenID Codification of that community trust Using URL’s A simple protocol Basic attributes Plug-ins for most web environments Many other approaches, some based on heavier technology Deployed in blogosphere and beyond No attempts to integrate with network security But growing corporate interest and support

14 OpenID/SAML convergence There are protocols and there are tokens WS-Trust WS-Security Cardspace Solutions address somewhat different needs Room for co-existence But interoperability would still be nice Some cooperation between the two communities in looking for convergence opportunities

15 Related Projects Higgins A set of interfaces that try to abstract identity management Microsoft ADFS Shibboleth interoperability XACML Layered in SAML assertions Its own protocol

16 Big Changes Federated Identity evolving from Web SSO to other applications Maturation of vendor products in the IdM space Increasingly, Federated IdM packages support multiple protocols; sites make choices based on “value add” Growing interest in using Levels of Assurance (LoA) Growing interest in Inter-Federation

17 Federated Identity for Network Authentication Traveling individuals Attribute-based access control Privacy Accountability

18 Current Deployments Shibboleth-based wireless authentication at University of Texas It’s a hack Use Shibboleth to populate a database that the RADIUS server can draw on Supports multiple access groups Hugely popular with the university brass https://spaces.internet2.edu/display/SHIB /ShibbolizedWireless

19 Current Deployments eduroam Global RADIUS infrastructure using 802.1x Widespread adoption by European higher ed Multiple countries in Asia & Oceania U.S. under-represented Let’s look at the policies…

20 Revealing Challenges What security policies will be enacted on an eduroam visitor? Japan wants to mandate that once access is granted via eduroam a VPN tunnel home be established for all further traffic What information do people need to know? Which attributes are required? Does anonymity matter?

21 SAML, RADIUS, DIAMETER RADIUS profile of SAML DAMe project DIAMETER supporting SAML Slide theft Diego Lopez of RedIRIS

22 InCommon U.S. higher education federation 50 participants and counting Oriented around access to web resources EBSCO, ScienceDirect, JSTOR, Napster, Turnitin, etc. SAML-centric

23 Questions for You What could you do with federated identity? What information do you need to know before making your various decisions? Can InCommon address your collaboration or network authentication needs? How would you do inter-realm network security?


Download ppt "Trends in Identity Management Nate Klingenstein Internet2 EDUCAUSE Security Professional 2007."

Similar presentations


Ads by Google