
Trends in Identity Management (Nate Klingenstein, Internet2; EDUCAUSE Security Professional 2007)




1 Trends in Identity Management
  Nate Klingenstein, Internet2
  EDUCAUSE Security Professional 2007

2 Topics
  Federated Identity
    Extending enterprise security
    Application to network security protocols
  Peer-to-Peer Identity
    OpenID
  Convergence & Divergence
  Web Access Federations and Network Security
    Do these communities meaningfully overlap?

3 Federated Identity
  Leverages local identities to access remote resources
    Enterprise directories & authentication
  Organizations trust each other
  Decentralized center
    Multiple federations
  Federated identity is distinct from federations
    Can have federated ID without federations

4 Technical Basis of Exchange
  Attributes
  Identity Providers (IdP)
    Asserts authentication and attribute information
  Service Providers (SP)
    Receives and processes attributes and authentications
  Metadata

5 Trust Basis for Exchange
  IdP asserts good information
  SP disposes of information received properly
  Logging
    Tracking down malfeasants is cooperative but always possible
  Everything always boils down to a bilateral exchange
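Slides 4 and 5 describe what an SP must do with what an IdP asserts. As an added example, not code from the slides or from Shibboleth, the Python below takes a constructed SAML 2.0 assertion and applies the checks an SP performs before acting on it: trusted issuer, validity window with clock skew, audience restriction, presence of an authentication statement, and extraction of the attributes into a record of the kind the logging point on slide 5 needs. The IdP and SP entityIDs (which a real SP takes from federation metadata), the assertion XML and the timestamps are assumptions; verification of the XML signature against the IdP's certificate from metadata is left out and named as such.

```python
"""SP-side consumption of a SAML 2.0 assertion (added example, not from the slides).

Constructed for illustration: the IdP/SP entityIDs (from metadata in real life)
and the assertion XML. Signature verification is deliberately out of scope; a
real SP verifies the XML-DSig with the IdP's metadata certificate first.
"""
import datetime as dt
import xml.etree.ElementTree as ET

SAML_NS = "urn:oasis:names:tc:SAML:2.0:assertion"
NS = {"saml": SAML_NS}

TRUSTED_IDP = "https://idp.example.edu/idp"          # assumed, from metadata
SP_ENTITY_ID = "https://sp.example.org/shibboleth"   # assumed, our own entityID
CLOCK_SKEW = dt.timedelta(seconds=60)                # tolerated IdP/SP clock drift

# Constructed sample assertion; no Signature element (see module docstring).
SAMPLE_ASSERTION = """<saml:Assertion xmlns:saml="urn:oasis:names:tc:SAML:2.0:assertion"
    ID="_a1b2c3" Version="2.0" IssueInstant="2007-04-10T16:00:00Z">
  <saml:Issuer>https://idp.example.edu/idp</saml:Issuer>
  <saml:Subject>
    <saml:NameID Format="urn:oasis:names:tc:SAML:2.0:nameid-format:transient">_x9y8z7</saml:NameID>
  </saml:Subject>
  <saml:Conditions NotBefore="2007-04-10T16:00:00Z" NotOnOrAfter="2007-04-10T16:05:00Z">
    <saml:AudienceRestriction>
      <saml:Audience>https://sp.example.org/shibboleth</saml:Audience>
    </saml:AudienceRestriction>
  </saml:Conditions>
  <saml:AuthnStatement AuthnInstant="2007-04-10T15:59:30Z">
    <saml:AuthnContext>
      <saml:AuthnContextClassRef>urn:oasis:names:tc:SAML:2.0:ac:classes:PasswordProtectedTransport</saml:AuthnContextClassRef>
    </saml:AuthnContext>
  </saml:AuthnStatement>
  <saml:AttributeStatement>
    <saml:Attribute Name="urn:oid:1.3.6.1.4.1.5923.1.1.1.6" FriendlyName="eduPersonPrincipalName">
      <saml:AttributeValue>jdoe@example.edu</saml:AttributeValue>
    </saml:Attribute>
    <saml:Attribute Name="urn:oid:1.3.6.1.4.1.5923.1.1.1.1" FriendlyName="eduPersonAffiliation">
      <saml:AttributeValue>student</saml:AttributeValue>
      <saml:AttributeValue>member</saml:AttributeValue>
    </saml:Attribute>
  </saml:AttributeStatement>
</saml:Assertion>"""


def _ts(value):
    # SAML timestamps are xsd:dateTime in UTC with a trailing Z.
    return dt.datetime.strptime(value, "%Y-%m-%dT%H:%M:%SZ").replace(tzinfo=dt.timezone.utc)


def consume_assertion(xml_text, now, trusted_idp=TRUSTED_IDP, sp_entity_id=SP_ENTITY_ID):
    """Validate one assertion as an SP would; return an audit record or raise ValueError.

    `now` is the SP's clock as an ISO 8601 UTC string. A production SP should use
    a hardened XML parser (e.g. defusedxml) rather than plain ElementTree.
    """
    now_utc = _ts(now)
    root = ET.fromstring(xml_text)
    if root.tag != f"{{{SAML_NS}}}Assertion":
        raise ValueError("not a SAML 2.0 Assertion")

    # 1. Issuer: only an IdP whose entityID we know from metadata is trusted.
    issuer = (root.findtext("saml:Issuer", namespaces=NS) or "").strip()
    if issuer != trusted_idp:
        raise ValueError(f"untrusted issuer {issuer!r}")

    # 2. Conditions: validity window and audience. An assertion without Conditions
    #    could be replayed anywhere, so it is refused outright.
    cond = root.find("saml:Conditions", namespaces=NS)
    if cond is None:
        raise ValueError("assertion has no Conditions")
    nb, noa = cond.get("NotBefore"), cond.get("NotOnOrAfter")
    if nb and now_utc < _ts(nb) - CLOCK_SKEW:
        raise ValueError("assertion not yet valid")
    if noa and now_utc >= _ts(noa) + CLOCK_SKEW:
        raise ValueError("assertion expired")
    restrictions = cond.findall("saml:AudienceRestriction", namespaces=NS)
    if not restrictions:
        raise ValueError("assertion carries no AudienceRestriction")
    for r in restrictions:  # every restriction element must name us (AND across elements)
        audiences = [a.text.strip() for a in r.findall("saml:Audience", namespaces=NS) if a.text]
        if sp_entity_id not in audiences:
            raise ValueError(f"assertion not addressed to this SP: {audiences}")

    # 3. An authentication event must be present; attributes alone log nobody in.
    if root.find("saml:AuthnStatement", namespaces=NS) is None:
        raise ValueError("no AuthnStatement")

    # 4. Extract what the application acts on, keyed by FriendlyName when given.
    name_id = root.findtext("saml:Subject/saml:NameID", namespaces=NS)
    attrs = {}
    for attr in root.findall("saml:AttributeStatement/saml:Attribute", namespaces=NS):
        key = attr.get("FriendlyName") or attr.get("Name")
        attrs[key] = [v.text for v in attr.findall("saml:AttributeValue", namespaces=NS)]
    # This record is what the SP logs so misuse can be traced back through the IdP.
    return {"assertion_id": root.get("ID"), "issuer": issuer, "name_id": name_id, "attributes": attrs}


def audit_assertion(xml_text, now, **kw):
    """Same check, but returns ('accepted', record) or ('rejected', reason) for logging."""
    try:
        return "accepted", consume_assertion(xml_text, now, **kw)
    except ValueError as exc:
        return "rejected", str(exc)


if __name__ == "__main__":
    print(audit_assertion(SAMPLE_ASSERTION, "2007-04-10T16:02:00Z"))
    print(audit_assertion(SAMPLE_ASSERTION, "2007-04-10T16:07:00Z"))
```

The order of the checks is the point: issuer and audience decide whether the bilateral exchange on slide 5 is even the one we think it is, and only then are the attributes worth reading. A transient NameID is useless for identifying the person at the SP by itself, which is why the logged record keeps the assertion ID and issuer: resolving it to a person is the cooperative step with the IdP the slide mentions.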

6 Trust Basis for Exchange
  Centralized federation services
    Metadata
    Auditing
    Attribute standardization
    Other rules
  Extensions and merges of existing identities
    Virtual Organizations

8 SAML-based Higher Ed Federations
  Australia, Belgium, Canada, China, Denmark, Finland, France, Germany, Greece, New Zealand, Norway, Spain, Sweden, Switzerland, The Netherlands, United Kingdom, United States

9 InCommon
  U.S. Higher Ed Federation
  Multiple levels of assurance
    Bronze, Silver, Gold, or basic
  Identity information managed by central IT
    Where are the attributes you need?
  No guidance on attribute release
  http://www.incommonfederation.org

10 Security Assertion Standards
  SAML 1.1 (Shibboleth 1.x)
  SAML 2.0
  ID-WSF
  WS-Trust
  WS-Security
  Many other WS-*
  Many other others

11 Standards Convergence
  Timeline figure (axis labels 2002, 2003, 2004): ID-FF 1.1 and SAML 1.0 lead to SAML 1.1, Shibboleth 1.x and ID-FF 1.2, which converge into SAML 2.0

12 Peer-to-Peer Trust
  Self-issued credentials
  Usually bootstrapped through personal interaction
    Joe sent me his PKC in an IM, and I know this is Joe because of our secret handshake
    And I know that’s his screen-name because…
  Differentiate between quality of initial authentication and subsequent value
    Unauthenticated email sure is popular…

13 OpenID
  Codification of that community trust
  Using URLs
  A simple protocol
    Basic attributes
    Plug-ins for most web environments
  Many other approaches, some based on heavier technology
  Deployed in blogosphere and beyond
  No attempts to integrate with network security
    But growing corporate interest and support
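The slide calls OpenID "a simple protocol" built on URLs. As an added example, not code from the slides or from any OpenID library, the Python below walks the consumer side of OpenID 1.1 on constructed data: identity-URL normalization, discovery of the openid.server and openid.delegate links in the identity page, and verification of the id_res response signature (HMAC-SHA1 over the key-value form of the fields listed in openid.signed, base64 encoded, as OpenID 1.1 specifies). The identity URL, the HTML page, the shared secret and every response field are invented. The check that matters most is also shown: a signature that verifies but does not cover identity and return_to proves nothing about who logged in.

```python
"""OpenID 1.1 consumer-side pieces (added example, not from the slides).

Constructed for illustration: the identity URL, the identity page HTML, the
association secret and all response fields. The key-value form and the
HMAC-SHA1 signature follow the OpenID 1.1 specification.
"""
import base64
import hashlib
import hmac
from html.parser import HTMLParser
from urllib.parse import urlsplit, urlunsplit

# Constructed identity page; the user proves control of this URL, nothing more.
SAMPLE_IDENTITY_PAGE = """<html><head><title>alice</title>
<link rel="openid.server" href="https://openid.example.net/server">
<link rel="openid.delegate" href="https://openid.example.net/users/alice">
</head><body>Alice's blog</body></html>"""


def normalize_identity(url):
    """Consumer-side normalization: default scheme http, lowercase host, path '/', no fragment."""
    if "://" not in url:
        url = "http://" + url
    p = urlsplit(url)
    return urlunsplit((p.scheme.lower(), p.netloc.lower(), p.path or "/", p.query, ""))


class _LinkFinder(HTMLParser):
    """Collect <link rel="openid.server"> and <link rel="openid.delegate"> from the page."""

    def __init__(self):
        super().__init__()
        self.links = {}

    def handle_starttag(self, tag, attrs):
        a = dict(attrs)
        rel = (a.get("rel") or "").lower()
        if tag == "link" and rel in ("openid.server", "openid.delegate") and a.get("href"):
            self.links.setdefault(rel, a["href"])  # first occurrence wins


def discover(page_html):
    """Return (server_url, delegate_url_or_None) found in the identity page."""
    finder = _LinkFinder()
    finder.feed(page_html)
    return finder.links.get("openid.server"), finder.links.get("openid.delegate")


def kv_form(fields, signed):
    # OpenID 1.1 key-value form: "key:value\n" per signed field, in openid.signed order.
    return "".join(f"{key}:{fields[key]}\n" for key in signed)


def sign(fields, signed, mac_key):
    digest = hmac.new(mac_key, kv_form(fields, signed).encode("utf-8"), hashlib.sha1).digest()
    return base64.b64encode(digest).decode("ascii")


def server_sign_response(fields, signed, mac_key):
    """Identity server side: emit an id_res response signed with the association secret."""
    resp = {"openid." + k: v for k, v in fields.items()}
    resp["openid.mode"] = "id_res"
    resp["openid.signed"] = ",".join(signed)
    resp["openid.sig"] = sign(dict(fields, mode="id_res"), signed, mac_key)
    return resp


def consumer_verify_response(resp, mac_key, expected_identity, expected_return_to):
    """Consumer side: check the response that came back through the user's browser."""
    if resp.get("openid.mode") != "id_res":
        return False, "not an id_res response"
    signed = resp.get("openid.signed", "").split(",")
    for required in ("mode", "identity", "return_to"):
        if required not in signed:
            return False, f"{required} is not covered by the signature"
    fields = {k[len("openid."):]: v for k, v in resp.items() if k.startswith("openid.")}
    try:
        expected_sig = sign(fields, signed, mac_key)
    except KeyError as exc:
        return False, f"signed field {exc} is missing"
    if not hmac.compare_digest(expected_sig, resp.get("openid.sig", "")):
        return False, "bad signature"
    # Binding checks: the signed identity and return_to must be the ones this login started with.
    if fields["identity"] != expected_identity:
        return False, "identity differs from the one being logged in"
    if fields["return_to"] != expected_return_to:
        return False, "return_to is not ours"
    # OpenID 1.1 has no response nonce; replay protection has to come from a
    # consumer-chosen nonce carried inside return_to (omitted here).
    return True, "ok"


if __name__ == "__main__":
    secret = b"constructed-shared-secret"  # would come from the associate step
    fields = {"identity": "http://alice.example.com/", "return_to": "https://blog.example.org/return"}
    resp = server_sign_response(fields, ["mode", "identity", "return_to"], secret)
    print(discover(SAMPLE_IDENTITY_PAGE))
    print(consumer_verify_response(resp, secret, fields["identity"], fields["return_to"]))
```

Note what the trust anchor is here: whoever controls the identity URL's HTML (and the unauthenticated HTTP fetch of it) controls which server the consumer will believe. That is the "community trust" the slide refers to, and it is why the protocol never tried to reach into network security.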

14 OpenID/SAML convergence
  There are protocols and there are tokens
    WS-Trust
    WS-Security
    Cardspace
  Solutions address somewhat different needs
    Room for co-existence
    But interoperability would still be nice
  Some cooperation between the two communities in looking for convergence opportunities

15 Related Projects
  Higgins
    A set of interfaces that try to abstract identity management
  Microsoft ADFS
    Shibboleth interoperability
  XACML
    Layered in SAML assertions
    Its own protocol

16 Big Changes
  Federated Identity evolving from Web SSO to other applications
  Maturation of vendor products in the IdM space
    Increasingly, Federated IdM packages support multiple protocols; sites make choices based on “value add”
  Growing interest in using Levels of Assurance (LoA)
  Growing interest in Inter-Federation

17 Federated Identity for Network Authentication
  Traveling individuals
  Attribute-based access control
  Privacy
  Accountability

18 Current Deployments
  Shibboleth-based wireless authentication at University of Texas
    It’s a hack
    Use Shibboleth to populate a database that the RADIUS server can draw on
    Supports multiple access groups
    Hugely popular with the university brass
  https://spaces.internet2.edu/display/SHIB/ShibbolizedWireless
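A sketch of the database-in-the-middle pattern this slide describes, added here as an example; it is not the University of Texas code, and the tier mapping, the precedence rule, the 12-hour lease, the table layout and the password hashing are all assumptions. The web side runs after the Shibboleth SP has already validated the assertion and turns the released eduPerson attributes into a short-lived wireless credential and an access group; the RADIUS side never sees SAML, only that row.

```python
"""Shibboleth-fed credential table for a RADIUS server (added example, assumptions throughout).

Not the University of Texas implementation. The web side writes a short-lived
credential plus access group after the SP has validated the assertion; the
RADIUS side reads it back. Mapping, lease and table layout are invented.
"""
import hashlib
import hmac
import os
import secrets
import sqlite3

# Most privileged affiliation wins; anything else gets the guest tier. Assumed policy.
GROUP_PRECEDENCE = ("faculty", "staff", "student", "member")
ACCESS_TIER = {"faculty": "campus-full", "staff": "campus-full",
               "student": "campus-student", "member": "campus-basic"}
GUEST_TIER = "guest"
LEASE_SECONDS = 12 * 3600        # credentials are short-lived; no lingering accounts
PBKDF2_ROUNDS = 100_000


def open_db():
    """In-memory stand-in for the table the RADIUS server's SQL module would query."""
    db = sqlite3.connect(":memory:")
    db.execute("""CREATE TABLE wireless_users (
        username TEXT PRIMARY KEY, pw_hash BLOB, salt BLOB,
        access_group TEXT, expires_at INTEGER)""")
    return db


def access_tier_for(affiliations):
    """Multi-valued eduPersonAffiliation collapses to one tier by precedence."""
    for aff in GROUP_PRECEDENCE:
        if aff in affiliations:
            return ACCESS_TIER[aff]
    return GUEST_TIER


def _hash(password, salt):
    return hashlib.pbkdf2_hmac("sha256", password.encode("utf-8"), salt, PBKDF2_ROUNDS)


def provision(db, attrs, now):
    """Web side: runs after the Shibboleth SP has validated the assertion.

    `attrs` is the released attribute set (values are lists); `now` is epoch seconds.
    Returns (username, one-time password, tier) for display to the user.
    """
    username = attrs["eduPersonPrincipalName"][0]
    tier = access_tier_for(set(attrs.get("eduPersonAffiliation", [])))
    password = secrets.token_urlsafe(12)
    salt = os.urandom(16)
    db.execute("INSERT OR REPLACE INTO wireless_users VALUES (?, ?, ?, ?, ?)",
               (username, _hash(password, salt), salt, tier, now + LEASE_SECONDS))
    db.commit()
    return username, password, tier


def radius_lookup(db, username, password, now):
    """RADIUS side: access group for a valid, unexpired credential, else None.

    Hashed storage assumes a PAP-style check; EAP methods such as PEAP/MSCHAPv2
    need the cleartext or an NT hash and would force a different storage choice.
    """
    row = db.execute("SELECT pw_hash, salt, access_group, expires_at FROM wireless_users "
                     "WHERE username = ?", (username,)).fetchone()
    if row is None:
        return None
    pw_hash, salt, tier, expires_at = row
    if now >= expires_at:
        return None                  # lease ran out: back through Shibboleth for a new one
    if not hmac.compare_digest(_hash(password, salt), pw_hash):
        return None
    return tier


if __name__ == "__main__":
    db = open_db()
    user, pw, tier = provision(db, {"eduPersonPrincipalName": ["jdoe@example.edu"],
                                    "eduPersonAffiliation": ["student", "member"]}, now=1_000_000)
    print(user, tier, radius_lookup(db, user, pw, now=1_000_000 + 60))
```

The lease is what keeps this from quietly becoming a second, unmanaged account store: the federation decided who the person is and what they are, and the row only carries that decision forward for a bounded time.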

19 Current Deployments
  eduroam
    Global RADIUS infrastructure using 802.1X
    Widespread adoption by European higher ed
    Multiple countries in Asia & Oceania
    U.S. under-represented
  http://www.eduroam.org/
  Let’s look at the policies…

20 Revealing Challenges
  What security policies will be enacted on an eduroam visitor?
    Japan wants to mandate that once access is granted via eduroam a VPN tunnel home be established for all further traffic
  What information do people need to know?
    Which attributes are required?
    Does anonymity matter?

21 SAML, RADIUS, DIAMETER
  RADIUS profile of SAML
    http://tinyurl.com/24m9pm
  DAMe project
    DIAMETER supporting SAML
  Slides borrowed from Diego Lopez of RedIRIS

22 InCommon
  U.S. higher education federation
  50 participants and counting
  Oriented around access to web resources
    EBSCO, ScienceDirect, JSTOR, Napster, Turnitin, etc.
  SAML-centric

23 Questions for You
  What could you do with federated identity?
  What information do you need to know before making your various decisions?
  Can InCommon address your collaboration or network authentication needs?
  How would you do inter-realm network security?

