Presentation is loading. Please wait.

Presentation is loading. Please wait.

1 Issues in federated identity management Sandy Shaw EDINA IASSIST 24-27 May 2005, Edinburgh.

Published by Modified over 9 years ago

Similar presentations

Presentation on theme: "1 Issues in federated identity management Sandy Shaw EDINA IASSIST 24-27 May 2005, Edinburgh."— Presentation transcript:

1 1 Issues in federated identity management Sandy Shaw EDINA IASSIST 24-27 May 2005, Edinburgh

2 2 Contents  Federated identity management overview  Open issues for federations

3 3 Introduction Federated identity management a live topic Both commercial and academic interest: –Liberty Alliance –Shibboleth (Internet2 – MACE) Both make use of SAML, which specifies rules for encoding security assertions

4 4 The familiar problem Users required to present different name/pass pairs for each service they use Addressed by the introduction of single- signon for local institutional services But distinct name/pass pairs are still often required for access to external services

5 5 Federated identity solution Use locally-managed credentials to enable access to remote services Extends the scope of single-signon to external services

6 6 Shibboleth Does neither authentication nor authorisation itself Conveys security assertions from Identity Provider (IdP) to Service Provider (SP) Security assertions (SAML) about: –user authentication –user attributes Privacy preserving

7 7 How does it work? SWITCH

8 8 Benefits to users IdP local SP 1 SP 3 SSO to local services … remote SP 2 SP N SSO to remote services (JISC IE) Enables proliferation of secure services once-only login screen

9 9 Management devolved to the institution Institution has control over choice of: –Authentication method (passwords, certs, …) –SSO system (pubcookie, CoSign, …) –Attribute store (LDAP, SQL, …) –Attribute disclosure policy The main cost is the integration effort required

10 10 Benefits to Service Providers IdP 1 IdP 3 IdP 2 IdP N … SP ed.ac.ukncl.ac.uk Hide NxM users behind N IdPs medium term ~50 UK sites Federation metadata provides authoritative information on IdPs

11 11 Working definition of federation A register of identity providers and service providers interworking in a common trust network Basis of trust: –reasonable expectation of behaviour –common understanding of obligations and rights …rather than technical assurance

12 12 What does a federation do? Acts as trusted third party to vet new members: –are they who they say they are? –do they speak for their organisation? –do they agree to federation policies? Maintains a list of members (metadata) Sets policies, such as acceptable CAs

13 13 UK activity JISC Core Middleware Programme –significant support for technical development projects and infrastructure SDSS project at EDINA –Shibboleth Development and Support Services –investigating federation development issues

14 14 Current Shibboleth status Shibboleth version 1.3 expected soon –use of (new) SAML 2.0 standard The federation model is still fluid Might develop in a variety of directions

15 15 Contents  Federated identity management overview  Open issues for federations

16 16 How many federations? Early view: one per country One federation implies: –single administrative framework –everyone on same development path Already three UK Education Federations So multiple federations (and multiple membership) already a reality

17 17 Federation interworking Required for international use: –InCommon –SWITCH –HAKA … and nationally (SDSS, Becta, Eduserv) Need more operational experience!

18 18 Virtual organisation support Examples of VOs: –Institutions sharing L&T responsibilities –Disparate groups of collaborating researchers Sub-federation / spanning federations Must be easy to create Relevance of GRID VO model?

19 19 Multiple identity assurance levels To cover a wider range of requirements: –cross-institutional access to e-Learning resources –access to high value e-Science resources Factors include: –value of resources protected –rigour of institutional identity management process Accommodate a range of levels in one federation? Or simply create distinct federations?

20 20 Metadata distribution methods Federation signs aggregated metadata (IdP and SP member details) in a single file Could separately sign each member's metadata as a discrete packet (SAML 2.0) Fetch on-the-fly –does this avoid revocation checking?

21 21 Next steps Deployment for live service Launch of UK production federation Further investigation of the technology Strive for commonality in approach (to enable future interworking): –attributes, certification, policy, assurance rules Many issues will be resolved over the next year

22 22 Further information Shibboleth: http://shibboleth.internet2.edu http://shibboleth.internet2.edu JISC Core Middleware Programme: http://www.jisc.ac.uk/index.cfm?name=programme_middleware http://www.jisc.ac.uk/index.cfm?name=programme_middleware SDSS project: http://sdss.ac.ukhttp://sdss.ac.uk

Download ppt "1 Issues in federated identity management Sandy Shaw EDINA IASSIST 24-27 May 2005, Edinburgh."

Similar presentations

Lousy Introduction into SWITCHaai

Lousy Introduction into SWITCHaai
Joint Information Systems Committee 01/04/2014 | | Slide 1 Connecting People to Resources The JISC Access Management Strategy Nicole Harris Programme Manager.

Joint Information Systems Committee 01/04/2014 | | Slide 1 Connecting People to Resources The JISC Access Management Strategy Nicole Harris Programme Manager.
Eduserv Athens Federations David Orrell Eduserv Athens Technical Architect.

Eduserv Athens Federations David Orrell Eduserv Athens Technical Architect.
Shibboleth Development and Support Services SDSS Development Federation Next Phase Sandy Shaw, EDINA JISC CM Programme Meeting, Windermere, 14–15 November.

Shibboleth Development and Support Services SDSS Development Federation Next Phase Sandy Shaw, EDINA JISC CM Programme Meeting, Windermere, 14–15 November.
EGI-InSPIRE RI-261323 EGI-InSPIRE EGI-InSPIRE RI-261323 AAI in EGI Status and Evolution Peter Solagna Senior Operations Manager

EGI-InSPIRE RI EGI-InSPIRE EGI-InSPIRE RI AAI in EGI Status and Evolution Peter Solagna Senior Operations Manager
KC-ROLO Project Kidderminster College Repository Of Learning Objects Graham Mason & Ed Beddows.

KC-ROLO Project Kidderminster College Repository Of Learning Objects Graham Mason & Ed Beddows.
JISC Metaleth Project Athens, Shibboleth and the University of Bristol 29 th January 2007.

JISC Metaleth Project Athens, Shibboleth and the University of Bristol 29 th January 2007.
Joint Information Systems Committee 19/05/2015 | | Slide 1 Connecting People to Resources The UK Access Management Federation Nicole Harris Programme Manager.

Joint Information Systems Committee 19/05/2015 | | Slide 1 Connecting People to Resources The UK Access Management Federation Nicole Harris Programme Manager.
Joint Information Systems Committee 19/05/2015 | | Slide 1 Voyage of the UK JISC Federation: Shibbolising the UK’s Research, Higher and Further Education.

Joint Information Systems Committee 19/05/2015 | | Slide 1 Voyage of the UK JISC Federation: Shibbolising the UK’s Research, Higher and Further Education.
2006 © SWITCH Authentication and Authorization Infrastructures in e-Science (and the role of NRENs) Christoph Witzig SWITCH e-IRG, Helsinki, Oct 4, 2006.

2006 © SWITCH Authentication and Authorization Infrastructures in e-Science (and the role of NRENs) Christoph Witzig SWITCH e-IRG, Helsinki, Oct 4, 2006.
Copyright JNT Association 20051Optional www.ukfederation.org.uk Copyright JNT Association 2007 1 Joining the UK Access Management Federation 4th April.

Copyright JNT Association 20051Optional Copyright JNT Association Joining the UK Access Management Federation 4th April.
Dorian Grid Identity Management and Federation Dialogue Workshop II Edinburgh, Scotland February 9-10, 2006 Stephen Langella Department.

Dorian Grid Identity Management and Federation Dialogue Workshop II Edinburgh, Scotland February 9-10, 2006 Stephen Langella Department.
1 eAuthentication in Higher Education Tim Bornholtz Session #47.

1 eAuthentication in Higher Education Tim Bornholtz Session #47.
Federated Identity, Levels of Assurance, and the InCommon Silver Certification Jim Green Identity Management Academic Technology Services © Michigan State.

Federated Identity, Levels of Assurance, and the InCommon Silver Certification Jim Green Identity Management Academic Technology Services © Michigan State.
Agenda Project beginnings and funding. Purpose of the federation. Federation members. Federation protocols. Special features in our federation. Pilot.

Agenda Project beginnings and funding. Purpose of the federation. Federation members. Federation protocols. Special features in our federation. Pilot.
Copyright JNT Association 20051OptionalCopyright JNT Association 2007 Overview of the UK Access Management Federation Josh Howlett.

Copyright JNT Association 20051OptionalCopyright JNT Association 2007 Overview of the UK Access Management Federation Josh Howlett.
Shibboleth access management: a replacement for Athens and more? Mark Norman and Christian Fernau OUCS 21 June 2007.

Shibboleth access management: a replacement for Athens and more? Mark Norman and Christian Fernau OUCS 21 June 2007.
Credential Provider Operational Practices Statement CAMP Shibboleth June 29, 2004 David Wasley.

Credential Provider Operational Practices Statement CAMP Shibboleth June 29, 2004 David Wasley.
Developments in Access and Identity Management Phil Leahy – Athens Product Manager.

Developments in Access and Identity Management Phil Leahy – Athens Product Manager.
SWITCHaai Team Federated Identity Management.

SWITCHaai Team Federated Identity Management.

Similar presentations

Ads by Google