Presentation is loading. Please wait.

Presentation is loading. Please wait.

To Authentication and Beyond An update on C&C’s authentication-related middleware services UW Computing Support Staff Meeting December 16, 2004

Published by Modified over 9 years ago

Similar presentations

Presentation on theme: "To Authentication and Beyond An update on C&C’s authentication-related middleware services UW Computing Support Staff Meeting December 16, 2004"— Presentation transcript:

1 To Authentication and Beyond An update on C&C’s authentication-related middleware services UW Computing Support Staff Meeting December 16, 2004 http://www.washington.edu/computing/infra/

2 Topics Authentication in Context –within identity management –toward our communities of service Authentication Infrastructure Services –UW NetID, Kerberos, SecurID (for people) –UW Services CA (for servers and services) –Pubcookie –Shibboleth Authorization Infrastructure Services –UW Groups –ASTRA

3 Identity Management? “Identity management is the set of business processes, and a supporting infrastructure, for the creation, maintenance, and use of digital identities.” - The Burton Group (market research firm specializing in enterprise IT infrastructure) How does this compare with, and fit into, our conception of C&C’s (middleware) infrastructure services?

4 Basic functions of IdM ReflectData of interest from SoR JoinMatch identity across SoR CredentialNetID, password, SecurID Manage Affil/GroupsBasic/flat AuthZ info Manage PrivilegesStructured AuthZ info ProvisionFor apps w/ attitude DeliverGet AuthZ info to app AuthenticateCheck identity claims AuthorizeMake allow/deny decision LogTrack usage for audit Original source: Keith Hazelton, Univ of Wisconsin

5 IdM functions & big picture Reflect Join Credential Deliver (AuthN) Provision AuthZ Mng Grps Mng Priv Log Source: Keith Hazelton, Univ of Wisconsin; Tom Barton, Univ of Chicago

6 Many communities to serve Central Services –C&C maintained, administrative services Local Community, that’s you! –enabling departmental services Federated Communities –external partnerships, virtual organizations –some 3rd-party hosted applications –this is you too! C&C’s infrastructure services need to serve the unique requirements of each community.

7 Another view… Image source: Keith Hazelton, Univ of Wisconsin

8 Definitions Basic: –Authentication says who you are. –Authorization says what you can do. Something geekier: –Authentication is the establishment of a security context based on evaluation of evidence. –Authorization is configuration and operation of systems so actions in support of organizational goals are permitted and other actions are prohibited.

9 UW NetIDs Primary digital credential for online services at the UW About 225,000 active UW NetIDs 3-8 characters in length They’re a service to users –single id, single password, maybe even some single sign-on Get in the game! –namespace first, authentication if you can

10 UW NetID passwords Uniform policy for all passwords 8 characters or longer Must pass strength test Regular changing recommended Not externally provisioned

11 UW NetID types Personal –belongs to a single person for life Shared/supplemental –group id; actions not easily audited Reserved –system account Tremporary –use by one person, temporarily Other –kerberos host principals, @u mailing list names

12 UW NetID populations All employees in UW payroll –including HMC, HHMI, affiliate faculty, UWRP retirees All UW students –including matriculated, non-matriculated, UW extension, UWT and UWB; and applicants too Some Clinicians –e.g., UW Medical Center, from Cancer Care Alliance, Children’s hospital, UW Physicians network

13 UW NetID populations… C&C Information additions –including sponsored and supplemental ids, temporary ids (guest wireless) UW Alumni ID holders –e.g., graduates in the alumni db, UW donors and others too, e.g. –some Digital Learning Commons users –Cascadia Community College students and employees (very soon)

14 Kerberos infrastructure UW’s Enterprise Authentication Service Fundamental credential store MIT Kerberos V (version 1.3.5) Do departments need service principals and host keys for departmental systems? –If so, we haven’t seen the demand –If so, we can create a storefront, similar to the UW CA and Weblogin registration services, based on UW DNS ownership info

15 SecurID infrastructure High-assurance authentication service based on SecurID technology Provides “two-factor” authentication –something you know + something you have Use is primarily administrative systems About 5,600 SecurIDs in use About $60 per device Use is not likely to expand much

16 UW Services CA Issues digital certificates for –Traditional web server uses –Systems and services using SSL/TLS 767 certificates in use What best practices are emerging in departments to trust the UW CA? Support calls? Very few (our perception, yours too?)

17 UW CA growth

18 Pubcookie/Weblogin Purpose –Normalize web-based user authentication –Deliver UW NetID authentication info to apps Participation –Registration based on UW DNS ownership –Requires trusted SSL server certificate –Over 790 participating servers

19 Pubcookie 3.2.0 New functionality –POST-based cross-dns-domain messaging –Custom login messages –Keyserver supports wildcard certs –Keyserver supports Subject Alt Names Release info –Beta 1 release available now (Apache only) –Beta 2 release available tomorrow(ish) Will be the recommended version for UW!

20 Custom login messages Example: ESS login

21 Shibboleth Purpose –An architecture, project, and software components for standards-based federated authentication and attribute exchange. –Like Pubcookie on steroids (mostly SAML standard) User support profile –Should be similar to Pubcookie… –Except now there are Attribute Release Policies (ARPs) involved

22 Shibboleth… UW is a Shibboleth “Identity Provider” (IdP) –Running Shibboleth IdP 1.2 –Production service status with first real Service Provider (CreateHope.com, e-academy.com) –User authentication by Pubcookie/weblogin –User attributes from UW EDS Person directory –Participating in InCommon (R&E) federation; “authenticate locally, act federally” –UW NetID credential services undergoing USG E- Authentication Program credential assessment

23 What can our Shib IdP deliver? Answer: in general, user attributes of broad cross-community interest: –eduPersonPrincipalName (based on UW NetID) –eduPersonAffiliation (faculty, student, staff, alum, member, affiliate, employee) –eduPersonEntitlement –eduPersonTargetedID –uwPersonAffiliation –uwEmployeeID Qualifier: but only if an Attribute Release Policy allows release to a given service provider.

24 Authority management Why externalize authorization? –To save development time and cost ASTRA is built and ready for use UW Groups are coming –To distribute management of authorization If you want to hand it off to others, you can Put business people in charge of managing authority –To leverage well designed and maintained solutions –To use standard UIs for managing authorization data –To increase visibility of access control policy –To improve policy adherence and auditing

25 UW Groups UW EDS Groups directory under development –Institutional –Departmental –Adhoc Pairing with new UW Authorization module (for Apache, known as mod_uwa) Infrastructure alone, not enough… Need to study institutional triggers and indicators for departmental-level group creation

26 ASTRA Mission ASTRA provides Web-based management of authority for UW administrative applications. ASTRA removes systems administrators and operations teams from the business of implementing authorization requests. Instead, using ASTRA, the appropriate decision makers within the University community can easily distribute authority to the appropriate people.

27 ASTRA authority elements example By authority of Rupert B., authorizor Nathan Dors, user within Financial Desktop, application in the role of Designee, role may inquire about budget information level of access for budget 012345 access restriction from 12-16-04 to 01-01-06. condition

28 ASTRA authority elements example… ASTRA UI: initial Authorizor view

29 ASTRA authority elements example… ASTRA UI: defining new authorization

30 ASTRA authority elements example… ASTRA UI: adding new authorization

31 ASTRA authority elements example… ASTRA UI: new authorization added

32 ASTRA authority elements example… <authz xmlns:xsd="http://www.w3.org/2001/XMLSchema" xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance"> ASTRA API: attributes received in XML view

33 ASTRA: Clients in Production SAGE Ariba System Administration E-Procurement Online Work Leave System Affirmative Action Department Tools for Time Schedule FS-Works Employee Self-Service

34 ASTRA: Clients in Development Financial Desktop Space Inventory Management System Online Accident Reporting System Year End Tax Form VEBA PUC Maintenance Application Vendor Payment System

35 ASTRA: Clients in Discussion MyGradProgram Online Payroll Update System UW Project Tracker Cognos Tools (Data Warehouse) Keynes Applications (PAS, FIN, etc.)

36 ASTRA: Usage Since Launch

37 To Authentication and Beyond… How far out do C&C’s various infrastructure services reach? Kerberos Pubcookie Shibboleth UW Groups ASTRA Answer: the necessary roadmaps are being defined now. Image source: Keith Hazelton, Univ of Wisconsin

38

Download ppt "To Authentication and Beyond An update on C&C’s authentication-related middleware services UW Computing Support Staff Meeting December 16, 2004"

Similar presentations

Open Grid Forum 19 January 31, 2007 Chapel Hill, NC Stephen Langella Ohio State University Grid Authentication and Authorization with.

Open Grid Forum 19 January 31, 2007 Chapel Hill, NC Stephen Langella Ohio State University Grid Authentication and Authorization with.
EduPerson and Federated K-12 Activities InCommon/Quilts Pilot Group February 27, 2014 Keith Hazelton UW-Madison, InCommon/I2.

EduPerson and Federated K-12 Activities InCommon/Quilts Pilot Group February 27, 2014 Keith Hazelton UW-Madison, InCommon/I2.
Copyright Tom Parker, Ron DiNapoli, Andrea Beesing, Joy Veronneau 2004. This work is the intellectual property of the authors. Permission is granted for.

Copyright Tom Parker, Ron DiNapoli, Andrea Beesing, Joy Veronneau This work is the intellectual property of the authors. Permission is granted for.
Sponsored by the National Science Foundation Campus Policies for the GENI Clearinghouse and Portal Sarah Edwards, GPO March 20, 2013.

Sponsored by the National Science Foundation Campus Policies for the GENI Clearinghouse and Portal Sarah Edwards, GPO March 20, 2013.
Technical Issues with Establishing Levels of Assurance Zephyr McLaughlin Lead, Security Middleware Computing & Communications University of Washington.

Technical Issues with Establishing Levels of Assurance Zephyr McLaughlin Lead, Security Middleware Computing & Communications University of Washington.
Intra-campus Web SSO Management Topics for Deployed Campuses Nathan Dors, Technology Manager University of Washington CAMP Shibboleth June 25-27, 2007.

Intra-campus Web SSO Management Topics for Deployed Campuses Nathan Dors, Technology Manager University of Washington CAMP Shibboleth June 25-27, 2007.
2006 © SWITCH Authentication and Authorization Infrastructures in e-Science (and the role of NRENs) Christoph Witzig SWITCH e-IRG, Helsinki, Oct 4, 2006.

2006 © SWITCH Authentication and Authorization Infrastructures in e-Science (and the role of NRENs) Christoph Witzig SWITCH e-IRG, Helsinki, Oct 4, 2006.
David L. Wasley Information Resources & Communications Office of the President University of California Directories and PKI Basic Components of Middleware.

David L. Wasley Information Resources & Communications Office of the President University of California Directories and PKI Basic Components of Middleware.
Dorian Grid Identity Management and Federation Dialogue Workshop II Edinburgh, Scotland February 9-10, 2006 Stephen Langella Department.

Dorian Grid Identity Management and Federation Dialogue Workshop II Edinburgh, Scotland February 9-10, 2006 Stephen Langella Department.
Beispielbild Shibboleth, a potential security framework for EDIT Lutz Suhrbier AG Netzbasierte Informationssysteme (http://www.ag-nbi.de)http://www.ag-nbi.de.

Beispielbild Shibboleth, a potential security framework for EDIT Lutz Suhrbier AG Netzbasierte Informationssysteme (
Public Key Infrastructure at the University of Pittsburgh Robert F. Pack, Vice Provost Academic Planning and Resources Management March 27, 2000 CNI Spring.

Public Key Infrastructure at the University of Pittsburgh Robert F. Pack, Vice Provost Academic Planning and Resources Management March 27, 2000 CNI Spring.
Understanding Active Directory

Understanding Active Directory
Information Resources and Communications University of California, Office of the President UCTrust Implementation Experiences David Walker, UCOP Albert.

Information Resources and Communications University of California, Office of the President UCTrust Implementation Experiences David Walker, UCOP Albert.
70-290: MCSE Guide to Managing a Microsoft Windows Server 2003 Environment Chapter 1: Introduction to Windows Server 2003.

70-290: MCSE Guide to Managing a Microsoft Windows Server 2003 Environment Chapter 1: Introduction to Windows Server 2003.
Introduction to Grouper. Open source, community-driven project of the Internet2 Middleware Initiative Initial release v0.5 in December 2004 Grouper originally.

Introduction to Grouper. Open source, community-driven project of the Internet2 Middleware Initiative Initial release v0.5 in December 2004 Grouper originally.
Security Middleware Update IS Development Staff Forum December 8, 2004.

Security Middleware Update IS Development Staff Forum December 8, 2004.
The Access Management Puzzle: Putting the Pieces Together Identity and Access Management at the UW Ian Taylor Manager of Security Middleware University.

The Access Management Puzzle: Putting the Pieces Together Identity and Access Management at the UW Ian Taylor Manager of Security Middleware University.
CAMP Med Mapping HIPAA to the Middleware Layer Sandra Senti Biological Sciences Division University of Chicago C opyright Sandra Senti,

CAMP Med Mapping HIPAA to the Middleware Layer Sandra Senti Biological Sciences Division University of Chicago C opyright Sandra Senti,
Administrative Information Systems Shibboleth: The Next Generation ISIS Technical Information Session for Developers Datta Mahabalagiri March 3. 2008.

Administrative Information Systems Shibboleth: The Next Generation ISIS Technical Information Session for Developers Datta Mahabalagiri March
Managing Information UT November 13-14, 2008 Campus Identity and Access Management Services.

Managing Information UT November 13-14, 2008 Campus Identity and Access Management Services.

Similar presentations

Ads by Google