
Federations and Security: A Multi-level Marketing Scheme Ken Klingenstein Director, Internet2 Middleware and Security.


1 Federations and Security: A Multi-level Marketing Scheme
Ken Klingenstein, Director, Internet2 Middleware and Security

2 Topics
- Context: the big middleware picture; the big security blob; areas of interaction
- Current status of federations: international; US deployments (experimental, production, and federated)
- Key issues
- Leveraging federations: trust, attributes, roles, privacy and anonymization

3 A Map of Middleware Land

4 Components of Core Middleware

5 Federations Concept

6 The Art of Federating

7 The Big Security Blob
- Several fundamental problems: software complexity and flaws; naïve underlying protocols (SMTP, ICMP, DNS, etc.); human nature; others (economic gain, etc.)
- These compound with each other in multiple and diverse ways
- All in an embedded and growing base…

8 The Intersection
- Identity management is a big part of security: authentication and authorization; data issues (encryption, privacy spills, etc.)
- Identity management may also be a significant help in other areas of security: real-time inter-realm incident handling, network access controls, etc.
- Preserving core values, e.g. trust-mediated transparency

9 Federations
- Persistent, enterprise-centric trust facilitators
- Sector-based, nationally oriented
- The federation operator handles enterprise identification/authentication (I/A) and management of centralized metadata operations
- Members of the federation use common software to exchange assertions bilaterally using a federated set of attributes; members determine what to trust, and for what purposes, on an application-by-application basis
- A steering group sets policy and operational direction
- Note the "discovery" of widespread internal federations and the bloom of local and ad hoc federations

10 Federation Fundamentals
- Members sign a contract to join
- Members must still create business relationships with each other; bilateral relationships can impose additional policy
- The federation does NOT:
  - collect or assert anything, except the necessary metadata about member signing keys, etc.
  - authenticate end users
  - provide services, though it may be associated with groups or buying clubs

11 SAML
- Security Assertion Markup Language, an OASIS standard
- SAML 1.0 is the current eAuth standard; SAML 1.1 is widely embedded in commercial products
- SAML 2.0 was ratified by OASIS last year
- Combines much of the intellectual contribution of the Liberty Alliance with materials from the Shibboleth community: a fusion product
- Scott Cantor of Ohio State was the technical editor
- Adds some interesting new capabilities, e.g. privacy preservation, actively linked identities
- Possibly a plateau product

12 Shibboleth v1.3b
- Open source SAML and Shib implementation
- Certified for use with the US Federal Government e-Authentication Initiative
- WS-Fed compatible, funded by Microsoft
- Plugins for non-web services: GridShib, Lionshare, etc.
- Installs relatively easily; the plumbing can take one day to four years, depending on local middleware infrastructure
- Getting some press…

13 Shibboleth 2.0 Features
- Convergence with commercial Liberty and SAML products refactors Shib
- What is the definition of Shibboleth 2.0? A SAML 2.0 profile, plus an open source implementation of that profile, including SAML 2.0 as the building block
- Inclusion of open source add-ons such as ShARPE and Autograph

14 Application integration
- Access to online content, from scholarly to popular
- Access to digital repositories and federated search
- Submission of materials, from grant proposals to tests and exams
- Non-web applications (p2p file sharing, Grids, etc.) are beginning to leverage federated identity

15 Federated model
- Enterprises and organizations provide local authentication and attributes, namespaces, etc.
- Uses a variety of end-entity local authentication: PKI, username/password, Kerberos, two-factor, etc.
- Enterprises within a vertical sector federate to coordinate LOAs, namespaces, metadata, etc.
- Provides a scalable alternative to managing multiple bilateral technical relationships
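Slides 10, 11 and 15 describe the division of labour: the federation publishes only metadata (member entityIDs, signing keys, and the namespaces each IdP may assert), and every SP decides for itself what to trust and for what. The following Python is an added example, not code from the presentation or from the Shibboleth project, of the policy checks an SP applies to a received SAML 2.0 assertion: the issuer must be a member listed in federation metadata, the assertion must be addressed to this SP (Audience), it must lie inside its validity window, and values of scoped attributes must carry a scope the issuing IdP is registered for, otherwise one member could assert `faculty@other.edu` on another institution's behalf. The entityIDs, scopes and the sample assertion are constructed. XML-Signature verification against the IdP's key from metadata is assumed to have already passed and is not implemented here (it needs an XML-DSig library); a production SP additionally checks SubjectConfirmationData (InResponseTo, Recipient) and keeps a replay cache of assertion IDs.

```python
"""Policy checks a federation SP applies to a SAML 2.0 assertion (added example).

Assumes XML-Signature verification against the IdP key from federation
metadata has already passed; that step is deliberately not implemented here.
"""
import xml.etree.ElementTree as ET
from datetime import datetime, timezone

SAML_NS = "urn:oasis:names:tc:SAML:2.0:assertion"
NS = {"saml": SAML_NS}

# Constructed stand-in for the federation's metadata aggregate: entityIDs of
# member IdPs and the attribute scopes each one is registered to assert.
FEDERATION_IDPS = {
    "https://idp.example.edu/idp/shibboleth": {"example.edu"},
    "https://idp.other.edu/idp/shibboleth": {"other.edu", "alumni.other.edu"},
}
SP_ENTITY_ID = "https://sp.example.org/shibboleth"  # this SP's entityID (constructed)

# Attributes whose values carry an "@scope" suffix that must match the IdP's registration.
SCOPED_ATTRIBUTES = {"eduPersonScopedAffiliation", "eduPersonPrincipalName"}

# Constructed sample assertion. The second affiliation value claims a scope the
# issuing IdP is not registered for and must be dropped by the SP.
SAMPLE_ASSERTION = f"""<saml:Assertion xmlns:saml="{SAML_NS}" ID="_a1b2c3" Version="2.0"
    IssueInstant="2006-05-01T12:00:00Z">
  <saml:Issuer>https://idp.example.edu/idp/shibboleth</saml:Issuer>
  <saml:Subject>
    <saml:NameID Format="urn:oasis:names:tc:SAML:2.0:nameid-format:transient">_t9x8y7</saml:NameID>
  </saml:Subject>
  <saml:Conditions NotBefore="2006-05-01T11:59:00Z" NotOnOrAfter="2006-05-01T12:05:00Z">
    <saml:AudienceRestriction><saml:Audience>{SP_ENTITY_ID}</saml:Audience></saml:AudienceRestriction>
  </saml:Conditions>
  <saml:AttributeStatement>
    <saml:Attribute Name="urn:oid:1.3.6.1.4.1.5923.1.1.1.9" FriendlyName="eduPersonScopedAffiliation">
      <saml:AttributeValue>member@example.edu</saml:AttributeValue>
      <saml:AttributeValue>faculty@other.edu</saml:AttributeValue>
    </saml:Attribute>
  </saml:AttributeStatement>
</saml:Assertion>"""


class AssertionRejected(Exception):
    """Raised when the assertion fails a policy check; the message names the check."""


def _parse_time(value):
    if isinstance(value, datetime):
        return value
    return datetime.strptime(value, "%Y-%m-%dT%H:%M:%SZ").replace(tzinfo=timezone.utc)


def accept_assertion(xml_text, now, federation=FEDERATION_IDPS, sp_entity_id=SP_ENTITY_ID):
    """Return {'issuer': ..., 'attributes': ...} or raise AssertionRejected."""
    now = _parse_time(now)
    root = ET.fromstring(xml_text)
    if root.tag != f"{{{SAML_NS}}}Assertion" or root.get("Version") != "2.0":
        raise AssertionRejected("not a SAML 2.0 Assertion")

    # 1. Only members listed in federation metadata may issue assertions to us.
    issuer = (root.findtext("saml:Issuer", namespaces=NS) or "").strip()
    if issuer not in federation:
        raise AssertionRejected(f"issuer not in federation metadata: {issuer!r}")

    # 2. Validity window: rejects stale or replayed assertions. Both bounds are required.
    cond = root.find("saml:Conditions", NS)
    if cond is None or cond.get("NotBefore") is None or cond.get("NotOnOrAfter") is None:
        raise AssertionRejected("conditions: missing validity window")
    if now < _parse_time(cond.get("NotBefore")) or now >= _parse_time(cond.get("NotOnOrAfter")):
        raise AssertionRejected("conditions: outside validity window")

    # 3. Audience: an assertion minted for another SP must not be accepted here.
    audiences = {a.text.strip() for a in cond.findall("saml:AudienceRestriction/saml:Audience", NS) if a.text}
    if sp_entity_id not in audiences:
        raise AssertionRejected("audience: not addressed to this SP")

    # 4. Scope filtering: keep only scoped values inside the issuer's registered namespaces.
    allowed_scopes = {s.lower() for s in federation[issuer]}
    attributes = {}
    for attr in root.findall("saml:AttributeStatement/saml:Attribute", NS):
        name = attr.get("FriendlyName") or attr.get("Name")
        values = [v.text.strip() for v in attr.findall("saml:AttributeValue", NS) if v.text]
        if name in SCOPED_ATTRIBUTES:
            values = [v for v in values
                      if "@" in v and v.rpartition("@")[2].lower() in allowed_scopes]
        if values:
            attributes[name] = values
    return {"issuer": issuer, "attributes": attributes}


def rejection_reason(xml_text, now, **kwargs):
    """None if the assertion is accepted, otherwise the name of the failed check."""
    try:
        accept_assertion(xml_text, now, **kwargs)
        return None
    except AssertionRejected as exc:
        return str(exc)


if __name__ == "__main__":
    print(accept_assertion(SAMPLE_ASSERTION, "2006-05-01T12:01:00Z"))
```

The scope check is the one most often forgotten when a bilateral SP is moved into a federation: with many IdPs behind one trust anchor, the signature proves who spoke, but only the metadata says which namespaces that speaker is allowed to speak for.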

16 Research and Education Federations
- Growing national federations: UK, France, Germany, Switzerland, Australia, Netherlands, Norway, Spain, Denmark, etc.
- Stages range from fully established to in development; scope ranges from higher education to further education
- Many are Shib-based; all speak Shib on the outside…
- Several million users in the UK between JISC and BECTA
- All working in concert with almost all major publishers for access control; some are using it for security exchanges, software downloads, etc.
- EU WG29 may do a year-long study of privacy around Shibboleth

17 US Federations
- InCommon (InQueue)
- State-based: Texas, UCOP, Maryland, etc., for library use, roaming access, payroll and benefits, etc.
- US Gov: Federal eAuthentication Initiative

18 InCommon
- US R&E federation, www.incommonfederation.org
- Members join a 501(c)3
- Addresses legal, LOA, shared-attribute, business-proposition, etc. issues
- Approximately 30 members and growing
- A low percentage of national Shib use…

19 InCommon Membership
- Case Western Reserve University
- Cornell University
- Dartmouth
- Elsevier ScienceDirect
- Georgetown University
- Houston Academy of Medicine - Texas Medical Center Library
- Internet2
- Napster, LLC
- OCLC
- Ohio University
- OhioLink - The Ohio Library & Information Network
- Penn State
- SUNY Buffalo
- The Ohio State University
- The University of Chicago
- University of Alabama at Birmingham
- University of California, Irvine
- University of California, Los Angeles
- University of California, Office of the President
- University of California, San Diego
- University of Rochester
- University of Southern California
- University of Virginia
- University of Washington
- WebAssign

20 Key questions in federations
- It doesn't seem to be about the technology or model anymore: SAML 2.0 is in most IdM vendors' blueprints (except MS); some will ship with Shib profiles embedded
- It is about whether the core IdM systems are open, or proprietary with open APIs
- Can federations happen in the US, or will we be in bilateral hell?
- Can they be multi-application, or should we have library feds (and Elsevier feds) and science feds?

21 Federal eAuthentication
- A federation of US Gov agencies, to provide services to each other and to the general population
- Services to be provisioned include NSF FastLane, National Park research and camping permits, Social Security management, export permits, etc.
- Based on the SAML protocol and Credential Service Providers to businesses and the general public
- http://www.cio.gov/eAuthentication/
- A noble march through the DC political swamps

22 Inter-federation key issues
- Peering, peering, peering: at what size of the globe? (A confederation for Europe?) How do vertical sectors relate? How to relate to a government federation? On what policy issues to peer, and how?
- Legal framework: treaties? indemnification? adjudication?
- How to implement technically: a wide variety of scale issues; WAYF functionality; virtual organization support

23 InCommon E-Auth alignment
- Promote interop for widespread higher-ed access to USG applications: grants process, research support, student loans...
- Process: project started Oct 2004, through July 2006 application trials; implement via the next e-auth and InCommon phases
- Peering of InCommon and EAuth: definition of peering (attribute mappings, LOA, legal alignment, etc.); draft SAML 2.0 eAuthentication Profile; draft USPerson

24 Implications of using campus credentials in federations
- Level of Assurance (LOA) of credentials: Level 1 through Level 4, mapped to the risk assessment of the application
- Many interesting applications are at levels 2-3
- LOA depends on some organizational factors and on: user identity proofing; delivery of the credential to the user; repeated acts of authentication

25 Take-aways for authn
- Single sign-on and federated identity
- Think about several operational paths for identity management, with different types of users being credentialed differently (including two-factor for certain applications), and a user going through several stages of identity proofing
- Documenting policies and practices, with some internal audit processes

26 Take-aways for authz
- Role-based access controls, at both the enterprise and the virtual organization
- Privilege management for audit, compliance, and user scaling
- Local assignment of attributes, evolving to community standards
- Privacy managers at both enterprise and personal levels
- Beware the side effects on network security

27 Leveraging federations
- Inter-institutional trust
- Community attributes and roles
- Privacy and anonymization
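Slide 26's "local assignment of attributes" and "privacy managers" and slide 27's "privacy and anonymization" meet on the IdP side as an attribute release policy: the IdP decides, per relying party, which attributes leave the enterprise, and for most SPs releases only a per-SP pseudonym (eduPersonTargetedID) rather than a name or e-mail address. The following Python is an added example, not code from the presentation or from the Shibboleth project, of such a policy. The user record, the SP entityIDs and the salt are constructed; the pseudonym is an HMAC over the SP's entityID and the local identifier, the same idea as Shibboleth's computed identifier but not its exact construction. The property worth checking is that one user presents a stable identifier to a given SP (so it can keep preferences or authorization state) while identifiers seen by two different SPs cannot be correlated without the IdP's salt.

```python
"""IdP-side attribute release policy with per-SP pseudonymous identifiers (added example)."""
import base64
import hashlib
import hmac

IDP_SCOPE = "example.edu"

# Constructed directory record for one user, as an IdP might hold it.
USER = {
    "uid": "jdoe",
    "displayName": "Jane Doe",
    "mail": "jdoe@example.edu",
    "eduPersonAffiliation": ["member", "faculty"],
    "eduPersonScopedAffiliation": [f"member@{IDP_SCOPE}", f"faculty@{IDP_SCOPE}"],
    "eduPersonEntitlement": ["urn:mace:dir:entitlement:common-lib-terms"],
}

# Secret the IdP keeps to derive pseudonyms. Constructed value; rotating it
# changes every pseudonym, so treat it like a long-lived key.
SALT = b"constructed-example-salt-do-not-reuse"

# Release policy: allowlist of attributes per relying party (hypothetical SP entityIDs).
# A publisher needs an affiliation and an entitlement, never a name; an in-house
# HR system legitimately needs identity. Anything not named here is withheld.
RELEASE_POLICY = {
    "https://publisher.example.com/shibboleth": {
        "eduPersonScopedAffiliation", "eduPersonEntitlement", "eduPersonTargetedID"},
    "https://hr.example.edu/shibboleth": {
        "uid", "displayName", "mail", "eduPersonAffiliation"},
}
# SPs with no specific policy get a pseudonym only: persistent, but anonymous.
DEFAULT_RELEASE = {"eduPersonTargetedID"}


def targeted_id(uid, sp_entity_id, salt=SALT):
    """Per-SP persistent pseudonym: stable for (user, SP), unlinkable across SPs."""
    msg = f"{sp_entity_id}!{uid}".encode("utf-8")
    digest = hmac.new(salt, msg, hashlib.sha256).digest()
    return base64.b64encode(digest).decode("ascii")


def release(user, sp_entity_id, policy=RELEASE_POLICY, salt=SALT):
    """Return the attributes the IdP will place in an assertion for this SP."""
    allowed = policy.get(sp_entity_id, DEFAULT_RELEASE)
    released = {}
    for name in sorted(allowed):
        if name == "eduPersonTargetedID":
            # Derived, not stored: the SP never learns the local uid.
            released[name] = [targeted_id(user["uid"], sp_entity_id, salt)]
        elif name in user:
            value = user[name]
            released[name] = list(value) if isinstance(value, list) else [value]
    return released


if __name__ == "__main__":
    for sp in list(RELEASE_POLICY) + ["https://unknown-sp.example.net/shibboleth"]:
        print(sp, release(USER, sp))
```

Keeping the policy as an allowlist rather than a denylist is what makes the default safe: a newly joined SP gets a pseudonym and nothing else until someone deliberately adds a rule for it.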

28 Uses
- CSI2
- Federated network access and eduroam
- Trust-mediated transparency
- DKIM for spam control, etc.
- DNSSEC discovery
- Desktop firewall management (InfoCard)

29 Some specifics Infocard

