1. Federated Identity Management: Is The State of Texas Ready? Paul Caskey The University of Texas System System-wide Information Services TASSCC 2008 August 12, 2008

2. 2 Agenda Identity Management: The Basics Federating Technologies Benefits of Federation Challenges of Federation Examples of Federations Federations in Texas Federated Applications What Are Others Doing? How Could It Work In Texas? What Will The Future Hold? Next Steps

3. IdM: The Basics Identity Management:  The union of policy, process, governance, and technology surrounding the creation, maintenance, and use of digital identities. Federation:  An organized group of entities who share one or more: –Goals –Applications –Customers –Regulatory environments –Funding sources –Industry 3

4. IdM: The Basics (cont.) Federated Identity Management:  Participating in an organized group of entities who agree to follow shared policies, maintain consistent practices, and trust other participants with respect to the creation, maintenance, and use of digital identities.  Moving away from application or service provider based identity towards institutional or enterprise based identity.  “Authenticate locally, act globally!” 4

5. Institution A Institution B Benefits Compliance Training Administrative Apps Library Grid Computing = Credentialing / Authentication = Authorization = User Credential Traditional Identity Management

6. Federation Institution A Institution B = Credentialing / Authentication= Authorization= User Credential Federated Identity Concept Benefits Compliance Training Library Grid Computing Administrative Apps

7. IdM: The Basics (cont.) What are some of the policies and practices that are important in federated identity management?  Identity verification (vetting)  Credentialing  Password policies  Provisioning  Auditing 7

8. IdM: The Basics (cont.) Examples of policy standards and associated regulation that affect Federated IdM:  US Federal Governement’s eAuthentication Credential Assessment SuiteCredential Assessment Suite –Password Entropy Spreadsheet (assess password policy)Password Entropy Spreadsheet  NIST Special Publication 800-63800-63  The Office of Management and Budget memorandum OMB 04-04 OMB 04-04  US Federal Homeland Security Presidential Directive 12 (HSPD-12)HSPD-12  The European Union’s privacy directive 95/46/EC95/46/EC 8

9. IdM: The Basics (cont.) Examples of policy standards and associated rules and laws that affect Federated IdM (cont):  Code of Federal Regulations 21, part 11part 11  HIPAA HIPAA  FERPA (Education only) FERPA  Sarbanes-Oxley (SOX)SOX  Graham-Leach-Bliley (GLB)GLB  Texas: TAC 202, TBCC - Title 11: Personal Identity InformationTAC 202TBCC - Title 11 9

10. Federating Technologies Security Assertion Markup Language (SAML) – a standard developed and ratified by OASIS, an international non-profit standards organization. WS-Federation – a specification developed by IBM, Microsoft, BEA (and others); OASIS now has a technical committee tasked with standardizing WS-Fed. Liberty Identity Federation Framework (ID-FF) – has now been integrated into the SAML 2.0 standard. OpenID – a user-centric distributed web-SSO technology, generally more lightweight and less-focused around communities of trust than SAML. 10

11. Federating Technologies (cont.) SAML is the most robust, is mature, is internationally standardized, and has a large user base. (demo) Most available software supports multiple protocols. Commercial: Sun, IBM/Tivoli, Oracle, Novell, Ping Identity Open-source: Shibboleth (from Internet2)Shibboleth Here’s some comparisons of SAML to WS-Fed:  Sun Blog 1 Sun Blog 1  Sun Blog 2 (more in-depth) Sun Blog 2 11

12. Benefits of Federation Share Resources (training systems) Collaborate (wikis) Lower costs (no application-based IdM) Increase security / Improve the user experience (fewer usernames/passwords) 12

13. Challenges of Federation Deploying new infrastructure is hard  The infrastructure must be there before gains can be realized, which makes justification a challenge. Policy development can take considerable time. Trust can be difficult to achieve.  Good policy and governance helps (“trust but verify”) Making it ubiquitous across entities of varying size is a challenge.  Many times, it is the smaller organizations that can benefit most. 13

14. Examples of Government- Funded Federations National  US: The Federal Government’s eAuthentication initiative (www.cio.gov/eauthentication)www.cio.gov/eauthentication  US: The InCommon Federation (www.incommonfederation.org)www.incommonfederation.org  Sweden (www.swamid.se)www.swamid.se  Denmark (www.dk-aai.dk)www.dk-aai.dk  UK (www.ukfederation.org - 5 million + users)www.ukfederation.org  China (CARSI - shibboleth.edu.cn)shibboleth.edu.cn  France (federation.cru.fr)federation.cru.fr 14

15. Examples of Government- Funded Federations (cont.) National: (cont)  Germany (www.dfn.de)www.dfn.de  The Netherlands (federatie.surfnet.nl)federatie.surfnet.nl  Norway (www.feide.no)www.feide.no  Finland (www.csc.fi)www.csc.fi  Belgium (shib.kuleuven.be)shib.kuleuven.be  Australia (www.federation.org.au)www.federation.org.au  Switzerland (www.switch.ch)www.switch.ch 15

16. Examples of Other Federations: Medical Disaster Management: Project Sentinel (http://sentinel.georgetown.edu/)http://sentinel.georgetown.edu/ Cancer Research: caBIG (https://cabig.nci.nih.gov/)https://cabig.nci.nih.gov/ State-based:  North-Carolina (MCNC Project Page)MCNC Project Page  Texas: Lone Education and Research Network (LEARN) https://eco.tx-learn.net/ (more later)https://eco.tx-learn.net/ 16

17. Federation in Texas The University of Texas System Federation  Participants include only U.T. System institutions and “sponsored affiliates”.  Serves a constituency of 190,000 students and 80,000 employees  First federated application in 2004, official production status on 9/1/2006  Focus has been on business applications  40+ applications in use, including 4 (and counting) commercial products/services 17

18. Federation in Texas (cont.) The Lonestar Education and Research Network (LEARN) Federation  Participation is open to LEARN members and sponsored affiliates  In pilot operation as of spring 2008  Policy work underway  Governing board is being formed  One application in use (more under development) 18

19. Current Federated Applications Microsoft DreamSpark (LEARN Federation) Forensics Assessment Center Network (UT/LEARN) MobileCampus.com Cayuse Adobe Connect (compliance training) Blackboard (course management) MediaWiki Federated Wireless LegalTracking Risk Management (ISAAC) Financial Reporting Project Reporting Federated Sharepoint (in development) 19

20. What Are Others Doing? A quick google search turned up mentions of Federated Identity Management in a surprising number of states:  California –Federated IdM: The Blueprint (PPT)Federated IdM: The Blueprint (PPT)  New York –https://www.oft.state.ny.us/Policy/G07-001/ (trust model)https://www.oft.state.ny.us/Policy/G07-001/ –https://www.oft.state.ny.us/oft/IAM.htm (IAM)https://www.oft.state.ny.us/oft/IAM.htm  Washington –http://dis.wa.gov/enterprise/enterprisearch/identitymgmtInitiativ eCharter.doc (planning doc)http://dis.wa.gov/enterprise/enterprisearch/identitymgmtInitiativ eCharter.doc 20

21. What Are Others Doing? (cont.) States that are discussing Federated IdM (cont.):  New Jersey –http://www.state.nj.us/it/ps/it_architecture.pdfhttp://www.state.nj.us/it/ps/it_architecture.pdf  Nevada –http://www.nitoc.nv.gov/ARCH/arcdocs/2005/EAC- Minutes-2005-09-20.doc (older doc)http://www.nitoc.nv.gov/ARCH/arcdocs/2005/EAC- Minutes-2005-09-20.doc  Wisconsin –IdM OverviewIdM Overview 21

22. What Are Others Doing? (cont.) States that are discussing Federated IdM (cont.):  Nebraska –http://www.nitc.state.ne.us/events/conferences/egov/2004/files/ 345_UserAuthentication_Hartman-FedID.ppthttp://www.nitc.state.ne.us/events/conferences/egov/2004/files/ 345_UserAuthentication_Hartman-FedID.ppt  And, last, but most certainly not least, TEXAS –http://www.dir.state.tx.us/pubs/UserAccess/UserAccessStudy.p df (DIR’s user access study from 2006)http://www.dir.state.tx.us/pubs/UserAccess/UserAccessStudy.p df –http://architecture.hhsc.state.tx.us/myweb/Documents%20page /identityManagement.doc (HHS)http://architecture.hhsc.state.tx.us/myweb/Documents%20page /identityManagement.doc 22

23. How Could It Work in Texas? There are countless agency-to-agency applications  A variety DIR reporting apps (security, projects, etc)  Pediatric forensics (FACN)  Educational support (K-12)  Transportation (TxDOT)  Law enforcement The 800 pound elephant in this space is, of course, TexasOnline (government-to-citizen)  Who is the identity provider for Joe Citizen? 23

24. The Future? Standards convergence (SAML, WS-Fed, OpenID) Interfederation  Building trust paths between federations  In certain cases, the legal issues can be daunting (especially on an international basis) More public Identity Providers (yahoo, google)  ProtectNetwork.org already serves this purpose worldwide and basic accounts are free. Cardspace/Infocard 24

25. Next Steps for Texas To pursue a Federated Identity Management approach, Texas should:  Establish an IdM governance framework  Define IdM policies/best-practices (this takes considerable time)  Identify a few low-risk, limited audience applications  Begin pilot operations with those who are ready  Make arrangements for smaller agencies to use externally-hosted identity providers (like ProtectNetwork.org) 25

26. So, Is the state of Texas ready for Federated identity Management?  The technology is available, secure, robust, reliable, and mature.  Policy frameworks exist.  Governance models can be established.  Expertise is available.  External services are ready.  The benefits are clear and significant. We're only waiting on us! 26

27. Thank You! Paul Caskey (pcaskey@utsystem.edu) The University of Texas System System-wide Information Services