Identity Management Practical Issues Associated with Sharing Federated Services UT System Identity Management Federation William A. Weems The University.


1 Identity Management: Practical Issues Associated with Sharing Federated Services
UT System Identity Management Federation
William A. Weems, The University of Texas Health Science Center at Houston

2 What is the Collaborative Goal?
Make the sharing of restricted resources within an organization and across organizational boundaries as transparent to users as accessing public Web pages!

3 Ideally, each individual would like a single digital credential that can be used securely to authenticate his or her identity whenever authentication of identity is required to secure a transaction.

4 A Federated Credential
Allows a person to use her federated identity credential for single sign-on access to restricted service applications provided by federation members for which she has privileges.

5 Ideally, a digital credential must:
–positively identify a person,
–include the person’s permanent identifier,
–positively identify the certifying authority, i.e. the identity provider (IdP),
–be presentable only by the person it authenticates,
–be tamper proof, and
–be accepted by all systems.

6 What is Identity? Two Categories of Identity
Physical Identity – Assigned Identifier – Authentication
–Facial picture
–Fingerprints
–DNA sample
Identity Attributes – Authorization Attributes
–Common name,
–Address,
–Institutional affiliations, e.g. faculty, student, staff, contractor,
–Specific group memberships,
–Roles,
–Entitlements for specific services,
–Etc.

7 Identity Provider (IdP) uth.tmc.edu
[Diagram of the IdP’s identity vetting and credentialing flow; labels: Person; IdP Obtains Physical Characteristics; Identity Vetting & Credentialing; Assigns Everlasting Identifier; Identifier Permanently Bound; Permanent Identity Database; Issues Digital Credential; Digital Credential; Person Only Activation]

8 UTHSC-H Identity Management System
[Architecture diagram; labels: source systems HRMS, SIS, GMEIS, Guest, MSUTP, INDIS, OAC7, OAC47; Identity Reconciliation & Provisioning Processes; Person Registry; Authoritative Enterprise Directories; Secondary Directories (Sync); Authentication Service; Authorization Service; User Administration Tools (Change Password, Attribute Management)]

9 Federal E-Authentication Initiative http://www.cio.gov/eauthentication/
Levels of assurance (different requirements):
–Level 1 – e.g. no identity vetting
–Level 2 – e.g. specific identity vetting requirements
–Level 3 – e.g. cryptographic tokens required
–Level 4 – e.g. cryptographic hard tokens required
Credential Assessment Framework Suite (CAF)

10 Federated Services: Identity Providers (IdP) & Resource Providers (RP)
[Diagram; labels: Identity Providers (IdP) uth.tmc.edu, utsystem.edu, bcm.edu, mdanderson.org, utmb.edu; Resource Providers (RP) library.tmc.edu, Blackboard (uth.tmc.edu), GMEIS (uth.tmc.edu); Federation Assertion Service, e.g. UT System Fed; Public Key Infrastructure]

11 The University of Texas System
Homogeneous:
–Share a common mission
–Same governance body and consistent governance policies
–Same legal requirements
And also diverse:
–Significant differences in size and budgets
–Significant differences in culture
–Institutions enjoy considerable autonomy
16 “stovepipes”: 16 institutions – 9 general academic institutions, 6 health institutions, 1 System Administration

12 The University of Texas System Identity Management Federation
Foundation Documents https://idm.utsystem.edu/utfed/
–Federation Charter
–Membership Agreement
–Operating Practices and Procedures
–Membership Operating Practices
–Service Fee Schedule
–System Federation Common Identity Attributes


17 Person Cannot Log In to Their IdP Authentication Service
Potential problems:
–The person does not know which password is being requested. The login page must state which service is requesting the username/password pair (e.g. UTEID in the previous example), and it must describe a help resource.
–The person typed the password incorrectly. The person is told that “Authentication Failed” and to re-enter his password.

18 Person Authenticated But Unauthorized
Potential problems:
–A statement only that “You Are Not Authorized” leaves an individual from another institution in the dark. Who should the person contact?
–Someone at their home institution?
–Someone at the service provider institution?
Solution:
–The error page should provide guidance. For example, if the service is a Blackboard LMS, a statement like “Contact the course instructor, organizational leader or appropriate registrar’s office to receive authorization for access.”

19 Multiple New Processes and Procedures to be Worked Through
How are courses provisioned?
–Manually: the BB administrator adds names and EPPNs (i.e. NetIDs) to the appropriate courses from lists provided by the sources of authority (SOAs) at the relying institutions?
–Automatically: service provider applications (e.g. Blackboard) obtain authorization attributes from the IdP’s attribute authority and provision the BB courses with the appropriate student information?
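As an added example that is not part of the presentation: a relying-party (RP) authorization check for a federated Blackboard-style course that replaces a bare “You Are Not Authorized” with the contact guidance slide 18 asks for, plus the slide 19 “automatic” provisioning path built from attributes the IdP’s attribute authority asserts. The roster, the EPPN values and the entitlement URN format are constructed/hypothetical; the IdP scopes are the ones named on slide 10.

```python
"""Added example, not from the slides: RP-side authorization for a federated
course, with slide 18 style denial guidance and slide 19 attribute-driven
provisioning. Roster, EPPNs and the entitlement URN format are hypothetical."""
from dataclasses import dataclass, field

SP_HOST = "uth.tmc.edu"          # institution hosting the Blackboard RP
# Constructed roster for the "manual" path: EPPNs supplied by the SOAs.
ROSTER = {"bio101": {"jdoe@uth.tmc.edu", "asmith@utmb.edu"}}


def course_entitlement(course: str) -> str:
    """Hypothetical entitlement URN an IdP would assert for a course."""
    return f"urn:mace:{SP_HOST}:bb:course:{course}"


@dataclass
class Assertion:
    """Attributes released by a federated IdP after authentication."""
    eppn: str                                   # scoped: user@home-idp
    affiliation: set = field(default_factory=set)
    entitlement: set = field(default_factory=set)


def idp_scope(eppn: str) -> str:
    """Home IdP (scope) of a scoped EPPN, or '' if the EPPN is unscoped."""
    return eppn.rsplit("@", 1)[1] if "@" in eppn else ""


def authorize(course: str, a: Assertion) -> dict:
    """Decide access and, on denial, say whom to contact (slide 18)."""
    scope = idp_scope(a.eppn)
    if not scope:  # cannot tell which institution vouched for the user
        return {"ok": False, "reason": "unscoped-eppn",
                "contact": "the help desk of the IdP you logged in to"}
    if a.eppn in ROSTER.get(course, set()) or course_entitlement(course) in a.entitlement:
        return {"ok": True, "reason": "authorized", "contact": ""}
    # Authenticated but unauthorized: name both parties the person could ask.
    contact = (f"the course instructor or organizational leader at {SP_HOST}, "
               f"or the registrar's office at your home institution ({scope})")
    return {"ok": False, "reason": "not-enrolled", "contact": contact}


def provision_from_attributes(course: str, assertions: list) -> set:
    """Slide 19 'automatic' path: build the roster from asserted entitlements."""
    want = course_entitlement(course)
    return {a.eppn for a in assertions
            if idp_scope(a.eppn) and want in a.entitlement}
```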

