Presentation is loading. Please wait.

Presentation is loading. Please wait.

InCommon as Infrastructure: How Recommended Practices and Federation Features Help Scale Federated Identity Management Michael R. Gettes, Carnegie Mellon.

Published byGrant Williamson Modified over 8 years ago

Similar presentations

Presentation on theme: "InCommon as Infrastructure: How Recommended Practices and Federation Features Help Scale Federated Identity Management Michael R. Gettes, Carnegie Mellon."— Presentation transcript:

1 InCommon as Infrastructure: How Recommended Practices and Federation Features Help Scale Federated Identity Management Michael R. Gettes, Carnegie Mellon University Renee Shuey, The Pennsylvania State University Internet2 Member Meeting, October 1, 2012

2 RL “Bob” Morgan

3 Current/Active Practices and Federation Features Emerging Practices, trends and ideas Future issues

4 Current/Active Practices Assurance – Bronze/Silver Contracts Attribute Release – Easing integration – Categories Metadata – Timely data – Keys, endpoints & tigers, oh my! eduPerson Schema

5 Assurance Virginia Tech has achieved Bronze & Silver! Many institutions currently working towards Bronze & Silver If Silver is too soon for you – consider Bronze! POP vs. Bronze www.incommon.org/assurance

6 Contracts University of California and University of Texas language at www.incommon.org/working_sp.html Carnegie Mellon and Penn State specify software interoperability (work with Shib IdP, not just specify SAML) and require joining InCommon. Of course, not everyone joins. Language varies.

7 Attribute Release Develop a simple default attribute release policy with maximal coverage (CMU policy next slide). InCommon is creating categories of services to help IdP and SP operators determine attribute requirements. – Research & Scholarship Category https://spaces.internet2.edu/x/-IKVAQ

8 Carnegie Mellon Attribute Release

9 Attribute Release While a security principal is supposed to be just a security principal – with cloud integrations we see more usage of email addresses as principals – this is unfortunate. Having eduPersonPrincipalName (ePPN) happen to be a working, reliable email address eases cloud integrations Ensuring ePPN to be non-reassigned also eases cloud integrations. Use eduPersonTargetedID where possible.

10 Metadata Until metadata is no longer distributed via files… Describes all Fed Entities (Identity & Service Providers) Timely metadata update is important! Pay attention to strong keys (2048 keys) in MD Quickly moving to all endpoints via SSL (don’t forget the InCommon Certificate Service!!!) MD is transforming to provide UI hints, error handling & other benefits effecting operations and user experience. GOOD METADATA IS IMPORTANT!

11 Metadata Growth Fed Software developers and Federation Operators need to begin addressing this problem space. since SMM-2012 IdPs, 14% growth SPs, 13% growth

12 eduPerson Schema eduPerson started as an LDAP schema but its practicality has exceeded LDAP. Now used as lingua-franca for R&E app integrations. Pay close attention to this schema to aid with attribute release issues and ease application integrations. Consider referencing of eduPerson schema in contracts

13 Emerging Practices and Tools Repository of software and pointers to tools Federated Error Handling Federated Security Incident Response Delegated Admin for InCommon

14 Repository InCommon Ops committing to GITHUB soon: – SAML2JSON translator – Smart Web User Agent (smart_get) – SAML Metadata Cert Parser – SAML Entity Probe – SAML2AttributeFilterPolicy XSLT script for R&S Web page coming. Community contributions encouraged.

15 Federated Error Handling Guidance at https://spaces.internet2.edu/x/xa6KAQ 3 sites in R&S already using FEH – (PSU wikispaces, OSU carmenwiki, i2 filesender) Did you know there is FEH service? https://spaces.internet2.edu/x/kJOVAQ https://ds.incommon.org/FEH/

16 FEH Service Example

17 Federated Security Incident Response See https://spaces.internet2.edu/x/8o6KAQ Origins from CIC Id Mgmt Task Force Federated identity introduces new challenges for security incident response. Federation participants should consider the impact of federated identity in their incident response practices and treat federated identity partners impacted by a security incident in a similar manner as they would local parties.

18 Delegated Admin for InCommon Metadata mgmt needs to scale. DA is critical to make this possible. Distribute the mgmt for MDUI, LoA, descriptive info per SP, Federated Error Handling. Easily allows InCommon as local federation Supports federated access, of course. http://www.incommon.org/v/da_demo/

19 CMU – Profile Spring 2011: deployed IdP, begin using InCommon as local federation. Summer 2011: Default attribute release policy Fall 2012: 117 SPs, 2 IdPs. > 75% all authNs now federated. 150 old pubcookie sites to go. Up take was fairly quick. Will decommit pubcookie summer 2013. Sept 2012: > 1M SSO events – google analytics

20

21 In Summary The more successful is InCommon, the greater the benefit of InCommon to all of us. – Knowing other participants operate well increases the trust among us. – We must express how we operate (metadata) We need to share our methods, tools and policies so we may help/learn from our selves. So why don’t we all put our SPs into InCommon?

Download ppt "InCommon as Infrastructure: How Recommended Practices and Federation Features Help Scale Federated Identity Management Michael R. Gettes, Carnegie Mellon."

Similar presentations

© 2012 Open Grid Forum Simplifying Inter-Clouds October 10, 2012 Hyatt Regency Hotel Chicago, Illinois, USA.

© 2012 Open Grid Forum Simplifying Inter-Clouds October 10, 2012 Hyatt Regency Hotel Chicago, Illinois, USA.
CLARIN AAI, Web Services Security Requirements

CLARIN AAI, Web Services Security Requirements
EduPerson and Federated K-12 Activities InCommon/Quilts Pilot Group February 27, 2014 Keith Hazelton UW-Madison, InCommon/I2.

EduPerson and Federated K-12 Activities InCommon/Quilts Pilot Group February 27, 2014 Keith Hazelton UW-Madison, InCommon/I2.
Information Resources and Communications University of California, Office of the President UCTrust David Walker Office of the President University of California.

Information Resources and Communications University of California, Office of the President UCTrust David Walker Office of the President University of California.
US E-authentication and the Culture of Compliance RL “Bob” Morgan University of Washington CAMP, June 2005.

US E-authentication and the Culture of Compliance RL “Bob” Morgan University of Washington CAMP, June 2005.
1 Issues in federated identity management Sandy Shaw EDINA IASSIST 24-27 May 2005, Edinburgh.

1 Issues in federated identity management Sandy Shaw EDINA IASSIST May 2005, Edinburgh.
Beispielbild Shibboleth, a potential security framework for EDIT Lutz Suhrbier AG Netzbasierte Informationssysteme (http://www.ag-nbi.de)http://www.ag-nbi.de.

Beispielbild Shibboleth, a potential security framework for EDIT Lutz Suhrbier AG Netzbasierte Informationssysteme (
Federated Identity, Levels of Assurance, and the InCommon Silver Certification Jim Green Identity Management Academic Technology Services © Michigan State.

Federated Identity, Levels of Assurance, and the InCommon Silver Certification Jim Green Identity Management Academic Technology Services © Michigan State.
Federated Identity for Scientific Collaborations: Policy Issues Jim Basney 2 nd Workshop on Federated Identity Systems for Scientific.

Federated Identity for Scientific Collaborations: Policy Issues Jim Basney 2 nd Workshop on Federated Identity Systems for Scientific.
WebFTS as a first WLCG/HEP FIM pilot

WebFTS as a first WLCG/HEP FIM pilot
REFEDS RESEARCH AND EDUCATION (R&S) ENTITY CATEGORY NICOLE HARRIS.

REFEDS RESEARCH AND EDUCATION (R&S) ENTITY CATEGORY NICOLE HARRIS.
Presenter’s Name InCommon Approximately 80 members and growing steadily More than two million “users” Most of the major research institutions (MIT joining.

Presenter’s Name InCommon Approximately 80 members and growing steadily More than two million “users” Most of the major research institutions (MIT joining.
Shibboleth and InCommon Copyright Texas A&M University 2008. This work is the intellectual property of the author. Permission is granted for this material.

Shibboleth and InCommon Copyright Texas A&M University This work is the intellectual property of the author. Permission is granted for this material.
SWITCHaai Team Federated Identity Management.

SWITCHaai Team Federated Identity Management.
Shibboleth-intro-dec051 Shibboleth A Technical Overview Tom Scavo NCSA.

Shibboleth-intro-dec051 Shibboleth A Technical Overview Tom Scavo NCSA.
InCommon Forum Fall 2012 Internet2 Member Meeting Wednesday, October 3, 2012 1.

InCommon Forum Fall 2012 Internet2 Member Meeting Wednesday, October 3,
InCommon Michigan State Common Solutions Group, January 2011 Matt Kolb

InCommon Michigan State Common Solutions Group, January 2011 Matt Kolb
Cloud Security Myths, Legends and Reality Cloud Security Paul Schopis CTO OARnet Joint Techs.

Cloud Security Myths, Legends and Reality Cloud Security Paul Schopis CTO OARnet Joint Techs.
The InCommon Federation The U.S. Access and Identity Management Federation www.incommon.org.

The InCommon Federation The U.S. Access and Identity Management Federation
Interfederation RL “Bob” Morgan University of Washington and Internet2 Digital ID World 2005 San Francisco.

Interfederation RL “Bob” Morgan University of Washington and Internet2 Digital ID World 2005 San Francisco.

Similar presentations

Ads by Google