Observations The phases of Internet-scale invention and the role of market-makers Skill sets for the new world order and nurturing its seed corn in common.

Observations
  - The phases of Internet-scale invention and the role of market-makers
  - Skill sets for the new world order and nurturing its seed corn in common
  http://www.thebricktestament.com/judges/42000_ephraimites_killed/jg12_05-06.html

Next Year at CAMP

The things we didn’t get to this year at CAMP
  - Archery
  - Braiding lanyards
  - Head lice

For next year’s camp
  - The new newbies
  - The Enterprise Frontiers: framing the new world order for stakeholders; Bronze and Silver; signing; roles; auditors
  - The User Experience: discovery; uApprove, privacy managers and informed consent; collaboration management
  - New Technologies and their Implications: access control and domestication; interfederation; non-web applications; the Attribute Ecosystem

The new newbies
  - It’s still early in the federation roll-out: from early adopters to early majority
  - It’s still early in the application adoption phase
  - We’ll see more outsourcing of identity operations, more variety of software used, etc.
  - Adjacent verticals: K-12, medical centers, financials

Talking the Enterprise Walk
  - Framing discussions with stakeholders
  - Bronze and Silver
  - Certificates and Signing
  - Roles
  - Auditors

Framing the discussions with stakeholders
  - A common model and vocabulary
  - A handle on risk assessment
  - A handle on attributes and access control
  - The art of shaping the technology to fit the policy

A Common Vocabulary
  - Identity and identifiers
  - “Credentials”
  - Acts of authentication
  - Acts of identity proofing
  - Services
  - Sources of authority: provide definitive attribute values to identities; may have a delegated authority

A Handle on Risk Assessment
  - NIST guidelines on risk assessment: somewhat dated, somewhat abstract, somewhat not relevant
  - App owners tend to overestimate risk; users tend to underestimate it
  - Weak-link applications can expose data, if not credentials

Attributes and access control
  - Getting stakeholders to think of themselves in specific roles: as sources of authority, as vetters of identity
  - The emergence of roles for scaling
  - The limits of gestalt semantics and the “value” of regulation

The art of “teching” a policy
  - Policy is soft; code is hard
  - Forcing the policy discussions
  - Where to store attributes: at the SoA, at the IdP or at the RP
  - Where to authorize: at the IdP (compute an entitlement) or at the RP (pass attributes)
  - Who should issue credentials versus issue attributes
  - Identity linking/crosswalking: strategies and exposures

InCommon Bronze and Silver
  - Revisions as time goes by, particularly in privacy
  - Gold: the apps? the technical options (certs, SMS as a second factor, others)

Certificate Services
  - National, flexible arrangement with Comodo, a commercial CA in all web browsers
  - Unlimited SSL and personal certs for a flat fee, based on the size of the institution or system; typically saves a campus 30-50%
  - Limited to .edu affiliated; requires InCommon membership
  - The personal certs are the prize in the crackerjack box
  - SSL certs save significant money and allow campus security to be improved
  - Personal certs introduce powerful capabilities for signed docs/email and two-factor authentication

Signing
  - A long-term Holy Grail
  - Signing email and docs; not encryption, because of the key escrow issues
  - A lot easier than it was: better clients, rooted certs, federation to leverage, revocation processes
  - Still really hard: enterprise deployment issues, LOA, including attributes and roles

New InCommon Initiative in Signing
  - Several phases
  - Enterprise deployment issues: clients, mobility, desktop, discovery, LOA
  - Innovation: inter-institutional, signing roles and attributes
  - Business leveraging: working with the verticals (registrars, financial offices, legal, etc.)
  - Campus-driven with I2 flywheels and collab support services; watch incommon-participants for info
  - International and other verticals coordination

Roles
  - The key ingredient to scaling, to inter-realm work, to audit and compliance
  - Roles are mostly roll-ups of permission sets, with qualifiers, pre-requisites, etc.
  - Roles are mostly group information but…
  - Regulation or federation can help define roles
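The two slides above (where to authorize, and roles as roll-ups of permission sets with qualifiers and pre-requisites) are easier to reason about with both options side by side. The following is an added example, not code from the slides or from Internet2/InCommon: the role catalogue, the group names and the entitlement URN prefix are constructed for illustration; only the eduPerson attribute names are the real ones. Option 1 computes the entitlement at the IdP and releases nothing else; option 2 passes attributes and lets the RP evaluate the same catalogue.

```python
"""Roles as roll-ups of permission sets, evaluated either at the IdP (as an
entitlement) or at the RP (from raw attributes).

Added example; not code from the slides, Internet2 or InCommon. The role
catalogue, the group names and the entitlement URN prefix are constructed.
Attribute names are the standard eduPerson ones.
"""
from dataclasses import dataclass


@dataclass(frozen=True)
class Role:
    name: str
    permissions: frozenset                    # the permission set this role rolls up
    requires: frozenset = frozenset()         # pre-requisite roles
    affiliations: frozenset = frozenset()     # qualifying eduPersonAffiliation values


# Constructed catalogue; in practice this comes from the source of authority.
ROLES = {
    "wiki-editor": Role("wiki-editor",
                        frozenset({"wiki:read", "wiki:write"}),
                        affiliations=frozenset({"member"})),
    "instrument-operator": Role("instrument-operator",
                                frozenset({"wiki:read", "instrument:schedule"}),
                                requires=frozenset({"wiki-editor"}),
                                affiliations=frozenset({"faculty", "staff"})),
}
ENTITLEMENT_PREFIX = "urn:mace:example.edu:entitlement:"   # hypothetical namespace


def resolve_roles(attrs: dict, groups: set) -> set:
    """Roles a user holds. Roles are mostly group information, but the group
    alone is not enough: the affiliation qualifier and every pre-requisite
    role must also hold. Iterates until the pre-requisite closure settles."""
    affiliations = set(attrs.get("eduPersonAffiliation", []))
    held = set()
    changed = True
    while changed:
        changed = False
        for role in ROLES.values():
            if role.name in held or role.name not in groups:
                continue
            if role.affiliations and not (role.affiliations & affiliations):
                continue
            if not role.requires <= held:
                continue
            held.add(role.name)
            changed = True
    return held


def permissions_for(roles: set) -> set:
    return set().union(*(ROLES[r].permissions for r in roles if r in ROLES))


# Option 1: authorize at the IdP. It computes the roll-up and releases only
# eduPersonEntitlement values; group and affiliation data stay home.
def idp_entitlements(attrs: dict, groups: set) -> list:
    return sorted(ENTITLEMENT_PREFIX + r for r in resolve_roles(attrs, groups))


def rp_check_entitlement(assertion_attrs: dict, permission: str) -> bool:
    """RP side of option 1: trust the IdP's roll-up, ignore foreign URNs."""
    roles = {v[len(ENTITLEMENT_PREFIX):]
             for v in assertion_attrs.get("eduPersonEntitlement", [])
             if v.startswith(ENTITLEMENT_PREFIX)}
    return permission in permissions_for(roles)


# Option 2: authorize at the RP. The IdP passes attributes and group data,
# and the RP evaluates the same catalogue itself.
def rp_check_attributes(assertion_attrs: dict, groups: set, permission: str) -> bool:
    return permission in permissions_for(resolve_roles(assertion_attrs, groups))
```

The trade-off the slide points at shows up in the signatures: option 1 releases one opaque attribute and keeps the catalogue at the source of authority, while option 2 requires the RP to see affiliation and group data and to keep its copy of the catalogue in sync with the IdP's.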

Auditors
  - How much auditing: Kantara and reality (http://kantarainitiative.org/)
  - Institutional leverage to get engagement
  - Finding the righteous auditors and training the rest
  - Visibility of audit results

Talking User Experience
  - Discovery
  - Privacy Managers
  - Collaboration Management

Discovery
  - The process of directing an unauthenticated user back to an organization to be authenticated (happens at new browser launch, not at new window, etc.); already authenticated users are taken directly to the resource
  - A non-scalable aspect, especially as the number of federations and IdPs grows exponentially
  - An issue to be addressed by an SP
  - Today done by the federation WAYF; users can set cookies to default to an IdP, good for up to a year
  - The future is much better: see https://spaces.internet2.edu/display/SHIB2/DSRoadmap
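The "remember my IdP for up to a year" part of discovery is the piece an SP operator actually has to get right, so here is an added example of the decision logic; it is not code from the slides or from Shibboleth. The cookie layout follows the SAML 2.0 IdP Discovery profile common-domain cookie as I know it (a space-separated list of base64-encoded entityIDs, most recent last); the metadata tables, entityIDs and URLs are constructed. The two checks a practitioner wants are included: a remembered entityID is honoured only if it is still in current metadata, and the return URL is validated against the SP's registered endpoint so the discovery service cannot be used as an open redirector.

```python
"""Discovery: send an unauthenticated user to the right IdP, skipping the WAYF
when a remembered choice is still valid.

Added example, not code from the slides or Shibboleth. Cookie layout follows
the SAML 2.0 IdP Discovery profile common-domain cookie as I know it; the
metadata tables below are constructed stand-ins for an aggregate.
"""
import base64
from urllib.parse import urlencode

COOKIE_NAME = "_saml_idp"
COOKIE_MAX_AGE = 365 * 24 * 3600   # "good for up to a year"

# Constructed: entityID -> SSO endpoint, as read from current IdP metadata.
IDP_METADATA = {
    "https://idp.example.edu/idp/shibboleth": "https://idp.example.edu/idp/profile/SAML2/Redirect/SSO",
    "https://login.other.edu/saml": "https://login.other.edu/saml/sso",
}
# Constructed: SP entityID -> return URLs registered in its metadata. A real DS
# matches the 'return' parameter against the SP's DiscoveryResponse endpoints.
SP_RETURN_URLS = {
    "https://sp.example.org/shibboleth": {"https://sp.example.org/Shibboleth.sso/Login"},
}


def parse_cookie(value: str) -> list:
    """Decode the common-domain cookie into entityIDs, most recent last.
    Malformed tokens are dropped: the cookie is client-controlled input."""
    ids = []
    for tok in value.split():
        try:
            ids.append(base64.b64decode(tok, validate=True).decode("utf-8"))
        except (ValueError, UnicodeDecodeError):
            continue
    return ids


def build_cookie(previous: str, entity_id: str) -> str:
    """Append the chosen IdP (de-duplicated) so it becomes the most recent."""
    ids = [i for i in parse_cookie(previous) if i != entity_id] + [entity_id]
    return " ".join(base64.b64encode(i.encode("utf-8")).decode("ascii") for i in ids)


def discover(cookie_value: str, sp_entity_id: str, return_url: str) -> dict:
    """Decide where an unauthenticated user goes next.
    Returns a redirect back to the SP with the remembered entityID, or a
    'wayf' result listing the IdPs to choose from."""
    if return_url not in SP_RETURN_URLS.get(sp_entity_id, ()):
        raise ValueError("return URL not registered in SP metadata (open-redirect guard)")
    for entity_id in reversed(parse_cookie(cookie_value)):
        if entity_id in IDP_METADATA:          # stale/unknown IdPs fall through to the WAYF
            sep = "&" if "?" in return_url else "?"
            return {"action": "redirect",
                    "url": return_url + sep + urlencode({"entityID": entity_id})}
    return {"action": "wayf", "choices": sorted(IDP_METADATA)}
```

When the user does pick from the chooser, the DS sets `_saml_idp` on the common domain with `build_cookie(old_value, chosen)` and `COOKIE_MAX_AGE`, and the next visit short-circuits straight to the redirect.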

Privacy managers
  - Translating geek to English
  - Translating English into other languages
  - Bundles of commonly used attributes: the collab package (eppn + display name); the privacy package (epTId + nickname); ??
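What makes the privacy package private is the targeted ID: the SP gets a stable handle for the user that differs at every other SP. The following added example (not code from the slides, uApprove or Shibboleth) implements the two bundles named on the slide, a consent filter in the spirit of uApprove, and a pairwise identifier derived as an HMAC over (user, SP), which is the common way eduPersonTargetedID values are generated. The SP-to-bundle table, the user record and the salt are constructed.

```python
"""Attribute bundles for a privacy manager, with a pairwise targeted ID.

Added example, not code from the slides, uApprove or Shibboleth. The bundle
names follow the slide; SP assignments, the user record and the salt are
constructed. The per-SP pseudonym is an HMAC over (user, SP entityID), which
is how eduPersonTargetedID is commonly computed.
"""
import base64
import hashlib
import hmac

# The slide's two bundles, as eduPerson/inetOrgPerson attribute names.
BUNDLES = {
    "collab":  ("eduPersonPrincipalName", "displayName"),
    "privacy": ("eduPersonTargetedID", "nickname"),
}
# Which bundle each SP is entitled to ask for (constructed entries).
SP_BUNDLE = {
    "https://wiki.example.org/sp": "collab",
    "https://survey.example.net/sp": "privacy",
}
SALT = b"constructed-salt-keep-secret-and-stable"   # hypothetical IdP secret


def targeted_id(user_id: str, sp_entity_id: str, salt: bytes = SALT) -> str:
    """Pairwise opaque identifier: stable for one (user, SP) pair, different
    at every other SP, so two SPs cannot correlate users by comparing it.
    The salt must stay secret (else the mapping is reversible by brute force)
    and stable (else every user's identifier changes)."""
    msg = f"{user_id}!{sp_entity_id}".encode("utf-8")
    return base64.b64encode(hmac.new(salt, msg, hashlib.sha256).digest()).decode("ascii")


def release(user: dict, sp_entity_id: str, consent: set = None) -> dict:
    """Attributes to put in the assertion for this SP. An SP not in the table
    gets nothing; an attribute the user withheld in the consent UI is dropped."""
    bundle = SP_BUNDLE.get(sp_entity_id)
    if bundle is None:
        return {}
    released = {}
    for attr in BUNDLES[bundle]:
        if consent is not None and attr not in consent:
            continue
        if attr == "eduPersonTargetedID":
            released[attr] = targeted_id(user["uid"], sp_entity_id)
        elif attr in user:
            released[attr] = user[attr]
    return released


def explain(bundle: str) -> str:
    """Geek to English, for the consent screen."""
    text = {
        "eduPersonPrincipalName": "your login name at this institution (looks like jdoe@example.edu)",
        "displayName": "your full name as listed in the directory",
        "eduPersonTargetedID": "a random-looking code that identifies you only to this one service",
        "nickname": "the name you asked to be called",
    }
    return "; ".join(f"{attr}: {text[attr]}" for attr in BUNDLES[bundle])
```

The consent screen would show `explain(bundle)` and feed the user's choices back as the `consent` set; anything not consented is never placed in the assertion, rather than being filtered afterwards by the SP.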

The Emergence of Collaboration Management
  - IdM is a critical dimension of collaboration, crossing many applications and user communities
  - Virtual organizations represent critical communities of researchers sharing domain resources and applications as well as general collaboration tools
  - Providing a unified identity management platform for collaboration is essential in a multi-domain, multi-tool world
  - Lots of activities in domesticating applications to work in a federated world, moving from tool-based identity to collaboration-centric identity

Collaboration Platforms
  - Integrated set of collaboration apps (wikis, listprocs, CVS, file share, calendaring, etc.)
  - Integration of at least identity and access control via group memberships
  - Extends consistent identity and access controls to domain apps
  - Repackages successful enterprise technologies for a collaborative/project/VO setting: federated identity, group management, directories, and security token services (aka credential converters)
  - Allows integration of VO and enterprise IdM

Examples of Collaborative Platforms
  - COmanage: http://middleware.internet2.edu/co/
  - http://www.surfnet.nl/Documents/indi-2009-07-020%20(Report%20Collaboration%20Infrastructure).pdf
  - Commercial offerings: Sharepoint, Adobe Connect, Google Sites, Google Wave, Google Apps; can be integrated with enterprise IdM; don’t integrate with domain apps

COmanage Elements
  - Dashboard (including invitation/registration)
  - Shib SP
  - Grouper
  - STS
  - Shib IdP
  - LdapPC / SPML provisioning
  - Data Store
  - Applications

What’s in a COmanage data store
  - Enterprise attributes
  - Project/VO attributes
  - Federated Id
  - PI groups
  - Enrolled classes
  - Wiki editing permissions
  - Display name
  - Instrument permissions
  - Citizenship
  - VO certificates
  - Enterprise affiliation
  - …

Flows of attributes - 1
  (diagram: attribute flows among the Enterprise, the Project’s COmanage data store and the Relying Party)

Talking new technologies
  - Interfederation
  - Thinking beyond the web
  - The Attribute Ecosystem and the Tao of Attributes

Interfederation
  - Connecting autonomous federations
  - Critical for global scaling, accommodating state and local federations, integration across vertical sectors
  - Has technical, financial and policy dimensions
  - Elegant technical solution (MDX) being developed in the eduGAIN project of GÉANT
  - Policy activities in Kalmar2 Union, Kantara, TERENA

MDX: metadata exchange protocol
  - Institutions and organizations will pick a registrar to give their metadata to
  - Institutions and organizations will pick an aggregator (or several) to get their partners’ metadata from
  - Aggregators exchange metadata with each other and with registrars
  - If this sounds like DNS registration and routing, it is, one layer up
  - In the land of data, metadata is king; imagine many new kinds of metadata
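The DNS analogy holds down to the failure modes: an aggregator that caches an expired aggregate, or lets two registrars claim the same entityID, is the metadata equivalent of serving a stale or hijacked zone. The following is an added example of an aggregator's core, not code from the slides, eduGAIN or any MDX implementation: it loads a constructed SAML metadata aggregate, enforces validUntil, refuses conflicting registrations, and serves per-entity lookups using the "{sha1}" identifier transform from the Metadata Query protocol as I know it. Signature verification of the registrar's aggregate is where noted but not implemented here.

```python
"""Metadata aggregation and per-entity lookup in the MDX/MDQ style.

Added example, not from the slides, eduGAIN or any MDX implementation. The
aggregate XML is constructed. The "{sha1}" identifier transform and the
validUntil handling follow the SAML metadata and MDQ conventions as I know
them; signature verification is marked but not implemented.
"""
import hashlib
import xml.etree.ElementTree as ET
from datetime import datetime, timezone

NS = {"md": "urn:oasis:names:tc:SAML:2.0:metadata"}

# Constructed aggregate, as a registrar would publish it.
AGGREGATE = """<md:EntitiesDescriptor xmlns:md="urn:oasis:names:tc:SAML:2.0:metadata"
    Name="https://registrar.example.net/aggregate" validUntil="2030-01-01T00:00:00Z">
  <md:EntityDescriptor entityID="https://idp.example.edu/idp/shibboleth">
    <md:IDPSSODescriptor protocolSupportEnumeration="urn:oasis:names:tc:SAML:2.0:protocol">
      <md:SingleSignOnService Binding="urn:oasis:names:tc:SAML:2.0:bindings:HTTP-Redirect"
          Location="https://idp.example.edu/idp/profile/SAML2/Redirect/SSO"/>
    </md:IDPSSODescriptor>
  </md:EntityDescriptor>
  <md:EntityDescriptor entityID="https://sp.example.org/shibboleth">
    <md:SPSSODescriptor protocolSupportEnumeration="urn:oasis:names:tc:SAML:2.0:protocol"/>
  </md:EntityDescriptor>
</md:EntitiesDescriptor>"""


def mdq_identifier(entity_id: str) -> str:
    """MDQ's transformed identifier: '{sha1}' followed by the hex SHA-1 of the entityID."""
    return "{sha1}" + hashlib.sha1(entity_id.encode("utf-8")).hexdigest()


class Aggregator:
    def __init__(self, now=None):
        self.now = now or datetime.now(timezone.utc)
        self.entities = {}     # entityID -> EntityDescriptor element
        self.by_hash = {}      # "{sha1}..." -> entityID
        self.sources = {}      # entityID -> registrar that supplied it

    def load(self, xml_text: str, registrar: str) -> int:
        """Ingest one registrar's aggregate; returns the number of entities taken."""
        root = ET.fromstring(xml_text)
        # 1. Verify the registrar's XML signature over the aggregate here (not shown).
        # 2. Refuse stale aggregates: replaying an old one would resurrect
        #    endpoints and keys that have since been retired.
        valid_until = root.get("validUntil")
        if valid_until is None:
            raise ValueError("aggregate has no validUntil; refusing to cache it indefinitely")
        if datetime.fromisoformat(valid_until.replace("Z", "+00:00")) <= self.now:
            raise ValueError("aggregate has expired")
        count = 0
        for ent in root.findall("md:EntityDescriptor", NS):
            eid = ent.get("entityID")
            # 3. One registrar per entityID: a second claimant is surfaced, not merged.
            if eid in self.sources and self.sources[eid] != registrar:
                raise ValueError(f"{eid} registered by both {self.sources[eid]} and {registrar}")
            self.entities[eid] = ent
            self.sources[eid] = registrar
            self.by_hash[mdq_identifier(eid)] = eid
            count += 1
        return count

    def lookup(self, identifier: str):
        """Serve /entities/<identifier>: accepts the raw entityID or the {sha1} form."""
        eid = self.by_hash.get(identifier, identifier)
        return self.entities.get(eid)

    def sso_endpoint(self, entity_id: str, binding: str):
        """What a consuming SP actually needs: the IdP endpoint for a binding."""
        ent = self.lookup(entity_id)
        if ent is None:
            return None
        for sso in ent.findall("md:IDPSSODescriptor/md:SingleSignOnService", NS):
            if sso.get("Binding") == binding:
                return sso.get("Location")
        return None
```

An aggregator that forwards to other aggregators would re-sign what it serves under its own key, so the consumer's trust chain is aggregator, then registrar, never the entity's self-published metadata directly.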

Thinking beyond the web
  - All those mobile devices
  - All those infrastructure elements: routers, firewalls
  - Lots of apps want to leverage federated identity
  - Several approaches at work: using OAuth to pass a token from web to app; the Project Moonshot effort in Europe to extend basic IETF protocols (GSS-API, EAP, etc.) to provide a broad set of app opportunities

The Attribute Ecosystem
  - Authentication is very important, but identity is just one of many attributes
  - And attributes provide scalable access control, privacy, customization, linked identities, federated roles and more
  - We now have our first transport mechanisms to move attributes around: SAML and federations
  - There will be many sources of attributes, many consumers of attributes, query languages and other transport mechanisms
  - Together, this attribute ecosystem is the “access control” layer of the Internet

Attribute use cases are rapidly emerging
  - Disaster “first responders”: attributes and qualifications, dynamically
  - Accessibility use cases
  - Public input processes: anonymous but qualified respondents
  - Grid relying parties aggregating VO and campus attributes
  - The “IEEE” problem
  - The “over legal age” use case, and the difference in legal ages
  - Self-asserted attributes: friend, interests, preferences, etc.

The Tao of Attributes workshop (属性之道)
  - Purpose of the workshop was to start to explore the federal use case requirements for attributes, aggregation, sources of authority, delegation, query languages, etc.
  - Participants were the best and brightest: the folks who invented LDAP, SAML, OpenID, etc.
  - Webcast at http://videocast.nih.gov/PastEvents.asp
  - Twittered at TAOA
  - http://middleware.internet2.edu/tao-of-attributes/

Back to Ann
  - With much thanks to her, and to the Internet2 and InCommon staff who helped
  - And much thanks to the program committee
  - And great thanks to you, with your great problems and your willingness to talk about them