1 Issues in federated identity management Sandy Shaw EDINA IASSIST 24-27 May 2005, Edinburgh.


1 Issues in federated identity management
Sandy Shaw, EDINA
IASSIST, May 2005, Edinburgh

2 Contents
– Federated identity management overview
– Open issues for federations

3 Introduction
Federated identity management a live topic
Both commercial and academic interest:
– Liberty Alliance
– Shibboleth (Internet2 – MACE)
Both make use of SAML, which specifies rules for encoding security assertions

4 The familiar problem
Users required to present different name/pass pairs for each service they use
Addressed by the introduction of single-signon for local institutional services
But distinct name/pass pairs are still often required for access to external services

5 Federated identity solution
Use locally-managed credentials to enable access to remote services
Extends the scope of single-signon to external services

6 Shibboleth
Does neither authentication nor authorisation itself
Conveys security assertions from Identity Provider (IdP) to Service Provider (SP)
Security assertions (SAML) about:
– user authentication
– user attributes
Privacy preserving
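What the SP does with the assertions this slide describes, as an added example (not Shibboleth's own code): parse the authentication statement and the attribute statement out of a SAML 2.0 assertion, then apply the checks an SP makes before acting on them. The assertion, the SP entityID, the trusted IdP list and the IdP's registered scope are constructed; the XML signature check a real SP runs first, using the IdP key from federation metadata, is assumed to have already passed.

```python
"""SP-side handling of a SAML assertion (added example, not Shibboleth code).
The XML signature check that precedes this in a real SP is assumed done."""
import xml.etree.ElementTree as ET
from datetime import datetime, timezone

NS = {"saml": "urn:oasis:names:tc:SAML:2.0:assertion"}
SP_ENTITY_ID = "https://sp.example.org/shibboleth"   # constructed

# Constructed view of federation metadata: trusted IdPs and the scopes each
# is registered for (a real SP reads this from the signed metadata file).
TRUSTED_IDPS = {"https://idp.example.ac.uk/shibboleth": ["example.ac.uk"]}

# Constructed sample assertion as an IdP might issue it. The second
# affiliation value carries a scope this IdP is not registered for.
SAMPLE_ASSERTION = """<saml:Assertion xmlns:saml="urn:oasis:names:tc:SAML:2.0:assertion"
    ID="_constructed1" Version="2.0" IssueInstant="2005-05-25T09:00:00Z">
  <saml:Issuer>https://idp.example.ac.uk/shibboleth</saml:Issuer>
  <saml:Subject>
    <saml:NameID Format="urn:oasis:names:tc:SAML:2.0:nameid-format:transient">_abc123</saml:NameID>
  </saml:Subject>
  <saml:Conditions NotBefore="2005-05-25T08:59:00Z" NotOnOrAfter="2005-05-25T09:05:00Z">
    <saml:AudienceRestriction>
      <saml:Audience>https://sp.example.org/shibboleth</saml:Audience>
    </saml:AudienceRestriction>
  </saml:Conditions>
  <saml:AuthnStatement AuthnInstant="2005-05-25T08:58:30Z">
    <saml:AuthnContext>
      <saml:AuthnContextClassRef>urn:oasis:names:tc:SAML:2.0:ac:classes:PasswordProtectedTransport</saml:AuthnContextClassRef>
    </saml:AuthnContext>
  </saml:AuthnStatement>
  <saml:AttributeStatement>
    <saml:Attribute Name="urn:oid:1.3.6.1.4.1.5923.1.1.1.9" FriendlyName="eduPersonScopedAffiliation">
      <saml:AttributeValue>member@example.ac.uk</saml:AttributeValue>
      <saml:AttributeValue>staff@other.ac.uk</saml:AttributeValue>
    </saml:Attribute>
  </saml:AttributeStatement>
</saml:Assertion>"""


def parse_time(text):
    """xs:dateTime in the Z form SAML uses, as an aware UTC datetime."""
    return datetime.strptime(text, "%Y-%m-%dT%H:%M:%SZ").replace(tzinfo=timezone.utc)


def parse_assertion(xml_text):
    """Pull out issuer, subject, conditions, authentication context and attributes."""
    root = ET.fromstring(xml_text)

    def text(path):
        el = root.find(path, NS)
        return el.text if el is not None else None

    cond = root.find("saml:Conditions", NS)
    attributes = {}
    for attr in root.findall("saml:AttributeStatement/saml:Attribute", NS):
        name = attr.get("FriendlyName") or attr.get("Name")
        attributes[name] = [v.text for v in attr.findall("saml:AttributeValue", NS)]
    return {
        "issuer": text("saml:Issuer"),
        "name_id": text("saml:Subject/saml:NameID"),
        "not_before": cond.get("NotBefore") if cond is not None else None,
        "not_on_or_after": cond.get("NotOnOrAfter") if cond is not None else None,
        "audiences": [a.text for a in root.findall(
            "saml:Conditions/saml:AudienceRestriction/saml:Audience", NS)],
        "authn_context": text("saml:AuthnStatement/saml:AuthnContext/saml:AuthnContextClassRef"),
        "attributes": attributes,
    }


def validate_assertion(info, now_text, sp_entity_id=SP_ENTITY_ID, trusted_idps=TRUSTED_IDPS):
    """Return the reasons to reject the assertion; an empty list means accept."""
    now = parse_time(now_text)
    problems = []
    if info["issuer"] not in trusted_idps:
        problems.append("issuer is not a federation IdP")
    if sp_entity_id not in info["audiences"]:
        problems.append("assertion is not addressed to this SP")
    if info["not_before"] and now < parse_time(info["not_before"]):
        problems.append("assertion not yet valid")
    if info["not_on_or_after"] and now >= parse_time(info["not_on_or_after"]):
        problems.append("assertion has expired")
    if info["authn_context"] is None:
        problems.append("no authentication statement")
    return problems


def filter_scoped_attributes(info, trusted_idps=TRUSTED_IDPS):
    """Keep scoped values (user@scope) only for scopes the issuer is registered
    for, so one IdP cannot assert affiliation with another institution."""
    scopes = trusted_idps.get(info["issuer"], [])
    kept = {}
    for name, values in info["attributes"].items():
        ok = [v for v in values if "@" not in v or v.rsplit("@", 1)[1] in scopes]
        if ok:
            kept[name] = ok
    return kept
```

The audience, validity window and issuer checks are what stop an assertion issued for one SP being replayed at another; the scope filter is what makes a scoped affiliation trustworthy, since the scope an IdP may assert comes from the federation's metadata, not from the IdP itself.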

7 How does it work?
[Diagram of the Shibboleth exchange between IdP and SP; credit: SWITCH]

8 Benefits to users
[Diagram: one IdP; local SPs reached by SSO to local services; remote SPs SP 1 … SP N reached by SSO to remote services (JISC IE)]
Enables proliferation of secure services
Once-only login screen

9 Management devolved to the institution
Institution has control over choice of:
– Authentication method (passwords, certs, …)
– SSO system (pubcookie, CoSign, …)
– Attribute store (LDAP, SQL, …)
– Attribute disclosure policy
The main cost is the integration effort required
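The attribute disclosure policy on this slide, as an added example on the IdP side (not Shibboleth's attribute-release code): the institution decides per Service Provider which locally held attributes leave the campus, and hands out an SP-specific pseudonym rather than a real identifier where one is needed. The attribute store, the policy table, the SP entityIDs and the pseudonym construction (an HMAC over user and SP under an IdP-held key) are constructed assumptions.

```python
"""IdP-side attribute disclosure policy (added example, not Shibboleth code)."""
import hashlib
import hmac

# Constructed attribute store: what the LDAP/SQL lookup would return.
USER_ATTRIBUTES = {
    "alice": {
        "eduPersonScopedAffiliation": ["staff@example.ac.uk"],
        "mail": ["alice@example.ac.uk"],
        "displayName": ["Alice Example"],
        "eduPersonEntitlement": ["urn:mace:dir:entitlement:common-lib-terms"],
    },
}

# Constructed release policy keyed by SP entityID. Anything not listed for
# an SP stays at home; an SP with no entry gets the minimal default set.
RELEASE_POLICY = {
    "https://journals.example.org/shibboleth": {
        "eduPersonScopedAffiliation", "eduPersonEntitlement"},
    "https://collab.example.net/shibboleth": {
        "eduPersonScopedAffiliation", "mail", "displayName", "eduPersonTargetedID"},
}
DEFAULT_RELEASE = {"eduPersonScopedAffiliation"}

PSEUDONYM_KEY = b"constructed-idp-secret"   # held by the IdP, never released


def targeted_id(user, sp_entity_id, key=PSEUDONYM_KEY):
    """Persistent pseudonym: stable for one user at one SP, different at every
    other SP, so two SPs cannot correlate the same person (assumed construction)."""
    message = f"{user}!{sp_entity_id}".encode()
    return hmac.new(key, message, hashlib.sha256).hexdigest()[:32]


def release_attributes(user, sp_entity_id):
    """Apply the disclosure policy and return only what this SP may see."""
    allowed = RELEASE_POLICY.get(sp_entity_id, DEFAULT_RELEASE)
    stored = USER_ATTRIBUTES[user]
    released = {name: list(values) for name, values in stored.items() if name in allowed}
    if "eduPersonTargetedID" in allowed:
        released["eduPersonTargetedID"] = [targeted_id(user, sp_entity_id)]
    return released
```

The policy is deny-by-default: an SP that is not named gets affiliation only, and identifying attributes such as mail reach an SP only where the institution has decided they should. The pseudonym gives an SP a stable handle for personalisation without giving it anything two SPs could join on.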

10 Benefits to Service Providers
[Diagram: IdP 1 … IdP N (e.g. ed.ac.uk, ncl.ac.uk) in front of a single SP]
Hide N×M users behind N IdPs
Medium term: ~50 UK sites
Federation metadata provides authoritative information on IdPs

11 Working definition of federation
A register of identity providers and service providers interworking in a common trust network
Basis of trust:
– reasonable expectation of behaviour
– common understanding of obligations and rights
… rather than technical assurance

12 What does a federation do?
Acts as trusted third party to vet new members:
– are they who they say they are?
– do they speak for their organisation?
– do they agree to federation policies?
Maintains a list of members (metadata)
Sets policies, such as acceptable CAs

13 UK activity
JISC Core Middleware Programme
– significant support for technical development projects and infrastructure
SDSS project at EDINA
– Shibboleth Development and Support Services
– investigating federation development issues

14 Current Shibboleth status
Shibboleth version 1.3 expected soon
– use of (new) SAML 2.0 standard
The federation model is still fluid
Might develop in a variety of directions

15 Contents
– Federated identity management overview
– Open issues for federations

16 How many federations?
Early view: one per country
One federation implies:
– single administrative framework
– everyone on same development path
Already three UK education federations
So multiple federations (and multiple membership) already a reality

17 Federation interworking
Required for international use:
– InCommon
– SWITCH
– HAKA
… and nationally (SDSS, Becta, Eduserv)
Need more operational experience!

18 Virtual organisation support
Examples of VOs:
– Institutions sharing L&T responsibilities
– Disparate groups of collaborating researchers
Sub-federation / spanning federations
Must be easy to create
Relevance of GRID VO model?

19 Multiple identity assurance levels
To cover a wider range of requirements:
– cross-institutional access to e-Learning resources
– access to high value e-Science resources
Factors include:
– value of resources protected
– rigour of institutional identity management process
Accommodate a range of levels in one federation? Or simply create distinct federations?

20 Metadata distribution methods
Federation signs aggregated metadata (IdP and SP member details) in a single file
Could separately sign each member's metadata as a discrete packet (SAML 2.0)
Fetch on-the-fly
– does this avoid revocation checking?
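The two distribution models on this slide, and the member list the federation maintains on slide 12, as an added example (not UK federation or Shibboleth code): the federation signs either one aggregate file or one packet per member, both carrying a validUntil; a consumer verifies the signature and validity before looking a member up. The example then removes a member and shows what each model does about it, which is the revocation question the slide asks. The member records, entityIDs and key are constructed; an HMAC over a canonical JSON body stands in for the XML signature, and ISO-8601 UTC strings stand in for xs:dateTime (they compare correctly as strings).

```python
"""Federation metadata: signed aggregate vs signed per-entity packets
(added example, not federation or Shibboleth code; HMAC stands in for XML-DSig)."""
import hashlib
import hmac
import json

FEDERATION_KEY = b"constructed-federation-signing-key"   # the federation's signing key

IDP_A = "https://idp-a.example.ac.uk/shibboleth"          # constructed entityIDs
IDP_B = "https://idp-b.example.ac.uk/shibboleth"

# Constructed member records as the federation holds them after vetting.
MEMBERS_DAY1 = {
    IDP_A: {"role": "IdP", "scope": "idp-a.example.ac.uk", "signing_cert": "CERT-A-PLACEHOLDER"},
    IDP_B: {"role": "IdP", "scope": "idp-b.example.ac.uk", "signing_cert": "CERT-B-PLACEHOLDER"},
}


def sign_packet(payload, key=FEDERATION_KEY):
    """Sign a canonical encoding of the payload."""
    body = json.dumps(payload, sort_keys=True, separators=(",", ":")).encode()
    return {"body": body, "sig": hmac.new(key, body, hashlib.sha256).hexdigest()}


def verify_packet(packet, now, key=FEDERATION_KEY):
    """Check the federation signature and validUntil; return the payload."""
    expected = hmac.new(key, packet["body"], hashlib.sha256).hexdigest()
    if not hmac.compare_digest(expected, packet["sig"]):
        raise ValueError("signature check failed")
    payload = json.loads(packet["body"])
    if now >= payload["validUntil"]:
        raise ValueError("metadata expired")
    return payload


def publish_aggregate(members, valid_until):
    """One signed file holding every member."""
    return sign_packet({"validUntil": valid_until, "entities": members})


def publish_per_entity(members, valid_until):
    """One signed packet per member, as a fetch-on-the-fly endpoint would serve."""
    return {eid: sign_packet({"validUntil": valid_until, "entityID": eid, **rec})
            for eid, rec in members.items()}


def resolve_from_aggregate(aggregate, entity_id, now):
    """Aggregate model: a member is whoever the current signed file lists."""
    entities = verify_packet(aggregate, now)["entities"]
    if entity_id not in entities:
        raise ValueError("entity is not a federation member")
    return entities[entity_id]


def resolve_on_the_fly(endpoint, cache, entity_id, now):
    """Per-entity model: reuse a cached packet while it still verifies, else fetch."""
    packet = cache.get(entity_id) or endpoint.get(entity_id)
    if packet is None:
        raise ValueError("entity is not a federation member")
    record = verify_packet(packet, now)
    cache[entity_id] = packet
    return record


def outcome(fn):
    """Run a lookup and report 'accepted' or the reason it was refused."""
    try:
        fn()
        return "accepted"
    except ValueError as e:
        return str(e)


def revocation_demo():
    """Day 1: both IdPs are members and an SP caches IdP B's packet.
    Day 2: IdP B is removed and both feeds are republished without it."""
    valid_until = "2005-06-30T00:00:00Z"
    cache = {}
    resolve_on_the_fly(publish_per_entity(MEMBERS_DAY1, valid_until), cache, IDP_B,
                       "2005-05-25T00:00:00Z")
    members_day2 = {IDP_A: MEMBERS_DAY1[IDP_A]}
    aggregate = publish_aggregate(members_day2, valid_until)
    endpoint = publish_per_entity(members_day2, valid_until)
    tampered = {"body": aggregate["body"].replace(b"idp-a", b"idp-x"), "sig": aggregate["sig"]}
    now = "2005-05-26T00:00:00Z"
    return {
        "aggregate": outcome(lambda: resolve_from_aggregate(aggregate, IDP_B, now)),
        "cached_packet": outcome(lambda: resolve_on_the_fly(endpoint, cache, IDP_B, now)),
        "fresh_fetch": outcome(lambda: resolve_on_the_fly(endpoint, {}, IDP_B, now)),
        "tampered_aggregate": outcome(lambda: resolve_from_aggregate(tampered, IDP_A, now)),
    }
```

With the aggregate, removal takes effect at the consumer's next refresh of the one file. With per-entity packets, a consumer that keeps reusing a cached packet does not learn of the removal until that packet's validUntil passes or it refetches; fetching on the fly therefore does not avoid revocation checking so much as move it into the validUntil and cache-lifetime policy, which the federation and its members then have to agree on.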

21 Next steps
Deployment for live service
Launch of UK production federation
Further investigation of the technology
Strive for commonality in approach (to enable future interworking):
– attributes, certification, policy, assurance rules
Many issues will be resolved over the next year

22 Further information
Shibboleth:
JISC Core Middleware Programme:
SDSS project: