Lowering Barriers for Distributed Service Integration: The Cloud Cookbook Project
By the CIC ID Management Research CI Working Group
Presenters: Keith Wessel, Mark Nye, Keith Brautigam
CIC member universities: University of Chicago, University of Illinois, Indiana University, University of Iowa, University of Maryland, University of Michigan, Michigan State University, University of Minnesota, University of Nebraska-Lincoln, Northwestern University, Ohio State University, Pennsylvania State University, Purdue University, Rutgers University, University of Wisconsin-Madison

What is the CIC?
Founded in 1958, the Committee on Institutional Cooperation is an academic consortium of top-tier research universities, including members of the Big Ten Conference and the University of Chicago. CIC members collaborate to advance their academic missions, generate unique opportunities for students and faculty, and serve the common good by sharing expertise, leveraging campus resources, and creating innovative programming. The work of the CIC is carried out in two ways: 1) through targeted project partnerships that meet three primary criteria: they address member university needs, create new opportunities through the aggregation of resources, and would not be possible for a university acting alone; and 2) through communities of peers that meet to address common issues, share best practices, and diffuse innovation throughout the network of universities.
Building Collaboration Infrastructure

PURPOSE: Why a Cloud Services Cookbook?
- Lower the cost and effort of federating with a cloud service.
- Reduce the need for schools to repeatedly consult for vendors on federation and IAM.
- Help vendors understand IAM in higher education.
- Reduce duplicated effort among CIC schools.

PROGRESS: The story so far ...
- The Cookbook is in the process of being written.
- Developing a recipe for success.
- Integration template for federated cloud services.
- Best practices for cloud integration.
- Complement to the Internet2 NET+ initiative.

PROCESS: The Cloud Cookbook is a consensus-driven project! Thus far, we've ...
- Surveyed CIC schools on their experience implementing various cloud services.
- Combined survey results with common knowledge to create a document outline.
- Documented best practices for identity providers as well as service providers.
- Planned to produce both school-facing and vendor-facing documents.

FORMAT: What will the Cloud Services Cookbook look like?
- "Do" and "don't" best practice statements with concise explanations.
- No verbose expositions and definitions; that content is already available elsewhere.
- Where a recommendation isn't fully supported by all CIC schools, it will be included as a consideration instead of a definite do or don't.

TOPICS: High-level Cloud Cookbook topics
- Authentication
- Identifiers
- Authorization
- Provisioning and Deprovisioning
- Trust Frameworks
- Operational Agility
- User Experience
- Policy and Compliance

Best practice #1 (TRUST FRAMEWORKS)
"If you want to scale, DO define a process for maintaining SAML Service Provider metadata."
- SAML is an accepted standard.
- If trust isn't an issue, allow for anonymous services.
- Self-published SP metadata and bilateral metadata exchanges don't scale well: every IdP has to fetch, verify and re-verify each SP's metadata on its own.
- Your best option is the use of a federation.

Best practice #2 (TRUST AND OPERATIONAL AGILITY)
"DO register SAML metadata with the InCommon Federation."
Joining InCommon takes care of many best practices:
- Leverages an existing trust framework.
- Provides validated SAML metadata and sound operational practices.
- Ensures daily metadata refresh.
- Handles certificate and endpoint changes automatically, without service disruption, because every participant picks up the new metadata on its next refresh.
- Automates the response to security events such as certificate revocation: a compromised key is removed from the published metadata and drops out of every participant's trust store on refresh.
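
The two practices above rest on one mechanism: a signed metadata aggregate that every participant re-fetches on a schedule. The following is an added example, not code from the Cloud Cookbook, InCommon or Shibboleth, of the two checks a campus would script around that refresh: refuse an aggregate whose validUntil has passed (a stale copy is how a revoked SP key lingers), and diff today's aggregate against yesterday's so that rotated certificates, moved endpoints and newly registered SPs are visible rather than silently absorbed. Signature verification of the aggregate is out of scope here and must happen before this step. The entityIDs are hypothetical and the X509Certificate values are base64 dummies, not real DER certificates.

```python
"""Freshness check and change detection for a SAML metadata aggregate.
Added example; not code from the Cloud Cookbook, InCommon or Shibboleth.
The aggregates below are constructed: hypothetical entityIDs, and the
X509Certificate values are base64 dummies rather than real certificates."""
import base64
import hashlib
from datetime import datetime, timezone
from typing import Dict, List, Optional, Tuple
from xml.etree import ElementTree as ET

NS = {"md": "urn:oasis:names:tc:SAML:2.0:metadata",
      "ds": "http://www.w3.org/2000/09/xmldsig#"}


def cert_fingerprint(b64: str) -> str:
    """SHA-256 over the DER bytes published in <ds:X509Certificate>."""
    return hashlib.sha256(base64.b64decode("".join(b64.split()))).hexdigest()


def load_sps(xml_text: str, now: Optional[datetime] = None) -> Dict[str, dict]:
    """Parse an aggregate into {entityID: {acs endpoints, cert fingerprints}},
    refusing it if validUntil is missing or already past.  Verify the XML
    signature (e.g. with xmlsec) before calling this in a real refresh."""
    root = ET.fromstring(xml_text)
    valid_until = root.get("validUntil")
    if valid_until is None:
        raise ValueError("aggregate has no validUntil; refusing to load")
    expires = datetime.fromisoformat(valid_until.replace("Z", "+00:00"))
    if expires <= (now or datetime.now(timezone.utc)):
        raise ValueError(f"aggregate expired at {valid_until}")
    sps: Dict[str, dict] = {}
    for ed in root.iterfind("md:EntityDescriptor", NS):
        sso = ed.find("md:SPSSODescriptor", NS)
        if sso is None:          # IdP-only entity; not an SP
            continue
        acs = {(a.get("Binding"), a.get("Location"))
               for a in sso.iterfind("md:AssertionConsumerService", NS)}
        certs = {cert_fingerprint(c.text) for c in sso.iterfind(
            "md:KeyDescriptor/ds:KeyInfo/ds:X509Data/ds:X509Certificate", NS)}
        sps[ed.get("entityID")] = {"acs": acs, "certs": certs}
    return sps


def diff_sps(old: Dict[str, dict], new: Dict[str, dict]) -> List[Tuple[str, str]]:
    """What one refresh changed: new/removed SPs, rotated keys, moved endpoints."""
    changes = []
    for eid in sorted(set(old) | set(new)):
        if eid not in old:
            changes.append(("added", eid))
        elif eid not in new:
            changes.append(("removed", eid))
        else:
            if old[eid]["certs"] != new[eid]["certs"]:
                changes.append(("cert", eid))
            if old[eid]["acs"] != new[eid]["acs"]:
                changes.append(("endpoint", eid))
    return changes


# --- constructed sample aggregates (hypothetical entityIDs, dummy certs) ---
def _aggregate(valid_until: str, entities: str) -> str:
    return (f'<md:EntitiesDescriptor xmlns:md="{NS["md"]}" xmlns:ds="{NS["ds"]}" '
            f'validUntil="{valid_until}">{entities}</md:EntitiesDescriptor>')


def _sp(entity_id: str, certs: List[str],
        acs: str = "https://sp.example.edu/Shibboleth.sso/SAML2/POST") -> str:
    keys = "".join(f"<md:KeyDescriptor><ds:KeyInfo><ds:X509Data><ds:X509Certificate>{c}"
                   "</ds:X509Certificate></ds:X509Data></ds:KeyInfo></md:KeyDescriptor>"
                   for c in certs)
    return (f'<md:EntityDescriptor entityID="{entity_id}"><md:SPSSODescriptor '
            'protocolSupportEnumeration="urn:oasis:names:tc:SAML:2.0:protocol">'
            f'{keys}<md:AssertionConsumerService index="1" '
            'Binding="urn:oasis:names:tc:SAML:2.0:bindings:HTTP-POST" '
            f'Location="{acs}"/></md:SPSSODescriptor></md:EntityDescriptor>')


SP1 = "https://sp.example.edu/shibboleth"
SP2 = "https://sp2.example.edu/shibboleth"
YESTERDAY_AGGREGATE = _aggregate("2099-01-01T00:00:00Z", _sp(SP1, ["Y2VydC0x"]))
# SP1 begins a key rollover (old + new cert); SP2 is newly registered.
TODAY_AGGREGATE = _aggregate("2099-01-01T00:00:00Z",
                             _sp(SP1, ["Y2VydC0x", "Y2VydC0y"]) + _sp(SP2, ["Y2VydC0z"]))
EXPIRED_AGGREGATE = _aggregate("2000-01-01T00:00:00Z", _sp(SP1, ["Y2VydC0x"]))


def refresh_report() -> List[Tuple[str, str]]:
    """Changes a daily refresh would surface between the two sample aggregates."""
    return diff_sps(load_sps(YESTERDAY_AGGREGATE), load_sps(TODAY_AGGREGATE))


if __name__ == "__main__":
    for kind, eid in refresh_report():
        print(f"{kind:9} {eid}")
```

The report is what you want in a log or a ticket queue: a "cert" entry for an SP is expected during a rollover and should go away once the old key is dropped, while an unexpected "endpoint" entry for a production SP deserves a look before the next refresh makes it live.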

Best practice #3 (IDENTIFIERS)
"Re-defining attributes is painful, so DON'T call a Foo a Bar!"
- Resist the temptation to force something you have into something you need.
- In federated contexts, standard attribute definitions are important.
- Carefully consider what's available before creating a new attribute.
- If the available attributes won't do, create something new instead of misusing a known attribute.

Best practice #4 (IDENTIFIERS)
"CONSIDER the relationship between eduPersonPrincipalName and mail."
- It's hard to enroll for most cloud services without a standard enterprise address.
- University environments aren't as well controlled as the corporate world.
- In higher ed, mail and similar attributes can be multi-valued, and often are.
- Services want an identifier for three purposes: a unique ID, an address, and a scope. ePPN and mail often look alike but are not the same thing, and neither is guaranteed stable.

Best practice #5 (IDENTIFIERS)
"DON'T be afraid of eduPersonTargetedID."
- Continues to identify a user even when their name or address changes.
- Might sound intimidating, but is simple to set up.
- Requires a unique, never-reassigned source identifier as its input.
- Because it's computed with a secret salt, it's opaque, and each SP receives a different value for the same user, so SPs cannot correlate users among themselves.
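
To make the "computed with a salt" point concrete, here is an added example (not code from the Cloud Cookbook or the Shibboleth project) of how such a pairwise identifier is derived. It follows the construction I understand Shibboleth's computed-ID data connector to use, SHA-1 over "spEntityID!sourceId!salt" then base64; treat that layout as an assumption and consult your IdP's documentation if you need bit-for-bit compatibility. The salt, entityIDs and person record are constructed. The point the code makes is the one on the slide: the value survives a mail change and differs per SP.

```python
"""eduPersonTargetedID as a salted, per-SP computed identifier.
Added example, not code from the Cloud Cookbook or the Shibboleth project.
Assumption: the digest layout SHA-1("<spEntityID>!<sourceId>!<salt>"),
base64-encoded, as used by Shibboleth's computed-ID connector.
Salt, entityIDs and the person record below are constructed."""
import base64
import hashlib
import secrets
from typing import Tuple

# The salt is effectively a key: long, random, kept secret, and never rotated,
# because rotating it changes every user's identifier at every SP.
SALT = b"constructed-salt-replace-with-new_salt()-output"   # constructed
IDP = "https://idp.example.edu/idp/shibboleth"                 # constructed
SP1 = "https://sp1.example.org/shibboleth"                    # constructed
SP2 = "https://sp2.example.org/shibboleth"                    # constructed


def new_salt(length: int = 32) -> bytes:
    """Generate a salt once, store it in the IdP's secret store, never print it."""
    return secrets.token_bytes(length)


def computed_id(sp_entity_id: str, source_id: str, salt: bytes = SALT) -> str:
    """Opaque value, unique to (SP, person).  source_id must be the campus's
    stable, never-reassigned identifier (an employee number, a UUID), not
    ePPN or mail, which change when names change."""
    h = hashlib.sha1()
    h.update(sp_entity_id.encode("utf-8"))
    h.update(b"!")
    h.update(source_id.encode("utf-8"))
    h.update(b"!")
    h.update(salt)
    return base64.b64encode(h.digest()).decode("ascii")


def targeted_id(idp_entity_id: str, sp_entity_id: str, source_id: str) -> Tuple[str, str, str]:
    """The triple an SP actually receives: NameQualifier (IdP), SPNameQualifier
    (SP) and the value.  All three together are the identifier."""
    return (idp_entity_id, sp_entity_id, computed_id(sp_entity_id, source_id))


def demo() -> dict:
    """Same person, two SPs, one mail change: the ID differs per SP and
    survives the change because it is derived from the stable uid only."""
    person = {"uid": "u1234567", "mail": "jane.doe@example.edu"}      # constructed
    before = targeted_id(IDP, SP1, person["uid"])
    person["mail"] = "jane.smith@example.edu"                          # name change
    after = targeted_id(IDP, SP1, person["uid"])
    other_sp = targeted_id(IDP, SP2, person["uid"])
    return {
        "stable_across_mail_change": before == after,
        "differs_per_sp": before[2] != other_sp[2],
        "sp1_value": before[2],
        "sp2_value": other_sp[2],
    }


if __name__ == "__main__":
    for k, v in demo().items():
        print(f"{k}: {v}")
```

The secrecy of the salt is what makes the value opaque: SHA-1's known collision weaknesses do not matter here, but anyone holding the salt can compute every user's ID at every SP, so the salt belongs in the same protection class as the IdP's signing key. The other operational hazard is reuse of the source identifier for a different person, which would hand the new person the old person's accounts at every SP.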

Best practice #6 (AUTHORIZATION)
To avoid trouble later ... "DO authentication at the campus, but authorize at the service."
- Remember, it's the SP's job to do authorization.
- The IdP can make authorization decisions, but this doesn't scale.
- Service authorization changes are easier when the SP is interpreting the identity data.
- eduPersonEntitlement is an entitlement class, not an authorization decision: the campus asserts that the user belongs to a class, and the service decides what that class may do.
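
The following is an added example, not code from the Cloud Cookbook or any SP product, of what "authorize at the service" looks like in practice for best practices #4 and #6 together. The SP binds the account to eduPersonTargetedID rather than mail, treats an entitlement URI as a class it maps to a role, and falls back to eduPersonScopedAffiliation only after checking that the asserted scope is one the federation says that IdP may assert; without the scope check, any IdP in the federation could grant itself access by asserting another campus's scope. The IdP entityID, its registered scope, the entitlement URI and every attribute value are constructed.

```python
"""SP-side authorization from federated attributes, with scope validation.
Added example, not code from the Cloud Cookbook or any SP product.  The IdP
entityID, its scope, the entitlement URI and the attribute values are
constructed."""
from dataclasses import dataclass
from typing import Dict, List, Optional, Set

# Scopes each IdP may assert, as the federation publishes them in metadata
# (shibmd:Scope).  Constructed values; a real SP reads these from metadata.
IDP_SCOPES: Dict[str, Set[str]] = {
    "https://idp.example.edu/idp/shibboleth": {"example.edu"},
}
# The class the campus asserts; what it grants here is the SP's decision.
SERVICE_ENTITLEMENT = "urn:mace:example.edu:cloudservice:editor"   # constructed
VIEWER_AFFILIATIONS = {"faculty", "staff", "student", "member"}


@dataclass
class Decision:
    allowed: bool
    role: Optional[str]
    reason: str


def scope_is_trusted(value: str, idp_entity_id: str) -> bool:
    """Accept 'member@example.edu' only when example.edu is a scope this
    particular IdP is registered for."""
    if "@" not in value:
        return False
    scope = value.rsplit("@", 1)[1].lower()
    return scope in IDP_SCOPES.get(idp_entity_id, set())


def identifiers(attributes: Dict[str, List[str]]) -> Dict[str, Optional[str]]:
    """The three things a service wants from identifiers (best practice #4):
    a stable account key, a contact address, and a scope.  The key is the
    targetedID, never mail, because mail changes and can be reassigned."""
    tid = attributes.get("eduPersonTargetedID", [])
    mail = attributes.get("mail", [])             # multi-valued in higher ed
    eppn = attributes.get("eduPersonPrincipalName", [])
    return {
        "key": tid[0] if tid else None,
        "contact": mail[0] if mail else None,
        "scope": eppn[0].rsplit("@", 1)[1] if eppn and "@" in eppn[0] else None,
    }


def authorize(idp_entity_id: str, attributes: Dict[str, List[str]]) -> Decision:
    """Authentication already happened at the campus; this is the SP's call.
    attributes maps attribute name -> list of values (SAML attributes are multi-valued)."""
    if idp_entity_id not in IDP_SCOPES:
        return Decision(False, None, "IdP not in federation metadata")
    if identifiers(attributes)["key"] is None:
        return Decision(False, None, "no stable identifier; cannot bind an account")
    if SERVICE_ENTITLEMENT in attributes.get("eduPersonEntitlement", []):
        return Decision(True, "editor", "entitlement class mapped to editor role")
    trusted_affs = [v for v in attributes.get("eduPersonScopedAffiliation", [])
                    if scope_is_trusted(v, idp_entity_id)]
    if any(v.split("@", 1)[0].lower() in VIEWER_AFFILIATIONS for v in trusted_affs):
        return Decision(True, "viewer", "scoped affiliation from a trusted scope")
    return Decision(False, None, "no qualifying attribute")


if __name__ == "__main__":
    idp = "https://idp.example.edu/idp/shibboleth"
    base = {"eduPersonTargetedID": ["opaque-constructed-value"],
            "mail": ["jane.doe@example.edu"],
            "eduPersonPrincipalName": ["jdoe@example.edu"]}
    print(authorize(idp, {**base, "eduPersonEntitlement": [SERVICE_ENTITLEMENT]}))
    print(authorize(idp, {**base, "eduPersonScopedAffiliation": ["member@other.edu"]}))
```

Because the role mapping lives entirely in the SP, changing who is an editor is a change to SERVICE_ENTITLEMENT handling on the service side, or to who the campus places in that class, with no IdP release policy or attribute definition touched.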

Best practice #7 (PROVISIONING / DEPROVISIONING)
"DO practice 'defensive programming' when setting up provisioning services."
- Be warned! Vendor service provisioning docs are often incomplete or inaccurate.
- The campus should test error conditions and unhandled failures, and identify workarounds.
- Service reliability under load can fluctuate. Schools need to plan for these issues: retries, idempotent operations, and verification that the change actually took effect.

CONCLUSION: We want your help!
You have an opportunity to shape the Cloud Cookbook Project. If you have feedback to share or you would like to get involved, please contact Keith, Keith, or Mark.

CIC, 1819 South Neil Street, Suite D, Champaign, IL
Preview the Cloud Cookbook working draft at:
This is a CIC project, and your feedback and input is welcome!
Keith Wessel -
Mark Nye -
Keith Brautigam -