Identity Management Practical Issues Associated with Sharing Federated Services UT System Identity Management Federation William A. Weems The University.

Presentation transcript:

Identity Management Practical Issues Associated with Sharing Federated Services UT System Identity Management Federation William A. Weems The University of Texas Health Science Center at Houston

Identity Management 2 What is the Collaborative Goal? Make the sharing of restricted resources within an organization and across organizational boundaries as transparent to users as accessing public Web pages!

Identity Management 3 Ideally, individuals would each like a single digital credential that can be securely used to authenticate his or her identity anytime authentication of identity is required to secure any transaction.

Identity Management 4 Allows a person to use her federated identity credential for single sign-on access to restricted service applications provided by federation members for which she has privileges. A Federated Credential

Identity Management 5 Ideally, a digital credential must: positively identify a person; include the person’s permanent identifier; positively identify the certifying authority, i.e. the identity provider (IdP); be presentable only by the person it authenticates; be tamper proof; and be accepted by all systems.

Identity Management 6 What is Identity? Two Categories of Identity
Physical Identity – Assigned Identifier – Authentication
–Facial picture
–Fingerprints
–DNA sample
Identity Attributes – Authorization Attributes
–Common name
–Address
–Institutional affiliations, e.g. faculty, student, staff, contractor
–Specific group memberships
–Roles
–Entitlements for specific services
–Etc.

Identity Management 7 Identity Vetting & Credentialing (diagram) Identity Provider (IdP) uth.tmc.edu
–IdP obtains the person’s physical characteristics
–IdP assigns an everlasting identifier, permanently bound to the person and stored in the Permanent Identity Database
–IdP issues a digital credential; activation is by the person only

Identity Management 8 UTHSC-H Identity Management System (diagram)
–Source systems: HRMS, SIS, GMEIS, Guest, MSUTP, INDIS, OAC7, OAC47
–Identity Reconciliation & Provisioning Processes feed the Person Registry
–Person Registry feeds the Authoritative Enterprise Directories, which sync to Secondary Directories
–Services built on the directories: Authentication Service, Authorization Service, User Administration Tools (Change Password, Attribute Management)
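To make the person-registry step of the diagram concrete, here is an added example (not code from the slides or from UTHSC-H) that reconciles records from several source systems into one registry entry per person, assigns a permanent identifier that is independent of every source system’s local ID, and derives the affiliations an enterprise directory would publish. The system names HRMS, SIS and GMEIS come from the slide; the record layout, the match rule (hashed national identifier plus date of birth) and all sample records are constructed.

```python
"""Added example: source-system reconciliation into a person registry.
Record formats, match rule and identifier scheme are constructed for illustration."""
from dataclasses import dataclass, field

# Constructed feeds. Each system keys people differently; none of these local
# IDs is allowed to become the permanent identifier.
HRMS = [
    {"emp_id": "E1001", "ssn_hash": "h-aaa", "name": "Alice Ng", "dob": "1980-02-01", "type": "faculty"},
    {"emp_id": "E1002", "ssn_hash": "h-bbb", "name": "Bob Ortiz", "dob": "1975-06-30", "type": "staff"},
]
SIS = [
    {"student_id": "S5001", "ssn_hash": "h-ccc", "name": "Carol Diaz", "dob": "1999-11-12"},
    # Same human as HRMS E1001: a faculty member who is also enrolled.
    {"student_id": "S5002", "ssn_hash": "h-aaa", "name": "A. Ng", "dob": "1980-02-01"},
]
GMEIS = [
    {"resident_id": "R7001", "ssn_hash": "h-ddd", "name": "Dan Wu", "dob": "1992-03-03"},
]


@dataclass
class Person:
    permanent_id: str                      # everlasting identifier, never reused
    name: str
    source_ids: dict = field(default_factory=dict)   # system -> local ID
    affiliations: set = field(default_factory=set)


class PersonRegistry:
    def __init__(self):
        self._by_match_key = {}
        self._counter = 0

    @staticmethod
    def _match_key(rec):
        # Names change (marriage, abbreviations), so matching uses a hashed
        # national identifier plus date of birth instead.
        return (rec["ssn_hash"], rec["dob"])

    def _new_permanent_id(self):
        # Sequential, opaque and never derived from source data, so a source
        # system re-keying its records cannot change anyone's identifier.
        self._counter += 1
        return f"uth-{self._counter:06d}"

    def reconcile(self, source, rec, local_id_field, affiliation):
        key = self._match_key(rec)
        person = self._by_match_key.get(key)
        if person is None:
            person = Person(self._new_permanent_id(), rec["name"])
            self._by_match_key[key] = person
        person.source_ids[source] = rec[local_id_field]
        person.affiliations.add(affiliation)
        return person

    def people(self):
        return list(self._by_match_key.values())


def build_registry():
    reg = PersonRegistry()
    for r in HRMS:
        reg.reconcile("HRMS", r, "emp_id", r["type"])
    for r in SIS:
        reg.reconcile("SIS", r, "student_id", "student")
    for r in GMEIS:
        reg.reconcile("GMEIS", r, "resident_id", "resident")
    return reg


def directory_entries(reg):
    """Enterprise-directory view: permanent ID -> sorted affiliations."""
    return {p.permanent_id: sorted(p.affiliations) for p in reg.people()}


if __name__ == "__main__":
    registry = build_registry()
    for p in registry.people():
        print(p.permanent_id, p.name, p.source_ids, sorted(p.affiliations))
```

The point the registry makes is the one slide 7 states: the identifier is bound once and outlives every local account, so Alice keeps one identity whether HRMS or SIS is the system adding her.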

Identity Management 9 Federal E-Authentication Initiative Levels of assurance (different requirements)
–Level 1 – e.g. no identity vetting
–Level 2 – e.g. specific identity vetting requirements
–Level 3 – e.g. cryptographic tokens required
–Level 4 – e.g. cryptographic hard tokens required
Credential Assessment Framework Suite (CAF)

Identity Management 10 Federated Services: Identity Providers (IdP) & Resource Providers (RP) (diagram)
–Identity Providers (IdP): uth.tmc.edu, utsystem.edu, bcm.edu, mdanderson.org, utmb.edu
–Resource Providers (RP): library.tmc.edu, Blackboard (uth.tmc.edu), GMEIS (uth.tmc.edu)
–Federation Assertion Service, e.g. UT System Fed Public Key Infrastructure

The University of Texas System
Homogeneous
–Share a common Mission
–Same governance body and consistent governance policies
–Same legal requirements
And Also Diverse
–Significant differences in size and budgets
–Significant differences in culture
–Institutions enjoy considerable autonomy
16 “stovepipes”: 16 Institutions
–9 General Academic institutions
–6 Health institutions
–1 System Administration

The University of Texas System Identity Management Federation Foundation Documents
–Federation Charter
–Membership Agreement
–Operating Practices and Procedures
–Membership Operating Practices
–Service Fee Schedule
–System Federation Common Identity Attributes

Identity Management 13

Identity Management 14

Identity Management 15

Identity Management 16

Identity Management 17 Person Cannot Login to Their IdP Authentication Service Potential Problems:
–Does not know which password is being requested. The page must state which service is requesting the username/password pair, e.g. UTEID in the previous example. The login page must also describe a help resource.
–Person typed the password incorrectly. The person is told that “Authentication Failed” and to re-enter his password.

Identity Management 18 Person Authenticated But Unauthorized Potential Problems:
–A statement only that “You Are Not Authorized” leaves an individual from another institution in the dark. Who should the person contact? Someone at their home institution? Someone at the service provider institution?
Solution:
–The error page should provide guidance, e.g. if the service is a Blackboard LMS, a statement like “Contact the course instructor, organizational leader or appropriate registrar’s office to receive authorization for access.”

Identity Management 19 Multiple New Processes and Procedures to be Worked Through How are courses provisioned?
–Manually: a BB administrator adds names and EPPNs (i.e. NetIDs) from lists provided by the sources of authority (SOAs) at relying institutions for the appropriate courses?
–Automatically: the Service Provider application (e.g. Blackboard) obtains authorization attributes from the IdP’s attribute authority and provisions the BB courses with the appropriate student information?
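Slides 9, 17, 18 and 19 each describe one stage of a federated login from the resource provider’s side: whether the IdP authenticated the person at all, whether the asserted assurance level meets the service’s requirement, whether the attributes authorize access, and, when they do, automatic course provisioning from those attributes. The following added example (not code from the slides, the UT System federation or Blackboard) walks one assertion through all four stages and produces the kind of error guidance slide 18 asks for. The attribute names eduPersonPrincipalName, eduPersonAffiliation and eduPersonEntitlement are standard eduPerson names; the service policies, entitlement URN prefix, help-desk strings and sample assertions are constructed.

```python
"""Added example: a relying party's decision pipeline for a federated login.
Policies, entitlement values and contact text are constructed for illustration."""
from dataclasses import dataclass, field


@dataclass
class Assertion:
    idp: str               # asserting IdP, e.g. "uth.tmc.edu"
    eppn: str              # eduPersonPrincipalName, e.g. "alice@uth.tmc.edu"
    affiliations: set      # eduPersonAffiliation values
    entitlements: set      # eduPersonEntitlement values
    assurance_level: int   # E-Authentication level (1-4) the IdP asserts


# Constructed RP policy: minimum assurance level plus the attributes that grant
# access, and the guidance text shown when a person is authenticated but unauthorized.
SERVICE_POLICY = {
    "blackboard": {
        "min_loa": 2,
        "entitlement_prefix": "urn:example:bb:course:",   # constructed URN namespace
        "help": ("Contact the course instructor, organizational leader or "
                 "appropriate registrar's office to receive authorization for access."),
    },
    "gmeis": {
        "min_loa": 3,
        "affiliations": {"resident", "staff"},
        "help": "Contact the GME office at the service provider institution.",
    },
}


@dataclass
class Decision:
    status: str            # "authn_failed", "assurance_too_low", "unauthorized", "granted"
    message: str
    courses: list = field(default_factory=list)


def decide(service, assertion, idp_help_desk):
    """Evaluate one login attempt against the service's policy."""
    policy = SERVICE_POLICY[service]
    if assertion is None:
        # No assertion: the IdP login failed. The message must name the help
        # resource at the home institution, not just say "Authentication Failed".
        return Decision("authn_failed",
                        f"Authentication failed at your home identity provider. Help: {idp_help_desk}")
    if assertion.assurance_level < policy["min_loa"]:
        return Decision("assurance_too_low",
                        f"{service} requires assurance level {policy['min_loa']}; "
                        f"{assertion.idp} asserted level {assertion.assurance_level}. Help: {idp_help_desk}")
    prefix = policy.get("entitlement_prefix")
    if prefix:
        courses = sorted(e[len(prefix):] for e in assertion.entitlements if e.startswith(prefix))
        if courses:
            return Decision("granted", f"Welcome {assertion.eppn}", courses)
    if policy.get("affiliations") and assertion.affiliations & policy["affiliations"]:
        return Decision("granted", f"Welcome {assertion.eppn}")
    # Authenticated but unauthorized: tell the person whom to contact.
    return Decision("unauthorized", f"You are not authorized for {service}. {policy['help']}")


def provision_courses(roster, assertion, decision):
    """Automatic provisioning: enrol the EPPN in every course the IdP's entitlements name."""
    if decision.status != "granted":
        return roster
    for course in decision.courses:
        roster.setdefault(course, set()).add(assertion.eppn)
    return roster


if __name__ == "__main__":
    alice = Assertion("uth.tmc.edu", "alice@uth.tmc.edu", {"student"},
                      {"urn:example:bb:course:BIO101"}, 2)
    d = decide("blackboard", alice, "helpdesk@uth.tmc.edu (constructed)")
    print(d.status, d.message, provision_courses({}, alice, d))
```

Keying provisioning on the IdP’s entitlement attribute rather than on names typed from a list is what lets the relying institution’s source of authority, not the Blackboard administrator, decide who belongs in a course; the RP only has to trust the federation’s assertion service for the attribute’s origin.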