Federated Identity: What It Brings to Open Government Dr Ken Klingenstein Director, Internet2 Middleware and Security.

Topics
- The State of Federated Identity
  - Growth
  - Interfederation
  - The emergence of privacy managers and trust-based transparency
  - The Attribute Ecosystem and the Tao of Attributes
- What it brings to Open Government
  - Consistency of implementations
  - Key constituencies
  - Multiple and flexible LOA
  - Roles
  - Privacy and attributes
  - Collaboration

A bit of background
- Internet identity work began in 2000 in the R&E sector
- Spread quickly into the corporate sector via OASIS standards processes
- Corporate use cases were limited to bilateral relationships
- The R&E sector carried on multilateral federation work
- Created SAML, Shibboleth, InCommon, etc.
- Widespread deployments began, with exponential growth
- Building federations and trust is more work than developing protocols

Growth of Federated Identity
- InCommon continues exponential growth: more than 4M users; 200 major universities, research centers, and companies
- Internationally, growth is even more rapid: 25+ countries representing more than 100M users
- A typical organization (Penn State) does 700,000 transactions a day with trust based on InCommon; this reduces help desk cost by 85%
- Used for financial transactions, scholarly content access, access to national scientific resources, collaboration tools, social networking, etc.

Federation Soup
- Many US federations
  - InCommon at the national R&E level
  - UCTrust, Texas, CIC federation, etc. at the system and association level
  - NCTrust, NJEdge, etc. at comprehensive state levels
- Consistent in policies and technologies; diverse in communities served, standard attributes, etc.

Interfederation
- Connecting autonomous federations
- Critical for global scaling, for accommodating state and local federations, and for integration across vertical sectors
- Has technical, financial and policy dimensions
- An elegant technical solution is being developed in the eduGAIN project of GÉANT
- Policy activities in the Kalmar2 Union, Kantara, TERENA

MDX: metadata exchange protocol
- Institutions and organizations will pick a registrar to give their metadata to
- Institutions and organizations will pick an aggregator (or several) to get their partners' metadata from
- Aggregators exchange metadata with each other and with registrars
- If this sounds like DNS registration and routing, it is, one layer up
- In the land of data, metadata is king; imagine many new kinds of metadata
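The registrar/aggregator split above decides who is allowed to say what an entityID means. The following is an added example, not code from the presentation or from the eduGAIN/MDX project: a toy aggregator that pulls SAML EntityDescriptors from two constructed registrar feeds, drops expired entries, and refuses to let a second registrar overwrite an entityID that another registrar already published. Registrar names, entity IDs and dates are constructed; a real aggregator would also verify each registrar's XML signature, which this toy omits.

```python
"""
Added example, not from the presentation or from the eduGAIN/MDX project:
a toy metadata aggregator in the registrar/aggregator pattern the slide
describes. Registrar names, entity IDs and dates are constructed.
"""
import xml.etree.ElementTree as ET
from datetime import datetime, timezone

MD_NS = "urn:oasis:names:tc:SAML:2.0:metadata"
ET.register_namespace("md", MD_NS)
MD = "{%s}" % MD_NS

# Constructed registrar feeds. Each registrar publishes the EntityDescriptors
# of the organizations that chose it; registrar-b also (wrongly) claims an
# entityID that registrar-a already registered.
REGISTRAR_FEEDS = {
    "registrar-a.example": f"""<md:EntitiesDescriptor xmlns:md="{MD_NS}">
  <md:EntityDescriptor entityID="https://idp.univ-a.example/idp" validUntil="2099-01-01T00:00:00Z">
    <md:IDPSSODescriptor protocolSupportEnumeration="urn:oasis:names:tc:SAML:2.0:protocol"/>
  </md:EntityDescriptor>
  <md:EntityDescriptor entityID="https://sp.library.example/sp" validUntil="2010-01-01T00:00:00Z">
    <md:SPSSODescriptor protocolSupportEnumeration="urn:oasis:names:tc:SAML:2.0:protocol"/>
  </md:EntityDescriptor>
</md:EntitiesDescriptor>""",
    "registrar-b.example": f"""<md:EntitiesDescriptor xmlns:md="{MD_NS}">
  <md:EntityDescriptor entityID="https://idp.univ-b.example/idp" validUntil="2099-01-01T00:00:00Z">
    <md:IDPSSODescriptor protocolSupportEnumeration="urn:oasis:names:tc:SAML:2.0:protocol"/>
  </md:EntityDescriptor>
  <md:EntityDescriptor entityID="https://idp.univ-a.example/idp" validUntil="2099-01-01T00:00:00Z">
    <md:IDPSSODescriptor protocolSupportEnumeration="urn:oasis:names:tc:SAML:2.0:protocol"/>
  </md:EntityDescriptor>
</md:EntitiesDescriptor>""",
}
NOW = datetime(2015, 6, 1, tzinfo=timezone.utc)  # constructed "current time"


def parse_valid_until(value: str) -> datetime:
    """validUntil is an xs:dateTime; this toy accepts only the UTC 'Z' form."""
    return datetime.strptime(value, "%Y-%m-%dT%H:%M:%SZ").replace(tzinfo=timezone.utc)


def aggregate(feeds: dict, now: datetime):
    """Merge registrar feeds into one EntitiesDescriptor.

    Returns (root, owner, rejected): owner maps each accepted entityID to the
    registrar that published it; rejected lists (registrar, entityID, reason).
    The first registrar to publish an entityID owns it; later claims from a
    different registrar are refused rather than silently replacing the entry.
    """
    root = ET.Element(MD + "EntitiesDescriptor", {"Name": "aggregate.example"})
    owner, rejected = {}, []
    for registrar, xml_text in feeds.items():
        for ed in ET.fromstring(xml_text).findall(MD + "EntityDescriptor"):
            entity_id = ed.get("entityID")
            valid_until = ed.get("validUntil")
            if valid_until and parse_valid_until(valid_until) <= now:
                rejected.append((registrar, entity_id, "expired"))
                continue
            if entity_id in owner:
                rejected.append((registrar, entity_id, "already registered by " + owner[entity_id]))
                continue
            owner[entity_id] = registrar
            root.append(ed)
    return root, owner, rejected


def lookup(root, entity_id: str):
    """What a relying party or IdP asks the aggregate: the descriptor for one entityID."""
    for ed in root.findall(MD + "EntityDescriptor"):
        if ed.get("entityID") == entity_id:
            return ed
    return None


if __name__ == "__main__":
    root, owner, rejected = aggregate(REGISTRAR_FEEDS, NOW)
    print(ET.tostring(root, encoding="unicode"))
    for item in rejected:
        print("rejected:", item)
```

The check on ownership is the DNS analogy made concrete: just as a zone cannot be re-delegated by a registrar that does not hold it, an aggregator should not accept a competing descriptor for an entityID from a registrar other than the one on record.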

Trust, Identity and the Internet
- Acknowledges the assumptions of the original protocols about the fine nature of our friends on the Internet, and the subsequent realities
- ISOC initiative to introduce trust- and identity-leveraged capabilities into many RFCs and protocols
- First target area is DKIM; subsequent targets include SIP and firewall traversal (trust-mediated transparency)

The Attribute Ecosystem
- Authentication is very important, but identity is just one of many attributes
- Attributes provide scalable access control, privacy, customization, linked identities, federated roles and more
- We now have our first transport mechanisms to move attributes around: SAML and federations
- There will be many sources of attributes, many consumers of attributes, query languages and other transport mechanisms
- Together, this attribute ecosystem is the "access control" layer of the Internet

Attribute use cases are rapidly emerging
- Disaster "first responders": attributes and qualifications, supplied dynamically
- Access-ability use cases
- Public input processes: anonymous but qualified respondents
- Grid relying parties aggregating VO and campus attributes
- The "IEEE" problem
- The "over legal age" use cases, and the differences in legal ages between jurisdictions
- Self-asserted attributes: friend, interests, preferences, etc.

Key Issues
- Attribute aggregation
- Metadata of attributes, LOA, etc.
- Sources of authority and delegation
- Schema management, mapping, etc.
- User interface
- Privacy and legal issues

The Tao of Attributes workshop 属性之道
- The purpose of the workshop was to start to explore the federal use case requirements for attributes, aggregation, sources of authority, delegation, query languages, etc.
- Participants were the best and brightest: the folks who invented LDAP, SAML, OpenID, etc.
- Webcast at
- Twittered at TAOA

What Federated Identity Delivers
- Consistency of implementations
- Key constituencies
- Roles
- Multiple and flexible LOA
- Privacy and attributes
- Collaboration

Consistency of implementations
- SAML 2.0 is a heavily referenced and widely implemented OASIS standard
- The metadata format (à la Shibboleth) is a standard
- Interoperability among federations is well established

Key constituencies served
- Researchers, graduate students, etc.
- Research administration, management, etc.
- Students, patients, etc.
- Note that coverage in each of these constituencies is 100%: all organizational identities in a federation are federated
- Unaffiliated users and the general public via "homes for the homeless" providers, on a free or paid basis, e.g. UK, Denmark, ProtectNetwork, etc.

Multiple and Flexible LOA
- LOA 1 to 4 all readily available (LOA 1 username/password through LOA 4 with holder of key)
- Federated two-factor authentication (LOA 3) is a VERY powerful concept; work is now starting on approaches, leveraging new NIST standards
- Privacy and secrecy are valuable by-products of the architecture
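The attribute use cases listed earlier (anonymous but qualified respondents, first responders, the over-legal-age case with differing legal ages) and the LOA ladder on this slide meet at the relying party, which has to combine "how strongly was this person authenticated" with "what was asserted about them". The following is an added example, not from the presentation or any federation's software: a small relying-party policy evaluator that ranks the SAML AuthnContextClassRef of an assertion onto LOA 1 to 4 and then applies an attribute predicate, so that a public-comment process can admit a qualified respondent who asserts no name at all, and an incident-command tool can insist on two-factor authentication before looking at any attribute. eduPersonEntitlement is the real eduPerson attribute name; the LOA ranking of context classes, the entitlement URIs, the legal-age table and the resource names are all constructed for this example.

```python
"""
Added example, not from the presentation: a relying-party policy evaluator
that grants access from asserted attributes and the authentication context
rather than from who the user is. The LOA ranking, entitlement URIs,
legal-age table and resource names are constructed.
"""
from dataclasses import dataclass, field
from typing import Callable, Tuple

# Assumed ranking of SAML AuthnContextClassRef values onto LOA 1-4. The first
# two URIs are standard SAML 2.0 context classes; the LOA 3 and LOA 4 URIs are
# placeholders, not registered identifiers.
LOA_OF_CONTEXT = {
    "urn:oasis:names:tc:SAML:2.0:ac:classes:Password": 1,
    "urn:oasis:names:tc:SAML:2.0:ac:classes:PasswordProtectedTransport": 2,
    "urn:example:ac:federated-two-factor": 3,
    "urn:example:ac:holder-of-key": 4,
}

# Constructed legal-age table: the "over legal age" test depends on jurisdiction.
LEGAL_AGE = {"US": 21, "DE": 18, "JP": 20}


@dataclass
class Assertion:
    """The parts of a SAML assertion this evaluator needs."""
    authn_context: str
    attributes: dict = field(default_factory=dict)  # attribute name -> list of values

    def loa(self) -> int:
        # An unknown or missing context class ranks below LOA 1, never above it.
        return LOA_OF_CONTEXT.get(self.authn_context, 0)


@dataclass
class Policy:
    min_loa: int
    satisfied_by: Callable[[dict], bool]


def over_legal_age(attrs: dict) -> bool:
    """Needs only age and jurisdiction; no name or identifier is consulted."""
    try:
        return int(attrs["age"][0]) >= LEGAL_AGE[attrs["jurisdiction"][0]]
    except (KeyError, IndexError, ValueError):
        return False  # missing or malformed attribute is a deny, not an error


def has_entitlement(uri: str) -> Callable[[dict], bool]:
    return lambda attrs: uri in attrs.get("eduPersonEntitlement", [])


POLICIES = {
    # Anonymous but qualified: the respondent's identity is never required.
    "public-comment": Policy(1, has_entitlement("urn:example:entitlement:eligible-respondent")),
    "age-restricted-content": Policy(1, over_legal_age),
    # First responders: the qualification is only trusted behind two-factor authentication.
    "incident-command": Policy(3, has_entitlement("urn:example:entitlement:first-responder")),
}


def decide(resource: str, assertion: Assertion) -> Tuple[bool, str]:
    """Returns (permit, reason). LOA is checked before any attribute is read."""
    policy = POLICIES[resource]
    if assertion.loa() < policy.min_loa:
        return False, f"authentication context gives LOA {assertion.loa()}, need {policy.min_loa}"
    if not policy.satisfied_by(assertion.attributes):
        return False, "required attributes not asserted"
    return True, "attributes satisfy policy"


if __name__ == "__main__":
    respondent = Assertion("urn:oasis:names:tc:SAML:2.0:ac:classes:Password",
                           {"eduPersonEntitlement": ["urn:example:entitlement:eligible-respondent"]})
    print(decide("public-comment", respondent))
    print(decide("age-restricted-content",
                 Assertion("urn:oasis:names:tc:SAML:2.0:ac:classes:PasswordProtectedTransport",
                           {"age": ["19"], "jurisdiction": ["US"]})))
```

Two design points are worth noting. The LOA comparison happens before any attribute is examined, so a relying party never acts on a high-value attribute that arrived under a weak authentication; and every predicate is written to fail closed on a missing, empty or malformed attribute, which is the usual failure mode when a source of authority changes schema.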

LOA and applications

Roles
- Scaling is based on roles, not identity
- Roles are flexible and dynamic: PI, admin, collabmin, etc.
- Roles provide opportunities to offload administrative burdens from NIH in tracking changes
- Audit controls are provided by the institution

Privacy and attributes
- Attributes are the real win: for fine-grain access control, for privacy, for secrecy
- Permit access control decisions to be made at the relying party or at the identity provider (entitlements)
- Can deliver identity, opaque identifiers, non-correlating identifiers, etc.
- EU guidelines on privacy are more nuanced than those in the US
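The second and third bullets describe the identity provider's two privacy tools: deciding at the IdP and releasing only an entitlement, and handing each relying party an identifier that cannot be correlated with the one another relying party holds. The following is an added example, not code from the presentation or any federation's software, showing both: a keyed hash over (internal user id, relying-party entityID) yields a stable but unlinkable identifier in the spirit of SAML persistent NameIDs and eduPersonTargetedID, and a release policy defaults to disclosing nothing beyond that identifier and IdP-computed entitlements. The secret, user record, entity IDs, entitlement URIs and release rules are constructed.

```python
"""
Added example, not from the presentation or any federation's software: an
identity provider issuing non-correlating per-relying-party identifiers and
IdP-side entitlements. Secret, users, entity IDs and release rules are
constructed.
"""
import base64
import hashlib
import hmac

# Per-IdP secret (constructed). Rotating it changes every pairwise identifier
# at once, so real deployments guard it like a signing key.
PAIRWISE_SECRET = b"constructed-pairwise-secret-not-for-production"

# Constructed user store: internal identifier and attributes held at the IdP.
USERS = {
    "u100234": {
        "displayName": "Jane Doe",
        "eduPersonAffiliation": ["member", "staff"],
        "department": "library",
    },
}

# Constructed attribute release policy: raw attributes a given relying party
# may see. Any relying party not listed gets only the pairwise identifier and
# entitlements (minimal disclosure by default).
RELEASE_POLICY = {
    "https://hr.univ.example/sp": ["displayName", "eduPersonAffiliation"],
}


def pairwise_id(internal_id: str, sp_entity_id: str, secret: bytes = PAIRWISE_SECRET) -> str:
    """Opaque and stable for one (user, relying party) pair.

    Two relying parties receive different values for the same user, and
    without the secret neither can test whether its value belongs to the
    user behind the other's value.
    """
    message = f"{internal_id}!{sp_entity_id}".encode()
    digest = hmac.new(secret, message, hashlib.sha256).digest()
    return base64.urlsafe_b64encode(digest[:20]).decode().rstrip("=")


def entitlements_for(internal_id: str) -> list:
    """Access decisions made at the IdP and expressed as entitlement URIs.

    The relying party learns that the user qualifies, not why; the
    affiliation and department behind the decision stay at the IdP.
    """
    user = USERS[internal_id]
    entitlements = []
    if "staff" in user["eduPersonAffiliation"]:
        entitlements.append("urn:example:entitlement:staff-services")  # constructed URI
    if user["department"] == "library":
        entitlements.append("urn:example:entitlement:catalog-admin")  # constructed URI
    return entitlements


def attribute_statement(internal_id: str, sp_entity_id: str) -> dict:
    """What the IdP releases to one relying party for one user."""
    statement = {
        "eduPersonTargetedID": pairwise_id(internal_id, sp_entity_id),
        "eduPersonEntitlement": entitlements_for(internal_id),
    }
    for name in RELEASE_POLICY.get(sp_entity_id, []):
        statement[name] = USERS[internal_id][name]
    return statement


if __name__ == "__main__":
    for sp in ("https://journals.example/sp", "https://forum.example/sp", "https://hr.univ.example/sp"):
        print(sp, attribute_statement("u100234", sp))
```

The identifier is deliberately derived rather than stored so the IdP needs no per-relying-party table, at the cost that the secret becomes the correlation key: whoever holds it can link a user across relying parties, which is exactly the capability the design is meant to withhold from everyone else.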

Collaborations and Virtual Organizations
- IdM is a critical dimension of collaboration, crossing many applications and user communities
- Virtual organizations represent critical communities of researchers sharing domain resources and applications as well as general collaboration tools
- Providing a unified identity management platform for collaboration is essential in a multi-domain, multi-tool world
- Lots of activities in domesticating applications to work in a federated world, moving from tool-based identity to collaboration-centric identity