Social Identity Working Group Steve Carmody. Agenda Intro to Using Social Accounts Status and Recent News –Current UT Pilot –Current InCommon Pilot with.

Presentation transcript:

Social Identity Working Group Steve Carmody

Agenda
Intro to Using Social Accounts
Status and Recent News
  – Current UT Pilot
  – Current InCommon Pilot with Cirrus Identity
Review, Develop Consensus on Common Requirements
Next Steps
Campuses Working With Cirrus

Topics
Some History
Use Cases
Requirements
Why
How
Status

Some History
Early work in Europe by Andreas Solberg and Roland Hedberg
InCommon TAC forms Social Identity Working group
Some campuses deploy local solutions (e.g. CMU)

Some History
Pilot Gateway available since Fall 2012
  – Operated by Paul Caskey, UT
  – NO SLA!
  – This Pilot will end!
InCommon Pilot underway
  – Gateway provided and operated by Cirrus Identity
  – Can be used to access I2 Spaces Wiki and InCommon Federation Manager App
  – Currently only supports Google

Use Cases
We’re used to working with identities vetted and issued by our campus and other campuses
But, we already work with people from outside those Communities
  – Applicants
  – Parents
  – Continuing Education/MOOCs
Other areas showing interest in working with people outside the traditional communities
  – Courses: additional speakers from the community
  – Research: partners at campuses that are not Shibboleth-enabled

Use Cases
Up until now, campuses have been issuing campus identities to of these people
However, all of those people have identities at one of the social/personal providers
  – Google, Yahoo, Facebook, etc.
In some circumstances, this approach may be preferable to issuing campus identities to those people
However, there is NO guarantee about who is using a social account … there is the same issue for a campus identity issued to someone with only a loose, remote connection to the campus

Requirements
An SP can be accessed by people with either Federated or Social Identities
Provide application owners with a single authN/Z Framework for both types of Identities
Provide info to the application about the user with a single interface, regardless of Identity type
Application owner can choose which Social Identity providers to allow
Process for the browser user is uncomplicated

How Does it Work?
Looks like an IdP to the SP
Looks like a single SP/app to external services
Designed to be as simple and transparent as possible for Application Owners to use
As easy as possible for users to use and understand

How Does it Work?
Web-based authentication gateway
Translates authentication responses from popular “social” ID services into regular SAML 2 Assertions (consumable by Shibboleth)
Downstream applications receive SAML Assertions (which may have been generated by the S2S Gateway)

Attributes
Maps attributes (if released by service/user)
  – givenName
  – sn
  – mail
  – uid
Generated attributes
  – eduPersonPrincipalName
  – eduPersonTargetedID (as a SAML 2 NameID)
  – displayName
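
The mapping on the Attributes slide, sketched as an added example; it is not code from the presentation, the UT pilot or Cirrus Identity. The per-provider claim names, the scope, the secret and the HMAC-based derivation of the two generated identifiers are assumptions made for illustration.

```python
import hashlib
import hmac

# Assumptions for illustration: claim names per provider, the scope and the secret.
CLAIM_NAMES = {
    "google": {"uid": "sub", "givenName": "given_name", "sn": "family_name", "mail": "email"},
    "yahoo": {"uid": "guid", "givenName": "first", "sn": "last", "mail": "email"},
}
GATEWAY_SCOPE = "social-gateway.example"
GATEWAY_SECRET = b"constructed-demo-secret"


def _opaque(*parts: str) -> str:
    """Keyed hash, so identifiers cannot be recomputed or linked without the secret."""
    msg = "\x00".join(parts).encode("utf-8")
    return hmac.new(GATEWAY_SECRET, msg, hashlib.sha256).hexdigest()[:32]


def map_attributes(provider: str, claims: dict, sp_entity_id: str) -> dict:
    """Build the attribute set a gateway could assert to one SP."""
    names = CLAIM_NAMES.get(provider)
    if names is None:
        raise ValueError(f"provider not allowed: {provider}")
    subject = str(claims.get(names["uid"]) or "").strip()
    if not subject:
        raise ValueError("provider response carries no stable subject identifier")

    attrs = {"uid": subject}
    # Mapped attributes: copied only if the service/user released them.
    for saml_name in ("givenName", "sn", "mail"):
        value = str(claims.get(names[saml_name]) or "").strip()
        if value:
            attrs[saml_name] = value

    # Generated attributes. ePPN is scoped to the gateway and provider, never to a
    # campus scope, so an SP can tell a social identity from a vetted campus one.
    local = _opaque(provider, subject)
    attrs["eduPersonPrincipalName"] = f"{local}@{provider}.{GATEWAY_SCOPE}"
    # The targeted ID also binds the SP, so two SPs cannot correlate the same user.
    attrs["eduPersonTargetedID"] = _opaque(provider, subject, sp_entity_id)
    full_name = " ".join(attrs[k] for k in ("givenName", "sn") if k in attrs)
    if full_name or "mail" in attrs:
        attrs["displayName"] = full_name or attrs["mail"]
    return attrs
```

Deriving the identifiers from the provider's subject value rather than from the e-mail address keeps them stable if the address changes or is reassigned.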

User Experience
[Slides 12–14: screenshots, not included in the transcript]

What We’ve Learned
Works great for guest authentication
Typical use is “pick and choose” among the external Identity Providers
Very powerful when combined with invitation service (e.g. MACE Grouper)

Issues
Consent screen at Social Providers asks user to release attributes to the Gateway, not the SP
Each Social Provider provides different attributes
Many applications want to leverage an invitation service (e.g. MACE Grouper includes one)
Should a locally run Gateway instance integrate with the local Person Registry, and register different providers/accounts for each person?

Status
Next Phase
  – Looking to work with campuses to develop use cases and requirements during Summer 2013
  – Campus participants being identified (raise your hand if interested!)
  – Hope to have service available to InCommon members for Fall

Social Identity Working Group
Info available at: –
List
Bi-weekly conference calls

Questions?

Cirrus Identity Social Gateway Service May 2013

Overview of Gateway Service

Phase 1 – InCommon/Internet2 SPs
Beta gateway service for InCommon Federation Manager app and Internet2 spaces (you can try it now)
Limited scope for initial offering
  – Supports Google OpenID 2.0
  – Metadata exchange with the SPs (no decision on social IdPs in InCommon metadata)
Cirrus Identity working with InCommon to move beta gateway to a production service for those 2 SPs

Phase 2 – Higher Ed Gateway Offering
Cirrus Identity working with a small set of early adopter campuses on common core requirements
The gateway service will be built on existing open source software (SimpleSAMLphp) and new open source software developed by Cirrus Identity
By sometime this fall, Cirrus Identity hopes to have code and service available
InCommon and Cirrus Identity currently evaluating business and support models

Some Key Questions
Which social IdPs should be supported in the service?
How will Gateway Manager admins be authorized?
How are social identities handled in InCommon metadata and what are the options for discovery?
What are the requirements for a basic invitation service and how will social identities registered to a specific campus or SP be exposed to a campus IDMS?

Early Adopters
The InCommon social identities workgroup has identified a handful of early adopter campuses
If you are interested, contact Steven Carmody or Keith Hazelton, chairs of the social identities workgroup