Presentation is loading. Please wait.

Presentation is loading. Please wait.

SWITCHaai Team Federated Identity Management.

Published byAlban Sullivan Modified over 8 years ago

Similar presentations

Presentation on theme: "SWITCHaai Team Federated Identity Management."— Presentation transcript:

1 SWITCHaai Team aai@switch.ch Federated Identity Management

2 © 2012 SWITCH Agenda What is Federated Identity Management? What is a Federation? The SWITCHaai Federation Interfederation 2

3 © 2012 SWITCH Evolution of Identity Management Stone Age Application maintains unique credential and identity information for each user Bronze Age Credentials are centralized (e.g. Kerberos, LDAP) but applications maintain all user identity information Iron Age Credentials and core identity information is centralized and application maintains only app-specific user data 3

4 © 2012 SWITCH Federated Identity Current mechanisms assume applications are within the same administrative domain Adding a user from outside means creating an account within your IdM system. This could result in the new user having access to more than just the intended application. Federated Identity Management (FIM) securely shares information managed at a users home organization with remote services. Within FIM systems it doesn’t matter if the service is in your administrative domain or another. It’s all handled the same. 4

5 © 2012 SWITCH Federated Identity In Federated Identity Management: Identity Providers (IdP) publish authentication and identity information about users Service Providers (SP) consume this information and make it available to an application An IdP or SP is generically known as an entity The first principle within federated identity management is the active protection of user information Protect the user’s credentials only the IdP ever handles the credential Protect the user’s identity information, including identifier customized set of information released to each SP 5

6 © 2012 SWITCH What does it do for me? Reduces work Authentication-related calls to Penn State University’s helpdesk dropped by 85% after they installed Shibboleth Provides current data Studies of applications that maintain user data show that the majority of data is out of date. Are you “protecting” your app with stale data? Insulation from service compromises In FIM data is pushed to services as needed. If those services are compromised the attacker can’t get everyone’s data. Minimize attack surface area Only the IdP needs to be able to contact user data stores. All effort can be focused on securing this one connection instead of one (more) connection per service. 6

7 © 2012 SWITCH Some other gains Users generally find the resulting single sign-on experience to be nicer than logging in numerous times. Usability-focused individuals like that the authentication process is consistent regardless of the service accessed. A properly maintained federation drastically simplifies the process of integrating new services. 7

8 © 2012 SWITCH What is a Federation? A group of organizations running IdPs and SPs that agree on a common set of rules and standards It’s a label for people to talk about such a collection of organizations An organization may belong to more than one federation at a time The grouping can be on a regional level (e.g. SWITCHaai) or on a smaller scale (e.g. large campus) IdPs and SPs ‘know’ nothing about federations 8

9 © 2012 SWITCH What are these rules of which you speak? Technical Interoperability Supported protocols User authentication mechanisms User attribute specifications Accepted X.509 certificates Legal Interoperability Membership agreement/contract Federation operation policies Requirements on identity management practices Others Common/best operational practices 9 http://switch.ch/aai/bcp

10 © 2012 SWITCH What does a Federation do? At a minimum a federation maintains the list of which IdPs and SPs are in the federation Most federations also define agreements, rules, and policies provide some user support (documentation, email list, etc.) operate a central discovery service and test infrastructure Some federations provide self-service tools for managing IdP and SP data install IdPs and SPs for members provide application integration support host or help with outsourced IdPs provide tools for managing “guest” users develop custom tools for the community 10

11 © 2012 SWITCH Federation Metadata An XML document that describes every federation entity Contains Unique identifier for each entity known as the entityID Endpoints where each entity can be contacted Certificates used for signing and encrypting data May contain Organization and person contact information Information about which attributes an SP wants/needs Metadata is usually distributed by a public HTTP URL The metadata should be digitally signed Bilateral metadata exchange scales very badly Metadata must be kept up to date so that New entities can work with existing ones Old, or revoked, entities are blocked 11 http://switch.ch/aai/metadata

12 © 2012 SWITCH SWITCHaai: An Example Federation (1) SWITCH consults with two bodies Advisory Committee deals with policies and legal framework Community Group deals with technical/operational issues Two classes of SWITCHaai Participants SWITCH Community Organization fits the definition from the SWITCH Service Regulations Federation Partner Organization sponsored by a SWITCHaai Participant from the SWITCH Community 12 http://switch.ch/aai/about/federation/

13 © 2012 SWITCH SWITCHaai: An Example Federation (2) SWITCH operates the SWITCHaai Federation AAI is a Basic Service for the SWITCH Community 13

14 © 2012 SWITCH SWITCHaai: Rules, Policies, & Agreements SWITCHaai Service Description (includes the Policy) concepts and rules for all entities in the federation Federation Partner Agreement legal contract between SWITCH and federation partner Certificate Acceptance Policy policy certificates accepted by the federation AAI Attribute Specification minimum set of core and optional attributes supported by federation entities 14

15 © 2012 SWITCH SWITCHaai: The Legal Framework Federal Law, Cantonal Law (e.g. data protection) SWITCHaai Service Description (includes Policy) Service Regulations Federation Partners Org n SWITCH Community Federation Partner Agreement & GTC Org 1 User Regulations Org 2 User Regulations Org... User Regulations SWITCH 15

16 © 2012 SWITCH SWITCHaai: Services Provided Rules, policies and agreements Documentation: installation/migrations guides, HowTos Call-in helpdesk and support mailing list Centralized Services Discovery Service Resource Registry (metadata management) Virtual Home Organization (VHO) Attribute Viewer Group Management Tool uApprove Shibboleth IdP plugin Test federation Some application integration support Training 16

17 © 2012 SWITCH SWITCHaai: Status Spring 2012 # AAI enabled accounts # Resources # Home Organizations 98% coverage in higher education 17

18 © 2012 SWITCH Interfederation Users get access to services registered only in other federations eduGAIN is the Interfederation Service of GÉANT Rules and Guidelines regarding international data protection are still under debate 18 http://edugain.org

19 © 2012 SWITCH Interfederation (2) 19 http://switch.ch/aai/interfederation

Download ppt "SWITCHaai Team Federated Identity Management."

Similar presentations

Lousy Introduction into SWITCHaai

Lousy Introduction into SWITCHaai
EGI-InSPIRE RI-261323 EGI-InSPIRE EGI-InSPIRE RI-261323 AAI in EGI Status and Evolution Peter Solagna Senior Operations Manager

EGI-InSPIRE RI EGI-InSPIRE EGI-InSPIRE RI AAI in EGI Status and Evolution Peter Solagna Senior Operations Manager
Innovation through participation eduGAIN federation operator training eduGAIN interfederation service 2011-10-17/18 Valter Nordh, NORDUnet / GU 1.

Innovation through participation eduGAIN federation operator training eduGAIN interfederation service /18 Valter Nordh, NORDUnet / GU 1.
1 Leveraging Your Existing Campus Systems to Access Resource Partners: Federated Identity Management and Tales of Campus Participation EDUCAUSE 2006 October.

1 Leveraging Your Existing Campus Systems to Access Resource Partners: Federated Identity Management and Tales of Campus Participation EDUCAUSE 2006 October.
Innovation through participation eduGAIN federation operator training Operations Team, OT, how to join eduGAIN 2011-10-17/18 Valter Nordh, NORDUnet / GU.

Innovation through participation eduGAIN federation operator training Operations Team, OT, how to join eduGAIN /18 Valter Nordh, NORDUnet / GU.
Innovation through participation GÉANT Data Protection Code of Conduct (DP CoC) 21.6.2012 FIM for research collaboration workshop Mikael Linden,

Innovation through participation GÉANT Data Protection Code of Conduct (DP CoC) FIM for research collaboration workshop Mikael Linden,
Innovation through participation Attributes Release Working Group European data protection directive REFEDS meeting 22th Apr, 2012

Innovation through participation Attributes Release Working Group European data protection directive REFEDS meeting 22th Apr, 2012
2006 © SWITCH Authentication and Authorization Infrastructures in e-Science (and the role of NRENs) Christoph Witzig SWITCH e-IRG, Helsinki, Oct 4, 2006.

2006 © SWITCH Authentication and Authorization Infrastructures in e-Science (and the role of NRENs) Christoph Witzig SWITCH e-IRG, Helsinki, Oct 4, 2006.
Copyright JNT Association 20051Optional www.ukfederation.org.uk Copyright JNT Association 2007 1 Joining the UK Access Management Federation 4th April.

Copyright JNT Association 20051Optional Copyright JNT Association Joining the UK Access Management Federation 4th April.
1 Issues in federated identity management Sandy Shaw EDINA IASSIST 24-27 May 2005, Edinburgh.

1 Issues in federated identity management Sandy Shaw EDINA IASSIST May 2005, Edinburgh.
David L. Wasley Information Resources & Communications Office of the President University of California Directories and PKI Basic Components of Middleware.

David L. Wasley Information Resources & Communications Office of the President University of California Directories and PKI Basic Components of Middleware.
Dorian Grid Identity Management and Federation Dialogue Workshop II Edinburgh, Scotland February 9-10, 2006 Stephen Langella Department.

Dorian Grid Identity Management and Federation Dialogue Workshop II Edinburgh, Scotland February 9-10, 2006 Stephen Langella Department.
Agenda Project beginnings and funding. Purpose of the federation. Federation members. Federation protocols. Special features in our federation. Pilot.

Agenda Project beginnings and funding. Purpose of the federation. Federation members. Federation protocols. Special features in our federation. Pilot.
Copyright JNT Association 20051OptionalCopyright JNT Association 2007 Overview of the UK Access Management Federation Josh Howlett.

Copyright JNT Association 20051OptionalCopyright JNT Association 2007 Overview of the UK Access Management Federation Josh Howlett.
(Rev 1/11) UW System Identity and Access Management (IAM) Current Status and Roadmap Tom Jordan, IAM-TAG Chair Ty Letto, IAM Support Team Manager January,

(Rev 1/11) UW System Identity and Access Management (IAM) Current Status and Roadmap Tom Jordan, IAM-TAG Chair Ty Letto, IAM Support Team Manager January,
Credential Provider Operational Practices Statement CAMP Shibboleth June 29, 2004 David Wasley.

Credential Provider Operational Practices Statement CAMP Shibboleth June 29, 2004 David Wasley.
Copyright © The OWASP Foundation Permission is granted to copy, distribute and/or modify this document under the terms of the OWASP License. The OWASP.

Copyright © The OWASP Foundation Permission is granted to copy, distribute and/or modify this document under the terms of the OWASP License. The OWASP.
AAF Middleware update February16 2012 Presented by Terry Smith Technical Manager and Heath Marks Manager.

AAF Middleware update February Presented by Terry Smith Technical Manager and Heath Marks Manager.
SWITCHaai Team Introduction to Shibboleth.

SWITCHaai Team Introduction to Shibboleth.
EuroPKI 2008 Manuel Sánchez Óscar Cánovas Gabriel López Antonio F. Gómez Skarmeta University of Murcia Levels of Assurance and Reauthentication in Federated.

EuroPKI 2008 Manuel Sánchez Óscar Cánovas Gabriel López Antonio F. Gómez Skarmeta University of Murcia Levels of Assurance and Reauthentication in Federated.

Similar presentations

Ads by Google