1. Federated Identity: What It Brings to Open Government Dr Ken Klingenstein Director, Internet2 Middleware and Security

2. kjk@internet2.edu Topics The State of Federated Identity Growth Interfederation The emergence of privacy managers and trust-based transparency The Attribute Ecosystem and the Tao of Attributes What it brings to Open Government Consistency of implementations Key constituencies Multiple and flexible LOA Roles Privacy and attributes Collaboration

3. kjk@internet2.edu A bit of background Internet identity work began in 2000 in the R&E sector Spread quickly into corporate sector via OASIS standards processes Corporate use cases limited to bi-lateral relationships R&E sector carried on multi-lateral federation work Created SAML, Shibboleth, InCommon, etc Widespread deployments began 2004-5 with exponential growth Building federations and trust more work than developing protocols

4. kjk@internet2.edu Growth of Federated Identity InCommon continues exponential growth, greater than 4M users, 200 major universities, research centers, and companies Internationally, growth is even more rapid; 25+ countries representing > 100M users Typical organization (Penn State) does 700,000 transactions a day with trust based on InCommon; reduces help desk cost by 85% Used for financial transactions, scholarly content access, access to national scientific resources, collaboration tools, social networking, etc.

5. kjk@internet2.edu Federation Soup Many US federations InCommon at the national R&E level UCTrust, Texas, CIC federation, etc at system and association level NCTrust, NJEdge, etc at comprehensive state levels Consistency in policies, technologies; diverse in communities served, standard attributes, etc.

6. kjk@internet2.edu Interfederation Connecting autonomous federations Critical for global scaling, accommodating state and local federations, integration across vertical sectors Has technical, financial and policy dimensions Elegant technical solution being developed in the eduGAIN project of Geant Policy activities in Kalmar2 Union, Kantara, Terena

7. kjk@internet2.edu MDX – metadata exchange protocol Institutions and organizations will pick a registrar to give their metadata to Institutions and organizations will pick an aggregator (or several) to get their partners metadata from Aggregators exchange metadata with each other and registrars If this sounds like DNS registration and routing, it is, one layer up In the land of data, metadata is king; imagine many new kinds of metadata

8. kjk@internet2.edu

9. Trust, Identity and the Internet Acknowledges the assumptions of the original protocols about the fine nature of our friends on the Internet and the subsequent realities http://www.isoc.org/isoc/mission/initiative/trust.shtml ISOC initiative to introduce trust and identity-leveraged capabilities to many RFC’s and protocols First target area is DKIM; subsequent targets include SIP and firewall traversal (trust-mediated transparency)

10. kjk@internet2.edu The Attribute Ecosystem Authentication is very important, but identity is just one of many attributes And attributes provide scalable access control, privacy, customization, linked identities, federated roles and more We now have our first transport mechanisms to move attributes around – SAML and federations There will be many sources of attributes, many consumers of attributes, query languages and other transport mechanisms Together, this attribute ecosystem is the “access control” layer of the Internet

11. kjk@internet2.edu Attribute use cases are rapidly emerging Disaster “first responders” attributes and qualifications dynamically Access-ability use cases Public input processes – anonymous but qualified respondents Grid relying parties aggregating VO and campus attributes The “IEEE” problem The “over legal age” and the difference in legal ages use cases Self-asserted attributes – friend, interests, preferences, etc

12. kjk@internet2.edu Key Issues Attribute aggregation Metadata of attributes, LOA, etc Sources of authority and delegation Schema management, mapping, etc User interface Privacy and legal issues

13. kjk@internet2.edu The Tao of Attributes workshop 属性之道 Purpose of workshop was to start to explore the federal use case requirements for attributes, aggregation, sources of authority, delegation, query languages, etc. Participants were the best and brightest – the folks who invented LDAP, SAML, OpenId, etc. Webcast at http://videocast.nih.gov/PastEvents.asp Twittered at TAOA http://middleware.internet2.edu/tao-of-attributes/

14. kjk@internet2.edu What Federated Identity Delivers Consistency of implementations Key constituencies Roles Multiple and flexible LOA Privacy and attributes Collaboration

15. kjk@internet2.edu Consistency of implementations SAML 2.0 is a heavily-referenced and widely implemented OASIS standard Metadata format (ala Shibboleth) is a standard Interoperability among federations is well- established

16. kjk@internet2.edu Key constituencies served Researchers, graduate students, etc Research administration, management, etc Students, patients, etc Note that coverage in each of these constituencies is 100% - all organizational identities in a federation are federated Unaffiliated and general public via “homes for the homeless” providers, on a free or paid basis – eg UK, Denmark, ProtectNetwork, etc

17. kjk@internet2.edu Multiple and Flexible LOA LOA 1 – 4 all readily available (LOA 1 username/password to LOA 4 with holder of key) Federated two factor authentication (LOA 3) a VERY powerful concept; work now starting on approaches, leveraging new NIST standards Privacy and secrecy valuable by-products of the architecture

18. kjk@internet2.edu LOA and applications

19. kjk@internet2.edu Roles Scaling is based on roles, not identity Roles are flexible and dynamic – PI, admin, collabmin, etc Roles provide opportunities to offload NIH of administrative burdens in tracking changes Audit controls provided by institution

20. kjk@internet2.edu Privacy and attributes Attributes are the real win – for fine-grain access control, for privacy, for secrecy Permit access control decisions to be made at relying party or at identity provider (entitlements) Can deliver identity, opaque identifiers, non- correlating identifiers, etc EU guidelines on privacy are more nuanced than the US

21. kjk@internet2.edu Collaborations and Virtual Organizations IdM is a critical dimension of collaboration, crossing many applications and user communities Virtual organizations represent critical communities of researchers sharing domain resources and applications as well as general collaboration tools. Providing a unified identity management platform for collaboration is essential in a multi-domain, multi-tool world. Lots of activities in domesticating applications to work in a federated world, moving from tool-based identity to collaboration-centric identity.