
Identity Federations: Here and Now Renée Shuey Penn State and InCommon.


1 Identity Federations: Here and Now
Renée Shuey, Penn State and InCommon

2 Agenda
- The need for Federations in Higher Ed.
- Federation Overview
- Federating Software: Shibboleth
- InCommon: the US Higher Ed federation
- Other Federations: Europe and the U.S. government's eAuthentication federation
- Penn State federation use cases
- Q&A

3 The Problem for Higher Education
- Increasing collaboration
- Mandates for increased research consortia
- Increasing number of on-line resources
- Access management complexities for resource providers
- Usability: account management
- Current Federal and State laws (e.g., FERPA, HIPAA, Gramm-Leach-Bliley Act)

4 The Opportunity for Higher Education
- Simplified usability for all collaborations
- Home organizations carefully manage the release of personal information
- On-line resource providers focus on the protection and authorization of use of their on-line resources

5 The Rising Call for Better On-line Collaboration
- Instructors sharing course materials through learning partnerships
- Researchers coordinating remote instruments and data gathering
- Growing on-line collections
- Increasing diversity of content providers
- eCommerce partnering in Higher Ed (software, music, etc.)
- Institutions working with outsourced learning management systems for course hosting, grading, scheduling, testing
- Network security monitoring
- Visiting scholar access rights with peer institutions
- Federal Government resources and administration: financial aid, grant submissions, etc.

6 Federations
Otherwise independent entities that give up a certain degree of autonomy in order to achieve a common set of goals. Working together requires:
- A common way to express meaning
- Agreed-upon ways to convey information
- Acceptable governance and trust models

7 Identity Federations
- Enroll, authenticate and attribute locally... act federally
- The IdP provides the trustworthy identity information that Resource Providers need as part of their access management decision
- Trust is established through the Federation Operator by means of standards, rules, and participation agreements

8 Federations and Trust
- Requires common IdP and RP practices
- Federation governance roles include establishing the rules and overseeing adherence (e.g., audits)
- Degrees of trust may be inherent/useful; allows flexibility in IdP and RP services
- What happens when trust is violated? Liability and indemnification

9 Not all Federations are the same...
- Identity federations may have different rules or constraints on identity release (for example in Europe...)
- Some may choose to offer on-line services as well, or hold contracts for resources on behalf of members
- Some are for specific business purposes or industries, etc.

10 (diagram slide; no transcript text)

11 With InCommon: the home organization manages accounts and the release of personal information

12 InCommon Federation
- Created to support Higher Education and its research and business partners
- Federation operator is an LLC formed by Internet2
- Builds on existing campus identity management and single sign-on systems
- Makes use of industry standards and open-source federating software, Shibboleth

13 Shibboleth
- The Shibboleth software implements the OASIS SAML v1.1 specification, providing a federated single sign-on and attribute exchange framework. shibboleth.internet2.edu
- Built on OpenSAML, also created by the Internet2 community: OpenSAML is a set of open-source libraries in Java and C++ which can be used to build, transport, and parse SAML messages. www.opensaml.org

14 (diagram slide; no transcript text)

15 InCommon Participation Requirements
- Common identity attributes
- Software Guidelines: www.incommonfederation.org/ops/softguide.html
- Transparency of Policy and Practices: POP (Participant Operational Practices)
- Participation Agreement: minimal "bar" to entry; limited liability, no indemnification; general liability insurance; modest annual fee

16 InCommon's Governance & Committees
Steering Committee:
- Tracy Mitrano, Cornell – Chair
- Jerry Campbell, University of Southern California – Vice Chair
- Christopher Crowhurst, Thomson Learning
- Clair Goldsmith, University of Texas System
- Ken Klingenstein, Internet2
- Mark Luker, Educause
- Peggy Plympton, Lehigh University
- Carrie Regenstein, Carnegie Mellon University
- Gene Spencer, Bucknell University
- Mike Teets, OCLC
Technical Advisory Committee:
- RL "Bob" Morgan, University of Washington – Co-Chair
- Renee Shuey, Penn State – Co-Chair
- Tom Barton, University of Chicago
- Scott Cantor, The Ohio State University
- Steven Carmody, Brown University
- Keith Hazelton, University of Wisconsin - Madison
- Walter Hoehn, University of Memphis
- Ken Klingenstein, InCommon Steering Committee
- Mike LaHaye, Internet2
- David Wasley, retired (U. Calif.)

17 Current InCommon Participants: 27
- Case Western Reserve University
- Cornell University
- Dartmouth
- *Elsevier ScienceDirect
- Georgetown University
- *HAM - Texas Medical Center Library
- *Internet2
- Miami University
- *Napster, LLC
- *OCLC
- Ohio University
- *OhioLink - The Ohio Library & Information Network
- Penn State
- SUNY Buffalo
- The Ohio State University
- The University of Chicago
- *Turn It In
- University of Alabama at Birmingham
- University of California, Irvine
- University of California, Los Angeles
- University of California, Office of the President
- University of California, San Diego
- University of Rochester
- University of Southern California
- University of Virginia
- University of Washington
- *WebAssign
* Sponsored Participant

18 Federations using Shibboleth in Europe
- Established national Federations: Finland (HAKA), Switzerland (SWITCHaai)
- National Federations getting ready: United Kingdom; Denmark, Germany, Sweden (SWIF)
- REFEDS – Research and Education Federations, toward federating federations: http://www.terena.nl/activities/refeds/

19 eAuthentication Federation (EAF)
- For all Federal agency outward-facing applications
- 24 agencies: USDA, NIH, DOEd, NSF, etc.
- Over 600 applications
- Members are Federal agencies and Credential Service Providers
- Many of the applications are of interest to Higher Education

20 EAF Organization (organization chart; box labels only)
EAF Executive; Business & Legal Rules; FPKI Cert Policies; Fed PKI OA; XCert and MOA; Interop Lab; SAML Spec.; CAF; Policy; Operations; Providers; FPKIPA

21 Components of EAF
Organized around Assurance Levels:
- Levels 1, 2: for assertion-based credentials. Local authentication followed by an identity message to the agency application. Business and legal rules imposed on applications and Credential Providers alike.
- Levels 3, 4: for cryptography-based credentials; PKI predominates. Serviced by the Federal PKI Policy Authority and the Federal PKI Operational Authority.
- Major growth area for Federal apps in the first round

22 Linking Federations
How can federations interoperate?
- Information models must be compatible; conversion may be difficult
- Communication protocols: gateways are hard and may break trust models
- Governance and trust models must be equivalent at some level

23 Governance & Linking Federations
- Governance sets community standards; may need to enhance or redefine somewhat
- Must uphold the inter-federation agreement; responsible for trust between federations
- May require a stronger role within the federation
- May affect existing participation agreements; may incur new liabilities, etc.
- Federation services might not interoperate

24 Linking InCommon and eAuthentication
- Higher Ed is an important community for many Federal agency applications
- Both have federations in place
- Have been working together for > 1 year
- Compatible technology
- Similar identity attributes: InCommon has a richer set; InCommon includes privacy protections

25 Linking InCommon and eAuthentication
- Trust issues: eAuth defines 4 levels of identity assurance; InCommon currently allows 'best effort' and will need to define at least one compatible LOA
- Privacy
- Operational issues: will need to include LOA in identity assertions; will need to tag metadata, etc.
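The exchange that slides 7, 11, 13 and 25 describe (home organization authenticates and decides what to release; the RP trusts only IdPs that federation metadata vouches for; the assertion carries an LOA that the RP checks against both its own requirement and what the federation has assessed the IdP for) can be sketched in code. The following Python is an added example, not code from the presentation, Shibboleth, InCommon or eAuthentication. Every entity ID, attribute, key and the `loa` attribute name are constructed assumptions, and an HMAC over the serialized XML stands in for the XML Signature a real Shibboleth IdP would apply; only the SAML 1.1 element names are taken from the specification.

```python
"""Toy IdP/RP exchange in SAML 1.1-style XML (added example; all IDs, keys and
attribute names are constructed; HMAC stands in for XML Signature)."""
import hashlib
import hmac
import xml.etree.ElementTree as ET
from datetime import datetime, timedelta, timezone

SAML_NS = "urn:oasis:names:tc:SAML:1.0:assertion"  # namespace used by SAML 1.1 assertions
NS = {"saml": SAML_NS}

# Constructed "federation metadata": the IdPs the federation operator vouches for,
# the key the RP verifies their assertions with (stand-in for the IdP's signing
# certificate), and the LOA the federation has assessed each IdP for (slide 25:
# "tag metadata").
FEDERATION_METADATA = {
    "https://idp.example-university.edu/shibboleth": {"key": b"idp-key-example", "loa": 1},
}

# Constructed IdP attribute-release policy: the home organization decides, per RP,
# which attributes leave campus (slide 11). Anything not listed is never released.
RELEASE_POLICY = {
    "https://sp.example-publisher.com/shibboleth": ["eduPersonScopedAffiliation", "eduPersonEntitlement"],
    "https://app.example-agency.gov/shibboleth": ["eduPersonPrincipalName", "loa"],
}


def build_assertion(issuer, audience, user_attrs, now, lifetime=300):
    """IdP side: after local authentication, release only policy-permitted attributes,
    wrapped in an assertion scoped to one audience and a short validity window."""
    ET.register_namespace("saml", SAML_NS)
    tag = lambda name: f"{{{SAML_NS}}}{name}"
    a = ET.Element(tag("Assertion"), Issuer=issuer, MajorVersion="1", MinorVersion="1",
                   IssueInstant=now.isoformat())
    cond = ET.SubElement(a, tag("Conditions"), NotBefore=now.isoformat(),
                         NotOnOrAfter=(now + timedelta(seconds=lifetime)).isoformat())
    restr = ET.SubElement(cond, tag("AudienceRestrictionCondition"))
    ET.SubElement(restr, tag("Audience")).text = audience
    stmt = ET.SubElement(a, tag("AttributeStatement"))
    for name in RELEASE_POLICY.get(audience, []):
        if name in user_attrs:
            attr = ET.SubElement(stmt, tag("Attribute"), AttributeName=name)
            ET.SubElement(attr, tag("AttributeValue")).text = str(user_attrs[name])
    xml = ET.tostring(a)
    # Stand-in for XML Signature: keyed MAC over the serialized assertion.
    mac = hmac.new(FEDERATION_METADATA[issuer]["key"], xml, hashlib.sha256).hexdigest()
    return xml, mac


def validate_assertion(xml, mac, my_entity_id, now, required_loa=None):
    """RP side: accept only if the issuer is in federation metadata, the MAC verifies,
    the assertion is addressed to us, it is inside its validity window, and (when
    the RP needs one) the asserted LOA is both within what the federation assessed
    the IdP for and at least the RP's minimum. Returns (ok, reason, attributes)."""
    root = ET.fromstring(xml)
    meta = FEDERATION_METADATA.get(root.get("Issuer"))
    if meta is None:
        return False, "issuer not in federation metadata", {}
    expected = hmac.new(meta["key"], xml, hashlib.sha256).hexdigest()
    if not hmac.compare_digest(expected, mac):
        return False, "signature check failed", {}
    if my_entity_id not in [e.text for e in root.findall(".//saml:Audience", NS)]:
        return False, "assertion not addressed to this RP", {}
    cond = root.find("saml:Conditions", NS)
    not_before = datetime.fromisoformat(cond.get("NotBefore"))
    not_on_or_after = datetime.fromisoformat(cond.get("NotOnOrAfter"))
    if not (not_before <= now < not_on_or_after):
        return False, "assertion outside validity window", {}
    attrs = {attr.get("AttributeName"): [v.text for v in attr.findall("saml:AttributeValue", NS)]
             for attr in root.findall(".//saml:Attribute", NS)}
    if required_loa is not None:
        asserted = int(attrs.get("loa", ["0"])[0])
        if asserted > meta["loa"]:
            return False, "IdP not assessed for the asserted LOA", attrs
        if asserted < required_loa:
            return False, f"LOA {asserted} below required {required_loa}", attrs
    return True, "ok", attrs


def demo():
    """Run one user through a publisher RP (no LOA needed) and an agency RP (LOA 2)."""
    now = datetime(2006, 5, 10, 12, 0, tzinfo=timezone.utc)  # constructed timestamp
    idp = "https://idp.example-university.edu/shibboleth"
    user = {  # constructed campus directory record; homePhone is never released
        "eduPersonPrincipalName": "jdoe@example-university.edu",
        "eduPersonScopedAffiliation": "faculty@example-university.edu",
        "eduPersonEntitlement": "urn:mace:example.org:library-access",
        "loa": 1, "homePhone": "555-0100",
    }
    results = {}
    for rp, required in [("https://sp.example-publisher.com/shibboleth", None),
                         ("https://app.example-agency.gov/shibboleth", 2)]:
        xml, mac = build_assertion(idp, rp, user, now)
        results[rp] = validate_assertion(xml, mac, rp, now, required_loa=required)
    return results


if __name__ == "__main__":
    for rp, (ok, reason, attrs) in demo().items():
        print(rp, ok, reason, sorted(attrs))
```

The publisher RP gets exactly the two attributes its release policy allows and nothing else, while the agency RP rejects the same user because the campus credential was assessed at LOA 1 and the application requires LOA 2; replaying an assertion at a different RP, or after its window, is also refused, which is why the audience restriction and validity window matter as much as the signature.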

26 Linking InCommon and eAuthentication: Where we are now
- Draft Memorandum of Agreement
- Draft "InCommon Bronze" requirements, based on eAuth Level 1
- Working on inter-federation assessment
- Identifying WGs to address operation, policy, and technical issues – May 10
- Goal: interoperability by Fall '06

27 Penn State, InCommon, & Shibboleth
- Using Shibboleth since Summer '02
- InCommon provides the trust model for access to external resource providers
- Production uses: Napster; WebAssign; ANGEL Course Management System; WorldWide University Network (WUN); LionShare

28 Penn State, InCommon & Shibboleth
Pilot or discussion phase:
- Office of Student Aid: PHEAA/AES
- Career Services: Simplicity
- ITS-Teaching and Learning with Technology: NETg, Thomson Publishing, Turnitin
- ITS-Digital Library Technology: Elsevier, OCLC, JSTOR, and others

29 Penn State and the eAuthentication Pilot
- Credential Assessment, Jan '05 - LOA 1
- Identified issues: password guessing, strength, expiration; Authorization to Operate Statement; stored secret (password resets); documentation
- Align policies and practices
- Proposed solution – approved by GSA/NIST
- GAP Analysis: University of Washington, Penn State, and Cornell University

30 Penn State and the eAuthentication Pilot
- FastLane pilot: an interactive real-time system used to conduct NSF business over the Internet. Used by faculty to submit grant proposals, check status, participate in panels, and enter financial transactions.
- Application assessed as level of assurance 1
- Credential Service Provider assessed as level of assurance 1

31 Useful URLs and pointers
- http://www.nmi-edit.org
- http://shibboleth.internet2.edu (subscribe to the shib mailing lists)
- http://www.incommonfederation.org/
- http://lionshare.its.psu.edu
- Emerging issues/technologies/recipes: http://middleware.internet2.edu/signet/
- SAML 2.0: http://www.oasis-open.org/

32 Questions?
Contact Information: Renee Shuey, rshuey@psu.edu

