1 Edugate. Glenn Wearen, HEAnet.

2 Summary
  - 1 year pilot project / 2 years in production
  - All IoTs, universities and colleges, but only half of HEAnet's members
  - Core service at some institutions but light use at others

3 (no transcript text for this slide)

4 So, where to now?
  1. Extended Attribute Schema
  2. Higher Identity Assurance
  3. Strong Authentication
  4. Account Provisioning
  5. Cross institutional groups
  6. New Identity Protocols
  7. Statistics
  8. Bilateral Trusts
  9. Expansion beyond HEAnet
  10. SSO for non-web applications
  11. Aggregated identities
  12. Logout

5 1. Extended Attribute Schema
  Students:
  - Do you have photos?
  - Can I tell if a user is part-time/full-time?
  - What course is the student pursuing?
  Staff:
  - Cost-center code (for eProcurement)
  - ResearcherID
  - AuthorID
  - Availability calendar
  - Telephone number

6 2. Higher Identity Assurance
  Would you use Edugate for eProcurement?
  - On-campus (cross charging for campus services)
  - Shared procurement portal (Shannon Consortium Procurement Network)
  - External suppliers (vikingdirect.ie / officedepot.ie)
  The Service Provider will seek assurances that the identity is of sufficient quality to underpin a cardless financial transaction.

7 3. Strong Authentication
  Passwords are the root of all e-vil:
  - Easily shared
  - Easily forgotten
  - Frequently exposed
  - No common password policy
  - Password changes not enforced

8 3. Strong Authentication
  - SSO helps to eliminate passwords
  - Consolidating onto a single (or single+1) credential allows for strong authentication: 2-factor authentication / strong password policy
  - SSO systems can protect sensitive resources: re-authentication, 'step-up' authentication

9 4. Account Provisioning
  On-campus, provisioning is a minor problem, but for cloud/hosted/outsourced services provisioning is a significant problem.
  Invitation systems require either:
  - the email address of all potential users (one-time URL), or
  - approval workflows (open URL)

10 4. Account Provisioning
  Bulk provisioning:
  - Handling of bulk files is a significant risk
  - Out of sync almost immediately
  - De-provisioning rarely handled
  - Accounts created for users who might never log in

11 4. Account Provisioning
  Just-in-Time provisioning:
  - Standards emerging: Simple Cloud Identity Management (SCIM)
  - But service providers are familiar with:
    LDAP: enter username/password, authenticate, query for attributes
    OAuth: enter user ID, authenticate, get token, query for attributes
    API: enter a user identifier, query for attributes, forever
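The Just-in-Time alternative to the bulk-file problems on slides 10 and 11, as an added example that is not part of the presentation: accounts are created from the attributes of a federation assertion at first login and swept for staleness afterwards. The eduPerson attribute names are real; the sample assertion, the clock value and the in-memory account store are constructed.

```python
# Added example (not from the presentation): Just-in-Time provisioning driven by
# the attributes of a federation assertion, beside the bulk-file weaknesses the
# slides list. Attribute names follow the eduPerson schema; the account store
# is an in-memory dict standing in for the SP's user database (constructed).
from datetime import datetime, timezone

# Constructed sample: the attributes an SP receives for one user's login.
SAMPLE_ASSERTION = {
    "eduPersonPrincipalName": "jbloggs@example.ie",
    "mail": "joe.bloggs@example.ie",
    "eduPersonAffiliation": ["student"],
}
NOW = datetime(2013, 1, 1, tzinfo=timezone.utc)   # constructed clock value


def jit_provision(store, attrs, now):
    """Create or refresh the local account for the subject of one assertion.

    Keyed on the scoped eduPersonPrincipalName, so an account exists only once
    the user actually logs in, and its attributes are refreshed on every login,
    which is exactly what a bulk file cannot guarantee."""
    eppn = attrs.get("eduPersonPrincipalName", "")
    if "@" not in eppn:
        raise ValueError("assertion lacks a scoped principal name")
    account = store.setdefault(eppn, {"created": now, "disabled": False})
    account["mail"] = attrs.get("mail")
    account["affiliation"] = list(attrs.get("eduPersonAffiliation", []))
    account["last_login"] = now
    account["disabled"] = False     # the IdP has just vouched for the user
    return account


def deprovision_stale(store, now, max_idle_days=180):
    """Disable accounts with no login in max_idle_days; return their names.

    Because every JIT account records its last login, de-provisioning is a
    simple sweep rather than a diff against the last bulk file."""
    stale = [eppn for eppn, acct in store.items()
             if (now - acct["last_login"]).days > max_idle_days
             and not acct["disabled"]]
    for eppn in stale:
        store[eppn]["disabled"] = True
    return stale


if __name__ == "__main__":
    accounts = {}
    jit_provision(accounts, SAMPLE_ASSERTION, NOW)
    print(deprovision_stale(accounts, NOW.replace(year=2014)))
```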

12 5. Cross institutional groups
  Cross institutional/federation groups (Virtual Organisations).
  The identity provider doesn't know all the collaborations or projects that a user participates in. This makes authorisation difficult for Service Providers (e.g. a project portal).

13 5. Cross Institutional Groups
  Establish an Edugate group repository:
  - this can be queried by IdPs during the preparation of attributes for an assertion
  - this can be queried by SPs, provided the repository has a user identifier
  - Self-asserted group membership
  - Group membership approvals or invitations

14 6. New Identity Protocols
  - OpenID Connect: addresses weaknesses and shortcomings of OpenID
  - OAuth2: allows retrieval of user data when the user is not present
  - WIF: predominant identity protocol for Microsoft services

15 6. New Identity Protocols
  Should Edugate add new protocols? Cost? Benefit?

16 7. Statistics and Monitoring
  - Are my users able to access service X?
  - Why are my users accessing service Y?
  - How come I've no users from institution A?
  - Why are we so popular with institution B?
  - What is the most widely used Edugate service?
  - What is the least used service?
  - Is Edugate being used? Or being used more?

17 7. Statistics and Monitoring
  - Is IdP X up?
  - Are there high rates of attrition?
  - Are [staff|students] able to authenticate?

18 8. Proliferation of bilateral trusts
  There are 29 bilateral trusts in Edugate; why don't these services join Edugate?
  - Maybe not required (single institution)
  - Tender awarded, Edugate not in the tender
  - SP not a legal entity
  - Google Apps, Millennium, Blackboard Learn

19 9. Expansion beyond HEAnet?
  More identity providers will mean more service providers:
  - Private colleges
  - Health services sector (HSE / hospitals / CPD)
  - Industry
  - Research Centers (Intel Labs / SFI participants)
  - 2nd level schools

20 10. SSO for non-web
  SAML works well within the browser, but outside the browser it requires client support:
  - Native client support: Outlook, claims based authentication
  - Or, with Moonshot: common library support (GSS/SASL/SSPI)

21 11. Aggregated identities
  The institution holds validated identity data and enrollment status. This can be aggregated or augmented with self-asserted data from other sources:
  - Social IDs (profile pictures, friends, interests)
  - Group membership repository

22 11. Aggregated identities
  Facebook/Twitter/Google hold self-asserted identity data. This can be aggregated or augmented with verified user data from other sources :-p

23 12. Logout
  Clicking on 'Logout': what should happen?
  - Logout of the application, but the IdP session persists (local logout)
  - Logout of the application, redirect to the IdP session killer page (partial logout)
  - Logout of the application, redirect to the IdP session killer page, trigger logout of all services (global logout)

24 12. Logout
  Or should the SP force re-authentication at the IdP after the logout button has been used (if the IdP supports it)?
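The three logout modes of slide 23 and the ForceAuthn question of slide 24, modelled as an added example that is not part of the presentation: it shows that after a local logout the surviving IdP session logs the user straight back in without a password prompt, which is the case a defender cares about. The IdP, the SPs "portal" and "library", the user "alice" and the always-successful credential check are constructed assumptions.

```python
# Added example (not from the presentation): a small model of the three logout
# modes on the slide plus ForceAuthn. The IdP, the SPs "portal" and "library"
# and the user "alice" are constructed; the credential check is assumed to pass.

class IdP:
    def __init__(self):
        self.sessions = {}          # user -> set of SP names asserted to

    def authenticate(self, user, sp, force_authn=False):
        """Handle an AuthnRequest: an existing IdP session is reused silently
        ("sso") unless ForceAuthn is set, which demands fresh credentials."""
        if user in self.sessions and not force_authn:
            self.sessions[user].add(sp.name)
            sp.sessions.add(user)
            return "sso"                # no password prompt shown
        self.sessions.setdefault(user, set()).add(sp.name)
        sp.sessions.add(user)
        return "fresh-login"

    def kill_session(self, user):
        # The 'IdP session killer page'; returns the SPs that were logged in.
        return self.sessions.pop(user, set())

class ServiceProvider:
    def __init__(self, name):
        self.name, self.sessions = name, set()

def local_logout(sp, user):                 # application session only
    sp.sessions.discard(user)

def partial_logout(sp, idp, user):          # application + IdP session
    local_logout(sp, user)
    idp.kill_session(user)

def global_logout(sp, idp, user, all_sps):  # plus every SP the IdP asserted to
    names = idp.kill_session(user)
    for other in all_sps:
        if other.name in names:
            other.sessions.discard(user)
    local_logout(sp, user)

def revisit_after_logout(mode, force_authn=False):
    """Log alice into portal and library, log out of portal in the given mode,
    then revisit portal. Returns (revisit outcome, library still logged in)."""
    idp, portal, library = IdP(), ServiceProvider("portal"), ServiceProvider("library")
    for sp in (portal, library):
        idp.authenticate("alice", sp)
    {"local": lambda: local_logout(portal, "alice"),
     "partial": lambda: partial_logout(portal, idp, "alice"),
     "global": lambda: global_logout(portal, idp, "alice", [portal, library])}[mode]()
    return idp.authenticate("alice", portal, force_authn), "alice" in library.sessions
```

Only the global mode clears the library session as well; in local mode the user is silently back in unless the SP sends ForceAuthn on the next request.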

25 So, where to now?
  1. Extended Attribute Schema
  2. Higher Identity Assurance
  3. Strong Authentication
  4. Account Provisioning
  5. Cross institutional groups
  6. New Identity Protocols
  7. Statistics
  8. Bilateral Trusts
  9. Expansion beyond HEAnet
  10. SSO for non-web applications
  11. Aggregated identities
  12. Logout
