Published by Sherman Brown on SlidePlayer
Slide 1: Collaboration: Identity and Access Management
Lori Stevens, University of Washington
16-17 October 2007
Slide 3: What is IAM?
Critical IT infrastructure
The intersection of what network engineers don't want to do *with* what application developers don't want to do
Combines technologies, business processes, governance, and policies to:
– Manage digital identities
– Specify how identities access resources
Slide 4: Terminology
Authentication: says who you are
Authorization: says what you can do
Credentials: what you provide as ID
Federation: collection of organizations that agree to operate under a certain rule-set
Slide 5: Terminology
Identification: process by which information about a person is used to provide some LOA
Level of Assurance (LOA): degree of certainty that someone is who they say they are
– Low is OK for some things
– For patient information (PHI), need high
Slide 6: What drives the need?
Collaboration: research and education, governments, global health, …
Administrative applications
Growing complexity and the need to simplify
Risk mitigation
Slide 7: IAM-supported Collaboration
Wiki, blog, email, calendar, IM
Document sharing/editing
Phone/videoconference
Data sharing
More about outreach, ease of access, enablement
Slide 8: Why is IAM necessary?
To ensure the intended people access the intended services
Organizations have to manage users/ids efficiently and accurately
– While enabling them to get their work done
Digital IDs are taking on an increasingly important role in how we collaborate and share networked resources
Slide 9: Identity Management Trends
Pervasive in business processes
Inserting NetIDs as early as possible
– e.g. NetIDs for student applicants, contractors, etc.
– Identities/NetIDs useful for life, e.g. alumni, retirees
Slide 10: Sources of Information
Human Resource database
Research/grants database
Student database
Other databases provide information about affiliations
Slide 11: Person Registry
Is knowing someone is a student enough?
Is this person an employee and a student?
Is this person affiliated with the institution?
Slide 12: Federated Authentication
Scholarship is global
Less allegiance to institution, more to research
Worldwide peers, now the norm
Access to partners is now:
– Simple and more flexible
– More secure
Slide 13: What is Shibboleth?
Standards-based (SAML) web SSO package
Open source
Uses the local IdM system to get to campus and other institutions' applications
Protects the user's privacy and the institution's data
Plays well with others, helps service partners
Slide 14: Federations
Usually higher education (HE), but doesn't need to be limited to it
Mostly Shibboleth-based, though not all
Use cases:
– content access
– collaboration support
– wireless roaming
Slide 16: Identity Lifecycle Management
Managing users
One NetID per person
Credentials
Provisioning
Enabling self-service
Slide 17: Managing Identity
Provision accounts
Associate accounts with identities/people
Groups are created and managed
Accounts are given privileges
Credentials are issued
Authn, Authz, and Federation happen
Slide 18: Group and Access Management
Several sources determine where a person fits
A person belongs to several groups
One person often has several affiliations
Access can be based on:
– Affiliation
– Group membership
– Roles
– Privileges
Slide 19: Access Management
Authentication:
– Single sign-on, fewer sign-ons
– LOA, number of credentials
Federation and trust
Authorization:
– access control, role-based, federation
Security auditing
Slide 20: Enterprise IAM Infrastructure
Enterprise user database
– Person registry, directory driven from large business sources, e.g. staff, student, affiliates
Enterprise group management
– Driven from business sources, e.g. courses, departments, ad-hoc
Enterprise privilege management
– Delegated, role/function/affiliation-based
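Slides 10, 11, 18 and 20 describe one pipeline: source systems (HR, student, grants) feed a person registry that holds one NetID per person with several affiliations; groups are derived from those affiliations and business data; and access is decided on affiliation, group membership and role, gated by the Level of Assurance from slide 5. The following Python is an added illustration of that pipeline, not code from the presentation or from the University of Washington; the feed layouts, the `uw:` group naming scheme, the resources, the policy table and the role assignments are all constructed for the example.

```python
"""Toy person registry and access decision, shaped like the slides' pipeline:
source feeds -> person registry (one NetID, many affiliations) -> groups ->
authorization by group/role, with a minimum Level of Assurance (LOA) gate."""
from dataclasses import dataclass, field

# Constructed sample feeds standing in for the HR, student and research/grants
# databases. The same person (NetID "alee") appears in all three.
HR_FEED = [{"employee_id": "E100", "name": "Ana Lee", "netid": "alee", "dept": "medicine"}]
STUDENT_FEED = [
    {"student_id": "S200", "name": "Ana Lee", "netid": "alee", "program": "mph"},
    {"student_id": "S201", "name": "Ben Ortiz", "netid": "bortiz", "program": "cs"},
]
GRANTS_FEED = [{"pi_netid": "alee", "grant": "G-7"}]

# Ordering of assurance levels, so policies can require a minimum.
LOA_ORDER = {"low": 1, "medium": 2, "high": 3}


@dataclass
class Person:
    """One registry entry: a single NetID carrying every affiliation found."""
    netid: str
    name: str
    affiliations: set = field(default_factory=set)
    attributes: dict = field(default_factory=dict)


def build_registry(hr, students, grants):
    """Merge the feeds into one Person per NetID (the 'employee and student' case)."""
    registry = {}

    def person(netid, name):
        return registry.setdefault(netid, Person(netid, name))

    for rec in hr:
        p = person(rec["netid"], rec["name"])
        p.affiliations.add("employee")
        p.attributes["dept"] = rec["dept"]
    for rec in students:
        p = person(rec["netid"], rec["name"])
        p.affiliations.add("student")
        p.attributes["program"] = rec["program"]
    for rec in grants:
        # The grants feed only enriches an identity that HR or the student
        # system already vouches for; it never creates a new NetID.
        if rec["pi_netid"] in registry:
            registry[rec["pi_netid"]].affiliations.add("researcher")
    return registry


def derive_groups(registry):
    """Build group memberships from affiliations and department data."""
    groups = {}
    for p in registry.values():
        for aff in p.affiliations:
            groups.setdefault(f"uw:affiliation:{aff}", set()).add(p.netid)
        if "dept" in p.attributes:
            groups.setdefault(f"uw:dept:{p.attributes['dept']}", set()).add(p.netid)
    return groups


# Constructed access policy: any listed group, required roles, minimum LOA.
POLICY = {
    "course-wiki": {"any_group": {"uw:affiliation:student", "uw:affiliation:employee"},
                    "min_loa": "low"},
    "grant-data": {"any_group": {"uw:affiliation:researcher"}, "min_loa": "medium"},
    # Patient information (PHI) needs a high LOA, per slide 5.
    "patient-records": {"any_group": {"uw:dept:medicine"}, "roles": {"clinician"},
                        "min_loa": "high"},
}
ROLE_ASSIGNMENTS = {"alee": {"clinician"}}  # constructed delegated role grant


def authorize(netid, resource, session_loa, groups, policy=POLICY, roles=ROLE_ASSIGNMENTS):
    """Return (allowed, reason). Unknown resources and weak sessions are denied."""
    rule = policy.get(resource)
    if rule is None:
        return False, "unknown resource: deny by default"
    if LOA_ORDER.get(session_loa, 0) < LOA_ORDER[rule["min_loa"]]:
        return False, f"LOA {session_loa} below required {rule['min_loa']}"
    if not any(netid in groups.get(g, set()) for g in rule["any_group"]):
        return False, "not in a permitted group"
    if rule.get("roles") and not rule["roles"] & roles.get(netid, set()):
        return False, "missing required role"
    return True, "allowed"


if __name__ == "__main__":
    reg = build_registry(HR_FEED, STUDENT_FEED, GRANTS_FEED)
    grp = derive_groups(reg)
    for who, what, loa in [("alee", "patient-records", "high"),
                           ("alee", "patient-records", "low"),
                           ("bortiz", "grant-data", "medium")]:
        print(who, what, loa, authorize(who, what, loa, grp))
```

The point to notice is that "alee" is neither only an employee nor only a student: the registry keeps one NetID and lets the three feeds each add an affiliation, and the same session is refused for patient records at a low LOA even though the group and role checks would pass. The decision function returns a reason string so the denial can be logged for the security auditing slide 19 asks for.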
Slide 21: Consolidation supports Collaboration
Provides a centrally coordinated service
– Allows for distributed management of content
– No need to manage multiple instances
– Single place for auditing and reporting
– Eases management of security issues for applications
– One set of tools and data for applications
The stuff of academic life, and often inter-institutional
Slide 22: Challenges with Centralizing
Governance, management of data
Defining rules, delegation
Compliance and regulations
Consensus and support for central services
Responsibility and accountability
Slide 23: Policy and Governance Questions
Who is responsible for IDM?
What collaboration scenarios are important to research and education?
Who will approve policies?
Who is part of the federation?
Who decides and develops policies?
Who owns the source data?
Slide 24: Technical Challenges
Delivering information to applications
Mobility, portability
– anywhere, anyhow, anytime computing
Interface consistency across locations
Diversity of applications and platforms
Advanced application requirements
Interoperability
Slide 25: IAM Benefits
Supports collaboration
Enables global federated authentication
Simplifies and secures
Reduces help desk load
Enables:
– Shared management
– Operating efficiencies
Slide 26: Advancing IAM Efforts
Fostering technical standards
Aggregating and disseminating technical design and implementation strategies
Fostering opportunities for others to deploy products
Integrating efforts with specific scientific and research communities
Slide 27: Resources
http://www.terena.org/activities/tf-emc2/
middleware.internet2.org
http://middleware.internet2.edu/MACE/
www.nmi-edit.org/roadmap/draft-authn-roadmap-03/
Slide 28: Questions?