InCommon Overview [PPT]

dashingincestuousSecurity

Feb 22, 2014

www.incommon.org

InCommon and Federated Identity Management

What is Identity Management?

A system of standards, procedures and technologies that provides electronic credentials to individuals.

Maintains authoritative information about individuals.

Establishes the trust needed for transactions.

Facilitates and controls user access to online applications or resources.



Identity Management

Who are you? (identification)

Collect personally identifying information to prove you are who you say you are (identity proofing), such as a driver's license, passport, or biometric data.

Assign attributes (name, address, college or university, department, role (faculty, staff, student), major, email address).

How can you prove it? (authentication)

Verifying that the person seeking access to a resource is the one previously identified and approved.


Identity Management

Authentication does not verify that the identity proofing is correct. It establishes that the previously identified person is the same one who is seeking access to a resource.




Key Entities

Three entities are involved in gaining access to a resource:

1. Subject (i.e. user): The person identified and the subject of assertions (or claims) about his or her identity.

2. Identity Provider: Typically the university or organization that maintains the identity system, identity-proofs the subject and issues a credential. Also provides assertions or claims to the service provider about a subject's identity.

3. Service Provider (sometimes called the relying party): Owner/provider of the protected resource to which the subject would like access. Consumes the assertion from the identity provider and makes an authorization decision.


Key Terms

Authentication: Verification (via a user ID and password) that a subject is associated with an electronic identifier. This is the responsibility of the identity provider.

Authorization: Determining whether a subject is eligible to gain access to a resource or service. The authorization decision is made by the service provider and is based on the attributes provided by the identity provider.

Attribute: A single piece of information associated with an electronic identity database record, such as name, phone number, group affiliation, email address, major.


The Problem

The system of authentication and authorization, and the passing of attributes, requires that the identity provider and service provider agree on policies and procedures.

When you have one identity provider working with many service providers, or one service provider working with many identity providers, things get complicated.

Individual service providers keep subject information in their own databases, or may want direct access to an identity provider's database, or may require frequent batch uploads of identity information.


1. Tedious user registration at all resources

2. Unreliable and outdated user data at resources

3. Different login process at each resource

4. Many different passwords

5. Identity provider may need to support multiple custom authentication methods and/or be asked for access to its identity database


The Problem

Growing number of applications, on-campus and outsourced or hosted.

All of these service providers must:

Verify the identity of users (faculty, staff, students, others)

Know who's eligible to access the service

Know the student is active and hasn't left school

The increase in outsourced or cloud services raises concerns about the security and privacy of the identity data.


A Solution: Federated Identity Management

Federation: An association of organizations that come together to exchange information, as appropriate, about their users and resources in order to enable collaborations and transactions.

All participants in a federation agree on the same policies and procedures related to identity management and the passing of attributes.

Instead of one-to-one relationships, the federation allows one-to-many relationships.


Federated Identity Management

Parties agree to leverage the identity provider's database, rather than creating separate data stores.

Users no longer register with the service provider, using their university credentials for transactions.

Single sign-on convenience for users.

Identity provider does the authentication; service provider does the authorization.

Attributes are the key to maintaining privacy and security.





1. Single sign-on

2. Services no longer manage user accounts & personal data stores

3. Reduced help-desk load

4. Standards-based technology

5. Home org and user control privacy


InCommon Federation

InCommon is the federation for U.S. research and education, providing higher education and their commercial and non-profit partners with a common trust framework for access to online resources.


About InCommon

Through InCommon, campuses leverage their identity databases to allow for the use of one set of credentials to access multiple resources.

Online service providers no longer need to maintain user accounts.

Identity providers manage the levels of their users' privacy and information exchange.

InCommon uses SAML-based authentication and authorization systems (such as Shibboleth®) to enable scalable, trusted collaborations among its community of participants.


InCommon Federation Benefits

Convenience: Single sign-on with higher education credentials

Safety: Enhanced security with fewer data spills

Privacy: Release of only the minimum information necessary to gain access to resources (via attributes)

Scalability: Once implemented, federated access is relatively simple to extend

Authentication: Campus does the authentication, maintaining control of user information

Authorization: Service provider makes access decisions based on attributes


Federated Access in 30 seconds

Attributes: Anonymous ID, Staff, Student, ...

Metadata, certificates, common attributes & meaning, federation registration authority, Shibboleth

[Diagram endpoints: Home Institution (user signs in); Online Resource]

1. Authentication: single sign-on at home institution

2. Federation-based trust exchange to verify partners and locations

3. Authorization: privacy-preserving exchange of agreed upon attributes

4. If attributes are acceptable to resource policy, access is granted!
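The four-step exchange on this slide, as an added example that is not InCommon's or Shibboleth's own code: a constructed identity provider issues an assertion carrying only the attributes its release policy allows for this service provider, and the service provider accepts it only if the issuer is in federation metadata and the signature, audience and expiry check out, then authorizes from the attributes alone. Entity IDs, keys and the release policy are constructed; eduPerson attribute names stand in for the federation's agreed common attributes, and HMAC stands in for the SAML XML signature.

```python
import hashlib, hmac, json, time

# Constructed federation metadata: the key the federation registered for each
# identity provider (stands in for the IdP signing certificate in real metadata).
FEDERATION_METADATA = {"https://idp.example.edu/idp": b"constructed-idp-signing-key"}

# Constructed attribute release policy at the IdP: each service provider receives
# only the attributes it needs (the privacy-preserving exchange of step 3).
RELEASE_POLICY = {
    "https://journals.example.org/sp": {"eduPersonAffiliation", "eduPersonTargetedID"},
}

def idp_issue_assertion(idp_id, sp_id, user_attrs, now=None):
    """Steps 1 and 3: after the user signs in at the home institution, the IdP
    issues a short-lived assertion carrying only the released attributes.
    HMAC stands in for the XML signature a real SAML IdP would apply."""
    now = int(time.time()) if now is None else now
    allowed = RELEASE_POLICY.get(sp_id, set())
    released = {k: v for k, v in user_attrs.items() if k in allowed}
    body = {"issuer": idp_id, "audience": sp_id, "exp": now + 300, "attributes": released}
    payload = json.dumps(body, sort_keys=True).encode()
    sig = hmac.new(FEDERATION_METADATA[idp_id], payload, hashlib.sha256).hexdigest()
    return {"payload": payload, "signature": sig}

def released_attributes(assertion):
    """The attributes the assertion actually carries (all the SP ever sees)."""
    return json.loads(assertion["payload"])["attributes"]

def sp_authorize(assertion, sp_id, eligible_affiliations, now=None):
    """Steps 2 and 4: the SP trusts the issuer only through federation metadata,
    checks audience and expiry, then decides access from the attributes alone."""
    now = int(time.time()) if now is None else now
    body = json.loads(assertion["payload"])
    key = FEDERATION_METADATA.get(body["issuer"])
    if key is None:
        return False, "issuer not in federation metadata"
    expected = hmac.new(key, assertion["payload"], hashlib.sha256).hexdigest()
    if not hmac.compare_digest(expected, assertion["signature"]):
        return False, "signature does not verify"
    if body["audience"] != sp_id:
        return False, "assertion not addressed to this service provider"
    if body["exp"] < now:
        return False, "assertion expired"
    affiliations = set(body["attributes"].get("eduPersonAffiliation", []))
    if affiliations & eligible_affiliations:
        return True, "access granted"
    return False, "affiliation not eligible for this resource"
```

The release policy is why the service provider never sees the user's mail or display name, and the expiry check is what keeps the resource from acting on stale user data.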


InCommon Participants Year-by-Year

[Chart: Number of Participants, 2004 through 2012 (June); vertical axis 0 to 450]

400+ InCommon Participants

Almost 6 million end-users (faculty, staff, students)



www.incommonfederation.org/participants


Federated Resources

Resources available via InCommon are many and diverse.

Business Functions: Benefits; Asset management; Talent management; Visas & INS compliance; Mobile alerts; Travel management; Energy management; Surveys and market analysis

Learning and Research: Journals; Databases and analytical tools; Multi-media access; Homework labs; Quiz tools; Plagiarism detection; Software downloading; Alcohol awareness education; Student travel discounts; Transportation and ride-share services

Strong support from key higher education partners, such as: Microsoft, Apple, National Student Clearinghouse, NSF, NIH, Gov-affiliated Labs



InCommon Assurance Profiles

Bronze and Silver profiles equate to the U.S. government's NIST 800-63 levels of assurance 1 and 2, respectively.

Require more stringent identity proofing policies and procedures, allowing for access to higher-risk applications (such as financial service apps).

Status: Several universities working through the policy and technical processes for implementing Silver: CIC universities (Big Ten schools and the Univ. of Chicago).

assurance.incommon.org


InCommon Collaboration Groups

Collaboration

InC-Library

InC-Student

InC-NIH

InC-Research Agencies

US Federations

https://spaces.internet2.edu/display/InCCollaborate/


Outreach and Education

IAM Online: Monthly presentations on identity and access management. www.incommon.org/iamonline

CAMP, Advance CAMP, Day CAMP: Conferences focused on federated identity and access management. www.incommon.org/camp

Affiliate Program: Linking higher ed with partners able to help build the necessary underlying infrastructure that supports federated access. www.incommon.org/affiliate

Shibboleth Workshop Series: Intensive workshops to learn and install Shibboleth. www.incommon.org/educate/shibboleth




InCommon Cert Service

Service developed by and for the higher education community. InCommon is a non-profit, community-governed organization; the primary driver is to provide value to the community.

Unlimited SSL certificates, and (soon) unlimited personal certificates (for signing, encryption, code signing and authentication).

One fixed annual fee.

One publicly signed certificate source for all campus servers and domains.

Includes all domains owned by the college or university, such as professional organizations or athletic sites (including any .org, .com, .net or others).

Internet2 members receive a 25 percent discount.

InCommon and Federated Identity Management

info@incommon.org