![Page 1: Scared Straight… if you want to go outside… Authenticate Locally, Act Globally](https://reader036.vdocuments.us/reader036/viewer/2022062408/56649f1d5503460f94c334f9/html5/thumbnails/1.jpg)
Scared Straight… if you want to go outside… Authenticate Locally, Act Globally
Topics
• Externalities who care about our IdM
• Content
• Services
• Government
• Virtual organizations
• Internal federations
• Security, usability and privacy
• And now, for the rest of the story…
Externalities
• Relying Parties want to use campus authn
  • For economies
    • Not another SSO to incorporate into the app
    • Avoid much of the costs of account management
  • For scaling in users
• Interest is tempered by legal considerations, policy considerations, and unintended disruptive economic consequences
Content
• To protect IPR (the JSTOR incident…)
• To open up markets
  • Popular content – Ruckus, CDigix, etc.
  • MS
  • Scholarly content – Google, OCLC WorldCat
• Scope of IdM may be an issue
Services
• Student travel, charitable giving, web learning and testing, plagiarism testing service, etc.
• Allure for alumni services and other internal businesses
• Student loans, student testing, graduate school admissions, etc.
• The Teragrid
Government
• NSF Fastlane Grant Submission
• Dept of Agriculture Permits
• Social Security
• NIH
• Dept of Ed
Virtual Organizations
• The big team science efforts, and even smaller collaborations with real resources to be managed seriously
• Have their own IdM issues
  • Collaboration tools
  • Domain science identity management
• Today’s solutions are non-existent, insecure or widely despised…
• Could leverage federated identity for both ease of use and better security
Peering
Possible peering parameters
• LOA
• Attribute mapping
• Economics
• Liability
• Privacy
VOs plumbed to federations
Inviting Attributes into your life…
• For privacy and secrecy
  • Albeit for a refined view of privacy
• For better security
  • Federated identity allows for stronger security where needed in a manner scalable for both RP and the user.
• For efficiency
The impacts on cyberinfrastructure
“The event was a nice example of why you get on an airplane and travel to a workshop - to make progress about 50 times faster than exchanging email and position papers! Having made this investment, we are ready to take the next concrete steps to make this vision a reality.
Improving security and usability at the same time. How often do you get a chance to do that?”
Charlie Catlett, Teragrid Director
And Now for the Rest of the Story
• The Simple Life and the Simple User
• The Full IdM Life
• Real IdM Life and the Attribute Economy
Diagram (slide 15): User; IdP (Shib, p2p); Application access controls (including network devices)
Diagram (slide 16, A Simple Life GUI): User; IdP (Shib, p2p); Authn; Autograph; Source of Authority (×3); Application access controls (including network devices)
Diagram (slide 17, A Full IdM Life): User; IdP (Shib, p2p); Source of Authority (×3); Local apps; Application access controls (including network devices)
Relative Roles of Signet & Grouper
RBAC (role-based access control) model
• Users are placed into groups (aka “roles”)
• Privileges are assigned to groups
• Groups can be arranged into hierarchies to effectively bestow privileges
Grouper: manages, well, groups
Signet: manages privileges
• Separates responsibilities for groups & privileges
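The RBAC split on this slide, as an added example that is not part of the talk and is not Signet's or Grouper's own code: a toy Python model with two separate stores, one for membership (Grouper's job) and one for privileges granted to groups (Signet's job), joined only at the moment an application asks whether a subject holds a privilege. Nested groups are resolved transitively, with a seen-set so a membership cycle cannot loop, and the check is default-deny. All group names, users and resources are constructed sample data, not from the slides.

```python
from collections import deque

GROUP_PREFIX = "group:"  # a member id with this prefix names a nested group


class GroupRegistry:
    """Grouper-like store: group membership only, no privileges here."""

    def __init__(self):
        self._members = {}  # group name -> set of member ids (users or "group:<name>")

    def create(self, group):
        self._members.setdefault(group, set())

    def add_member(self, group, member):
        if group not in self._members:
            raise KeyError(f"unknown group: {group}")
        if member.startswith(GROUP_PREFIX) and member[len(GROUP_PREFIX):] not in self._members:
            raise KeyError(f"unknown nested group: {member}")
        self._members[group].add(member)

    def remove_member(self, group, member):
        self._members[group].discard(member)

    def groups_of(self, subject):
        """Every group the subject is in, directly or through nested groups.
        Breadth-first with a seen-set, so a membership cycle terminates."""
        seen = set()
        queue = deque(g for g, members in self._members.items() if subject in members)
        while queue:
            group = queue.popleft()
            if group in seen:
                continue
            seen.add(group)
            nested_id = GROUP_PREFIX + group
            # any group that contains this group as a member also contains the subject
            queue.extend(parent for parent, members in self._members.items() if nested_id in members)
        return seen


class PrivilegeRegistry:
    """Signet-like store: privileges are granted to groups, never to individual users."""

    def __init__(self):
        self._grants = {}  # group name -> set of (resource, action)

    def grant(self, group, resource, action):
        self._grants.setdefault(group, set()).add((resource, action))

    def revoke(self, group, resource, action):
        self._grants.get(group, set()).discard((resource, action))

    def grants_for(self, groups):
        granted = set()
        for group in groups:
            granted |= self._grants.get(group, set())
        return granted


def effective_privileges(groups, privs, subject):
    """Join the two stores: subject -> groups (membership) -> privileges (grants)."""
    return privs.grants_for(groups.groups_of(subject))


def is_authorized(groups, privs, subject, resource, action):
    """Default-deny check an application makes at access time."""
    return (resource, action) in effective_privileges(groups, privs, subject)


def build_demo():
    """Constructed sample data (hypothetical campus groups, not from the talk)."""
    g = GroupRegistry()
    for name in ("staff", "finance", "finance-approvers"):
        g.create(name)
    g.add_member("staff", GROUP_PREFIX + "finance")               # finance is part of staff
    g.add_member("finance", GROUP_PREFIX + "finance-approvers")   # approvers are part of finance
    g.add_member("finance", "bob")
    g.add_member("finance-approvers", "alice")

    p = PrivilegeRegistry()
    p.grant("staff", "intranet", "read")
    p.grant("finance", "ledger", "read")
    p.grant("finance-approvers", "ledger", "approve")
    return g, p


if __name__ == "__main__":
    g, p = build_demo()
    for who in ("alice", "bob", "carol"):
        print(who, sorted(g.groups_of(who)), sorted(effective_privileges(g, p, who)))
```

Because the privilege store only ever names groups, taking alice out of `finance-approvers` removes her approve right without anyone touching a grant; conversely the privilege manager can revoke a grant without editing membership. That is the separation of responsibilities the slide describes.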
Diagram (slide 19, A Full Life GUI): User; IdP (Shib, p2p); Authn; Autograph; Signet/Grouper; Source of Authority (×3); Local apps; Application access controls (including network devices)
Diagram (slide 20, Real Life): User; IdP (Shib, p2p); Portal; Gateway; Proxy; Source of Authority (×8); Application access controls (including network devices)
Diagram (slide 21): User; IdP (Shib, p2p); Source of Authority (×3); VO Service Center; Gateway; Source of Authority (×3); second IdP; Application access controls (including network devices)
Diagram (slide 22, A VO Service Center Flow): User; IdP (Shib, p2p); Autograph; Authn; Source of Authority (×2); S/G (Signet/Grouper) ×2; VO Service Center; Source of Authority; S/G; Application access controls (including network devices)