Implementing Federated Identity Management across a Multi-campus Statewide System: The Texas Experience

William A. Weems
Assistant Vice President, Academic Technology
Associate Dean, Information Technology, Medical School
U. Texas Health Science Center at Houston


Page 1:

Implementing Federated Identity Management across a Multi-campus Statewide System: The Texas Experience

William A. Weems
Assistant Vice President, Academic Technology
Associate Dean, Information Technology, Medical School
U. Texas Health Science Center at Houston

Page 2:

BRIITE 20071004

Camelot in Cyberspace

• Everyone has a single authentication credential.
• It permits authentication of one’s physical identity by any application to which it is presented.
• If approved by the credentialed individual or required by law, the application may then request specific personal attributes from trusted sources of authority.
• The application uses the acquired personal attributes to make authorization decisions, activate additional workflow, create digital signatures, evaluate digital signatures, etc.

Page 3:

An authentication credential, when presented to a relying party:

1. can only be activated by the certified person,
2. positively identifies the physical claimant,
3. positively identifies the certifying authority (CA), i.e. the identity provider (IdP),
4. provides a certified unique identifier issued to the vetted individual and registered with the CA, and
5. asserts a defined level of assurance (LOA) that the credential is presentable only by the person it authenticates.

Page 4:

What is Identity?

Concepts of “identity” vary widely, and the word is often imprecisely used.

Within the context of Identity Management there are two types of “identity”, and they relate to authentication and authorization respectively.

Page 5:

Two Kinds of Identity

• Physical Identity, which is unique to only one person or entity. (Its certification is the responsibility of a certifying/credentialing authority.)
– Facial picture
– Fingerprints
– Retina scan

• Identity Attributes, a time-varying set of attributes associated with each unique individual.
– Common name
– Address
– Institutional affiliations, e.g. faculty, student, staff, contractor
– Specific group memberships
– Roles
– Etc.

Page 6:

Page 7:

Diagram: identity vetting and credentialing at the identity provider (IdP) uth.tmc.edu. The IdP obtains the person’s physical characteristics and records them in a permanent identity database, assigns an everlasting identifier that is permanently bound to the person, and issues a digital credential that only that person can activate (“person only activation”). Authentication then takes place with the digital credential.

Page 8:

Diagram (same flow as Page 7): identity vetting and credentialing at uth.tmc.edu with UTHSC-H username/password authentication. The permanently bound identifier and the issued digital credential are as before, but “person only activation” is done using a network username and password. The slide annotates this arrangement with question marks.

Page 9:

Diagram (same flow as Page 7): identity vetting and credentialing at uth.tmc.edu with UTHSC-H two-factor authentication. The permanently bound identifier, the permanent identity database and “person only activation” of the issued digital credential are as before. The slide still carries question marks.

Page 10:

Ideally, each individual would have a single digital credential that can be securely used to authenticate his or her identity any time authentication of identity is required to secure a transaction.

Page 11:

Diagram: UT Institution A with the applications UTTouch, e-Learning and Grid Computing.
Legend: Authentication of Some Kind; Authorization; User Password ???

Page 12:

Non-Federated Identity Management (Clair Goldsmith, Ph.D., UT System)

Diagram: UT Institution A and UT Institution B with the applications UTTouch, Compliance Training, e-Learning, Library and Grid Computing.
Legend: Authentication of Some Kind; Authorization; User Password ???

Page 13:

Federated Identity Management (Clair Goldsmith, Ph.D., UT System)

Diagram: a UT System Federation spanning UT Institution A and UT Institution B, with the applications UTTouch, Compliance Training, e-Learning, Library and Grid Computing.
Legend: Credentialing / Authentication; Authorization; User Credential
Page 14:

Today, most organizations and communities of interest recognize that IdM systems and their associated policies and procedures are a necessity. However, nearly all IdM projects currently utilize policies and procedures that are applicable only to a single enterprise or community of interest.

Page 15:

Federal E-Authentication Initiative
http://www.cio.gov/eauthentication/

• Levels of assurance (different requirements per level; these are the four levels defined in OMB Memorandum M-04-04, with the technical requirements in NIST SP 800-63)
– Level 1: e.g. no identity vetting
– Level 2: e.g. specific identity vetting requirements
– Level 3: e.g. cryptographic tokens required
– Level 4: e.g. cryptographic hard tokens required
• Credential Assessment Framework Suite (CAF)
• Federal Bridge Certification Authority (FBCA)
– http://www.cio.gov/fbca/
– The FBCA is an information system that facilitates an entity accepting certificates issued by another entity for a transaction.

Page 16:

UT Federation Strategic Authentication Goals

• Two types of authentication credentials
– Single university ID (UID) and password (LOA 2)
– Public key digital ID on token (two-factor authentication using public/private keys) (LOA 3 to 4)
• Digital signatures
– Authenticate senders
– Guarantee messages are unaltered, i.e. message integrity
– Provide for non-repudiation
– Legal signature
• Encryption of email and other documents
• Highly secure access control
• Potential for inherent global trust

Page 17:

Some Core IdM Concepts

1. Any time the same certified authentication credential is presented, relying parties can assume at some level of trust that the claimant is always the same physical person.
2. An authentication credential can be used to initially provision a system.
3. Once the credential is accepted, the relying party can, if so privileged, obtain certain “identity attributes” of a claimant from certified source(s) of authority.
4. Attribute exchange is determined by attribute release policies (ARPs) and attribute acceptance policies (AAPs).

Page 18:

Page 19:

Source of Authority (SOA) Responsibilities

An organizational entity officially responsible for identifying individuals having explicitly defined affiliations/attributes within an enterprise constitutes a “source of authority” (SOA). The SOA is responsible for:

• Identifying an individual,
• Maintaining the appropriate records that define a person’s affiliations/attributes,
• Providing others with information about the specifics of affiliation(s), and
• Determining if an affiliation/attribute is currently active or inactive.

Page 20:

Identifiers & Privacy

1. Identifiers should NEVER be used as authenticators!

2. Personal attributes should NEVER be divulged to unapproved entities.

3. Collaboration requires that entities have identifiers.

4. eduPersonTargetedID: A persistent, non-reassigned, privacy preserving identifier for a principal shared between a pair of coordinating entities.

5. What to do when multiple entities must collectively know that they are considering and/or interacting with the same person?
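As an added, self-contained illustration of the concepts on Pages 7 to 9, 17 and 20 (example code written for this page, not code from the UT System Federation or from Shibboleth), the following Python simulates one identity provider and two relying parties. The entity IDs, the secret salt, the policies, the employeeID attribute and the person record are all invented; eduPersonTargetedID and eduPersonAffiliation are the real eduPerson attribute names. The targeted ID is derived with HMAC-SHA256 over the relying party’s entity ID and the person’s permanent identifier, keyed with a per-IdP secret, so each relying party sees a different, stable value that cannot be mapped back to the identifier without the secret; Shibboleth’s computed-ID data connector applies the same idea with a salted SHA-1 hash. Because the identifier is fixed at vetting and only the credential is replaceable, the example also shows that a password reset or token upgrade leaves the targeted ID unchanged, and that presenting the identifier itself as if it were a password is rejected (Page 20, item 1).

```python
"""Toy federation: one IdP, two SPs. Added illustration; all names and secrets constructed."""
import hashlib
import hmac
import secrets

IDP_ENTITY_ID = "https://idp.uth.tmc.edu/shibboleth"        # hypothetical entity ID
PAIRWISE_SALT = b"constructed-idp-secret-not-for-real-use"  # per-IdP secret for targeted IDs
TRUSTED_IDPS = {IDP_ENTITY_ID}

# Page 16: UID/password is LOA 2, a public-key token LOA 3, a hard token LOA 4.
LOA_BY_METHOD = {"password": 2, "pk_token": 3, "pk_hard_token": 4}

# Attribute release policy (ARP): which attributes each relying party may receive.
ARP = {
    "https://library.example.edu/sp": {"eduPersonAffiliation"},
    "https://benefits.example.edu/sp": {"eduPersonAffiliation", "displayName", "employeeID"},
}


class IdP:
    def __init__(self):
        self.people = {}  # permanent identifier -> record (the "permanent identity database")

    def vet_and_credential(self, attributes, method):
        """Identity vetting: assign an everlasting identifier, then issue a first credential."""
        uid = "uid-" + secrets.token_hex(6)  # never reassigned, never released to an SP
        self.people[uid] = {"attributes": dict(attributes), "credential": None}
        self.reissue_credential(uid, method)
        return uid

    def reissue_credential(self, uid, method):
        """Replace the authenticator (password reset, token upgrade); the identifier is unchanged."""
        self.people[uid]["credential"] = {"method": method, "secret": secrets.token_hex(16)}
        return self.people[uid]["credential"]["secret"]

    def targeted_id(self, uid, sp_entity_id):
        """eduPersonTargetedID: stable per (IdP, SP, person), different for every SP, and not
        reversible to uid without the IdP's secret salt."""
        msg = f"{sp_entity_id}!{uid}".encode()
        return hmac.new(PAIRWISE_SALT, msg, hashlib.sha256).hexdigest()[:32]

    def issue_assertion(self, uid, presented_secret, sp_entity_id):
        """Authenticate the claimant, then release only the attributes the ARP allows."""
        rec = self.people.get(uid)
        if rec is None or not hmac.compare_digest(rec["credential"]["secret"], presented_secret):
            return None
        allowed = ARP.get(sp_entity_id, set())
        released = {k: v for k, v in rec["attributes"].items() if k in allowed}
        released["eduPersonTargetedID"] = self.targeted_id(uid, sp_entity_id)
        method = rec["credential"]["method"]
        return {"issuer": IDP_ENTITY_ID, "audience": sp_entity_id, "authn_method": method,
                "loa": LOA_BY_METHOD[method], "attributes": released}


class SP:
    def __init__(self, entity_id, min_loa, required):
        self.entity_id, self.min_loa, self.required = entity_id, min_loa, set(required)

    def accept(self, assertion):
        """Attribute acceptance policy: trusted issuer, correct audience, sufficient LOA and
        every attribute this application needs. Returns (decision, detail)."""
        if assertion is None:
            return ("deny", "authentication failed")
        if assertion["issuer"] not in TRUSTED_IDPS:
            return ("deny", "untrusted issuer")
        if assertion["audience"] != self.entity_id:
            return ("deny", "assertion was issued for a different relying party")
        if assertion["loa"] < self.min_loa:
            return ("deny", f"LOA {assertion['loa']} below required {self.min_loa}")
        missing = self.required - set(assertion["attributes"])
        if missing:
            return ("deny", "missing attributes: " + ", ".join(sorted(missing)))
        return ("allow", assertion["attributes"]["eduPersonTargetedID"])


def demo():
    """Walk one person through the federation and return the observable decisions."""
    idp = IdP()
    library = SP("https://library.example.edu/sp", 2, {"eduPersonAffiliation"})
    benefits = SP("https://benefits.example.edu/sp", 3, {"eduPersonAffiliation", "employeeID"})
    uid = idp.vet_and_credential(
        {"displayName": "Pat Example", "eduPersonAffiliation": "staff", "employeeID": "E0001"},
        "password")
    pw = idp.people[uid]["credential"]["secret"]
    out = {}
    # Page 20, item 1: the identifier is not an authenticator.
    out["uid_as_password"] = library.accept(idp.issue_assertion(uid, uid, library.entity_id))
    lib = idp.issue_assertion(uid, pw, library.entity_id)
    out["library_password"] = library.accept(lib)
    out["library_attrs"] = sorted(lib["attributes"])  # ARP withholds displayName and employeeID
    out["benefits_password"] = benefits.accept(idp.issue_assertion(uid, pw, benefits.entity_id))
    out["replayed_to_benefits"] = benefits.accept(lib)  # assertion meant for the library
    tok = idp.reissue_credential(uid, "pk_token")      # token upgrade, same identifier
    ben = idp.issue_assertion(uid, tok, benefits.entity_id)
    out["benefits_token"] = benefits.accept(ben)
    lib2 = idp.issue_assertion(uid, tok, library.entity_id)
    out["same_person_after_reissue"] = (lib2["attributes"]["eduPersonTargetedID"]
                                        == lib["attributes"]["eduPersonTargetedID"])
    out["ids_differ_between_sps"] = (lib["attributes"]["eduPersonTargetedID"]
                                     != ben["attributes"]["eduPersonTargetedID"])
    return out


if __name__ == "__main__":
    for name, result in demo().items():
        print(f"{name}: {result}")
```

Run directly, it prints one decision per step: the library (LOA 2) accepts the password login but never sees displayName or employeeID because the ARP does not release them; the benefits application (LOA 3) refuses the password login, refuses an assertion addressed to the library, and accepts the same person once a token credential has been issued, while the library still sees the same targeted ID after that reissue.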

Page 21:

UT System Identity Management Federation

• Established September 2006
• Operates under authority of the UT Board of Regents
• UT IdM Federation Board of appointed members
• Policy and procedure federation documents
• Current membership: the 16 U. Texas institutions
– 9 academic institutions
– 6 health institutions
– U.T. System
• > 40 federated applications operational
• An employee benefits application for use by all employees under development

Page 22:

UT System IdM Federation: Governance

Diagram (© Clair Goldsmith):
• UT System Strategic Leadership Council
• UT System Institutions: Representation and Initiatives
• UT System IdM Federation Board: IT Mgmt Principles and Policy; Business Drivers; Statement of Direction; Board Membership; Policy; Outreach

Page 23:

Governance: Issues to Ponder

• The technical implementation aspects of federation can get way ahead of policy and governance
• Governance entangled with power/autonomy conflicts
• Priorities vary by institution
• Conventions may be seen as dictates
• Managing trust relationships is complex enough when dealing with institutions within the same system (among “family”). Complexity increases as diversity of membership increases

© Clair Goldsmith

Page 24:

UT System IdM Federation Foundation Documents
https://idm.utsystem.edu/utfed/

1. Federation Charter
2. Membership Agreement
3. Operating Practices and Procedures
4. Membership Operating Practices (MOP)
5. Fee Schedule
6. Common Identity Attributes

Page 25:

References

1. InCommon Federation: http://www.incommon.org/
2. UC Trust: The University of California Identity Management Federation: http://www.ucop.edu/irc/itlc/uctrust/
3. U. Texas System Identity Management Federation: https://idm.utsystem.edu/utfed/
4. SAFE: Signature and Authentication For Everyone: http://www.safe-biopharma.org/