Jack Suess, CIO, University of Maryland, Baltimore County, April 5, 2009
TRANSCRIPT

What’s the Problem?
Shibboleth
Federations
InCommon Federation

Multiple usernames and passwords for users
Multiple copies of personal data held by third parties
Duplication of effort across multiple institutions
Service and resource providers having to interface with multiple systems
Difficulty in sharing resources between institutions
Anytime, anywhere access to resources
Compliance with legislation (FERPA, GLB…)

Scaling
Enabling identity holder to authenticate
Enabling service provider to control authorization
Providing security and privacy
Ensuring accuracy and timeliness of account and identity data

Internet2 partnered with Middleware Architecture Committee for Education (MACE)
◦ Leading international identity architects
Ongoing work in the great challenges of digital identity
◦ Extending access beyond an organization to facilitate ease of use and collaboration while maintaining security and privacy
Shibboleth Single Sign-on and Federating Software
InCommon Federation
◦ Among other things….

Open source standards-based web single sign-on package (supports SAML v1.1, SAML v2)
Supports the Federated Identity model
◦ Identity Provider (IdP) authenticates the browser user and provides Attribute Assertions describing the user
◦ Service Provider (SP) validates the Assertions, makes an Access Control decision, and provides Resources
◦ Each player identified by a unique entityID value
Leverages local identity management system

Enables access to both campus and external applications
Protects users’ privacy
Helps your service partners
Integrates well with other SAML2 software
Adoption by 20+ other Higher Education/Research federations around the world

Access Application/Service Provider Site
Identify Home Site
Redirect to Home Site
Shibboleth IdP
Authenticate locally
IdP determines which attributes to release
Redirect back to Application, carrying Attribute Assertions
SP site uses Assertions to determine access rights, and to personalize

Identity isn’t always released
◦ Elsevier Science Direct – license number and opaque identifier for personalization (optional)
◦ Microsoft Dreamspark – affiliation
◦ Apple iTunesU – course number
But identity is needed by some
◦ WebAssign – name and course number
Defined in eduPerson schema and increasingly elsewhere

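The per-service release decision this slide describes, worked as an added example written for this transcript; it is not code from the talk or from the Shibboleth IdP. The IdP keeps the full record (including fields such as the SSN that no policy ever names) and applies a release policy keyed by the SP's entityID: one SP gets an opaque, pairwise identifier plus a licence attribute, another only affiliation, another a course number, and WebAssign the name and course number. The SP entityIDs, the courseNumber and licenseNumber attribute names, the IdP secret and the HMAC construction of the opaque identifier are assumptions of this example (Shibboleth has its own computed-ID scheme); the eduPerson attribute names are real.

```python
"""Per-SP attribute release, as an IdP applies it before redirecting back to the SP.
Added example for this transcript, not code from the talk or the Shibboleth IdP.
Assumed: the SP entityIDs, the courseNumber/licenseNumber attribute names, the
IdP secret and the HMAC construction of the opaque identifier (Shibboleth uses
its own computed-ID scheme). The eduPerson attribute names are real."""
import hashlib
import hmac

# Constructed record as the campus identity management system might hold it.
USER = {
    "uid": "joval",
    "displayName": "Dr. Joe Oval",
    "eduPersonScopedAffiliation": "faculty@circle.edu",
    "courseNumber": "PSYC101",    # assumed attribute name
    "licenseNumber": "EL-4711",   # assumed attribute name
    "ssn": "456-78-910",          # stays at the IdP; no policy ever names it
}

IDP_SECRET = b"per-idp-secret-never-leaves-the-idp"  # assumption for this example

# Release policy keyed by SP entityID (entityIDs assumed). Anything not listed is withheld.
RELEASE_POLICY = {
    "https://sciencedirect.example.com/shibboleth": ["eduPersonTargetedID", "licenseNumber"],
    "https://dreamspark.example.com/shibboleth": ["eduPersonScopedAffiliation"],
    "https://itunesu.example.com/shibboleth": ["courseNumber"],
    "https://webassign.example.com/shibboleth": ["displayName", "courseNumber"],
}


def targeted_id(user: dict, sp_entity_id: str, secret: bytes = IDP_SECRET) -> str:
    """Opaque identifier: stable for one (user, SP) pair, different for every SP, so
    two SPs cannot correlate the same person and neither can recover the uid."""
    mac = hmac.new(secret, f"{sp_entity_id}!{user['uid']}".encode(), hashlib.sha256)
    return mac.hexdigest()[:32]


def release_attributes(user: dict, sp_entity_id: str, policy: dict = RELEASE_POLICY) -> dict:
    """Attributes the policy allows for this SP. An SP with no policy entry gets
    nothing (default deny); a listed attribute the user lacks is simply omitted."""
    released = {}
    for name in policy.get(sp_entity_id, []):
        if name == "eduPersonTargetedID":
            released[name] = targeted_id(user, sp_entity_id)
        elif name in user:
            released[name] = user[name]
    return released


if __name__ == "__main__":
    for sp in list(RELEASE_POLICY) + ["https://unknown.example.com/shibboleth"]:
        print(sp, "->", release_attributes(USER, sp))
```

The two properties worth checking in any such policy engine are that an unknown SP falls through to an empty release rather than a default set, and that the opaque identifier differs between SPs while staying stable for one SP over time; the latter means the IdP secret cannot be rotated without a migration plan for every SP that keys personalization data on it.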
The Challenging Way (diagram)
Circle University: [email protected], Dr. Joe Oval, Psych Prof., SSN 456.78.910, Password #1
Service Providers, each holding its own copy of the user’s data:
◦ Music Service: ID #4 j.o.123, Joe Oval, Psych Prof., DOB 4/4/1955, Password #4
◦ Grant Admin Service: ID #2 Joval, Dr. Joe Oval, Psych Prof., SSN 456.78.910, Password #2
◦ Grading Service: ID #3 Jo456, Dr. Joe Oval, Psych Prof., Password #3 ????
No coordination
Proprietary code
Batch uploads

A group of member organisations who agree to a set of rules
An independent body managing the trust relationships between members
End user organisations
◦ Act as identity providers (IdPs) and optionally service providers (SPs)
◦ Authenticate end users
◦ Release information (attributes) about individuals to service providers
Service and resource providers (SPs)
◦ Accept information (attributes) and use to authorize (or not authorize) access

Common data/Attributes to exchange
Shared technology, policy, process
◦ Rules of engagement
◦ Information about how to connect
◦ Specifies accuracy, integrity, and use of attributes
◦ Problem resolution
Registration mechanism for members
Maintain member information
Troubleshooting, ongoing development

The Federated Way (diagram: Circle University holds Dr. Joe Oval’s record, [email protected], Psych Prof., SSN 456.78.910, with a single Password #1; the three service boxes show Circle University, Anonymous ID#, Dr. Joe Oval, Psych Prof., SSN 456.78.910, with the SSN flagged “!”)
1. Single sign on
2. Services no longer manage user accounts & personal data stores
3. Reduced help-desk load
4. Standards-based technology
5. Home org and user controls privacy

The Role of the Federation (diagram: Home = Circle University, ID # 123-321, Dr. Joe Oval, Psych Prof., SSN 456.78.910; the service boxes show Circle University, Anonymous ID#, Dr. Joe Oval, Psych Prof., with the SSN flagged “!”; each participant is marked “Verified by the Federation”)
1. Agreed upon attribute vocabulary & definitions: member of, role, unique identifier, courses, …
2. Criteria for identity management practices (user accounts, credentialing, etc.), privacy stewardship, interop standards, technologies
3. Trusted exchange of participant information
4. Trusted “notary” for all universities and partners

US Research and Education Federation
◦ www.incommon.org
◦ Separate entity with its own governance
◦ Operations managed by Internet2
◦ Members are degree-granting accredited organizations and their partners

135 members representing 2.8 million individuals.
◦ 96 higher education institutions,
◦ 6 government agencies or non-profit laboratories, and
◦ 33 corporations (public and non-profit)
Agree to a common participation agreement that allows each to inter-operate with the others
InCommon sets basic practices for identity providers and service providers.
◦ Focus so far on campus identity management processes and attributes

National Science Foundation
National Institutes of Health
◦ Piloting InCommon Silver for NIST LoA 2 services
Research.gov
TeraGrid

Ease user account management
Higher security
Privacy maintained
Greatly reduced integration work for each service provider
Policy driven release of identity
Emerging tools provide option for user consent in real time, as attributes are released
Standards

Accurate implementation of licence conditions
Users take better care of credentials
Organizations take better care of assertions
Information about individuals always up to date
◦ Authentication is performed by the IdP
◦ Can authorize just-in-time per institution, role, and/or entitlement or other characteristic
Reduced user support requirements

eduPerson
Used by InCommon to exchange attribute information
Standard schema used in identity management systems across HE, not just in InCommon
Defined by MACE-Directories working group
New needs arising as service providers diversify

InCommon Identity Assurance Profiles
◦ Bronze compatible with NIST Level of Assurance 1
◦ Silver compatible with NIST Level of Assurance 2
Specifies criteria used to assess identity providers
◦ Identity Assurance Assessment Framework
◦ Written for and by HE community to enhance NIST 800-63

A true standard of practice
An audit independent of campus IT
Additional legal addendum and fees
A Silver designation for the IdM system (or subsystem)
A Silver attribute sent with each user’s attributes (Silver is per user per occurrence)
Being piloted technically with NIH & 3 campuses

InCommon Metadata and Assurance Levels (diagram: Home = Circle University, ID # 123-321, Dr. Joe Oval, Psych Prof., SSN 456.78.910, Password #1; attributes shown in flight: Affiliation, EPPN, Given/SurName, Title, SSN; service boxes show Circle University, Anonymous ID#, Dr. Joe Oval, Psych Prof.; each participant marked “Verified by the Federation”)
InCommon Metadata
◦ College A: IdP: name, key, url, contacts, etc.; SP1: name, key, url, contacts, etc.; SP2: name, key, url, contacts, etc.
◦ University B: IdP: name, key, url, contacts, etc.; SP1: name, key, url, contacts, etc.
◦ University C: IdP: name, key, url, contacts, etc.
◦ Partner 1: SP1: name, key, url, contacts, etc.
◦ Partner 2: SP1: name, key, url, contacts, etc.; SP2: name, key, url, contacts, etc.
◦ Partner 3: …
InCommon Federal Compliant Assurance Levels: Bronze, Silver

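The return leg of the flow on slide 9 (SP validates the Assertions and makes an Access Control decision), using federation metadata as the trust anchor shown in the diagram above and the per-user Silver attribute from slide 25, as an added example written for this transcript; it is not code from the talk, the Shibboleth SP or any SAML library. Assumptions: the entityIDs, the ACS URL, the METADATA dict standing in for InCommon metadata, the constructed sample Response, and the URI used here for InCommon Silver. XML signature verification against the IdP signing key published in metadata is left to a real SP or library; the example shows the checks that still have to pass once a signature verifies (Destination, Issuer present in metadata as an IdP, validity window, AudienceRestriction) and then a just-in-time decision on the released attributes.

```python
"""SP-side checks on a SAML 2.0 Response after the IdP redirects the browser back.
Added example for this transcript, not code from the talk, the Shibboleth SP or a
SAML library. Assumed: entityIDs, ACS URL, the METADATA dict standing in for
InCommon metadata, the constructed sample Response and the URI used for Silver.
XML signature verification (IdP key from metadata) is left to a real SP/library."""
from datetime import datetime, timezone
import xml.etree.ElementTree as ET  # use defusedxml for untrusted input in production

NS = {"samlp": "urn:oasis:names:tc:SAML:2.0:protocol",
      "saml": "urn:oasis:names:tc:SAML:2.0:assertion"}

# Stand-in for federation metadata: trusted entityIDs with role, key and endpoints.
METADATA = {
    "https://idp.circle.edu/idp/shibboleth": {"role": "IdP", "key": "<signing cert from metadata>"},
    "https://sp.example.org/shibboleth": {"role": "SP",
                                           "acs": "https://sp.example.org/Shibboleth.sso/SAML2/POST"},
}
SP_ENTITY_ID = "https://sp.example.org/shibboleth"
SILVER = "http://id.incommon.org/assurance/silver"  # assumed assurance value for this example

# Constructed, unsigned sample Response. The two eduPerson attribute OIDs are the real ones.
SAMPLE_RESPONSE = """<samlp:Response xmlns:samlp="urn:oasis:names:tc:SAML:2.0:protocol"
    xmlns:saml="urn:oasis:names:tc:SAML:2.0:assertion" ID="_r1" Version="2.0"
    IssueInstant="2009-04-05T12:00:00Z"
    Destination="https://sp.example.org/Shibboleth.sso/SAML2/POST">
  <saml:Issuer>https://idp.circle.edu/idp/shibboleth</saml:Issuer>
  <saml:Assertion ID="_a1" Version="2.0" IssueInstant="2009-04-05T12:00:00Z">
    <saml:Issuer>https://idp.circle.edu/idp/shibboleth</saml:Issuer>
    <saml:Conditions NotBefore="2009-04-05T11:59:00Z" NotOnOrAfter="2009-04-05T12:05:00Z">
      <saml:AudienceRestriction>
        <saml:Audience>https://sp.example.org/shibboleth</saml:Audience>
      </saml:AudienceRestriction>
    </saml:Conditions>
    <saml:AttributeStatement>
      <saml:Attribute Name="urn:oid:1.3.6.1.4.1.5923.1.1.1.9" FriendlyName="eduPersonScopedAffiliation">
        <saml:AttributeValue>faculty@circle.edu</saml:AttributeValue>
      </saml:Attribute>
      <saml:Attribute Name="urn:oid:1.3.6.1.4.1.5923.1.1.1.11" FriendlyName="eduPersonAssurance">
        <saml:AttributeValue>http://id.incommon.org/assurance/silver</saml:AttributeValue>
      </saml:Attribute>
    </saml:AttributeStatement>
  </saml:Assertion>
</samlp:Response>"""


def _ts(s: str) -> datetime:
    return datetime.strptime(s, "%Y-%m-%dT%H:%M:%SZ").replace(tzinfo=timezone.utc)


def validate_response(xml_text: str, now: str, sp_entity_id: str = SP_ENTITY_ID,
                      metadata: dict = METADATA) -> dict:
    """Return the released attributes ({friendly name: [values]}) or raise ValueError."""
    t = _ts(now)
    root = ET.fromstring(xml_text)
    if root.tag != f"{{{NS['samlp']}}}Response":
        raise ValueError("not a SAML 2.0 Response")
    # 1. Destination must be this SP's own ACS endpoint (no replay of another SP's Response).
    if root.get("Destination") != metadata.get(sp_entity_id, {}).get("acs"):
        raise ValueError("Destination does not match our ACS URL")
    assertion = root.find("saml:Assertion", NS)
    if assertion is None:
        raise ValueError("no Assertion in Response")
    # 2. Issuer must be an IdP registered in federation metadata (its key signs the assertion).
    issuer = assertion.findtext("saml:Issuer", default="", namespaces=NS)
    if metadata.get(issuer, {}).get("role") != "IdP":
        raise ValueError(f"issuer not a federation IdP: {issuer}")
    # 3. Validity window: NotBefore is optional, an expiry is required here.
    cond = assertion.find("saml:Conditions", NS)
    if cond is None or cond.get("NotOnOrAfter") is None:
        raise ValueError("assertion has no expiry")
    if cond.get("NotBefore") and t < _ts(cond.get("NotBefore")):
        raise ValueError("assertion not yet valid")
    if t >= _ts(cond.get("NotOnOrAfter")):
        raise ValueError("assertion expired")
    # 4. AudienceRestriction must name this SP's entityID.
    audiences = [a.text for a in cond.findall("saml:AudienceRestriction/saml:Audience", NS)]
    if sp_entity_id not in audiences:
        raise ValueError("assertion not addressed to this SP")
    # 5. Collect attributes keyed by FriendlyName (or the OID-based Name if absent).
    attrs = {}
    for attr in assertion.findall("saml:AttributeStatement/saml:Attribute", NS):
        key = attr.get("FriendlyName") or attr.get("Name")
        attrs[key] = [v.text for v in attr.findall("saml:AttributeValue", NS)]
    return attrs


def rejects(xml_text: str, now: str, **kw) -> bool:
    """True if validate_response refuses the Response (exercises the failure paths)."""
    try:
        validate_response(xml_text, now, **kw)
        return False
    except ValueError:
        return True


def authorize(attrs: dict, require_silver: bool = False) -> bool:
    """Just-in-time decision on released attributes: an active affiliation at any
    member institution, plus the Silver assurance value when the resource is LoA 2."""
    roles = {v.split("@")[0] for v in attrs.get("eduPersonScopedAffiliation", [])}
    if not roles & {"faculty", "staff", "student", "member"}:
        return False
    return not require_silver or SILVER in attrs.get("eduPersonAssurance", [])
```

Each check closes a specific hole: the Destination and Audience checks stop a Response issued for one SP being replayed at another, the Issuer lookup ties the assertion to an entity the federation has vetted (the same metadata entry supplies the key a real SP verifies the signature with), and the window check bounds how long a captured assertion stays useful. The decision in authorize() is the “per institution, role, and/or entitlement” authorization from slide 22, with the Silver value required only when the resource needs NIST LoA 2.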
Steering Committee
Lois Brooks, Stanford University – Chair
Steve Cawley, University of Minnesota
Joel Cooper, Carleton College
Clair Goldsmith, University of Texas System
Ken Klingenstein, Internet2 (ex officio), University of Colorado
Tracy Mitrano, Cornell University
Kevin Morooney, Penn State
Chris Shillum, Elsevier
Jack Suess, University of Maryland, Baltimore County
Mike Teets, OCLC
Advisors
Renee Frost, Internet2, University of Michigan
Norma Holland, EDUCAUSE (ex officio)
David Wasley, retired, UCOP
Role: Manages the business and affairs of InCommon and its Federation, including oversight and recommendations on issues arising from the operation and management of the InCommon Federation.

Technical Advisory Committee (TAC)
RL "Bob" Morgan, University of Washington – Co-Chair
Renee Shuey, Penn State – Co-Chair
Tom Barton, University of Chicago
Scott Cantor, The Ohio State University
Steven Carmody, Brown University
Paul Caskey, University of Texas System
Michael Gettes, MIT
Keith Hazelton, University of Wisconsin – Madison
Ken Klingenstein, Internet2/InCommon Steering Committee
Mike LaHaye, Internet2
David Walker, University of California-Davis
David Wasley, retired, UCOP
Role: Provides recommendations relating to the operation and management of InCommon with respect to technical issues.

Collaboration
◦ InC-Library, InC-Student, InC-NIH, InC-Research, InC-Apple, Dreamspark
National and International standards
◦ Co-wrote SAML spec
◦ TAC members involved in WS-Fed, OASIS, Terena, ISOC, and Liberty Alliance and other standards and federation organizations
Development
◦ Interfederation, Privacy and Consent, Evolution of Federations

Jack Suess
◦ [email protected]
Resources
◦ http://www.incommonfederation.org/
◦ http://www.incommonfederation.org/assurance/
◦ http://middleware.internet2.edu/
◦ http://csrc.nist.gov/publications/PubsSPs.html