University of Washington Collaboration: Identity and Access Management
Lori Stevens, University of Washington, 16-17 October 2007




What is IAM?
– Critical IT infrastructure
– Intersection of what NW engineers don't want to do *with* what app developers don't want to do
– Combines technologies, business processes, governance, and policies to:
  – Manage digital identities
  – Specify how ids access resources

Terminology
– Authentication: says who you are
– Authorization: says what you can do
– Credentials: what you provide as ID
– Federation: collection of orgs that agree to operate under a certain rule-set

Terminology
– Identification: process by which info about a person is used to provide some LOA
– Level of Assurance (LOA): degree of certainty that someone is who they say they are
  – Low is OK for some things
  – For patient information (PHI), need high

What drives the need?
– Collaboration: research and education, governments, global health, administrative applications
– Growing complexity and the need to simplify
– Risk mitigation

IAM-supported Collaboration
– Wiki, blog, calendar, IM
– Document sharing/editing
– Phone/videoconference
– Data sharing
– More about outreach, ease of access, enablement

Why is IAM necessary?
– To ensure the intended people access intended services
– Organizations have to manage users/ids efficiently and accurately, while enabling them to get their work done
– Digital IDs are taking on an increasingly important role for how we collaborate and share networked resources

Identity Management Trends
– Pervasive in business processes
– Inserting NetIDs as early as possible, e.g. NetIDs for student applicants, contractors, etc.
– Identities/NetIDs useful for life, e.g. alumni, retirees

Sources of Information
– Human Resource db
– Research/grants db
– Student db
– Other dbs provide info about affiliations

Person Registry
– Is knowing someone is a student enough?
– Is this person an employee and a student?
– Is this person affiliated with the institution?

Federated Authentication
– Scholarship is global
– Less allegiance to institution, more to research
– Worldwide peers, now the norm
– Access to partners is now: simple and more flexible, more secure

What is Shibboleth?
– Standards-based (SAML) Web SSO pkg
– Open Source
– Uses local IdM system to get to campus and other institutions' apps
– Protects users' privacy and institutions' data
– Plays well with others, helps svc partners

Federations
– Usually HE but doesn't need to be limited
– Mostly Shib-based, not all though
– Use cases: content access, collaboration support, wireless roaming

Identity Lifecycle Management
– Managing users
– One NetID per person
– Credentials
– Provisioning
– Enabling self-service

Managing Identity
– Provision accounts
– Associate accounts with identities/people
– Groups are created and managed
– Accounts are given privileges
– Credentials are issued
– Authn, Authz, and Federation happen

Group and Access Management
– Several sources determine where a person fits
– A person belongs to several groups
– One person often has several affiliations
– Access can be based on: affiliation, group membership, roles, privileges

Access Management
– Authentication: single sign-on, fewer sign-ons; LOA, # of credentials; federation and trust
– Authorization: access control, role-based, federation
– Security auditing

Enterprise IAM Infrastructure
– Enterprise user database: person registry, directory driven from large business sources, e.g. staff, student, affiliates
– Enterprise group management: driven from business sources, e.g. courses, departments, ad-hoc
– Enterprise privilege management: delegated, role/function/affiliation-based

Consolidation supports Collaboration
– Provides a centrally-coordinated service
– Allows for distributed management of content
– No need to manage multiple instances
– Single place for auditing and reporting
– Eases mgmt of security issues for apps
– One set of tools and data for apps
– The stuff of academic life and often inter-institutional

Challenges with Centralizing
– Governance, mgmt of data
– Defining rules, delegation
– Compliance and regulations
– Consensus and support for central svcs
– Responsibility and accountability

Policy and Governance Questions
– Who is responsible for IDM?
– What collaboration scenarios are important to Research and Education?
– Who will approve policies?
– Who is part of the federation?
– Who decides and develops policies?
– Who owns the source data?

Technical Challenges
– Delivering information to apps
– Mobility, portability: anywhere, anyhow, anytime computing
– Interface consistency cross-location
– Diversity of apps and platforms
– Advanced app requirements
– Interoperability

IAM Benefits
– Supports collaboration
– Enables global federated authentication
– Simplifies and secures
– Reduces help desk load
– Enables shared management
– Operating efficiencies

Advancing IAM Efforts
– Fostering technical standards
– Aggregating and disseminating technical design and implementation strategies
– Fostering opportunities for others to deploy products
– Integrating efforts with specific scientific and research communities

Resources
middleware.internet2.org/roadmap-03/

Questions?
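The Person Registry, Group and Access Management and LOA slides describe one pattern: several systems of record feed a single registry keyed by NetID, a person carries several affiliations and groups at once, and access to a resource is decided from those attributes plus the assurance level of the credential used. The following Python is an added example that sketches that pattern; it is not code from the University of Washington deck or from any real registry product. The feed records, NetIDs, department and course names, the grant placeholder and the POLICY rules are all constructed for illustration.

```python
"""Toy person registry with affiliation/group-based, LOA-gated authorization.

Added example, not from the original slides. Merges records from constructed
HR, student and grants feeds into one Person per NetID, derives group
memberships, and answers questions such as "is this person an employee AND
a student?" and "may they read PHI with this credential's LOA?".
"""
from dataclasses import dataclass, field

# Constructed feeds standing in for the HR db, student db and grants db.
HR_FEED = [
    {"employee_id": "E100", "netid": "jdoe", "status": "active", "dept": "RADIOLOGY"},
    {"employee_id": "E101", "netid": "asmith", "status": "terminated", "dept": "LIBRARY"},
]
STUDENT_FEED = [
    {"student_id": "S200", "netid": "jdoe", "enrolled": True, "course": "BIOL101"},
    {"student_id": "S201", "netid": "kwong", "enrolled": True, "course": "BIOL101"},
]
GRANTS_FEED = [
    {"pi_netid": "jdoe", "grant": "GRANT-PLACEHOLDER"},
]


@dataclass
class Person:
    """One registry entry: one NetID per person, many affiliations and groups."""
    netid: str
    affiliations: set = field(default_factory=set)  # employee, student, researcher, ...
    groups: set = field(default_factory=set)        # derived: dept:*, course:*, grant:*


def build_registry(hr, students, grants):
    """Merge the source feeds into a dict of NetID -> Person."""
    reg = {}

    def person(netid):
        return reg.setdefault(netid, Person(netid))

    for rec in hr:
        p = person(rec["netid"])
        if rec["status"] == "active":
            p.affiliations.add("employee")
            p.groups.add(f"dept:{rec['dept']}")
        else:
            # Keep the record so the NetID is not reissued, but grant no access.
            p.affiliations.add("former-employee")
    for rec in students:
        p = person(rec["netid"])
        if rec["enrolled"]:
            p.affiliations.add("student")
            p.groups.add(f"course:{rec['course']}")
    for rec in grants:
        p = person(rec["pi_netid"])
        p.affiliations.add("researcher")
        p.groups.add(f"grant:{rec['grant']}")
    return reg


def is_employee_and_student(reg, netid):
    """The registry question from the slide: does one person hold both affiliations?"""
    p = reg.get(netid)
    return p is not None and {"employee", "student"} <= p.affiliations


# Constructed policy: a resource needs one qualifying group/affiliation AND a minimum LOA.
# PHI gets the highest LOA, matching the slide's "for patient information, need high".
POLICY = {
    "phi-records": {"any_of": {"dept:RADIOLOGY"}, "min_loa": 3},
    "course-wiki:BIOL101": {"any_of": {"course:BIOL101", "affiliation:employee"}, "min_loa": 1},
    "library-staff-portal": {"any_of": {"dept:LIBRARY"}, "min_loa": 2},
}


def may_access(reg, netid, resource, loa):
    """Return (allowed, reason). `loa` is the assurance level of the credential presented."""
    p = reg.get(netid)
    if p is None or not (p.affiliations - {"former-employee"}):
        return False, "not affiliated"
    rule = POLICY[resource]
    attrs = p.groups | {f"affiliation:{a}" for a in p.affiliations}
    if not (attrs & rule["any_of"]):
        return False, "no qualifying affiliation or group"
    if loa < rule["min_loa"]:
        return False, f"LOA {loa} below required {rule['min_loa']}"
    return True, "ok"


if __name__ == "__main__":
    registry = build_registry(HR_FEED, STUDENT_FEED, GRANTS_FEED)
    for nid in registry:
        print(nid, sorted(registry[nid].affiliations), sorted(registry[nid].groups))
    print("jdoe employee and student:", is_employee_and_student(registry, "jdoe"))
    print("jdoe PHI at LOA 1:", may_access(registry, "jdoe", "phi-records", 1))
    print("jdoe PHI at LOA 3:", may_access(registry, "jdoe", "phi-records", 3))
    print("asmith portal:", may_access(registry, "asmith", "library-staff-portal", 2))
```

Two design points carry over to real deployments: a terminated HR record still occupies its NetID (so the identifier is never reused for someone else), and the LOA check is applied per authentication event rather than stored on the person, because the same NetID may log in with credentials of different strength.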