Practical Issues Associated with Sharing Federated Services


Page 1: Practical Issues Associated with Sharing Federated Services

Identity Management

Practical Issues Associated with Sharing Federated Services

William A. Weems

The University of Texas Health Science Center at Houston

Page 2

What is the Collaborative Goal?

Make the sharing of restricted resources within an organization and across organizational boundaries as transparent to users as accessing public Web pages!

Page 3

Ideally, each individual would like a single digital credential that can be used securely to authenticate his or her identity whenever authentication of identity is required to secure a transaction.

Page 4

A Federated Credential

Allows a person to use her federated identity credential for single sign-on access to restricted service applications provided by federation members for which she has privileges.

Page 5

Ideally, a digital credential must

• positively identify a person,

• include the person’s permanent identifier

• positively identify the certifying authority - i.e. the identity provider (IdP),

• be presentable only by the person it authenticates,

• be tamper proof, and

• be accepted by all systems.

Page 6

What is Identity?

Two Categories of Identity

• Physical Identity – Assigned Identifier – Authentication
  – Facial picture
  – Fingerprints
  – DNA sample

• Identity Attributes – Authorization Attributes
  – Common name
  – Address
  – Institutional affiliations, e.g. faculty, student, staff, contractor
  – Specific group memberships
  – Roles
  – Entitlements for specific services
  – Etc.

Page 7

Identity Vetting & Credentialing

Diagram (reconstructed from the slide labels): the Identity Provider (IdP, uth.tmc.edu) obtains the person's physical characteristics, assigns an everlasting identifier that is permanently bound to that person and recorded in the Permanent Identity Database, and issues a Digital Credential that can be activated only by the person (Person Only Activation).

Page 8

UTHSC-H Identity Management System

Diagram (reconstructed from the slide labels):
– Source systems: HRMS, SIS, GMEIS, Guest, MSUTP, INDIS, OAC7, OAC47
– Identity Reconciliation & Provisioning Processes
– Person Registry
– Authoritative Enterprise Directories, with Sync to Secondary Directories
– Authentication Service and Authorization Service
– User Administration Tools: Change Password, Attribute Management

Page 9

Federal E-Authentication Initiative
http://www.cio.gov/eauthentication/

• Levels of assurance (different requirements)
  – Level 1 – e.g. no identity vetting
  – Level 2 – e.g. specific identity vetting requirements
  – Level 3 – e.g. cryptographic tokens required
  – Level 4 – e.g. cryptographic hard tokens required

• Credential Assessment Framework Suite (CAF)

Page 10

Federated Services: Identity Providers (IdP) & Resource Providers (RP)

Diagram (reconstructed from the slide labels):
– Identity Providers (IdP): uth.tmc.edu, utsystem.edu, bcm.edu, mdanderson.org, utmb.edu
– Resource Providers (RP): library.tmc.edu, Blackboard (uth.tmc.edu), GMEIS (uth.tmc.edu)
– Federation Assertion Service, e.g. InCommon
– Public Key Infrastructure
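The following added example is not part of the slide deck; it illustrates, in Python, the credential properties from page 5 (positively identifies the issuing IdP, carries a permanent identifier, is tamper-evident) as a relying party on page 10 would check them against the federation's trust list. The federation trust registry, the IdP keys and the user identifiers are constructed values, and per-issuer HMAC keys stand in for the X.509 signatures that real federation metadata distributes, so that the example runs with only the standard library.

```python
import hashlib
import hmac
import json
import time
from typing import Optional, Tuple

# Constructed stand-in for the federation's trust registry (the role InCommon
# metadata and the PKI play on the slide): entity ID of each member IdP mapped to
# the key the relying party uses to check that IdP's signature. A real federation
# distributes X.509 signing certificates in signed metadata; per-issuer HMAC keys
# are used here only so that the example runs with the standard library.
FEDERATION_TRUST_REGISTRY = {
    "uth.tmc.edu": b"constructed-demo-key-uth",
    "bcm.edu": b"constructed-demo-key-bcm",
}


def _canonical(payload: dict) -> bytes:
    """Deterministic serialisation so issuer and verifier sign the same bytes."""
    return json.dumps(payload, sort_keys=True, separators=(",", ":")).encode()


def issue_credential(issuer: str, key: bytes, permanent_id: str,
                     attributes: dict, ttl_seconds: int = 300,
                     now: Optional[float] = None) -> dict:
    """IdP side: bind the person's permanent identifier and attributes to the
    issuer with a signature, and give the credential a short lifetime."""
    now = time.time() if now is None else now
    payload = {
        "issuer": issuer,
        "permanent_id": permanent_id,   # e.g. an EPPN; values here are constructed
        "attributes": attributes,
        "issued_at": now,
        "expires_at": now + ttl_seconds,
    }
    signature = hmac.new(key, _canonical(payload), hashlib.sha256).hexdigest()
    return {"payload": payload, "signature": signature}


def verify_credential(credential: dict, registry: dict = FEDERATION_TRUST_REGISTRY,
                      now: Optional[float] = None) -> Tuple[bool, str, Optional[dict]]:
    """RP side: returns (accepted, reason, payload). Each check corresponds to one
    requirement on slide 5; the order matters, since nothing in an unsigned or
    unknown-issuer payload can be trusted, not even its expiry."""
    now = time.time() if now is None else now
    payload = credential.get("payload", {})
    key = registry.get(payload.get("issuer"))
    if key is None:
        return False, "unknown issuer", None        # certifying authority not identified
    expected = hmac.new(key, _canonical(payload), hashlib.sha256).hexdigest()
    if not hmac.compare_digest(expected, credential.get("signature", "")):
        return False, "signature mismatch", None    # tampered or forged
    if now >= payload.get("expires_at", 0):
        return False, "expired", None
    if not payload.get("permanent_id"):
        return False, "missing permanent identifier", None
    return True, "ok", payload


if __name__ == "__main__":
    cred = issue_credential("uth.tmc.edu", FEDERATION_TRUST_REGISTRY["uth.tmc.edu"],
                            "jdoe@uth.tmc.edu", {"affiliation": ["student"]})
    print(verify_credential(cred)[:2])                      # (True, 'ok')
    forged = {"payload": dict(cred["payload"]), "signature": cred["signature"]}
    forged["payload"]["permanent_id"] = "mallory@uth.tmc.edu"
    print(verify_credential(forged)[:2])                    # (False, 'signature mismatch')
```

The two properties the code does not cover are "presentable only by the person it authenticates" and "accepted by all systems": the first is the Person Only Activation step on page 7 (binding the credential to something only the holder controls), the second is what federation membership buys and cannot be checked locally.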

Pages 11-14

(Slide images only; no text was transcribed for these pages.)

Person Cannot Login to Their IdP Authentication Service

• Potential problems:
  – Does not know which password is being requested.
    • Page must define which service is requesting the username/password pair, e.g. UTEID in the previous example.
    • Login page must describe a help resource.
  – Person typed password incorrectly.
    • Person is told that "Authentication Failed" and to re-enter his password.

Page 16

Person Authenticated But Unauthorized

• Potential problems:
  – A statement only that "You Are Not Authorized" leaves an individual from another institution in the dark.
    • Who should the person contact?
      – Someone at their home institution?
      – Someone at the service provider institution?

• Solution:
  – Error page should provide guidance.
    • e.g. If the service is a Blackboard LMS, a statement like "Contact the course instructor, organizational leader or appropriate registrar's office to receive authorization for access."

Page 17

Multiple New Processes and Procedures to be Worked Through

• How are courses provisioned?
  – Manually: the BB administrator adds names and EPPNs (i.e. NetIDs) from lists provided by the sources of authority (SOAs) at the relying institutions for the appropriate courses?
  – Automatically: service provider applications (e.g. Blackboard) obtain authorization attributes from the IdP's attribute authority and provision the BB courses with the appropriate student information?
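As an added example that is not part of the slide deck, the Python below shows the resource-provider side of pages 16 and 17: an access decision for an already-authenticated user that first consults a manually provisioned roster, then falls back to entitlement attributes released by the IdP's attribute authority (automatic provisioning), and, when neither grants access, produces the kind of error-page guidance page 16 asks for instead of a bare "You Are Not Authorized". The roster, the entitlement URN, the help-desk contacts and the EPPNs are all constructed values, and the assertion is assumed to have already been verified as coming from a federation IdP.

```python
from dataclasses import dataclass
from typing import Dict, List, Set

# Constructed roster: each course mapped to the EPPNs (NetIDs) that the sources of
# authority (SOAs) at the relying institutions have listed for it. This is the
# list a Blackboard administrator would load under manual provisioning.
COURSE_ROSTERS: Dict[str, Set[str]] = {
    "BIOCHEM-501": {"jdoe@uth.tmc.edu", "asmith@bcm.edu"},
}

# Constructed mapping from an entitlement value released by an IdP's attribute
# authority to the course it grants. The URN is an assumed value, not a real one.
ENTITLEMENT_TO_COURSE: Dict[str, str] = {
    "urn:mace:example.org:course:BIOCHEM-501": "BIOCHEM-501",
}

# Constructed contact points, so the error page can tell a visitor from another
# institution whom to ask about their credential.
HOME_HELP_DESK: Dict[str, str] = {
    "uth.tmc.edu": "the UTHSC-H help desk (constructed contact)",
    "bcm.edu": "the BCM help desk (constructed contact)",
}
DEFAULT_HELP = "your home institution's help desk"


@dataclass
class AccessDecision:
    allowed: bool
    reason: str      # "roster", "entitlement", "not authorized", "incomplete assertion"
    guidance: str    # text for the error page; empty when access is allowed


def courses_from_entitlements(entitlements: List[str]) -> Set[str]:
    """Automatic provisioning input: which courses the IdP's attributes grant."""
    return {ENTITLEMENT_TO_COURSE[e] for e in entitlements if e in ENTITLEMENT_TO_COURSE}


def authorize(assertion: dict, course: str,
              rosters: Dict[str, Set[str]] = COURSE_ROSTERS) -> AccessDecision:
    """Decide access for an authenticated user. `assertion` is the verified
    attribute set from the IdP: at least `issuer` and `eppn`, optionally
    `entitlements`. The roster is read, never modified."""
    issuer = assertion.get("issuer")
    eppn = assertion.get("eppn")
    if not issuer or not eppn:
        # Authenticated, but the IdP released too little to authorize: the fix
        # lies with the home institution's attribute release, so say so.
        help_desk = HOME_HELP_DESK.get(issuer or "", DEFAULT_HELP)
        return AccessDecision(False, "incomplete assertion",
                              "Your home institution did not release the identifier this "
                              f"service needs (eppn). Ask {help_desk} to release it.")
    if eppn in rosters.get(course, set()):
        return AccessDecision(True, "roster", "")
    if course in courses_from_entitlements(assertion.get("entitlements", [])):
        return AccessDecision(True, "entitlement", "")
    # Authenticated but unauthorized: name both the identity that was used and
    # the people who can grant access, as page 16 recommends.
    help_desk = HOME_HELP_DESK.get(issuer, DEFAULT_HELP)
    return AccessDecision(False, "not authorized",
                          f"You signed in through {issuer} as {eppn}, but that identity is "
                          f"not enrolled in {course}. Contact the course instructor, "
                          "organizational leader or appropriate registrar's office to "
                          "receive authorization for access. For questions about your "
                          f"credential itself, contact {help_desk}.")


def auto_provision(assertion: dict,
                   rosters: Dict[str, Set[str]]) -> Dict[str, Set[str]]:
    """Automatic provisioning: add the user's EPPN to every course the IdP's
    entitlements grant, returning a new roster (the input is left untouched)."""
    updated = {c: set(members) for c, members in rosters.items()}
    for c in courses_from_entitlements(assertion.get("entitlements", [])):
        updated.setdefault(c, set()).add(assertion["eppn"])
    return updated


if __name__ == "__main__":
    visitor = {"issuer": "bcm.edu", "eppn": "nobody@bcm.edu", "entitlements": []}
    print(authorize(visitor, "BIOCHEM-501").guidance)
```

Keeping `authorize` free of side effects and putting the roster update in `auto_provision` keeps the two procedures from page 17 separable: a deployment can run manual provisioning only, automatic only, or both, and the decision logic stays the same.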