Practical Issues Associated with Sharing Federated Services
Transcript of Practical Issues Associated with Sharing Federated Services
Identity Management
Practical Issues Associated with Sharing Federated Services
William A. Weems
The University of Texas Health Science Center at Houston
2
What is the Collaborative Goal?
Make the sharing of restricted resources within an organization and across organizational boundaries as transparent to users as accessing public Web pages!
3
Ideally, each individual would like a single digital credential that can be securely used to authenticate his or her identity whenever authentication of identity is required to secure a transaction.
4
A Federated Credential
Allows a person to use her federated identity credential for single sign-on access to restricted service applications provided by federation members for which she has privileges.
5
Ideally, a digital credential must
• positively identify a person,
• include the person’s permanent identifier,
• positively identify the certifying authority - i.e. the identity provider (IdP),
• be presentable only by the person it authenticates,
• be tamper proof, and
• be accepted by all systems.
6
What is Identity?
Two Categories of Identity
• Physical Identity – Assigned Identifier – Authentication
– Facial picture
– Fingerprints
– DNA sample
• Identity Attributes – Authorization Attributes
– Common name
– Address
– Institutional affiliations, e.g. faculty, student, staff, contractor
– Specific group memberships
– Roles
– Entitlements for specific services
– Etc.
7
Identity Vetting & Credentialing (diagram)
The identity provider (IdP), e.g. uth.tmc.edu, obtains the person’s physical characteristics, assigns an everlasting identifier that is permanently bound to the person and recorded in the permanent identity database, and issues a digital credential that only that person can activate.
8
UTHSC-H Identity Management System (diagram)
Systems shown: HRMS, SIS, GMEIS, Guest, MSUTP, INDIS, OAC7, OAC47
Components shown: Person Registry; Authoritative Enterprise Directories; Secondary Directories (sync); Authorization Service; Authentication Service; User Administration Tools (Change Password, Attribute Management); Identity Reconciliation & Provisioning Processes
9
Federal E-Authentication Initiative (http://www.cio.gov/eauthentication/)
• Levels of assurance (different requirements)
– Level 1 – e.g. no identity vetting
– Level 2 – e.g. specific identity vetting requirements
– Level 3 – e.g. cryptographic tokens required
– Level 4 – e.g. cryptographic hard tokens required
• Credential Assessment Framework Suite (CAF)
10
Federated Services: Identity Providers (IdP) & Resource Providers (RP) (diagram)
Identity providers shown: uth.tmc.edu, utsystem.edu, bcm.edu, mdanderson.org, utmb.edu
Resource providers shown: library.tmc.edu, Blackboard (uth.tmc.edu), GMEIS (uth.tmc.edu)
Federation Assertion Service, e.g. InCommon, backed by a Public Key Infrastructure
Person Cannot Login to Their IdP Authentication Service
• Potential Problems:
– Does not know which password is being requested.
• Page must define which service is requesting the username/password pair, e.g. UTEID in the previous example.
• Login page must describe a help resource.
– Person typed password incorrectly.
• Person is told that “Authentication Failed” and to re-enter his password.
16
Person Authenticated But Unauthorized
• Potential Problems:
– A statement only that “You Are Not Authorized” leaves an individual from another institution in the dark.
• Who should the person contact?
– Someone at their home institution?
– Someone at the service provider institution?
• Solution:
– Error page should provide guidance.
• e.g. If the service is a Blackboard LMS, a statement like “Contact the course instructor, organizational leader or appropriate registrar’s office to receive authorization for access.”
17
Multiple New Processes and Procedures to be Worked Through
• How are courses provisioned?
– Manually: the BB administrator adds names and EPPNs (i.e. NetIDs) from lists provided by sources of authority (SOAs) at relying institutions for the appropriate courses?
– Automatically: service provider applications (e.g. Blackboard) obtain authorization attributes from the IdP’s attribute authority and provision the BB courses with the appropriate student information?
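An added example, not from the presentation, of the resource-provider side of the last two slides: it accepts a course either from a manually loaded EPPN roster or from group attributes released by the IdP’s attribute authority, checks that the asserting IdP is entitled to the EPPN’s scope, and returns the guidance text the error page should show. Attribute names follow the eduPerson schema; the roster, entity IDs and group URN are constructed placeholders.

```python
from dataclasses import dataclass

# Constructed sample data (not from the presentation).
# Manual provisioning: the BB administrator loads EPPNs from SOA-supplied lists.
COURSE_ROSTER = {"BIOS101": {"jdoe@uth.tmc.edu", "asmith@bcm.edu"}}
# Automatic provisioning: group memberships asserted by the IdP's attribute authority.
COURSE_GROUPS = {"BIOS101": {"urn:mace:uth.tmc.edu:group:bios101-students"}}
# Scope -> IdP entityID for federation members this RP trusts (from federation metadata).
TRUSTED_SCOPES = {"uth.tmc.edu": "https://idp.uth.tmc.edu/idp",
                  "bcm.edu": "https://idp.bcm.edu/idp"}

@dataclass
class Decision:
    allowed: bool
    reason: str          # machine-readable outcome for logging
    help_text: str = ""  # what the error page should tell the person

def authorize(course: str, issuer: str, attrs: dict) -> Decision:
    """Access decision for a federated login to `course`.

    `issuer` is the entityID of the IdP that signed the assertion; `attrs` are the
    released eduPerson attributes (signature already verified upstream)."""
    eppn = attrs.get("eduPersonPrincipalName", "")
    if "@" not in eppn:
        return Decision(False, "no_identifier",
                        "Your identity provider released no principal name; "
                        "contact the help desk at your home institution.")
    scope = eppn.rsplit("@", 1)[1]
    # Scope check: an IdP may only assert identifiers in its own scope; without
    # this, one federation member could assert another member's users.
    if TRUSTED_SCOPES.get(scope) != issuer:
        return Decision(False, "scope_mismatch",
                        f"{issuer} is not authorized to assert identities for "
                        f"{scope}; access refused.")
    groups = set(attrs.get("isMemberOf", []))
    if eppn in COURSE_ROSTER.get(course, set()) or groups & COURSE_GROUPS.get(course, set()):
        return Decision(True, "authorized")
    # Authenticated but unauthorized: tell the person whom to contact.
    return Decision(False, "not_authorized",
                    f"You are signed in as {eppn} but are not enrolled in {course}. "
                    "Contact the course instructor, organizational leader or the "
                    "appropriate registrar's office to receive authorization.")
```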