SOCIAL IDENTITIES IN HIGHER ED: WHY AND HOW WITH REAL-WORLD EXAMPLES
Todd Haddaway, University of Maryland, Baltimore County; Jacob Farmer, Indiana University; Dedra Chamberlin, Cirrus Identity
© 2015 Internet2
[ 2 ]
OVERVIEW
Social identities in higher ed: why and how with real-world examples
1. Business drivers for social identity integration
2. Gateways
3. Risk Assessment
4. Data Management and Privacy
5. Real-world example – UMBC parent access to PeopleSoft
6. Social -> SAML -> CAS -- IndianaU CAS/SAML/Social ID combo
7. Companion Services – Invitation, Account Linking
8. Closing
[ 4 ]
How Universities Do Business (diagram: the university's Services on one side, its Customers on the other, joined by a login form: “Login with your University Account:” with Username and Password fields)
“Arms Length” Customers
• Parents
• Alumni/Donors
• Research Collaborators
• Continuing Ed Students
• Guest Faculty
• Prospective Students
[ 9 ]
Guest Accounts Only!
[ 10 ]
Guest Accounts and Their Cost (diagram: a sum of pictured cost items, “+ + =”; the items themselves were images and are not in the transcript)
[ 11 ]
Accessing a University Service (mock-up: the University of Fabulous Alumni Services Portal, with “Login with your University Account:” and Username / Password fields)
[ 12 ]
Five Stages of Password Recovery (mock-up sequence on the University of Fabulous Alumni Services Portal; every attempt to log in with a University Account is answered with: “Sorry. The username and/or password you entered are incorrect. Please try again or submit a forgot password request.”)
Denial – Sue / Sm@rtypants!
[ 13 ]
Anger – Sue / Sm@rtypants!
[ 14 ] – [ 17 ]
Bargaining – Sue / Sm@rtypants!, then Sue / 1tsR33lyM3, then Susan / 1tsR33lyM3, then Susan / Sm@rtypants!
[ 18 ]
Depression – Susan / Sm@rtypants!
[ 19 ]
Acceptance
• Go through the password reset process
• Keep password file on local device (encrypted or not)
• Use a password manager like LastPass
• Keep more post-it notes
[ 20 ]
The portal login gains a second option under the University Account fields: “Don’t have (or remember) your University Account info? Login with:” (the provider options that follow were images and are not in the transcript)
[ 21 ]
Create a Virtual Gateway to Expand Access (diagram: Prospective Students, Alumni/Donors, Research Collaborators, Guest Faculty, Parents and Continuing Ed Students reaching the university through a virtual gateway)
[ 23 ]
Sharing Services Across Institutions (diagram sequence, slides 23 to 28)
[ 23 ] A Service used by Campus 1, Campus 2, Campus 3 and Campus 4.
[ 24 ] The campuses and the Service sit inside a Trust Framework.
[ 25 ] Within the Trust Framework, the campuses reach the Service via SAML.
[ 26 ] Google and Facebook appear alongside the campuses, speaking OAuth rather than SAML.
• Social providers do not belong to the identity federation
• Social providers use different authentication protocols
[ 27 ] A Gateway Service is introduced: Google sits behind it, and the gateway presents Google logins to the Service via SAML.
[ 28 ] The same arrangement with Campus 1, Campus 2, Campus 3 and Google behind the Gateway Service, all reaching the Service via SAML.
[ 30 ]
Social Identity Risks
• Trust – is this user who they say they are?
• Social providers change their practices
  – Google migration to OpenID Connect
  – LinkedIn APIs agreement changes
  – Google addition of fees for Google Cloud Service
• Inconsistent data and coping with user-driven updates
  – Facebook email
  – Twitter no email
  – MS WindowsLive multivalued email
• Using gateways as more than a broker creates lock-in risks
[ 32 ]
Data Management and Attributes
• Users provide data to social providers; agree to terms
• Social providers expose that data via their APIs
• Gateways act as a broker
• Attribute mapping
• Attribute enrichment (and associated workflow)
Key question: How much do you want to tie a service to the gateway service?
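The risk slide's inconsistent email data (Facebook optional, Twitter absent, WindowsLive multi-valued) and the attribute mapping a gateway performs can be made concrete. The Python below is an added example, not code from the deck or from Cirrus Identity, UMBC or IU: a gateway-side normalization step that takes raw claims from four social providers, derives a stable pairwise identifier that does not depend on email, and releases only the attributes it can vouch for. The provider claim shapes, the released attribute names, the salt and the sample claims are all assumptions constructed for the example.

```python
import hashlib
from dataclasses import dataclass, field
from typing import Dict, List, Optional, Tuple

# Constructed salt for this example; a real gateway keeps it secret and per-deployment.
GATEWAY_SALT = b"example-gateway-salt"

# Which raw claim carries the provider's own user id (claim shapes are assumptions).
SUBJECT_CLAIM = {"google": "sub", "facebook": "id", "twitter": "id_str", "windowslive": "id"}


@dataclass
class NormalizedIdentity:
    provider: str
    subject_id: str             # opaque identifier scoped to this gateway
    display_name: str
    email: Optional[str]        # None when the provider asserts no email
    email_verified: bool        # True only when the provider says so explicitly
    warnings: List[str] = field(default_factory=list)


def pairwise_id(provider: str, provider_user_id: str) -> str:
    """Stable identifier derived from (provider, provider user id).

    Email is deliberately left out: users change it, some providers never
    assert it, and the same address can appear at several providers.
    """
    material = GATEWAY_SALT + provider.encode() + b"|" + provider_user_id.encode()
    return provider + ":" + hashlib.sha256(material).hexdigest()[:32]


def _pick_email(provider: str, claims: dict, warnings: List[str]) -> Tuple[Optional[str], bool]:
    """Return (email, verified) according to each provider's assumed claim shape."""
    if provider == "google":
        # OpenID Connect style: email plus an explicit email_verified flag
        email = claims.get("email")
        return email, bool(email and claims.get("email_verified"))
    if provider == "facebook":
        # Email is present only if the user granted that permission
        email = claims.get("email")
        if email is None:
            warnings.append("facebook: no email granted; SP must not require one")
        return email, False
    if provider == "twitter":
        # The profile carries no email at all
        warnings.append("twitter: provider asserts no email")
        return None, False
    if provider == "windowslive":
        # Multi-valued: {"preferred": ..., "account": ..., "personal": ..., "business": ...}
        emails = claims.get("emails") or {}
        candidates = [v for v in emails.values() if v]
        if not candidates:
            warnings.append("windowslive: no email values")
            return None, False
        if len(set(candidates)) > 1:
            warnings.append("windowslive: %d distinct emails, using preferred" % len(set(candidates)))
        return emails.get("preferred") or candidates[0], False
    raise ValueError("unsupported provider: %r" % provider)


def normalize(provider: str, claims: dict) -> NormalizedIdentity:
    """Map raw provider claims to the one attribute set the gateway releases."""
    if provider not in SUBJECT_CLAIM:
        raise ValueError("unsupported provider: %r" % provider)
    raw_id = claims.get(SUBJECT_CLAIM[provider])
    if not raw_id:
        raise ValueError("%s: missing subject identifier" % provider)
    warnings: List[str] = []
    email, verified = _pick_email(provider, claims, warnings)
    return NormalizedIdentity(provider, pairwise_id(provider, str(raw_id)),
                              claims.get("name", ""), email, verified, warnings)


def saml_attributes(identity: NormalizedIdentity) -> Dict[str, str]:
    """Attributes released to the SP; 'mail' is omitted rather than guessed."""
    attrs = {"subject": identity.subject_id, "displayName": identity.display_name}
    if identity.email is not None:
        attrs["mail"] = identity.email
        attrs["mailVerified"] = "true" if identity.email_verified else "false"
    return attrs


def missing_required(identity: NormalizedIdentity, required: set) -> set:
    """Attributes an SP requires that this login cannot supply (e.g. {'mail'})."""
    return set(required) - set(saml_attributes(identity))


# Constructed sample claims, one per provider shape named on the risk slide.
SAMPLE_CLAIMS = {
    "google": {"sub": "110248495921238986420", "name": "Sue Smartypants",
               "email": "sue@example.edu", "email_verified": True},
    "facebook": {"id": "1234567890", "name": "Sue Smartypants"},
    "twitter": {"id_str": "783214", "name": "Sue", "screen_name": "sue_s"},
    "windowslive": {"id": "8c8ce076ca27823f", "name": "Susan",
                    "emails": {"preferred": "susan@example.org", "account": "susan@example.org",
                               "personal": "sue.alt@example.org", "business": None}},
}

if __name__ == "__main__":
    for prov, claims in SAMPLE_CLAIMS.items():
        ident = normalize(prov, claims)
        print(prov, saml_attributes(ident), ident.warnings, missing_required(ident, {"mail"}))
```

The design point is that the SP sees one attribute shape regardless of provider, and a login that cannot supply an attribute the SP requires fails closed at the gateway (`missing_required`) instead of the SP receiving an empty or guessed value; the `warnings` list is what an operator would log to see which provider quirk was hit.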
[ 33 ]
API Integration and Data Flow – Service Provider Integration (diagram)
Components: Social Identity Providers -> APIs -> Gateway -> SAML -> Campus SPs (Applications, Enterprise Databases, Campus IDMS)
Labels: End User Authentication; Campus Admins; API key and secret
[ 34 ]
Campus Level Integration (diagram with the same components: Social Identity Providers -> APIs -> Gateway -> SAML -> Campus SPs (Applications, Enterprise Databases, Campus IDMS); labels: End User Authentication; Campus Admins; API key and secret)
[ 35 ]
Benefits of SP Level Integration
• API limits set per SP, not for the entire campus
• SP-specific info on the User Consent screen during the login flow – increases trust
[ 36 ]
User Consent Screen (screenshot; not preserved in the transcript)
[ 37 ]
Privacy
• API access to user data
• Exposing and mining user data
• Helping users understand where data originates, how it is stored and shared
• User visibility into data
[ 39 ] – [ 40 ]
Real-world example – UMBC parent access to PeopleSoft (slides 39 and 40 are images; the only caption preserved is “Grades??”)
[ 41 ]
Social Identities at UMBC
• Students use an invitation system to grant or revoke access
• Using Google and Facebook credentials
• Access to information becomes an issue between the student and their parent
• Eliminates a paper system of “permission to view”
[ 42 ]
Social Identities at UMBC
Today students can share
• Course schedule
• Grades
Coming soon
• Student finances (view account balance and details)
• Financial Aid (view awards and award status)
• Advising (view notes taken during advising sessions)
[ 43 ]
Social Identities at UMBC
Live Demo (well, HOPEFULLY live)
[ 45 ]
Social to SAML is great…
…if your applications are using SAML. But what if you have a broad, diverse community of applications that are tied to using CAS, and that are accustomed to having a globally unique identifier available for all of their users?
IU’s Answer: Work with a partner to build a Social -> SAML -> CAS gateway
[ 47 ]
Invitation
• If you don’t want everyone with a Google Account to be authorized
• Pre-provision authorized users
• Sponsorship confers some degree of trust
• Some methods:
  – MACE Grouper for campus-wide guests
  – App-specific invitation
  – Gateway-based invitation/authorization
[ 48 ]
Account Linking
• Service Providers may expect a specific attribute or identifier that a social identity provider won’t assert
• Account linking ties together a variety of attributes and identifiers across multiple identity providers
• Users choose how to log in, the app gets the attribute(s) it expects
[ 49 ] – [ 70 ]
Account Linking (animated diagram built up over slides 49 to 70): Campus 1, Campus 2, Campus 3, Google and Facebook sit behind the Gateway Service, which speaks SAML to the Campus Service. An Account Linking Service with its Account Linking DB maps the Campus Identifier and the Service Identifier to each other; one frame labels the stored pair as Campus Attr / Social Attr.
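The UMBC invitation system (students grant or revoke a parent's access) and the Invitation and Account Linking slides describe one pattern: pre-provision who may come in, then map whatever identifier the social provider gives to the identifier the campus application expects. The Python below is an added example, not UMBC's, IU's or Cirrus Identity's code, that models the pattern in memory: a student issues a single-use, expiring invitation with a chosen set of scopes; the guest redeems it through a social login (identified by a gateway-scoped subject such as the pairwise identifier a gateway would produce); the service links that subject to a guest identifier; the application only ever sees the guest identifier; and the sponsoring student can revoke the grant. Scope names, the guest identifier format, the one-week lifetime and all sample values are assumptions.

```python
import secrets
import time
from dataclasses import dataclass, field
from typing import Dict, Optional, Set

INVITATION_TTL_SECONDS = 7 * 24 * 3600   # assumed policy: invitations expire after a week


@dataclass
class Invitation:
    token: str
    sponsor: str                  # campus identifier of the student issuing it
    invitee_email: str            # address the student sent it to
    scopes: frozenset             # what the student agreed to share
    expires_at: float
    redeemed_by: Optional[str] = None


@dataclass
class Link:
    social_subject: str           # gateway-scoped social identifier, e.g. "google:3f9a..."
    guest_id: str                 # stable campus-side identifier the application expects
    grants: Dict[str, Set[str]] = field(default_factory=dict)   # sponsor -> scopes


class AccountLinkingService:
    """Invitation-gated linking of social logins to campus guest identifiers."""

    def __init__(self) -> None:
        self.invitations: Dict[str, Invitation] = {}
        self.links: Dict[str, Link] = {}      # keyed by social_subject
        self._next_guest = 1

    def invite(self, sponsor: str, invitee_email: str, scopes, now: Optional[float] = None) -> str:
        """A student pre-provisions one guest; returns the single-use token to send them."""
        token = secrets.token_urlsafe(24)
        issued = now if now is not None else time.time()
        self.invitations[token] = Invitation(token, sponsor, invitee_email.strip().lower(),
                                             frozenset(scopes), issued + INVITATION_TTL_SECONDS)
        return token

    def redeem(self, token: str, social_subject: str, asserted_email: Optional[str],
               now: Optional[float] = None) -> Link:
        """The guest arrives via the gateway with a social identity and the invitation token."""
        inv = self.invitations.get(token)
        if inv is None or inv.redeemed_by is not None:
            raise PermissionError("invitation unknown or already used")
        if (now if now is not None else time.time()) > inv.expires_at:
            raise PermissionError("invitation expired")
        # Possession of the unguessable single-use token is what authorizes.  The
        # provider's email, when it asserts one, is a consistency check against a
        # forwarded invitation; providers that assert no email still work.
        if asserted_email is not None and asserted_email.strip().lower() != inv.invitee_email:
            raise PermissionError("invitation was issued to a different address")
        inv.redeemed_by = social_subject
        link = self.links.get(social_subject)
        if link is None:
            link = Link(social_subject, "guest-%06d" % self._next_guest)
            self._next_guest += 1
            self.links[social_subject] = link
        # A parent of two students accumulates grants under one guest identifier.
        link.grants.setdefault(inv.sponsor, set()).update(inv.scopes)
        return link

    def guest_identifier(self, social_subject: str) -> Optional[str]:
        """The attribute released to the application; None for un-invited social users."""
        link = self.links.get(social_subject)
        return link.guest_id if link and link.grants else None

    def permitted_students(self, social_subject: str, scope: str) -> Set[str]:
        """Which students' data of kind `scope` this guest may view."""
        link = self.links.get(social_subject)
        if link is None:
            return set()
        return {sponsor for sponsor, scopes in link.grants.items() if scope in scopes}

    def revoke(self, sponsor: str, guest_id: str) -> None:
        """Only the student who granted access can take it away."""
        for link in self.links.values():
            if link.guest_id == guest_id and sponsor in link.grants:
                del link.grants[sponsor]
                return
        raise PermissionError("no grant from this sponsor to that guest")
```

The application never keys on the social identity itself: it receives `guest_id`, which stays constant if the parent later logs in through a different provider that is linked to the same record, and authorization is answered per scope so that "grades" can be revoked while "schedule" remains shared. Anyone arriving with a Google account but no redeemed invitation gets no guest identifier at all, which is the "not everyone with a Google Account is authorized" property the Invitation slide asks for.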
[ 72 ]
Resources and Contacts
InCommon Workgroups:
• Social Identities Workgroup – https://spaces.internet2.edu/display/socialid/Home
• External Identities Workgroup – https://spaces.internet2.edu/display/EXTID/Home
Todd Haddaway – [email protected]
Jacob Farmer – [email protected]
Dedra Chamberlin – [email protected]