Practical Tools for Implementing Authentication and Managing Authorization Educause SWR 2007 Barry...


Practical Tools for Implementing Authentication and Managing

AuthorizationEducause SWR 2007

Barry Ribbeck

Director of Systems, Architecture and Infrastructure

Rice University

Thanks To Andrea Beesing, Cornell for the permission to use some of the material presented here

Subliminal humour by Steven Wright

Copyright Barry Ribbeck and Andrea Beesing 2007. This work is the intellectual property of the authors. Permission is granted for this material to be shared for non-commercial, educational purposes, provided that this copyright statement appears on the reproduced materials and notice is given that the copying is by permission of the author. To disseminate otherwise or to republish requires written permission from the author.

Rice Time Line

(Slide figure; only its labels survived extraction and their positions on the timeline are lost. Labels as extracted: Mainframe era; Ken Kennedy & Parallel Computing; Growing Silos of AuthX; 1985; Enterprise Directory, Kerberos; 2001-04; 1999; 2005 GuestID & Shibboleth; 2008; 2008; Grouper; 2006-07; 2007-08; Signet; YON; Mosaic 1992; New Network; 2005; I2 Shibboleth & Federations; Join InCommon.)

Rice University

S.W.: 47.3% of all statistics are made up on the spot.

• Located in Houston adjacent to Texas Medical Center
• ~5000 Students
• ~1000 Faculty
• ~2000 Staff
• Tens of thousands of Alumni
• Uncounted Friends

Groups and Roles

S.W.: Some people would kill for a Nobel Peace Prize!

• Groups abstractly associate people into rational collections. Groups are tools that allow us to scale access control more easily.
• Roles are groupings of privileges.
• Associating groups to roles provides a method to scale access control: membership changes drive privilege changes without editing each application.

Identity, Credentials and LOA

S.W.: Half the people you know are below average.

• Who are you to me?
• How do I know it is you logging in?
• How do we measure trust in the offered credential?
• What tools do I use to assert an identity credential?
• What tools do I use to trust your identity and credentialing processes?

Levels Of Assurance (LOA): Credential Trust Metric

S.W.: Why do psychics have to ask your name?

(Slide figure; the tiers, in the order the slide lists them:)
• Traditional well-known community (faculty, staff, students, alumni)
• Proxy-asserted affiliates and federated users
• Self-asserted affiliates
• Unknown masses

The Business Context

S.W.: Everyone who believes in psycho-kinesis, raise my hand.

• Legislation driving better controls over access to information
– Authorized use only
– Understanding who, when, why
• Privacy concerns
• Continued high demand for new online services
• Interest in identity federation for collaboration and leveraging investments
• Need to align with granting agency requirements

From Kansas to Oz

S.W.: 99% of lawyers give the rest a bad name.

• Enhancing authorization
– Distributed access management solution
– Grouper for group management
– Signet for privilege management
• Enhancing authentication
– Getting ready for federation = attention to business processes and policy
– Resources and tools provided by NMI and EDUCAUSE can help at this stage or any stage

What happens if you are scared half to death – twice?

What is Distributed Access Management

S.W.: To steal ideas from one person is plagiarism, to steal from many is research.

• Addresses the challenge of
– Managing access rights for many types of users for many resources
– Ensuring that access rights are adjusted as the individual’s relationship to the institution changes
• Set of central services in a distributed management model
• Tied into your identity management and integrated through common middleware

Creating Leveraged Resources: A Phased Approach

• Authentication
– Authentication - Kerberos, Web ISO
– Automated credential management - (Home Grown and Commercial Products)
– Identity Repositories - Person Registries
• Authorization
– Authorization Repositories - Directories
– Group Management - Grouper
– Privilege Management - Signet

AuthN & AuthZ: not just technology

(Slide diagram; only its labels survived extraction: Business processes; Policy; Technology; Authentication of IT Resources; Information Security of Institutional Data; Training and awareness; Account management; Identification and registration; Kerberos; Grouper; Signet; Directory; Ensuring users have ready access to information and resources they are entitled to; Data access standards.)

Aligning IT with business process and policy: Grouper example

(Slide diagram; only its labels survived extraction: Unit Head, College of Sciences; Grouper stem: Admin 1: Dan, Admin 2: Tim; Grouper stem: Statistics, Admin: Marion; Grouper stem: Math, Admin: Judy; Grouper stem: Engineering, Admin: Joe; Math & Stats faculty; Math students; ECE Students; Data access policy & standards.)

Other Grouper Features

• Common API for program access
• Better integration with applications and other middleware components
• Better support for automated provisioning of institutional groups/roles based on source data
• Common interface for users, customizable using Tiles and Struts

Other Grouper Features

• Sophisticated group management capabilities to support many access management needs
– Subgroups
– Allows useful actions on these groups: group math, group nesting, negative authorizations
– Traceback of indirect membership
– Subscription feature
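The group features listed above and the groups-to-roles mapping from the Groups and Roles slide, as an added example that is not Grouper code and not part of the original deck. It models subgroups (nesting), group math (union, intersection, and complement as a negative authorization) and traceback of indirect membership, then resolves a subject's privileges through role bindings. All stem names, subjects, roles and privileges are constructed for illustration.

```python
"""Added example (not Grouper code): a toy group registry showing nesting,
group math, negative authorizations, traceback of indirect membership and
the groups -> roles -> privileges mapping. All names and data are constructed."""
from __future__ import annotations
from dataclasses import dataclass, field
from typing import Optional


@dataclass
class Group:
    name: str                                        # stem-qualified name, e.g. "sciences:math:faculty"
    members: set[str] = field(default_factory=set)   # direct subject members
    subgroups: set[str] = field(default_factory=set) # nested member groups, by name
    # group math: ("union" | "intersection" | "complement", left_group, right_group)
    # "complement" = left minus right, i.e. a negative authorization
    composite: Optional[tuple[str, str, str]] = None


class GroupRegistry:
    def __init__(self) -> None:
        self.groups: dict[str, Group] = {}

    def add(self, group: Group) -> Group:
        self.groups[group.name] = group
        return group

    def effective_members(self, name: str, _seen: frozenset[str] = frozenset()) -> dict[str, list[str]]:
        """Resolve effective membership of `name`.

        Returns {subject: path}, where path lists the groups traversed from
        `name` down to the group holding the subject directly (the traceback
        of indirect membership). Cycles in nesting are ignored."""
        if name in _seen:
            return {}
        seen = _seen | {name}
        group = self.groups[name]
        if group.composite:
            op, left, right = group.composite
            lhs = self.effective_members(left, seen)
            rhs = self.effective_members(right, seen)
            if op == "union":
                subjects = set(lhs) | set(rhs)
            elif op == "intersection":
                subjects = set(lhs) & set(rhs)
            elif op == "complement":
                subjects = set(lhs) - set(rhs)
            else:
                raise ValueError(f"unknown group operation {op!r}")
            return {s: [name] + (lhs.get(s) or rhs[s]) for s in subjects}
        result = {s: [name] for s in group.members}
        for sub in sorted(group.subgroups):          # sorted so the kept path is deterministic
            for subject, path in self.effective_members(sub, seen).items():
                result.setdefault(subject, [name] + path)
        return result


# Roles are groupings of privileges; groups are bound to roles so that a
# membership change drives a privilege change without touching applications.
ROLE_PRIVILEGES = {
    "gradebook-editor": {"gradebook:write", "gradebook:read"},
    "directory-reader": {"directory:read"},
}
ROLE_GROUPS = {
    "gradebook-editor": {"sciences:faculty:active"},
    "directory-reader": {"sciences:faculty"},
}


def privileges_for(registry: GroupRegistry, subject: str) -> dict[str, tuple[str, list[str]]]:
    """Return {privilege: (role, membership path)}: the 'why' behind each grant."""
    privileges: dict[str, tuple[str, list[str]]] = {}
    for role, groups in sorted(ROLE_GROUPS.items()):
        for group_name in sorted(groups):
            path = registry.effective_members(group_name).get(subject)
            if path:
                for privilege in ROLE_PRIVILEGES[role]:
                    privileges.setdefault(privilege, (role, path))
    return privileges


def build_registry() -> GroupRegistry:
    """Constructed sample data loosely following the College of Sciences stems on the slide."""
    reg = GroupRegistry()
    reg.add(Group("sciences:math:faculty", members={"judy", "alice"}))
    reg.add(Group("sciences:stats:faculty", members={"marion", "bob"}))
    # group math: Math & Stats faculty is the union of the two department groups
    reg.add(Group("sciences:mathstats:faculty",
                  composite=("union", "sciences:math:faculty", "sciences:stats:faculty")))
    # nesting: the college faculty group contains the combined group as a subgroup
    reg.add(Group("sciences:faculty", subgroups={"sciences:mathstats:faculty"}))
    reg.add(Group("sciences:on_leave", members={"bob"}))
    # negative authorization: active faculty = faculty minus those on leave
    reg.add(Group("sciences:faculty:active",
                  composite=("complement", "sciences:faculty", "sciences:on_leave")))
    return reg


if __name__ == "__main__":
    reg = build_registry()
    for subject in ("alice", "bob"):
        print(subject, privileges_for(reg, subject))
```

Note that the negative authorization only removes bob from the composed group: he keeps `directory:read` through `sciences:faculty` while losing the gradebook privileges, and the returned path shows exactly which chain of groups produced each grant.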

Signet: Privilege Management Tool

• Central repository for privilege information—who, what, when, why

• Maps assigned privileges into system-specific terms needed by applications

• Privileges are exported into applications and infrastructure services using the appropriate notification mechanisms (e-mail, XML, webMethods, etc.)

• Web-based UI for managers and holders of privileges

• Supports life cycle controls for privileges

Signet: Use case #1 - Self Service

• A user requests a change in account range or group in the Accounting Data Warehouse
– Self-granting privilege with a prerequisite for approval
– Request triggers email to the person who can grant the privilege

Signet: Use Case #2

• An application with its own authorization database wants to use the Signet UI as its front-end
– The application’s authZ scheme can be integrated into Signet as a subsystem. An initial synchronization is done to populate Signet with current privilege info from the application
– When a privilege change is made in Signet, a message is forwarded to the application’s internal database in the correct format
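The Signet ideas on the preceding slides (a privilege record capturing who, what, when and why; life-cycle controls; the self-service request with an approval prerequisite from use case #1; and export into an application's own format as in use case #2), as an added example that is not Signet code and not part of the original deck. The field names, the approver table, the Accounting Data Warehouse (ADW) row format and the sample request are all constructed for illustration.

```python
"""Added example (not Signet code): a toy privilege store with life-cycle
controls, a self-service approval flow and an application-specific export.
Field names, approvers, the ADW row format and the sample data are constructed."""
from __future__ import annotations
from dataclasses import dataclass
from datetime import date
from typing import Optional
import json

# Constructed: who is allowed to grant each privilege function
APPROVERS = {"adw:account-range": "dan"}


@dataclass
class Assignment:
    grantee: str                    # who holds the privilege
    function: str                   # what: the privilege function, e.g. "adw:account-range"
    scope: str                      # where it applies, e.g. "dept:statistics"
    limits: dict[str, str]          # system-specific limits, e.g. {"account_range": "1000-1999"}
    grantor: str                    # who granted it
    reason: str                     # why
    effective: date                 # when it starts (inclusive)
    expires: Optional[date] = None  # when it ends (inclusive); None = open-ended
    needs_approval: bool = False
    approved_by: Optional[str] = None
    revoked: bool = False

    def status(self, on: date) -> str:
        """Life-cycle state of this assignment on a given day."""
        if self.revoked:
            return "revoked"
        if self.needs_approval and self.approved_by is None:
            return "pending"
        if on < self.effective:
            return "future"
        if self.expires is not None and on > self.expires:
            return "expired"
        return "active"


class PrivilegeStore:
    def __init__(self) -> None:
        self.assignments: list[Assignment] = []

    def request(self, grantee: str, function: str, scope: str, limits: dict[str, str],
                reason: str, effective: str) -> dict[str, str]:
        """Self-service request (use case #1): recorded at once but inactive until
        the designated approver grants it. Returns the notification that would be
        e-mailed to that approver."""
        if function not in APPROVERS:
            raise KeyError(f"no approver configured for {function}")
        assignment = Assignment(grantee=grantee, function=function, scope=scope, limits=limits,
                                grantor=grantee, reason=reason,
                                effective=date.fromisoformat(effective), needs_approval=True)
        self.assignments.append(assignment)
        return {"to": APPROVERS[function],
                "subject": f"Approval needed: {grantee} requests {function} {limits} in {scope}",
                "body": reason}

    def approve(self, assignment: Assignment, approver: str, expires: Optional[str] = None) -> None:
        """Only the configured approver may grant; the record keeps the actual grantor."""
        if approver != APPROVERS[assignment.function]:
            raise PermissionError(f"{approver} may not grant {assignment.function}")
        assignment.approved_by = approver
        assignment.grantor = approver
        assignment.expires = date.fromisoformat(expires) if expires else None

    def revoke(self, assignment: Assignment) -> None:
        assignment.revoked = True

    def active_for(self, grantee: str, on: str) -> list[Assignment]:
        day = date.fromisoformat(on)
        return [a for a in self.assignments if a.grantee == grantee and a.status(day) == "active"]

    def export_adw(self, on: str) -> str:
        """Map active account-range privileges into the (constructed) row format the
        ADW consumes: numeric bounds rather than the store's own limit strings."""
        day = date.fromisoformat(on)
        rows = []
        for a in self.assignments:
            if a.function == "adw:account-range" and a.status(day) == "active":
                lo, hi = (int(x) for x in a.limits["account_range"].split("-"))
                rows.append({"user": a.grantee, "acct_lo": lo, "acct_hi": hi,
                             "granted_by": a.grantor, "scope": a.scope})
        return json.dumps(sorted(rows, key=lambda r: r["user"]), sort_keys=True)


def run_scenario() -> dict[str, object]:
    """Constructed walk-through of use case #1, returning the observable results."""
    store = PrivilegeStore()
    note = store.request("marion", "adw:account-range", "dept:statistics",
                         {"account_range": "1000-1999"}, "new grant account", "2007-09-01")
    req = store.assignments[0]
    before = req.status(date(2007, 9, 2))
    try:
        store.approve(req, "tim")            # wrong approver: must be refused
        wrong_approver_refused = False
    except PermissionError:
        wrong_approver_refused = True
    store.approve(req, "dan", expires="2008-08-31")
    return {
        "notified": note["to"],
        "status_before_approval": before,
        "wrong_approver_refused": wrong_approver_refused,
        "status_after_approval": req.status(date(2007, 9, 2)),
        "status_after_expiry": req.status(date(2008, 9, 1)),
        "export_while_active": store.export_adw("2007-09-02"),
        "export_after_expiry": store.export_adw("2008-09-01"),
    }


if __name__ == "__main__":
    print(json.dumps(run_scenario(), indent=2))
```

The point of keeping expiry and approval state in the central record is that the export is derived from it on every run: once the assignment expires or is revoked, the next export to the application simply omits the row, so the application never has to implement its own life-cycle logic.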

Signet Interface example

IAM/IdM: The Big Picture

What is Federated identity

The agreements, standards, and technologies that make identity and entitlements portable across autonomous domains

TRANSLATION:

I can access a Grid resource at Penn State using my Rice NetID and password because I’m collaborating with a researcher there.

AuthN: Challenges in a federated world

• Service providers want to know things like:
– How do you accomplish identity proofing and registration?
– How do you confirm delivery of credentials?
– Does your authentication protocol resist online password guessing?

• Federal government is driving the development of standards for assessing level of assurance (LoA)

• LoA determines the measure of trust a service provider has agreed to accept regarding the credentials presented in a federated authentication transaction.

• Strategy for aligning authentication with broader goals is important

The NMI-EDIT Roadmap can help

S.W.: A conclusion is a place you go when you get tired of thinking.

• Step by step approach aimed at considering broader issues related to authentication
• Draws on wealth of experience within higher education
– Case studies
– Policy examples
– Roadmaps
• Tools for assessing gaps in LoAs

Resources

• NMI-EDIT Enterprise Authentication Implementation Roadmap: http://www.nmi-edit.org/roadmap/draft-authn-roadmap-03/
• Grouper site: http://grouper.internet2.edu
• Signet site: http://signet.internet2.edu
– Cornell Identity Management program site: http://www.cit.cornell.edu/services/identity/
• Cornell IT Policy Office web site: http://www.cit.cornell.edu/oit/PolicyOffice.html