NSF Middleware Initiative: Identity and Privilege Management Model
description
Transcript of NSF Middleware Initiative: Identity and Privilege Management Model
Practices from the Field
NSF Middleware Initiative: Identity and Privilege
Management Model
Michael Gettes, Duke University
Jim Phelps, UW-MadisonEDUCAUSE October 2005
2
EDUCAUSE 2005 Topics
• What is Identity and Access Management (IAM)?
• An Institutional view of IAM– Roles, Privileges and Authentication
• Basic IAM functions mapped to NMI/MACE components
• Open Source solutions coming to a store near you
• Outside Forces• Q & A (we take questions as we go also)
3
EDUCAUSE 2005 IAM and Application Integration
4
EDUCAUSE 2005 IAM is…
• “Hi! I’m Lisa.” (Identity)• “…and here’s my NetID / password to prove it.”
(Authentication)• “I want to do some E-Reserves reading.”
(Authorization : Allowing Lisa to use theservices for which she’s authorized)
• “And I want to change my grade in last semester’s Physics course.”
(Authorization : Preventing her from doing things she’s not supposed to do)
5
EDUCAUSE 2005 What questions are common to these scenarios?
• Are the people using these services who they claim to be?
• Are they a member of our campus community?• Have they been given permission?• Is their privacy being protected?• Policy/process issues lurk nearby
6
EDUCAUSE 2005 Vision of a better way to do IAM
Reflect
Join
Credential
Manage Affil/Groups
Manage Privileges
Provision
Relay
Authenticate
Authorize
Log
•IAM as a middleware layer at the service of any number of applications•Requires an expanded set of basic functions
7
EDUCAUSE 2005 Basic IAM functions
Systems of Record
Stdnt
HR
Other
Enterprise Directory
Registr
y LD
AP
8
EDUCAUSE 2005
Role- and Privilege-based AuthZ
• Privileges are what you can do • Roles are who you are, which can be
the used for policy-based privileges • Both are viable, complementary for
authorization
9
EDUCAUSE 2005 Privilege Management Feature Summary
By authority of the Dean grantor
principal investigators role (group)
who have completed training prerequisite
can approve purchases function
in the School of Medicine scope
for research projectsup to $100,000
limits
until January 1, 2006 condition
10
EDUCAUSE 2005 Basic IAM functions mapped to theNMI / MACE components
System
s of R
ecord
Enterprise Directory
11
EDUCAUSE 2005 The Environment
System
s of R
ecord
Enterprise DirectoryApps / Resources
12
EDUCAUSE 2005
How full IdM layer helps
• Improves scalability: IdM process automation
• Improves agility: Keeping up with demands
• Reduces complexity of IT ecosystem– Complexity as friction (wasted resources)
• Improved user experience
• Functional specialization: App developer can concentrate on app-specific functionality
13
EDUCAUSE 2005 The Environment
System
s of R
ecord
Enterprise DirectoryApps / Resources
Grouper Signet Shibboleth
14
EDUCAUSE 2005 Managing Roles & Privileges:The Internet2 way
Grouper Signet
Role-Based Access Control (RBAC) model
• Users are placed into groups
• Privileges are assigned to groups
• Groups can be arranged into hierarchies to effectively bestow privileges
• Signet manages privileges
• Grouper manages, well, groups
15
EDUCAUSE 2005 Grouper
• Grouper project of Internet2 MACE• Infrastructure at University of Chicago
– User interface at Bristol University in UK– $upport from NSF Middleware Initiative (NMI)
• http://middleware.internet2.edu/dir/groups
16
EDUCAUSE 2005 Signet
• Project Signet of Internet2 MACE– Development based at Stanford
– $upport from NSF Middleware Initiative
• http://middleware.internet2.edu/signet
17
EDUCAUSE 2005 IAM functions
Reflect Data of interest
Join Identity across SoR
Credential NetID, other
Manage Affil/Groups AuthZ info
Manage Privileges More AuthZ info
Provision Gen. AuthNZ info into app space
Relay AuthZ info to app on request
Authenticate Identity claim
Authorize access decision (allow/deny)
Log usage for audit, accounting,…
18
EDUCAUSE 2005 Terminology
• CSP - Credential Service Provider - A trusted entity issuing electronic credentials to subscribers (aka Identity Provider)
• RA - Registration Authority - Vouches for the identity of a subscriber to a CSP
• Identity Proofing - Process by which CSP and RA uniquely identify a person/entity
• RP - Relying Party - an entity relying upon the credentials issued by a CSP (aka Service Provider)
• LoA - Level of Assurance - Classification of ID proofing suitable for electronic use to control access to information
19
EDUCAUSE 2005 What is a Federation?
• A collection of organizations, having implemented some form of Identity Management, where Credential Service Providers (CSP, Universities) and Service Providers (SP, Content Providers) agree to “rules of engagement” (policy and attributes) using federating software (Shibboleth, SAML, PKI)
20
EDUCAUSE 2005 What is a Federation?
• Sounds simple? It can be. It can be made really complex, really fast.
• www.nmi-edit.org for more info• CSPs and SPs retain control over their environments
(identity data and access ctrl)• www.InCommonFederation.org
– Approx 25 participants, Launched 4/2005
• Inqueue.internet2.edu– Testing/Playground for InCommon– >140 participants and growing
21
EDUCAUSE 2005 Shibboleth and Federation
• A note from our sponsors: Internet2 and NSF Middleware Initiatives
• It’s real, uses SAML• Open source, freely available• Takes between 3 hours and 3 years to install
-- depending on IdM infra• In production at various schools (duke!)
– For internal apps & external Univ vendors
• shibboleth.internet2.edu
22
EDUCAUSE 2005 Inter-institutional integration
• Virtual Organization (VOs)– GridShib development to enhance VOs working
with Institutional Identity Mgmt Systems
• Federations
• Federal E-Authentication Initiative
• League of Federations– The Interfederation Interoperability Working
Group (IIWG). yes, it’s real
23
EDUCAUSE 2005 Outside Forces…
• Homeland Security Presidential Directive #12– Policy for a Common Identification Standard for Federal
Employees and Contractors– States there will be mandatory, Government-wide
standards for secure authentication (not just E)
• OMB E-Authentication Guidance M-04-04• NIST Special Pub 800-63 (Electronic Authentication
Guideline)– Defines 4 Levels of Assurance for E-Authentication.
Impacts Credentialing.
• Federal E-Authentication Initiative ***• Credential Assessment Framework
24
EDUCAUSE 2005 www.cio.gov/eauthentication
• US Government’s activity to implement HSPD-12 based on NIST SP800-63 to manage access to at least 24 major areas of service within the USG.
• It will utilize technologies based on SAML and PKI/X.509 (shibboleth, Bridge Certification Authority and Hierarchical PKI models, other technologies as appropriate)
25
EDUCAUSE 2005 Credential Assessment Framework (CAF)
• Processes to assess the efficacy of a CSP. We, institutions of Higher Education, can all be seen as CSPs as well as Relying Parties for the services we offer ourselves and each other.
• CAF is really only concerned for CSPs used by the Federal eAuth activities but there are lots of interconnects between HE and Fed so it impacts us in many ways. Hence, various projects active.
26
EDUCAUSE 2005
One key resource to help you start building the IdM infrastructure
• Enterprise Directory Implementation Roadmaphttp://www.nmi-edit.org/roadmap/ directories.html
• Parallel project planning paths:– Technology/Architecture
– Policy/Management
27
EDUCAUSE 2005 The Environment
System
s of R
ecord
Enterprise DirectoryApps / Resources
Grouper Signet Shibboleth
28
EDUCAUSE 2005 Questions?
29
EDUCAUSE 2005
30
EDUCAUSE 2005
Responding to requests:A new approach at UW-Madison
• Campus leaders are defining new ways of channeling and responding to requests
• Groups like the AuthNZ Coordinating Team (ACT) anticipate policy issues and sort through the concerns
• They route findings and recommendations to the CIO office
• The CIO Office take the issue to an appropriate campus body*
31
EDUCAUSE 2005
32
EDUCAUSE 2005
Responding to requests:A new approach
• The Identity Management Leadership Group (IMLG) will provide leadership on IdM issues when responding to:
• Submission and/or maintenance of information online
• Privacy protection• Increased compliance demands• Increased security threats
33
EDUCAUSE 2005
Why a new group?
• Technology is now more robust and services are considered foundational to the institution
• Broader scope, e.g., new populations
• New policy issues and more of them
• Need for flexibility and quick turn-around time