Page 1: Practical Tools for Implementing Authentication and Managing Authorization Educause SWR 2007 Barry Ribbeck Director of Systems, Architecture and Infrastructure.

Practical Tools for Implementing Authentication and Managing Authorization

Educause SWR 2007

Barry Ribbeck

Director of Systems, Architecture and Infrastructure

Rice University

Thanks to Andrea Beesing, Cornell, for the permission to use some of the material presented here

Subliminal humour by Steven Wright

Copyright Barry Ribbeck and Andrea Beesing 2007. This work is the intellectual property of the authors. Permission is granted for this material to be shared for non-commercial, educational purposes, provided that this copyright statement appears on the reproduced materials and notice is given that the copying is by permission of the author. To disseminate otherwise or to republish requires written permission from the author.

Page 2:

Rice Time Line

(Timeline figure; only its labels survive extraction, and most year-to-event pairings are not recoverable.)

Events on the timeline: Mainframe era; Ken Kennedy & Parallel Computing; Mosaic; New Network; Growing Silos of AuthX; Enterprise Directory, Kerberos; GuestID & Shibboleth (2005); I2 Shibboleth & Federations; Join InCommon; Signet; YON; Grouper.

Years marked on the timeline: 1985, 1992, 1999, 2001-04, 2005, 2006-07, 2007-08, 2008.

Page 3:

Rice University

S.W.: 47.3% of all statistics are made up on the spot.

• Located in Houston adjacent to Texas Medical Center
• ~5000 Students
• ~1000 Faculty
• ~2000 Staff
• Tens of thousands of Alumni
• Uncounted Friends

Page 4:

Groups and Roles

• S.W.: Some people would kill for a Nobel Peace Prize!

• Groups abstractly associate people into rational collections. Groups are tools that allow us to scale access control more easily.

• Roles are groupings of privileges.

• Associating groups with roles provides a method to scale access control.

Page 5:

Identity, Credentials and LOA

• S.W.: Half the people you know are below average.
• Who are you to me?
• How do I know it is you logging in?
• How do we measure trust in the offered credential?
• What tools do I use to assert an identity credential?
• What tools do I use to trust your identity and credentialing processes?

Page 6:

Levels Of Assurance (LOA): Credential Trust Metric

S.W.: Why do psychics have to ask your name?

(Layered figure; the tiers are listed in the order they appear on the slide.)

• Traditional well-known community (faculty, staff, students, alumni)
• Proxy-asserted affiliates and federated users
• Self-asserted affiliates
• Unknown masses

Page 7:

The Business Context

S.W.: Everyone who believes in psycho-kinesis, raise my hand.

• Legislation driving better controls over access to information
  – Authorized use only
  – Understanding who, when, why
• Privacy concerns
• Continued high demand for new online services
• Interest in identity federation for collaboration and leveraging investments
• Need to align with granting agency requirements

Page 8:

From Kansas to Oz

S.W.: 99% of lawyers give the rest a bad name.

• Enhancing authorization
  – Distributed access management solution
  – Grouper for group management
  – Signet for privilege management
• Enhancing authentication
  – Getting ready for federation = attention to business processes and policy
  – Resources and tools provided by NMI and EDUCAUSE can help at this stage or any stage

What happens if you are scared half to death – twice?

Page 9:

What is Distributed Access Management

S.W.: To steal ideas from one person is plagiarism, to steal from many is research.

• Addresses the challenge of
  – Managing access rights for many types of users for many resources
  – Ensuring that access rights are adjusted as the individual's relationship to the institution changes
• Set of central services in a distributed management model
• Tied into your identity management and integrated through common middleware

Page 10:

Creating Leveraged Resources: A Phased Approach

• Authentication
  – Authentication - Kerberos, Web ISO
  – Automated credential management - (Home Grown and Commercial Products)
  – Identity Repositories - Person Registries
• Authorization
  – Authorization Repositories - Directories
  – Group Management - Grouper
  – Privilege Management - Signet

Page 11:

AuthN & AuthZ: not just technology

(Diagram of three overlapping areas, Business processes, Policy and Technology, carrying the labels below. Which label sits in which area is not recoverable from the extraction.)

Labels: Authentication of IT Resources; Information Security of Institutional Data; Training and awareness; Account management; Identification and registration; Kerberos, Grouper, Signet, Directory; Ensuring users have ready access to information and resources they are entitled to; Data access standards.

Page 12:

Aligning IT with business process and policy: Grouper example

(Diagram; its labels as they survive extraction:)

• Unit Head, College of Sciences
• Grouper stem: Admin 1: Dan, Admin 2: Tim
• Grouper stem: Statistics, Admin: Marion
• Grouper stem: Math, Admin: Judy
• Grouper stem: Engineering, Admin: Joe
• Groups: Math & Stats faculty, Math students, ECE Students
• Data access policy & standards

Page 13:

Other Grouper Features

• Common API for program access
• Better integration with applications and other middleware components
• Better support for automated provisioning of institutional groups/roles based on source data
• Common interface for users, customizable using tiles and struts

Page 14:

Other Grouper Features

• Sophisticated group management capabilities to support many access management needs
  – Subgroups
  – Allows useful actions on these groups -- group math, group nesting, negative authorizations
  – Traceback of indirect membership
  – Subscription feature
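The stem-level delegation of admin rights on the College of Sciences slide (page 12) and the group features listed here (subgroups, group math, nesting, negative authorizations, traceback of indirect membership) can be seen working together in the following Python model. It is an added illustration written for this transcript, not Grouper's own code or API; the stem names, groups and members are constructed sample data, with only the admin names taken from the slide.

```python
"""Grouper-style registry: stems with delegated admins, nested groups, group math
(union, and complement as negative authorization) and traceback of indirect membership.
Constructed illustration, not Grouper's code or API; the admin names come from the slide."""
from collections import defaultdict

class Registry:
    def __init__(self):
        self.stem_admins = defaultdict(set)  # stem -> people who may edit groups under it
        self.members = defaultdict(set)      # group -> direct members (people or groups)
        self.composites = {}                 # group -> (op, left, right) for group math

    def define(self, admin, group, members=(), composite=None):
        """Add direct members to a group, or make it an (op, left, right) composite."""
        parts = group.split(":")[:-1]        # rights are delegated per stem, inherited by children
        stems = [":".join(parts[:i]) for i in range(1, len(parts) + 1)]
        if not any(admin in self.stem_admins[s] for s in stems):
            raise PermissionError(f"{admin} may not edit {group}")
        self.members[group] |= set(members)  # every defined group gets a members entry
        if composite:
            self.composites[group] = composite

    def resolve(self, group):
        """Effective members -> chain of groups that led to them (the traceback)."""
        found = {}
        if group in self.composites:
            op, left, right = self.composites[group]
            l, r = self.resolve(left), self.resolve(right)
            # complement is the negative authorization: right-hand members are dropped
            keep = {**r, **l} if op == "union" else {p: v for p, v in l.items() if p not in r}
            found = {p: (group,) + v for p, v in keep.items()}
        for m in self.members[group]:
            if m in self.members:            # nested group: expand it and extend the path
                for p, v in self.resolve(m).items():
                    found.setdefault(p, (group,) + v)
            else:
                found.setdefault(m, (group,))
        return found

def build_sample():
    reg = Registry()
    reg.stem_admins.update({"rice": {"dan", "tim"}, "rice:sci:math": {"judy"}})
    reg.define("judy", "rice:sci:math:faculty", ["alice", "bob"])
    reg.define("judy", "rice:sci:math:students", ["dave"])
    reg.define("judy", "rice:sci:math:suspended", ["dave"])
    reg.define("dan", "rice:sci:stat:faculty", ["carol"])
    reg.define("dan", "rice:sci:math:all", ["rice:sci:math:faculty", "rice:sci:math:students"])
    reg.define("dan", "rice:sci:mathstats_faculty",
               composite=("union", "rice:sci:math:faculty", "rice:sci:stat:faculty"))
    reg.define("judy", "rice:sci:math:lab_access",
               composite=("complement", "rice:sci:math:all", "rice:sci:math:suspended"))
    return reg
```

Resolving `rice:sci:math:lab_access` returns alice and bob with the path through `rice:sci:math:all` and `rice:sci:math:faculty`, while dave is dropped by the complement even though nesting would have included him.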

Page 15:

Signet: Privilege Management Tool

• Central repository for privilege information—who, what, when, why

• Maps assigned privileges into system-specific terms needed by applications

• Privileges are exported into applications and infrastructure services using the appropriate notification mechanisms (e-mail, xml, webmethods, etc)

• Web-based UI for managers and holders of privileges

• Supports life cycle controls for privileges

Page 16:

Signet: Use case #1 - Self Service

• A user requests a change in account range or group in the Accounting Data Warehouse
  – Self-granting privilege with a prerequisite for approval
  – Request triggers email to the person who can grant the privilege

Page 17:

Signet: Use Case #2

• An application with its own authorization database wants to use the Signet UI as its front-end
  – The application's authZ scheme can be integrated into Signet as a subsystem. An initial synchronization is done to populate Signet with current privilege info from the application
  – When a privilege change is made in Signet, a message is forwarded to the application's internal database in the correct format
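The privilege repository of page 15 (who, what, when, why, with life-cycle dates), the self-service request that needs an approval as prerequisite (use case #1) and the forwarding of each change to a subsystem in its own format (use case #2) are modelled in this Python sketch. It is an added illustration for this transcript, not Signet's code or API; the `acctdw` subsystem, the `controller` approver and the account-range mapping are constructed assumptions.

```python
"""Signet-style privilege repository: who/what/when/why per assignment, life-cycle
dates, a self-service request with approval as prerequisite (use case #1), and
change messages in a subsystem's own terms (use case #2).  Constructed illustration,
not Signet's code or API; the 'acctdw' subsystem and the people are sample data."""
from dataclasses import dataclass
from datetime import date

@dataclass
class Assignment:
    holder: str          # who
    function: str        # what, as "<subsystem>:<privilege>"
    scope: str           # over what (here an account range)
    reason: str          # why
    effective: date      # when it starts
    expires: date        # when it lapses (life-cycle control)
    grantor: "str | None" = None  # set by approve(); None means still pending

class Repository:
    def __init__(self, approvers, mappings):
        self.approvers = approvers   # function -> person who may grant it
        self.mappings = mappings     # function -> callable giving the application's own term
        self.assignments, self.outbox = [], []   # outbox: messages that would be sent

    def request(self, holder, function, scope, reason, effective, expires):
        """Self-service: recorded at once, but approval is a prerequisite (use case #1)."""
        a = Assignment(holder, function, scope, reason, effective, expires)
        self.assignments.append(a)
        self.outbox.append(("email", self.approvers[function],
                            f"{holder} requests {function} on {scope}: {reason}"))
        return a

    def approve(self, grantor, a):
        if grantor != self.approvers[a.function]:
            raise PermissionError(f"{grantor} may not grant {a.function}")
        a.grantor = grantor
        self._forward(a, "grant")

    def _forward(self, a, action):
        # Push the change to the application's own authZ store in the format it expects (use case #2).
        self.outbox.append((a.function.split(":")[0], action, self.mappings[a.function](a)))

    def in_force(self, function, on):
        """Assignments effective on a date: approved and inside their effective/expiry window."""
        return [a for a in self.assignments if a.function == function and a.grantor
                and a.effective <= on < a.expires]

# Sample subsystem: the Accounting Data Warehouse wants "<user>=<range>" records.
ACCTDW = Repository(approvers={"acctdw:account_range": "controller"},
                    mappings={"acctdw:account_range": lambda a: f"{a.holder}={a.scope}"})
```

A request lands in the outbox as an e-mail to the approver and is not in force; only after `approve` by that approver is the grant forwarded in the warehouse's own format, and it stops being in force on its expiry date.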

Page 18:

Signet Interface example

Page 19:

IAM/IdM: The Big Picture

Page 20:

What is Federated identity

The agreements, standards, and technologies that make identity and entitlements portable across autonomous domains

TRANSLATION:

I can access a Grid resource at Penn State using my Rice NetID and password because I’m collaborating with a researcher there.

Page 21:

AuthN: Challenges in a federated world

• Service providers want to know things like:
  – How do you accomplish identity proofing and registration?
  – How do you confirm delivery of credentials?
  – Does your authentication protocol resist online password guessing?
• Federal government is driving the development of standards for assessing level of assurance (LoA)
• LoA determines the measure of trust a service provider has agreed to accept regarding the credentials presented in a federated authentication transaction.
• Strategy for aligning authentication with broader goals is important

Page 22:

The NMI-EDIT Roadmap can help

S.W.: A conclusion is a place you go when you get tired of thinking.

• Step by step approach aimed at considering broader issues related to authentication
• Draws on wealth of experience within higher education
  – Case studies
  – Policy examples
  – Roadmaps
• Tools for assessing gaps in LoA's

Page 23:

Resources

• NMI-EDIT Enterprise Authentication Implementation Roadmap: http://www.nmi-edit.org/roadmap/draft-authn-roadmap-03/
• Grouper site: http://grouper.internet2.edu
• Signet site: http://signet.internet2.edu
  – Cornell Identity Management program site: http://www.cit.cornell.edu/services/identity/
• Cornell IT Policy Office web site: http://www.cit.cornell.edu/oit/PolicyOffice.html