InCommon overview
Overview of Federated Identity Management and the InCommon Federation

Published in: Technology, Education

  • Barry Johnson
    Here to give you a crash course in Federated Identity Management and give you a little intro to InCommon.
  • Identity management is a system of verifying the identity of an individual and issuing electronic credentials so that person can access electronic resources.
    The system typically maintains identity information in a central repository.
    Because the system is authoritative, it is the source for establishing trust and using that trust to facilitate access to resources.
  • Identity management answers these basic questions:
    - Who are you? An individual provides information to establish his or her identity (such as a driver's license, passport, or other materials)
    - After this identity proofing, the system begins assigning attributes as part of the electronic record – name, address, email, and the like
    - With the system populated with this information, it can now be used for authentication – verifying that the person wanting access to a resource is the same one to whom we issued credentials.
  • There are three actors involved in the identity management system:
    1 – the subject or user
    2 – the identity provider, which maintains the identity system, issues credentials, and provides necessary information to the service provider
    3 – the service provider – also known as the relying party or resource provider – owns or manages the restricted resource. The service provider takes the information provided by the identity provider – such as the name of the institution or the identity of the subject – to decide whether to allow access to the resource.
  • These are the three key terms for identity management – and they all start with “A”!
    Authentication typically is providing a user ID and password
    Authorization is the service provider making a decision about allowing access. Sometimes all that is needed is the name of a university.
    An attribute is a piece of information, such as a person’s name, email, or whether that person is faculty, staff or student.
  • Our user has an account at his university, but also must maintain separate accounts, including passwords, at any service he has access to:
    1) Learning management system
    2) Government services, such as research grant administration
    3) the soothing music service or online journals from the library
  • Problems faced in the identity management world:
    Typically, there are many applications, both on-campus and hosted solutions, that students and faculty need to interact with.
    Many of these applications have a need to verify identities and provide access to only those who are covered under a university contract.
    To do that, some applications want access to your LDAP directory. Some require batch uploads. Some have users create accounts. So, every time you add a service provider, you increase the possibility of security breaches and data spills.
  • Federated identity management solves these problems.
    A federation is just a group of organizations that agree on a standard method for exchanging information.
    Everyone agrees on policies and such things as a common definition of each attribute.
    Now, instead of one-to-one, we can do one-to-many – which means the federation scales much more easily than individual relationships.
    Users also gain the convenience of using their campus IDs and passwords to access many resources.
  • The key concept to federated identity management is the separation of authentication and authorization – and the use of standards.
    Identity providers do the authentication – users no longer set up accounts at each service provider. Users thus enjoy single sign-on convenience with their university identity.
    A standard set of attributes, and standards-based software, allows information to be passed among the members of the federation for authorization to resources.
  • Here’s the scenario using federated identity
    - with federated identity, a user has just one account – the one provided by his university already used for email and other on-campus applications.
    - The online services and resources no longer manage user accounts or keep personal data
    - With only one user ID and password, help desks see dramatic reductions in calls.
    - Federation participants agree on common policies and use standards-based software and processes.
    - The home organization (i.e. university) maintains privacy and security.
  • When a user needs access to a resource, they are sent to their institution's login page.
    Since the institution and the resource provider are both part of the federation, they can trust each other’s practices and attribute assertions.
    After authentication, the home institution’s identity management system will send along the attributes about the user that the resource provider needs to know
    And if they look good, the user gets access to the resource. Simple as that.
  • InCommon is the higher education and research federation in the U.S.
    InCommon serves as the trust agent for all participants.
  • Privacy, security and scalability are at the heart of the benefits of InCommon and a federated identity management approach.
  • Single sign-on for users, using credentials they know and already use every day.
    Because the home institution controls the identity database and authenticates users for each service, there are fewer opportunities for security breaches.
    Personally identifying information stays on campus. The bare minimum of info needed for access is provided to the service, but no more.
    The institution saves time and money, because adding another federated service is relatively quick and easy. Since federated identity is also based on roles and status, changes in status (such as employment or enrollment) are reflected immediately.
    The service provider does the authorizing, based on attributes passed by the identity provider. So, the service provider can concentrate on providing the service, as opposed to dealing with accounts.
  • This gives you an idea how many folks are part of InCommon.
    As of September 2010, InCommon has 253 participants, including 180 colleges and universities.
  • InCommon participants include colleges and universities, government and non-profit research facilities and agencies, and sponsored partners – non-profit and for-profit entities that offer federated services.
  • Federated resources offered by InCommon participants affect many campus business and academic functions every day. There are a number of HR and student services applications, as well as learning management systems, and library databases.
  • InCommon overview (slide text)

    1. InCommon and Federated Identity Management (title slide)
    2. What is Identity Management?
       • A system of standards, procedures and technologies that provides electronic credentials to individuals.
       • Maintains authoritative information about individuals.
       • Establishes the trust needed for transactions.
       • Facilitates and controls user access to online applications or resources.
    3. Identity Management
       Who are you? (identification)
       • Collect personally identifying information to prove you are who you say you are (identity proofing), such as a driver's license, passport, or biometric data
       • Assign attributes (name, address, college or university, department, role (faculty, staff, student), major, email address)
       How can you prove it? (authentication)
       • Verifying that the person seeking access to a resource is the one previously identified and approved
    4. Key Entities
       Three entities are involved in gaining access to a resource:
       1. Subject (i.e. user) – The person identified and the subject of assertions (or claims) about his or her identity.
       2. Identity Provider – Typically the university or organization that maintains the identity system, identity-proofs the subject and issues a credential. Also provides assertions or claims to the service provider about a subject's identity.
       3. Service Provider (sometimes called the relying party) – Owner/provider of the protected resource to which the subject would like access. Consumes the assertion from the identity provider and makes an authorization decision.
    5. Key Terms
       • Authentication – Verification (via a user ID and password) that a subject is associated with an electronic identifier. This is the responsibility of the identity provider.
       • Authorization – Determining whether a subject is eligible to gain access to a resource or service. The authorization decision is made by the service provider and is based on the attributes provided by the identity provider.
       • Attribute – A single piece of information associated with an electronic identity database record, such as name, phone number, group affiliation, email address, major.
    6. (no title)
       1. Tedious user registration at all resources
       2. Unreliable and outdated user data at resources
       3. Different login process at each resource
       4. Many different passwords
       5. Identity provider may need to support multiple custom authentication methods and/or be asked for access to its identity database
    7. The Problem
       • Growing number of applications – on-campus and outsourced or hosted
       • All of these service providers must:
         – Verify the identity of users (faculty, staff, students, others)
         – Know who's eligible to access the service
         – Know the student is active and hasn't left school
       • Increase in outsourced or cloud services raises concerns about the security and privacy of the identity data
    8. A Solution: Federated Identity Management
       Federation: An association of organizations that come together to exchange information, as appropriate, about their users and resources in order to enable collaborations and transactions.
       All participants in a federation agree on the same policies and procedures related to identity management and the passing of attributes.
       Instead of one-to-one relationships, the federation allows one-to-many relationships.
    9. Federated Identity Management
       • Parties agree to leverage the identity provider's database, rather than creating separate data stores
       • Users no longer register with the service provider, using their university credentials for transactions
       • Single sign-on convenience for users
       • Identity provider does the authentication; service provider does the authorization
       • Attributes are the key – maintain privacy and security
    10. (no title)
       1. Single sign-on
       2. Services no longer manage user accounts & personal data stores
       3. Reduced help-desk load
       4. Standards-based technology
       5. Home org and user control privacy
    11. Federated Access in 30 seconds (diagram: Home Institution – user signs in; Online Resource)
       1. Authentication: single sign-on at home institution
       2. Federation-based trust exchange to verify partners and locations
       3. Authorization: privacy-preserving exchange of agreed-upon attributes
       4. If attributes are acceptable to resource policy, access is granted!
       Attributes: Anonymous ID, Staff, Student, …
       Federation: metadata, certificates, common attributes & meaning, federation registration authority, Shibboleth
    12. InCommon Federation
       InCommon is the federation for U.S. research and education, providing higher education and their commercial and non-profit partners with a common trust framework for access to online resources.
    13. About InCommon
       • Through InCommon, campuses leverage their identity databases to allow for the use of one set of credentials to access multiple resources.
       • Online service providers no longer need to maintain user accounts.
       • Identity providers manage the levels of their users' privacy and information exchange.
       • InCommon uses SAML-based authentication and authorization systems (such as Shibboleth®) to enable scalable, trusted collaborations among its community of participants.
    14. InCommon Federation Benefits
       • Convenience – Single sign-on with higher education credentials
       • Safety – Enhanced security with fewer data spills
       • Privacy – Release of only the minimum information necessary to gain access to resources (via attributes)
       • Scalability – Once implemented, federated access is relatively simple to extend
       • Authentication – Campus does the authentication, maintaining control of user information
       • Authorization – Service provider makes access decisions based on attributes
    15. InCommon Participants Year-by-Year (chart)
       • 253 InCommon Participants (Sept. 2010)
       • Almost 5 million end-users (faculty, staff, students)
    17. Federated Resources
       Resources available via InCommon are many and diverse.
       Business Functions: benefits; asset management; talent management; visas & INS compliance; mobile alerts; travel management; energy management; surveys and market analysis
       Learning and Research: journals; databases and analytical tools; multi-media access; homework labs; quiz tools; plagiarism detection; software downloading; alcohol awareness education; student travel discounts; transportation and ride-share services
       Strong support from key higher education partners, such as: Microsoft, Apple, National Student Clearinghouse, NSF, NIH, Gov-affiliated Labs
    18. InCommon and Federated Identity Management (closing slide)
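The four-step flow of slide 11 (and of the "When a user needs access to a resource" notes above), as an added example that is not part of the original slides and not InCommon or Shibboleth software: the identity provider authenticates, the service provider checks the issuer against federation metadata, only the agreed attributes are released, and the service provider alone decides on access. The entity IDs, campus directory, attribute name `affiliation` and signing key are constructed placeholders; an HMAC stands in for the X.509 certificate and XML signature a real SAML federation would use.

```python
import hashlib, hmac, json
# Federation metadata (constructed): registered entities; the HMAC key stands in for the IdP's X.509 cert.
FEDERATION_METADATA = {
    "https://idp.example-university.edu": {"role": "IdP", "key": b"idp-signing-key"},
    "https://journals.example-publisher.com": {"role": "SP", "required_attrs": {"affiliation"}},
}

# Campus identity store (constructed). The IdP holds far more than any SP ever receives.
CAMPUS_DIRECTORY = {
    "jdoe": {"password": "correct horse", "name": "Jane Doe", "major": "chemistry",
             "email": "jdoe@example-university.edu", "affiliation": "student"},
}

class IdentityProvider:
    def __init__(self, entity_id):
        self.entity_id = entity_id
        self.key = FEDERATION_METADATA[entity_id]["key"]

    def authenticate(self, user_id, password):
        rec = CAMPUS_DIRECTORY.get(user_id)  # step 1: campus single sign-on (plain compare for brevity)
        return rec is not None and hmac.compare_digest(rec["password"], password)

    def issue_assertion(self, user_id, sp_entity_id):
        # Step 3: attribute release policy, only what this SP registered as needing, nothing more.
        sp = FEDERATION_METADATA.get(sp_entity_id)
        if sp is None or sp["role"] != "SP":
            raise ValueError("service provider is not a federation member")
        attrs = {k: CAMPUS_DIRECTORY[user_id][k] for k in sp["required_attrs"]}
        body = json.dumps({"issuer": self.entity_id, "audience": sp_entity_id, "attrs": attrs}, sort_keys=True)
        return {"body": body, "sig": hmac.new(self.key, body.encode(), hashlib.sha256).hexdigest()}

class ServiceProvider:
    def __init__(self, entity_id, allowed_affiliations):
        self.entity_id = entity_id
        self.allowed = allowed_affiliations

    def authorize(self, assertion):
        # Step 2: trust only an issuer registered in federation metadata as an IdP, addressed to this SP.
        body = json.loads(assertion["body"])
        idp = FEDERATION_METADATA.get(body["issuer"])
        if idp is None or idp["role"] != "IdP" or body["audience"] != self.entity_id:
            return False
        sig = hmac.new(idp["key"], assertion["body"].encode(), hashlib.sha256).hexdigest()
        # Step 4: the SP decides, purely from the released attributes, once the signature checks out.
        return hmac.compare_digest(sig, assertion["sig"]) and body["attrs"].get("affiliation") in self.allowed

def federated_access(user_id, password, idp, sp):
    if not idp.authenticate(user_id, password):
        return False  # never issue an assertion for an unauthenticated user
    return sp.authorize(idp.issue_assertion(user_id, sp.entity_id))
```

Note that the assertion body never contains the user's name or email, and that changing either the affiliation value or the issuer after signing makes the service provider reject it.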