Federated Access Management Why carry two cards into the Library, when you already have one? John Paschoud InfoSystems Engineer, LSE Library London School of Economics & Political Science, UK [email_address] Copyright John Paschoud 2007. This work is the intellectual property of the author. Permission is granted for this material to be shared for non-commercial, educational purposes, provided that this copyright statement appears on the reproduced materials and notice is given that the copying is by permission of the author. To disseminate otherwise or to republish requires written permission from the author. The intellectual property of others in all contributed and referenced material is acknowledged.

Wouldn't it be nice if ... … Libraries were as clever as banks? I can put the card and PIN from my bank, ...into an ATM belonging to (almost) any bank (in the world), And money comes out! (assuming I've got some in my account) ...it even comes out in the right currency for where I am!

… Libraries were as clever as banks?

I can put the card and PIN from my bank,

...into an ATM belonging to (almost) any bank (in the world),

And money comes out! (assuming I've got some in my account)

...it even comes out in the right currency for where I am!

WELL... I'm a member of several libraries (LSE, LoC, Lewisham)... My LSE library card is probably the most impressive, in terms of rights-of-access, so... It gets me through the turnstiles into the library where I happen to work And I've got it because I'm a staff member at LSE (my ‘affiliation’), and LSE performs IDENTITY MANAGEMENT of me (LSE is my ‘Identity Provider’) If I can prove this affiliation with LSE, lots of other libraries are willing to let me in, and some will even give me other rights!

I'm a member of several libraries (LSE, LoC, Lewisham)...

My LSE library card is probably the most impressive, in terms of rights-of-access, so...

It gets me through the turnstiles into the library where I happen to work

And I've got it because I'm a staff member at LSE (my ‘affiliation’), and LSE performs IDENTITY MANAGEMENT of me (LSE is my ‘Identity Provider’)

If I can prove this affiliation with LSE, lots of other libraries are willing to let me in, and some will even give me other rights!

BUT... To get this access (in most places), I have to use my LSE card to prove my identity (the photo matches) and affiliation with LSE; then Leeds Uni (for example) will register me as a visiting user - thereby doing IDENTITY MANAGEMENT of me themselves (what a waste!) ...and issue me with a Leeds Uni card; ...which I can use to get through their turnstiles. If their turnstiles (etc) could only read my LSE card (and everything was connected to the Internet - everything is, isn't it???), Leeds and LSE could do FEDERATED ACCESS MANAGEMENT ! This would allow LSE to use the information on my card to AUTHENTICATE that it was really me, and let Leeds (just the turnstiles - no people need be involved - except me) know some things about me... ( NOT necessarily my identity , but maybe things about my current status at LSE - such as whether I'd recently been sacked, so my card was no longer valid; or that I’m a really important LSE Library staff member .)

To get this access (in most places), I have to use my LSE card to prove my identity (the photo matches) and affiliation with LSE;

then Leeds Uni (for example) will register me as a visiting user - thereby doing IDENTITY MANAGEMENT of me themselves (what a waste!)

...and issue me with a Leeds Uni card; ...which I can use to get through their turnstiles.

If their turnstiles (etc) could only read my LSE card (and everything was connected to the Internet - everything is, isn't it???), Leeds and LSE could do FEDERATED ACCESS MANAGEMENT !

This would allow LSE to use the information on my card to AUTHENTICATE that it was really me, and let Leeds (just the turnstiles - no people need be involved - except me) know some things about me...

( NOT necessarily my identity , but maybe things about my current status at LSE - such as whether I'd recently been sacked, so my card was no longer valid; or that I’m a really important LSE Library staff member .)

-- It would be up to Leeds to decide what this information AUTHORISED me to do (maybe my 'important library staff member' status gets me some other privileges, like an offer of a cup of tea from the librarian whilst I browse the stacks?) Note that Leeds DON'T really NEED to know who I am , if they have a TRUSTWORTHY way of knowing that LSE knows who I am (And that if I do burn down the Edward Boyle Library, they can invoke a process to demand my identity from LSE using the system records, and hunt me down!) After all, LSE has gone to all the trouble of checking carefully who I was when they gave me a job.

It would be up to Leeds to decide what this information AUTHORISED me to do

(maybe my 'important library staff member' status gets me some other privileges, like an offer of a cup of tea from the librarian whilst I browse the stacks?)

Note that Leeds DON'T really NEED to know who I am , if they have a TRUSTWORTHY way of knowing that LSE knows who I am

(And that if I do burn down the Edward Boyle Library, they can invoke a process to demand my identity from LSE using the system records, and hunt me down!)

After all, LSE has gone to all the trouble of checking carefully who I was when they gave me a job.

-- Of course, this doesn't work yet. And the banking network isn't quite as clever as this, either But the banks HAVE all agreed some standards – at the simpler levels so that all their ATM readers can read everyone's cards; and at higher levels in terms of secure messages between them so that, say, the ATM of an ICICI Bank branch in New Delhi can check that I do have the equivalent of 50,000 Rupees in my HSBC account in Britain. And we (university libraries) CAN now do the equivalent of this with FEDERATED ACCESS MANAGEMENT to online resources… … using the UK Access Management Federation for Education & Research, and compatible technologies (including but not limited to Shibboleth)

Of course, this doesn't work yet.

And the banking network isn't quite as clever as this, either

But the banks HAVE all agreed some standards –

at the simpler levels so that all their ATM readers can read everyone's cards; and

at higher levels in terms of secure messages between them so that, say, the ATM of an ICICI Bank branch in New Delhi can check that I do have the equivalent of 50,000 Rupees in my HSBC account in Britain.

And we (university libraries) CAN now do the equivalent of this with FEDERATED ACCESS MANAGEMENT to online resources…

… using the UK Access Management Federation for Education & Research, and compatible technologies (including but not limited to Shibboleth)

Animation: even 2-dimensional people need Access Management

What do our Users want from Access Management? Nothing! - they just want to get stuff. Now! Single Sign-On (as far as possible) to our own services, and to all the resources we subscribe on their behalf no need to remember so many passwords for different services Access from Anywhere from home, travelling, or working at other institutions or libraries Improved Privacy of personal information, and of research being pursued

Nothing! - they just want to get stuff. Now!

Single Sign-On (as far as possible)

to our own services, and to all the resources we subscribe on their behalf

no need to remember so many passwords for different services

Access from Anywhere

from home, travelling, or working at other institutions or libraries

Improved Privacy

of personal information, and of research being pursued

What do We want from Access Management? (“We” being the people whose job is to provide institutional information services) Improved security for licensed resources, so publishers we deal with are happy (and generous!) Good privacy-protection for users, to meet our legal obligations Low-hassle support for our on-campus and mobile users Opportunity for ‘fine-grain’ authorization control, so we can know (and manage) Who-Has-Access-to-What Access for visiting users to whatever they are entitled by their home institutions …which we don’t need to know about!

(“We” being the people whose job is to provide institutional information services)

Improved security for licensed resources, so publishers we deal with are happy (and generous!)

Good privacy-protection for users, to meet our legal obligations

Low-hassle support for our on-campus and mobile users

Opportunity for ‘fine-grain’ authorization control, so we can know (and manage) Who-Has-Access-to-What

Access for visiting users to whatever they are entitled

by their home institutions

…which we don’t need to know about!

Objectives of Federated Access Management Effective Single Sign-On to non-public online resources… … across many domains Distribution of Authentication, Authorisation and Accounting functions in the AM process to appropriate parties Improved security for resources that are non-public due to: Licensing restrictions / Commercial intellectual property Confidentiality Improved privacy of end-user personal information Reduced duplicated administration of user identities & passwords (Cite Clifford Lynch and the Coalition for Networked Information, 1998, for where these principles were seminally defined)

Effective Single Sign-On to non-public online resources…

… across many domains

Distribution of Authentication, Authorisation and Accounting functions in the AM process to appropriate parties

Improved security for resources that are non-public due to:

Licensing restrictions / Commercial intellectual property

Confidentiality

Improved privacy of end-user personal information

Reduced duplicated administration of user identities & passwords

(Cite Clifford Lynch and the Coalition for Networked Information, 1998, for where these principles were seminally defined)

Appropriate Division of Labour (Labor) With Federated Access Management, functions are carried out by appropriate parties: Identity Provider (typically a university/college/library) does Authentication (of it’s own registered users) “ IdP” -- “AuthN” Service Provider (typically a publisher) does Authorization ideally based on a common role (“student”) and affiliation (“lse.ac.uk”) “ SP” -- “AuthZ” (the “z” shows how you frequently have to discuss this with Americans, who can’t spell properly) A Federation provides a trust framework between parties, operates ‘Where Are You From’ ( “WAYF” ) service Needed where users from many IdPs are accessing many SPs (Athens, and some other people, may call this a ‘Home Domain Discovery Service’) Athens isn’t a federation It’s quite simple to create an ad-hoc federation of your own, e.g. for a project

With Federated Access Management, functions are carried out by appropriate parties:

Identity Provider (typically a university/college/library) does Authentication (of it’s own registered users)

“ IdP” -- “AuthN”

Service Provider (typically a publisher) does Authorization ideally based on a common role (“student”) and affiliation (“lse.ac.uk”)

“ SP” -- “AuthZ”

(the “z” shows how you frequently have to discuss this with Americans, who can’t spell properly)

A Federation provides a trust framework between parties, operates ‘Where Are You From’ ( “WAYF” ) service

Needed where users from many IdPs are accessing many SPs

(Athens, and some other people, may call this a ‘Home Domain Discovery Service’)

Athens isn’t a federation

It’s quite simple to create an ad-hoc federation of your own, e.g. for a project

The Institution as Service Provider (too) We can share resources in collaborations within the academic community providing controlled access to users from other institutions, without needing to administer usernames/passwords for them as LSE and Columbia (NY) did for a collaborative Anthropology teaching project (DART) We can set up our repository, e-learning or any other service as a Service Provider as LSE has done for Exam Papers and other ‘members only’ collections

We can share resources in collaborations within the academic community

providing controlled access to users from other institutions, without needing to administer usernames/passwords for them

as LSE and Columbia (NY) did for a collaborative Anthropology teaching project (DART)

We can set up our repository, e-learning or any other service as a Service Provider

as LSE has done for Exam Papers and other ‘members only’ collections

Access to internal resources: LSE Exam Papers collection

Costs and Benefits of adopting Federated Access Management? Costs (for an institution): Institution’s directory must be in good shape and set up to support an Identity Provider (IdP) service (just as it does for “AthensDA”) IdP middleware needs installing and maintaining (or subscribed-to from an external provider) Benefits (for an institution): Reduced overheads in password support No difference in on-campus and off-campus access More flexible access control – e.g. different categories of users to different levels of access (or none) to a resource Access control maintenance for different internal services (most with role-based access) is eliminated !

Costs (for an institution):

Institution’s directory must be in good shape and set up to support an Identity Provider (IdP) service

(just as it does for “AthensDA”)

IdP middleware needs installing and maintaining

(or subscribed-to from an external provider)

Benefits (for an institution):

Reduced overheads in password support

No difference in on-campus and off-campus access

More flexible access control – e.g. different categories of users to different levels of access (or none) to a resource

Access control maintenance for different internal services (most with role-based access) is eliminated !

Access via a library portal to external resources A user can just go to the list of e-resources in the library’s portal. In the LSE Library’s case our ‘Electronic Library’ is run from Endeavor’s Encompass system: … but it could just be a list of links on a ‘hand-crafted’ web page

A user can just go to the list of e-resources in the library’s portal.

In the LSE Library’s case our ‘Electronic Library’ is run from Endeavor’s Encompass system:

… but it could just be a list of links on a ‘hand-crafted’ web page

Access via a library portal to external resources The expanded list shows a link direct to the Service Provider, in this case Elsevier

Access via a library portal to external resources After clicking link in library portal:

Demonstration: What does FAM look like to an end-user? Elsevier Science Direct – an ‘early-adopting’ publisher … dealing with a global customer base … needs-to-know only whether user is from a licensed institution http://www.sciencedirect.com/ (and use ‘Athens/Other Institution Login’) LSE Projects wiki – a highly-restricted institutional resource … with users spread across 10+ HE institutions (current project partners) … needs to know personal identity and other user attributes https://gabriel.lse.ac.uk/twiki/bin/view/Projects/AboutJohnPaschoud (and then ‘Edit’ this page) Shibboleth Wiki – a global discussion space https://spaces.internet2.edu/display/SHIB/WebHome (and use ‘Log In’) Note how access to the 2 wikis, by individuals authenticated at many IdPs, could be paralleled in implementation of access to SCONUL-type shared online resources.

Elsevier Science Direct – an ‘early-adopting’ publisher

… dealing with a global customer base

… needs-to-know only whether user is from a licensed institution

http://www.sciencedirect.com/ (and use ‘Athens/Other Institution Login’)

LSE Projects wiki – a highly-restricted institutional resource

… with users spread across 10+ HE institutions (current project partners)

… needs to know personal identity and other user attributes

https://gabriel.lse.ac.uk/twiki/bin/view/Projects/AboutJohnPaschoud

(and then ‘Edit’ this page)

Shibboleth Wiki – a global discussion space

https://spaces.internet2.edu/display/SHIB/WebHome (and use ‘Log In’)

Note how access to the 2 wikis, by individuals authenticated at many IdPs, could be paralleled in implementation of access to SCONUL-type shared online resources.

How does FAM (using Shibboleth) work? Resource WAYF Identity Provider Service Provider Web Site 1 ACS I don’t know you. Not even which home org you are from. I redirect your request to the WAYF 3 2 Please tell me where are you from? HS 5 6 I don’t know you. Please authenticate Using WEBLOGIN 7 User DB Credentials OK, I know you now. I redirect your request to the target, together with a handle 4 OK, I redirect your request now to the Handle Service of your home org. AR Handle Handle 8 I don’t know the attributes of this user. Let’s ask the Attribute Authority Handle 9 AA Let’s pass over the attributes the user has allowed me to release Attributes 10 Resource Manager Attributes OK, based on the attributes, I grant access to the resource

Relevant Standards to FAM SAML : Security Assertion Markup Language (OASIS) http://xml.coverpages.org/saml.html Shibboleth : an open source profile SAML implementation for federated access management (Internet2 Network Middleware Initiative) http://shibboleth.internet2.edu/ … most current country-level and international initiatives in FAM are ‘Shibboleth-compliant’, or converging on interoperability with Shibboleth … but many other implementations of SAML now exist across other business sectors, and Guanxi and AthensIM are two implementations that have been developed within the UK community eduPerson : an LDAP object class to describe people in (higher) education (EDUCAUSE / Internet2) http:// www.educause.edu/eduperson /

SAML : Security Assertion Markup Language (OASIS)

http://xml.coverpages.org/saml.html

Shibboleth : an open source profile SAML implementation for federated access management (Internet2 Network Middleware Initiative)

http://shibboleth.internet2.edu/

… most current country-level and international initiatives in FAM are ‘Shibboleth-compliant’, or converging on interoperability with Shibboleth

… but many other implementations of SAML now exist across other business sectors, and Guanxi and AthensIM are two implementations that have been developed within the UK community

eduPerson : an LDAP object class to describe people in (higher) education (EDUCAUSE / Internet2)

http:// www.educause.edu/eduperson /

Attributes in Common use eduPersonScopedAffiliation indicates the user’s relationship (e.g., staff, student, etc.) with the organisation (IdP). For many applications, examination of this attribute is sufficient to determine whether the user has sufficient privilege to access the resource. MEMBER@lse.ac.uk; EMPLOYEE@lse.ac.uk eduPersonTargetedID If a service provider is presented only with the affiliation of an anonymous subject, as provided by eduPersonScopedAffiliation, it cannot provide service personalisation or usage monitoring across sessions. These capabilities are enabled by the eduPersonTargetedID attribute, which provides a persistent user pseudonym, distinct for each service provider. 7k8KHKGmt0pLmxT8JSB96U9YTTc=@lse.ac.uk eduPersonPrincipalName used where a persistent user identifier, consistent across different services, is required. It often corresponds to the user’s single sign-on (SSO) name, and may be useful for securing both internal institutional services and external services where access control lists are used. [email_address] eduPersonEntitlement enables an organisation to assert that a user satisfies an additional set of specific conditions that apply for access to a particular resource. A user may possess different values of the eduPersonEntitlement attribute relevant to different resources.

eduPersonScopedAffiliation

indicates the user’s relationship (e.g., staff, student, etc.) with the organisation (IdP). For many applications, examination of this attribute is sufficient to determine whether the user has sufficient privilege to access the resource.

MEMBER@lse.ac.uk; EMPLOYEE@lse.ac.uk

eduPersonTargetedID

If a service provider is presented only with the affiliation of an anonymous subject, as provided by eduPersonScopedAffiliation, it cannot provide service personalisation or usage monitoring across sessions. These capabilities are enabled by the eduPersonTargetedID attribute, which provides a persistent user pseudonym, distinct for each service provider.

7k8KHKGmt0pLmxT8JSB96U9YTTc=@lse.ac.uk

eduPersonPrincipalName

used where a persistent user identifier, consistent across different services, is required. It often corresponds to the user’s single sign-on (SSO) name, and may be useful for securing both internal institutional services and external services where access control lists are used.

[email_address]

eduPersonEntitlement

enables an organisation to assert that a user satisfies an additional set of specific conditions that apply for access to a particular resource. A user may possess different values of the eduPersonEntitlement attribute relevant to different resources.

Worldwide -- Federated SAML Adoption within Higher Education Australia Belgium Canada China Denmark Finland France Germany Greece New Zealand Norway Spain Spain Sweden Switzerland The Netherlands United Kingdom United States

Australia

Belgium

Canada

China

Denmark

Finland

France

Germany

Greece

New Zealand

Norway

Spain

Spain

Sweden

Switzerland

The Netherlands

United Kingdom

United States

The job (for JISC) isn’t over! Recognising gaps in support for institutions, as experience is gained Better presentation of practical guides Identity Management by institutions Levels of Assurance for different resources The Identity Project Undertaking a national survey of (all 641) institutions Producing a model for institutional IdM audits Reporting on issues for Health, National Grid Service and others (Make sure your institution has completed the Identity Management survey at www.identity-project.info !) The ES-LoA Project Analysing levels of AuthN and AuthZ required for different services Recommending how these can be expressed in Federation-approved attributes

Recognising gaps in support for institutions, as experience is gained

Better presentation of practical guides

Identity Management by institutions

Levels of Assurance for different resources

The Identity Project

Undertaking a national survey of (all 641) institutions

Producing a model for institutional IdM audits

Reporting on issues for Health, National Grid Service and others

(Make sure your institution has completed the Identity Management survey at www.identity-project.info !)

The ES-LoA Project

Analysing levels of AuthN and AuthZ required for different services

Recommending how these can be expressed in Federation-approved attributes

The job – for your institutions JISC will be fully funding use of Athens for you, until July 2008, so… Institutional readiness audit Consider using The Identity Project survey as a basis - and contribute to our understanding of the national picture too. Choose option: Implement Identity Provider in-house Use a contractor to implement Identity Provider Subscribe to an outsourced Identity Provider Join the UK Federation Plan managed conversion of links to subscribed resources Plan end user information campaign

JISC will be fully funding use of Athens for you, until July 2008, so…

Institutional readiness audit

Consider using The Identity Project survey as a basis - and contribute to our understanding of the national picture too.

Choose option:

Implement Identity Provider in-house

Use a contractor to implement Identity Provider

Subscribe to an outsourced Identity Provider

Join the UK Federation

Plan managed conversion of links to subscribed resources

Plan end user information campaign

www.ukfederation.org.uk www.jisc.ac.uk/federation.html http:// www.angel.ac.uk/ShibbolethAtLSE www.identity-project.info [email_address] [email_address]