Tackling the identity challenge The OpenAthens approach David Orrell, Talis Insight 2007, 6-7 November 2007

The shape and significance of identity systems now, and looking ahead User-centricity in identity The OpenAthens solution Topics

The shape and significance of identity systems now, and looking ahead

User-centricity in identity

The OpenAthens solution

Current situation The library sector, and publishers employ a variety of ‘ identity systems ’ : Athens, Shibboleth IP authentication Username/password LDAP, SQL, X.509 certificates In isolation, these fail to provide a complete solution

The library sector, and publishers employ a variety of ‘ identity systems ’ :

Athens, Shibboleth

IP authentication

Username/password

LDAP, SQL, X.509 certificates

In isolation, these fail to provide a complete solution

Several changes in the last 2-3 years have changed how we think of our online identity

‘ Federation ’ has become widely accepted as the future of identity architectures Federation means that identity providers and service providers are separate entities Decentralisation means no one entity holds the ‘ key ’ to the identity network Recent changes

‘ Federation ’ has become widely accepted as the future of identity architectures

Federation means that identity providers and service providers are separate entities

Decentralisation means no one entity holds the ‘ key ’ to the identity network

Standards dealing specifically with (federated) identities have emerged SAML WS-* + information cards OpenID Recent changes

Standards dealing specifically with (federated) identities have emerged

SAML

WS-* + information cards

OpenID

Users ’ view of identity has radically changed The web has become truly participatory Web APIs are opening up Collaboration, sharing, discovery Meanwhile…

Users ’ view of identity has radically changed

The web has become truly participatory

Web APIs are opening up

Collaboration, sharing, discovery

The identity environment Identity theft Phishing Threats Browser Apache IIS J2EE .NET PHP Ruby on Rails Open Source Applications Web 2.0 Social networking Blogging Wikis Instant messaging User trends Standards/ Protocols SAML OpenID Shibboleth X.509 CardSpace XACML LDAP WS-* Microformats

Identity and affiliation What is my (online) identity? My blog? My Facebook account? My MySpace page? My email, IM, Google Documents, ... What are my affiliations? My bank My university/college My employer

What is my (online) identity?

My blog?

My Facebook account?

My MySpace page?

My email, IM, Google Documents, ...

What are my affiliations?

My bank

My university/college

My employer

We now have several identity standards...the ‘ plumbing ’ of identity: SAML, WS-* In isolation they fail to address the whole user experience Standards + user experience leads to a new generation of identity technologies: OpenID, CardSpace

We now have several identity standards...the ‘ plumbing ’ of identity:

SAML, WS-*

In isolation they fail to address the whole user experience

Standards + user experience leads to a new generation of identity technologies:

OpenID, CardSpace

Seven laws of identity User Control and Consent Minimal Disclosure for a Constrained Use Justifiable Parties Directed Identity Pluralism of Operators and Technologies Human Integration Consistent Experience Across Contexts Kim Cameron, http://msdn2.microsoft.com/en-us/library/ms996456.aspx

User Control and Consent

Minimal Disclosure for a Constrained Use

Justifiable Parties

Directed Identity

Pluralism of Operators and Technologies

Human Integration

Consistent Experience Across Contexts

Kim Cameron, http://msdn2.microsoft.com/en-us/library/ms996456.aspx

Two user-centric identity systems OpenID My i dentity is a URL: http://dno. myopenid .com A decentralised system using existing web technologies Low trust, high scalability

OpenID

My i dentity is a URL:

http://dno. myopenid .com

A decentralised system using existing web technologies

Low trust, high scalability

Two user-centric identity systems Information cards Identity is analogous to a ‘ real-world ’ card Windows CardSpace is application to store and pick my card – a kind of wallet Takes identity out of the browser

Information cards

Identity is analogous to a ‘ real-world ’ card

Windows CardSpace is application to store and pick my card – a kind of wallet

Takes identity out of the browser

A mixture of technologies will find ways to co-exist Different technologies address different aspects of the online identity environment We are seeing a more user-centric view of identity Organisations will require some ‘ hand-holding ’ to make this work! Conclusions…

A mixture of technologies will find ways to co-exist

Different technologies address different aspects of the online identity environment

We are seeing a more user-centric view of identity

Organisations will require some ‘ hand-holding ’ to make this work!

Identity standards can form essential building blocks of modern web applications … … but building practical , yet effective architectures around them can be a major challenge

Introducing OpenAthens What is it? A set of standards-based, products and services for access and identity management Who and what is it for? Enables organisations, service providers and individuals to participate using federated identity standards

What is it?

A set of standards-based, products and services for access and identity management

Who and what is it for?

Enables organisations, service providers and individuals to participate using federated identity standards

Introducing OpenAthens Key qualities: Promotes choice and flexibility Standards-based and technology independent Practical Targeted to specific communities

Key qualities:

Promotes choice and flexibility

Standards-based and technology independent

Practical

Targeted to specific communities

So what is i t… 3 areas of focus: Outsourced identity services Identity infrastructure for Service Providers User-centric tools and services

3 areas of focus:

Outsourced identity services

Identity infrastructure for Service Providers

User-centric tools and services

Outsourced identity provision What do we mean by out-sourced? Allow someone else to manage the technology behind identity, while maintaining control over users ’ access Much like outsourcing our email provision or network access Need to carefully assess the reasons why you would , or would not want to out - source Different organisations will have different needs

What do we mean by out-sourced?

Allow someone else to manage the technology behind identity, while maintaining control over users ’ access

Much like outsourcing our email provision or network access

Need to carefully assess the reasons why you would , or would not want to out - source

Different organisations will have different needs

Why outsource? Low impact Low demands on specialist staff-resources Administration can be shared and delegated Gentle migration path from existing Athens Flexible Web-based administration Self-registration Bulk-account creation and automation Instant access to use reports and statistics

Low impact

Low demands on specialist staff-resources

Administration can be shared and delegated

Gentle migration path from existing Athens

Flexible

Web-based administration

Self-registration

Bulk-account creation and automation

Instant access to use reports and statistics

Why outsource? Easy to budget No hidden costs: Human resources, on-going support, loss of key personnel As little as £800pa for the smallest institutions Maximum of £9,500pa for the largest Reliability 99.999% availability 9-5 Service Desk support, 24x7 maintenance Backed up by SLA

Easy to budget

No hidden costs: Human resources, on-going support, loss of key personnel

As little as £800pa for the smallest institutions

Maximum of £9,500pa for the largest

Reliability

99.999% availability

9-5 Service Desk support, 24x7 maintenance

Backed up by SLA

Why outsource? Future-proofed Support for growing list of identity systems

Future-proofed

Support for growing list of identity systems

What about Service Providers? …

OpenAthensSP Standards-based AIM framework for service providers A set of components that enable Service Providers to support federated identity standards Independent of any one particular standard … but supports several

Standards-based AIM framework for service providers

A set of components that enable Service Providers to support federated identity standards

Independent of any one particular standard

… but supports several

Choice and flexibility Service Provider picks the technology suitable to connect to user communities Pre-packaged solutions for different communities Athens (inc. NHS) UK Access Management Federation

Service Provider picks the technology suitable to connect to user communities

Pre-packaged solutions for different communities

Athens (inc. NHS)

UK Access Management Federation

SP identity infrastructure OpenAthens SP component Existing or 3 rd party component Application Platform SQL SAML Shib ... Policy Audit Federation data LDAP

How does the process work? Preliminary consultation with Eduserv technical staff Support during integration On-going software support Future-proofed architecture

Preliminary consultation with Eduserv technical staff

Support during integration

On-going software support

Future-proofed architecture

End-user services …

MyAthens Recently re-launched and improved A simple place for resource discovery, search and organisation Is accessible via Athens and Shibboleth Available to the UKAMF, NHS and other Athens communities >850 000 regular users

Recently re-launched and improved

A simple place for resource discovery, search and organisation

Is accessible via Athens and Shibboleth

Available to the UKAMF, NHS and other Athens communities

>850 000 regular users

Athens toolbars Extending MyAthens into the browser …

Extending MyAthens into the browser …

http://www. openathens .net/aim [email_address]