2. Summary
1 year Pilot Project / 2 years in production
All IoTs, Universities and Colleges, but only half of HEAnet’s members
Core service at some institutions but light use at others
4. So, where to now?
1. Extended Attribute Schema
2. Higher Identity Assurance
3. Strong Authentication
4. Account Provisioning
5. Cross institutional groups
6. New Identity Protocols
7. Statistics
8. Bilateral Trusts
9. Expansion beyond HEAnet
10. SSO for non-web applications
11. Aggregated identities
12. Logout
5. 1. Extended Attribute Schema
Students
• Do you have photos?
• Can I tell if a user is part-time/full-time?
• What course is the student pursuing?
Staff
• Cost-center code (for eProcurement)
• ResearcherID / AuthorID
• Availability calendar
• Telephone number
6. 2. Higher Identity Assurance
Would you use Edugate for eProcurement?
• On-campus (cross charging for campus services)
• Shared procurement portal (Shannon Consortium Procurement Network)
• External suppliers (vikingdirect.ie/officedepot.ie)
The Service Provider will seek assurance that the identity is of sufficient quality to underpin a cardless financial transaction.
7. 3. Strong Authentication
Passwords are the root of all e-vil
• Easily shared
• Easily forgotten
• Frequently exposed
• No common password policy
• Password changes not enforced
8. 3. Strong Authentication
SSO helps to eliminate passwords
• Consolidating onto a single (or single+1) credential allows for strong authentication
• 2-factor authentication / strong password policy
SSO systems can protect sensitive resources
• re-authentication
• ‘step-up’ authentication
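The assurance question on the eProcurement slide and the re-authentication / step-up bullets above come together at the Service Provider: it compares what the assertion says about how and when the user authenticated against what the resource needs, and sends a fresh AuthnRequest when the session falls short. The following is an added example, not Edugate's or HEAnet's code. It assumes the IdP places an AuthnContextClassRef and an AuthnInstant in each assertion and that the SP keeps both in its session; the resource tiers, their policies and the sample sessions are constructed for the example. The MFA context identifier is the REFEDS MFA profile URI.

```python
"""Step-up and re-authentication decisions at a SAML Service Provider.

Added example (not Edugate's or HEAnet's code). Assumes the IdP returns an
AuthnContextClassRef and AuthnInstant in each assertion and the SP stores
both in its session. Policies and sample sessions are constructed.
"""
from dataclasses import dataclass
from datetime import datetime, timedelta, timezone
import xml.etree.ElementTree as ET

SAMLP = "urn:oasis:names:tc:SAML:2.0:protocol"
SAML = "urn:oasis:names:tc:SAML:2.0:assertion"
ET.register_namespace("samlp", SAMLP)
ET.register_namespace("saml", SAML)

# Authentication context classes, weakest to strongest.
PASSWORD = "urn:oasis:names:tc:SAML:2.0:ac:classes:PasswordProtectedTransport"
MFA = "https://refeds.org/profile/mfa"          # REFEDS MFA profile
STRENGTH = {PASSWORD: 1, MFA: 2}


@dataclass
class SpSession:
    name_id: str
    authn_context: str       # AuthnContextClassRef from the assertion
    authn_instant: datetime  # AuthnInstant from the assertion


@dataclass
class Policy:
    required_context: str
    max_age: timedelta       # how recent the authentication must be


# Constructed policies: a read-only resource versus a cardless purchase.
POLICIES = {
    "library": Policy(PASSWORD, timedelta(hours=8)),
    "eprocurement": Policy(MFA, timedelta(minutes=10)),
}


def step_up_needed(session, policy, now):
    """None if the session satisfies the policy; otherwise 'stepup' (a stronger
    context is required) or 'reauth' (context is fine but too old)."""
    if STRENGTH.get(session.authn_context, 0) < STRENGTH[policy.required_context]:
        return "stepup"
    if now - session.authn_instant > policy.max_age:
        return "reauth"
    return None


def build_authn_request(req_id, issuer, destination, reason, policy, now):
    """AuthnRequest for the step-up. ForceAuthn="true" makes the IdP re-prompt
    even though it still holds an SSO session; RequestedAuthnContext asks for
    the stronger class when the reason is a step-up."""
    root = ET.Element(f"{{{SAMLP}}}AuthnRequest", {
        "ID": req_id, "Version": "2.0",
        "IssueInstant": now.strftime("%Y-%m-%dT%H:%M:%SZ"),
        "Destination": destination, "ForceAuthn": "true",
    })
    ET.SubElement(root, f"{{{SAML}}}Issuer").text = issuer
    if reason == "stepup":
        rac = ET.SubElement(root, f"{{{SAMLP}}}RequestedAuthnContext",
                            {"Comparison": "exact"})
        ET.SubElement(rac, f"{{{SAML}}}AuthnContextClassRef").text = policy.required_context
    return ET.tostring(root, encoding="unicode")


def demo():
    """The three cases a practitioner would want to see."""
    now = datetime(2012, 3, 1, 12, 0, tzinfo=timezone.utc)
    fresh_pw = SpSession("alice@idp.example", PASSWORD, now - timedelta(minutes=5))
    old_mfa = SpSession("alice@idp.example", MFA, now - timedelta(minutes=30))
    results = {
        "library_fresh_pw": step_up_needed(fresh_pw, POLICIES["library"], now),
        "procurement_fresh_pw": step_up_needed(fresh_pw, POLICIES["eprocurement"], now),
        "procurement_old_mfa": step_up_needed(old_mfa, POLICIES["eprocurement"], now),
    }
    results["request"] = build_authn_request(
        "_req1", "https://sp.example/shibboleth", "https://idp.example/sso",
        "stepup", POLICIES["eprocurement"], now)
    return results


if __name__ == "__main__":
    for key, value in demo().items():
        print(key, "->", value)
```

The two checks are deliberately separate: a password login can never be promoted to MFA by waiting, and an MFA login that is half an hour old is still too stale for a financial transaction, so each failure produces its own kind of AuthnRequest.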
9. 4. Account Provisioning
On-campus, provisioning is a minor problem, but for cloud/hosted/outsourced services provisioning is a significant problem.
Invitation systems require:
• the email address of every potential user (one-time URL)
• approval workflows (open URL)
10. 4. Account Provisioning
Bulk provisioning
• Handling of bulk files a significant risk
• Out of sync almost immediately
• De-provisioning rarely handled
• Accounts created for users who might never login
11. 4. Account Provisioning
Just-in-Time provisioning
Standards emerging
• Simple Cloud Identity Management (SCIM)
But Service Providers are familiar with:
• LDAP: enter username/password, authenticate, query for attributes
• OAuth: enter user ID, authenticate, get token, query for attributes
• API: enter a user identifier, query for attributes, forever
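The three Account Provisioning slides above describe the failure modes of bulk files (drift, no de-provisioning, accounts nobody uses) and the just-in-time alternative. The following is an added example of JIT provisioning at a Service Provider, not Edugate's or any SP's code: the account is created or refreshed from the assertion at login, stale accounts are disabled on a sweep, and the account can be rendered as a SCIM 2.0 User resource (RFC 7643) for an outbound connector. Attribute names are the eduPerson ones (eduPersonPrincipalName, mail, displayName, eduPersonAffiliation); the in-memory store and the sample assertions are constructed for the example.

```python
"""Just-in-time (JIT) provisioning at a Service Provider, with idle-based
de-provisioning and a SCIM view of the resulting account.

Added example, not Edugate's or any SP's code. Attribute names are the
eduPerson ones; the store and the sample assertions are constructed.
"""
from datetime import datetime, timedelta, timezone


class AccountStore:
    def __init__(self):
        self.accounts = {}  # eduPersonPrincipalName -> account record

    def provision_on_login(self, attrs, now):
        """Create or refresh the local account from the assertion attributes.
        Keys on eduPersonPrincipalName only: a missing identifier is an error,
        never a fallback to a weaker key such as mail."""
        eppn = attrs.get("eduPersonPrincipalName")
        if not eppn:
            raise ValueError("assertion carries no eduPersonPrincipalName")
        fresh = {
            "mail": attrs.get("mail"),
            "displayName": attrs.get("displayName"),
            "affiliation": set(attrs.get("eduPersonAffiliation", [])),
            "last_login": now,
            "active": True,
        }
        if eppn not in self.accounts:
            self.accounts[eppn] = dict(fresh, created=now)
            return "created"
        # Overwrite from the authoritative assertion on every login, so the
        # local copy cannot drift the way a bulk-loaded file does.
        self.accounts[eppn].update(fresh)
        return "updated"

    def deprovision_stale(self, now, max_idle):
        """Disable accounts not seen within max_idle. Accounts exist only for
        users who actually logged in, so 'never used' accounts cannot build up."""
        disabled = []
        for eppn, acct in self.accounts.items():
            if acct["active"] and now - acct["last_login"] > max_idle:
                acct["active"] = False
                disabled.append(eppn)
        return sorted(disabled)

    def authorised(self, eppn, affiliation):
        acct = self.accounts.get(eppn)
        return bool(acct and acct["active"] and affiliation in acct["affiliation"])

    def to_scim_user(self, eppn):
        """Render the account as a SCIM 2.0 core User resource (RFC 7643)."""
        acct = self.accounts[eppn]
        return {
            "schemas": ["urn:ietf:params:scim:schemas:core:2.0:User"],
            "userName": eppn,
            "displayName": acct["displayName"],
            "emails": [{"value": acct["mail"], "primary": True}],
            "active": acct["active"],
        }


def demo():
    """Two logins, an attribute change, a rejected assertion, then a sweep."""
    t0 = datetime(2012, 3, 1, 9, 0, tzinfo=timezone.utc)
    store = AccountStore()
    alice = {"eduPersonPrincipalName": "alice@idp.example", "mail": "alice@idp.example",
             "displayName": "Alice", "eduPersonAffiliation": ["student", "member"]}
    bob = {"eduPersonPrincipalName": "bob@idp.example", "mail": "bob@idp.example",
           "displayName": "Bob", "eduPersonAffiliation": ["staff", "member"]}
    out = {"alice_first": store.provision_on_login(alice, t0),
           "bob_first": store.provision_on_login(bob, t0)}
    # Alice graduates: her next login carries a changed affiliation.
    alice_later = dict(alice, eduPersonAffiliation=["alum"])
    out["alice_second"] = store.provision_on_login(alice_later, t0 + timedelta(days=100))
    out["alice_still_student"] = store.authorised("alice@idp.example", "student")
    try:
        store.provision_on_login({"mail": "nobody@idp.example"}, t0)
        out["missing_id"] = "accepted"
    except ValueError:
        out["missing_id"] = "rejected"
    out["disabled"] = store.deprovision_stale(t0 + timedelta(days=120), timedelta(days=90))
    out["bob_scim"] = store.to_scim_user("bob@idp.example")
    return out


if __name__ == "__main__":
    for key, value in demo().items():
        print(key, "->", value)
```

Because every login rewrites the record from the assertion, a change of affiliation takes effect the next time the user appears rather than at the next bulk load, and the sweep only ever sees accounts that were used at least once.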
12. 5. Cross institutional groups
Cross institutional/federation groups
(Virtual Organisations)
• The Identity Provider doesn’t know all the collaborations or projects that a user participates in.
• This makes authorisation difficult for Service Providers (e.g. a project portal).
13. 5. Cross Institutional Groups
Establish an Edugate group repository:
• this can be queried by IdPs during the preparation of attributes for an assertion
• this can be queried by SPs provided the repository has a user identifier
• self-asserted group membership
• group membership approvals or invitations
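The two slides above give a group repository two query paths (the IdP while preparing an assertion, the SP by user identifier) and two ways into a group (self-assertion, invitation or approval). The following is an added example, not Edugate's code, showing why the membership state matters to the SP's authorisation decision: only approved memberships are released as isMemberOf, self-asserted requests stay pending until a group admin confirms them, and a user cannot approve themselves. The group names, scope and membership states are constructed for the example; isMemberOf is the eduMember attribute name.

```python
"""A federation group repository with the two query paths the slides describe:
an IdP resolver that adds memberships to a user's attributes, and an SP that
looks memberships up directly by user identifier.

Added example, not Edugate's code. Group names, scope and membership states
are constructed; isMemberOf is the eduMember attribute name.
"""

SELF_ASSERTED, INVITED, APPROVED = "self-asserted", "invited", "approved"


class GroupRepository:
    def __init__(self, scope):
        self.scope = scope  # suffix so an SP can tell which repository asserted the group
        self.groups = {}    # name -> {"admins": set, "members": {user: state}}

    def create(self, name, admin):
        self.groups[name] = {"admins": {admin}, "members": {admin: APPROVED}}

    def join_request(self, name, user):
        """Self-asserted membership: recorded, but never released to SPs."""
        self.groups[name]["members"].setdefault(user, SELF_ASSERTED)

    def invite(self, name, admin, user):
        self._require_admin(name, admin)
        self.groups[name]["members"][user] = INVITED

    def accept_invite(self, name, user):
        if self.groups[name]["members"].get(user) == INVITED:
            self.groups[name]["members"][user] = APPROVED

    def approve(self, name, admin, user):
        """A group admin confirms a self-asserted request."""
        self._require_admin(name, admin)
        if self.groups[name]["members"].get(user) == SELF_ASSERTED:
            self.groups[name]["members"][user] = APPROVED

    def _require_admin(self, name, admin):
        if admin not in self.groups[name]["admins"]:
            raise PermissionError(f"{admin} does not administer {name}")

    def approved_groups(self, user):
        """SP query path: groups the user verifiably belongs to."""
        return sorted(f"{g}@{self.scope}" for g, rec in self.groups.items()
                      if rec["members"].get(user) == APPROVED)

    def pending_groups(self, user):
        return sorted(g for g, rec in self.groups.items()
                      if rec["members"].get(user) in (SELF_ASSERTED, INVITED))


def resolve_attributes(idp_attrs, repo):
    """IdP query path: add isMemberOf from the repository while preparing the
    assertion. Pending memberships never reach an SP's authorisation decision."""
    user = idp_attrs["eduPersonPrincipalName"]
    attrs = dict(idp_attrs)
    groups = repo.approved_groups(user)
    if groups:
        attrs["isMemberOf"] = groups
    return attrs


def demo():
    repo = GroupRepository("edugate.example")
    repo.create("sfi-project-42", "pi@idp-a.example")
    repo.join_request("sfi-project-42", "alice@idp-b.example")  # self-asserted
    repo.invite("sfi-project-42", "pi@idp-a.example", "bob@idp-c.example")
    repo.accept_invite("sfi-project-42", "bob@idp-c.example")
    out = {
        "alice_before": resolve_attributes(
            {"eduPersonPrincipalName": "alice@idp-b.example"}, repo),
        "bob": resolve_attributes({"eduPersonPrincipalName": "bob@idp-c.example"}, repo),
        "alice_pending": repo.pending_groups("alice@idp-b.example"),
    }
    try:  # a requester approving their own request must fail
        repo.approve("sfi-project-42", "alice@idp-b.example", "alice@idp-b.example")
        out["self_approve"] = "allowed"
    except PermissionError:
        out["self_approve"] = "denied"
    repo.approve("sfi-project-42", "pi@idp-a.example", "alice@idp-b.example")
    out["alice_after"] = repo.approved_groups("alice@idp-b.example")
    return out


if __name__ == "__main__":
    for key, value in demo().items():
        print(key, "->", value)
```

The scope suffix on each released value lets a project portal distinguish a group asserted by the federation repository from one with the same name asserted by an institution's own directory.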
14. 6. New Identity Protocols
OpenID Connect
• Addresses weaknesses and shortcomings of OpenID
OAuth2
• Allows retrieval of user data when user is not present
WIF (Windows Identity Foundation)
• Predominant identity protocol for Microsoft services
15. 6. New Identity Protocols
Should Edugate add new protocols?
• Cost?
• Benefit?
16. 7. Statistics and Monitoring
Are my users able to access service X?
Why are my users accessing service Y?
How come I’ve no users from institution A?
Why are we so popular with institution B?
What is the most widely used Edugate service?
What is the least used service?
Is Edugate being used? Or being used more?
17. 7. Statistics and Monitoring
Is IdP X up?
Are there high rates of attrition?
Are [staff|students] able to authenticate?
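Most of the questions on the two Statistics and Monitoring slides can be answered from one login log joined across IdPs and SPs. The following is an added example, not Edugate's reporting: it parses a constructed log (timestamp|IdP|SP|outcome, a format invented for the example, since each IdP or SP product writes its own audit fields), counts successful logins per service and per institution, flags an IdP whose failure rate is high (users unable to authenticate) and an IdP registered in the federation that has shown no successful login within a window (IdP down, or no users from that institution). Every log line and entity name below is constructed.

```python
"""Answering the monitoring questions from a federation login log.

Added example, not Edugate's reporting. The log format and every line are
constructed; a real IdP or SP audit log has its own fields, so only parse()
would change.
"""
from collections import Counter
from datetime import datetime, timedelta, timezone

# Constructed sample log: timestamp|IdP entity|SP entity|outcome
LOG = """\
2012-03-05T09:00:00Z|idp.inst-a.example|https://sp.library.example|SUCCESS
2012-03-05T09:05:00Z|idp.inst-a.example|https://sp.library.example|SUCCESS
2012-03-05T09:10:00Z|idp.inst-b.example|https://sp.library.example|SUCCESS
2012-03-05T09:12:00Z|idp.inst-b.example|https://sp.portal.example|FAIL
2012-03-05T09:13:00Z|idp.inst-b.example|https://sp.portal.example|FAIL
2012-03-05T09:20:00Z|idp.inst-c.example|https://sp.portal.example|SUCCESS
2012-03-05T09:25:00Z|idp.inst-c.example|https://sp.portal.example|SUCCESS
2012-03-05T10:30:00Z|idp.inst-a.example|https://sp.library.example|SUCCESS
2012-03-05T10:45:00Z|idp.inst-a.example|https://sp.wiki.example|SUCCESS
"""

# IdPs registered in the federation; inst-d is registered but never logs anyone in.
KNOWN_IDPS = ["idp.inst-a.example", "idp.inst-b.example",
              "idp.inst-c.example", "idp.inst-d.example"]


def parse(text):
    records = []
    for line in text.splitlines():
        if not line.strip():
            continue
        ts, idp, sp, outcome = line.split("|")
        when = datetime.strptime(ts, "%Y-%m-%dT%H:%M:%SZ").replace(tzinfo=timezone.utc)
        records.append({"ts": when, "idp": idp, "sp": sp, "ok": outcome == "SUCCESS"})
    return records


def summarise(records, now, silence_window, failure_threshold=0.5):
    by_sp = Counter(r["sp"] for r in records if r["ok"])
    by_idp = Counter(r["idp"] for r in records if r["ok"])
    attempts = Counter(r["idp"] for r in records)
    failure_rate = {idp: round(1 - by_idp[idp] / attempts[idp], 3) for idp in attempts}
    last_ok = {}
    for r in records:
        if r["ok"]:
            last_ok[r["idp"]] = max(last_ok.get(r["idp"], r["ts"]), r["ts"])
    # "Is IdP X up?" / "How come I've no users from institution A?"
    silent = sorted(idp for idp in KNOWN_IDPS
                    if idp not in last_ok or now - last_ok[idp] > silence_window)
    ranked = by_sp.most_common()
    return {
        "logins_by_sp": dict(by_sp),
        "logins_by_idp": dict(by_idp),
        "most_used_sp": ranked[0][0],
        "least_used_sp": ranked[-1][0],
        "failure_rate": failure_rate,
        "high_failure_idps": sorted(i for i, f in failure_rate.items()
                                    if f >= failure_threshold),
        "silent_idps": silent,
    }


def demo():
    now = datetime(2012, 3, 5, 11, 0, tzinfo=timezone.utc)
    return summarise(parse(LOG), now, timedelta(hours=2))


if __name__ == "__main__":
    for key, value in demo().items():
        print(key, "->", value)
```

The silence check deliberately counts only successful logins: an IdP that is up but rejecting everyone shows as a high failure rate, an IdP nobody reaches shows as silent, and the two call for different people to be phoned.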
18. 8. Proliferation of bilateral trusts
There are 29 bilateral trusts in Edugate; why don’t these services join Edugate?
• Maybe not required (single institution)
• Tender awarded, Edugate not in the tender
• SP not a legal entity
Examples: Google Apps, Millennium, Blackboard Learn.
19. 9. Expansion beyond HEAnet?
More identity providers will mean more service providers
• Private Colleges
• Health Services Sector (HSE/Hospitals/CPD)
• Industry Research Centers (Intel Labs / SFI participants)
• 2nd Level schools
20. 10. SSO for non-web
SAML works well within the browser, but outside the browser it requires client support
• Native client support (e.g. Outlook claims-based authentication)
• Or, with Moonshot, common library support (GSS/SASL/SSPI)
21. 11. Aggregated identities
The institution holds validated identity data and enrollment status. This can be aggregated or augmented with self-asserted data from other sources:
• Social IDs (profile pictures, friends, interests)
• Group membership repository
23. 12. Logout
Clicking on ‘Logout’: what should happen?
• Logout of the application, but the IdP session persists (local logout)
• Logout of the application, redirect to the IdP session killer page (partial logout)
• Logout of the application, redirect to the IdP session killer page, trigger logout of all services (global logout)
24. 12. Logout
Or should the SP force re-authentication at the IdP after the logout button has been used (if the IdP supports it)?
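The two Logout slides above list three outcomes for the Logout button plus a fourth option, forcing re-authentication at the IdP on the next login. The following is an added example of the SP side of those choices, not Edugate's code: the local session always dies; partial logout redirects to the IdP; global logout sends a SAML 2.0 LogoutRequest naming the NameID and SessionIndex; and, because a global logout started at another SP arrives as a LogoutRequest from the IdP, the handler for that message checks the Issuer, kills only the matching session and answers with a LogoutResponse. Session records, entity IDs and URLs are constructed; the XML follows the SAML 2.0 protocol schema, and signature handling is left out.

```python
"""Logout choices at a SAML Service Provider: local, partial, global, and
"force re-authentication next time".

Added example, not Edugate's code. Sessions, entity IDs and URLs are
constructed; signatures on LogoutRequest/LogoutResponse are not shown.
"""
import xml.etree.ElementTree as ET
from datetime import datetime, timezone

SAMLP = "urn:oasis:names:tc:SAML:2.0:protocol"
SAML = "urn:oasis:names:tc:SAML:2.0:assertion"
ET.register_namespace("samlp", SAMLP)
ET.register_namespace("saml", SAML)
STATUS_SUCCESS = "urn:oasis:names:tc:SAML:2.0:status:Success"
LOCAL, PARTIAL, GLOBAL = "local", "partial", "global"


def _instant():
    return datetime.now(timezone.utc).strftime("%Y-%m-%dT%H:%M:%SZ")


def build_logout_request(issuer, destination, name_id, session_index, req_id):
    """SAML 2.0 LogoutRequest naming the principal and the IdP session."""
    root = ET.Element(f"{{{SAMLP}}}LogoutRequest", {
        "ID": req_id, "Version": "2.0", "IssueInstant": _instant(),
        "Destination": destination})
    ET.SubElement(root, f"{{{SAML}}}Issuer").text = issuer
    ET.SubElement(root, f"{{{SAML}}}NameID").text = name_id
    ET.SubElement(root, f"{{{SAMLP}}}SessionIndex").text = session_index
    return ET.tostring(root, encoding="unicode")


class SpSessions:
    def __init__(self, sp_entity_id, idp_entity_id, idp_slo_url):
        self.sp, self.idp, self.idp_slo_url = sp_entity_id, idp_entity_id, idp_slo_url
        self.sessions = {}         # local session id -> {"name_id", "session_index"}
        self.force_reauth = set()  # NameIDs whose next AuthnRequest gets ForceAuthn

    def logout(self, sid, mode, force_reauth_next=False):
        """The user clicked Logout: the local session always dies; the mode
        decides whether the IdP session, or every other SP session, dies too."""
        sess = self.sessions.pop(sid)
        if force_reauth_next:
            self.force_reauth.add(sess["name_id"])
        if mode == LOCAL:
            return ("redirect", "/logged-out")
        if mode == PARTIAL:
            return ("redirect", self.idp_slo_url)
        if mode == GLOBAL:
            req = build_logout_request(self.sp, self.idp_slo_url, sess["name_id"],
                                       sess["session_index"], "_lr-" + sid)
            return ("logout_request", req)
        raise ValueError(f"unknown logout mode {mode}")

    def handle_logout_request(self, xml):
        """A global logout started elsewhere arrives as a LogoutRequest from the
        IdP. Honour it only from our IdP, kill only sessions whose NameID and
        SessionIndex match, and answer with a LogoutResponse."""
        req = ET.fromstring(xml)
        issuer = req.findtext(f"{{{SAML}}}Issuer")
        if issuer != self.idp:
            raise PermissionError(f"LogoutRequest from untrusted issuer {issuer}")
        name_id = req.findtext(f"{{{SAML}}}NameID")
        index = req.findtext(f"{{{SAMLP}}}SessionIndex")
        killed = [sid for sid, s in self.sessions.items()
                  if s["name_id"] == name_id and s["session_index"] == index]
        for sid in killed:
            del self.sessions[sid]
        resp = ET.Element(f"{{{SAMLP}}}LogoutResponse", {
            "ID": "_lresp-" + req.get("ID"), "Version": "2.0",
            "IssueInstant": _instant(), "InResponseTo": req.get("ID")})
        ET.SubElement(resp, f"{{{SAML}}}Issuer").text = self.sp
        status = ET.SubElement(resp, f"{{{SAMLP}}}Status")
        ET.SubElement(status, f"{{{SAMLP}}}StatusCode", {"Value": STATUS_SUCCESS})
        return len(killed), ET.tostring(resp, encoding="unicode")

    def next_login_force_authn(self, name_id):
        """Checked when the SP builds the next AuthnRequest for this user."""
        return name_id in self.force_reauth


def demo():
    sp = SpSessions("https://sp.example/shibboleth", "https://idp.example/idp",
                    "https://idp.example/slo")
    sp.sessions.update({
        "s1": {"name_id": "alice@idp.example", "session_index": "idx-1"},
        "s2": {"name_id": "alice@idp.example", "session_index": "idx-1"},
        "s3": {"name_id": "bob@idp.example", "session_index": "idx-2"},
        "s4": {"name_id": "carol@idp.example", "session_index": "idx-3"},
    })
    out = {"local": sp.logout("s1", LOCAL, force_reauth_next=True),
           "force_alice": sp.next_login_force_authn("alice@idp.example"),
           "global": sp.logout("s3", GLOBAL)[0]}
    # The IdP propagates a global logout for Alice's IdP session idx-1.
    killed, resp = sp.handle_logout_request(build_logout_request(
        "https://idp.example/idp", "https://sp.example/slo",
        "alice@idp.example", "idx-1", "_idp-req-1"))
    out["killed"] = killed
    out["resp_ok"] = 'InResponseTo="_idp-req-1"' in resp and STATUS_SUCCESS in resp
    try:  # a LogoutRequest from an IdP this SP does not trust must be refused
        sp.handle_logout_request(build_logout_request(
            "https://other-idp.example/idp", "https://sp.example/slo",
            "carol@idp.example", "idx-3", "_other-1"))
        out["untrusted"] = "accepted"
    except PermissionError:
        out["untrusted"] = "rejected"
    out["remaining"] = sorted(sp.sessions)
    return out
```

Matching on SessionIndex as well as NameID matters: a user may hold a second SP session from a later IdP login with a different index, and a global logout of the first should not silently end the second.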
25. So, where to now?
1. Extended Attribute Schema
2. Higher Identity Assurance
3. Strong Authentication
4. Account Provisioning
5. Cross institutional groups
6. New Identity Protocols
7. Statistics
8. Bilateral Trusts
9. Expansion beyond HEAnet
10. SSO for non-web applications
11. Aggregated identities
12. Logout