SlideShare a Scribd company logo

Identity and User Access Management.pptx

Download as PPTX, PDF
I
irfanullahkhan64

Identity and Access Management for User login and departmental level and federation level. User can be easily manageable through identity and access Management

Technology
1 of 90
Identity and Access Management
Agenda 2 Campus Identity to Federated Identity 1 Campus Identity 3 Federated Identity 4 Identity and Business Models • Welcome and Introductions • Eduroam and Identity services • Introduction to Identity on Campus • Identity and the Campus network • Identity and Cloud Services • Defining users • Introduction to identity Federations • Identity and access management for researchers • Identity Federations for Service Providers • Value Proposition and Business Models • Risk Management and Identity • Discussions
Session 1: Campus Identity • Welcome and Introductions • Eduroam and Identity services • Introduction to Identity on Campus • Identity and the Campus network
Welcome and Introductions Terry Smith  Technical engagement and support manager  Chair of the APAN Identity and Access Task Force Heather Flanagan Nicol Harris
Introduce yourselves Please introduce yourself …  Name  Country of origin  Organisation / Affiliation you represent  Level of IAM  Within your organisations  Across your country
eduroam
What is eduroam
eduroam and Identity Services In this video, we will discuss eduroam and how it fits in an identity management service portfolio.
Where can you use eduroam?
eduroam tools Configuration Assistant Tool (CAT) Local eduroam administrators enter their eduroam configuration details and based on them, eduroam CAT builds customised installers for a number of popular platforms.  The installer built specific to each organisation  Your organisation MUST be able to login to CAT!  Login if via edugain  Technical Resources available…  https://www.eduroam.org/configuration-assistant-tool-cat/
Introduction to Identity on Campus In this video, we’re going to talk about the technology and governance that needs to be in place for a campus identity system. With this as a baseline, a campus will be in a solid position for supporting single-sign-on, and from there, to supporting federated identity.
Design Goals for Identity and R&E The dream - providing users with a single login that grants access to any resource, irrespective of device or physical location. When designing for Identity Management (IdM) start with your desired end goals and then work backwards. • Single Sign On (SSO) • Role-based access to network resources • Support for traveling scholars (think “eduroam”) • Tools for collaboration • Shared access to remote instruments • Your wish list goes here
Why Focus on Campus Networks? • Individual institutions are the authoritative source for domain data • The campus network is the foundation for research and education activities • The best path to network capacity, equipment and personnel • No researcher is connected directly to a national R&E network • They are all connected to campus or enterprise networks for access
Benefits for Campus Network Operators When staff and money are in short supply, any new effort must add value to entire campus plan. IdM can provide: • better utilization data • better security • better management for restricted resources These things come at a cost as there are new services and software to manage and someone will have to maintain data integrity on an on-going basis. The value goes beyond IdM.
We Already Understand the Model A good network design is modular and hierarchical, with a clear separation of functions: core, distribution, and access. Good campus networks will leverage:  Domain-based span of control  Layered services built around your core  Scalable, interoperable, standards-based technical choices The Identity Management model is much the same
Identity Management Services Capabilities  Centered on the User Identifier (NetID) - A single unique University wide identifier bound to the individual user and used at log-in to provision:  Authentication  Quickly verify user identities (Who you are)  Authorization  Control users access (What you can access)  Administration  Manage user privileges by role, group, status, etc.  Allows for fine-grained policy application
One Way to Think About It - Interdomain Routing • IGP/iBGP • ASN • eBGP Identity management • Campus IdM • Federation • Inter-Federation  If you are a network engineer you all ready deal with local policy and global transit as part of your day job.  You would not allow an unmanaged device on your network – why allow an unmanaged end user?
The Late Mover Advantage  In the last ten years R&E networks have seen a lot of progress in Identity Management. • Common Standards • Common Software • With Open Source options! • Common Profiles • Common Practices and Policies  New entrants benefit from the lessons already learned
Case Examples  As you dig into the details of Identity Management you may be interested in specific examples of both campus and NREN deployments. There are many successful cases to choose from but these two have excellent documentation with robust links to resources. • NREN: Canadian Access Federation (CAF) – CANARIE • http://canarie.ca/identity/caf/ • Also includes links to a packaged solution using common tools  https://github.com/canariecaf • Campus: Rutgers, The State University of New Jersey • https://idms.rutgers.edu/
Communities of Practice  The R&E community has several well developed forums for Identity practitioners which are open to new participants. These forums include training resources, special advanced topic working groups, and documentation on current best practices. The sites provide both technical and policy guidance. • REFEDS (Research and Education FEDerations group) • EU-based group https://refeds.org/ • InCommon(operated by Internet2 Staff) • US/Internet2 Based group https://www.incommon.org/ • eduroam (education roaming) • secure, world-wide roaming access service • https://www.eduroam.org/ • eduGAIN (operated by GÉANT) • interconnects identity federations around the world • http://www.eduGAIN.org/
The Tool Box There are many ways to put together Authentication and Authorization services and lots of options for centralized data management. There are also good open source tools for identity federation management. These tools rely on your underlying network and wireless infrastructure and can be customized to match your campus plan. Two commonly used examples: • Shibboleth: Federated Services (IdP/SP) • https://shibboleth.net/ • CAS (central authentication service for SSO) • http://www.ja-sig.org/products/cas/overview/index.html
Building Identity Block by Block  Elements of IdM • unique identifier • directory • authentication • password store • authorization • federation • identity provider • service provider • directory service Deployment Examples • netid • ldap • cas • kerberos • mysql • shibboleth Note that all of the examples require customization based on your local policy
Getting Started Create a campus inventory that includes: • Your existing data sources • Your current authentication sites and methods • Your current authorization polices and methods • Your existing software and services • A survey of your users to gather requirements for both internal and external identity based access • Your institutional policies on user data • Including privacy, security, and acceptable use
The TIER Project Community Approach to Consistent Identity Management TIER is a community-driven effort, coordinated by Internet2, to develop a consistent approach to identity and access management (IAM) that simplifies campus processes and advances inter-institutional collaboration and research. TIER is both an open-source toolset and a campus practice set focused on:  sustaining the community software investment  integrating the software and project teams together  extending the software and practices to support common contributed use cases.
Technology on Campus (with many thanks to Chris Phillips and Tom Barton, “Demystifying Privilege and Access Management” IAM Online session in August 2012)
Campus Identity Systems evolution Campus IAM  Identities  Registries of who/what, identifiers, attributes, systems integration  Credentials & authentication  Internal, external  Linked to Identity  Access management  Roles, rules, entitlement, affiliation, groups, privileges, policy, authority, delegation, etc.
Factors to Consider in IAM Platforms Variable distance from the data  Local - Systems of Record, home grown, commercial  Internally, apps enjoy tightly coupled access to fresh data  Usually ‘behind the wall’  Federated – apps aware of more than local & remote systems of record  accept other identities underpinned by a trust decision  Foot in both worlds at times -- inside & outside the wall.  Data ‘distance’ further out  Upon sign-in of user, or provisioning task  Cloud (aka SaaS, PaaS) - apps abstracted away lower level details, could be furthest away from your fresh data  Similar challenges as federated  SLAs may or may not be under your control  Outside the wall  Deployment profile & app sophistication guide data management
Factors: Design and Intent  Different design patterns  Rigid data structures vs. elastic ones  Sometimes flexibility to a fault – not prescriptive enough  Philosophical design differences  Intentionally designed to support externalized AuthN/Z vs. bolt on  Implementer intentions  Walled garden product may cause challenges  Effort to keep current  Balance between get it done now vs. perfect design
Factors: Governance and Process  Governance  Clarity around:  Who says who says  Authorization model:  Centralized or distributed?  Application or data centric?  Process and Practices  Are change control practices in place & recognize the implications of local, federated, and cloud use styles?  System Of Record steward may not realize:  Dependencies on their data and change turnaround  How far flung systems of record data may be
The Evolution of Access Management
Identity and the Campus Network In this video segment, we will discuss the critical role campus networks play in supporting trusted identities in the Research and Education space. We will consider what the best sources are for user data, who should maintain those sources and how, and how to work with trusted partners on and off campus for additional data exchange.
Session 2: Campus Identity to Federated Identity • Identity and Cloud Services • Defining users • Introduction to identity Federations
In this video segment, we will look at the concept of cloud services and what those services mean for identity and access management, from both the campus and the vendor perspectives. We will cover some best practices in this space, as well as practices to avoid as two parties enter into a cloud services agreement.  Campus Identity05-Identity and the Campus Network.wmv
Cloud Services – Easy?  Not generally – can be complicated and time consuming  Provisioning individually per service is difficult on both the user and the campus  Using a shared account let’s the service provider pick their favorite number around licensing  Think about control over provisioning, de- provisioning, and support for the privacy requirements the campus has to follow
Handling Authentication DON'T assume successful authentication means the user is authorized for service. • Campus: CONSIDER stronger authentication (e.g., multi-factor) over password strengthening (increasing length, complexity requirements) • Vendor: DO let the identity provider handle authentication • Vendor: DO rely on browser- based authentication for non- browser applications. • Vendor: DON’T use service- specific passwords unless there are no alternatives. • Vendor: DO use forced re- authentication when appropriate.
Identifiers  Both Campus and Vendor: DO support a varied set of identifiers.  Both Campus and Vendor: CONSIDER the use of eduPersonTargetedID where appropriate.  Both Campus and Vendor: DO use standard definitions of identifiers and attributes.  Both Campus and Vendor: DON'T mistake eduPersonPrincipalName for a valid email address.  Campus: DO standardize internally on a stable "serial number" for users.  Campus: DO make eduPersonPrincipalName useful.
Provisioning and De-provisioning • Campus: DO expect the typical vendor to have a single, set model for creating user accounts on their systems. • Campus: DO practice "defensive programming" when setting up provisioning services. • Campus: DON'T require out-of- band acceptance of Terms of Use. • Campus: DON'T expect robust de-provisioning support. • Campus: DO handle username changes. • Vendor: DO support just-in-time provisioning based on user attributes passed in SAML assertions whenever possible. • Vendor: DO consider standardizing your provisioning (and de-provisioning) APIs. • Vendor: DO manage your provisioning API in a way that respects the service subscriber interests.
Defining users Does your definition and expectations of a student match that of the service provider? Do you have a shared understanding of staff, and does this include contractors or visiting professors? It is important to have a basic shared understanding of how you group and classify your users when you starting looking at offering services via federated identity management.  Campus Identity06-Defining Users.mp4
Attributes Attributes make the federation  Defining a CORE set of attributes will improve the uptake of the federations, particularly service providers.  Removes the need for SPs to negotiate with each IdP  Easier integration for eduGAIN  Research and Scholarly entity category
Which attributes? User Identifiers  eduPersontargetedID  eduPersonPrincipalName  UID  ORCID  auEduPersonSharedToken  eduPersonUniqueID Personalisation  Display Name  GivenName  Surname  Title  eMail Group membership  eduPersonPrincialName  eduPersonEntitlement  Group Member Organisational  Organisation Name  Organisation domain name  Organisation GRID  Organisation ISNI
Issues with attribute release  Date protection and privacy  Most governments will a have privacy act that may restrict what and how user’s personal attributes are managed  Cultural  The Organisational culture  People  Security  Your organisations security teams may have a perspective on attribute release which may be influenced by historic events.
Attribute discussion What attributes would your organisations be willing to release? What attributes would be difficult to release? How could you require attribute release?
Federations with attributes  Defined CORE and Optional attributes  CORE Attributes are listed in the federation rules  Service providers MUST declare which attributes they want and why they want them!  SP Attribute requirements defined in metadata  Simplified Service provider integration  Easier to introduce new attributes
Federations without attributes  Services providers must negotiate attribute release with every Identity provider – doesn't scale well  Define Attribute categories to help  Research and Scholarly  Always a talking point at REFEDs
Attribute Authorities Attribute authorities are a special case of an Identity provider  Provide additional attributes that are outside the organisational domain  Entitlements  Federation wide group membership  Can be operated by federation, a service provider or community
Introduction to Identity Federations In this video, we will look at what an Identity Federation is, what benefits engaging with an Identity federation can bring to your campus and how you can join an Identity Federation to achieve these benefits. In the examples given, we are mostly talking about SAML identity federations, but the principles of federation are similar with other technologies such as OpenID Connect or RADIUS access via eduroam.  Federated Identity01-Introduction to Identity Federations.mp4
Federation aims and goals What will be the initial aims and goals of your national federation?  Simplify access to publisher content  Support research activities  Access global resources in eduGAIN  Improve collaboration between organisations  Reduce work load and support costs for your members  Improve access for users  Providing specific shared services (e.g. Library system)
Building Blocks of Federation Attributes Identity Provider / Service Provider Discovery Federation Tools Metadata Policy
Identity Providers Organisations with users run Identity Providers  Provide a login page  Provides a mechanism for consent of attribute release  Login page is branded to the organisation  Login against the organisation LDAP or AD  Manages password reset  Provisions and de-provisions accounts  Agrees to the federation policies
Service Providers Run by organisations that have something to offer the federation community  Hands off authentication to IdPs  Obtains attributes from IdPs  Agrees to the federation policies
Discovery A mechanism they allows the user to select their organisation where they will login. Discovery can occur at either  The federation  All IdPs will be listed  User can select to have their IdP always selected  Federation look and feel  By the service  SP can list a sub-set of IdPs  Look and feel is that of the SP  Users quickly understand the extra step in authentication
Some live examples Login using the federation discovery service The AAF Attribute Validator Using a service provided discovery service AARNET’s Cloudstor
Metadata The Metadata is a technical document that contains technical details of all IdPs and SPs in the federation.  Cryptographically signed by the federation operator  Policy and Processes determine which IdPs and SPs are published in the metadata  All IdPs and SPs regularly consume the metadata  Provides the trust in the federation! Example Federation metadata
Federation tools  Registry  Manages IdP and SP technical details  Approval workflow  Discovery Service  Virtual Home – Home for the homeless  Metadata generation  Testing tools  Monitoring tools  Reporting tools The AAF Federation tools
Session 3: Federated Identity • Identity and access management for researchers • Identity Federations for Service Providers
Identity and Access Management for Researchers In this video segment, we’ll look at what the research community requires from identity services, how identity federations can enable research, and specific use cases to demonstrate the need and value of identity services to the research community.  Federated Identity02-Identity and Access Management for Researchers.mp4
Virtual Organization and Research Groups • The “Buried Scholar” problem • Improve the reputation of both the campus and the researcher by having a campus-branded identity • Some regions start with having a regionally branded identity, pooling the resources to focus on SSO first, and site-specific support later • More efficiently allocate resources by having federated identity as a campus or NREN-based service, rather than having individual research departments build this on their own • Global science and research opportunities • Scientists can more easily participate in global collaboration when the collaborations do not have to set up individual accounts
Research on Researcher Needs • Original FIM4R paper in 2012 described a set of recommendations to the research communities, technology providers, and funding agencies • The core use cases came from large research organizations with funding https://cdsweb.cern.ch/record/1442597 • The “Advancing Technologies and Federated Communities”, also in 2012, described a set of recommendations around technology, policy, funding, and legal issues. • A more generalized approach than the FIM paper, but the recommendations are largely the same https://www.terena.org/publications/files/2012-AAA-Study-report-final.pdf
FIM4R Findings Summarized • Federated technologies are good. Take advantage of them. • The infrastructure needs to be improved to take advantage of federated technologies. Do it. • Relying on the older models of local account creation and IP-based ACLs is easier. This is a very limited view. Stop it. • If you can’t fix it all yourself (and you can’t), facilitate the efforts of groups that can. Build relationships, target your spending or funding to make the biggest impact.
Collaboration Tools for science • Document Management • Storage and retrieval • Version Control • Search • Categorize • Information Management • Calendar • Contacts • Blogs • Discussions • Wikis • Collaboration • Access Controls • project workspaces • Task lists • workflows • data sharing • project discussions
Traditional approach to collaboration tools Cloud Google Docs Institutional infrastructure SharePoint @ NIH Collaboration Identity (username/password) cwhalen1234@gmail.com collaborator1234@gmail.com Institutional Identity (username/password) christopher.whalen@nih.gov collaborator1234@university.ed.uk christopher.whalen@nih.gov collaborator1234@nihext.nih.gov christopher.whalen@nih.gov collaborator1234@university.ed.uk
Virtual organization/federation approach to collaboration tools Cloud with VO Collaboration Tool Institutional infrastructure SharePoint @ NIH using the VO christopher.whalen@nih.gov collaborator1234@university.ed.uk collaborator1234@university.ed.uk Collaboration Identity (username/password) Institutional Identity (username/password) christopher.whalen@nih.gov christopher.whalen@nih.gov collaborator1234@university.ed.uk christopher.whalen@nih.gov collaborator1234@university.ed.uk
Scientific Tools for researchers Translational Science has experienced an explosion of data Challenges of sharing databases High Performance Computing resources Sequencing Analysis Data Management tools for clinical trials and studies Specimen, compound, databases Support Validation and auditing
Why Federated Identity? Why not Google, Facebook, Yahoo!, Twitter..? Interfederation Research Participants (eduGAIN via InCommon, Canarie, etc.) are responsible for investigating and compliance with international privacy law of the countries where research occurs or research subjects reside - Susan Blair, Chief Privacy Officer, University of Florida, Internet2 Global Summit 2015 • Google Policy: “Information we collect when you are signed into Google, in addition to information we obtain about you from partners, may be associated with your Google Account. When information is associated with your Google Account, we treat it as personal information.”
ORCID Vision ORCID’s vision is a world where all who participate in research, scholarship, and innovation are uniquely identified and connected to their contributions across disciplines, borders, and time. Mission ORCID provides an identifier for individuals to use with their name as they engage in research, scholarship, and innovation activities. We provide open tools that enable transparent and trustworthy connections between researchers, their contributions, and affiliations. We provide this service to help people find information and to simplify reporting and analysis.
What is ORCID? ORCID is a nonprofit helping create a world in which all who participate in research, scholarship and innovation are uniquely identified and connected to their contributions and affiliations, across disciplines, borders, and time.  https://orcid.org/
ORCID’s integration and engagement program ORCID’s mantra is “enter once, re-use often” and, to achieve this in a reliable, trustworthy, and transparent way, it’s essential that organizations play their part by creating validated assertions about the connections between them and their researchers.
ORCID and Federations  ORCID Provide an Institution login option via eduGAIN  The researcher's ORCID is for life, it is independent of the organisation the user belongs too  The researcher’s ORCID can be held in the eduPerson attribute eduPersonORCID  The eduPersonORCID can be consumed by federation services  Being built into new service such as the Australian Data Life Cycle project.
Identity Federation for Service Providers In this video series, we have mostly focused on the benefits that identity federation can bring to the campus. For this segment, we will briefly look at the benefits that Service Providers can realise when engaging with federations.  Federated Identity03-Identity Federation for Service Providers.mp4
Benefits Verified Affiliation  Unique, verified information about user states  Accurate and up-to-date information  Basic grouping information for students, staff, employees and alumni  Automated verification of status
Benefits Reduced Overhead  Reduced overhead for user support  No need to support per service username and password  Easier for users to manage smaller number of credentials  User support managed by the campus +  Reduced integration effort (do once, reuse many)
Benefits Increase Customer Base  Opportunity of global research and education federations  Benefits of inter-federation via eduGAIN  Opt-in to have your data shared with other federations via eduGAIN  Service available in multiple nation federations across the globe +  Able to address RFOs that require federated authentication
Benefits Improved Security  Managing personal data brings risks and responsibilities  Reduced Attack surface  Risk of fines for mismanagement of data  Minimising personal data held locally helps manage these risks  Greater attention can be paid to securing connection to campus.
Identity and Business Models • Value Proposition and Business Models • Risk Management and Identity • Discussions
Value Proposition and Business Models In this video, we will look at the value proposition that underlies federated identity services, and discuss what may be useful in a business model to plan for ongoing support of the necessary infrastructure. Identity services are not without financial cost, but there are solid arguments to be made for funding and support on your campus.  Identity and Business Models01-Value Proposition and Business Models.mp4
Business Context for Identity Federation Identity is highly strategic to some commercial providers, who are trying to control the space. An anchor service such as a social network or email service often makes these providers attractive to users. Services are also moving onto Cloud platforms that feature easy integration with the operator’s AAI. This is leading to the adoption of non-interoperable AAI. Trust is becoming a significant issue. While the network creates many positive opportunities it also introduces risks, particularly with the growth of Cloud. Users (or their organisations) do not trust some of these entities, and some actors are even considered hostile. In an increasingly constrained budgetary environment, funders are consolidating funding on horizontal activities such as eID. Positioning and communicating our T&I work is more critical than ever; the NRENs must articulate how we add value, given these other activities.
Building a Business Model  Learn about the technology required (in this case, the tools and platforms around identity and access management)  Understand and develop the policies required (including federation policies, organizational policies, and security policies)  Develop a business model regarding the operations of the federation (often the service will need to be self-sustaining; grant funds help but cannot be a long-term solution)  Create a Service Delivery system to support the use of the service (for example, web content and a knowledge base for help desk support, training, communication and outreach, and marketing)
The Value Proposition for Identity Federations  https://wiki.refeds.org/x/MoA4  Authors: Chris Phillips (CANARIE), Lucy Lynch (NSRC), Nicole Harris (REFEDS/GÉANT), Heath Marks (AAF)  Editor: Heather Flanagan (REFEDS/Spherical Cow Group)  Contributors: Ann Harding (SWITCH), Klaas Wierenga (Cisco)
What is the Value?  Collaboration Opportunities  Reputation and Branding  Network Security  Budget and Business
How to Make Federated Identity Work  Identify the business model  Make the case  Track metrics  Report on the value received  Aim for early sustainability
Risk Management and Identity This video will look at one of the most common areas of difficulty for campuses when using identity federations – effective and safe attribute release. We will cover how to understand the risks associated with releasing personal data, how to define legitimate reasons and processes for safely releasing data and how to justify data release within a federated environment.  Identity and Business Models02-Risk Management and Identity.mp4
Discussion on Risk How will you approach Attribute Release in your nation?
With thanks… “the voice that articulates the mutual needs of research and education identity federations worldwide” https://www.refeds.org
With thanks… TheNSRCcultivatescollaborationamongacommunityofpeerstobuildandimproveaglobal Internetthatbenefitsallparties.WefacilitatethegrowthofsustainableInternetinfrastructurevia technicaltrainingandengineeringassistancetoenrichthenetworkofnetworks. Ourgoalistoconnectpeople. www.nsrc.org
General Discussion Time for any final questions and general discussion…
Thanks Thank you for attending See you at the APAN Identity and Access Manager working party meeting on Wednesday

Recommended

Security & Compliance in the Cloud [2019]
Security & Compliance in the Cloud [2019]Security & Compliance in the Cloud [2019]
Security & Compliance in the Cloud [2019]Tudor Damian
 
Cloud Security: A matter of trust?
Cloud Security: A matter of trust?Cloud Security: A matter of trust?
Cloud Security: A matter of trust?Mark Williams
 
Marlabs Capabilities Overview: Digital Asset Management (DAM)
Marlabs Capabilities Overview: Digital Asset Management (DAM)Marlabs Capabilities Overview: Digital Asset Management (DAM)
Marlabs Capabilities Overview: Digital Asset Management (DAM)Marlabs
 
Data Domain-Driven Design
Data Domain-Driven DesignData Domain-Driven Design
Data Domain-Driven DesignKiran Kumar Chittoori
 
Cloud Security
Cloud SecurityCloud Security
Cloud SecurityAWS User Group Bengaluru
 
Cloud Security
Cloud SecurityCloud Security
Cloud SecurityAWS User Group Bengaluru
 
talk6securingcloudamarprusty-191030091632.pptx
talk6securingcloudamarprusty-191030091632.pptxtalk6securingcloudamarprusty-191030091632.pptx
talk6securingcloudamarprusty-191030091632.pptxTrongMinhHoang1
 
Transforming cloud security into an advantage
Transforming cloud security into an advantageTransforming cloud security into an advantage
Transforming cloud security into an advantageMoshe Ferber
 

Recommended

Security & Compliance in the Cloud [2019]
Security & Compliance in the Cloud [2019]Security & Compliance in the Cloud [2019]
Security & Compliance in the Cloud [2019]Tudor Damian
 
Cloud Security: A matter of trust?
Cloud Security: A matter of trust?Cloud Security: A matter of trust?
Cloud Security: A matter of trust?Mark Williams
 
Marlabs Capabilities Overview: Digital Asset Management (DAM)
Marlabs Capabilities Overview: Digital Asset Management (DAM)Marlabs Capabilities Overview: Digital Asset Management (DAM)
Marlabs Capabilities Overview: Digital Asset Management (DAM)Marlabs
 
Data Domain-Driven Design
Data Domain-Driven DesignData Domain-Driven Design
Data Domain-Driven DesignKiran Kumar Chittoori
 
Cloud Security
Cloud SecurityCloud Security
Cloud SecurityAWS User Group Bengaluru
 
Cloud Security
Cloud SecurityCloud Security
Cloud SecurityAWS User Group Bengaluru
 
talk6securingcloudamarprusty-191030091632.pptx
talk6securingcloudamarprusty-191030091632.pptxtalk6securingcloudamarprusty-191030091632.pptx
talk6securingcloudamarprusty-191030091632.pptxTrongMinhHoang1
 
Transforming cloud security into an advantage
Transforming cloud security into an advantageTransforming cloud security into an advantage
Transforming cloud security into an advantageMoshe Ferber
 
DSS.LV - Principles Of Data Protection - March2015 By Arturs Filatovs
DSS.LV - Principles Of Data Protection - March2015 By Arturs FilatovsDSS.LV - Principles Of Data Protection - March2015 By Arturs Filatovs
DSS.LV - Principles Of Data Protection - March2015 By Arturs FilatovsAndris Soroka
 
Securing your Cloud Deployment
Securing your Cloud DeploymentSecuring your Cloud Deployment
Securing your Cloud DeploymentHrusostomos Vicatos
 
Decision Matrix for IoT Product Development
Decision Matrix for IoT Product DevelopmentDecision Matrix for IoT Product Development
Decision Matrix for IoT Product DevelopmentAlexey Pyshkin
 
BATbern48_How Zero Trust can help your organisation keep safe.pdf
BATbern48_How Zero Trust can help your organisation keep safe.pdfBATbern48_How Zero Trust can help your organisation keep safe.pdf
BATbern48_How Zero Trust can help your organisation keep safe.pdfBATbern
 
Data Leakage Prevention
Data Leakage PreventionData Leakage Prevention
Data Leakage PreventionMicrosoft TechNet - Belgium and Luxembourg
 
Bringing the Cloud Back to Earth
Bringing the Cloud Back to EarthBringing the Cloud Back to Earth
Bringing the Cloud Back to EarthSri Chalasani
 
The most trusted, proven enterprise-class Cloud:Closer than you think
The most trusted, proven enterprise-class Cloud:Closer than you think The most trusted, proven enterprise-class Cloud:Closer than you think
The most trusted, proven enterprise-class Cloud:Closer than you think Uni Systems S.M.S.A.
 
Identity Management: Tools, processes & services
Identity Management: Tools, processes & servicesIdentity Management: Tools, processes & services
Identity Management: Tools, processes & servicesJISC Netskills
 
Radu crahmaliuc 23feb2012
Radu crahmaliuc 23feb2012Radu crahmaliuc 23feb2012
Radu crahmaliuc 23feb2012Agora Group
 
Observability in serverless solutions
Observability in serverless solutionsObservability in serverless solutions
Observability in serverless solutionsLeonardo Murillo
 
Architect’s Open-Source Guide for a Data Mesh Architecture
Architect’s Open-Source Guide for a Data Mesh ArchitectureArchitect’s Open-Source Guide for a Data Mesh Architecture
Architect’s Open-Source Guide for a Data Mesh ArchitectureDatabricks
 
Going Global with Itoc and AWS
Going Global with Itoc and AWS Going Global with Itoc and AWS
Going Global with Itoc and AWS Mark Promnitz
 
Software Defined Networking in the ATMOSPHERE project
Software Defined Networking in the ATMOSPHERE projectSoftware Defined Networking in the ATMOSPHERE project
Software Defined Networking in the ATMOSPHERE projectATMOSPHERE .
 
Connected development data
Connected development dataConnected development data
Connected development dataRob Worthington
 
2017 bio it world
2017 bio it world2017 bio it world
2017 bio it worldChris Dwan
 
Neo4j + Process Tempo present Plan Your Cloud Migration with Confidence
Neo4j + Process Tempo present Plan Your Cloud Migration with ConfidenceNeo4j + Process Tempo present Plan Your Cloud Migration with Confidence
Neo4j + Process Tempo present Plan Your Cloud Migration with ConfidenceNeo4j
 
Blackboard Learn Deployment: A Detailed Update of Managed Hosting and SaaS De...
Blackboard Learn Deployment: A Detailed Update of Managed Hosting and SaaS De...Blackboard Learn Deployment: A Detailed Update of Managed Hosting and SaaS De...
Blackboard Learn Deployment: A Detailed Update of Managed Hosting and SaaS De...Blackboard APAC
 
Managing Trustworthy Big-data Applications in the Cloud with the ATMOSPHERE P...
Managing Trustworthy Big-data Applications in the Cloud with the ATMOSPHERE P...Managing Trustworthy Big-data Applications in the Cloud with the ATMOSPHERE P...
Managing Trustworthy Big-data Applications in the Cloud with the ATMOSPHERE P...ATMOSPHERE .
 
Cloud security, Cloud security Access broker, CSAB's 4 pillar, deployment mode
Cloud security, Cloud security Access broker, CSAB's 4 pillar, deployment modeCloud security, Cloud security Access broker, CSAB's 4 pillar, deployment mode
Cloud security, Cloud security Access broker, CSAB's 4 pillar, deployment modeHimani Singh
 
Evaluating the Cloud
Evaluating the CloudEvaluating the Cloud
Evaluating the CloudSociusPartner
 
My Hashitalk Indonesia April 2024 Presentation
My Hashitalk Indonesia April 2024 PresentationMy Hashitalk Indonesia April 2024 Presentation
My Hashitalk Indonesia April 2024 PresentationRidwan Fadjar
 
Vertex AI Gemini Prompt Engineering Tips
Vertex AI Gemini Prompt Engineering TipsVertex AI Gemini Prompt Engineering Tips
Vertex AI Gemini Prompt Engineering TipsMiki Katsuragi
 

More Related Content

Similar to Identity and User Access Management.pptx

DSS.LV - Principles Of Data Protection - March2015 By Arturs Filatovs
DSS.LV - Principles Of Data Protection - March2015 By Arturs FilatovsDSS.LV - Principles Of Data Protection - March2015 By Arturs Filatovs
DSS.LV - Principles Of Data Protection - March2015 By Arturs FilatovsAndris Soroka
 
Decision Matrix for IoT Product Development
Decision Matrix for IoT Product DevelopmentDecision Matrix for IoT Product Development
Decision Matrix for IoT Product DevelopmentAlexey Pyshkin
 
BATbern48_How Zero Trust can help your organisation keep safe.pdf
BATbern48_How Zero Trust can help your organisation keep safe.pdfBATbern48_How Zero Trust can help your organisation keep safe.pdf
BATbern48_How Zero Trust can help your organisation keep safe.pdfBATbern
 
Bringing the Cloud Back to Earth
Bringing the Cloud Back to EarthBringing the Cloud Back to Earth
Bringing the Cloud Back to EarthSri Chalasani
 
The most trusted, proven enterprise-class Cloud:Closer than you think
The most trusted, proven enterprise-class Cloud:Closer than you think The most trusted, proven enterprise-class Cloud:Closer than you think
The most trusted, proven enterprise-class Cloud:Closer than you think Uni Systems S.M.S.A.
 
Identity Management: Tools, processes & services
Identity Management: Tools, processes & servicesIdentity Management: Tools, processes & services
Identity Management: Tools, processes & servicesJISC Netskills
 
Radu crahmaliuc 23feb2012
Radu crahmaliuc 23feb2012Radu crahmaliuc 23feb2012
Radu crahmaliuc 23feb2012Agora Group
 
Observability in serverless solutions
Observability in serverless solutionsObservability in serverless solutions
Observability in serverless solutionsLeonardo Murillo
 
Architect’s Open-Source Guide for a Data Mesh Architecture
Architect’s Open-Source Guide for a Data Mesh ArchitectureArchitect’s Open-Source Guide for a Data Mesh Architecture
Architect’s Open-Source Guide for a Data Mesh ArchitectureDatabricks
 
Going Global with Itoc and AWS
Going Global with Itoc and AWS Going Global with Itoc and AWS
Going Global with Itoc and AWS Mark Promnitz
 
Software Defined Networking in the ATMOSPHERE project
Software Defined Networking in the ATMOSPHERE projectSoftware Defined Networking in the ATMOSPHERE project
Software Defined Networking in the ATMOSPHERE projectATMOSPHERE .
 
Connected development data
Connected development dataConnected development data
Connected development dataRob Worthington
 
2017 bio it world
2017 bio it world2017 bio it world
2017 bio it worldChris Dwan
 
Neo4j + Process Tempo present Plan Your Cloud Migration with Confidence
Neo4j + Process Tempo present Plan Your Cloud Migration with ConfidenceNeo4j + Process Tempo present Plan Your Cloud Migration with Confidence
Neo4j + Process Tempo present Plan Your Cloud Migration with ConfidenceNeo4j
 
Blackboard Learn Deployment: A Detailed Update of Managed Hosting and SaaS De...
Blackboard Learn Deployment: A Detailed Update of Managed Hosting and SaaS De...Blackboard Learn Deployment: A Detailed Update of Managed Hosting and SaaS De...
Blackboard Learn Deployment: A Detailed Update of Managed Hosting and SaaS De...Blackboard APAC
 
Managing Trustworthy Big-data Applications in the Cloud with the ATMOSPHERE P...
Managing Trustworthy Big-data Applications in the Cloud with the ATMOSPHERE P...Managing Trustworthy Big-data Applications in the Cloud with the ATMOSPHERE P...
Managing Trustworthy Big-data Applications in the Cloud with the ATMOSPHERE P...ATMOSPHERE .
 
Cloud security, Cloud security Access broker, CSAB's 4 pillar, deployment mode
Cloud security, Cloud security Access broker, CSAB's 4 pillar, deployment modeCloud security, Cloud security Access broker, CSAB's 4 pillar, deployment mode
Cloud security, Cloud security Access broker, CSAB's 4 pillar, deployment modeHimani Singh
 
Evaluating the Cloud
Evaluating the CloudEvaluating the Cloud
Evaluating the CloudSociusPartner
 

Similar to Identity and User Access Management.pptx (20)

DSS.LV - Principles Of Data Protection - March2015 By Arturs Filatovs
DSS.LV - Principles Of Data Protection - March2015 By Arturs FilatovsDSS.LV - Principles Of Data Protection - March2015 By Arturs Filatovs
DSS.LV - Principles Of Data Protection - March2015 By Arturs Filatovs
 
Securing your Cloud Deployment
Securing your Cloud DeploymentSecuring your Cloud Deployment
Securing your Cloud Deployment
 
Decision Matrix for IoT Product Development
Decision Matrix for IoT Product DevelopmentDecision Matrix for IoT Product Development
Decision Matrix for IoT Product Development
 
BATbern48_How Zero Trust can help your organisation keep safe.pdf
BATbern48_How Zero Trust can help your organisation keep safe.pdfBATbern48_How Zero Trust can help your organisation keep safe.pdf
BATbern48_How Zero Trust can help your organisation keep safe.pdf
 
Data Leakage Prevention
Data Leakage PreventionData Leakage Prevention
Data Leakage Prevention
 
Bringing the Cloud Back to Earth
Bringing the Cloud Back to EarthBringing the Cloud Back to Earth
Bringing the Cloud Back to Earth
 
The most trusted, proven enterprise-class Cloud:Closer than you think
The most trusted, proven enterprise-class Cloud:Closer than you think The most trusted, proven enterprise-class Cloud:Closer than you think
The most trusted, proven enterprise-class Cloud:Closer than you think
 
Identity Management: Tools, processes & services
Identity Management: Tools, processes & servicesIdentity Management: Tools, processes & services
Identity Management: Tools, processes & services
 
Radu crahmaliuc 23feb2012
Radu crahmaliuc 23feb2012Radu crahmaliuc 23feb2012
Radu crahmaliuc 23feb2012
 
Observability in serverless solutions
Observability in serverless solutionsObservability in serverless solutions
Observability in serverless solutions
 
Architect’s Open-Source Guide for a Data Mesh Architecture
Architect’s Open-Source Guide for a Data Mesh ArchitectureArchitect’s Open-Source Guide for a Data Mesh Architecture
Architect’s Open-Source Guide for a Data Mesh Architecture
 
Going Global with Itoc and AWS
Going Global with Itoc and AWS Going Global with Itoc and AWS
Going Global with Itoc and AWS
 
Software Defined Networking in the ATMOSPHERE project
Software Defined Networking in the ATMOSPHERE projectSoftware Defined Networking in the ATMOSPHERE project
Software Defined Networking in the ATMOSPHERE project
 
Connected development data
Connected development dataConnected development data
Connected development data
 
2017 bio it world
2017 bio it world2017 bio it world
2017 bio it world
 
Neo4j + Process Tempo present Plan Your Cloud Migration with Confidence
Neo4j + Process Tempo present Plan Your Cloud Migration with ConfidenceNeo4j + Process Tempo present Plan Your Cloud Migration with Confidence
Neo4j + Process Tempo present Plan Your Cloud Migration with Confidence
 
Blackboard Learn Deployment: A Detailed Update of Managed Hosting and SaaS De...
Blackboard Learn Deployment: A Detailed Update of Managed Hosting and SaaS De...Blackboard Learn Deployment: A Detailed Update of Managed Hosting and SaaS De...
Blackboard Learn Deployment: A Detailed Update of Managed Hosting and SaaS De...
 
Managing Trustworthy Big-data Applications in the Cloud with the ATMOSPHERE P...
Managing Trustworthy Big-data Applications in the Cloud with the ATMOSPHERE P...Managing Trustworthy Big-data Applications in the Cloud with the ATMOSPHERE P...
Managing Trustworthy Big-data Applications in the Cloud with the ATMOSPHERE P...
 
Cloud security, Cloud security Access broker, CSAB's 4 pillar, deployment mode
Cloud security, Cloud security Access broker, CSAB's 4 pillar, deployment modeCloud security, Cloud security Access broker, CSAB's 4 pillar, deployment mode
Cloud security, Cloud security Access broker, CSAB's 4 pillar, deployment mode
 
Evaluating the Cloud
Evaluating the CloudEvaluating the Cloud
Evaluating the Cloud
 

Recently uploaded

My Hashitalk Indonesia April 2024 Presentation
My Hashitalk Indonesia April 2024 PresentationMy Hashitalk Indonesia April 2024 Presentation
My Hashitalk Indonesia April 2024 PresentationRidwan Fadjar
 
Vertex AI Gemini Prompt Engineering Tips
Vertex AI Gemini Prompt Engineering TipsVertex AI Gemini Prompt Engineering Tips
Vertex AI Gemini Prompt Engineering TipsMiki Katsuragi
 
AI as an Interface for Commercial Buildings
AI as an Interface for Commercial BuildingsAI as an Interface for Commercial Buildings
AI as an Interface for Commercial BuildingsMemoori
 
Training state-of-the-art general text embedding
Training state-of-the-art general text embeddingTraining state-of-the-art general text embedding
Training state-of-the-art general text embeddingZilliz
 
Human Factors of XR: Using Human Factors to Design XR Systems
Human Factors of XR: Using Human Factors to Design XR SystemsHuman Factors of XR: Using Human Factors to Design XR Systems
Human Factors of XR: Using Human Factors to Design XR SystemsMark Billinghurst
 
"Subclassing and Composition – A Pythonic Tour of Trade-Offs", Hynek Schlawack
"Subclassing and Composition – A Pythonic Tour of Trade-Offs", Hynek Schlawack"Subclassing and Composition – A Pythonic Tour of Trade-Offs", Hynek Schlawack
"Subclassing and Composition – A Pythonic Tour of Trade-Offs", Hynek SchlawackFwdays
 
Unleash Your Potential - Namagunga Girls Coding Club
Unleash Your Potential - Namagunga Girls Coding ClubUnleash Your Potential - Namagunga Girls Coding Club
Unleash Your Potential - Namagunga Girls Coding ClubKalema Edgar
 
Vector Databases 101 - An introduction to the world of Vector Databases
Vector Databases 101 - An introduction to the world of Vector DatabasesVector Databases 101 - An introduction to the world of Vector Databases
Vector Databases 101 - An introduction to the world of Vector DatabasesZilliz
 
Search Engine Optimization SEO PDF for 2024.pdf
Search Engine Optimization SEO PDF for 2024.pdfSearch Engine Optimization SEO PDF for 2024.pdf
Search Engine Optimization SEO PDF for 2024.pdfRankYa
 
Gen AI in Business - Global Trends Report 2024.pdf
Gen AI in Business - Global Trends Report 2024.pdfGen AI in Business - Global Trends Report 2024.pdf
Gen AI in Business - Global Trends Report 2024.pdfAddepto
 
My INSURER PTE LTD - Insurtech Innovation Award 2024
My INSURER PTE LTD - Insurtech Innovation Award 2024My INSURER PTE LTD - Insurtech Innovation Award 2024
My INSURER PTE LTD - Insurtech Innovation Award 2024The Digital Insurer
 
Leverage Zilliz Serverless - Up to 50X Saving for Your Vector Storage Cost
Leverage Zilliz Serverless - Up to 50X Saving for Your Vector Storage CostLeverage Zilliz Serverless - Up to 50X Saving for Your Vector Storage Cost
Leverage Zilliz Serverless - Up to 50X Saving for Your Vector Storage CostZilliz
 
SAP Build Work Zone - Overview L2-L3.pptx
SAP Build Work Zone - Overview L2-L3.pptxSAP Build Work Zone - Overview L2-L3.pptx
SAP Build Work Zone - Overview L2-L3.pptxNavinnSomaal
 
Powerpoint exploring the locations used in television show Time Clash
Powerpoint exploring the locations used in television show Time ClashPowerpoint exploring the locations used in television show Time Clash
Powerpoint exploring the locations used in television show Time Clashcharlottematthew16
 
Integration and Automation in Practice: CI/CD in Mule Integration and Automat...
Integration and Automation in Practice: CI/CD in Mule Integration and Automat...Integration and Automation in Practice: CI/CD in Mule Integration and Automat...
Integration and Automation in Practice: CI/CD in Mule Integration and Automat...Patryk Bandurski
 
Artificial intelligence in cctv survelliance.pptx
Artificial intelligence in cctv survelliance.pptxArtificial intelligence in cctv survelliance.pptx
Artificial intelligence in cctv survelliance.pptxhariprasad279825
 
Streamlining Python Development: A Guide to a Modern Project Setup
Streamlining Python Development: A Guide to a Modern Project SetupStreamlining Python Development: A Guide to a Modern Project Setup
Streamlining Python Development: A Guide to a Modern Project SetupFlorian Wilhelm
 
Advanced Test Driven-Development @ php[tek] 2024
Advanced Test Driven-Development @ php[tek] 2024Advanced Test Driven-Development @ php[tek] 2024
Advanced Test Driven-Development @ php[tek] 2024Scott Keck-Warren
 

Recently uploaded (20)

My Hashitalk Indonesia April 2024 Presentation
My Hashitalk Indonesia April 2024 PresentationMy Hashitalk Indonesia April 2024 Presentation
My Hashitalk Indonesia April 2024 Presentation
 
Vertex AI Gemini Prompt Engineering Tips
Vertex AI Gemini Prompt Engineering TipsVertex AI Gemini Prompt Engineering Tips
Vertex AI Gemini Prompt Engineering Tips
 
AI as an Interface for Commercial Buildings
AI as an Interface for Commercial BuildingsAI as an Interface for Commercial Buildings
AI as an Interface for Commercial Buildings
 
Training state-of-the-art general text embedding
Training state-of-the-art general text embeddingTraining state-of-the-art general text embedding
Training state-of-the-art general text embedding
 
Human Factors of XR: Using Human Factors to Design XR Systems
Human Factors of XR: Using Human Factors to Design XR SystemsHuman Factors of XR: Using Human Factors to Design XR Systems
Human Factors of XR: Using Human Factors to Design XR Systems
 
"Subclassing and Composition – A Pythonic Tour of Trade-Offs", Hynek Schlawack
"Subclassing and Composition – A Pythonic Tour of Trade-Offs", Hynek Schlawack"Subclassing and Composition – A Pythonic Tour of Trade-Offs", Hynek Schlawack
"Subclassing and Composition – A Pythonic Tour of Trade-Offs", Hynek Schlawack
 
Unleash Your Potential - Namagunga Girls Coding Club
Unleash Your Potential - Namagunga Girls Coding ClubUnleash Your Potential - Namagunga Girls Coding Club
Unleash Your Potential - Namagunga Girls Coding Club
 
Vector Databases 101 - An introduction to the world of Vector Databases
Vector Databases 101 - An introduction to the world of Vector DatabasesVector Databases 101 - An introduction to the world of Vector Databases
Vector Databases 101 - An introduction to the world of Vector Databases
 
Search Engine Optimization SEO PDF for 2024.pdf
Search Engine Optimization SEO PDF for 2024.pdfSearch Engine Optimization SEO PDF for 2024.pdf
Search Engine Optimization SEO PDF for 2024.pdf
 
Gen AI in Business - Global Trends Report 2024.pdf
Gen AI in Business - Global Trends Report 2024.pdfGen AI in Business - Global Trends Report 2024.pdf
Gen AI in Business - Global Trends Report 2024.pdf
 
My INSURER PTE LTD - Insurtech Innovation Award 2024
My INSURER PTE LTD - Insurtech Innovation Award 2024My INSURER PTE LTD - Insurtech Innovation Award 2024
My INSURER PTE LTD - Insurtech Innovation Award 2024
 
Leverage Zilliz Serverless - Up to 50X Saving for Your Vector Storage Cost
Leverage Zilliz Serverless - Up to 50X Saving for Your Vector Storage CostLeverage Zilliz Serverless - Up to 50X Saving for Your Vector Storage Cost
Leverage Zilliz Serverless - Up to 50X Saving for Your Vector Storage Cost
 
SAP Build Work Zone - Overview L2-L3.pptx
SAP Build Work Zone - Overview L2-L3.pptxSAP Build Work Zone - Overview L2-L3.pptx
SAP Build Work Zone - Overview L2-L3.pptx
 
DMCC Future of Trade Web3 - Special Edition
DMCC Future of Trade Web3 - Special EditionDMCC Future of Trade Web3 - Special Edition
DMCC Future of Trade Web3 - Special Edition
 
Powerpoint exploring the locations used in television show Time Clash
Powerpoint exploring the locations used in television show Time ClashPowerpoint exploring the locations used in television show Time Clash
Powerpoint exploring the locations used in television show Time Clash
 
E-Vehicle_Hacking_by_Parul Sharma_null_owasp.pptx
E-Vehicle_Hacking_by_Parul Sharma_null_owasp.pptxE-Vehicle_Hacking_by_Parul Sharma_null_owasp.pptx
E-Vehicle_Hacking_by_Parul Sharma_null_owasp.pptx
 
Integration and Automation in Practice: CI/CD in Mule Integration and Automat...
Integration and Automation in Practice: CI/CD in Mule Integration and Automat...Integration and Automation in Practice: CI/CD in Mule Integration and Automat...
Integration and Automation in Practice: CI/CD in Mule Integration and Automat...
 
Artificial intelligence in cctv survelliance.pptx
Artificial intelligence in cctv survelliance.pptxArtificial intelligence in cctv survelliance.pptx
Artificial intelligence in cctv survelliance.pptx
 
Streamlining Python Development: A Guide to a Modern Project Setup
Streamlining Python Development: A Guide to a Modern Project SetupStreamlining Python Development: A Guide to a Modern Project Setup
Streamlining Python Development: A Guide to a Modern Project Setup
 
Advanced Test Driven-Development @ php[tek] 2024
Advanced Test Driven-Development @ php[tek] 2024Advanced Test Driven-Development @ php[tek] 2024
Advanced Test Driven-Development @ php[tek] 2024
 

Identity and User Access Management.pptx

  • 1. Identity and Access Management
  • 2. Agenda 2 Campus Identity to Federated Identity 1 Campus Identity 3 Federated Identity 4 Identity and Business Models • Welcome and Introductions • Eduroam and Identity services • Introduction to Identity on Campus • Identity and the Campus network • Identity and Cloud Services • Defining users • Introduction to identity Federations • Identity and access management for researchers • Identity Federations for Service Providers • Value Proposition and Business Models • Risk Management and Identity • Discussions
  • 3. Session 1: Campus Identity • Welcome and Introductions • Eduroam and Identity services • Introduction to Identity on Campus • Identity and the Campus network
  • 4. Welcome and Introductions Terry Smith  Technical engagement and support manager  Chair of the APAN Identity and Access Task Force Heather Flanagan Nicol Harris
  • 5. Introduce yourselves Please introduce yourself …  Name  Country of origin  Organisation / Affiliation you represent  Level of IAM  Within your organisations  Across your country
  • 8.
  • 9. eduroam and Identity Services In this video, we will discuss eduroam and how it fits in an identity management service portfolio.
  • 10. Where can you use eduroam?
  • 11. eduroam tools Configuration Assistant Tool (CAT) Local eduroam administrators enter their eduroam configuration details and based on them, eduroam CAT builds customised installers for a number of popular platforms.  The installer built specific to each organisation  Your organisation MUST be able to login to CAT!  Login if via edugain  Technical Resources available…  https://www.eduroam.org/configuration-assistant-tool-cat/
  • 12. Introduction to Identity on Campus In this video, we’re going to talk about the technology and governance that needs to be in place for a campus identity system. With this as a baseline, a campus will be in a solid position for supporting single-sign-on, and from there, to supporting federated identity.
  • 13. Design Goals for Identity and R&E The dream - providing users with a single login that grants access to any resource, irrespective of device or physical location. When designing for Identity Management (IdM) start with your desired end goals and then work backwards. • Single Sign On (SSO) • Role-based access to network resources • Support for traveling scholars (think “eduroam”) • Tools for collaboration • Shared access to remote instruments • Your wish list goes here
  • 14. Why Focus on Campus Networks? • Individual institutions are the authoritative source for domain data • The campus network is the foundation for research and education activities • The best path to network capacity, equipment and personnel • No researcher is connected directly to a national R&E network • They are all connected to campus or enterprise networks for access
  • 15. Benefits for Campus Network Operators When staff and money are in short supply, any new effort must add value to entire campus plan. IdM can provide: • better utilization data • better security • better management for restricted resources These things come at a cost as there are new services and software to manage and someone will have to maintain data integrity on an on-going basis. The value goes beyond IdM.
  • 16. We Already Understand the Model A good network design is modular and hierarchical, with a clear separation of functions: core, distribution, and access. Good campus networks will leverage:  Domain-based span of control  Layered services built around your core  Scalable, interoperable, standards-based technical choices The Identity Management model is much the same
  • 17. Identity Management Services Capabilities  Centered on the User Identifier (NetID) - A single unique University wide identifier bound to the individual user and used at log-in to provision:  Authentication  Quickly verify user identities (Who you are)  Authorization  Control users access (What you can access)  Administration  Manage user privileges by role, group, status, etc.  Allows for fine-grained policy application
  • 18. One Way to Think About It - Interdomain Routing • IGP/iBGP • ASN • eBGP Identity management • Campus IdM • Federation • Inter-Federation  If you are a network engineer you all ready deal with local policy and global transit as part of your day job.  You would not allow an unmanaged device on your network – why allow an unmanaged end user?
  • 19. The Late Mover Advantage  In the last ten years R&E networks have seen a lot of progress in Identity Management. • Common Standards • Common Software • With Open Source options! • Common Profiles • Common Practices and Policies  New entrants benefit from the lessons already learned
  • 20. Case Examples  As you dig into the details of Identity Management you may be interested in specific examples of both campus and NREN deployments. There are many successful cases to choose from but these two have excellent documentation with robust links to resources. • NREN: Canadian Access Federation (CAF) – CANARIE • http://canarie.ca/identity/caf/ • Also includes links to a packaged solution using common tools  https://github.com/canariecaf • Campus: Rutgers, The State University of New Jersey • https://idms.rutgers.edu/
  • 21. Communities of Practice  The R&E community has several well developed forums for Identity practitioners which are open to new participants. These forums include training resources, special advanced topic working groups, and documentation on current best practices. The sites provide both technical and policy guidance. • REFEDS (Research and Education FEDerations group) • EU-based group https://refeds.org/ • InCommon(operated by Internet2 Staff) • US/Internet2 Based group https://www.incommon.org/ • eduroam (education roaming) • secure, world-wide roaming access service • https://www.eduroam.org/ • eduGAIN (operated by GÉANT) • interconnects identity federations around the world • http://www.eduGAIN.org/
  • 22. The Tool Box There are many ways to put together Authentication and Authorization services and lots of options for centralized data management. There are also good open source tools for identity federation management. These tools rely on your underlying network and wireless infrastructure and can be customized to match your campus plan. Two commonly used examples: • Shibboleth: Federated Services (IdP/SP) • https://shibboleth.net/ • CAS (central authentication service for SSO) • http://www.ja-sig.org/products/cas/overview/index.html
  • 23. Building Identity Block by Block  Elements of IdM • unique identifier • directory • authentication • password store • authorization • federation • identity provider • service provider • directory service Deployment Examples • netid • ldap • cas • kerberos • mysql • shibboleth Note that all of the examples require customization based on your local policy
  • 24. Getting Started Create a campus inventory that includes: • Your existing data sources • Your current authentication sites and methods • Your current authorization polices and methods • Your existing software and services • A survey of your users to gather requirements for both internal and external identity based access • Your institutional policies on user data • Including privacy, security, and acceptable use
  • 25. The TIER Project Community Approach to Consistent Identity Management TIER is a community-driven effort, coordinated by Internet2, to develop a consistent approach to identity and access management (IAM) that simplifies campus processes and advances inter-institutional collaboration and research. TIER is both an open-source toolset and a campus practice set focused on:  sustaining the community software investment  integrating the software and project teams together  extending the software and practices to support common contributed use cases.
  • 26. Technology on Campus (with many thanks to Chris Phillips and Tom Barton, “Demystifying Privilege and Access Management” IAM Online session in August 2012)
  • 27. Campus Identity Systems evolution Campus IAM  Identities  Registries of who/what, identifiers, attributes, systems integration  Credentials & authentication  Internal, external  Linked to Identity  Access management  Roles, rules, entitlement, affiliation, groups, privileges, policy, authority, delegation, etc.
  • 28. Factors to Consider in IAM Platforms Variable distance from the data  Local - Systems of Record, home grown, commercial  Internally, apps enjoy tightly coupled access to fresh data  Usually ‘behind the wall’  Federated – apps aware of more than local & remote systems of record  accept other identities underpinned by a trust decision  Foot in both worlds at times -- inside & outside the wall.  Data ‘distance’ further out  Upon sign-in of user, or provisioning task  Cloud (aka SaaS, PaaS) - apps abstracted away lower level details, could be furthest away from your fresh data  Similar challenges as federated  SLAs may or may not be under your control  Outside the wall  Deployment profile & app sophistication guide data management
  • 29. Factors: Design and Intent  Different design patterns  Rigid data structures vs. elastic ones  Sometimes flexibility to a fault – not prescriptive enough  Philosophical design differences  Intentionally designed to support externalized AuthN/Z vs. bolt on  Implementer intentions  Walled garden product may cause challenges  Effort to keep current  Balance between get it done now vs. perfect design
  • 30. Factors: Governance and Process  Governance  Clarity around:  Who says who says  Authorization model:  Centralized or distributed?  Application or data centric?  Process and Practices  Are change control practices in place & recognize the implications of local, federated, and cloud use styles?  System Of Record steward may not realize:  Dependencies on their data and change turnaround  How far flung systems of record data may be
  • 31. The Evolution of Access Management
  • 32. Identity and the Campus Network In this video segment, we will discuss the critical role campus networks play in supporting trusted identities in the Research and Education space. We will consider what the best sources are for user data, who should maintain those sources and how, and how to work with trusted partners on and off campus for additional data exchange.
  • 33.
  • 34. Session 2: Campus Identity to Federated Identity • Identity and Cloud Services • Defining users • Introduction to identity Federations
  • 35. In this video segment, we will look at the concept of cloud services and what those services mean for identity and access management, from both the campus and the vendor perspectives. We will cover some best practices in this space, as well as practices to avoid as two parties enter into a cloud services agreement.  Campus Identity05-Identity and the Campus Network.wmv
  • 36. Cloud Services – Easy?  Not generally – can be complicated and time consuming  Provisioning individually per service is difficult on both the user and the campus  Using a shared account let’s the service provider pick their favorite number around licensing  Think about control over provisioning, de- provisioning, and support for the privacy requirements the campus has to follow
  • 37. Handling Authentication DON'T assume successful authentication means the user is authorized for service. • Campus: CONSIDER stronger authentication (e.g., multi-factor) over password strengthening (increasing length, complexity requirements) • Vendor: DO let the identity provider handle authentication • Vendor: DO rely on browser- based authentication for non- browser applications. • Vendor: DON’T use service- specific passwords unless there are no alternatives. • Vendor: DO use forced re- authentication when appropriate.
  • 38. Identifiers  Both Campus and Vendor: DO support a varied set of identifiers.  Both Campus and Vendor: CONSIDER the use of eduPersonTargetedID where appropriate.  Both Campus and Vendor: DO use standard definitions of identifiers and attributes.  Both Campus and Vendor: DON'T mistake eduPersonPrincipalName for a valid email address.  Campus: DO standardize internally on a stable "serial number" for users.  Campus: DO make eduPersonPrincipalName useful.
  • 39. Provisioning and De-provisioning • Campus: DO expect the typical vendor to have a single, set model for creating user accounts on their systems. • Campus: DO practice "defensive programming" when setting up provisioning services. • Campus: DON'T require out-of- band acceptance of Terms of Use. • Campus: DON'T expect robust de-provisioning support. • Campus: DO handle username changes. • Vendor: DO support just-in-time provisioning based on user attributes passed in SAML assertions whenever possible. • Vendor: DO consider standardizing your provisioning (and de-provisioning) APIs. • Vendor: DO manage your provisioning API in a way that respects the service subscriber interests.
  • 40. Defining users Does your definition and expectations of a student match that of the service provider? Do you have a shared understanding of staff, and does this include contractors or visiting professors? It is important to have a basic shared understanding of how you group and classify your users when you starting looking at offering services via federated identity management.  Campus Identity06-Defining Users.mp4
  • 41. Attributes Attributes make the federation  Defining a CORE set of attributes will improve the uptake of the federations, particularly service providers.  Removes the need for SPs to negotiate with each IdP  Easier integration for eduGAIN  Research and Scholarly entity category
  • 42. Which attributes? User Identifiers  eduPersontargetedID  eduPersonPrincipalName  UID  ORCID  auEduPersonSharedToken  eduPersonUniqueID Personalisation  Display Name  GivenName  Surname  Title  eMail Group membership  eduPersonPrincialName  eduPersonEntitlement  Group Member Organisational  Organisation Name  Organisation domain name  Organisation GRID  Organisation ISNI
  • 43. Issues with attribute release  Date protection and privacy  Most governments will a have privacy act that may restrict what and how user’s personal attributes are managed  Cultural  The Organisational culture  People  Security  Your organisations security teams may have a perspective on attribute release which may be influenced by historic events.
  • 44. Attribute discussion What attributes would your organisations be willing to release? What attributes would be difficult to release? How could you require attribute release?
  • 45. Federations with attributes  Defined CORE and Optional attributes  CORE Attributes are listed in the federation rules  Service providers MUST declare which attributes they want and why they want them!  SP Attribute requirements defined in metadata  Simplified Service provider integration  Easier to introduce new attributes
  • 46. Federations without attributes  Services providers must negotiate attribute release with every Identity provider – doesn't scale well  Define Attribute categories to help  Research and Scholarly  Always a talking point at REFEDs
  • 47. Attribute Authorities Attribute authorities are a special case of an Identity provider  Provide additional attributes that are outside the organisational domain  Entitlements  Federation wide group membership  Can be operated by federation, a service provider or community
  • 48. Introduction to Identity Federations In this video, we will look at what an Identity Federation is, what benefits engaging with an Identity federation can bring to your campus and how you can join an Identity Federation to achieve these benefits. In the examples given, we are mostly talking about SAML identity federations, but the principles of federation are similar with other technologies such as OpenID Connect or RADIUS access via eduroam.  Federated Identity01-Introduction to Identity Federations.mp4
  • 49. Federation aims and goals What will be the initial aims and goals of your national federation?  Simplify access to publisher content  Support research activities  Access global resources in eduGAIN  Improve collaboration between organisations  Reduce work load and support costs for your members  Improve access for users  Providing specific shared services (e.g. Library system)
  • 50. Building Blocks of Federation Attributes Identity Provider / Service Provider Discovery Federation Tools Metadata Policy
  • 51. Identity Providers Organisations with users run Identity Providers  Provide a login page  Provides a mechanism for consent of attribute release  Login page is branded to the organisation  Login against the organisation LDAP or AD  Manages password reset  Provisions and de-provisions accounts  Agrees to the federation policies
  • 52. Service Providers Run by organisations that have something to offer the federation community  Hands off authentication to IdPs  Obtains attributes from IdPs  Agrees to the federation policies
  • 53. Discovery A mechanism they allows the user to select their organisation where they will login. Discovery can occur at either  The federation  All IdPs will be listed  User can select to have their IdP always selected  Federation look and feel  By the service  SP can list a sub-set of IdPs  Look and feel is that of the SP  Users quickly understand the extra step in authentication
  • 54. Some live examples Login using the federation discovery service The AAF Attribute Validator Using a service provided discovery service AARNET’s Cloudstor
  • 55. Metadata The Metadata is a technical document that contains technical details of all IdPs and SPs in the federation.  Cryptographically signed by the federation operator  Policy and Processes determine which IdPs and SPs are published in the metadata  All IdPs and SPs regularly consume the metadata  Provides the trust in the federation! Example Federation metadata
  • 56. Federation tools  Registry  Manages IdP and SP technical details  Approval workflow  Discovery Service  Virtual Home – Home for the homeless  Metadata generation  Testing tools  Monitoring tools  Reporting tools The AAF Federation tools
  • 57.
  • 58. Session 3: Federated Identity • Identity and access management for researchers • Identity Federations for Service Providers
  • 59. Identity and Access Management for Researchers In this video segment, we’ll look at what the research community requires from identity services, how identity federations can enable research, and specific use cases to demonstrate the need and value of identity services to the research community.  Federated Identity02-Identity and Access Management for Researchers.mp4
  • 60. Virtual Organization and Research Groups • The “Buried Scholar” problem • Improve the reputation of both the campus and the researcher by having a campus-branded identity • Some regions start with having a regionally branded identity, pooling the resources to focus on SSO first, and site-specific support later • More efficiently allocate resources by having federated identity as a campus or NREN-based service, rather than having individual research departments build this on their own • Global science and research opportunities • Scientists can more easily participate in global collaboration when the collaborations do not have to set up individual accounts
  • 61. Research on Researcher Needs • Original FIM4R paper in 2012 described a set of recommendations to the research communities, technology providers, and funding agencies • The core use cases came from large research organizations with funding https://cdsweb.cern.ch/record/1442597 • The “Advancing Technologies and Federated Communities”, also in 2012, described a set of recommendations around technology, policy, funding, and legal issues. • A more generalized approach than the FIM paper, but the recommendations are largely the same https://www.terena.org/publications/files/2012-AAA-Study-report-final.pdf
  • 62. FIM4R Findings Summarized • Federated technologies are good. Take advantage of them. • The infrastructure needs to be improved to take advantage of federated technologies. Do it. • Relying on the older models of local account creation and IP-based ACLs is easier. This is a very limited view. Stop it. • If you can’t fix it all yourself (and you can’t), facilitate the efforts of groups that can. Build relationships, target your spending or funding to make the biggest impact.
  • 63. Collaboration Tools for science • Document Management • Storage and retrieval • Version Control • Search • Categorize • Information Management • Calendar • Contacts • Blogs • Discussions • Wikis • Collaboration • Access Controls • project workspaces • Task lists • workflows • data sharing • project discussions
  • 64. Traditional approach to collaboration tools Cloud Google Docs Institutional infrastructure SharePoint @ NIH Collaboration Identity (username/password) cwhalen1234@gmail.com collaborator1234@gmail.com Institutional Identity (username/password) christopher.whalen@nih.gov collaborator1234@university.ed.uk christopher.whalen@nih.gov collaborator1234@nihext.nih.gov christopher.whalen@nih.gov collaborator1234@university.ed.uk
  • 65. Virtual organization/federation approach to collaboration tools Cloud with VO Collaboration Tool Institutional infrastructure SharePoint @ NIH using the VO christopher.whalen@nih.gov collaborator1234@university.ed.uk collaborator1234@university.ed.uk Collaboration Identity (username/password) Institutional Identity (username/password) christopher.whalen@nih.gov christopher.whalen@nih.gov collaborator1234@university.ed.uk christopher.whalen@nih.gov collaborator1234@university.ed.uk
  • 66. Scientific Tools for researchers Translational Science has experienced an explosion of data Challenges of sharing databases High Performance Computing resources Sequencing Analysis Data Management tools for clinical trials and studies Specimen, compound, databases Support Validation and auditing
  • 67. Why Federated Identity? Why not Google, Facebook, Yahoo!, Twitter..? Interfederation Research Participants (eduGAIN via InCommon, Canarie, etc.) are responsible for investigating and compliance with international privacy law of the countries where research occurs or research subjects reside - Susan Blair, Chief Privacy Officer, University of Florida, Internet2 Global Summit 2015 • Google Policy: “Information we collect when you are signed into Google, in addition to information we obtain about you from partners, may be associated with your Google Account. When information is associated with your Google Account, we treat it as personal information.”
  • 68. ORCID Vision ORCID’s vision is a world where all who participate in research, scholarship, and innovation are uniquely identified and connected to their contributions across disciplines, borders, and time. Mission ORCID provides an identifier for individuals to use with their name as they engage in research, scholarship, and innovation activities. We provide open tools that enable transparent and trustworthy connections between researchers, their contributions, and affiliations. We provide this service to help people find information and to simplify reporting and analysis.
  • 69. What is ORCID? ORCID is a nonprofit helping create a world in which all who participate in research, scholarship and innovation are uniquely identified and connected to their contributions and affiliations, across disciplines, borders, and time.  https://orcid.org/
  • 70. ORCID’s integration and engagement program ORCID’s mantra is “enter once, re-use often” and, to achieve this in a reliable, trustworthy, and transparent way, it’s essential that organizations play their part by creating validated assertions about the connections between them and their researchers.
  • 71. ORCID and Federations  ORCID Provide an Institution login option via eduGAIN  The researcher's ORCID is for life, it is independent of the organisation the user belongs too  The researcher’s ORCID can be held in the eduPerson attribute eduPersonORCID  The eduPersonORCID can be consumed by federation services  Being built into new service such as the Australian Data Life Cycle project.
  • 72. Identity Federation for Service Providers In this video series, we have mostly focused on the benefits that identity federation can bring to the campus. For this segment, we will briefly look at the benefits that Service Providers can realise when engaging with federations.  Federated Identity03-Identity Federation for Service Providers.mp4
  • 73. Benefits Verified Affiliation  Unique, verified information about user states  Accurate and up-to-date information  Basic grouping information for students, staff, employees and alumni  Automated verification of status
  • 74. Benefits Reduced Overhead  Reduced overhead for user support  No need to support per service username and password  Easier for users to manage smaller number of credentials  User support managed by the campus +  Reduced integration effort (do once, reuse many)
  • 75. Benefits Increase Customer Base  Opportunity of global research and education federations  Benefits of inter-federation via eduGAIN  Opt-in to have your data shared with other federations via eduGAIN  Service available in multiple nation federations across the globe +  Able to address RFOs that require federated authentication
  • 76. Benefits Improved Security  Managing personal data brings risks and responsibilities  Reduced Attack surface  Risk of fines for mismanagement of data  Minimising personal data held locally helps manage these risks  Greater attention can be paid to securing connection to campus.
  • 77.
  • 78. Identity and Business Models • Value Proposition and Business Models • Risk Management and Identity • Discussions
  • 79. Value Proposition and Business Models In this video, we will look at the value proposition that underlies federated identity services, and discuss what may be useful in a business model to plan for ongoing support of the necessary infrastructure. Identity services are not without financial cost, but there are solid arguments to be made for funding and support on your campus.  Identity and Business Models01-Value Proposition and Business Models.mp4
  • 80. Business Context for Identity Federation Identity is highly strategic to some commercial providers, who are trying to control the space. An anchor service such as a social network or email service often makes these providers attractive to users. Services are also moving onto Cloud platforms that feature easy integration with the operator’s AAI. This is leading to the adoption of non-interoperable AAI. Trust is becoming a significant issue. While the network creates many positive opportunities it also introduces risks, particularly with the growth of Cloud. Users (or their organisations) do not trust some of these entities, and some actors are even considered hostile. In an increasingly constrained budgetary environment, funders are consolidating funding on horizontal activities such as eID. Positioning and communicating our T&I work is more critical than ever; the NRENs must articulate how we add value, given these other activities.
  • 81. Building a Business Model  Learn about the technology required (in this case, the tools and platforms around identity and access management)  Understand and develop the policies required (including federation policies, organizational policies, and security policies)  Develop a business model regarding the operations of the federation (often the service will need to be self-sustaining; grant funds help but cannot be a long-term solution)  Create a Service Delivery system to support the use of the service (for example, web content and a knowledge base for help desk support, training, communication and outreach, and marketing)
  • 82. The Value Proposition for Identity Federations  https://wiki.refeds.org/x/MoA4  Authors: Chris Phillips (CANARIE), Lucy Lynch (NSRC), Nicole Harris (REFEDS/GÉANT), Heath Marks (AAF)  Editor: Heather Flanagan (REFEDS/Spherical Cow Group)  Contributors: Ann Harding (SWITCH), Klaas Wierenga (Cisco)
  • 83. What is the Value?  Collaboration Opportunities  Reputation and Branding  Network Security  Budget and Business
  • 84. How to Make Federated Identity Work  Identify the business model  Make the case  Track metrics  Report on the value received  Aim for early sustainability
  • 85. Risk Management and Identity This video will look at one of the most common areas of difficulty for campuses when using identity federations – effective and safe attribute release. We will cover how to understand the risks associated with releasing personal data, how to define legitimate reasons and processes for safely releasing data and how to justify data release within a federated environment.  Identity and Business Models02-Risk Management and Identity.mp4
  • 86. Discussion on Risk How will you approach Attribute Release in your nation?
  • 87. With thanks… “the voice that articulates the mutual needs of research and education identity federations worldwide” https://www.refeds.org
  • 89. General Discussion Time for any final questions and general discussion…
  • 90. Thanks Thank you for attending See you at the APAN Identity and Access Manager working party meeting on Wednesday