SlideShare a Scribd company logo

Real World Identity Managment

John Lewis
John Lewis

Today's IT industry is awash with offerings in the identity management space. In this session the presenter will explore real, tactical things we can do now to start solving the identity management issues in our enterprises and take a look at current efforts in the higher education community. We will consider technologies, key standards, as well as the policy and procedure issues we must address, regardless of technology, to achieve proper governance over our enterprise identities.

TechnologyBusiness
1 of 28
Download to read offline
Real-World Identity Management Solutions John A. Lewis Chief Software Architect Unicon, Inc. 28 July 2009 Campus Technology Boston, Massachusetts © Copyright Unicon, Inc., 2009. Some rights reserved. This work is licensed under a Creative Commons Attribution-Noncommercial- Share Alike 3.0 United States License. To view a copy of this license, visit: http://creativecommons.org/licenses/by-nc-sa/3.0/us/
Why Makes Identity Important? ● Connects – Users – Applications ● Lots of other things – security, privacy, spam, – secrecy, trust, authority, – collaboration, convenience, – ... 2
What Is Identity Management? “A set of processes, and a supporting infrastructure, for the creation, maintenance, and use of digital identities.” – Burton Group ● Account creation, directories, authentication, authorization access controls, ... ● Includes policy, process, governance, trust ● Need new ways of thinking about controlling access to IT services 3
Identity Management Lifecycle ● Provisioning – Initial Account creation – When to establish a persistent identity? ● Account updates – Self-service? For which attributes? – Central administrative changes ● Role maintenance – Adding, changing, removing roles ● Suspending / Removing / Restoring – When to do this? How long to retain it? 4
5
● EDUCAUSE Top 10 IT Issues ● 2003 #3 Security & Identity Management ● 2004 #3 Security & Identity Management ● 2005 #2 Security & Identity Management ● 2006 #1 Security & Identity Management ● 2007 #4 Identity / Access Management (Security at #2) ● 2008 #5 Identity / Access Management (Security at #1) 6
Challenge & Goal ● Challenge: Fragmented Identity Landscape – Many systems of records – Many applications – Many passwords – Many overlapping roles ● Goal: Ease-Of-Use for Students/Faculty/Staff – Enable seamless access to resources – Enforce security and privacy – Create a sense of a unified Enterprise 7
Evolution of User Identity ● Application Silos – Each with their own logins and passwords ● Common Directories / Databases – Central store for person information ● Single Sign-On – Central login system for multiple applications ● Federated Identity – Trusted identity information from others 8
Emerging Best Practices ● Automate Provisioning across systems ● Separate Authentication and Authorization ● Use Roles for Access Control & Dynamic Rules ● Provide Delegated Administration ● Multiple Authoritative Sources for Attributes ● Allow Account Names to change 9
Federated Identities 10
Developing a Coherent Cyberinfrastructure from Local Campus to National Facilities: Challenges and Strategies A Workshop Report and Recommendations EDUCAUSE Campus Cyberinfrastructure Working Group and Coalition for Academic Scientific Computation February 2009 Short Link: http://bit.ly/jsTvH 11
Strategic Recommendation 2.3.1 “Agencies, campuses, and national and state organizations should adopt a single, open, standards-based system for identity management, authentication, and authorization, thus improving the usability and interoperability of CI resources throughout the nation.” 12
Tactical Recommendation 2.3.1a The global federated system for identity management, authentication, and authorization that is supported by the InCommon Federation should be adopted with an initial focus on major research universities and colleges. After an initial deployment in research-oriented functions involving research universities, such an identity management strategy for CI should be implemented generally within funding agencies and other educational institutions. 13
Why Federated Identity? ● Authoritative information – Users, privileges, attributes ● Improved security – Fewer user accounts in the world ● Privacy when needed – Fine control over attribute sharing ● Saves time & money – Less work administrating users 14
What Is SAML? ● Security Assertion Markup Language (SAML) ● XML-based Open Standard ● Exchange authentication and authorization data between security domains – Identity Provider (a producer of assertions) – Service Provider (a consumer of assertions) ● Approved by OASIS Security Services – SAML 1.0 November 2002 – SAML 2.0 March 2005 15
Major SAML Applications ● Proquest ● Microsoft DreamSpark ● Project MUSE ● Moodle, Joomla, Drupal ● Thomson Gale ● JSTOR, ArtSTOR, OCLC ● Elsevier ScienceDirect ● Blackboard & WebCT ● Google Apps ● WebAssign & TurnItIn ● ExLibris MetaLib ● MediaWiki / Confluence ● Sakai & Moodle ● National Institutes of Health ● uPortal ● National Digital Science ● DSpace, Fedora Library ● Ovid 16
How Federated Identity Works ● A user tries to access a protected application ● The user tells the application where it’s from ● The user logs in at home ● Home tells the application about the user ● The user is rejected or accepted 17
1. I'd like access 2. Where are you from? 3. Please login at home 4. I'd like to login for SP Identity 5. Login Service User Provider Provider 6. Here is data about you for the SP – send it 7. Here is the data from my IdP 8. Access Granted / Access Denied User Application / Directory Database 18
JISC Video on Federated Identity ● Great YouTube video that introduces Federated Identity & Access Management concepts Short Link: http://bit.ly/YhqkD 19
Shibboleth 20
Shibboleth ● Enterprise federated identity software – Based on standards (principally SAML) – Extensive architectural work to integrate with existing systems – Designed for deployment by communities ● Most widely used in education, government ● Broadly adopted in Europe ● 2.0 release implements SAML 2 – Backward compatible with 1.3 21
Shibboleth Project ● Free & Open Source – Apache 2.0 license ● Enterprise and Federation oriented ● Started 2000 with first released code in 2003 ● Excellent community support – http://shibboleth.internet2.edu – shibboleth-announce@internet2.edu 22
Join the Federation! 23
24
Role of a Federation ● Agreed upon Attribute Definitions – Group, Role, Unique Identifier, Courses, … ● Criteria for IdM & IdP practices – user accounts, credentialing, personal information stewardship, interoperability standards, technologies, ... ● Digital Certificates ● Trusted “notary” for all members ● Not needed for Federated IdM, but does make things even easier 25
InCommon Federation ● Federation for U.S. Higher Education & Research (and Partners) ● Over Three Million Users ● 163 Organizations ● Self-organizing & Heterogeneous ● Policy Entrance bar intentionally set low ● Doesn’t impose lots of rules and standards ● http://www.incommonfederation.org/ 26
Other Emerging Projects / Standards ● Grouper grouper.internet2.edu – Access Management via sophisticated group structures, protocols ● Comanage middleware.internet2.edu/co – Collaborative Organization Management Platform with wide variety of “domesticated” applications ● XACML - eXtensible Access Control Markup Language – declarative access control policy language and a processing model for interpret the policies ● SPML - Service Provisioning Markup Language – framework for exchanging user, resource, and service provisioning information between organizations 27
Questions & Answers John A. Lewis Chief Software Architect Unicon, Inc. jlewis@unicon.net www.unicon.net 28

Recommended

Hope x talk
Hope x talkHope x talk
Hope x talkKaliya "Identity Woman" Young
 
Comparing SOAs for the Internet of Things
Comparing SOAs for the Internet of ThingsComparing SOAs for the Internet of Things
Comparing SOAs for the Internet of ThingsDominique Guinard
 
Government Citizen ID using Java Card Platform
Government Citizen ID using Java Card PlatformGovernment Citizen ID using Java Card Platform
Government Citizen ID using Java Card PlatformRamesh Nagappan
 
Identity Managment
Identity ManagmentIdentity Managment
Identity ManagmentAlanoud Alqoufi
 
Identity and Access Management from Microsoft and Razor Technology
Identity and Access Management from Microsoft and Razor TechnologyIdentity and Access Management from Microsoft and Razor Technology
Identity and Access Management from Microsoft and Razor TechnologyDavid J Rosenthal
 
Identity and Access Management 101
Identity and Access Management 101Identity and Access Management 101
Identity and Access Management 101Jerod Brennen
 
Download presentation
Download presentationDownload presentation
Download presentationwebhostingguy
 
Identity Management Overview: CAS and Shibboleth
Identity Management Overview: CAS and ShibbolethIdentity Management Overview: CAS and Shibboleth
Identity Management Overview: CAS and ShibbolethAndrew Petro
 

Recommended

Hope x talk
Hope x talkHope x talk
Hope x talkKaliya "Identity Woman" Young
 
Comparing SOAs for the Internet of Things
Comparing SOAs for the Internet of ThingsComparing SOAs for the Internet of Things
Comparing SOAs for the Internet of ThingsDominique Guinard
 
Government Citizen ID using Java Card Platform
Government Citizen ID using Java Card PlatformGovernment Citizen ID using Java Card Platform
Government Citizen ID using Java Card PlatformRamesh Nagappan
 
Identity Managment
Identity ManagmentIdentity Managment
Identity ManagmentAlanoud Alqoufi
 
Identity and Access Management from Microsoft and Razor Technology
Identity and Access Management from Microsoft and Razor TechnologyIdentity and Access Management from Microsoft and Razor Technology
Identity and Access Management from Microsoft and Razor TechnologyDavid J Rosenthal
 
Identity and Access Management 101
Identity and Access Management 101Identity and Access Management 101
Identity and Access Management 101Jerod Brennen
 
Download presentation
Download presentationDownload presentation
Download presentationwebhostingguy
 
Identity Management Overview: CAS and Shibboleth
Identity Management Overview: CAS and ShibbolethIdentity Management Overview: CAS and Shibboleth
Identity Management Overview: CAS and ShibbolethAndrew Petro
 
Eunis federation2
Eunis federation2Eunis federation2
Eunis federation2HEAnet
 
Open Standards For Social Business Apps
Open Standards For Social Business AppsOpen Standards For Social Business Apps
Open Standards For Social Business AppsIBM Connections Developers
 
Building Mobile (app) Masterpiece with Distributed Agile
Building Mobile (app) Masterpiece with Distributed AgileBuilding Mobile (app) Masterpiece with Distributed Agile
Building Mobile (app) Masterpiece with Distributed AgileWee Witthawaskul
 
Edugate Futures
Edugate FuturesEdugate Futures
Edugate FuturesHEAnet
 
Open Source & What It Means For Self-Sovereign Identity (SSI)
Open Source & What It Means For Self-Sovereign Identity (SSI)Open Source & What It Means For Self-Sovereign Identity (SSI)
Open Source & What It Means For Self-Sovereign Identity (SSI)Evernym
 
Identity mediation for enterprise identity bus
Identity mediation for enterprise identity busIdentity mediation for enterprise identity bus
Identity mediation for enterprise identity busPushpalanka Jayawardhana
 
Javaday jplaton presentation final
Javaday jplaton presentation finalJavaday jplaton presentation final
Javaday jplaton presentation finalGeorge Fylaktopoulos
 
BYOD for your business with WSO2 Enterprise Mobility Manager
BYOD for your business with WSO2 Enterprise Mobility ManagerBYOD for your business with WSO2 Enterprise Mobility Manager
BYOD for your business with WSO2 Enterprise Mobility ManagerWSO2
 
Creating a Cross-Corporate Knowledge Pool
Creating a Cross-Corporate Knowledge PoolCreating a Cross-Corporate Knowledge Pool
Creating a Cross-Corporate Knowledge PoolEnterprise 2.0 Conference
 
Solid: an introduction
Solid: an introduction Solid: an introduction
Solid: an introduction Vittorio Scarano
 
Shibboleth Guided Tour Webinar
Shibboleth Guided Tour WebinarShibboleth Guided Tour Webinar
Shibboleth Guided Tour WebinarJohn Lewis
 
WSO2Con'14 US - From Shadow IT to Empowered IT
WSO2Con'14 US - From Shadow IT to Empowered ITWSO2Con'14 US - From Shadow IT to Empowered IT
WSO2Con'14 US - From Shadow IT to Empowered ITAsanka Abeysinghe
 
Making bimodal it_a_reality_final
Making bimodal it_a_reality_finalMaking bimodal it_a_reality_final
Making bimodal it_a_reality_finalCentric Consulting
 
Mobile Device Security - Responsible Not Repressive
Mobile Device Security - Responsible Not RepressiveMobile Device Security - Responsible Not Repressive
Mobile Device Security - Responsible Not RepressiveMike Brannon
 
Session 4 Enterprise Mobile Security
Session 4 Enterprise Mobile SecuritySession 4 Enterprise Mobile Security
Session 4 Enterprise Mobile SecuritySantosh Satam
 
Datacare Company Profile Sept 2010
Datacare Company Profile Sept 2010Datacare Company Profile Sept 2010
Datacare Company Profile Sept 2010Fredrick Kariuki
 
Gregory Touretsky - Intel IT- Open Cloud Journey
Gregory Touretsky - Intel IT- Open Cloud JourneyGregory Touretsky - Intel IT- Open Cloud Journey
Gregory Touretsky - Intel IT- Open Cloud JourneyCloud Native Day Tel Aviv
 
2020 | Metadata Day | LinkedIn
2020 | Metadata Day | LinkedIn2020 | Metadata Day | LinkedIn
2020 | Metadata Day | LinkedInDeepak Chandramouli
 
Single Sign On 101
Single Sign On 101Single Sign On 101
Single Sign On 101Mike Schwartz
 
Ignou MCA 6th Semester Synopsis
Ignou MCA 6th Semester SynopsisIgnou MCA 6th Semester Synopsis
Ignou MCA 6th Semester SynopsisHitesh Jangid
 
Jasig uMobile - Open Source Enterprise Mobile Campus Solution
Jasig uMobile - Open Source Enterprise Mobile Campus SolutionJasig uMobile - Open Source Enterprise Mobile Campus Solution
Jasig uMobile - Open Source Enterprise Mobile Campus SolutionJohn Lewis
 
IMS LIS Outcomes and Sakai: Standardizing Grade Exchange
IMS LIS Outcomes and Sakai: Standardizing Grade ExchangeIMS LIS Outcomes and Sakai: Standardizing Grade Exchange
IMS LIS Outcomes and Sakai: Standardizing Grade ExchangeJohn Lewis
 

More Related Content

Similar to Real World Identity Managment

Eunis federation2
Eunis federation2Eunis federation2
Eunis federation2HEAnet
 
Building Mobile (app) Masterpiece with Distributed Agile
Building Mobile (app) Masterpiece with Distributed AgileBuilding Mobile (app) Masterpiece with Distributed Agile
Building Mobile (app) Masterpiece with Distributed AgileWee Witthawaskul
 
Edugate Futures
Edugate FuturesEdugate Futures
Edugate FuturesHEAnet
 
Open Source & What It Means For Self-Sovereign Identity (SSI)
Open Source & What It Means For Self-Sovereign Identity (SSI)Open Source & What It Means For Self-Sovereign Identity (SSI)
Open Source & What It Means For Self-Sovereign Identity (SSI)Evernym
 
Identity mediation for enterprise identity bus
Identity mediation for enterprise identity busIdentity mediation for enterprise identity bus
Identity mediation for enterprise identity busPushpalanka Jayawardhana
 
Javaday jplaton presentation final
Javaday jplaton presentation finalJavaday jplaton presentation final
Javaday jplaton presentation finalGeorge Fylaktopoulos
 
BYOD for your business with WSO2 Enterprise Mobility Manager
BYOD for your business with WSO2 Enterprise Mobility ManagerBYOD for your business with WSO2 Enterprise Mobility Manager
BYOD for your business with WSO2 Enterprise Mobility ManagerWSO2
 
Shibboleth Guided Tour Webinar
Shibboleth Guided Tour WebinarShibboleth Guided Tour Webinar
Shibboleth Guided Tour WebinarJohn Lewis
 
WSO2Con'14 US - From Shadow IT to Empowered IT
WSO2Con'14 US - From Shadow IT to Empowered ITWSO2Con'14 US - From Shadow IT to Empowered IT
WSO2Con'14 US - From Shadow IT to Empowered ITAsanka Abeysinghe
 
Making bimodal it_a_reality_final
Making bimodal it_a_reality_finalMaking bimodal it_a_reality_final
Making bimodal it_a_reality_finalCentric Consulting
 
Mobile Device Security - Responsible Not Repressive
Mobile Device Security - Responsible Not RepressiveMobile Device Security - Responsible Not Repressive
Mobile Device Security - Responsible Not RepressiveMike Brannon
 
Session 4 Enterprise Mobile Security
Session 4 Enterprise Mobile SecuritySession 4 Enterprise Mobile Security
Session 4 Enterprise Mobile SecuritySantosh Satam
 
Datacare Company Profile Sept 2010
Datacare Company Profile Sept 2010Datacare Company Profile Sept 2010
Datacare Company Profile Sept 2010Fredrick Kariuki
 
Gregory Touretsky - Intel IT- Open Cloud Journey
Gregory Touretsky - Intel IT- Open Cloud JourneyGregory Touretsky - Intel IT- Open Cloud Journey
Gregory Touretsky - Intel IT- Open Cloud JourneyCloud Native Day Tel Aviv
 
Ignou MCA 6th Semester Synopsis
Ignou MCA 6th Semester SynopsisIgnou MCA 6th Semester Synopsis
Ignou MCA 6th Semester SynopsisHitesh Jangid
 

Similar to Real World Identity Managment (20)

Eunis federation2
Eunis federation2Eunis federation2
Eunis federation2
 
Open Standards For Social Business Apps
Open Standards For Social Business AppsOpen Standards For Social Business Apps
Open Standards For Social Business Apps
 
Building Mobile (app) Masterpiece with Distributed Agile
Building Mobile (app) Masterpiece with Distributed AgileBuilding Mobile (app) Masterpiece with Distributed Agile
Building Mobile (app) Masterpiece with Distributed Agile
 
Edugate Futures
Edugate FuturesEdugate Futures
Edugate Futures
 
Open Source & What It Means For Self-Sovereign Identity (SSI)
Open Source & What It Means For Self-Sovereign Identity (SSI)Open Source & What It Means For Self-Sovereign Identity (SSI)
Open Source & What It Means For Self-Sovereign Identity (SSI)
 
Identity mediation for enterprise identity bus
Identity mediation for enterprise identity busIdentity mediation for enterprise identity bus
Identity mediation for enterprise identity bus
 
Javaday jplaton presentation final
Javaday jplaton presentation finalJavaday jplaton presentation final
Javaday jplaton presentation final
 
BYOD for your business with WSO2 Enterprise Mobility Manager
BYOD for your business with WSO2 Enterprise Mobility ManagerBYOD for your business with WSO2 Enterprise Mobility Manager
BYOD for your business with WSO2 Enterprise Mobility Manager
 
Creating a Cross-Corporate Knowledge Pool
Creating a Cross-Corporate Knowledge PoolCreating a Cross-Corporate Knowledge Pool
Creating a Cross-Corporate Knowledge Pool
 
Solid: an introduction
Solid: an introduction Solid: an introduction
Solid: an introduction
 
Shibboleth Guided Tour Webinar
Shibboleth Guided Tour WebinarShibboleth Guided Tour Webinar
Shibboleth Guided Tour Webinar
 
WSO2Con'14 US - From Shadow IT to Empowered IT
WSO2Con'14 US - From Shadow IT to Empowered ITWSO2Con'14 US - From Shadow IT to Empowered IT
WSO2Con'14 US - From Shadow IT to Empowered IT
 
Making bimodal it_a_reality_final
Making bimodal it_a_reality_finalMaking bimodal it_a_reality_final
Making bimodal it_a_reality_final
 
Mobile Device Security - Responsible Not Repressive
Mobile Device Security - Responsible Not RepressiveMobile Device Security - Responsible Not Repressive
Mobile Device Security - Responsible Not Repressive
 
Session 4 Enterprise Mobile Security
Session 4 Enterprise Mobile SecuritySession 4 Enterprise Mobile Security
Session 4 Enterprise Mobile Security
 
Datacare Company Profile Sept 2010
Datacare Company Profile Sept 2010Datacare Company Profile Sept 2010
Datacare Company Profile Sept 2010
 
Gregory Touretsky - Intel IT- Open Cloud Journey
Gregory Touretsky - Intel IT- Open Cloud JourneyGregory Touretsky - Intel IT- Open Cloud Journey
Gregory Touretsky - Intel IT- Open Cloud Journey
 
2020 | Metadata Day | LinkedIn
2020 | Metadata Day | LinkedIn2020 | Metadata Day | LinkedIn
2020 | Metadata Day | LinkedIn
 
Single Sign On 101
Single Sign On 101Single Sign On 101
Single Sign On 101
 
Ignou MCA 6th Semester Synopsis
Ignou MCA 6th Semester SynopsisIgnou MCA 6th Semester Synopsis
Ignou MCA 6th Semester Synopsis
 

More from John Lewis

Jasig uMobile - Open Source Enterprise Mobile Campus Solution
Jasig uMobile - Open Source Enterprise Mobile Campus SolutionJasig uMobile - Open Source Enterprise Mobile Campus Solution
Jasig uMobile - Open Source Enterprise Mobile Campus SolutionJohn Lewis
 
IMS LIS Outcomes and Sakai: Standardizing Grade Exchange
IMS LIS Outcomes and Sakai: Standardizing Grade ExchangeIMS LIS Outcomes and Sakai: Standardizing Grade Exchange
IMS LIS Outcomes and Sakai: Standardizing Grade ExchangeJohn Lewis
 
New Opportunites to Connect Learning with LIS and LTI
New Opportunites to Connect Learning with LIS and LTINew Opportunites to Connect Learning with LIS and LTI
New Opportunites to Connect Learning with LIS and LTIJohn Lewis
 
Annotation-Based Spring Portlet MVC
Annotation-Based Spring Portlet MVCAnnotation-Based Spring Portlet MVC
Annotation-Based Spring Portlet MVCJohn Lewis
 
Open Source Your Project (With Jasig)
Open Source Your Project (With Jasig)Open Source Your Project (With Jasig)
Open Source Your Project (With Jasig)John Lewis
 
Sakai uPortal Integration Options
Sakai uPortal Integration OptionsSakai uPortal Integration Options
Sakai uPortal Integration OptionsJohn Lewis
 
Sprint Portlet MVC Seminar
Sprint Portlet MVC SeminarSprint Portlet MVC Seminar
Sprint Portlet MVC SeminarJohn Lewis
 
Agile Engineering
Agile EngineeringAgile Engineering
Agile EngineeringJohn Lewis
 
Securing Portlets With Spring Security
Securing Portlets With Spring SecuritySecuring Portlets With Spring Security
Securing Portlets With Spring SecurityJohn Lewis
 
Spring Portlet MVC
Spring Portlet MVCSpring Portlet MVC
Spring Portlet MVCJohn Lewis
 
Leveraging Open Source
Leveraging Open SourceLeveraging Open Source
Leveraging Open SourceJohn Lewis
 
Java Portlet 2.0 (JSR 286) Specification
Java Portlet 2.0 (JSR 286) SpecificationJava Portlet 2.0 (JSR 286) Specification
Java Portlet 2.0 (JSR 286) SpecificationJohn Lewis
 
Open Source Licensing
Open Source LicensingOpen Source Licensing
Open Source LicensingJohn Lewis
 

More from John Lewis (14)

Jasig uMobile - Open Source Enterprise Mobile Campus Solution
Jasig uMobile - Open Source Enterprise Mobile Campus SolutionJasig uMobile - Open Source Enterprise Mobile Campus Solution
Jasig uMobile - Open Source Enterprise Mobile Campus Solution
 
IMS LIS Outcomes and Sakai: Standardizing Grade Exchange
IMS LIS Outcomes and Sakai: Standardizing Grade ExchangeIMS LIS Outcomes and Sakai: Standardizing Grade Exchange
IMS LIS Outcomes and Sakai: Standardizing Grade Exchange
 
New Opportunites to Connect Learning with LIS and LTI
New Opportunites to Connect Learning with LIS and LTINew Opportunites to Connect Learning with LIS and LTI
New Opportunites to Connect Learning with LIS and LTI
 
Annotation-Based Spring Portlet MVC
Annotation-Based Spring Portlet MVCAnnotation-Based Spring Portlet MVC
Annotation-Based Spring Portlet MVC
 
Open Source Your Project (With Jasig)
Open Source Your Project (With Jasig)Open Source Your Project (With Jasig)
Open Source Your Project (With Jasig)
 
Sakai uPortal Integration Options
Sakai uPortal Integration OptionsSakai uPortal Integration Options
Sakai uPortal Integration Options
 
Sprint Portlet MVC Seminar
Sprint Portlet MVC SeminarSprint Portlet MVC Seminar
Sprint Portlet MVC Seminar
 
Agile Engineering
Agile EngineeringAgile Engineering
Agile Engineering
 
Scrum Process
Scrum ProcessScrum Process
Scrum Process
 
Securing Portlets With Spring Security
Securing Portlets With Spring SecuritySecuring Portlets With Spring Security
Securing Portlets With Spring Security
 
Spring Portlet MVC
Spring Portlet MVCSpring Portlet MVC
Spring Portlet MVC
 
Leveraging Open Source
Leveraging Open SourceLeveraging Open Source
Leveraging Open Source
 
Java Portlet 2.0 (JSR 286) Specification
Java Portlet 2.0 (JSR 286) SpecificationJava Portlet 2.0 (JSR 286) Specification
Java Portlet 2.0 (JSR 286) Specification
 
Open Source Licensing
Open Source LicensingOpen Source Licensing
Open Source Licensing
 

Recently uploaded

Neo4j - How KGs are shaping the future of Generative AI at AWS Summit London ...
Neo4j - How KGs are shaping the future of Generative AI at AWS Summit London ...Neo4j - How KGs are shaping the future of Generative AI at AWS Summit London ...
Neo4j - How KGs are shaping the future of Generative AI at AWS Summit London ...Neo4j
 
#StandardsGoals for 2024: What’s new for BISAC - Tech Forum 2024
#StandardsGoals for 2024: What’s new for BISAC - Tech Forum 2024#StandardsGoals for 2024: What’s new for BISAC - Tech Forum 2024
#StandardsGoals for 2024: What’s new for BISAC - Tech Forum 2024BookNet Canada
 
A Domino Admins Adventures (Engage 2024)
A Domino Admins Adventures (Engage 2024)A Domino Admins Adventures (Engage 2024)
A Domino Admins Adventures (Engage 2024)Gabriella Davis
 
SQL Database Design For Developers at php[tek] 2024
SQL Database Design For Developers at php[tek] 2024SQL Database Design For Developers at php[tek] 2024
SQL Database Design For Developers at php[tek] 2024Scott Keck-Warren
 
Beyond Boundaries: Leveraging No-Code Solutions for Industry Innovation
Beyond Boundaries: Leveraging No-Code Solutions for Industry InnovationBeyond Boundaries: Leveraging No-Code Solutions for Industry Innovation
Beyond Boundaries: Leveraging No-Code Solutions for Industry InnovationSafe Software
 
Handwritten Text Recognition for manuscripts and early printed texts
Handwritten Text Recognition for manuscripts and early printed textsHandwritten Text Recognition for manuscripts and early printed texts
Handwritten Text Recognition for manuscripts and early printed textsMaria Levchenko
 
Kotlin Multiplatform & Compose Multiplatform - Starter kit for pragmatics
Kotlin Multiplatform & Compose Multiplatform - Starter kit for pragmaticsKotlin Multiplatform & Compose Multiplatform - Starter kit for pragmatics
Kotlin Multiplatform & Compose Multiplatform - Starter kit for pragmaticscarlostorres15106
 
Breaking the Kubernetes Kill Chain: Host Path Mount
Breaking the Kubernetes Kill Chain: Host Path MountBreaking the Kubernetes Kill Chain: Host Path Mount
Breaking the Kubernetes Kill Chain: Host Path MountPuma Security, LLC
 
Slack Application Development 101 Slides
Slack Application Development 101 SlidesSlack Application Development 101 Slides
Slack Application Development 101 Slidespraypatel2
 
Tech-Forward - Achieving Business Readiness For Copilot in Microsoft 365
Tech-Forward - Achieving Business Readiness For Copilot in Microsoft 365Tech-Forward - Achieving Business Readiness For Copilot in Microsoft 365
Tech-Forward - Achieving Business Readiness For Copilot in Microsoft 3652toLead Limited
 
Presentation on how to chat with PDF using ChatGPT code interpreter
Presentation on how to chat with PDF using ChatGPT code interpreterPresentation on how to chat with PDF using ChatGPT code interpreter
Presentation on how to chat with PDF using ChatGPT code interpreternaman860154
 
Automating Business Process via MuleSoft Composer | Bangalore MuleSoft Meetup...
Automating Business Process via MuleSoft Composer | Bangalore MuleSoft Meetup...Automating Business Process via MuleSoft Composer | Bangalore MuleSoft Meetup...
Automating Business Process via MuleSoft Composer | Bangalore MuleSoft Meetup...shyamraj55
 
Install Stable Diffusion in windows machine
Install Stable Diffusion in windows machineInstall Stable Diffusion in windows machine
Install Stable Diffusion in windows machinePadma Pradeep
 
Injustice - Developers Among Us (SciFiDevCon 2024)
Injustice - Developers Among Us (SciFiDevCon 2024)Injustice - Developers Among Us (SciFiDevCon 2024)
Injustice - Developers Among Us (SciFiDevCon 2024)Allon Mureinik
 
Enhancing Worker Digital Experience: A Hands-on Workshop for Partners
Enhancing Worker Digital Experience: A Hands-on Workshop for PartnersEnhancing Worker Digital Experience: A Hands-on Workshop for Partners
Enhancing Worker Digital Experience: A Hands-on Workshop for PartnersThousandEyes
 
SIEMENS: RAPUNZEL – A Tale About Knowledge Graph
SIEMENS: RAPUNZEL – A Tale About Knowledge GraphSIEMENS: RAPUNZEL – A Tale About Knowledge Graph
SIEMENS: RAPUNZEL – A Tale About Knowledge GraphNeo4j
 
[2024]Digital Global Overview Report 2024 Meltwater.pdf
[2024]Digital Global Overview Report 2024 Meltwater.pdf[2024]Digital Global Overview Report 2024 Meltwater.pdf
[2024]Digital Global Overview Report 2024 Meltwater.pdfhans926745
 
Unblocking The Main Thread Solving ANRs and Frozen Frames
Unblocking The Main Thread Solving ANRs and Frozen FramesUnblocking The Main Thread Solving ANRs and Frozen Frames
Unblocking The Main Thread Solving ANRs and Frozen FramesSinan KOZAK
 
08448380779 Call Girls In Civil Lines Women Seeking Men
08448380779 Call Girls In Civil Lines Women Seeking Men08448380779 Call Girls In Civil Lines Women Seeking Men
08448380779 Call Girls In Civil Lines Women Seeking MenDelhi Call girls
 
How to Troubleshoot Apps for the Modern Connected Worker
How to Troubleshoot Apps for the Modern Connected WorkerHow to Troubleshoot Apps for the Modern Connected Worker
How to Troubleshoot Apps for the Modern Connected WorkerThousandEyes
 

Recently uploaded (20)

Neo4j - How KGs are shaping the future of Generative AI at AWS Summit London ...
Neo4j - How KGs are shaping the future of Generative AI at AWS Summit London ...Neo4j - How KGs are shaping the future of Generative AI at AWS Summit London ...
Neo4j - How KGs are shaping the future of Generative AI at AWS Summit London ...
 
#StandardsGoals for 2024: What’s new for BISAC - Tech Forum 2024
#StandardsGoals for 2024: What’s new for BISAC - Tech Forum 2024#StandardsGoals for 2024: What’s new for BISAC - Tech Forum 2024
#StandardsGoals for 2024: What’s new for BISAC - Tech Forum 2024
 
A Domino Admins Adventures (Engage 2024)
A Domino Admins Adventures (Engage 2024)A Domino Admins Adventures (Engage 2024)
A Domino Admins Adventures (Engage 2024)
 
SQL Database Design For Developers at php[tek] 2024
SQL Database Design For Developers at php[tek] 2024SQL Database Design For Developers at php[tek] 2024
SQL Database Design For Developers at php[tek] 2024
 
Beyond Boundaries: Leveraging No-Code Solutions for Industry Innovation
Beyond Boundaries: Leveraging No-Code Solutions for Industry InnovationBeyond Boundaries: Leveraging No-Code Solutions for Industry Innovation
Beyond Boundaries: Leveraging No-Code Solutions for Industry Innovation
 
Handwritten Text Recognition for manuscripts and early printed texts
Handwritten Text Recognition for manuscripts and early printed textsHandwritten Text Recognition for manuscripts and early printed texts
Handwritten Text Recognition for manuscripts and early printed texts
 
Kotlin Multiplatform & Compose Multiplatform - Starter kit for pragmatics
Kotlin Multiplatform & Compose Multiplatform - Starter kit for pragmaticsKotlin Multiplatform & Compose Multiplatform - Starter kit for pragmatics
Kotlin Multiplatform & Compose Multiplatform - Starter kit for pragmatics
 
Breaking the Kubernetes Kill Chain: Host Path Mount
Breaking the Kubernetes Kill Chain: Host Path MountBreaking the Kubernetes Kill Chain: Host Path Mount
Breaking the Kubernetes Kill Chain: Host Path Mount
 
Slack Application Development 101 Slides
Slack Application Development 101 SlidesSlack Application Development 101 Slides
Slack Application Development 101 Slides
 
Tech-Forward - Achieving Business Readiness For Copilot in Microsoft 365
Tech-Forward - Achieving Business Readiness For Copilot in Microsoft 365Tech-Forward - Achieving Business Readiness For Copilot in Microsoft 365
Tech-Forward - Achieving Business Readiness For Copilot in Microsoft 365
 
Presentation on how to chat with PDF using ChatGPT code interpreter
Presentation on how to chat with PDF using ChatGPT code interpreterPresentation on how to chat with PDF using ChatGPT code interpreter
Presentation on how to chat with PDF using ChatGPT code interpreter
 
Automating Business Process via MuleSoft Composer | Bangalore MuleSoft Meetup...
Automating Business Process via MuleSoft Composer | Bangalore MuleSoft Meetup...Automating Business Process via MuleSoft Composer | Bangalore MuleSoft Meetup...
Automating Business Process via MuleSoft Composer | Bangalore MuleSoft Meetup...
 
Install Stable Diffusion in windows machine
Install Stable Diffusion in windows machineInstall Stable Diffusion in windows machine
Install Stable Diffusion in windows machine
 
Injustice - Developers Among Us (SciFiDevCon 2024)
Injustice - Developers Among Us (SciFiDevCon 2024)Injustice - Developers Among Us (SciFiDevCon 2024)
Injustice - Developers Among Us (SciFiDevCon 2024)
 
Enhancing Worker Digital Experience: A Hands-on Workshop for Partners
Enhancing Worker Digital Experience: A Hands-on Workshop for PartnersEnhancing Worker Digital Experience: A Hands-on Workshop for Partners
Enhancing Worker Digital Experience: A Hands-on Workshop for Partners
 
SIEMENS: RAPUNZEL – A Tale About Knowledge Graph
SIEMENS: RAPUNZEL – A Tale About Knowledge GraphSIEMENS: RAPUNZEL – A Tale About Knowledge Graph
SIEMENS: RAPUNZEL – A Tale About Knowledge Graph
 
[2024]Digital Global Overview Report 2024 Meltwater.pdf
[2024]Digital Global Overview Report 2024 Meltwater.pdf[2024]Digital Global Overview Report 2024 Meltwater.pdf
[2024]Digital Global Overview Report 2024 Meltwater.pdf
 
Unblocking The Main Thread Solving ANRs and Frozen Frames
Unblocking The Main Thread Solving ANRs and Frozen FramesUnblocking The Main Thread Solving ANRs and Frozen Frames
Unblocking The Main Thread Solving ANRs and Frozen Frames
 
08448380779 Call Girls In Civil Lines Women Seeking Men
08448380779 Call Girls In Civil Lines Women Seeking Men08448380779 Call Girls In Civil Lines Women Seeking Men
08448380779 Call Girls In Civil Lines Women Seeking Men
 
How to Troubleshoot Apps for the Modern Connected Worker
How to Troubleshoot Apps for the Modern Connected WorkerHow to Troubleshoot Apps for the Modern Connected Worker
How to Troubleshoot Apps for the Modern Connected Worker
 

Real World Identity Managment

  • 1. Real-World Identity Management Solutions John A. Lewis Chief Software Architect Unicon, Inc. 28 July 2009 Campus Technology Boston, Massachusetts © Copyright Unicon, Inc., 2009. Some rights reserved. This work is licensed under a Creative Commons Attribution-Noncommercial- Share Alike 3.0 United States License. To view a copy of this license, visit: http://creativecommons.org/licenses/by-nc-sa/3.0/us/
  • 2. Why Makes Identity Important? ● Connects – Users – Applications ● Lots of other things – security, privacy, spam, – secrecy, trust, authority, – collaboration, convenience, – ... 2
  • 3. What Is Identity Management? “A set of processes, and a supporting infrastructure, for the creation, maintenance, and use of digital identities.” – Burton Group ● Account creation, directories, authentication, authorization access controls, ... ● Includes policy, process, governance, trust ● Need new ways of thinking about controlling access to IT services 3
  • 4. Identity Management Lifecycle ● Provisioning – Initial Account creation – When to establish a persistent identity? ● Account updates – Self-service? For which attributes? – Central administrative changes ● Role maintenance – Adding, changing, removing roles ● Suspending / Removing / Restoring – When to do this? How long to retain it? 4
  • 5. 5
  • 6. EDUCAUSE Top 10 IT Issues ● 2003 #3 Security & Identity Management ● 2004 #3 Security & Identity Management ● 2005 #2 Security & Identity Management ● 2006 #1 Security & Identity Management ● 2007 #4 Identity / Access Management (Security at #2) ● 2008 #5 Identity / Access Management (Security at #1) 6
  • 7. Challenge & Goal ● Challenge: Fragmented Identity Landscape – Many systems of records – Many applications – Many passwords – Many overlapping roles ● Goal: Ease-Of-Use for Students/Faculty/Staff – Enable seamless access to resources – Enforce security and privacy – Create a sense of a unified Enterprise 7
  • 8. Evolution of User Identity ● Application Silos – Each with their own logins and passwords ● Common Directories / Databases – Central store for person information ● Single Sign-On – Central login system for multiple applications ● Federated Identity – Trusted identity information from others 8
  • 9. Emerging Best Practices ● Automate Provisioning across systems ● Separate Authentication and Authorization ● Use Roles for Access Control & Dynamic Rules ● Provide Delegated Administration ● Multiple Authoritative Sources for Attributes ● Allow Account Names to change 9
  • 11. Developing a Coherent Cyberinfrastructure from Local Campus to National Facilities: Challenges and Strategies A Workshop Report and Recommendations EDUCAUSE Campus Cyberinfrastructure Working Group and Coalition for Academic Scientific Computation February 2009 Short Link: http://bit.ly/jsTvH 11
  • 12. Strategic Recommendation 2.3.1 “Agencies, campuses, and national and state organizations should adopt a single, open, standards-based system for identity management, authentication, and authorization, thus improving the usability and interoperability of CI resources throughout the nation.” 12
  • 13. Tactical Recommendation 2.3.1a The global federated system for identity management, authentication, and authorization that is supported by the InCommon Federation should be adopted with an initial focus on major research universities and colleges. After an initial deployment in research-oriented functions involving research universities, such an identity management strategy for CI should be implemented generally within funding agencies and other educational institutions. 13
  • 14. Why Federated Identity? ● Authoritative information – Users, privileges, attributes ● Improved security – Fewer user accounts in the world ● Privacy when needed – Fine control over attribute sharing ● Saves time & money – Less work administrating users 14
  • 15. What Is SAML? ● Security Assertion Markup Language (SAML) ● XML-based Open Standard ● Exchange authentication and authorization data between security domains – Identity Provider (a producer of assertions) – Service Provider (a consumer of assertions) ● Approved by OASIS Security Services – SAML 1.0 November 2002 – SAML 2.0 March 2005 15
  • 16. Major SAML Applications ● Proquest ● Microsoft DreamSpark ● Project MUSE ● Moodle, Joomla, Drupal ● Thomson Gale ● JSTOR, ArtSTOR, OCLC ● Elsevier ScienceDirect ● Blackboard & WebCT ● Google Apps ● WebAssign & TurnItIn ● ExLibris MetaLib ● MediaWiki / Confluence ● Sakai & Moodle ● National Institutes of Health ● uPortal ● National Digital Science ● DSpace, Fedora Library ● Ovid 16
  • 17. How Federated Identity Works ● A user tries to access a protected application ● The user tells the application where it’s from ● The user logs in at home ● Home tells the application about the user ● The user is rejected or accepted 17
  • 18. 1. I'd like access 2. Where are you from? 3. Please login at home 4. I'd like to login for SP Identity 5. Login Service User Provider Provider 6. Here is data about you for the SP – send it 7. Here is the data from my IdP 8. Access Granted / Access Denied User Application / Directory Database 18
  • 19. JISC Video on Federated Identity ● Great YouTube video that introduces Federated Identity & Access Management concepts Short Link: http://bit.ly/YhqkD 19
  • 21. Shibboleth ● Enterprise federated identity software – Based on standards (principally SAML) – Extensive architectural work to integrate with existing systems – Designed for deployment by communities ● Most widely used in education, government ● Broadly adopted in Europe ● 2.0 release implements SAML 2 – Backward compatible with 1.3 21
  • 22. Shibboleth Project ● Free & Open Source – Apache 2.0 license ● Enterprise and Federation oriented ● Started 2000 with first released code in 2003 ● Excellent community support – http://shibboleth.internet2.edu – shibboleth-announce@internet2.edu 22
  • 24. 24
  • 25. Role of a Federation ● Agreed upon Attribute Definitions – Group, Role, Unique Identifier, Courses, … ● Criteria for IdM & IdP practices – user accounts, credentialing, personal information stewardship, interoperability standards, technologies, ... ● Digital Certificates ● Trusted “notary” for all members ● Not needed for Federated IdM, but does make things even easier 25
  • 26. InCommon Federation ● Federation for U.S. Higher Education & Research (and Partners) ● Over Three Million Users ● 163 Organizations ● Self-organizing & Heterogeneous ● Policy Entrance bar intentionally set low ● Doesn’t impose lots of rules and standards ● http://www.incommonfederation.org/ 26
  • 27. Other Emerging Projects / Standards ● Grouper grouper.internet2.edu – Access Management via sophisticated group structures, protocols ● Comanage middleware.internet2.edu/co – Collaborative Organization Management Platform with wide variety of “domesticated” applications ● XACML - eXtensible Access Control Markup Language – declarative access control policy language and a processing model for interpret the policies ● SPML - Service Provisioning Markup Language – framework for exchanging user, resource, and service provisioning information between organizations 27
  • 28. Questions & Answers John A. Lewis Chief Software Architect Unicon, Inc. jlewis@unicon.net www.unicon.net 28