Page 1
Practical Tools for Implementing Authentication and Managing Authorization
Educause SWR 2007
Barry Ribbeck
Director of Systems, Architecture and Infrastructure
Rice University
Thanks to Andrea Beesing, Cornell, for permission to use some of the material presented here.
Subliminal humour by Steven Wright.
Copyright Barry Ribbeck and Andrea Beesing 2007. This work is the intellectual property of the authors. Permission is granted for this material to be shared for non-commercial, educational purposes, provided that this copyright statement appears on the reproduced materials and notice is given that the copying is by permission of the author. To disseminate otherwise or to republish requires written permission from the author.
Page 2
Rice Time Line (timeline graphic; only the labels survive extraction)
Mainframe era; Ken Kennedy & Parallel Computing; Growing Silos of AuthX; 1985; Enterprise Directory; Kerberos; 2001-04; 1999; 2005 GuestID & Shibboleth; 2008; 2008; Grouper; 2006-07; 2007-08; Signet; YON; Mosaic 1992; New Network 2005; I2 Shibboleth & Federations; Join InCommon
Page 3
Rice University
S.W.: 47.3% of all statistics are made up on the spot.
• Located in Houston, adjacent to the Texas Medical Center
• ~5000 Students
• ~1000 Faculty
• ~2000 Staff
• Tens of thousands of Alumni
• Uncounted Friends
Page 4
Groups and Roles
• S.W.: Some people would kill for a Nobel Peace Prize!
• Groups abstractly associate people into rational collections. Groups are tools that allow us to scale access control more easily.
• Roles are groupings of privileges.
• Associating groups to roles provides a method to scale access control.
Page 5
Identity, Credentials and LOA
• S.W.: Half the people you know are below average.
• Who are you to me?
• How do I know it is you logging in?
• How do we measure trust in the offered credential?
• What tools do I use to assert an identity credential?
• What tools do I use to trust your identity and credentialing processes?
Page 6
Levels Of Assurance (LOA): Credential Trust Metric
S.W.: Why do psychics have to ask your name?
• Traditional well-known community (faculty, staff, students, alumni)
• Proxy-asserted affiliates and federated users
• Self-asserted affiliates
• Unknown masses
Page 7
The Business Context
S.W.: Everyone who believes in psycho-kinesis, raise my hand.
• Legislation driving better controls over access to information
  – Authorized use only
  – Understanding who, when, why
• Privacy concerns
• Continued high demand for new online services
• Interest in identity federation for collaboration and leveraging investments
• Need to align with granting agency requirements
Page 8
From Kansas to Oz
S.W.: 99% of lawyers give the rest a bad name.
• Enhancing authorization
  – Distributed access management solution
  – Grouper for group management
  – Signet for privilege management
• Enhancing authentication
  – Getting ready for federation = attention to business processes and policy
  – Resources and tools provided by NMI and EDUCAUSE can help at this stage or any stage
What happens if you are scared half to death – twice?
Page 9
What is Distributed Access Management?
S.W.: To steal ideas from one person is plagiarism; to steal from many is research.
• Addresses the challenge of
  – Managing access rights for many types of users for many resources
  – Ensuring that access rights are adjusted as the individual’s relationship to the institution changes
• Set of central services in a distributed management model
• Tied into your identity management and integrated through common middleware
Page 10
Creating Leveraged Resources: A Phased Approach
• Authentication
  – Authentication - Kerberos, Web ISO
  – Automated credential management - (Home Grown and Commercial Products)
  – Identity Repositories - Person Registries
• Authorization
  – Authorization Repositories - Directories
  – Group Management - Grouper
  – Privilege Management - Signet
Page 11
AuthN & AuthZ: not just technology
(Diagram; only the labels survive extraction.) Layers: Business processes; Policy; Technology.
Labels: Authentication of IT Resources; Information Security of Institutional Data; Training and awareness; Account management; Identification and registration; Kerberos, Grouper, Signet, Directory; Ensuring users have ready access to information and resources they are entitled to; Data access standards.
Page 12
Aligning IT with business process and policy: Grouper example
(Diagram; only the labels survive extraction.)
Unit Head, College of Sciences
Grouper stem: Admin 1: Dan; Admin 2: Tim
Grouper stem: Statistics – Admin: Marion
Grouper stem: Math – Admin: Judy
Grouper stem: Engineering – Admin: Joe
Groups: Math & Stats faculty; Math students; ECE Students
Data access policy & standards
Page 13
Other Grouper Features
• Common API for program access
• Better integration with applications and other middleware components
• Better support for automated provisioning of institutional groups/roles based on source data
• Common interface for users, customizable using Tiles and Struts
Page 14
Other Grouper Features
• Sophisticated group management capabilities to support many access management needs
  – Subgroups
  – Allows useful actions on these groups: group math, group nesting, negative authorizations
  – Traceback of indirect membership
  – Subscription feature
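The subgroup, group-math, negative-authorization and indirect-membership-traceback features listed above, together with the Groups and Roles idea that nested groups scale access control, modelled in a small added example (this is not Grouper's own code; the stem, group and subject names are constructed):

```python
from dataclasses import dataclass, field

@dataclass
class Group:
    members: set = field(default_factory=set)    # direct member subject ids
    subgroups: set = field(default_factory=set)  # nested groups (group math: union)
    requires: set = field(default_factory=set)   # group math: intersection with these
    excludes: set = field(default_factory=set)   # negative authorization: subtract these

class Registry:
    def __init__(self):
        self.groups = {}

    def add(self, name, members=(), subgroups=(), requires=(), excludes=()):
        self.groups[name] = Group(set(members), set(subgroups),
                                  set(requires), set(excludes))

    def effective(self, name, seen=frozenset()):
        # Resolve effective membership; `seen` guards against nesting cycles.
        if name in seen:
            return set()
        g, seen = self.groups[name], seen | {name}
        result = set(g.members)
        for sub in g.subgroups:
            result |= self.effective(sub, seen)
        for req in g.requires:
            result &= self.effective(req, seen)
        for ex in g.excludes:            # a negative authorization always wins
            result -= self.effective(ex, seen)
        return result

    def trace(self, name, subject, path=()):
        # Traceback of indirect membership: every nesting path via which `subject` reaches `name`.
        if name in path:
            return []
        g, path = self.groups[name], path + (name,)
        paths = [list(path)] if subject in g.members else []
        for sub in g.subgroups:
            paths += self.trace(sub, subject, path)
        return paths

def build_demo():
    # Constructed data: a College of Sciences faculty group = Math faculty + Stats faculty - suspended accounts
    r = Registry()
    r.add("math:faculty", members={"judy", "dan"})
    r.add("stats:faculty", members={"marion"})
    r.add("sciences:suspended", members={"dan"})
    r.add("sciences:faculty", subgroups={"math:faculty", "stats:faculty"},
          excludes={"sciences:suspended"})
    return r
```

With this data `effective("sciences:faculty")` yields judy and marion only, while `trace` still shows the math:faculty path through which dan would otherwise be included, which is the audit question a negative authorization raises.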
Page 15
Signet: Privilege Management Tool
• Central repository for privilege information—who, what, when, why
• Maps assigned privileges into system-specific terms needed by applications
• Privileges are exported into applications and infrastructure services using the appropriate notification mechanisms (e-mail, XML, webmethods, etc.)
• Web-based UI for managers and holders of privileges
• Supports life cycle controls for privileges
Page 16
Signet: Use case #1- Self Service
• A user requests a change in account range or group in the Accounting Data Warehouse
  – Self-granting privilege with a prerequisite for approval
  – Request triggers email to the person who can grant the privilege
Page 17
Signet: Use Case #2
• An application with its own authorization database wants to use the Signet UI as its front-end
  – The application’s authZ scheme can be integrated into Signet as a subsystem. An initial synchronization is done to populate Signet with current privilege info from the application
  – When a privilege change is made in Signet, a message is forwarded to the application’s internal database in the correct format
Page 18
Signet Interface example
Page 19
IAM/IdM: The Big Picture
Page 20
What is Federated Identity?
The agreements, standards, and technologies that make identity and entitlements portable across autonomous domains
TRANSLATION:
I can access a Grid resource at Penn State using my Rice NetID and password because I’m collaborating with a researcher there.
Page 21
AuthN: Challenges in a federated world
• Service providers want to know things like:
  – How do you accomplish identity proofing and registration?
  – How do you confirm delivery of credentials?
  – Does your authentication protocol resist online password guessing?
• Federal government is driving the development of standards for assessing level of assurance (LoA)
• LoA determines the measure of trust a service provider has agreed to accept regarding the credentials presented in a federated authentication transaction.
• Strategy for aligning authentication with broader goals is important
Page 22
The NMI-EDIT Roadmap can help
S.W.: A conclusion is a place you go when you get tired of thinking.
• Step-by-step approach aimed at considering broader issues related to authentication
• Draws on wealth of experience within higher education
  – Case studies
  – Policy examples
  – Roadmaps
• Tools for assessing gaps in LoAs
Page 23
Resources
• NMI-EDIT Enterprise Authentication Implementation Roadmap: http://www.nmi-edit.org/roadmap/draft-authn-roadmap-03/
• Grouper site: http://grouper.internet2.edu
• Signet site: http://signet.internet2.edu
• Cornell Identity Management program site: http://www.cit.cornell.edu/services/identity/
• Cornell IT Policy Office web site: http://www.cit.cornell.edu/oit/PolicyOffice.html