SAML a mature six year old?

Glenn Wearen, Paul Caskey & Josh Howlett

Introduction

• Identity Management

• Edugate project

Firstly

• Identity Management (IdM)

• Identity and Access Management (IAM)

Identity Management-who?

Who?

• Students– Onsite / Offsite– Local / Remote– Undergraduate / Postgraduate– Full-time / Part-time– Primary / Post-primary

Who?

• Employees– Full-time– Part-time– Contractors– Temporary– Teaching– Administrative

Identity Management-what?

What?

• User– Firstname– Lastname– Password– Group– Role– Email– Id

– X500– Active Directory– eduPerson– SCHAC– Custom

Identity Management-when?

When?

• Registration– New Student– Transfer

• Re-registration– Undergraduate > Postgraduate > Lecturer

• Graduation

• Alumni

When?

• IdM Lifecycle– Provision– Promote– Demote– Disable– Enable– Deprovision– Reprovision– Synchronise

Identity Management-where?

Where?

• Registry• HR• Alumni database

• Email• Directory• Database• Library• External Services

Where?

• Resources

– Application• Webmail• Portal• VLE• Device

– Computing Resource• Desktop• Server• Grid

Where?

• Resources

• Internal– Remotely Accessible?

• External– Remotely Accessible?

Identity Management-why?

Why?

• Because we have to...

...as part of day to day responsibility

Why?

• Because we have to...

...if we get it wrong, the consequences can be far reaching.

Why?

• Because we have to...

...our users expect to be able to have some control over their digital identity.

Why?

• Because we have to...

... Student and employee login accounts are valuable.

Identity Management-how?

What is the best practice?

• Kim Cameron’s 7 Laws of Identity.– 1. User Control and Consent– 2. Minimal Disclosure for a Constrained Use– 3. Justifiable Parties– 4. Directed Identity– 5. Pluralism of Operators and Technologies– 6. Human Integration– 7. Consistent Experience Across Contexts

What is the best framework?

• Centralised

What is the best framework?

• Centralised

• Devolved

What is the best framework?

• Centralised

• Devolved– SAML (or similar)– Active Directory Inter-domain Trust– Kerberos– RADIUS

• User-centric

What is the best framework?

• Centralised

• Devolved

• User-centric

• Hybrid

?

Edugate

• e-INIS PRTLI Cycle 4 • Research Federated Access• Technology Trial• Pilot Project

Edugate

Research• Federated Models• Existing Federations

– Schema (x500, eduPerson, SCHAC)– Protocols (SAML based only)

• Policy– Governance (Direction)– Membership (Rules)

Edugate

Technology Trial

• Protocols and Standards– Shibboleth 1.3 & 2.0– ADFS– SAML– eduPerson

• Interoperability

• Performance and scalability

Edugate

Pilot Project• Services

– Managed IdP– Hosted IdP– Hosted SP

• Applications– Web-based– GRID

Summary

IAM

• Who

• What

• When

• Where

• Why

• How

Edugate

• Research

• Trial

• Pilot

Lastly

Questions

Athens

Federated Access as SSO for Campus.

Federated Access for HEI