Trends in Identity Management
Nate Klingenstein
Internet2
EDUCAUSE Security Professional 2007
Topics
• Federated Identity
  • Extending enterprise security
  • Application to network security protocols
• Peer-to-Peer Identity
  • OpenID
• Convergence & Divergence
  • Web Access Federations and Network Security
  • Do these communities meaningfully overlap?
Federated Identity
• Leverages local identities to access remote resources
  • Enterprise directories & authentication
• Organizations trust each other
  • Decentralized center
• Multiple federations
  • Federated identity is distinct from federations
  • Can have federated ID without federations
Technical Basis of Exchange
• Attributes
• Identity Providers (IdP)
  • Asserts authentication and attribute information
• Service Providers (SP)
  • Receives and processes attributes and authentications
• Metadata
Trust Basis for Exchange
• IdP asserts good information
• SP disposes of information received properly
• Logging
  • Tracking down malfeasants is cooperative but always possible
• Everything always boils down to a bilateral exchange
Trust Basis for Exchange
• Centralized federation services
  • Metadata
  • Auditing
  • Attribute standardization
  • Other rules
• Extensions and merges of existing identities
  • Virtual Organizations
SAML-based Higher Ed Federations
• Australia
• Belgium
• Canada
• China
• Denmark
• Finland
• France
• Germany
• Greece
• New Zealand
• Norway
• Spain
• Sweden
• Switzerland
• The Netherlands
• United Kingdom
• United States
InCommon: U.S. Higher Ed Federation
• Multiple levels of assurance
  • Bronze, Silver, Gold, or basic
• Identity information managed by central IT
  • Where are the attributes you need?
  • No guidance on attribute release
• http://www.incommonfederation.org
Security Assertion Standards
• SAML 1.1 (Shibboleth 1.x)
• SAML 2.0
• ID-WSF
• WS-Trust
• WS-Security
• Many other WS-*
• Many other others
Standards Convergence
[Timeline figure, 2002 to 2004: SAML 1.0 to SAML 1.1, ID-FF 1.1 to ID-FF 1.2, and Shibboleth 1.x converge into SAML 2.0]
Peer-to-Peer Trust
• Self-issued credentials
• Usually bootstrapped through personal interaction
  • Joe sent me his PKC in an IM, and I know this is Joe because of our secret handshake
  • And I know that’s his screen-name because…
• Differentiate between quality of initial authentication and subsequent value
• Unauthenticated email sure is popular…
OpenID
• Codification of that community trust
• Using URLs
• A simple protocol
• Basic attributes
• Plug-ins for most web environments
• Many other approaches, some based on heavier technology
• Deployed in blogosphere and beyond
• No attempts to integrate with network security
  • But growing corporate interest and support
OpenID/SAML convergence
• There are protocols and there are tokens
  • WS-Trust
  • WS-Security
  • Cardspace
• Solutions address somewhat different needs
  • Room for co-existence
  • But interoperability would still be nice
• Some cooperation between the two communities in looking for convergence opportunities
Related Projects
• Higgins
  • A set of interfaces that try to abstract identity management
• Microsoft ADFS
  • Shibboleth interoperability
• XACML
  • Layered in SAML assertions
  • Its own protocol
Big Changes
• Federated Identity evolving from Web SSO to other applications
• Maturation of vendor products in the IdM space
  • Increasingly, Federated IdM packages support multiple protocols; sites make choices based on “value add”
• Growing interest in using Levels of Assurance (LoA)
• Growing interest in Inter-Federation
Federated Identity for Network Authentication
• Traveling individuals
• Attribute-based access control
• Privacy
• Accountability
Current Deployments
• Shibboleth-based wireless authentication at University of Texas
  • It’s a hack
  • Use Shibboleth to populate a database that the RADIUS server can draw on
  • Supports multiple access groups
  • Hugely popular with the university brass
• https://spaces.internet2.edu/display/SHIB/ShibbolizedWireless
Current Deployments
• eduroam
  • Global RADIUS infrastructure using 802.1X
  • Widespread adoption by European higher ed
  • Multiple countries in Asia & Oceania
  • U.S. under-represented
• http://www.eduroam.org/
Let’s look at the policies…
Revealing Challenges
• What security policies will be enacted on an eduroam visitor?
  • Japan wants to mandate that once access is granted via eduroam a VPN tunnel home be established for all further traffic
• What information do people need to know?
  • Which attributes are required?
  • Does anonymity matter?
SAML, RADIUS, DIAMETER
• RADIUS profile of SAML
  • http://tinyurl.com/24m9pm
• DAMe project
  • DIAMETER supporting SAML
• Slide theft
  • Diego Lopez of RedIRIS
InCommon
• U.S. higher education federation
• 50 participants and counting
• Oriented around access to web resources
  • EBSCO, ScienceDirect, JSTOR, Napster, Turnitin, etc.
• SAML-centric
Questions for You
• What could you do with federated identity?
• What information do you need to know before making your various decisions?
• Can InCommon address your collaboration or network authentication needs?
• How would you do inter-realm network security?