Real World Identity Management


Published on July 29, 2009

Author: johnalewis



Today's IT industry is awash with offerings in the identity management space. In this session the presenter will explore real, tactical things we can do now to start solving the identity management issues in our enterprises and take a look at current efforts in the higher education community. We will consider technologies, key standards, as well as the policy and procedure issues we must address, regardless of technology, to achieve proper governance over our enterprise identities.

Real-World Identity Management Solutions
John A. Lewis, Chief Software Architect, Unicon, Inc.
28 July 2009, Campus Technology, Boston, Massachusetts
© Copyright Unicon, Inc., 2009. Some rights reserved. This work is licensed under a Creative Commons Attribution-Noncommercial-Share Alike 3.0 United States License. To view a copy of this license, visit:

Why Is Identity Important?
● Connects
  – Users
  – Applications
● Lots of other things
  – security, privacy, spam,
  – secrecy, trust, authority,
  – collaboration, convenience,
  – ...

What Is Identity Management?
“A set of processes, and a supporting infrastructure, for the creation, maintenance, and use of digital identities.” – Burton Group
● Account creation, directories, authentication, authorization, access controls, ...
● Includes policy, process, governance, trust
● Need new ways of thinking about controlling access to IT services

Identity Management Lifecycle
● Provisioning
  – Initial account creation
  – When to establish a persistent identity?
● Account updates
  – Self-service? For which attributes?
  – Central administrative changes
● Role maintenance
  – Adding, changing, removing roles
● Suspending / Removing / Restoring
  – When to do this? How long to retain it?


EDUCAUSE Top 10 IT Issues
● 2003 #3 Security & Identity Management
● 2004 #3 Security & Identity Management
● 2005 #2 Security & Identity Management
● 2006 #1 Security & Identity Management
● 2007 #4 Identity / Access Management (Security at #2)
● 2008 #5 Identity / Access Management (Security at #1)

Challenge & Goal
● Challenge: Fragmented Identity Landscape
  – Many systems of record
  – Many applications
  – Many passwords
  – Many overlapping roles
● Goal: Ease-Of-Use for Students/Faculty/Staff
  – Enable seamless access to resources
  – Enforce security and privacy
  – Create a sense of a unified Enterprise

Evolution of User Identity
● Application Silos
  – Each with their own logins and passwords
● Common Directories / Databases
  – Central store for person information
● Single Sign-On
  – Central login system for multiple applications
● Federated Identity
  – Trusted identity information from others

Emerging Best Practices
● Automate provisioning across systems
● Separate authentication and authorization
● Use roles for access control & dynamic rules
● Provide delegated administration
● Multiple authoritative sources for attributes
● Allow account names to change

Federated Identities

Developing a Coherent Cyberinfrastructure from Local Campus to National Facilities: Challenges and Strategies
A Workshop Report and Recommendations
EDUCAUSE Campus Cyberinfrastructure Working Group and Coalition for Academic Scientific Computation, February 2009
Short Link:

Strategic Recommendation 2.3.1
“Agencies, campuses, and national and state organizations should adopt a single, open, standards-based system for identity management, authentication, and authorization, thus improving the usability and interoperability of CI resources throughout the nation.”

Tactical Recommendation 2.3.1a
“The global federated system for identity management, authentication, and authorization that is supported by the InCommon Federation should be adopted with an initial focus on major research universities and colleges. After an initial deployment in research-oriented functions involving research universities, such an identity management strategy for CI should be implemented generally within funding agencies and other educational institutions.”

Why Federated Identity?
● Authoritative information
  – Users, privileges, attributes
● Improved security
  – Fewer user accounts in the world
● Privacy when needed
  – Fine control over attribute sharing
● Saves time & money
  – Less work administrating users

What Is SAML?
● Security Assertion Markup Language (SAML)
● XML-based open standard
● Exchange authentication and authorization data between security domains
  – Identity Provider (a producer of assertions)
  – Service Provider (a consumer of assertions)
● Approved by OASIS Security Services
  – SAML 1.0 November 2002
  – SAML 2.0 March 2005

Major SAML Applications
● Proquest
● Microsoft DreamSpark
● Project MUSE
● Moodle, Joomla, Drupal
● Thomson Gale
● JSTOR, ArtSTOR, OCLC
● Elsevier ScienceDirect
● Blackboard & WebCT
● Google Apps
● WebAssign & TurnItIn
● ExLibris MetaLib
● MediaWiki / Confluence
● Sakai & Moodle
● National Institutes of Health
● uPortal
● National Science Digital Library
● DSpace, Fedora
● Ovid

How Federated Identity Works
● A user tries to access a protected application
● The user tells the application where it’s from
● The user logs in at home
● Home tells the application about the user
● The user is rejected or accepted

[Diagram: message sequence between the User, the Identity Provider (with its login service) and the Service Provider (application / directory database)]
1. I'd like access (User to SP)
2. Where are you from? (SP to User)
3. Please login at home (SP to User)
4. I'd like to login for SP (User to IdP)
5. Login (User at the IdP login service)
6. Here is data about you for the SP – send it (IdP to User)
7. Here is the data from my IdP (User to SP)
8. Access Granted / Access Denied (SP to User)
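The SAML slide and the sequence above describe the IdP as a producer of assertions and the SP as a consumer. The example below, added here and not part of the original slides or of Shibboleth, shows both halves in plain Python: the IdP builds a SAML 2.0 Assertion element (step 6) and the SP applies the checks that an assertion consumer must make on top of signature verification (steps 7 and 8): the issuer is an IdP known from federation metadata, the assertion is addressed to this SP, it is inside its validity window, and its ID has not been seen before. XML-DSig verification is deliberately left to the SAML library (Shibboleth SP or OpenSAML) and is not reimplemented here. The entity IDs, the user and the eduPerson attribute values are constructed for the example.

```python
"""Added example: an IdP issues a SAML 2.0 Assertion and an SP consumes it.

Illustrative code written for this page, not Shibboleth or OpenSAML code.
XML-DSig signature verification is left to the SAML library; the SP-side
checks below are the ones that sit on top of a verified signature.
"""
import uuid
import xml.etree.ElementTree as ET
from datetime import datetime, timedelta, timezone

SAML_NS = "urn:oasis:names:tc:SAML:2.0:assertion"   # SAML 2.0 assertion namespace
ET.register_namespace("saml", SAML_NS)
CLOCK_SKEW = timedelta(seconds=180)                  # tolerated IdP/SP clock drift


def _saml(tag):
    return f"{{{SAML_NS}}}{tag}"


def _fmt(dt):
    return dt.strftime("%Y-%m-%dT%H:%M:%SZ")


def _parse(ts):
    return datetime.strptime(ts, "%Y-%m-%dT%H:%M:%SZ").replace(tzinfo=timezone.utc)


def issue_assertion(idp_entity_id, sp_entity_id, name_id, attributes, now,
                    lifetime=timedelta(minutes=5)):
    """IdP side (step 6): build an assertion scoped to one SP and one time window."""
    root = ET.Element(_saml("Assertion"), {"Version": "2.0", "ID": "_" + uuid.uuid4().hex,
                                          "IssueInstant": _fmt(now)})
    ET.SubElement(root, _saml("Issuer")).text = idp_entity_id
    subject = ET.SubElement(root, _saml("Subject"))
    ET.SubElement(subject, _saml("NameID")).text = name_id
    cond = ET.SubElement(root, _saml("Conditions"),
                         {"NotBefore": _fmt(now), "NotOnOrAfter": _fmt(now + lifetime)})
    restriction = ET.SubElement(cond, _saml("AudienceRestriction"))
    ET.SubElement(restriction, _saml("Audience")).text = sp_entity_id
    stmt = ET.SubElement(root, _saml("AttributeStatement"))
    for name, values in attributes.items():
        attr = ET.SubElement(stmt, _saml("Attribute"), {"Name": name})
        for value in values:
            ET.SubElement(attr, _saml("AttributeValue")).text = value
    return ET.tostring(root, encoding="unicode")


class AssertionRejected(Exception):
    pass


class ServiceProvider:
    """SP side (steps 7 and 8): consume an assertion and decide access."""

    def __init__(self, entity_id, trusted_idps):
        self.entity_id = entity_id
        self.trusted_idps = set(trusted_idps)   # IdP entity IDs from federation metadata
        self.seen_ids = set()                    # replay cache; persistent in a real deployment

    def consume(self, xml_text, now):
        root = ET.fromstring(xml_text)
        if root.tag != _saml("Assertion") or root.get("Version") != "2.0":
            raise AssertionRejected("not a SAML 2.0 Assertion")
        issuer = root.findtext(_saml("Issuer"))
        if issuer not in self.trusted_idps:
            raise AssertionRejected(f"untrusted issuer {issuer!r}")
        cond = root.find(_saml("Conditions"))
        if cond is None or not cond.get("NotBefore") or not cond.get("NotOnOrAfter"):
            raise AssertionRejected("missing Conditions or validity window")
        not_before = _parse(cond.get("NotBefore")) - CLOCK_SKEW
        not_on_or_after = _parse(cond.get("NotOnOrAfter")) + CLOCK_SKEW
        if not (not_before <= now < not_on_or_after):
            raise AssertionRejected("assertion outside its validity window")
        if self.entity_id not in [a.text for a in cond.iter(_saml("Audience"))]:
            raise AssertionRejected("assertion not addressed to this SP")
        assertion_id = root.get("ID")
        if not assertion_id or assertion_id in self.seen_ids:
            raise AssertionRejected("missing or replayed assertion ID")
        self.seen_ids.add(assertion_id)
        attrs = {a.get("Name"): [v.text for v in a.findall(_saml("AttributeValue"))]
                 for a in root.iter(_saml("Attribute"))}
        name_id = root.findtext(_saml("Subject") + "/" + _saml("NameID"))
        return {"issuer": issuer, "name_id": name_id, "attributes": attrs}


# Hypothetical entity IDs, user and attribute values, constructed for this example.
IDP = "https://idp.example.edu/idp/shibboleth"
SP = "https://app.example.org/shibboleth"
EXAMPLE_NOW = datetime(2009, 7, 28, 12, 0, tzinfo=timezone.utc)


def demo():
    """Run the happy path and four failure modes; returns the outcome of each case."""
    sp = ServiceProvider(SP, trusted_idps=[IDP])
    attrs = {"eduPersonAffiliation": ["student"], "eduPersonPrincipalName": ["jdoe@example.edu"]}
    good = issue_assertion(IDP, SP, "jdoe@example.edu", attrs, EXAMPLE_NOW)
    results = {"granted": sp.consume(good, EXAMPLE_NOW)}
    cases = {
        "replay": (good, EXAMPLE_NOW),                       # same assertion presented twice
        "expired": (issue_assertion(IDP, SP, "jdoe@example.edu", attrs, EXAMPLE_NOW),
                    EXAMPLE_NOW + timedelta(minutes=10)),    # past lifetime plus skew
        "wrong_audience": (issue_assertion(IDP, "https://other.example.org/shibboleth",
                                           "jdoe@example.edu", attrs, EXAMPLE_NOW), EXAMPLE_NOW),
        "untrusted_issuer": (issue_assertion("https://rogue.example.net/idp", SP,
                                             "jdoe@example.edu", attrs, EXAMPLE_NOW), EXAMPLE_NOW),
    }
    for case, (xml_text, when) in cases.items():
        try:
            sp.consume(xml_text, when)
            results[case] = "granted"
        except AssertionRejected as exc:
            results[case] = f"denied: {exc}"
    return results


if __name__ == "__main__":
    for case, outcome in demo().items():
        print(case, "->", outcome)
```

The audience check is the one most often skipped in hand-rolled consumers: without it an assertion issued for one SP in the federation can be replayed to another, which is exactly the cross-application trust the slides describe the federation as granting only through the IdP's attribute release policy.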

JISC Video on Federated Identity
● Great YouTube video that introduces Federated Identity & Access Management concepts
Short Link:

Shibboleth

Shibboleth
● Enterprise federated identity software
  – Based on standards (principally SAML)
  – Extensive architectural work to integrate with existing systems
  – Designed for deployment by communities
● Most widely used in education, government
● Broadly adopted in Europe
● 2.0 release implements SAML 2
  – Backward compatible with 1.3

Shibboleth Project
● Free & Open Source
  – Apache 2.0 license
● Enterprise and Federation oriented
● Started 2000 with first released code in 2003
● Excellent community support

Join the Federation!


Role of a Federation
● Agreed-upon attribute definitions
  – Group, Role, Unique Identifier, Courses, …
● Criteria for IdM & IdP practices
  – user accounts, credentialing, personal information stewardship, interoperability standards, technologies, ...
● Digital certificates
● Trusted “notary” for all members
● Not needed for federated IdM, but does make things even easier

InCommon Federation
● Federation for U.S. Higher Education & Research (and Partners)
● Over three million users
● 163 organizations
● Self-organizing & heterogeneous
● Policy entrance bar intentionally set low
● Doesn’t impose lots of rules and standards

Other Emerging Projects / Standards
● Grouper
  – Access management via sophisticated group structures and protocols
● Comanage
  – Collaborative Organization Management Platform with a wide variety of “domesticated” applications
● XACML - eXtensible Access Control Markup Language
  – Declarative access control policy language and a processing model for interpreting the policies
● SPML - Service Provisioning Markup Language
  – Framework for exchanging user, resource, and service provisioning information between organizations

Questions & Answers
John A. Lewis, Chief Software Architect, Unicon, Inc.
