Edugate Glenn Wearen HEAnet.

Post on 04-Jan-2016


Page 1: Edugate Glenn Wearen HEAnet.. Summary 1 year Pilot Project / 2 years in production All IoT’s, Universities, Colleges, but only half of HEAnet’s members

Edugate

Glenn Wearen

HEAnet.

Page 2

Summary

1 year Pilot Project / 2 years in production

All IoT’s, Universities, Colleges, but only half of HEAnet’s members

Core service at some institutions but light use at others

Page 3

Page 4

So, where to now?

1. Extended Attribute Schema
2. Higher Identity Assurance
3. Strong Authentication
4. Account Provisioning
5. Cross institutional groups
6. New Identity Protocols
7. Statistics
8. Bilateral Trusts
9. Expansion beyond HEAnet
10. SSO for non-web applications
11. Aggregated identities
12. Logout

Page 5

1. Extended Attribute Schema

Students
• Do you have photos?
• Can I tell if a user is part-time/full-time?
• What course is the student pursuing?

Staff
• Cost-center code (for eProcurement)
• ResearcherID AuthorID
• Availability calendar
• Telephone number

Page 6

2. Higher Identity Assurance

Would you use Edugate for eProcurement?
• On-campus (cross charging for campus services)
• Shared procurement portal (Shannon Consortium Procurement Network)
• External suppliers (vikingdirect.ie/officedepot.ie)

The Service Provider will seek assurances that the identity is of sufficient quality to underpin a cardless financial transaction

Page 7

3. Strong Authentication

Passwords are the root of all e-vil
• Easily shared
• Easily forgotten
• Frequently exposed
• No common password policy
• Password changes not enforced

Page 8

3. Strong Authentication

SSO helps to eliminate passwords
• Consolidating onto a single (or single+1) credential allows for strong authentication
• 2-factor authentication / strong password policy

SSO systems can protect sensitive resources
• re-authentication
• ‘step-up’ authentication

Page 9

4. Account Provisioning

On-campus, provisioning is a minor problem, but for cloud/hosted/outsourced services provisioning is a significant problem

Invitation systems require:
• email address of all potential users (one-time URL)
• approval workflows (open URL)

Page 10

4. Account Provisioning

Bulk provisioning
• Handling of bulk files a significant risk
• Out of sync almost immediately
• De-provisioning rarely handled
• Accounts created for users who might never login

Page 11

4. Account Provisioning

Just-in-Time provisioning

Standards emerging
• Simple Cloud Identity Management (SCIM)

But, Service Providers are familiar with:
• LDAP: enter username/password, authenticate, query for attributes
• OAuth: enter user ID, authenticate, get token, query for attributes
• API: enter a user identifier, query for attributes, forever
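The just-in-time model described on slides 9 to 11, as an added example that is not Edugate or HEAnet code: the SP creates or refreshes the local account from the asserted attributes on each login and flags idle accounts for de-provisioning, which is the step slide 10 says bulk file loads leave unhandled. The attribute names follow eduPerson; the 180-day grace period and the dict-based account store are assumptions.

```python
"""JIT provisioning driven by federation assertions (added example, not
Edugate/HEAnet code). Assumes the SP gets assertion attributes as a dict
keyed by friendly name and keeps a local account table: every login
upserts the account, and accounts idle past a grace period are flagged
for de-provisioning, the step bulk file loads leave unhandled."""
from dataclasses import dataclass
from datetime import datetime, timedelta

@dataclass
class Account:
    principal: str            # eduPersonPrincipalName asserted by the IdP
    affiliation: set          # eduPersonAffiliation values
    first_seen: datetime
    last_login: datetime
    active: bool = True

REQUIRED = ("eduPersonPrincipalName", "eduPersonAffiliation")

def provision_from_assertion(accounts, attrs, now):
    """Create or refresh the local account for the asserted user.
    Raises ValueError if a required attribute is missing, so an
    assertion without a stable identifier never creates an orphan."""
    missing = [a for a in REQUIRED if not attrs.get(a)]
    if missing:
        raise ValueError(f"assertion lacks {missing}")
    principal = attrs["eduPersonPrincipalName"]
    affil = set(attrs["eduPersonAffiliation"])
    acct = accounts.get(principal)
    if acct is None:
        acct = Account(principal, affil, now, now)
        accounts[principal] = acct
    else:
        acct.affiliation = affil   # attributes re-synced on every login
        acct.last_login = now
        acct.active = True         # a returning user is re-enabled
    return acct

def stale_accounts(accounts, now, grace=timedelta(days=180)):
    """Active accounts idle longer than the grace period: the
    de-provisioning candidates a bulk load never revisits."""
    return sorted(p for p, a in accounts.items()
                  if a.active and now - a.last_login > grace)

def deprovision(accounts, principals):
    """Disable rather than delete, so audit history survives."""
    for p in principals:
        accounts[p].active = False
    return len(principals)
```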

Page 12

5. Cross institutional groups

Cross institutional/federation groups (Virtual Organisations)
• The identity provider doesn’t know all the collaborations or projects that a user participates within.
• This makes authorisation difficult for Service Providers (e.g. Project Portal)

Page 13

5. Cross Institutional Groups

Establish an Edugate group repository:
• this can be queried by IdP’s during the preparation of attributes for an assertion
• this can be queried by SP’s provided the repository has a user identifier
• Self-asserted group membership
• Group membership approvals or invitations.
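The group repository sketched on slides 12 and 13, as an added example (not Edugate code): the repository distinguishes approved or invited memberships from self-asserted ones, the IdP consults it while preparing attributes for an assertion, and an SP can query it by the user identifier. The attribute name selfAssertedGroup and the group naming are assumptions; isMemberOf is the usual eduPerson-style attribute.

```python
"""Group repository resolution (added example, not Edugate code). The
repository records, per group, who was approved or invited and who only
self-asserted membership. The IdP-side resolver releases isMemberOf for
approved groups only; self-asserted ones go in a separate attribute
(selfAssertedGroup, an assumed name) so an SP can tell them apart."""
from collections import defaultdict

APPROVED, SELF_ASSERTED = "approved", "self"

class GroupRepository:
    def __init__(self):
        self._members = defaultdict(dict)   # group -> {principal: status}

    def invite(self, group, principal):
        """Invitation or approval by a group owner: trusted membership."""
        self._members[group][principal] = APPROVED

    def self_assert(self, group, principal):
        """User claims membership; never upgrades an existing status."""
        self._members[group].setdefault(principal, SELF_ASSERTED)

    def approve(self, group, principal):
        """Owner approves a pending self-assertion; no-op for non-members."""
        if principal in self._members[group]:
            self._members[group][principal] = APPROVED

    def memberships(self, principal):
        """SP-side query, keyed on the user identifier the repository holds."""
        return {g: m[principal] for g, m in self._members.items() if principal in m}

def resolve_group_attributes(repo, principal, institutional_attrs):
    """IdP-side: merge institutional attributes with repository groups
    while preparing the assertion."""
    attrs = dict(institutional_attrs)
    approved, claimed = [], []
    for group, status in sorted(repo.memberships(principal).items()):
        (approved if status == APPROVED else claimed).append(group)
    attrs["isMemberOf"] = approved
    attrs["selfAssertedGroup"] = claimed
    return attrs
```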

Page 14

6. New Identity Protocols

OpenID Connect
• Addresses weaknesses and shortcomings of OpenID

OAuth2
• Allows retrieval of user data when user is not present

WIF
• Predominant identity protocol for Microsoft services

Page 15

6. New Identity Protocols

Should Edugate add new protocols?
• Cost?
• Benefit?

Page 16

7. Statistics and Monitoring

Are my users able to access service X?

Why are my users accessing service Y?

How come I’ve no users from institution A?

Why are we so popular with institution B?

What is the most widely used Edugate service?

What is the least used service?

Is Edugate being used? Or being used more?

Page 17

7. Statistics and Monitoring

Is IdP X up?

Are there high rates of attrition?

Are [staff|students] able to authenticate?
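The monitoring questions on slides 16 and 17, answered over constructed audit lines as an added example (not Edugate tooling): the one-line-per-SSO-attempt format, the entityIDs and the figures are all made up for this example. It reports service usage per SP, whether an IdP is producing any successful logins, and the failure rate per IdP and affiliation.

```python
"""Federation health from SSO audit lines (added example, not Edugate
tooling). The log format is constructed for this example: one line per
SSO attempt with timestamp, IdP entityID, SP entityID, result and
affiliation. It answers the slides' questions: which SPs are used,
whether an IdP is producing logins at all, and whether staff or
students at an IdP are failing to authenticate."""
from collections import Counter, defaultdict

LOG = """\
2016-01-04T09:00:01Z idp=https://idp.uni-a.ie sp=https://lms.example.ie result=success affil=student
2016-01-04T09:00:05Z idp=https://idp.uni-a.ie sp=https://lms.example.ie result=success affil=staff
2016-01-04T09:01:10Z idp=https://idp.uni-b.ie sp=https://lms.example.ie result=fail affil=student
2016-01-04T09:01:20Z idp=https://idp.uni-b.ie sp=https://procure.example.ie result=fail affil=student
2016-01-04T09:02:00Z idp=https://idp.uni-b.ie sp=https://lms.example.ie result=fail affil=staff
2016-01-04T09:03:00Z idp=https://idp.uni-a.ie sp=https://procure.example.ie result=success affil=staff
"""

def parse(log):
    """Split the 'k=v' tokens after the timestamp into a dict per line."""
    rows = []
    for line in log.splitlines():
        ts, *kv = line.split()
        rec = dict(item.split("=", 1) for item in kv)
        rec["ts"] = ts
        rows.append(rec)
    return rows

def service_usage(rows):
    """Most and least used SPs: successful logins per SP."""
    return Counter(r["sp"] for r in rows if r["result"] == "success")

def idp_status(rows):
    """An IdP with attempts but no successes looks down or misconfigured."""
    attempts, ok = Counter(), Counter()
    for r in rows:
        attempts[r["idp"]] += 1
        ok[r["idp"]] += r["result"] == "success"
    return {i: ("up" if ok[i] else "no successful logins") for i in attempts}

def failure_rate_by_affiliation(rows):
    """Per (IdP, affiliation): share of attempts that failed."""
    tot, bad = defaultdict(int), defaultdict(int)
    for r in rows:
        key = (r["idp"], r["affil"])
        tot[key] += 1
        bad[key] += r["result"] == "fail"
    return {k: bad[k] / tot[k] for k in tot}
```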

Page 18

8. Proliferation of bilateral trusts

There are 29 bilateral trusts in Edugate; why don’t these services join Edugate?
• Maybe not required (single institution)
• Tender awarded, Edugate not in the tender
• SP not a legal entity

Google Apps, Millennium, Blackboard Learn.

Page 19

9. Expansion beyond HEAnet?

More identity providers will mean more service providers
• Private Colleges
• Health Services Sector (HSE/Hospitals/CPD)
• Industry Research Centers (Intel Labs / SFI participants)
• 2nd Level schools

Page 20

10. SSO for non-web

SAML works well within the browser, but outside the browser it requires client support
• Native client support: Outlook claims-based authentication
• Or, with Moonshot: common library support (GSS/SASL/SSPI)

Page 21

11. Aggregated identities

Institution holds validated identity data and enrollment status. This can be aggregated or augmented with self-asserted data from other sources:
• Social ID’s (Profile Pictures, friends, interests)
• Group membership repository

Page 22

11. Aggregated identities

Facebook/Twitter/Google hold self-asserted identity data. This can be aggregated or augmented with verified user data from other sources

:-p

Page 23

12. Logout

Clicking on ‘Logout’: what should happen?
• Logout of the application, but IdP session persists (Local Logout)
• Logout of the application, redirect to IdP session killer page (partial logout)
• Logout of the application, redirect to IdP session killer page, trigger logout of all services (global logout)

Page 24

12. Logout

Or should the SP force re-authentication at the IdP after the logout button has been used (if the IdP supports it)?
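The two SSO controls this deck raises, re-authentication and ‘step-up’ on slide 8 and forcing a fresh login at the IdP after Logout on slide 24, map onto two fields of a SAML 2.0 AuthnRequest. As an added example (not Edugate code), this builds such a request and shows the IdP-side decision that honours it; the MFA context class URN, the fixed request ID and the unsigned request are assumptions of the example.

```python
"""Re-authentication and step-up via a SAML 2.0 AuthnRequest (added
example, not Edugate code). Builds the request an SP sends after its
Logout button (ForceAuthn="true": the IdP must not reuse its SSO
session) or for step-up (RequestedAuthnContext naming a stronger
class), plus the IdP-side decision that honours both. The MFA class
URN and the request ID are assumptions of this example."""
import xml.etree.ElementTree as ET
from datetime import datetime, timezone

NS_P = "urn:oasis:names:tc:SAML:2.0:protocol"
NS_A = "urn:oasis:names:tc:SAML:2.0:assertion"
PASSWORD = "urn:oasis:names:tc:SAML:2.0:ac:classes:PasswordProtectedTransport"
MFA = "urn:example:ac:classes:mfa"          # assumed IdP-local step-up class
RANK = {PASSWORD: 1, MFA: 2}                # strength order for Comparison="minimum"

def build_authn_request(issuer, acs_url, force_authn=False, authn_context=None):
    """SP side: serialise the AuthnRequest (unsigned, for brevity)."""
    ET.register_namespace("samlp", NS_P)
    ET.register_namespace("saml", NS_A)
    req = ET.Element(f"{{{NS_P}}}AuthnRequest", {
        "ID": "_req1", "Version": "2.0",          # real code uses a random ID
        "IssueInstant": datetime.now(timezone.utc).isoformat(),
        "AssertionConsumerServiceURL": acs_url,
        "ForceAuthn": "true" if force_authn else "false"})
    ET.SubElement(req, f"{{{NS_A}}}Issuer").text = issuer
    if authn_context:
        rac = ET.SubElement(req, f"{{{NS_P}}}RequestedAuthnContext",
                            {"Comparison": "minimum"})
        ET.SubElement(rac, f"{{{NS_A}}}AuthnContextClassRef").text = authn_context
    return ET.tostring(req, encoding="unicode")

def idp_must_reauthenticate(request_xml, session):
    """IdP side. session is {"authn_context": str} for a live SSO session
    or None. Returns (needs_fresh_login, context_class_to_satisfy)."""
    req = ET.fromstring(request_xml)
    ref = req.find(f"{{{NS_P}}}RequestedAuthnContext/{{{NS_A}}}AuthnContextClassRef")
    wanted = ref.text if ref is not None else PASSWORD
    if req.get("ForceAuthn") == "true" or session is None:
        return True, wanted     # fresh login regardless of session state
    if RANK[session["authn_context"]] < RANK[wanted]:
        return True, wanted     # step-up: existing session is too weak
    return False, wanted        # plain SSO: reuse the session
```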

Page 25

So, where to now?

1. Extended Attribute Schema
2. Higher Identity Assurance
3. Strong Authentication
4. Account Provisioning
5. Cross institutional groups
6. New Identity Protocols
7. Statistics
8. Bilateral Trusts
9. Expansion beyond HEAnet
10. SSO for non-web applications
11. Aggregated identities
12. Logout