Source: people.ku.edu/~wes/federated_idm.pdf
TRANSCRIPT
CHECK 05/30/2013
Extending Services with Federated Identity Management
Wes Hubert, Information Technology Analyst

Overview
• General Concepts
• Higher Education Federations
  – eduroam
  – InCommon
• Federation Infrastructure
  – Trust Agreements
  – Processes

Common IdM Terms
• Identifier: A name that identifies a unique person, group, or object
• Authentication: Verification of an identity
• Authorization: Granting access to a specific resource
• Identity Management: Control of identifiers, authentication, authorization
• Federation: An organization whose members are organizations with some degree of internal autonomy

Actors
• User (principal, supplicant, client, etc.)
  – Initiates the request for a service
• Identity Provider (IdP)
  – Maintains a directory of vetted users
  – Authenticates user identity
• Service Provider (SP)
  – Authorizes (or denies) access
  – Based on information provided by IdP

Federated Identity Management
• Provides portability of identity information across organizations
• Manages trust between administratively separate IdP and SP
• Protects privacy of identity information

Examples
• Higher Education
  – eduroam
  – InCommon
• Public
  – OpenID
    • Yahoo!
    • Google
  – ...

eduroam
• education roaming
• Secure network access service (wi-fi)
• Research and education community
• Thousands of institutions worldwide
• http://www.youtube.com/watch?v=TVCmcMZS3uA

eduroam Sites (image slide)
eduroam London Sites (image slide)
eduroam US Sites (image slide)

KU wi-fi prior to eduroam
• JAYHAWK
  – Primary campus wi-fi
  – Requires KU Online ID authentication
• KUGUEST
  – Rate limited, restricted ports
• KU-Passport
  – Sponsored short-term access

eduroam
• Provides travelers secure network access at participating institutions without obtaining guest credentials
• Removes the need for institutions to provision wi-fi credentials for visitors

Connecting to eduroam (screenshot slides)
• Select SSID eduroam
• Log in with home credentials
• Start VPN (Optional)

eduroam
• More later on
  – How it works
  – Why it is secure

InCommon
• Internet2-based research and education identity management federation
• 347 Higher Education Participants
• 28 Government, Labs, Non-profits, etc.
• 139 Sponsored Partners
  (April 2013)

InCommon
• Provides privacy-preserving trust fabric
  – Higher education
  – Sponsored partners
• Identity management federation
• Certificate service
• Multifactor authentication service
• Assurance program

InCommon IdM Federation
• About 300 identity providers
• More than 6 million end users
• Sample services
  – EDUCAUSE federated login
  – Internet2 FileSender service

Federated Login: EDUCAUSE
• Alternative to EDUCAUSE-specific login
  – Eliminates need for remembering an EDUCAUSE-specific password
• www.educause.edu

EDUCAUSE Federated Login (screenshot slides)
• On http://www.educause.edu screen click Login >
• In Federated Login section click Log in Using InCommon
• Select home campus identity provider
• Home system presents the login page
• ... and you’re logged in to EDUCAUSE
• Can verify login page via https URL
• Can verify login page via https certificate

Internet2 FileSender Service
• Service for sharing large files
  – Initiated by federation member
  – Usable by anyone
• Operated by Internet2
• https://filesender.internet2.edu

FileSender Service (screenshot slides)
• Select home system for authentication
• Text Entered Limits Selection List
• Easy Reuse of Previous AuthN System
• Login On Home System
• Information About File to be Shared
• Email Notification of Shared File
• Generate A Guest Voucher

What’s behind the curtain?
• Enrollment of users with IdP
  – Vetting of user identities
  – Common attributes known to IdP/SP
• Secure connection between IdP/SP
  – Identity of communicating systems
  – Specification of attributes to send
  – Encrypted transfer of required attributes

Trust Points
• Two primary trust relationships
  – Between user and IdP
  – Between IdP and SP
• Both are bidirectional
• User ultimately depends on both
• Details specific to each federation

How Is Trust Established?
• User Trust for InCommon Authentication
  – Communicates with home system as IdP
• Based on trust established during ID setup
  – Authentication via familiar (home) login
  – Can verify site using https
    • URL address bar
    • Server certificate

How Is Trust Established?
• InCommon IdP/SP
  – Participant Operational Practices statement
  – X.509 Certificate in Metadata
  – XML Attribute Release Specifications
  – Optional Higher Levels of Assurance
    • Bronze
    • Silver

POP Statement
• Attribute assertions to other participants
• Made at organization’s executive level
• Issuing system assures appropriate risk management measures
• Information will be used only for purposes for which it is provided

POP Statement
• Federation Participant Information
• Identity Provider Information
• Service Provider Information
• Other Information

Participant Information
• Organization
• Links for
  – ID management practices
  – Privacy policy
• Contact information

Identity Provider Information
• Community
  – Who can get IDs
  – Who is identified as “Member”
• Credentials
  – Administrative processes
  – Technologies (UserID/password, PKI, etc.)

Identity Provider Information
• Electronic Identity Database
  – Sources, update procedures
  – What is considered public information?
• Own Use of Credential System
  – Attribute assertions
  – Privacy constraints

Service Provider Information
• What attributes are required to manage access decisions?
• Other use of attributes
• Controls on access and use of PII
• Controls on access management
• Actions taken in case of compromise

SAML
• Security Assertion Markup Language
  – XML-based
  – 3 roles
    • Principal (user)
    • Identity Provider (IdP)
    • Service Provider (SP)
• Securely passes limited information between federated systems

Shibboleth
• Federated IdM software
• Internet2 Middleware Initiative project
• SAML-based SSO
• Controlled attribute release
• Privacy preserving
• Started in 2000, first release July 2003
• Developed in parallel with InCommon

InCommon Metadata
• Submitted by site administrator
• Defines IdP and SP
  – Entity
  – X.509 certificate
  – User interface, error handling
  – SAML protocol endpoints
  – Contacts

EDUCAUSE Attribute Release
• eduPersonPrincipalName
• surname
• givenName
• email
• eduPersonAffiliation

EDUCAUSE Attribute Release
  <!-- Release personal attributes required by EDUCAUSE -->
  <afp:AttributeFilterPolicy id="releaseToEduCause">
    <afp:PolicyRequirementRule xsi:type="basic:AttributeRequesterString"
        value="https://www.educause.edu/shibboleth-sp" />
    <afp:AttributeRule attributeID="eduPersonPrincipalName">
      <afp:PermitValueRule xsi:type="basic:ANY" />
    </afp:AttributeRule>
    ... (other attribute specifications) ...
    <afp:AttributeRule attributeID="eduPersonAffiliation">
      <afp:PermitValueRule xsi:type="basic:ANY" />
    </afp:AttributeRule>
  </afp:AttributeFilterPolicy>

General Attribute Release
  <!-- Release eduPersonAffiliation (and Scoped form) to anyone -->
  <afp:AttributeFilterPolicy id="releaseEduPersonAffiliationToAnyone">
    <afp:PolicyRequirementRule xsi:type="basic:ANY" />
    <afp:AttributeRule attributeID="eduPersonAffiliation">
      <afp:PermitValueRule xsi:type="basic:ANY" />
    </afp:AttributeRule>
    <afp:AttributeRule attributeID="eduPersonScopedAffiliation">
      <afp:PermitValueRule xsi:type="basic:ANY" />
    </afp:AttributeRule>
  </afp:AttributeFilterPolicy>
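Added example, not code from the talk or from the Shibboleth project: a small evaluator for the two attribute filter policies above, showing that the EDUCAUSE SP receives the personal attributes while any other SP receives only the affiliation attributes. It models only the two rule types the slides use (basic:AttributeRequesterString and basic:ANY); the policy text is constructed from the slides, with the EDUCAUSE slide's attribute list written out where the slide shows "...".

```python
import xml.etree.ElementTree as ET

AFP = "urn:mace:shibboleth:2.0:afp"
BASIC = "urn:mace:shibboleth:2.0:afp:mt:basic"
XSI = "http://www.w3.org/2001/XMLSchema-instance"
XSI_TYPE = f"{{{XSI}}}type"  # ElementTree key for the xsi:type attribute

# Constructed policy group: the two policies from the slides, with the
# EDUCAUSE slide's attribute list written out where the slide shows "...".
RULE = ('    <afp:AttributeRule attributeID="%s">\n'
        '      <afp:PermitValueRule xsi:type="basic:ANY" />\n'
        '    </afp:AttributeRule>\n')
POLICY_XML = f"""<afp:AttributeFilterPolicyGroup xmlns:afp="{AFP}"
    xmlns:basic="{BASIC}" xmlns:xsi="{XSI}">
  <afp:AttributeFilterPolicy id="releaseToEduCause">
    <afp:PolicyRequirementRule xsi:type="basic:AttributeRequesterString"
        value="https://www.educause.edu/shibboleth-sp" />
""" + "".join(RULE % a for a in (
    "eduPersonPrincipalName", "surname", "givenName", "email",
    "eduPersonAffiliation")) + """  </afp:AttributeFilterPolicy>
  <afp:AttributeFilterPolicy id="releaseEduPersonAffiliationToAnyone">
    <afp:PolicyRequirementRule xsi:type="basic:ANY" />
""" + RULE % "eduPersonAffiliation" + RULE % "eduPersonScopedAffiliation" + """\
  </afp:AttributeFilterPolicy>
</afp:AttributeFilterPolicyGroup>"""


def released_attributes(policy_xml: str, requester: str) -> set:
    """Attribute IDs the IdP would release to the SP whose entityID is `requester`."""
    released = set()
    for policy in ET.fromstring(policy_xml).iter(f"{{{AFP}}}AttributeFilterPolicy"):
        rule = policy.find(f"{{{AFP}}}PolicyRequirementRule")
        kind = rule.get(XSI_TYPE)  # raw QName string, e.g. "basic:ANY"
        if kind == "basic:ANY":
            applies = True
        elif kind == "basic:AttributeRequesterString":
            applies = rule.get("value") == requester
        else:
            raise ValueError(f"unsupported PolicyRequirementRule type: {kind}")
        if not applies:
            continue  # policy is not for this SP: it contributes nothing
        for attr_rule in policy.findall(f"{{{AFP}}}AttributeRule"):
            permit = attr_rule.find(f"{{{AFP}}}PermitValueRule")
            if permit is not None and permit.get(XSI_TYPE) == "basic:ANY":
                released.add(attr_rule.get("attributeID"))
    return released
```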

InCommon Research & Scholarship Category
• Group shares common attribute release
• New SPs may be added
• No action required by IdP to access
• Currently (May 16, 2013)
  – 12 SPs
  – 51 IdPs
• FileSender is in this group

eduroam
• RADIUS
  – Remote Authentication Dial-In User Service
  – It’s rarely for dial-in anymore
  – Peers authenticate by IP & shared secret
• 802.1X
  – PEAP
    • Protected Extensible Authentication Protocol
    • Server-side public key certificate authenticates

How Is Trust Established?
• eduroam user
  – Pre-travel setup on home campus
• Establishes trusted connection to authentication server
  – PEAP/WPA2 authentication
  – Server name (e.g. adhome-lawc-04.home.ku.edu)
  – X.509 certificate signed by trusted CA

eduroam Wi-Fi Profile (image slide)

How Is Trust Established?
• eduroam IdP/SP
  – Vetting when joining the federation
  – RADIUS shared secret via encrypted email
  – X.509 Certificates
  – Specific IP numbers and ports
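Added example, not from the talk: what the RADIUS shared secret on this slide and on the RADIUS slide above actually buys the peers. A visited site's proxy forwards an Access-Request towards the user's home realm and keeps the random Request Authenticator; the home server's Access-Accept carries a Response Authenticator computed over the reply and the shared secret (RFC 2865 section 3), so a reply from a peer without the secret, or one answering a different request, is rejected. User name, realm and secret are constructed values.

```python
import hashlib
import hmac
import os
import struct

ACCESS_REQUEST, ACCESS_ACCEPT = 1, 2
USER_NAME = 1  # RADIUS attribute type for User-Name

def attribute(atype: int, value: bytes) -> bytes:
    """Encode one attribute as Type, Length, Value (RFC 2865 section 5)."""
    return struct.pack("!BB", atype, len(value) + 2) + value

def access_request(ident: int, user_name: str) -> bytes:
    """What the visited site's proxy forwards towards the user's home realm.
    The 16-byte Request Authenticator is random; the sender keeps it to check the reply."""
    attrs = attribute(USER_NAME, user_name.encode())
    return struct.pack("!BBH", ACCESS_REQUEST, ident, 20 + len(attrs)) + os.urandom(16) + attrs

def realm(request: bytes) -> str:
    """Realm after '@' in User-Name: the part eduroam proxies route on."""
    pos = 20
    while pos + 2 <= len(request):
        atype, alen = request[pos], request[pos + 1]
        if atype == USER_NAME:
            return request[pos + 2:pos + alen].decode().rpartition("@")[2]
        pos += max(alen, 2)  # a zero length would otherwise loop forever
    return ""

def response_authenticator(head: bytes, request_auth: bytes, attrs: bytes, secret: bytes) -> bytes:
    """RFC 2865 section 3: MD5(Code + ID + Length + RequestAuth + Attributes + Secret)."""
    return hashlib.md5(head + request_auth + attrs + secret).digest()

def access_accept(request: bytes, secret: bytes, attrs: bytes = b"") -> bytes:
    """Home server's reply; its authenticator binds it to the request and the shared secret."""
    head = struct.pack("!BBH", ACCESS_ACCEPT, request[1], 20 + len(attrs))
    return head + response_authenticator(head, request[4:20], attrs, secret) + attrs

def verify_response(request: bytes, response: bytes, secret: bytes) -> bool:
    """Proxy-side check: reply answers this request and was built with our shared secret."""
    if len(response) < 20 or response[1] != request[1]:
        return False  # wrong or stale identifier
    head, got, attrs = response[:4], response[4:20], response[20:]
    if struct.unpack("!H", head[2:])[0] != len(response):
        return False  # declared length does not match what arrived
    expected = response_authenticator(head, request[4:20], attrs, secret)
    return hmac.compare_digest(got, expected)
```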

Summary
• Federated identity management increases security and convenience
• It’s all about Trust
  – Trust between user and IdP
  – Trust between IdP and SP

Related Links
• https://eduroam.org
• http://www.incommon.org