1 / 38

Topics

To Authentication and Beyond An update on C&C’s authentication-related middleware services UW Computing Support Staff Meeting December 16, 2004 http://www.washington.edu/computing/infra/. Topics. Authentication in Context within identity management toward our communities of service

duc
Download Presentation

Topics

An Image/Link below is provided (as is) to download presentation Download Policy: Content on the Website is provided to you AS IS for your information and personal use and may not be sold / licensed / shared on other websites without getting consent from its author. Content is provided to you AS IS for your information and personal use only. Download presentation by click this link. While downloading, if for some reason you are not able to download a presentation, the publisher may have deleted the file from their server. During download, if you can't get a presentation, the file might be deleted by the publisher.

E N D

Presentation Transcript

  1. To Authentication and BeyondAn update on C&C’s authentication-related middleware servicesUW Computing Support Staff MeetingDecember 16, 2004http://www.washington.edu/computing/infra/

  2. Topics • Authentication in Context • within identity management • toward our communities of service • Authentication Infrastructure Services • UW NetID, Kerberos, SecurID (for people) • UW Services CA (for servers and services) • Pubcookie • Shibboleth • Authorization Infrastructure Services • UW Groups • ASTRA

  3. Identity Management? • “Identity management is the set of business processes, and a supporting infrastructure, for the creation, maintenance, and use of digital identities.” - The Burton Group (market research firm specializing in enterprise IT infrastructure) • How does this compare with, and fit into, our conception of C&C’s (middleware) infrastructure services?

  4. Basic functions of IdM Original source: Keith Hazelton, Univ of Wisconsin

  5. IdM functions & big picture (AuthN) Mng Grps Credential Log Reflect AuthZ Deliver Join Mng Priv Provision Source: Keith Hazelton, Univ of Wisconsin; Tom Barton, Univ of Chicago

  6. Many communities to serve • Central Services • C&C maintained, administrative services • Local Community, that’s you! • enabling departmental services • Federated Communities • external partnerships, virtual organizations • some 3rd-party hosted applications • this is you too! • C&C’s infrastructure services need to serve the unique requirements of each community.

  7. Another view… Image source: Keith Hazelton, Univ of Wisconsin

  8. Definitions • Basic: • Authentication says who you are. • Authorization says what you can do. • Something geekier: • Authentication is the establishment of a security context based on evaluation of evidence. • Authorization is configuration and operation of systems so actions in support of organizational goals are permitted and other actions are prohibited.

  9. UW NetIDs • Primary digital credential for online services at the UW • About 225,000 active UW NetIDs • 3-8 characters in length • They’re a service to users • single id, single password, maybe even some single sign-on • Get in the game! • namespace first, authentication if you can

  10. UW NetID passwords • Uniform policy for all passwords • 8 characters or longer • Must pass strength test • Regular changing recommended • Not externally provisioned

  11. UW NetID types • Personal • belongs to a single person for life • Shared/supplemental • group id; actions not easily audited • Reserved • system account • Tremporary • use by one person, temporarily • Other • kerberos host principals, @u mailing list names

  12. UW NetID populations • All employees in UW payroll • including HMC, HHMI, affiliate faculty, UWRP retirees • All UW students • including matriculated, non-matriculated, UW extension, UWT and UWB; and applicants too • Some Clinicians • e.g., UW Medical Center, from Cancer Care Alliance, Children’s hospital, UW Physicians network

  13. UW NetID populations… • C&C Information additions • including sponsored and supplemental ids, temporary ids (guest wireless) • UW Alumni ID holders • e.g., graduates in the alumni db, UW donors • and others too, e.g. • some Digital Learning Commons users • Cascadia Community College students and employees (very soon)

  14. Kerberos infrastructure • UW’s Enterprise Authentication Service • Fundamental credential store • MIT Kerberos V (version 1.3.5) • Do departments need service principals and host keys for departmental systems? • If so, we haven’t seen the demand • If so, we can create a storefront, similar to the UW CA and Weblogin registration services, based on UW DNS ownership info

  15. SecurID infrastructure • High-assurance authentication service based on SecurID technology • Provides “two-factor” authentication • something you know + something you have • Use is primarily administrative systems • About 5,600 SecurIDs in use • About $60 per device • Use is not likely to expand much

  16. UW Services CA • Issues digital certificates for • Traditional web server uses • Systems and services using SSL/TLS • 767 certificates in use • What best practices are emerging in departments to trust the UW CA? • Support calls? Very few (our perception, yours too?)

  17. UW CA growth

  18. Pubcookie/Weblogin • Purpose • Normalize web-based user authentication • Deliver UW NetID authentication info to apps • Participation • Registration based on UW DNS ownership • Requires trusted SSL server certificate • Over 790 participating servers

  19. Pubcookie 3.2.0 • New functionality • POST-based cross-dns-domain messaging • Custom login messages • Keyserver supports wildcard certs • Keyserver supports Subject Alt Names • Release info • Beta 1 release available now (Apache only) • Beta 2 release available tomorrow(ish) • Will be the recommended version for UW!

  20. Custom login messages Example: ESS login

  21. Shibboleth • Purpose • An architecture, project, and software components for standards-based federated authentication and attribute exchange. • Like Pubcookie on steroids (mostly SAML standard) • User support profile • Should be similar to Pubcookie… • Except now there are Attribute Release Policies (ARPs) involved

  22. Shibboleth… • UW is a Shibboleth “Identity Provider” (IdP) • Running Shibboleth IdP 1.2 • Production service status with first real Service Provider (CreateHope.com, e-academy.com) • User authentication by Pubcookie/weblogin • User attributes from UW EDS Person directory • Participating in InCommon (R&E) federation; “authenticate locally, act federally” • UW NetID credential services undergoing USG E-Authentication Program credential assessment

  23. What can our Shib IdP deliver? • Answer: in general, user attributes of broad cross-community interest: • eduPersonPrincipalName (based on UW NetID) • eduPersonAffiliation (faculty, student, staff, alum, member, affiliate, employee) • eduPersonEntitlement • eduPersonTargetedID • uwPersonAffiliation • uwEmployeeID • Qualifier: but only if an Attribute Release Policy allows release to a given service provider.

  24. Authority management • Why externalize authorization? • To save development time and cost • ASTRA is built and ready for use • UW Groups are coming • To distribute management of authorization • If you want to hand it off to others, you can • Put business people in charge of managing authority • To leverage well designed and maintained solutions • To use standard UIs for managing authorization data • To increase visibility of access control policy • To improve policy adherence and auditing

  25. UW Groups • UW EDS Groups directory under development • Institutional • Departmental • Adhoc • Pairing with new UW Authorization module (for Apache, known as mod_uwa) • Infrastructure alone, not enough… • Need to study institutional triggers and indicators for departmental-level group creation

  26. ASTRA Mission ASTRA provides Web-based management of authority for UW administrative applications. ASTRA removes systems administrators and operations teams from the business of implementing authorization requests. Instead, using ASTRA, the appropriate decision makers within the University community can easily distribute authority to the appropriate people.

  27. ASTRA authority elements example

  28. ASTRA authority elements example… ASTRA UI: initial Authorizor view

  29. ASTRA authority elements example… ASTRA UI: defining new authorization

  30. ASTRA authority elements example… ASTRA UI: adding new authorization

  31. ASTRA authority elements example… ASTRA UI: new authorization added

  32. ASTRA authority elements example… <?xml version="1.0" encoding="utf-16"?> <authz xmlns:xsd="http://www.w3.org/2001/XMLSchema" xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance"> <authCollection> <auth> <party uwNetid="dors" regid="23DA66146A7D11D5A4AE0004AC494FFE" /> <environment code="eval" /> <privilege code="FINDesktop" /> <role code="Designee" codeDescription="Designee" /> <action code="Inquiry" /> <spanOfControlCollection> <spanOfControl type="DesigneeBgtCd" code="012345” codeDescription="" /> </spanOfControlCollection> </auth> </authCollection> </authz> ASTRA API: attributes received in XML view

  33. ASTRA: Clients in Production • SAGE • Ariba System Administration • E-Procurement • Online Work Leave System • Affirmative Action • Department Tools for Time Schedule • FS-Works • Employee Self-Service

  34. ASTRA: Clients in Development • Financial Desktop • Space Inventory Management System • Online Accident Reporting System • Year End Tax Form • VEBA • PUC Maintenance Application • Vendor Payment System

  35. ASTRA: Clients in Discussion • MyGradProgram • Online Payroll Update System • UW Project Tracker • Cognos Tools (Data Warehouse) • Keynes Applications (PAS, FIN, etc.)

  36. ASTRA: Usage Since Launch

  37. To Authentication and Beyond… How far out do C&C’s various infrastructure services reach? Kerberos Pubcookie Shibboleth UW Groups ASTRA Answer: the necessary roadmaps are being defined now. Image source: Keith Hazelton, Univ of Wisconsin

More Related