Leveraging Your Existing Campus Systems to Access Resource Partners: Federated Identity Management and Tales of Campus Participation Clair Goldsmith, Ph.D. The University of Texas System Administration & Barry Ribbeck Rice University
Identity Management Federations / Access Management Federations • Definition: A collaboration of independent entities that give up a certain degree of autonomy in pursuit of a common set of goals, thereby creating a federation. • Federations enable scalable, trustworthy, secure online partnerships. • Federations set common policies and technical interoperability criteria, and provide central services to establish and maintain trust. • Participants use their existing identity management infrastructure for inter-institutional collaborations.
The Purpose for Federated Access within Higher Education “To meet the increasing campus demand for using external applications and online resources, we developed and implemented solutions that efficiently use our existing information infrastructures securely and safely in such a way that we maintain control over the release of personal information for people at Penn State. InCommon is a vitally important part of this infrastructure and helps put us in a position to provide a richer, easier to use, safer online experience for Penn State students, faculty, and staff.” - Kevin Morooney
The Partnership Challenge • Just like faculty and staff members, institutions have partners. • Many of these partnerships revolve around sharing/using online resources. • How many relationships do you manage? • How much time is spent on the differing requirements for each partner? • How much risk do these relationships bring to your network?
The Partnership Challenge Higher education’s missions are realized in increasingly collaborative relationships globally • Higher education’s digital collections, data, and resources • Commercial service and resource partners • InCommon economizes the time and resources that otherwise would be spent on the differing “one off” requirements for each individual partner • InCommon maximizes security and privacy of personally identifiable/sensitive information • Users are not burdened by load times of log-in credentials
The Partnership Solution • Wouldn't it be great if you were able to deal with each partner in the same way; saving time and reducing risk, all at once? • This is what federations are created to do
Federated Access in 30 seconds (flow between the Home Institution and an Online Resource) 1. Single Sign-On: log in to the existing home system. 2. Federation-based trust exchange to establish and verify partners and locations: metadata, certificates, common attributes and their meaning, federation registration authority, Shibboleth, pinch of magic. 3. Privacy-preserving exchange of attributes: anonymous ID, Staff, Student, … 4. If the attributes are acceptable, access is granted!
Why is Governance Needed? • Oversight and Conflict Resolution • Establish and manage trust agreements • Determine direction and formulate policy • Ensure services meet business needs while maintaining the appropriate security and compliance with legal requirements • Establish and communicate scalable operational standards and processes
What is the Alternative? • Collection of one-to-one agreements • Conflicting agendas and no common goal • No technology standards. One-off implementations for every application. Inconsistency in operating practices. • No assurance of appropriate security and compliance with legal requirements
Federation Governance Models: Homogeneous Institutions • Operating standards and practices may vary from institution to institution, but… • Governance policies should be relatively consistent, and… • Legal requirements should be similar if not the same. Considerations: • Governance may be more tightly structured • Governance through Executive Committees or Governing Boards • Key executives make decisions
Federation Governance Models (cont.): Diverse Institutions • Operating standards and practices vary from institution to institution, and… • Governance policies are not consistent, and… • No formal authority to force a decision, and… • Legal requirements may not be similar at all. Considerations: • Governance may be more loosely organized • Reliance on advisory groups to formulate recommendations • Guidance through Steering Committees • Collegiality as opposed to strong governance
Governance Models in Shibboleth Federations • The most common examples, plotted on the slide along an axis from Diverse to Homogeneous, are: TestShib, InCommon, UT System, U.S. EAF
Where Does The University of Texas System Fit? • 16 Institutions: 9 General Academic institutions, 6 Health institutions, 1 System Administration. Homogeneous: share a common mission; same governance body and consistent governance policies; same legal requirements. And also Diverse: significant differences in size and budgets; significant differences in culture; institutions enjoy considerable autonomy (16 “stovepipes”).
Where Does InCommon Fit? • 45 Participants: 31 General Academic institutions, 13 Online Service Partners, 1 Independent Identity Management Partner. Homogeneous: share a broad common mission; governance only with respect to inter-institutional collaboration (InCommon); legal requirements are similar for specific federation use. And also Diverse: size and budgets; for-profit and non-profit; bi-lateral agreements also govern collaborations; autonomy: policy and practices are “Post and Tell” – descriptive rather than prescriptive.
InCommon Governance (organization chart): Steering Committee, representative of Higher Ed and its partners, which sets direction; Nominations Committee (candidate approvals); Technical Advisory Committee (advice); Federation Business & Operations, run by Internet2.
InCommon Trust Fabric • InCommon verifies the identity of all participating organizations and issues server certificates for secure communication • Participants agree to the Federation operational principles and share among themselves their own resource and identity management operational principles • Each resource manages access based on the agreed-upon user identity attributes • Each home organization manages user accounts and the release of personal information (identity and privacy management)
The Value of InCommon • Scalability • InCommon is the trust broker • InCommon verifies the identity of organizations and their delegated officers; • Metadata • InCommon aggregates trusted information pointing to each participant’s servers, systems, and technical contacts; • Certificate Authority • InCommon issues participant server certificates • Technical Interoperability • InCommon defines shared attributes, software, operational policies • Personal Information remains under the control of the home organization • Resource providers can focus on standards-based access controls and not on account management
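The four-step exchange in the “Federated Access in 30 seconds” slide and the Trust Fabric slide, simulated end to end as an added example that is not part of the original presentation: the federation registers each participant and its signing key (metadata), the home institution signs on the user locally and releases only an anonymous ID plus the agreed attributes, and the resource trusts the assertion only because the issuer is in the federation metadata. The entity IDs, keys and directory entries are constructed, and an HMAC key stands in for the X.509 certificate and XML signature that a real Shibboleth deployment uses.

```python
import hashlib, hmac, json, time

IDP = "https://idp.example.edu"            # constructed home institution
SP = "https://ezproxy.library.example"     # constructed resource front end

# Federation metadata: each participant, its signing key, and the attributes a
# resource requires. (Real federations distribute X.509 certs in signed metadata.)
FEDERATION_METADATA = {
    "idp": {IDP: {"key": b"idp-signing-key-constructed", "salt": b"pairwise-salt"}},
    "sp": {SP: {"required": {"eduPersonAffiliation": {"staff", "student", "member"}}}},
}
# The home institution's own identity store; it alone decides who is still active.
HOME_DIRECTORY = {"jdoe": {"affiliation": "staff", "active": True}}

def pairwise_id(idp, sp, uid):
    """Anonymous, resource-specific ID (in the spirit of eduPersonTargetedID): a
    resource recognises a returning user but cannot recover the uid or correlate it."""
    salt = FEDERATION_METADATA["idp"][idp]["salt"]
    return hmac.new(salt, f"{sp}|{uid}".encode(), hashlib.sha256).hexdigest()[:32]

def idp_issue_assertion(idp, sp, uid):
    """Steps 1-3: after local single sign-on, release only the agreed attributes."""
    user = HOME_DIRECTORY.get(uid)
    if user is None or not user["active"]:
        return None  # deprovisioned at home: nothing is asserted, so access ends here
    body = json.dumps({"issuer": idp, "audience": sp, "nameid": pairwise_id(idp, sp, uid),
                       "eduPersonAffiliation": user["affiliation"],
                       "expires": time.time() + 300}, sort_keys=True)
    sig = hmac.new(FEDERATION_METADATA["idp"][idp]["key"], body.encode(), hashlib.sha256).hexdigest()
    return {"body": body, "sig": sig}

def sp_decide(sp, assertion):
    """Step 4: trust the issuer only via federation metadata, check the signature,
    audience and lifetime, then grant access on the released attributes."""
    if assertion is None:
        return False
    body = json.loads(assertion["body"])
    idp = FEDERATION_METADATA["idp"].get(body.get("issuer"))
    if idp is None:
        return False  # issuer is not in the federation's trust fabric
    expected = hmac.new(idp["key"], assertion["body"].encode(), hashlib.sha256).hexdigest()
    if not hmac.compare_digest(expected, assertion["sig"]):
        return False  # tampered or forged assertion
    if body.get("audience") != sp or body.get("expires", 0) < time.time():
        return False  # replayed to another resource, or stale
    required = FEDERATION_METADATA["sp"][sp]["required"]
    return all(body.get(attr) in allowed for attr, allowed in required.items())
```

`sp_decide(SP, idp_issue_assertion(IDP, SP, "jdoe"))` returns True; setting `HOME_DIRECTORY["jdoe"]["active"]` to False makes the home IdP withhold the assertion and the same call returns False, which is how federation moves revocation back to the institution that actually knows the user has left.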
45 Current InCommon Participants. Higher Education (31): Case Western Reserve University, Clemson University, Cornell University, Dartmouth, Duke University, Florida State University, Georgetown University, Miami University, New York University, Ohio University, Penn State, Stanford University, Stony Brook University, SUNY Buffalo, The Ohio State University, The University of Chicago, University of Alabama at Birmingham, University of California, Irvine, University of California, Los Angeles, University of California, Merced, University of California, Office of the President, University of California, Riverside, University of California, San Diego, University of Maryland, University of Maryland Baltimore County, University of Maryland, Baltimore, University of Rochester, University of Southern California, University of Virginia, University of Washington, University of Wisconsin - Madison. Sponsored Partners (14): Cdigix, EBSCO Publishing, Elsevier ScienceDirect, Houston Academy of Medicine - Texas Medical Center Library, Internet2, JSTOR, Napster, LLC, OCLC, OhioLink - The Ohio Library & Information Network, ProtectNetwork, Symplicity Corporation, Thomson Learning, Inc., Turnitin, WebAssign.
Houston Academy of Medicine - Texas Medical Center Library • Located in Houston • Not a typical higher education library • Shared resources between 44+ institutions • Operated independent of schools • Resource for medical schools, health sciences schools, hospitals, medical researchers and providers
NMI-EDIT ETR Grant • RFP – do something useful with federating technology • Context: Library serves as an identity provider for 44+ institutions for access to online digital content • Problem: Access is based on loose coupling of individuals to an institution • Managing appropriate access is difficult
Scenario • Employee of one of the 44+ institutions is issued a credential for online access to digital resources. • Employee leaves the TMC institution • Library credential loses value and is compromised • Content provider’s resources become compromised • Very difficult for the Library to track down the user
Diagnosis • Library credential is vulnerable to attack • Credential has little value to the owner and is therefore commonly shared • Very low probability of maintaining the link between the credential and the rightful owner (LOW LOA) • Overhead to track down and resolve compromises is outside of the resources and scope of the library, but must be done to honor their contract.
Resolution • The largest contributors and users of the library are 3 higher education institutions. Each of these institutions performs identity management by issuing, managing and revoking electronic credentials for their employees and students. • Why not leverage these resources using federated technology?
ETR Grant Pilot • Employ a Shibboleth Resource (EZProxy) to front the online web-based digital resources. • Install a Shibboleth IdP to manage the small number of credentials not managed via institutions using federated access. • Leverage the institutional credentials of the largest library members to grant access.
Parts • 4 new servers • Library Joins InCommon • Demonstration: Pilot included a demonstration of access to the HAM-TMC Library resources from UTHSC, Baylor CoM, UT Systems and Brown University. • Presentation to the Library Director.
Where are we now • Federations – InCommon and UT Fed • FOO? • Production planning • How will Federations Federate? • Proof of concept for FOO • Participants: TBD
Next for InCommon • Federation Partnering: Inter-Federating • US Govt eAuthentication Federation • Raising the bar: higher levels of trust • Mapping to federal levels of assurance 1 and 2 • InCommon Bronze (L1) • InCommon Silver (L2) • Other Federations: Federal Agencies, State Federations, Countries, …