1 / 23

www.incommon.org

www.incommon.org. What is Identity Management?. A system of standards, procedures and technologies that provides electronic credentials to individuals. Maintains authoritative information about individuals. Establishes the trust needed for transactions.

kayla
Download Presentation

www.incommon.org

An Image/Link below is provided (as is) to download presentation Download Policy: Content on the Website is provided to you AS IS for your information and personal use and may not be sold / licensed / shared on other websites without getting consent from its author. Content is provided to you AS IS for your information and personal use only. Download presentation by click this link. While downloading, if for some reason you are not able to download a presentation, the publisher may have deleted the file from their server. During download, if you can't get a presentation, the file might be deleted by the publisher.

E N D

Presentation Transcript

  1. www.incommon.org

  2. What is Identity Management? • A system of standards, procedures and technologies that provides electronic credentials to individuals. • Maintains authoritative information about individuals. • Establishes the trust needed for transactions. • Facilitates and controls user access to online applications or resources.

  3. Identity Management • Who are you? (identification) • Collect personally identifying information to prove you are who you say you are (identity proofing), such as drivers license, passport, or biometric data • Assign attributes [(name, address, college or university, department, role (faculty, staff, student), major, email address] • How can you prove it? (authentication) • Verifying that the person seeking access to a resource is the one previously identified and approved

  4. Identity Management • Authentication does not verify that the identity proofing is correct. It establishes that the previously identified person is the same one who is seeking access to a resource.

  5. Key Entities Three entities involved in gaining access to a resource: Subject (i.e. user) – The person identified and the subject of assertions (or claims) about his or her identity. Identity Provider – Typically the university or organization that maintains the identity system, identity-proofs the subject and issues a credential. Also provides assertions or claims to the service provider about a subject’s identity. Service Provider (sometimes called the relying party) – Owner/provider of the protected resource to which the subject would like to access. Consumes the assertion from the identity provider and makes an authorization decision.

  6. Key Terms Authentication – Verification (via a user ID and password) that a subject is associated with an electronic identifier. This is the responsibility of the identity provider. Authorization – Determining whether a subject is eligible to gain access to a resource or service. The authorization decision is made by the service provider and is based on the attributes provided by the identity provider. Attribute – A single piece of information associated with an electronic identity database record, such as name, phone number, group affiliation, email address, major.

  7. The Problem The system of authentication and authorization, and the passing of attributes, requires that the identity provider and service provider agree on policies and procedures. When you have one identity provider working with many service providers – or one service provider working with many identity providers – things get complicated. Individual service providers keep subject information in their own databases, or may want direct access to an identity provider’s database, or may require frequent batch uploads of identity information.

  8. Tedious user registration at all resources Unreliable and outdated user data at resources Different login process at each resource Many different passwords Identity provider may need to support multiple custom authentication methods and/or be asked for access to its identity database

  9. The Problem • Growing number of applications – on-campus and outsourced or hosted • All of these service providers must: • Verify the identity of users (faculty, staff, students, others) • Know who’s eligible to access the service • Know the student is active and hasn’t left school • Increase in outsourced or cloud services raises concerns about the security and privacy of the identity data

  10. A Solution: Federated Identity Management Federation: An association of organizations that come together to exchange information, as appropriate, about their users and resources in order to enable collaborations and transactions. All participants in a federation agree on the same policies and procedures related to identity management and the passing of attributes. Instead of one-to-one relationships, the federation allows one-to many relationships.

  11. Federated Identity Management • Parties agree to leverage the identity provider’s database, rather than creating separate data stores • Users no longer register with the service provider, using their university credentials for transactions • Single sign-on convenience for users • Identity provider does the authentication; service provider does the authorization • Attributes are the key – maintain privacy and security

  12. 1. Single sign on 2. Services no longer manage user accounts & personal data stores 3. Reduced help-desk load 4. Standards-based technology 5. Home org and user controls privacy

  13. InCommon Federation InCommon is the federation for U.S. research and education, providing higher education and their commercial and non-profit partners with a common trust framework for access to online resources.

  14. About InCommon • Through InCommon, campuses leverage their identity databases to allow for the use of one set of credentials to access multiple resources. • Online service providers no longer need to maintain user accounts. • Identity providers manage the levels of their users' privacy and information exchange. • InCommon uses SAML-based authentication and authorization systems (such as Shibboleth®) to enable scalable, trusted collaborations among its community of participants.

  15. InCommon Federation Benefits • Convenience – Single sign-on with higher education credentials • Safety – Enhanced security with fewer data spills • Privacy – Release of only the minimum information necessary to gain access to resources (via attributes) • Scalability – Once implemented, federated access relatively simple to extend • Authentication – Campus does the authentication, maintaining control of user information • Authorization – Service provider makes access decisions based on attributes

  16. Metadata, certificates, common attributes & meaning, federation registration authority, Shibboleth Federated Access in 30 seconds 4. If attributes are acceptable to resource policy, access is granted! 3. Authorization: Privacy-preserving exchange of agreed upon attributes 2. Federation-based trust exchange to verify partners and locations 1. Authentication: single-sign-on at home institution Online Resource Attributes: Anonymous ID, Staff, Student, … Home Institution – user signs in

  17. InCommon Participants Year-by-Year • More than 7.5 million end-users (faculty, staff, students)

  18. Federated ResourcesResources available via InCommon are many and diverse Business Functions • Benefits • Asset management • Talent management • Visas & INS compliance • Mobile alerts • Travel management • Energy management • Surveys and market analysis Learning and Research • Journals • Databases and analytical tools • Multi-media access • Homework labs • Quiz tools • Plagiarism detection • Software downloading • Alcohol awareness education • Student travel discounts • Transportation and ride-share services. • Strong support from key higher education partners, such as: Microsoft, Apple, National Student Clearinghouse, NSF, NIH, Gov-affiliated Labs

  19. InCommon Assurance Profiles • Bronze and Silver profiles equate to the U.S. government’s NIST 800-63 levels of assurance 1 and 2, respectively • Require more stringent identity proofing policies and procedures, allowing for access to higher-risk applications (such as financial service apps) • Status: Several universities working through the policy and technical processes for implementing Silver • CIC universities (Big Ten schools and the Univ. of Chicago) assurance.incommon.org

  20. InCommon Collaboration Groups • Collaboration • InC-Library • InC-Student • InC-NIH • InC-Research Agencies • US Federations https://spaces.internet2.edu/display/InCCollaborate/

  21. Outreach and Education IAM Online – Monthly presentations on identity and access management. www.incommon.org/iamonline CAMP, Advance CAMP, Day CAMP – Conferences focused on federated identity and access management. www.incommon.org/camp Affiliate Program – Linking higher ed with partners able to help build the necessary underlying infrastructure that supports federated access. www.incommon.org/affiliate Shibboleth Workshop Series – Intensive workshops to learn and install Shibboleth. www.incommon.org/educate/shibboleth

  22. InCommon Cert Service • Service developed by and for the higher education community. InCommon is a non-profit, community-governed organization – the primary driver is to provide value to the community. • Unlimited SSL certificates, and (soon) unlimited personal certificates (for signing, encryption, code signing and authentication) • One fixed annual fee. • One publicly signed certificate source for all campus servers and domains • Includes all domains owned by the college or university – such as professional organizations or athletic sites (including any .org, .com, .net or others). • Internet2 members receive a 25 percent discount

  23. www.incommon.org info@incommon.org

More Related