What is Federated ID Management and Why Should You Care?

Tim Poe & Steve Thorpe

{tpoe, thorpe}@mcnc.org

MCNC All-Staff Meeting

March 19, 2009

Outline
  • Motivation

  • Example Services

  • Requirements

  • Underlying Technology

  • NCTrust Federation Pilot

  • Demo

Motivation
  • Many NC institutions desire access to remote protected web-based services

    • 17 UNC system institutions

    • 115 LEAs, thousands of K-12 schools

    • 58 community colleges

    • 36 independent colleges / universities

    • Plus many other government / educational / commercial organizations

  • The desire is for access to be efficient, cost-effective, quick, secure, and user-friendly. Federated ID Management technologies enable such access

ATM machines - An Early Example of Federated ID Management

  • Thousands of banks - Federated

  • Millions of users (bank customers)

  • User login (ATM card) and password (PIN) maintained by the user’s home institution (Bank)

  • Other institutions give service ($) access to remote users, based on trusting the login and password that’s maintained by the home institution

  • Today we’re doing something similar, only we’re serving Web-based services rather than $

Example – Confluence

  • Confluence is a web-based wiki service that fosters collaboration among multiple institutions

  • Federated ID Management technologies can alleviate MCNC’s current need for in-house management of accounts for outside users

  • Each home institution would manage their *own* accounts

Example - NCLive

  • NCLive provides access to eJournals, etc. for libraries, higher-ed and increasingly K-12

  • Want resources to be easy to access, yet must adhere to the licenses of the various products being distributed; e.g. certain content might be allowed only for:

    • Students

    • K-20 staff

    • Chemistry teachers

    • etc.

Examples - VCL

  • NCSU’s Virtual Computing Lab (VCL) is a web service that allows reservations of a computer with a desired set of applications, then remote access over the Internet

  • You can use applications such as Matlab, Maple, SAS, Solidworks, and many others. Linux, Solaris and numerous Windows environments are available

  • Due to licensing and resource limitations, access must be limited to certain user communities

Other Examples

  • How about a service for elementary school kids to access privately licensed PBS, CSPAN, and History Channel video content through the internet?

  • How about a service to enable cross-institutional course registration for access to distance learning from a different university in the UNC system?

  • Federated ID Management technologies can facilitate resource utilization across NCREN by enabling these and other web-based services much more efficiently, saving $ for MCNC and the NCREN community

Requirements
  • Prevent users having to know yet-another password

  • Prevent system administrators having to add yet-another account

  • Avoid logins becoming out of date

  • Enable easier scaling of web-based applications to include multiple additional users/organizations

  • Must know people are who they say they are, with up-to-date accuracy

  • With potentially hundreds of thousands of people involved, need the home institutions to be responsible for account administration

Underlying Technology: Shibboleth

  • Shibboleth is open source software for web single sign-on across or within organizational boundaries

  • Allows informed authorization decisions for protected web service access in a privacy-preserving manner

  • Uses Security Assertion Markup Language (SAML) to provide federated single sign-on and attribute exchange framework

  • Provides extended privacy functionality allowing the browser user and their home site to control the attributes released to each application

Obligatory Geek Diagram - Simplified (the only one, we promise!)

1. Student is at Starbucks

2. IdP is at his school

3. Protected Web Service is at a university

4. IdP/SP communication via SAML attributes exchanged through the browser session

Diagram components:

  • Shibboleth Identity Provider (IdP) (IdP is a J2EE app)

  • LDAP Server

  • Shibboleth Service Provider (SP) (mod_shib gets attributes from shibd and protects web apps; shibd daemon maintains state)

  • Access to protected service (web app) is controlled by shib gatekeeper
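The two halves of the diagram in working form, as an added example that is not from the presentation or from the Shibboleth project: the IdP side releases only the attributes each SP is entitled to see (the privacy control described on the Shibboleth slide), and the SP side makes a rule-based authorization decision of the kind the NCLive example needs (content only for students, chemistry teachers, etc.). The SAML assertion, the SP entity IDs and the eduPerson-style attribute names are constructed/assumed for illustration.

```python
# Added example: IdP-side attribute release filter plus SP-side attribute
# authorization over a constructed SAML 2.0 AttributeStatement. The entity
# IDs and attribute names are assumptions, not values from the presentation.
import xml.etree.ElementTree as ET

SAML_NS = "urn:oasis:names:tc:SAML:2.0:assertion"
NS = {"saml": SAML_NS}

# Constructed sample: what a home institution's IdP might assert after login.
ASSERTION = f"""<saml:Assertion xmlns:saml="{SAML_NS}">
  <saml:AttributeStatement>
    <saml:Attribute Name="eduPersonPrincipalName">
      <saml:AttributeValue>jdoe@example.edu</saml:AttributeValue>
    </saml:Attribute>
    <saml:Attribute Name="eduPersonAffiliation">
      <saml:AttributeValue>student</saml:AttributeValue>
      <saml:AttributeValue>member</saml:AttributeValue>
    </saml:Attribute>
    <saml:Attribute Name="department">
      <saml:AttributeValue>Chemistry</saml:AttributeValue>
    </saml:Attribute>
  </saml:AttributeStatement>
</saml:Assertion>"""

# IdP-side release policy, keyed by hypothetical SP entity IDs: each
# application sees only the attributes its home site chose to release.
RELEASE_POLICY = {
    "https://nclive.example.org/shibboleth": {"eduPersonAffiliation", "department"},
    "https://vcl.example.edu/shibboleth": {"eduPersonPrincipalName", "eduPersonAffiliation"},
}

def parse_attributes(xml_text):
    """Return {attribute name: set of values} from the AttributeStatement."""
    root = ET.fromstring(xml_text)
    attrs = {}
    for a in root.iterfind(".//saml:AttributeStatement/saml:Attribute", NS):
        values = {v.text.strip() for v in a.iterfind("saml:AttributeValue", NS) if v.text}
        attrs[a.get("Name")] = values
    return attrs

def release(attrs, sp_entity_id):
    """IdP side: unknown SPs get nothing; known SPs get only their allowed set."""
    allowed = RELEASE_POLICY.get(sp_entity_id, set())
    return {name: vals for name, vals in attrs.items() if name in allowed}

def sp_authorize(released, rule):
    """SP side: rule is {attribute: acceptable values}; every clause must match."""
    if not rule:  # an empty rule is a misconfiguration, so deny rather than allow
        return False
    return all(released.get(attr, set()) & accepted for attr, accepted in rule.items())
```

Because `release()` strips `department` for the VCL entity ID, a VCL rule keyed on department denies even though the IdP knows the value; that is the release policy doing its job, not an authorization bug.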

NCTrust Federation Pilot

  • MCNC and partners have convened the NC Trust Pilot

  • Goal: create a Federation to test web resource sharing among several K-20 organizations within NC

    • Adding K-12 into the mix is a unique aspect

  • NCTrust utilizes the national InCommon Federation infrastructure

    • Provides a trust mechanism allowing each organization to certify its operational practices

  • MCNC is helping partners with tech / installation support

Pilot participants (diagram labels): North Carolina Learning Object Repository; ? (tbd)

Shibboleth Training Workshops

  • 1.5 day workshops were hosted by MCNC in October 2008 and February 2009

  • Instructors: Shilen Patel and Rob Carter (Duke), Gonz Guzman (MCNC)

  • Approximately 45 participants total

  • There’s an excellent video archive of the workshop, thanks to Bryon and Chad

MOU and InCommon Paperwork in Various Stages of Completion…

Paperwork is MUCH harder / slower than technical work!

(though the technical parts are certainly not trivial)

First demos starting now!

Demo

  • As [email protected]:

    • Log onto test service, to see some attributes

    • Access Internet2’s Confluence site

  • As [email protected]:

    • Log onto NCSU’s VCL site, check for images

  • As [email protected]:

    • Log onto NCSU’s VCL site, check for images and see a different list based on my NCSU status

Future Steps

  • Connect services among the NCTrust community

    • VCL

    • NCLive

    • MCNC’s Confluence site is a likely candidate

    • Others?

  • Recommendations on best model of state-wide federation to meet the needs of the K-20 educational community in North Carolina

    • To cover funding, operations, governance, etc.

  • Pilot runs through December 2009

Key Takeaways

  • We believe Federated ID Management can enable more effective resource sharing among the NCREN community

    • Secure

    • Efficient

    • Scalable

    • Accessible

    • Saves $

    • Not to mention it’s a GREEN technology

  • Fostering adoption of FIM technologies is another way of Connecting North Carolina’s Future Today

Thank You

  • Special thanks to MCNC’s Gonz Guzman, Tom Throckmorton, Kambiz Aghaiepour, Neal Bullins, Carole Bruhn, Keith Venters, Chris Caswell, Bryon Coltrane, and Chad Pritchard who all helped this effort

  • Also thanks to the many Federated ID Task Force members from throughout the NCREN community that are participating with us in the NCTrust pilot project

  • Questions?