InCommon Technical Advisory Committee Community Forum. October 10, 2013
1 InCommon Technical Advisory Committee Community Forum October 10, 2013
2 Logistics for Today: Use the phone line, we'll want to hear from you! (please use if you don't pay for long distance) (toll-free US/Canada) PIN: # (everyone joins on mute; press ##1 to unmute your phone). We will be conducting polls during this webinar; some will have the audience entering suggestions that everyone can vote on. We are you! We're here to listen. The work gets done by ALL of us: join a Sub Group!
3 TAC Community Update Agenda: Introduction (Steve Carmody); Interfederation Update (Paul Caskey); Metadata Distribution Update (Scott Cantor); Multifactor Update (Tom Barton, Ann West); Quick Summary of Past Work Items and Future TAC Work Items (Nick Roy, Keith Hazelton).
4 What is the InCommon Technical Advisory Committee? The InCommon TAC will work with Steering to support the InCommon Participant community's use of shared identity and access management technology, services, recommended practices and strategies. The InCommon TAC will advise the SC regarding policy implications of technical changes and the technical implications of proposed policy changes. The TAC may suggest policy changes to support new uses or configurations of the underlying technology or its applications. The TAC shall seek further review of its recommendations within the broader community of users, both within InCommon and among the larger, shared access management community, as appropriate. The TAC will function as defined for Advisory Committees in the InCommon LLC ByLaws.
5 TAC Members: Tom Barton, University of Chicago; Jim Basney, University of Illinois; Scott Cantor, The Ohio State University; Steven Carmody, Brown University; Paul Caskey, University of Texas System; Michael Gettes, Carnegie Mellon University; Keith Hazelton, University of Wisconsin - Madison; Jim Jokl, University of Virginia; Ken Klingenstein, InCommon Steering Committee; Chris Misra, UMASS-Amherst (NEW); Nick Roy, Penn State (NEW); David Walker, Independent; Ian Young, U.K. Access Management Federation. In Memoriam: R.L. "Bob" Morgan, University of Washington.
6 TAC Does its Work Through Subgroups. What's a subgroup? A community group that forms to work on a technical priority. A subgroup has a charter and goals. Who can participate? Anyone in the community with an interest in the topic and time to contribute.
7 TAC Subgroups. Current TAC Subgroups: Social Identity Working Group; Interfederation Phase 2; Metadata Distribution; PKI Subcommittee. Proposed Subgroups: Federation Operations.
8 Today's Advertisement: See you at Identity Week 2013! An opportunity to meet and interact with your peers in the IDM space. Advanced CAMP has reached its registration cap, but CAMP is still open for registration.
9 The Big Picture: InCommon, Net+ Continue to Evolve. The growth of the Net+ provider portfolio; the evolving relationship between InCommon and Net+; the growing demand for international interoperation; the need to provide solutions for rapidly evolving campus IDM requirements.
10 Interfederation Working Group
11 About the group: Began in early 2013, led by Jim Basney. Intent was to explore the area of linking federations: technical aspects, trust/policy issues. One primary driver was LIGO users in the UK Federation. Wiki: spaces.internet2.edu/display/incinterfed/interfed+subcommittee. Mailing List: lists.incommon.org/sympa/info/interfed
12 Deliverables from Phase 1: Use Cases: spaces.internet2.edu/x/eqawag. Plans for InCommon and UK Interfederation: spaces.internet2.edu/x/tia_ag. Lessons Learned: spaces.internet2.edu/x/qwboag. Report to Technical Advisory Committee (TAC): spaces.internet2.edu/x/dw9oag
13 Phase 2 picks up where Phase 1 left off. Duration: October 2013 - March 2013. New leadership: Warren Anderson (LIGO, new to subcommittee); Paul Caskey (UT System, Liaison to TAC). Charter drawn from the recommendations document of Phase 1. Currently ~10 participants.
14 Charter for Phase 2: Establish international interfederation agreements with eduGAIN and the UK federation. Review documented trust practices and policies for entity registration and publishing. Review and adopt the US-EU Code of Conduct concerning attribute release and privacy. Review and assist in the implementation of metadata management/publication/aggregation/tagging improvements. Establish practices and policies for domestic interfederation for regional, K-12, etc. federations.
15 Next steps? Begin work on Phase 2. And we need you!! (everyone is welcome). First telecon soon! (~10/23). Subscribe to the mailing list: All project information is linked here: spaces.internet2.edu/display/incinterfed
16 Contacts: Warren Anderson, Chair; Paul Caskey, TAC Liaison.
17 Metadata Distribution Subgroup: Charter and Phase One Recommendations.
18 Phase 1 Conclusions: The current signing key will be maintained indefinitely, with a long-lived, self-signed certificate issued. Shibboleth deployers are unaffected; other metadata-supporting products are likely affected, similar to the last time the certificate was renewed. The current CA is not used operationally by federation participants and will be discontinued upon its 2014 expiration. Review and update policy and technical guidance around signing operations and participant keys.
19 Phase 2 Discussions: Plan the transition to SHA-2 in metadata signatures. Currently testing broader interoperability issues around use of SHA-2. Primary impact is on unsupported software versions using OpenSSL or earlier. Most common case is Red Hat EL 4 and various unsupported Windows Shibboleth packages.
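A deployer preparing for the SHA-2 transition wants to know which algorithms the signature on the metadata aggregate actually uses. The check below is an added example (not InCommon's or Shibboleth's code) that reads the SignatureMethod and DigestMethod identifiers from a constructed aggregate with placeholder signature values; it inspects algorithm identifiers only and does not verify the signature itself.

```python
"""Report which hash algorithms a signed SAML metadata aggregate uses.
Added example; the metadata below is constructed and carries placeholder
signature and digest values, so it is never a valid signature."""
import xml.etree.ElementTree as ET

NS = {
    "md": "urn:oasis:names:tc:SAML:2.0:metadata",
    "ds": "http://www.w3.org/2000/09/xmldsig#",
}

# Standard XML Signature algorithm identifiers (XMLDSig core and RFC 4051).
SHA1_ALGORITHMS = frozenset({
    "http://www.w3.org/2000/09/xmldsig#rsa-sha1",
    "http://www.w3.org/2000/09/xmldsig#sha1",
})
SHA2_ALGORITHMS = frozenset({
    "http://www.w3.org/2001/04/xmldsig-more#rsa-sha256",
    "http://www.w3.org/2001/04/xmldsig-more#rsa-sha384",
    "http://www.w3.org/2001/04/xmldsig-more#rsa-sha512",
    "http://www.w3.org/2001/04/xmlenc#sha256",
    "http://www.w3.org/2001/04/xmldsig-more#sha384",
    "http://www.w3.org/2001/04/xmlenc#sha512",
})


def classify(algorithm):
    """Map an algorithm URI to 'sha1', 'sha2' or 'unknown'."""
    if algorithm in SHA1_ALGORITHMS:
        return "sha1"
    if algorithm in SHA2_ALGORITHMS:
        return "sha2"
    return "unknown"


def signature_algorithms(metadata_xml):
    """Return the SignatureMethod and DigestMethod URIs of the enveloped
    signature on the root element, or None if the aggregate is unsigned.
    Per-entity signatures deeper in the tree are deliberately not examined."""
    root = ET.fromstring(metadata_xml)
    signature = root.find("ds:Signature", NS)
    if signature is None:
        return None
    method = signature.find("ds:SignedInfo/ds:SignatureMethod", NS)
    digests = signature.findall("ds:SignedInfo/ds:Reference/ds:DigestMethod", NS)
    return {
        "signature": method.get("Algorithm") if method is not None else None,
        "digests": [d.get("Algorithm") for d in digests],
    }


def weak_algorithm_findings(metadata_xml):
    """List every algorithm on the signature that is not SHA-2. An empty
    list means the aggregate is signed entirely with SHA-2 algorithms."""
    algs = signature_algorithms(metadata_xml)
    if algs is None:
        return ["metadata aggregate is unsigned"]
    findings = []
    if classify(algs["signature"]) != "sha2":
        findings.append(f"SignatureMethod {algs['signature']}")
    for digest in algs["digests"]:
        if classify(digest) != "sha2":
            findings.append(f"DigestMethod {digest}")
    return findings


# Constructed sample: a minimal aggregate signed with RSA-SHA1 and a SHA-1 digest.
SAMPLE_SHA1 = """<md:EntitiesDescriptor xmlns:md="urn:oasis:names:tc:SAML:2.0:metadata"
    xmlns:ds="http://www.w3.org/2000/09/xmldsig#" Name="urn:example:constructed">
  <ds:Signature>
    <ds:SignedInfo>
      <ds:CanonicalizationMethod Algorithm="http://www.w3.org/2001/10/xml-exc-c14n#"/>
      <ds:SignatureMethod Algorithm="http://www.w3.org/2000/09/xmldsig#rsa-sha1"/>
      <ds:Reference URI="">
        <ds:DigestMethod Algorithm="http://www.w3.org/2000/09/xmldsig#sha1"/>
        <ds:DigestValue>PLACEHOLDER</ds:DigestValue>
      </ds:Reference>
    </ds:SignedInfo>
    <ds:SignatureValue>PLACEHOLDER</ds:SignatureValue>
  </ds:Signature>
  <md:EntityDescriptor entityID="https://idp.example.edu/idp/shibboleth"/>
</md:EntitiesDescriptor>
"""

# The same constructed aggregate after a SHA-2 transition (made by substitution).
SAMPLE_SHA256 = SAMPLE_SHA1.replace(
    "http://www.w3.org/2000/09/xmldsig#rsa-sha1",
    "http://www.w3.org/2001/04/xmldsig-more#rsa-sha256",
).replace(
    "http://www.w3.org/2000/09/xmldsig#sha1",
    "http://www.w3.org/2001/04/xmlenc#sha256",
)

if __name__ == "__main__":
    for label, doc in (("SHA-1", SAMPLE_SHA1), ("SHA-256", SAMPLE_SHA256)):
        print(label, weak_algorithm_findings(doc) or "all SHA-2")
```

Run it against a downloaded aggregate to see whether the consuming software stack will need SHA-2 support before the federation switches.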
20 Phase 2 Discussions: Examine trade-offs with different technical/business models for metadata management and distribution (e.g., offline key vs. an online HSM). Propose a pilot for support of per-entity queries using existing Shibboleth SP software. Understand technical requirements for software and federation operations. Understand impact on features like IdP Discovery.
21 Multifactor Authentication & Assurance Update Tom Barton, U Chicago & Internet2 Ann West, Internet2
22 Passwords are bad and will get worse. We know! Need to strengthen the authentication process to reduce the risk that the authenticated user is someone else: stolen or shared (e.g., phishing); inappropriate reassignment (e.g., Yahoo); fraudulently obtained. InCommon's Identity Assurance Framework provides a stepwise and standards-based way to plan your mitigation of these risks.
23 Components of assurance (risk, and the assurance component that mitigates it, ordered by effort to mitigate): Fraudulently obtained: identity proofing + credential management (vetting process, subject attributes, record keeping). Inappropriate reassignment: credential management (token issuance & revocation, binding of token to subject, secure infrastructure, record keeping). Stolen or shared: token technologies (password/passphrase; second factor (OTP, phone factor, 2nd password); multi-factor (PIN + token); additional factors (biometric, geolocation, ...)).
24 Assurance update: Multi-Context Broker Shibboleth extension (Silver/Bronze, 2FA, MFA, step-up authentication); testing code. Active Directory Cookbook for Silver v1.2: draft available for comment; no Alternative Means needed. Further Assurance program work: Bronze adoption; Federal Cloud Credential Exchange (FCCX). Alternative Means: MFA: SafeNet (soon), Duo (underway); Certificates: Comodo and InCert (manage certs on user devices). More info: assurance.incommon.org
25 Service Categories
26 What is a Service Category? A classification of member SPs to make attribute release more scalable: IdPs release a known set of attributes to categories of SPs, and attribute release policy is configured for all services in the category (both present and future), rather than once per service. Also a classification of supporting IdPs to help SPs build relevant discovery interfaces.
27 Research & Scholarship Category: services that 1) support Research and Scholarship and 2) require a small set of low-risk attributes. Proposed modification to the R&S definition to remove the requirement for "no specific oversight" of research supported by the SP. This aligns better with an emerging international R&S Category. Academic research in the US is generally subject to oversight of some form, but in any case compliance cannot be readily verified by InCommon. Please provide comments and feedback in the chat room or start a conversation on the participants@incommon.org list.
28 Affiliation-Based Access Category. Proposal: services that 1) benefit the campus community and 2) require no personally-identifying information. Only affiliation and a pseudonymous identifier (eduPersonTargetedID) are released. No presumption of an existing institutional agreement for these services. Examples of eligible services include: software tools for students; online databases for researchers; entertainment discounts for staff. Please provide comments and feedback in the chat room or start a conversation on the participants@incommon.org list.
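The scaling argument for service categories (slides 26 to 28) is that an IdP writes one release rule per category and every SP carrying that category, present or future, is covered. The added example below (not InCommon's or Shibboleth's code) shows that decision logic over constructed SP metadata: it reads the entity-category values from the EntityDescriptor and returns the attributes to release. The R&S category URI is InCommon's, the affiliation-based category URI is a placeholder (it was only a proposal here), and the attribute bundles are assumptions for illustration.

```python
"""Category-driven attribute release for an IdP. Added example: the SP
metadata is constructed, the affiliation-based category URI is a placeholder,
and the attribute bundles are illustrative, not InCommon's definitions."""
import xml.etree.ElementTree as ET

NS = {
    "md": "urn:oasis:names:tc:SAML:2.0:metadata",
    "mdattr": "urn:oasis:names:tc:SAML:metadata:attribute",
    "saml": "urn:oasis:names:tc:SAML:2.0:assertion",
}

# Name of the entity attribute that carries entity categories in SAML metadata.
ENTITY_CATEGORY_ATTR = "http://macedir.org/entity-category"

# InCommon's R&S category URI; the affiliation-based category was only a
# proposal in this deck, so its URI here is an obvious placeholder.
RS_CATEGORY = "http://id.incommon.org/category/research-and-scholarship"
AFFILIATION_CATEGORY = "urn:example:placeholder:affiliation-based-access"

# One release rule per category, applied to every SP that carries the category,
# present or future. Bundle contents are assumptions for illustration only.
CATEGORY_RELEASE = {
    RS_CATEGORY: frozenset({
        "eduPersonPrincipalName", "mail", "displayName",
        "eduPersonScopedAffiliation",
    }),
    AFFILIATION_CATEGORY: frozenset({
        "eduPersonScopedAffiliation", "eduPersonTargetedID",
    }),
}


def entity_categories(entity_xml):
    """Entity-category values asserted for an SP in its EntityDescriptor.
    In production these must be read from the federation's signed aggregate,
    never from anything the SP asserts about itself at runtime."""
    root = ET.fromstring(entity_xml)
    categories = set()
    path = "md:Extensions/mdattr:EntityAttributes/saml:Attribute"
    for attr in root.findall(path, NS):
        if attr.get("Name") != ENTITY_CATEGORY_ATTR:
            continue
        for value in attr.findall("saml:AttributeValue", NS):
            if value.text and value.text.strip():
                categories.add(value.text.strip())
    return categories


def attributes_to_release(entity_xml):
    """Union of the bundles of every recognised category. Unrecognised
    categories add nothing, and an SP with no recognised category gets
    nothing from this rule (it would need a per-SP rule instead)."""
    released = set()
    for category in entity_categories(entity_xml):
        released |= CATEGORY_RELEASE.get(category, frozenset())
    return released


def constructed_sp(entity_id, *categories):
    """Build a constructed SP EntityDescriptor carrying the given categories."""
    md, mdattr, saml = NS["md"], NS["mdattr"], NS["saml"]
    values = "".join(
        f"<saml:AttributeValue>{c}</saml:AttributeValue>" for c in categories
    )
    extensions = ""
    if categories:
        extensions = (
            "<md:Extensions><mdattr:EntityAttributes>"
            f'<saml:Attribute Name="{ENTITY_CATEGORY_ATTR}" '
            'NameFormat="urn:oasis:names:tc:SAML:2.0:attrname-format:uri">'
            f"{values}</saml:Attribute></mdattr:EntityAttributes></md:Extensions>"
        )
    return (
        f'<md:EntityDescriptor xmlns:md="{md}" xmlns:mdattr="{mdattr}" '
        f'xmlns:saml="{saml}" entityID="{entity_id}">{extensions}'
        '<md:SPSSODescriptor protocolSupportEnumeration='
        '"urn:oasis:names:tc:SAML:2.0:protocol"/></md:EntityDescriptor>'
    )


# Constructed SPs: one R&S member, one with no category, one in both
# categories, and one carrying a category this IdP does not recognise.
RS_SP = constructed_sp("https://rs.example.org/shibboleth", RS_CATEGORY)
PLAIN_SP = constructed_sp("https://plain.example.org/shibboleth")
BOTH_SP = constructed_sp("https://both.example.org/shibboleth",
                         RS_CATEGORY, AFFILIATION_CATEGORY)
UNKNOWN_SP = constructed_sp("https://odd.example.org/shibboleth",
                            "urn:example:placeholder:unrecognised")

if __name__ == "__main__":
    for name, sp in (("R&S", RS_SP), ("plain", PLAIN_SP),
                     ("both", BOTH_SP), ("unknown", UNKNOWN_SP)):
        print(name, sorted(attributes_to_release(sp)))
```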
29 Social Identity
30 Social Identity Use Cases. Possible use cases for social identity: 1. Social gateway as an IdP of Last Resort; 2. Parent accessing a student grades web app; 3. Student accessing a continuing ed course management system; 4. Providing someone with one-time or short-term access to local services.
31 Social-to-SAML Gateway Pilot: Paul Caskey and his colleagues at the University of Texas piloted a Social-to-SAML Gateway in October 2012. The pilot has been in continuous operation since that time. Much of what we know about social identity is due to the success of this pilot.
32 Google Gateway: InCommon Operations runs a production Google Gateway for internal use. The Google Gateway is an OpenID-to-SAML gateway for the Federation Manager, the Certificate Manager, and a few other Internet2 SPs. Cirrus Identity built the Google Gateway using SimpleSAMLphp in the cloud (AWS).
33 Social Identity WG Next Steps: At the Oct 7 Social ID WG meeting, Cirrus Identity demoed their gateway solution. Cirrus will deploy their gateway solution on campuses that have expressed an interest: demo/trial phase begins Nov 2013; production launch targeted for early 2014; additional campuses should contact Cirrus directly. A centralized gateway for all InCommon participants is being discussed; will explore multiple service and subscription models.
34 Other Items. Other items of possible interest: Delegated Administration; Federating the FM and the CM; Multifactor IdP Proxy; Discoverable IdPs; SHA-256 Testing; IdM Landscape; InCert.
35 Delegated Administration
36 What is Delegated Administration? A Delegated Administrator (DA) is provisioned by a Site Administrator (SA). The SA delegates the administration of SP metadata to the DA. The SA must approve any metadata update request made by the DA. A DA logs into the FM with a federated password.
37 Announcement A Delegated Administrator may now log into the FM with a Google account
38 InCommon Google Gateway (architecture diagram; components shown: the Internet2 IdPoLR / Google Gateway acting as OpenID RP and SAML IdP, the FM, the Google IdP, and the InCommon IdP). In production on October 13, 2013.
39 Federating the FM and the CM
40 InCommon Multifactor IdP Proxy (architecture diagram; components shown: the Internet2 IdPoLR / Google Gateway acting as OpenID RP and SAML IdP, InCommon Metadata, the MF IdP Proxy acting as SAML SP and SAML IdP, the FM, the CM, the InCommon IdP, the Google IdP, and the Duo Service).
41 Multifactor IdP Proxy. The Multifactor IdP Proxy is a SAML-to-SAML gateway that implements distributed multifactor authentication. The MF IdP Proxy is integrated with the Duo Security mobile-based authentication solution. All Executives, SAs, and RAOs will be required to enroll a mobile device for the purposes of MFA. Duo supports iOS, Android, Windows Mobile, and BlackBerry. A staging instance of the MF IdP Proxy is being tested now. Cirrus Identity built the MF IdP Proxy using SimpleSAMLphp. The staging instance of the MF IdP Proxy is deployed in the cloud (AWS). The deployment requirements for a production MF IdP Proxy are TBD.
42 Federating the FM: Status Report. Project status: All DAs log into the FM with a federated password now; all DAs will log in via the MF IdP Proxy by the end of 2013. All RAs log into the FM with two factors now; all RAs will log in via the MF IdP Proxy by the end of 2013. All new Site Administrators will be required to enroll a mobile device by the end of 2013.
43 Federating the CM: Status Report. Project status: A staging instance of the CM that supports federated login is being tested now. All MRAOs will log into the staging CM with two factors via the IdP Proxy by the end of Oct 2013. All DRAOs will log into the staging CM via the IdP Proxy by the end of 2013. All new RAOs will be required to enroll a mobile device by the end of 2013.
44 InCert Status
45 InCert: The Problem Space. InCert addresses two independent but related issues. Manual on-boarding of devices onto the campus network is hard: device configuration for the campus WLAN network; device MAC address network registration; security settings & device security testing; etc., etc. Stronger authentication can be hard to deploy: passwords are painful to use, and phishing is easy and commonplace; enhanced authentication, to be used, must be as simple as or simpler for users than passwords and add real security; the use of digital certificates (PKI) can enhance security and usability.
46 Network On-Boarding Automation. Many schools have developed local tools. Tools, depending on platform, implement functions such as: certificate installation; wireless configuration; Windows firewall; VPN settings; security settings; network registration.
47 Personal Digital Certificate Automation. Common uses for Standard Assurance Certificates: web authentication to campus Web SSO; VPN authentication; wireless authentication (EAP-TLS), campus and eduroam; S/MIME for signed (and encrypted) email; digital signatures; Globus / Grid. InCert automates the harder parts of end-user digital certificate use: provisioning and life cycle management; application setup. InCommon Client Certificate Site
48 InCert: Common Network On-Boarding Tool. Development goals for the InCert project: automate on-boarding for workstations and mobile devices; automatically configure network and wireless settings (campus and eduroam); device registration, security configuration, etc.; open community-sourced tool set; life-cycle management of end user certificates; built-in support for the InCommon Certificate Service; customizable per-campus without coding; easy for a campus to leverage just the pieces that meet local needs; early support for Windows, MacOS, iOS, and now Android; support for other campus needs (e.g., netreg, security, etc.).
49 InCert Tool Structure and Status (architecture diagram; components shown: Macintosh Client, Windows Client, Android Client, Macintosh Web Service, iOS Web Service, Campus InCert Server, Campus AuthNZ Link, Campus Logging / netreg / etc., and the InCommon Comodo CA; status labels in the diagram read "Ready", "Ready, more testing needed", "Known issue when used with certs", and "Development Roadmap", but which label applies to which component is not recoverable from the transcription).
50 InCert Background/Summary Information. Summary documents: /InCommonCertToolv2.pdf. Screen movie of an early version of the Windows client. Client Certificate Roadmap.
51 TAC Community Updates 2013 TAC Work Items Keith Hazelton UW-Madison
52 Strategic Priorities, 2013: Assurance; Metadata Administration; Supporting NET+; Interfederation; Metadata Distribution; Federated User Experience; Mobile/Federated Non-browser Applications.
53 InCommon's evolving role: TAC, at InC Steering's request, spearheaded a comprehensive scan of 50+ identity-related projects and initiatives in research and education (Shibboleth Consortium, Grouper, REFEDS, CIFER, NSTIC, Kuali RICE, Internet2 Net+, InCommon, ...). Published results in June 2013: Identity Management in Higher Education: A View of the Landscape.
54 The Landscape Report: Institutes of higher education and research are complex, highly dynamic, non-hierarchical organizations where people often have multiple simultaneous roles and relationships. Off-the-shelf identity and access management solutions do not generally meet the needs of higher education and research. In a very real sense, higher education is leading the creation of identity management solutions because it has to.
55 Trust and Identity vision: Review of the Landscape document led InC Steering to sketch a vision of the way forward: Trust and Identity. InCommon seems uniquely situated to provide comprehensive information sharing and coordination of efforts across the wide array of identity consortia, projects and initiatives.
56 Trust and Identity Recommendations: Production of roadmaps for CIOs on building and leveraging federation and identity and access management infrastructure. Work with specific projects to make sure the full set of needed tools and training are available. Foster shared approaches to assurance and other crucial policy and practice matters.
57 Trust and Identity Recommendations: Explore ways to extend the benefits of a modern, comprehensive IAM infrastructure beyond the R1 institutions: IAM as a Service; consulting services to augment local staff and bootstrap creation and roll-out of on-campus infrastructure. Enhance InC Steering's organizational capabilities so it can effectively respond to these opportunities.
58 Some drivers for 2014 and beyond (Are they yours?): Enhanced support for the research mission; new models for teaching and learning; accelerating adoption of cloud-based services; serving an expanding set of user populations; next generation ERP roll-outs; pressure to consolidate admin services to free up scarce resources.
59 Setting TAC Priorities for 2014: Participant Polling. Current pain or pressure points? Unfinished journeys that must be continued? Looming trends calling for effective shared responses?
More informationSupporting a Widely Deployed Campus Shibboleth Implementation
Spring 2012 Internet2 Member Meeting April 25, 2012 Supporting a Widely Deployed Campus Shibboleth Implementation Russell Beall, University of Southern California Brendan Bellina, University of Southern
More informationglobus online Globus Nexus Steve Tuecke Computation Institute University of Chicago and Argonne National Laboratory
globus online Globus Nexus Steve Tuecke Computation Institute University of Chicago and Argonne National Laboratory Computation Institute (CI) Apply to challenging problems Accelerate by building the research
More informationCanadian Access Federation: Trust Assertion Document (TAD)
Participant Name: University of Guelph Canadian Access Federation: Trust Assertion Document (TAD) 1. Purpose A fundamental requirement of Participants in the Canadian Access Federation is that they assert
More informationFeduShare Update. AuthNZ the SAML way for VOs
FeduShare Update AuthNZ the SAML way for VOs FeduShare Goals: Provide transparent sharing of campus resources in support of (multiinstitutional) collaboration Support both HTTP and non-web access using
More informationGÉANT Community Programme
GÉANT Community Programme Building the community Klaas Wierenga Chief Community Support Officer GÉANT Information day, Tirana, 5 th April 1 Membership Association = very large community to serve GÉANT
More informationSirtfi for Security Incidents in a Federated Context. Tom Barton, UChicago & Internet2
Sirtfi for Security Incidents in a Federated Context Tom Barton, UChicago & Internet2 1 The Whole Elephant Recall why compromises on campus should be reported to the campus IT security team They determine
More informationSECURING AWS ACCESS WITH MODERN IDENTITY SOLUTIONS
WHITE PAPER SECURING AWS ACCESS WITH MODERN IDENTITY SOLUTIONS The Challenges Of Securing AWS Access and How To Address Them In The Modern Enterprise Executive Summary When operating in Amazon Web Services
More informationINCOMMON FEDERATION: PARTICIPANT OPERATIONAL PRACTICES
INCOMMON FEDERATION: PARTICIPANT OPERATIONAL PRACTICES There is also a glossary at the end of this document that defines terms shown in italics. Participation in the InCommon Federation ( Federation )
More informationInternet2 NET+ Security and Identity Portfolio
NICK LEWIS Internet2 NET+ Program Manager, Security and Identity Internet2 NET+ Security and Identity Portfolio AUGUST 20, 2015 INTERNET2 Founded In 1996 by research universities to take self-responsibility
More informationIAM Problems with managing identities and access of University Guests
IAM Problems with managing identities and access of University Guests Agenda IAM Background / Goals / Status Problem with managing guests accounts Possible solutions IAM Project Success Factors Establishing
More informationCILogon. Federating Non-Web Applications: An Update. Terry Fleury
Federating Non-Web Applications: An Update Terry Fleury tfleury@illinois.edu This material is based upon work supported by the National Science Foundation under grant number 0943633. Any opinions, findings,
More informationFederated Access Management Futures
Federated Access Management Futures Ian A. Young SDSS, Edina, University of Edinburgh ian@iay.org.uk Prediction is very difficult, especially about the future. Niels Bohr What to expect Prepared material
More informationISACA International Perspective
ISACA International Perspective 11 th October 2013 Allan Boardman ISACA International Vice President and Board Director Member of ISACA s Strategic Advisory Council Member of the IT Governance Institute
More informationFederated Security Incident Response. Tom Barton, University of Chicago Jim Basney, NCSA Vincente Brillault, CERN Scott Koranda, LIGO
Federated Security Incident Response Tom Barton, University of Chicago Jim Basney, NCSA Vincente Brillault, CERN Scott Koranda, LIGO Prologue An Example Criminals target University Employee Self Service
More informationIntroduction of Identity & Access Management Federation. Motonori Nakamura, NII Japan
Introduction of Identity & Access Management Federation Motonori Nakamura, NII Japan } IP networking } The network enables a variety type of attractive applications } Communication E-mail Video conferencing
More informationThe Great Federation Showdown: IdP versus SP
The Great Federation Showdown: IdP versus SP 1 IdP vs SP: what to expect? Federation is a division of labor between IdP and SP Things are complicated, federation is no exception A choice, whether good
More informationHigher Education PKI Initiatives
Higher Education PKI Initiatives (Scott Rea) Securing the ecampus - Hanover NH July 28, 2009 Overview What are the drivers for PKI in Higher Education? Stronger authentication to resources and services
More informationINCOMMON FEDERATION: PARTICIPANT OPERATIONAL PRACTICES
INCOMMON FEDERATION: PARTICIPANT OPERATIONAL PRACTICES Participation in the InCommon Federation ( Federation ) enables a federation participating organization ("Participant") to use Shibboleth identity
More informationIdentity management. Tuomas Aura T Information security technology. Aalto University, autumn 2011
Identity management Tuomas Aura T-110.4206 Information security technology Aalto University, autumn 2011 Outline 1. Single sign-on 2. OpenId 3. SAML and Shibboleth 4. Corporate IAM 5. Strong identity 2
More informationCanadian Access Federation: Trust Assertion Document (TAD)
Participant Name: McMaster University Canadian Access Federation: Trust Assertion Document (TAD) 1. Purpose A fundamental requirement of Participants in the Canadian Access Federation is that they assert
More informationINCOMMON FEDERATION: PARTICIPANT OPERATIONAL PRACTICES
INCOMMON FEDERATION: PARTICIPANT OPERATIONAL PRACTICES Participation in the InCommon Federation ( Federation ) enables a federation participating organization ("Participant") to use Shibboleth identity
More informationINCOMMON FEDERATION: PARTICIPANT OPERATIONAL PRACTICES
INCOMMON FEDERATION: PARTICIPANT OPERATIONAL PRACTICES Participation in the InCommon Federation ( Federation ) enables a federation participating organization ("Participant") to use Shibboleth identity
More informationSustainability in Federated Identity Services - Global and Local
Sustainability in Federated Identity Services - Global and Local What works and what doesn t with eduroam and edugain Ann Harding @hardingar Activity Lead, Trust & Identity Development, GÉANT Person who
More informationProf. Christos Xenakis
From Real-world Identities to Privacy-preserving and Attribute-based CREDentials for Device-centric Access Control Device-Centric Authentication for Future Internet Prof. Christos Xenakis SAINT Workshop
More informationSAP Security in a Hybrid World. Kiran Kola
SAP Security in a Hybrid World Kiran Kola Agenda Cybersecurity SAP Cloud Platform Identity Provisioning service SAP Cloud Platform Identity Authentication service SAP Cloud Connector & how to achieve Principal
More informationEXPERIENCE SIMPLER, STRONGER AUTHENTICATION
1 EXPERIENCE SIMPLER, STRONGER AUTHENTICATION 2 Data Breaches are out of control 3 IN 2014... 708 data breaches 82 million personal records stolen $3.5 million average cost per breach 4 We have a PASSWORD
More informationINCOMMON FEDERATION: PARTICIPANT OPERATIONAL PRACTICES
INCOMMON FEDERATION: PARTICIPANT OPERATIONAL PRACTICES Participation in the InCommon Federation ( Federation ) enables a federation participating organization ("Participant") to use Shibboleth identity
More informationAccelerate Your Enterprise Private Cloud Initiative
Cisco Cloud Comprehensive, enterprise cloud enablement services help you realize a secure, agile, and highly automated infrastructure-as-a-service (IaaS) environment for cost-effective, rapid IT service
More informationCanadian Access Federation: Trust Assertion Document (TAD)
Participant Name: Okanagan College Canadian Access Federation: Trust Assertion Document (TAD) 1. Purpose A fundamental requirement of Participants in the Canadian Access Federation is that they assert
More informationAuthentication for Virtual Organizations: From Passwords to X509, Identity Federation and GridShib BRIITE Meeting Salk Institute, La Jolla CA.
Authentication for Virtual Organizations: From Passwords to X509, Identity Federation and GridShib BRIITE Meeting Salk Institute, La Jolla CA. November 3th, 2005 Von Welch vwelch@ncsa.uiuc.edu Outline
More informationINCOMMON FEDERATION: PARTICIPANT OPERATIONAL PRACTICES
INCOMMON FEDERATION: PARTICIPANT OPERATIONAL PRACTICES Participation in the InCommon Federation ( Federation ) enables a federation participating organization ("Participant") to use Shibboleth identity
More informationINCOMMON FEDERATION: PARTICIPANT OPERATIONAL PRACTICES
INCOMMON FEDERATION: PARTICIPANT OPERATIONAL PRACTICES Participation in the InCommon Federation ( Federation ) enables a federation participating organization ("Participant") to use Shibboleth identity
More informationNET+ INFRASTRUCTURE AND PLATFORM SERVICES PORTFOLIO STATUS & UPDATE
NET+ INFRASTRUCTURE AND PLATFORM SERVICES PORTFOLIO STATUS & UPDATE Andrew Keating, Sean O'Brien, and Sara Jeanes NET+ Cloud Services 2014 Internet2 NET+ IPS Portfolio Update CONTENTS Goals and Updates
More informationITU-T SG 17 Q10/17. Trust Elevation Frameworks
ITU-T SG 17 Q10/17 Trust Elevation Frameworks Abbie Barbir, Ph.D. ITU-T SG 17 Q10 Rapporteur Martin Euchner SG 17 Advisor ITU Workshop on "Future Trust and Knowledge Infrastructure July 1 2016 Contents
More informationINCOMMON FEDERATION: PARTICIPANT OPERATIONAL PRACTICES
INCOMMON FEDERATION: PARTICIPANT OPERATIONAL PRACTICES Participation in InCommon Federation ( Federation ) enables the participant to use Shibboleth identity attribute sharing technologies to manage access
More informationThe EGI AAI CheckIn Service
The EGI AAI CheckIn Service Kostas Koumantaros- GRNET On behalf of EGI-Engage JRA1.1 www.egi.eu EGI-Engage is co-funded by the Horizon 2020 Framework Programme of the European Union under grant number
More informationWhat s New and What s Next
Trust and Identity in Education and Research (TIER) What s New and What s Next Jim Jokl Keith Hazelton Bill Thompson Tom Jordan Kevin Morooney Ann West Steve Zoppi (University of Virginia), Chair/TIER
More informationSAML-Based SSO Solution
About SAML SSO Solution, page 1 Single Sign on Single Service Provider Agreement, page 2 SAML-Based SSO Features, page 2 Basic Elements of a SAML SSO Solution, page 3 Cisco Unified Communications Applications
More informationCanadian Access Federation: Trust Assertion Document (TAD)
Purpose A fundamental requirement of Participants in the Canadian Access Federation is that they assert authoritative and accurate identity attributes to resources being accessed, and that Participants
More informationCanadian Access Federation: Trust Assertion Document (TAD)
Participant Name: Concordia University of Edmonton Canadian Access Federation: Trust Assertion Document (TAD) 1. Purpose A fundamental requirement of Participants in the Canadian Access Federation is that
More informationCanadian Access Federation: Trust Assertion Document (TAD)
Participant Name: CARLETON UNIVERSITY Canadian Access Federation: Trust Assertion Document (TAD) 1. Purpose A fundamental requirement of Participants in the Canadian Access Federation is that they assert
More informationINCOMMON FEDERATION: PARTICIPANT OPERATIONAL PRACTICES
INCOMMON FEDERATION: PARTICIPANT OPERATIONAL PRACTICES Participation in the InCommon Federation ( Federation ) enables a federation participating organization ("Participant") to use Shibboleth identity
More information