New trends in Identity Management

Transcription

1 New trends in Identity Management Peter Gietz, DAASI International GmbH Track on Research and Education Networking in South East Europe, Yu Info 2007, Kopaionik, Serbia 14 March

2 Agenda Introduction to (Federated) Identity Management Standards in IdM IdM and Grid Computing 2-2 (c) March 2007 DAASI International GmbH

3 Introduction to (Federated) Identity Management 2-3

4 The dark world before Identity Management Historically grown IT infrastructures and processes Isolated directories and data bases contain the same information about persons (staff, students, etc.) No interaction and no trust between the systems No overall view on the whole infrastructure and data Every application has its own user management, every new application makes things worse Such redundancy of data and administration means higher costs 2-4 (c) March 2007 DAASI International GmbH

5 more deficiencies Processes for provisioning accounts are very slow User get access to resources too late Even worse: users keep access rights after leaving the university There is no real security in this chaos 2-5 (c) March 2007 DAASI International GmbH

6 IdM is the solution Definition of Spencer C. Lee: Identity Management refers to the process of implementing new technologies for the administration of information on the identities of users and of access control to resources The aim of identity management is to increase productivity and security while reducing the costs of managing users, their identities, attributes and access rights 2-6 (c) March 2007 DAASI International GmbH

7 Was is new then? User management exists since the early times of computing etc/passwd in Unix is also user management! So the problems are old Identity Management Systems take care, so you have to develop a concept for your entire IT infrastructure data come from authoritative sources and don't have to be administrated redundantly user management becomes highly automated IT processes synchronize information from data sources to applications so that access to resources can be granted quickly but also are taken away immediately after the user leaves the organisation 2-7 (c) March 2007 DAASI International GmbH

8 Components of IdM Data sources and applications Directories are a central component, which store identity information, passwords, policy Standards: X.500, LDAP As metadirectories they are used as the base for the synchronization of data, for identifying persons, and for password management Connectors do the actual data synchronization, data conversion and logging of the processes Auditing tools provide the overview 2-8 (c) March 2007 DAASI International GmbH

9 What do you get from IdM? You have identities instead of accounts The student who is also staff member is stored under the same identity This increases the personalisation functionality Unified Login / Single Log On Integrative central user management Application can directly use LDAP data or be provisioned with account information Users only have to remember one password Single Sign On User only have to authenticate once per day Single Log Off with one log off process all open sessions are being closed 2-9 (c) March 2007 DAASI International GmbH

10 Federated Identity Management Definition of Peter Valkenburg, et.al (SURF): Collective term for all processes, standards and technologies, which support the exchange of identity data across organisational borders The user data have only to be stored at the home organisation There are two main functionalities (roles of organizations): Identity Provider (IdP), connected to the local user management of the home organizations, provide authentication status and attribute information Service Provider (SP), use these information to make decisions about access to resources 2-10 (c) March 2007 DAASI International GmbH

11 What is needed for Federated Identity Management? Requirement is a federated trust model, organized by contracts between IdPs and SPs. It is best to have an intermediate organisation (e.g. NRN) to prevent n to n contracts to manage central services that provide authoritative meta data about the members of the federation Agreement on a set of authorization attributes interesting attributes are edupersonaffiliation, edupersonentitlement, edupersontargetedid A certain standard in IdM of the participating organisations FidM technologies are, e.g., Liberty Alliance, Shibboleth, WS-Security 2-11 (c) March 2007 DAASI International GmbH

12 Motivation for Federated Identity Management Students become more and more mobile and want to study at different universities Course of studies have to become more compatible, so that (con)federations can support the Bologna process Research gets more and more internationally interconnected escience und Grid-Computing Researchers from different universities need access to distributed resources licenses for data base usage, etc. often need detailed attributes about users is the user student of the faculty of physics? such questions can be answered without loosing privacy 2-12 (c) March 2007 DAASI International GmbH

13 Standards for FIdM 1 LDAP (Lightweight Directory Access Protocol) IETF-Standard for storage of person information and for authentication processes SAML (Security Assertion Markup Language) (OASIS) XML-Documents contain assertions about user: Authentication Statements (when and how did a user authenticate) Authorization Statement (what is the user allowed to access) Attribute Statement (what attributes, roles, etc. does the authenticated user have) Profiles specify how assertions are exchanged between IdP and SP 2-13 (c) March 2007 DAASI International GmbH

14 Standards for FidM 2 XACML (extensible Access Control Markup Language) (OASIS) XML-Documents contain messages about authorization decisions or policies SPML (Service Provisioning Markup Language (OASIS) XML-Documents contain account information in a standardized way so that they can be exchanged across organizational borders. SOAP (Simple Object Access Protocol) XML-Protocol for exchanging all those XML documents between IT-processes on different networks (RPC with XML means) Web Services paradigm 2-14 (c) March 2007 DAASI International GmbH

15 Federations implemented with Shibboleth Shibboleth Production ready open source software for implementing SAML based federations Created by the US higher education community (Internet2/MACE, NMI) Supports Single Sign On More and more applications get shibbolized It is very concerned with privacy Attribute release policies defined by IdP and by the single user EU data protection directive (95/46/EC) can be fulfilled New features like Single Logout will be available in Shibboleth 2.0 Compatibility with Liberty Alliance is also on its way (c) March 2007 DAASI International GmbH

16 Shibboleth 2-16 (c) March 2007 DAASI International GmbH

17 Shibboleth and Grid Computing Shibboleth also got noticed in the Grid Computing communities Grid uses PKI certificates for authentication difficult task if user base grows Shibboleth may help here GridShib is an implementation of Shibboleth for the Web Services based open source grid Infrastructure Globus Toolkit Virtual Organisations (VOs), like international research projects share grid resources (CPUs, Storage, Services) need federated Identity management 2-17 (c) March 2007 DAASI International GmbH

18 Alternatives PAPI created by RedIRIS (Spain) interorganizational Access control leaving authentication at the home organisation interoparable with shibboleth see A-Select created by Surfnet (Netherlands) framework where users can be authenticated by several means with Authentication Service Providers see (c) March 2007 DAASI International GmbH

19 Who uses Shibboleth in Europe? SWITCH-AAI in Switzerland HAKA in the Finish Research network Denmark is starting UK started pilots on Shibboleth DFN-AAI will become productive this year D-Grid (German Grid community) is partly using it already TERENA played a major role in creating consciousness about FidM and products like shibboleth TERENA Task Force EMC2 (European Middleware Coordination and Cooperation) Sub activity SCHAC for common European schema TERENA campus middleware workshops 2-19 (c) March 2007 DAASI International GmbH

20 References TERENA task forces: Good information resources at SwitchAAI: Internet (c) March 2007 DAASI International GmbH

21 Thank you for your attention! QUESTIONS? For later questions: DAASI International GmbH (c) March 2007 DAASI International GmbH