Extending Services with Federated Identity Management

Transcription

1 Extending Services with Federated Identity Management Wes Hubert Information Technology Analyst

2 Overview General Concepts Higher Education Federations eduroam InCommon Federation Infrastructure Trust Agreements Processes

3 Common IdM Terms Identifier: A name that identifies a unique person, group, or object Authentication: Verification of an identity Authorization: Granting access to a specific resource Identity Management: Control of identifiers, authentication, authorization

4 Federation: An organization whose members are organizations with some degree of internal autonomy

5 Actors User (principal, supplicant, client, etc) Identity Provider (IdP) Service Provider (SP)

6 Actors User (principal, supplicant, client, etc) Initiates the request for a service Identity Provider (IdP) Authenticates user identity Maintains a directory of vetted users Service Provider (SP) Authorizes (or denies) access Based on information provided by IdP

7 Federated Identity Management Provides portability of identity information across organizations Manages trust between administratively separate IdP and SP Protects privacy of identity information

8 Examples Higher Education eduroam InCommon Public OpenID Yahoo! Google...

9 eduroam education roaming Secure network access service (wi-fi) Research and education community Thousands of institutions worldwide

10 eduroam Sites

11 eduroam London Sites

12 eduroam US Sites

13 KU wi-fi prior to eduroam JAYHAWK Primary campus wi-fi Requires KU Online ID authentication KUGUEST Rate limited, restricted ports KU-Passport Sponsored short-term access

14 eduroam Provides travelers secure network access at participating institutions without obtaining guest credentials Removes the need for institutions to provision wi-fi credentials for visitors

15 Select SSID eduroam

16 Log in with home credentials

17 Start VPN (Optional)

18 eduroam More later on How it works Why it is secure

19 InCommon Internet2-based research and education identity management federation 347 Higher Education Participants 28 Government, Labs, Non-profits, etc. 139 Sponsored Partners» (April 2013)

20 InCommon Provides privacy-preserving trust fabric Higher education Sponsored partners Identity management federation Certificate service Multifactor authentication service Assurance program

21 InCommon IdM Federation About 300 identity providers More than 6 million end users Sample services EDUCAUSE federated login Internet2 FileSender service

22 Federated Login: EDUCAUSE Alternative to EDUCAUSE-specific login Eliminates need for remembering an EDUCAUSE-specific password

23 EDUCAUSE Federated Login On screen click Login >

24

25 In Federated Login section click Log in Using InCommon

26

27 Select home campus identity provider

28 Home system presents the login page

29 ... and you re logged in to EDUCAUSE

30 Can verify login page via https URL

31 Can verify login page via https certificate

32 Internet2 FileSender Service Service for sharing large files Initiated by federation member Usable by anyone Operated by Internet2

33 FileSender Service

34 Select home system for authentication

35 Select home system for authentication

36 Text Entered Limits Selection List

37 Easy Reuse of Previous AuthN System

38 Login On Home System

39 Information About File to be Shared

40 Notification of Shared File

41 Generate A Guest Voucher

42 What s behind the curtain? Management of users by IdP Vetting of user identities Common attributes known to IdP/SP Secure connection between IdP/SP Identity of communicating systems Specification of attributes to send Encrypted transfer of required attributes

43 Trust Points Two primary trust relationships Between user and IdP Between IdP and SP Both are bidirectional User ultimately depends on both Details specific to each federation

44 How Is Trust Established? User Trust for InCommon Authentication Communicates with home system as IdP Based on trust established during ID setup Authentication via familiar (home) login Can verify site using https URL address bar Server certificate

45 How Is Trust Established? InCommon IdP/SP Participant Operational Practices statement X.509 Certificate in Metadata XML Attribute Release Specifications Optional Higher Levels of Assurance Bronze Silver

46 POP Statement Attribute assertions to other participants Made at organization s executive level Issuing system assures appropriate risk management measures Information will be used only for purposes for which it is provided

47 POP Statement Federation Participant Information Identity Provider Information Service Provider Information Other Information

48 Participant Information Organization Links for ID management practices Privacy policy Contact information

49 Identity Provider Information Community Who can get IDs Who is identified as Member Credentials Administrative processes Technologies (UserID/password, PKI, etc.)

50 Identity Provider Information Electronic Identity Database Sources, update procedures What is considered public information? Own Use of Credential System Attribute assertions Privacy constraints

51 Service Provider Information What attributes are required to manage access decisions? Other use of attributes Controls on access and use of PII Controls on access management Actions taken in case of compromise

52 SAML Security Assertion Markup Language XML-based 3 roles Principal (user) Identity Provider (IdP) Service Provider (SP) Securely passes limited information between federated systems

53 Shibboleth Federated IdM software Internet2 Middleware Initiative project SAML-based SSO Controlled attribute release Privacy preserving Started in 2000, first release July 2003 Developed in parallel with InCommon

54 InCommon Metadata Submitted by site administrator Defines IdP and SP Entity X.509 certificate User interface, error handling SAML protocol endpoints Contacts

55 EDUCAUSE Attribute Release edupersonprincipalname surname givenname edupersonaffiliation

56 EDUCAUSE Attribute Release <!-- Release personal attributes required by EDUCAUSE --> <afp:attributefilterpolicy id="releasetoeducause"> <afp:policyrequirementrule xsi:type="basic:attributerequesterstring" value=" /> <afp:attributerule attributeid="edupersonprincipalname"> <afp:permitvaluerule xsi:type="basic:any" /> </afp:attributerule>... (other attribute specifications)... <afp:attributerule attributeid="edupersonaffiliation"> <afp:permitvaluerule xsi:type="basic:any" /> </afp:attributerule> </afp:attributefilterpolicy>

57 General Attribute Release <!-- Release edupersonaffiliation (and Scoped form) to anyone --> <afp:attributefilterpolicy id="releaseedupersonaffiliationtoanyone"> <afp:policyrequirementrule xsi:type="basic:any" /> <afp:attributerule attributeid="edupersonaffiliation"> <afp:permitvaluerule xsi:type="basic:any" /> </afp:attributerule> <afp:attributerule attributeid="edupersonscopedaffiliation"> <afp:permitvaluerule xsi:type="basic:any" /> </afp:attributerule> </afp:attributefilterpolicy>

58 InCommon Research & Scholarship Category Group shares common attribute release New SPs may be added No action required by IdP to access Currently (May 16, 2013) 12 SPs 51 IdPs FileSender is in this group

59 eduroam RADIUS Remote Authentication Dial-In User Service It s rarely for dial-in anymore Peers authenticate by IP & shared secret 802.1X PEAP Protected Extensible Authentication Protocol Server-side public key certificate authenticates

60 How Is Trust Established? eduroam user Pre-travel setup on home campus Establishes trusted connection to authentication server PEAP/WPA2 authentication Server name (e.g. adhome-lawc-04.home.ku.edu) X.509 certificate signed by trusted CA

61 eduroam Wi-Fi Profile

62 How Is Trust Established? eduroam IdP/SP Vetting when joining the federation RADIUS shared secret via encrypted X.509 Certificates Specific IP numbers and ports

63

64 Summary Federated identity management increases security and convenience It s all about Trust Trust between user and IdP Trust between IdP and SP

65 Levels of Assurance Office of Management and Budget M E-Authentication Guidance for Federal Agencies NIST

66 Levels of Assurance Level 1: Little or no confidence in the asserted identity s validity Level 2: Some confidence in the asserted identity s validity Level 3: High confidence in the asserted identity s validity Level 4: Very high confidence in the asserted identity s validity

67 Levels of Assurance Level 1 - Although there is no identity proofing requirement at this level, the authentication mechanism provides some assurance that the same Claimant who participated in previous transactions is accessing the protected transaction or data.

68 Levels of Assurance Level 2 - Level 2 provides single factor remote network authentication. At Level 2, identity proofing requirements are introduced, requiring presentation of identifying materials or information.

69 InCommon Assurance Profiles Bronze Corresponds to NIST Level 1 May replace POP Silver Corresponds to NIST Level 2 Requires audit review of procedures

70 Identity Ecosystem Steering Group (IDESG) Facilitate fulfillment of NSTIC goals

71 Objectives Privacy Security Interoperability Ease of use

72 IDESG Login Options

73 IDESG Login Selected

74 IDESG Login Completed

75 Related Links nistpubs/ /sp pdf PubsDrafts.html#SP