Introduction to Identity Management Systems

Transcription

1 Introduction to Identity Management Systems Ajay Daryanani Middleware Engineer, RedIRIS / Red.es Kopaonik, 13th March

2 Outline 1. Reasons for IdM 2. IdM Roadmap 3. Definitions 4. Components and features 5. Tools and protocols 2 2

3 Peter Steiner. The New Yorker, 5th July

4 Outline 1. Reasons for IdM 2. IdM Roadmap 3. Definitions 4. Components and features 5. Tools and protocols 4 4

5 Reasons for IdM: User s view Users WANT to: Check their reports Use the Register for a course Borrow a book from the library Use university s Internet connection Read the documentation of a course 5 5

6 Reasons for IdM: User s view and they WANT all this: Easily Safely Quickly In a flexible way Remotely Personalized any more? 6 6

7 Reasons for IdM: Admin s view System administrators HAVE to: Provide advanced services to their customers Safely Quickly Within the budget In a flexible way Improving corporative image and according to national laws! 7 7

8 Reasons for IdM: Admin s view and for this, they HAVE to: Manage hundreds/thousands of entries Manage several services Map users to services (1..N, 1..M) Use standards Include all possible use cases Understand and apply the law without losing their private lifes :-D 8 8

9 Outline 1. Reasons for IdM 2. IdM Roadmap 3. Definitions 4. Components and features 5. Tools and protocols 9 9

10 IdM Roadmap: First steps The simplest case - Few users - One application - Solutions: - DB - Whitelist - BasicAuth 10 10

11 IdM Roadmap: Childhood Growing up a bit - Several users - One/more applications - May require different access roles (admin, student, professor) - Solution: directories 11 11

12 IdM Roadmap: Maturity And more - Several users - Several applications - Same login for all services: Unified Login - Avoiding re-authentication: Single Sign-On 12 12

13 IdM Roadmap: Going beyond And more (out of scope of this workshop) - Several users / apps - Several domains - Example: different universities, same country - Solution: federations 13 13

14 IdM Roadmap: The last border (?) And even more (far beyond this workshop) - Several users / apps / domains - Several federations - Example: different countries - Solution: confederations 14 14

15 Outline 1. Reasons for IdM 2. IdM Roadmap 3. Definitions 4. Components and features 5. Tools and protocols 15 15

16 Definitions: (Digital) Identity Represents the digital personality of a subject Subject represents a user (human/ machine) Personality is defined by means of attributes MUST be unique for a given domain MUST preserve user privacy! It s your key for accessing the digital world 16 16

17 Definitions: (Digital) Credentials Identity is proved through credentials Examples: Real life: Birth certificate Fingerprint Digital life: Password X.509 certificate 17 17

18 Definitions: Attribute Models a characteristic of the subject s personality It is often viewed as a name/value(s) pair Valid attribute names (and values) are defined in a schema Used for access control, personal information, privacy, Example: namespace: urn:mace:terena:org:schac Attribute name: schacsn1 Attribute value: Daryanani 18 18

19 Definitions: Authentication Process of proving that a subject is who he claims to be It verifies user identity Conveyed by means of credentials and obtaining authentication token(s) Example of tokens: Real life: ID card Passport Digital life: Cookie Kerberos ticket 19 19

20 Definitions: Authorization Process of deciding if a user A is entitled to access service B 3 main profiles: Authentication = authorization Identity + attributes Negotiation on attributes to be exchanged Authorization can be simple Profile 1 If (group = X) then accept Or as complex as you want 20 20

21 Definitions: Unified Login System that allows using the same identity for several services Does not imply unified authentication Example: Using same username/password for webmail and Intranet Improves usability Eases identity management Targeted mainly for intra-domain services 21 21

22 Definitions: SSO Single Sign-On (SSO) is the process of authenticating once for all the accessible services Can also be interpreted as the mechanism for not reauthenticating Between sessions on same application Between different applications Authentication status is usually maintained through cookies (in web environment) 22 22

23 Outline 1. Reasons for IdM 2. IdM Roadmap 3. Definitions 4. Components and features 5. Tools and protocols 23 23

24 Components: Simple picture Borrowed from: JISC (UK) 24 24

25 Components: Complex picture Borrowed from: JISC (UK) 25 25

26 Components: Identity Management Architecture Borrowed from: Enterprise directory implementation Roadmap, NMI (US) 26 26

27 Components: Metadirectory Used to synchronize information from different data sources Provides unified view of records maintained at data sources Feeds the directory/directories Other features Control flow of information Data transformation Data correlation Person identification 27 27

28 Components: Directory Centralized information repository Deep hierarchy Optimized for read access Can provide different views of the same information Directories need Schema Attribute values Identifiers 28 28

29 Components: Data Sources Repositories where data is actually written An institution may have several sources Alumni Payroll Departamental DBs Relational databases are an example of data sources Offer better write/update perfomance (vs. directories) 29 29

30 Components: Provisioning Its the process of managing an identity Includes Adding an account Modifying Suspending Resuming De-provisioning implies ending the lifecycle of an identity Resources can also be provisioned 30 30

31 Components: Trust Do not trust anyone until it proves to be trustworthy! Should be maintained between a user and his identity holder But also between your identity holder and identity consumers Implies: Dependance on the trusted party Reliability of the trusted party Risk!!! 31 31

32 Components: Management Interfaces Administrators also have needs! Provide means for information homogeneization Component from different parties are not always meant for cooperating with others Administrators may need tailored functionality IdM can be overwhelming :-D Allow users to manage (partially) their data => self-service 32 32

33 Components: Diagnostics What if something fails? IdM comprises different data sources and interaction between them Useful mechanisms for diagnostics are auditing and logging IdMs lack features on diagnostics Although some propietary solutions include diagnostic tools Recommendations: Log, log, log!!! Create custom management interfaces Do a good design 33 33

34 Components: Security and usability IdMs enhance security For identities ARPs Data protection rules For applications Trust Cryptography De-provision But users are humans (and make mistakes: phishing!) IdMs improve user experience and satisfaction 34 34

35 Components: AAIs Authentication and Authorization Infrastructures (AAIs) All we have seen up to now is now viewed as an IdP (Identity Provider) As an opposition to an SP (Service Provider) New actor: Attribute Authorities AAIs include communication protocols and profiles to connect these components Usually include SSO, federation capabilities 35 35

36 Components: AAIs No user registration and user data maintenance at resource needed Single login process for the users Enlarged user communities for resources Efficient implementation of interinstitutional access 36 36

37 Outline 1. Reasons for IdM 2. IdM Roadmap 3. Definitions 4. Components and features 5. Tools and protocols 37 37

38 Tools and protocols: Provisioning Resource provisioning is the provisioning of identities to systems and services where the identity has access to use SPML Open standard protocol for the integration and interoperation of service provisioning requests It s an OASIS standard

39 Tools and protocols: Trust Public Key Infrastructures (PKIs) Certificates are based on public key Enables for a digital certificate identifying an individual or an organization to be: Issued Revoked Validated Composed of: Root CA Certificate Authority (CA) Registration Authority (RA) Directory to store user certificates Certificate revocation lists (CRLs) 39 39

40 Tools and protocols: Feds and more Software for building federations Shibboleth: PAPI: A-Select: Liberty Alliance protocols Federation interoperability software edugain edugain.ppt 40 40

41 Tools and protocols: IdM suites Sun Microsystems offerings.jsp Oracle IBM Novell

42 IdM References The Open Group: Identity Management 40/9784/idm_wp.pdf Identifiers, Authentication, and Directories: Best Practices for Higher Education Wikipedia and Google, of course 42 42

43 Edificio Bronce Plaza Manuel Gómez Moreno s/n Madrid. España Tel.: / 25 Fax: