Do I Really Need Another Account? External Identities for Campus Applications

Transcription

1 Do I Really Need Another Account? External Identities for Campus Applications Dedra Chamberlin, Cirrus Identity Eric Goodman, University of California Todd Haddaway, UMBC Tom Jordan, University of Wisconsin-Madison David Walker, Internet2

2 Overview Introduction The Problem What Do We Want from External IDs? Trustworthiness of External IDs? Criteria for Evaluating External ID Providers Parent Access at UMBC

3 External users... What to do?

4 Your Campus Services Campus SSO Campus Attributes (LDAP, AD, RDBMS) Campus Credentials

5 Your Campus Services Campus SSO External Users Campus Attributes (LDAP, AD, RDBMS) Campus Credentials

6 Learning Management System Campus SSO What about: Auditors Guest Faculty Continuing Education Students Campus Attributes (LDAP, AD, RDBMS) Campus Credentials

7 Student Systems/ERPs Campus SSO What about: Student Applicants Parents - Tuition and Housing Applicants Volunteers Contractors Campus Attributes (LDAP, AD, RDBMS) Campus Credentials

8 Research Collaboration Campus SSO What about: Private sector researchers Freelance scholars Global partners Campus Attributes (LDAP, AD, RDBMS) Campus Credentials

9 Alumni Engagement Campus SSO What about: Alumni members External donors Campus Attributes (LDAP, AD, RDBMS) Campus Credentials

10 Your Campus Services Campus SSO Campus Attributes (LDAP, AD, RDBMS) Campus Credentials

11 Where Do Guests Go?

12 Where Do Guests Go?

13

14

15

16

17 Verification

18

19

20 One Year Later

21

22

23 External Identities A Better Way? Reduce Friction for Customers Reduce IT costs Reduce helpdesk costs

24

25

26 What do we want out of External IDs? Use Cases

27 External Identities Working Group Ran from August 2014 to June 2015 External Identities Working Group Report The mission of the External Identities Working Group was to move the community of knowledge towards the goal of making external identities useful and sufficiently trusted in a variety of campus-based use cases.

28 External ID use case characteristics that inform implementation approach Longevity of the association One-off vs. long term Stability requirements Risk associated with the use case Appropriateness of external processes Level of Assurance matching Level/scope of integration...

29 Why use External Identities? Outsource passwords or other authentication mechanisms Don t manage passwords here Application still manages profiles User Profiles Campus User Profile External User Profile Application Accounts Campus Accounts External Accounts Application Campus IDM External IDs Leverage these passwords instead

30 Outsourced passwords Application not managing passwords Application still manages profiles User Profiles Campus User Profile External User Profile Application Accounts Campus Accounts External Accounts (Or other authentication) Simpler experience for user in many cases External providers may be better able to manage than local provider Application Campus IDM Leverage these passwords instead External IDs

31 Why use External Identities? Outsource user profiles or portions of them Get user details from here Try not to manage user information here User Profiles Campus User Profile External User Profile Application Accounts Campus Accounts External Accounts Application Campus IDM External IDs

32 Outsourced Profile Management Get user details from here Try not to manage user information here Decentralized user management User Profiles Campus User Profile External User Profile Application Accounts Campus Accounts External Accounts Avoids stale user data Delegates attribute or entitlement based authz May be more in concept than reality today Application Campus IDM Primarily useful for basic user info Name, , possibly affiliations Differences between social and federated IDs External IDs

33 Why use External Identities? Link to Internal Identities To support alternative access for users Track when external identities belong to an internal person, to support alternate access or features User Profiles Campus User Profile External User Profile Application Accounts Campus Accounts External Accounts Application Campus External IDs

34 Linked Accounts Track when external identities belong to an internal person, to support alternate access or features Map internal profile and external login User Profiles Campus User Profile External User Profile Application Accounts Campus Accounts External Accounts User convenience (allow use External IDs Application Campus of social ID login) Provides additional login option On/offboarding scenario support (alumni, applicants) Consistent profile across service suite COManage, Campus Identity Useful for Social IDs with directed identifiers Guest management

35 Supporting External Identities Minimizing impacts, maximizing flexibility for applications Services that can wrap or blend campus and external providers in useful ways User Profiles Campus User Profile External User Profile Application Accounts Campus Accounts External Accounts Application Campus External IDs

36 Supporting External Identities Valuable IAM-wide capabilities Protocol conversion OAuth->SAML, etc. Attribute mapping E.g., FB ID/Google ID->ePPN User Profiles Campus User Profile External User Profile Application Accounts Campus Accounts External Accounts Application Campus Invitation services (provisioning support) Account linking services Externalized authorization Provides common support for internal and external users Use of gateways and independent services External IDs

37 Trustworthiness of External Identities

38 Are External IDs Trustworthy? Historically considered less trustworthy than internal identities, but this is not necessarily true...they are trustworthy enough for many purposes, and...there are ways to make them more trustworthy

39 Factors Affecting Trustworthiness Authentication strength Complex passwords? Multi-factor? Identity vetting (and re-vetting) Reassignment of accounts and identifiers Attributes collected and released Are they accurate and kept up to date? Security and privacy policy and practice Frequency of audits

40 When Are External IDs Trustworthy? It depends on the application. For example, We may not require strong authentication methods. Identity vetting may not matter. We may care only that the same person continues using the service. The external ID may be introduced by someone we trust. The same question should be asked of internal IDs

41 Enhancing Trust in External IDs Link multiple IDs to achieve greater overall trust. For example, An institution with good identity vetting but no multifactor authentication links Duo with their internal identities. A distributed institution contracts with an identity service that provides strong identity vetting and links with internal identifiers.

42 Account Recovery for External IDs When linked to an internal ID, there is probably sufficient information to re-establish trustworthy linking, or create linking to a new external ID. When not linked to an internal ID, there may be a business continuity issue, depending on the reliability / trustworthiness of the external account recovery process.

43 Criteria for Evaluating External Identity Providers

44 Trustworthiness Account management Are identifiers re-assigned? What are the password requirements? Is multi-factor supported? Identity vetting Is there any vetting? What attributes are collected, and are they vetted? Is there periodic re-vetting? Authentication policies Attribute release and consent Directed vs. global identifiers Support for communication of authentication contexts

45 Operations Protocol support Protection of secrets Privacy practices Incident response practices API limits

46 Business partnership Company mission Importance of identity Privacy focus Commercial vs. non-commercial motivations Certifications and audits Viability and sustainability of business model Liability and Indemnification Licensing Alignment with campus strategy and policy Impact of pricing model on end-users

47 Parent Access at UMBC Todd Haddaway

48 The Good Ol Days 48

49 College Life?? des a r G? es? s s l s l i a l B at C? Wh ooooo l Hel

50 Parent Access to Student Information (Social Identities at UMBC) Requested by parents at every summer orientation session Added functionality in our web portal using PeopleSoft web services Students use an invitation system to grant or revoke access Using Google and Facebook credentials via Cirrus Identity s Social-to-SAML gateway Access to information becomes an issue between the student50 and their parent

51 Policies? OR Drown in policy meetings Roll out software before we understand the implications

52 Social Identities at UMBC Parent access walk through 52

53 [ 53 ]

54 2015 Internet2 [ 54 ]

55 2015 Internet2 [ 55 ]

56 2015 Internet2 [ 56 ]

57 2015 Internet2 [ 57 ]

58 2015 Internet2 [ 58 ]

59 2015 Internet2 [ 59 ]

60 2015 Internet2 [ 60 ]

61 2015 Internet2 [ 61 ]

62 2015 Internet2 [ 62 ]

63 2015 Internet2 [ 63 ]

64 FERPA? Student Billing and Financial Aid offices want consistency between phone contact and online profile sharing Need to add the same language to online Profile Sharing as the current paper form The university legal office is currently simplifying our FERPA language for use on the Profile page 64

65 Current Paper Form 65

66 Profile Sharing Lookup 66

67 Social Identities at UMBC What s next? Student finances View account balance and details Financial Aid View awards and award status Advising sessions - View notes taken during Applicants and Admits 67

68 Our initial use case Student / Parent Financial Portal Allows authorized payer access to billing data Integration with 3rd party (Cashnet) Invitation-based Establishes a relationship Creates persistent identity

69 SPFP Application Workflow

70 Other key areas of activity Policy Definition Which providers Which applications What levels of assurance? What controls Development of External API for apps Consultation with strategic partners / governance groups

71 Other Outstanding Requests Alumni / Former Students Transcripts / Student Records Guest wireless users Continuing Education students Certification / Licensure (Education, Nursing) Services to Federations (Wisconsin, InCommon, R&S)