University of Cincinnati Federated Identity Strategy

Federated identity management (FIM) allows two or more organizations to link their networks, providing greater security and access to appropriate resources. FIM offers a standards-based means of achieving these goals by enabling one organization (the identity provider) to provide information about a managed identity to another organization (the identity consumer, service or resource provider). Each organization included in the "community of trust" tracks the identities of the individuals most central to it: employees and close contacts. Once these individuals have been authenticated by their own organizations, they can access the other organizations' resources without being required to re-authenticate. The higher education community is one of the early adopters of FIM technologies. The primary driver is that higher education researchers form communities based on subject matter that transcends institutional boundaries, and they seek to share scarce resources such as libraries or expensive laboratory equipment. A researcher is often less interested in intra-institutional collaboration than in inter-institutional peer-to-peer collaboration. It's important to recognize that many enterprises already provide identity information to their trusted partners and resource providers in manual form. For example, researchers currently sharing data via specialized applications between Children's Hospital Medical Center and the University of Cincinnati must work each access request individually within their respective IT environments. This manual process may include transmission and storage of personally identifiable information. Furthermore, the process can be cumbersome and is prone to breakdown when problems arise, because no formal mechanism is in place between the entities, which can lead to ownership issues in the troubleshooting process.
Implementing federated identity solutions from the top down does not work well; rather, a real business need must drive adoption. That said, Children's Hospital Medical Center's research environment engaged an external consultant to inventory servers and applications, map data flow between applications and clients, review current identity management practices, and design a high-performance network link between Children's and UC. Children's requested that UCit participate in this engagement, and one of the strategies recommended by the engagement is to implement a FIM system between the entities. See appendices B and C.
Partners in a FIM system depend on each other to authenticate their respective users and vouch for their access to services. In a federation, when a user accesses a federated partner's resource that requires authentication, the organization that owns the resource does not authenticate the user; instead, the user's home organization authenticates them and sends a token of approval to the federated partner. This means the user's personal information for authentication is stored in only one place rather than across several different organizations. It also decreases the amount of personally identifiable information for which organizations are liable. There is less risk of identity theft or leakage of personally identifiable information in this system, because the information is stored only with the home organization and users typically have to remember only one password instead of a different one for each organization. In general, federation provides many benefits to users and organizations. It is proving to be an effective way to lower the risk of identity theft, give users a much easier online experience, and deliver users easy access to a greater number of valuable resources. The fewer times a specific identity must be managed, the more efficient the entire system. On a technical level, companies can share applications without needing to adopt the same technologies for directory services, security and authentication. Within companies, directory services such as Microsoft's Active Directory or products using the Lightweight Directory Access Protocol (LDAP) such as Novell's eDirectory have allowed companies to recognize their users through a single identity. However, asking multiple companies to match up technologies or maintain full user accounts for their partners' employees is unwieldy. FIM allows companies to keep their own directories and securely exchange information from them.
Beyond our near-term need with Children's, as interest in e-learning increases it is accompanied by an increasing need to verify that online students are who they say they are. In addition, various affiliates of higher education, such as funders, contractors, and even parents, need access to institutional IT-based services. In many institutions, up to 30% of user accounts are provisioned manually for these affiliates because the source is not the HR or student information system. Additional affiliate groups are made up of exchange students or alumni who may or may not be currently enrolled in the university. Due to the number of affiliates and alumni, the total number of actively managed accounts is often significantly larger (for UC around 195,000) than the number listed in the HR or student information system. For a complete breakdown of identities refer to Appendix A.
FIM works by creating a trust system between organizations. These trusts are called federations. Federation is a sort of perimeter mechanism that sits at the edge of the network and shares identity information with other federation mechanisms where a trust relationship exists. The federation technology creates or gathers the trust assertions that must be made when an internal user wishes to access an external resource, or vice versa. Federation can therefore be viewed as an extension of identity management principles beyond the borders of the enterprise. Globally there are a number of initiatives underway; domestically, the U.S. federal government has launched one of the largest initiatives with its e-authentication project. Higher education's initiative is known as InCommon and has over 2.2 million end users participating in an open source effort. While these two domestic examples follow separate federation approaches, InCommon is linked to a number of primary government funding agencies to provide improved convenience and identity administration efficiencies when education institutions access government data and apply for grants. The list of vendors in this space includes CA, EMC, IBM, Liberty Alliance, Microsoft, Novell, Oracle, Ping Identity and Sun Microsystems. It is not feasible to evaluate all vendors, so UCit recommends limiting the evaluation to those vendors currently integral to our identity management system. We would like to limit the evaluation to Microsoft, Novell and InCommon's Shibboleth open source solution for the following reasons. Novell's eDirectory currently serves as the global directory structure and root of our existing identity management system. Underneath this Novell root structure sits an extensive Microsoft Active Directory environment. Both Novell's and Microsoft's federation services were built with interoperability in mind.
They are based on industry standards, which allows for interoperability across multiple platforms and programming languages. There is also another interesting open source solution, Shibboleth, which is geared toward higher education. Shibboleth simply sits on top of whatever directory service is in use and adds the federation services, so that policies can be defined for external trusts.
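To make the token-of-approval exchange described above concrete, here is an added example (not code from the University of Cincinnati, Children's, or the Shibboleth project) of a simplified identity provider and service provider. It assumes constructed entity ids and a shared HMAC key standing in for the X.509-signed SAML assertions and federation metadata a Shibboleth federation would actually use.

```python
import base64, hashlib, hmac, json, time

# Constructed trust relationship for this example: the identity provider (the
# user's home organization) and the service provider (the partner) exchange a
# key out of band when the federation is set up. Real Shibboleth/SAML federations
# use X.509-signed XML assertions; an HMAC over a JSON payload stands in here.
IDP_ID = "https://idp.uc.example"
SP_ID = "https://sp.chmcc.example"
TRUSTED_IDPS = {IDP_ID: b"constructed-demo-key"}

def b64(data: bytes) -> str:
    return base64.urlsafe_b64encode(data).decode().rstrip("=")

def unb64(text: str) -> bytes:
    return base64.urlsafe_b64decode(text + "=" * (-len(text) % 4))

def issue_assertion(key: bytes, audience: str, subject_id: str,
                    affiliation: str, now: int, lifetime: int = 300) -> str:
    """IdP side: after authenticating the user locally, issue a signed assertion
    releasing only a pseudonymous subject id and an affiliation, never the password."""
    claims = {"iss": IDP_ID, "aud": audience, "sub": subject_id,
              "affiliation": affiliation, "iat": now, "exp": now + lifetime}
    body = b64(json.dumps(claims, sort_keys=True).encode())
    sig = b64(hmac.new(key, body.encode(), hashlib.sha256).digest())
    return body + "." + sig

def verify_assertion(token: str, my_entity_id: str, now: int) -> "dict | None":
    """SP side: accept the assertion instead of re-authenticating; None if invalid."""
    try:
        body, sig = token.split(".")
        claims = json.loads(unb64(body))
        sig_bytes = unb64(sig)
    except ValueError:                   # malformed token, base64 or JSON
        return None
    if not isinstance(claims, dict) or claims.get("iss") not in TRUSTED_IDPS:
        return None                      # issuer is not a federation partner
    expected = hmac.new(TRUSTED_IDPS[claims["iss"]], body.encode(), hashlib.sha256).digest()
    if not hmac.compare_digest(expected, sig_bytes):
        return None                      # tampered or forged
    if claims.get("aud") != my_entity_id:
        return None                      # issued for a different partner
    if not (claims.get("iat", 0) <= now < claims.get("exp", 0)):
        return None                      # expired or not yet valid
    return claims

if __name__ == "__main__":
    t = int(time.time())
    tok = issue_assertion(TRUSTED_IDPS[IDP_ID], SP_ID, "u-4f2a", "faculty", t)
    print(verify_assertion(tok, SP_ID, t))
```

The audience and expiry checks are what keep an assertion issued for one partner from being replayed at another; the service provider never sees the user's credentials, only the claims the home organization chose to release.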
Appendix A: Affiliation Counts at the University of Cincinnati

Primary Affiliation          Count
Student (Active)            67,629
Staff                        4,392
Faculty                      6,136
Non-UC Student Worker           58
Emeritus                       414
Affiliate                    6,042
Non-Employee Faculty           465
Student (Inactive)         110,015
Total Active Affiliations  195,151
Appendix B: CHMCC & UC Future State Network Diagram

[Network diagram: a private gigabit link carrying traffic between CHMCC and UC, alongside the existing fiber connection retained for I1/I2 use and OARnet (State of Ohio ISP) as CHMCC's primary ISP; the CHMCC IS firewall, DMZ, research servers and research data sit on one side, the UC border firewall/router, UC internal network and UC sites (GRI, CSTCC, Main, Xavier, HPB, Sanders, CERF) on the other.]
Appendix C: CHMCC Future State Provisioning