Extending Services with Federated Identity Management
Wes Hubert, Information Technology Analyst

Overview
- General Concepts
- Higher Education Federations
  - eduroam
  - InCommon
- Federation Infrastructure
  - Trust Agreements
  - Processes

Common IdM Terms
- Identifier: a name that identifies a unique person, group, or object
- Authentication: verification of an identity
- Authorization: granting access to a specific resource
- Identity Management: control of identifiers, authentication, and authorization
- Federation: an organization whose members are organizations with some degree of internal autonomy

Actors
- User (principal, supplicant, client, etc.)
  - Initiates the request for a service
- Identity Provider (IdP)
  - Authenticates user identity
  - Maintains a directory of vetted users
- Service Provider (SP)
  - Authorizes (or denies) access
  - Based on information provided by the IdP

Federated Identity Management
- Provides portability of identity information across organizations
- Manages trust between administratively separate IdPs and SPs
- Protects privacy of identity information

Examples
- Higher Education: eduroam, InCommon
- Public: OpenID, Yahoo!, Google...
eduroam (education roaming)
- Secure network access service (wi-fi)
- Research and education community
- Thousands of institutions worldwide
- http://www.youtube.com/watch?v=tvcmcmzs3ua

eduroam Sites

eduroam London Sites

eduroam US Sites

KU wi-fi prior to eduroam
- JAYHAWK: primary campus wi-fi; requires KU Online ID authentication
- KUGUEST: rate limited, restricted ports
- KU-Passport: sponsored short-term access

eduroam
- Provides travelers secure network access at participating institutions without obtaining guest credentials
- Removes the need for institutions to provision wi-fi credentials for visitors

Select SSID eduroam

Log in with home credentials

Start VPN (Optional)

eduroam: more later on
- How it works
- Why it is secure
InCommon
- Internet2-based research and education identity management federation
- 347 Higher Education Participants
- 28 Government, Labs, Non-profits, etc.
- 139 Sponsored Partners
(April 2013)

InCommon
- Provides a privacy-preserving trust fabric
  - Higher education
  - Sponsored partners
- Identity management federation
- Certificate service
- Multifactor authentication service
- Assurance program

InCommon IdM Federation
- About 300 identity providers
- More than 6 million end users
- Sample services
  - EDUCAUSE federated login
  - Internet2 FileSender service

Federated Login: EDUCAUSE
- Alternative to EDUCAUSE-specific login
- Eliminates the need to remember an EDUCAUSE-specific password
- www.educause.edu

EDUCAUSE Federated Login: on the http://www.educause.edu screen, click Login >

In the Federated Login section, click "Log in Using InCommon"

Select home campus identity provider

Home system presents the login page

... and you're logged in to EDUCAUSE

Can verify login page via https URL

Can verify login page via https certificate
Internet2 FileSender Service
- Service for sharing large files
- Initiated by a federation member
- Usable by anyone
- Operated by Internet2
- https://filesender.internet2.edu

FileSender Service

Select home system for authentication

Text Entered Limits Selection List

Easy Reuse of Previous AuthN System

Login On Home System

Information About File to be Shared

Email Notification of Shared File

Generate A Guest Voucher
What's behind the curtain?
- Management of users by IdP
  - Vetting of user identities
  - Common attributes known to IdP/SP
- Secure connection between IdP/SP
  - Identity of communicating systems
  - Specification of attributes to send
  - Encrypted transfer of required attributes

Trust Points
- Two primary trust relationships
  - Between user and IdP
  - Between IdP and SP
- Both are bidirectional
- User ultimately depends on both
- Details specific to each federation

How Is Trust Established? User Trust for InCommon Authentication
- Communicates with home system as IdP
- Based on trust established during ID setup
- Authentication via familiar (home) login
- Can verify site using https
  - URL address bar
  - Server certificate

How Is Trust Established? InCommon IdP/SP
- Participant Operational Practices (POP) statement
- X.509 certificate in metadata XML
- Attribute release specifications
- Optional higher levels of assurance: Bronze, Silver

POP Statement
- Attribute assertions to other participants
- Made at the organization's executive level
- Issuing system assures appropriate risk management measures
- Information will be used only for the purposes for which it is provided

POP Statement
- Federation Participant Information
- Identity Provider Information
- Service Provider Information
- Other Information

Participant Information
- Organization
- Links for ID management practices
- Privacy policy
- Contact information

Identity Provider Information
- Community
  - Who can get IDs
  - Who is identified as Member
- Credentials
  - Administrative processes
  - Technologies (UserID/password, PKI, etc.)

Identity Provider Information
- Electronic Identity Database
  - Sources, update procedures
  - What is considered public information?
- Own Use of Credential System
- Attribute assertions
  - Privacy constraints

Service Provider Information
- What attributes are required to manage access decisions?
- Other use of attributes
- Controls on access and use of PII
- Controls on access management
- Actions taken in case of compromise
SAML: Security Assertion Markup Language
- XML-based
- 3 roles
  - Principal (user)
  - Identity Provider (IdP)
  - Service Provider (SP)
- Securely passes limited information between federated systems

Shibboleth
- Federated IdM software
- Internet2 Middleware Initiative project
- SAML-based SSO
- Controlled attribute release
- Privacy preserving
- Started in 2000, first release July 2003
- Developed in parallel with InCommon

InCommon Metadata
- Submitted by site administrator
- Defines IdP and SP Entity
  - X.509 certificate
  - User interface, error handling
  - SAML protocol endpoints
  - Contacts

EDUCAUSE Attribute Release
- eduPersonPrincipalName
- surname
- givenName
- email
- eduPersonAffiliation
EDUCAUSE Attribute Release (Shibboleth IdP attribute-filter policy)

    <!-- Release personal attributes required by EDUCAUSE -->
    <afp:AttributeFilterPolicy id="releaseToEducause">
        <!-- Applies only when the requesting SP's entityID matches exactly -->
        <afp:PolicyRequirementRule xsi:type="basic:AttributeRequesterString"
            value="https://www.educause.edu/shibboleth-sp" />
        <afp:AttributeRule attributeID="eduPersonPrincipalName">
            <afp:PermitValueRule xsi:type="basic:ANY" />
        </afp:AttributeRule>
        <!-- ... (other attribute specifications) ... -->
        <afp:AttributeRule attributeID="eduPersonAffiliation">
            <afp:PermitValueRule xsi:type="basic:ANY" />
        </afp:AttributeRule>
    </afp:AttributeFilterPolicy>

General Attribute Release

    <!-- Release eduPersonAffiliation (and Scoped form) to anyone -->
    <afp:AttributeFilterPolicy id="releaseEduPersonAffiliationToAnyone">
        <!-- basic:ANY matches every requesting SP -->
        <afp:PolicyRequirementRule xsi:type="basic:ANY" />
        <afp:AttributeRule attributeID="eduPersonAffiliation">
            <afp:PermitValueRule xsi:type="basic:ANY" />
        </afp:AttributeRule>
        <afp:AttributeRule attributeID="eduPersonScopedAffiliation">
            <afp:PermitValueRule xsi:type="basic:ANY" />
        </afp:AttributeRule>
    </afp:AttributeFilterPolicy>
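To see what the two policies above actually decide, here is an added example (not Shibboleth's code and not part of the original slides) that evaluates a constructed policy group of the same shape: it returns the attributes an IdP would release to a given SP entityID, withholding everything no rule permits. It assumes only the two rule types used on the slides, basic:ANY and basic:AttributeRequesterString.

```python
import xml.etree.ElementTree as ET

NS = {"afp": "urn:mace:shibboleth:2.0:afp"}
XSI_TYPE = "{http://www.w3.org/2001/XMLSchema-instance}type"

# Constructed policy group mirroring the two slides: a full release scoped to
# the EDUCAUSE SP, plus eduPersonAffiliation released to any requester.
POLICY_XML = """<afp:AttributeFilterPolicyGroup id="ShibbolethFilterPolicy"
    xmlns:afp="urn:mace:shibboleth:2.0:afp"
    xmlns:basic="urn:mace:shibboleth:2.0:afp:mf:basic"
    xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance">
  <afp:AttributeFilterPolicy id="releaseToEducause">
    <afp:PolicyRequirementRule xsi:type="basic:AttributeRequesterString"
        value="https://www.educause.edu/shibboleth-sp" />
    <afp:AttributeRule attributeID="eduPersonPrincipalName">
      <afp:PermitValueRule xsi:type="basic:ANY" />
    </afp:AttributeRule>
  </afp:AttributeFilterPolicy>
  <afp:AttributeFilterPolicy id="releaseEduPersonAffiliationToAnyone">
    <afp:PolicyRequirementRule xsi:type="basic:ANY" />
    <afp:AttributeRule attributeID="eduPersonAffiliation">
      <afp:PermitValueRule xsi:type="basic:ANY" />
    </afp:AttributeRule>
  </afp:AttributeFilterPolicy>
</afp:AttributeFilterPolicyGroup>"""


def released_attributes(policy_xml, requester, attributes):
    """Return the subset of `attributes` released to `requester` (SP entityID).
    Only basic:ANY and basic:AttributeRequesterString are supported; any
    attribute without a matching PermitValueRule is withheld by default."""
    root = ET.fromstring(policy_xml)
    released = {}
    for policy in root.findall("afp:AttributeFilterPolicy", NS):
        req = policy.find("afp:PolicyRequirementRule", NS)
        kind = req.get(XSI_TYPE)
        if kind == "basic:AttributeRequesterString":
            if req.get("value") != requester:
                continue  # this policy is scoped to a different SP
        elif kind != "basic:ANY":
            raise ValueError("unsupported PolicyRequirementRule " + str(kind))
        for rule in policy.findall("afp:AttributeRule", NS):
            name = rule.get("attributeID")
            permit = rule.find("afp:PermitValueRule", NS)
            if name in attributes and permit is not None \
                    and permit.get(XSI_TYPE) == "basic:ANY":
                released[name] = attributes[name]
    return released
```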
InCommon Research & Scholarship Category
- Group shares common attribute release
- New SPs may be added
- No action required by IdP to access
- Currently (May 16, 2013): 12 SPs, 51 IdPs
- FileSender is in this group

eduroam
- RADIUS: Remote Authentication Dial-In User Service
  - It's rarely for dial-in anymore
  - Peers authenticate by IP & shared secret
- 802.1X
- PEAP: Protected Extensible Authentication Protocol
  - Server-side public key certificate authenticates

How Is Trust Established? eduroam user
- Pre-travel setup on home campus
- Establishes trusted connection to authentication server
  - PEAP/WPA2 authentication
  - Server name (e.g. adhome-lawc-04.home.ku.edu)
  - X.509 certificate signed by trusted CA

eduroam Wi-Fi Profile

How Is Trust Established? eduroam IdP/SP
- Vetting when joining the federation
- RADIUS shared secret via encrypted email
- X.509 certificates
- Specific IP numbers and ports
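The "peers authenticate by shared secret" point on the RADIUS slides is the Response Authenticator of RFC 2865. This added example (mine, not from the slides or any eduroam software) builds a RADIUS reply and shows the check a client or proxy performs with its own copy of the secret; the secret, identifier and request authenticator are constructed values.

```python
import hashlib
import hmac
import struct

ACCESS_REQUEST, ACCESS_ACCEPT, ACCESS_REJECT = 1, 2, 3
HEADER_LEN = 20  # Code(1) + Identifier(1) + Length(2) + Authenticator(16)


def attribute(attr_type, value):
    """Encode one RADIUS attribute as Type, Length, Value (RFC 2865)."""
    return struct.pack("!BB", attr_type, 2 + len(value)) + value


def response_authenticator(code, ident, request_auth, attributes, secret):
    """MD5(Code + ID + Length + RequestAuth + Attributes + Secret): the peer
    proves it holds the shared secret without ever transmitting it."""
    header = struct.pack("!BBH", code, ident, HEADER_LEN + len(attributes))
    return hashlib.md5(header + request_auth + attributes + secret).digest()


def build_response(code, ident, request_auth, attributes, secret):
    """Server side: sign an Access-Accept/Reject for a given request."""
    auth = response_authenticator(code, ident, request_auth, attributes, secret)
    header = struct.pack("!BBH", code, ident, HEADER_LEN + len(attributes))
    return header + auth + attributes


def verify_response(packet, request_auth, secret):
    """Client/proxy side: accept the reply only if its authenticator matches
    what our own copy of the secret produces for the request we sent.
    A wrong secret, a modified attribute, or a reply bound to a different
    request all fail this check; compare_digest avoids timing leaks."""
    if len(packet) < HEADER_LEN:
        return False
    code, ident, length = struct.unpack("!BBH", packet[:4])
    if length != len(packet):
        return False
    expected = response_authenticator(code, ident, request_auth,
                                      packet[HEADER_LEN:], secret)
    return hmac.compare_digest(packet[4:HEADER_LEN], expected)
```

In production RADIUS deployments the same secret also feeds the HMAC-MD5 Message-Authenticator attribute that 802.1X/EAP exchanges require; this block covers only the packet-level authenticator the slide describes.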
Summary
- Federated identity management increases security and convenience
- It's all about Trust
  - Trust between user and IdP
  - Trust between IdP and SP

Levels of Assurance
- Office of Management and Budget M-04-04: E-Authentication Guidance for Federal Agencies
- NIST 800-63

Levels of Assurance
- Level 1: Little or no confidence in the asserted identity's validity
- Level 2: Some confidence in the asserted identity's validity
- Level 3: High confidence in the asserted identity's validity
- Level 4: Very high confidence in the asserted identity's validity

Levels of Assurance: Level 1
Although there is no identity proofing requirement at this level, the authentication mechanism provides some assurance that the same Claimant who participated in previous transactions is accessing the protected transaction or data.

Levels of Assurance: Level 2
Level 2 provides single factor remote network authentication. At Level 2, identity proofing requirements are introduced, requiring presentation of identifying materials or information.

InCommon Assurance Profiles
- Bronze
  - Corresponds to NIST Level 1
  - May replace POP
- Silver
  - Corresponds to NIST Level 2
  - Requires audit review of procedures
Identity Ecosystem Steering Group (IDESG)
- Facilitate fulfillment of NSTIC goals
- https://www.idecosystem.org
- http://www.nstic.gov

Objectives
- Privacy
- Security
- Interoperability
- Ease of use

IDESG Login Options

IDESG Login Selected

IDESG Login Completed

Related Links
- https://eduroam.org
- http://www.incommon.org
- http://csrc.nist.gov/publications/nistpubs/800-63-1/sp-800-63-1.pdf
- http://csrc.nist.gov/publications/PubsDrafts.html#SP-800-63--2
- https://www.idecosystem.org
- http://www.nstic.gov