Extending Services with Federated Identity Management

Wes Hubert, Information Technology Analyst

Overview
- General concepts
- Higher education federations: eduroam, InCommon
- Federation infrastructure: trust agreements, processes

Common IdM Terms
- Identifier: a name that identifies a unique person, group, or object
- Authentication: verification of an identity
- Authorization: granting access to a specific resource
- Identity Management: control of identifiers, authentication, authorization
- Federation: an organization whose members are organizations with some degree of internal autonomy

Actors
- User (principal, supplicant, client, etc.): initiates the request for a service
- Identity Provider (IdP): authenticates user identity; maintains a directory of vetted users
- Service Provider (SP): authorizes (or denies) access, based on information provided by the IdP

Federated Identity Management
- Provides portability of identity information across organizations
- Manages trust between administratively separate IdP and SP
- Protects privacy of identity information

Examples
- Higher education: eduroam, InCommon
- Public: OpenID (Yahoo!, Google, ...)

eduroam (education roaming)
- Secure network access service (wi-fi)
- Research and education community
- Thousands of institutions worldwide
- http://www.youtube.com/watch?v=tvcmcmzs3ua

eduroam sites (map slides): worldwide, London, US

KU wi-fi prior to eduroam
- JAYHAWK: primary campus wi-fi; requires KU Online ID authentication
- KUGUEST: rate limited, restricted ports
- KU-Passport: sponsored short-term access

eduroam
- Provides travelers secure network access at participating institutions without obtaining guest credentials
- Removes the need for institutions to provision wi-fi credentials for visitors

Connecting with eduroam:
1. Select SSID eduroam
2. Log in with home credentials
3. Start VPN (optional)

eduroam: more later on how it works and why it is secure

InCommon
- Internet2-based research and education identity management federation
- 347 higher education participants
- 28 government, labs, non-profits, etc.
- 139 sponsored partners
(figures as of April 2013)

InCommon
- Provides a privacy-preserving trust fabric for higher education and sponsored partners
- Identity management federation
- Certificate service
- Multifactor authentication service
- Assurance program

InCommon IdM Federation
- About 300 identity providers
- More than 6 million end users
- Sample services: EDUCAUSE federated login, Internet2 FileSender service

Federated Login: EDUCAUSE
- Alternative to the EDUCAUSE-specific login
- Eliminates the need to remember an EDUCAUSE-specific password
- www.educause.edu

EDUCAUSE Federated Login (screenshots)
1. On the http://www.educause.edu screen click Login
2. In the Federated Login section click "Log in Using InCommon"
3. Select your home campus identity provider
4. The home system presents its login page
5. ... and you're logged in to EDUCAUSE
The login page can be verified via its https URL and via its https server certificate.

Internet2 FileSender Service
- Service for sharing large files
- Initiated by a federation member; usable by anyone
- Operated by Internet2
- https://filesender.internet2.edu

FileSender Service (screenshots)
1. Select home system for authentication (text entered limits the selection list; a previously used AuthN system can be reused easily)
2. Log in on the home system
3. Enter information about the file to be shared
4. Email notification of the shared file
5. Generate a guest voucher

What's behind the curtain?
- Management of users by the IdP: vetting of user identities
- Common attributes known to IdP and SP
- Secure connection between IdP and SP: identity of the communicating systems
- Specification of attributes to send
- Encrypted transfer of the required attributes

Trust Points
- Two primary trust relationships: between user and IdP, and between IdP and SP
- Both are bidirectional
- The user ultimately depends on both
- Details are specific to each federation

How Is Trust Established? User trust for InCommon authentication
- The user communicates with the home system as IdP
- Based on trust established during ID setup
- Authentication via the familiar (home) login
- The site can be verified using the https URL in the address bar and the server certificate

How Is Trust Established? InCommon IdP/SP
- Participant Operational Practices (POP) statement
- X.509 certificate in the metadata XML
- Attribute release specifications
- Optional higher levels of assurance: Bronze, Silver

POP Statement
- Attribute assertions to other participants
- Made at the organization's executive level
- The issuing system assures appropriate risk management measures
- Information will be used only for the purposes for which it is provided

POP Statement sections
- Federation participant information
- Identity provider information
- Service provider information
- Other information

Participant Information
- Organization
- Links for ID management practices
- Privacy policy
- Contact information

Identity Provider Information
- Community: who can get IDs; who is identified as a "Member"
- Credentials: administrative processes; technologies (UserID/password, PKI, etc.)

Identity Provider Information
- Electronic identity database: sources, update procedures; what is considered public information?
- Own use of the credential system
- Attribute assertions
- Privacy constraints

Service Provider Information
- What attributes are required to manage access decisions?
- Other use of attributes
- Controls on access to and use of PII
- Controls on access management
- Actions taken in case of compromise

SAML (Security Assertion Markup Language)
- XML-based
- Three roles: Principal (user), Identity Provider (IdP), Service Provider (SP)
- Securely passes limited information between federated systems

Shibboleth
- Federated IdM software; Internet2 Middleware Initiative project
- SAML-based SSO
- Controlled attribute release; privacy preserving
- Started in 2000, first release July 2003
- Developed in parallel with InCommon

InCommon Metadata
- Submitted by the site administrator
- Defines the IdP or SP entity
- X.509 certificate
- User interface, error handling
- SAML protocol endpoints
- Contacts
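The SAML and metadata slides describe the trust chain but not what an SP does with it. The Python below is an added example, not code from the presentation or from Shibboleth: it parses a constructed federation metadata file, returns the signing certificate an SP must use to verify the IdP's XML signature, and checks an assertion's Issuer, validity window, Audience and Recipient against that metadata. The entity IDs, endpoints, certificate body and the assertion are all constructed placeholders. Signature verification itself is not implemented here; it needs an XML-DSig library (xmlsec) and must be done with the certificate this code returns before anything in the assertion is trusted, and the metadata file is itself only trustworthy once its own signature has been checked against the federation's pinned signing key.

```python
import xml.etree.ElementTree as ET
from datetime import datetime, timedelta, timezone

NS = {
    "md": "urn:oasis:names:tc:SAML:2.0:metadata",
    "ds": "http://www.w3.org/2000/09/xmldsig#",
    "saml": "urn:oasis:names:tc:SAML:2.0:assertion",
}

# Constructed federation metadata. Entity IDs, endpoints and the certificate body are placeholders.
METADATA = """<md:EntitiesDescriptor xmlns:md="urn:oasis:names:tc:SAML:2.0:metadata"
    xmlns:ds="http://www.w3.org/2000/09/xmldsig#" Name="urn:example:federation">
  <md:EntityDescriptor entityID="https://idp.example.edu/idp/shibboleth">
    <md:IDPSSODescriptor protocolSupportEnumeration="urn:oasis:names:tc:SAML:2.0:protocol">
      <md:KeyDescriptor use="signing"><ds:KeyInfo><ds:X509Data>
        <ds:X509Certificate>MIIC...PLACEHOLDER-IDP-SIGNING-CERT...</ds:X509Certificate>
      </ds:X509Data></ds:KeyInfo></md:KeyDescriptor>
      <md:SingleSignOnService Binding="urn:oasis:names:tc:SAML:2.0:bindings:HTTP-Redirect"
          Location="https://idp.example.edu/idp/profile/SAML2/Redirect/SSO"/>
    </md:IDPSSODescriptor>
  </md:EntityDescriptor>
  <md:EntityDescriptor entityID="https://sp.example.org/shibboleth">
    <md:SPSSODescriptor protocolSupportEnumeration="urn:oasis:names:tc:SAML:2.0:protocol">
      <md:AssertionConsumerService Binding="urn:oasis:names:tc:SAML:2.0:bindings:HTTP-POST"
          Location="https://sp.example.org/Shibboleth.sso/SAML2/POST" index="1"/>
    </md:SPSSODescriptor>
  </md:EntityDescriptor>
</md:EntitiesDescriptor>"""

# Constructed assertion as the IdP would issue it after login (normally wrapped in a
# samlp:Response; the ds:Signature element is omitted because it is not checked here).
ASSERTION = """<saml:Assertion xmlns:saml="urn:oasis:names:tc:SAML:2.0:assertion"
    ID="_constructed1" Version="2.0" IssueInstant="2013-05-16T12:00:00Z">
  <saml:Issuer>https://idp.example.edu/idp/shibboleth</saml:Issuer>
  <saml:Subject>
    <saml:NameID Format="urn:oasis:names:tc:SAML:2.0:nameid-format:transient">_abc123</saml:NameID>
    <saml:SubjectConfirmation Method="urn:oasis:names:tc:SAML:2.0:cm:bearer">
      <saml:SubjectConfirmationData NotOnOrAfter="2013-05-16T12:05:00Z"
          Recipient="https://sp.example.org/Shibboleth.sso/SAML2/POST"/>
    </saml:SubjectConfirmation>
  </saml:Subject>
  <saml:Conditions NotBefore="2013-05-16T11:59:30Z" NotOnOrAfter="2013-05-16T12:05:00Z">
    <saml:AudienceRestriction><saml:Audience>https://sp.example.org/shibboleth</saml:Audience></saml:AudienceRestriction>
  </saml:Conditions>
  <saml:AttributeStatement>
    <saml:Attribute Name="urn:oid:1.3.6.1.4.1.5923.1.1.1.9" FriendlyName="eduPersonScopedAffiliation">
      <saml:AttributeValue>member@example.edu</saml:AttributeValue>
    </saml:Attribute>
  </saml:AttributeStatement>
</saml:Assertion>"""


def load_metadata(xml_text):
    """Index IdPs (signing certs, SSO endpoints) and SPs (ACS endpoints) by entityID."""
    root = ET.fromstring(xml_text)
    idps, sps = {}, {}
    for ed in root.iterfind("md:EntityDescriptor", NS):
        eid = ed.get("entityID")
        for idp in ed.iterfind("md:IDPSSODescriptor", NS):
            # A KeyDescriptor with no 'use' attribute is valid for both signing and encryption.
            certs = [c.text.strip()
                     for kd in idp.iterfind("md:KeyDescriptor", NS) if kd.get("use") in (None, "signing")
                     for c in kd.iterfind("ds:KeyInfo/ds:X509Data/ds:X509Certificate", NS)]
            idps[eid] = {"signing_certs": certs,
                         "sso": [e.get("Location") for e in idp.iterfind("md:SingleSignOnService", NS)]}
        for sp in ed.iterfind("md:SPSSODescriptor", NS):
            sps[eid] = {"acs": [e.get("Location") for e in sp.iterfind("md:AssertionConsumerService", NS)]}
    return idps, sps


def _t(iso):
    """SAML timestamps are UTC ISO 8601; fractional seconds are dropped."""
    return datetime.strptime(iso.split(".")[0].rstrip("Z"), "%Y-%m-%dT%H:%M:%S").replace(tzinfo=timezone.utc)


def check_assertion(assertion_xml, metadata, sp_entity_id, now_iso, skew_seconds=180):
    """Metadata-driven checks an SP applies AFTER verifying the XML signature with the
    returned certificate(s). Returns (ok, reasons, signing_certs_of_issuer)."""
    idps, sps = metadata
    a = ET.fromstring(assertion_xml)
    now, skew = _t(now_iso), timedelta(seconds=skew_seconds)
    reasons = []
    issuer = a.findtext("saml:Issuer", default="", namespaces=NS).strip()
    if issuer not in idps:
        reasons.append("Issuer %r is not an IdP in federation metadata" % issuer)
    cond = a.find("saml:Conditions", NS)
    if cond is None:
        reasons.append("no Conditions element")
    else:
        nb, na = cond.get("NotBefore"), cond.get("NotOnOrAfter")
        if nb and now + skew < _t(nb):
            reasons.append("assertion not yet valid")
        if na and now - skew >= _t(na):
            reasons.append("assertion expired")
        audiences = [x.text.strip() for x in cond.iterfind("saml:AudienceRestriction/saml:Audience", NS)]
        if sp_entity_id not in audiences:
            reasons.append("audience %r does not include this SP" % audiences)
    # Bearer confirmation: the assertion must have been addressed to one of OUR registered endpoints.
    scd = a.find("saml:Subject/saml:SubjectConfirmation/saml:SubjectConfirmationData", NS)
    our_acs = sps.get(sp_entity_id, {}).get("acs", [])
    if scd is None or scd.get("Recipient") not in our_acs:
        reasons.append("Recipient is not one of this SP's AssertionConsumerService endpoints")
    return (not reasons, reasons, idps.get(issuer, {}).get("signing_certs", []))
```

The Audience and Recipient checks are what stop a valid assertion issued for one SP from being replayed at another; the clock skew allowance is needed because IdP and SP clocks are administered by different organizations.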

EDUCAUSE Attribute Release
- eduPersonPrincipalName
- surname
- givenName
- email
- eduPersonAffiliation

EDUCAUSE Attribute Release (Shibboleth IdP attribute-filter policy)

    <!-- Release personal attributes required by EDUCAUSE -->
    <afp:AttributeFilterPolicy id="releaseToEducause">
        <afp:PolicyRequirementRule xsi:type="basic:AttributeRequesterString"
            value="https://www.educause.edu/shibboleth-sp" />
        <afp:AttributeRule attributeID="eduPersonPrincipalName">
            <afp:PermitValueRule xsi:type="basic:ANY" />
        </afp:AttributeRule>
        ... (other attribute specifications) ...
        <afp:AttributeRule attributeID="eduPersonAffiliation">
            <afp:PermitValueRule xsi:type="basic:ANY" />
        </afp:AttributeRule>
    </afp:AttributeFilterPolicy>

General Attribute Release

    <!-- Release eduPersonAffiliation (and scoped form) to anyone -->
    <afp:AttributeFilterPolicy id="releaseEduPersonAffiliationToAnyone">
        <afp:PolicyRequirementRule xsi:type="basic:ANY" />
        <afp:AttributeRule attributeID="eduPersonAffiliation">
            <afp:PermitValueRule xsi:type="basic:ANY" />
        </afp:AttributeRule>
        <afp:AttributeRule attributeID="eduPersonScopedAffiliation">
            <afp:PermitValueRule xsi:type="basic:ANY" />
        </afp:AttributeRule>
    </afp:AttributeFilterPolicy>
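The two policies above are Shibboleth IdP attribute-filter rules. The Python below is an added example, not part of the presentation or of Shibboleth's own code: it evaluates a constructed attribute-filter.xml (the two slide policies plus one assumed value-restricted policy for a hypothetical library SP) against a constructed user record, and shows the property the slides call controlled, privacy-preserving release. An attribute reaches an SP only when a policy whose requirement rule matches that SP explicitly permits it, so an SP the IdP has no specific policy for receives the affiliation attributes and nothing else. Only the basic:ANY, basic:AttributeRequesterString and basic:AttributeValueString matchers are implemented; any other matcher type fails closed, and Shibboleth's DenyValueRule is not modelled.

```python
import xml.etree.ElementTree as ET

XSI = "http://www.w3.org/2001/XMLSchema-instance"
NS = {"afp": "urn:mace:shibboleth:2.0:afp",
      "basic": "urn:mace:shibboleth:2.0:afp:mf:basic", "xsi": XSI}

# Constructed attribute-filter.xml: the two slide policies plus an assumed library-SP policy.
FILTER_XML = """<afp:AttributeFilterPolicyGroup id="ShibbolethFilterPolicy"
    xmlns:afp="urn:mace:shibboleth:2.0:afp"
    xmlns:basic="urn:mace:shibboleth:2.0:afp:mf:basic"
    xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance">
  <afp:AttributeFilterPolicy id="releaseEduPersonAffiliationToAnyone">
    <afp:PolicyRequirementRule xsi:type="basic:ANY" />
    <afp:AttributeRule attributeID="eduPersonAffiliation"><afp:PermitValueRule xsi:type="basic:ANY" /></afp:AttributeRule>
    <afp:AttributeRule attributeID="eduPersonScopedAffiliation"><afp:PermitValueRule xsi:type="basic:ANY" /></afp:AttributeRule>
  </afp:AttributeFilterPolicy>
  <afp:AttributeFilterPolicy id="releaseToEducause">
    <afp:PolicyRequirementRule xsi:type="basic:AttributeRequesterString" value="https://www.educause.edu/shibboleth-sp" />
    <afp:AttributeRule attributeID="eduPersonPrincipalName"><afp:PermitValueRule xsi:type="basic:ANY" /></afp:AttributeRule>
    <afp:AttributeRule attributeID="surname"><afp:PermitValueRule xsi:type="basic:ANY" /></afp:AttributeRule>
    <afp:AttributeRule attributeID="givenName"><afp:PermitValueRule xsi:type="basic:ANY" /></afp:AttributeRule>
    <afp:AttributeRule attributeID="email"><afp:PermitValueRule xsi:type="basic:ANY" /></afp:AttributeRule>
    <afp:AttributeRule attributeID="eduPersonAffiliation"><afp:PermitValueRule xsi:type="basic:ANY" /></afp:AttributeRule>
  </afp:AttributeFilterPolicy>
  <!-- Assumed: a library SP gets only the common-lib-terms entitlement value, not the user's others -->
  <afp:AttributeFilterPolicy id="releaseLibTermsToLibrarySP">
    <afp:PolicyRequirementRule xsi:type="basic:AttributeRequesterString" value="https://library-sp.example.org/shibboleth" />
    <afp:AttributeRule attributeID="eduPersonEntitlement">
      <afp:PermitValueRule xsi:type="basic:AttributeValueString" value="urn:mace:dir:entitlement:common-lib-terms" />
    </afp:AttributeRule>
  </afp:AttributeFilterPolicy>
</afp:AttributeFilterPolicyGroup>"""

# Constructed user record as the attribute resolver would produce it.
USER = {
    "eduPersonPrincipalName": ["jhawk@ku.edu"],
    "surname": ["Hawk"], "givenName": ["Jay"], "email": ["jhawk@ku.edu"],
    "eduPersonAffiliation": ["member", "staff"],
    "eduPersonScopedAffiliation": ["member@ku.edu", "staff@ku.edu"],
    "eduPersonEntitlement": ["urn:mace:dir:entitlement:common-lib-terms", "urn:mace:ku.edu:payroll-admin"],
}


def _matcher_type(rule):
    """xsi:type="basic:ANY" -> "ANY" (the prefix is resolved by the schema, not here)."""
    return rule.get("{%s}type" % XSI, "").split(":", 1)[-1]


def requester_matches(rule, requester):
    kind = _matcher_type(rule)
    if kind == "ANY":
        return True
    if kind == "AttributeRequesterString":      # exact, case-sensitive entityID match
        return rule.get("value") == requester
    return False                                 # unknown matcher type: fail closed


def value_permitted(rule, value):
    kind = _matcher_type(rule)
    if kind == "ANY":
        return True
    if kind == "AttributeValueString":
        return rule.get("value") == value
    return False                                 # unknown matcher type: fail closed


def filter_attributes(filter_xml, requester, attributes):
    """attributes = {attributeID: [values]} resolved for the user. Deny by default: a value
    is released only if a policy whose requirement rule matches the requesting SP contains
    an AttributeRule for it with a PermitValueRule that matches the value."""
    root = ET.fromstring(filter_xml)
    released = {}
    for policy in root.iterfind("afp:AttributeFilterPolicy", NS):
        req_rule = policy.find("afp:PolicyRequirementRule", NS)
        if req_rule is None or not requester_matches(req_rule, requester):
            continue
        for arule in policy.iterfind("afp:AttributeRule", NS):
            aid, permit = arule.get("attributeID"), arule.find("afp:PermitValueRule", NS)
            if permit is None or aid not in attributes:
                continue
            permitted = [v for v in attributes[aid] if value_permitted(permit, v)]
            if permitted:
                bucket = released.setdefault(aid, [])
                bucket.extend(v for v in permitted if v not in bucket)
    return released


def demo():
    return {sp: filter_attributes(FILTER_XML, sp, USER) for sp in (
        "https://www.educause.edu/shibboleth-sp",
        "https://library-sp.example.org/shibboleth",
        "https://unknown.example.net/sp")}
```

Note that the eduPersonPrincipalName and email go to EDUCAUSE only because its entityID is named in a requirement rule; the library SP gets one entitlement value and never sees the payroll-admin entitlement, and a requester no policy names gets only what the "to anyone" policy grants.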

InCommon Research & Scholarship Category
- The group shares a common attribute release
- New SPs may be added; no action is required by the IdP for them to gain access
- Currently (May 16, 2013): 12 SPs, 51 IdPs
- FileSender is in this group

eduroam: RADIUS and 802.1X
- RADIUS (Remote Authentication Dial-In User Service): it's rarely for dial-in anymore; peers authenticate each other by IP address and shared secret
- 802.1X with PEAP (Protected Extensible Authentication Protocol): the server's public-key certificate authenticates the server to the client, and the user's credentials are then sent only inside the resulting TLS tunnel

How Is Trust Established? eduroam user
- Pre-travel setup on the home campus establishes a trusted connection to the authentication server
- PEAP/WPA2 authentication
- Server name (e.g. adhome-lawc-04.home.ku.edu)
- X.509 certificate signed by a trusted CA

eduroam Wi-Fi Profile
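The "eduroam Wi-Fi Profile" slide is a screenshot. As an added example, not from the presentation or from any institution's published profile, here is the same trust setup in wpa_supplicant network-block syntax, with the weak form next to the hardened one. The CA file path, the user identity and the password placeholder are assumptions; the server name is the one on the previous slide.

```conf
# WEAK (constructed): no CA and no server-name constraint. Any access point broadcasting
# the "eduroam" SSID can present any certificate, complete the outer TLS handshake and
# collect the inner MSCHAPv2 credential exchange.
network={
    ssid="eduroam"
    key_mgmt=WPA-EAP
    eap=PEAP
    phase2="auth=MSCHAPV2"
    identity="jhawk@ku.edu"
    password="..."
}

# HARDENED: pin the CA that issued the home RADIUS server's certificate and require the
# exact server name from the slide, so the PEAP tunnel can only terminate at that server.
# The anonymous outer identity keeps the real username out of the cleartext RADIUS
# User-Name; only the realm (ku.edu) is visible to the visited site for routing.
network={
    ssid="eduroam"
    key_mgmt=WPA-EAP
    eap=PEAP
    phase2="auth=MSCHAPV2"
    anonymous_identity="anonymous@ku.edu"
    identity="jhawk@ku.edu"
    password="..."
    ca_cert="/etc/ssl/certs/ku-radius-ca.pem"
    domain_match="adhome-lawc-04.home.ku.edu"
}
```

This is exactly what the pre-travel setup on the home campus installs: the CA and the server name. Without them the home IdP's certificate proves nothing, because the client never checks it.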

How Is Trust Established? eduroam IdP/SP
- Vetting when joining the federation
- RADIUS shared secret exchanged via encrypted email
- X.509 certificates
- Specific IP addresses and ports
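The eduroam slides say RADIUS peers authenticate each other by source IP address and shared secret. What that secret actually protects on the wire is shown in the Python below, an added example that is not from the presentation or from any eduroam software. It builds an Access-Request carrying an EAP-Response/Identity for the constructed outer identity anonymous@ku.edu, adds the Message-Authenticator attribute (HMAC-MD5 keyed with the shared secret, RFC 3579) that is mandatory on RADIUS packets carrying EAP, answers with an Access-Challenge whose Response Authenticator is MD5 over the reply plus the secret (RFC 2865), and shows that a wrong secret or a same-length change to the User-Name fails verification. The realm() helper extracts the routing key eduroam proxies use, the part after "@" in the outer identity. The secret and identity values are constructed.

```python
import hashlib
import hmac
import os
import struct

ACCESS_REQUEST, ACCESS_CHALLENGE = 1, 11                    # RADIUS codes (RFC 2865)
USER_NAME, EAP_MESSAGE, MESSAGE_AUTHENTICATOR = 1, 79, 80   # attribute types


def _attrs(pairs):
    """Encode (type, value) pairs as RADIUS TLVs: Type(1) Length(1) Value."""
    return b"".join(struct.pack("!BB", t, len(v) + 2) + v for t, v in pairs)


def _packet(code, ident, authenticator, attrs):
    return struct.pack("!BBH", code, ident, 20 + len(attrs)) + authenticator + attrs


def _split_ma(pkt):
    """Return (packet with the Message-Authenticator value zeroed, original value) or (pkt, None)."""
    i = 20
    while i + 2 <= len(pkt):
        t, length = pkt[i], pkt[i + 1]
        if length < 2:
            break
        if t == MESSAGE_AUTHENTICATOR and length == 18:
            return pkt[:i + 2] + bytes(16) + pkt[i + 18:], pkt[i + 2:i + 18]
        i += length
    return pkt, None


def realm(outer_identity):
    """eduroam proxies route on the realm after '@' in the outer identity (e.g. anonymous@ku.edu);
    the real username travels only inside the PEAP TLS tunnel."""
    if outer_identity.count(b"@") != 1:
        raise ValueError("outer identity must be user@realm")
    return outer_identity.split(b"@")[1].decode("ascii").lower()


def build_access_request(ident, outer_identity, secret):
    request_auth = os.urandom(16)        # Request Authenticator: fresh random nonce per request
    eap = struct.pack("!BBHB", 2, ident, 5 + len(outer_identity), 1) + outer_identity  # EAP-Response/Identity
    attrs = _attrs([(USER_NAME, outer_identity), (EAP_MESSAGE, eap), (MESSAGE_AUTHENTICATOR, bytes(16))])
    pkt = _packet(ACCESS_REQUEST, ident, request_auth, attrs)
    # RFC 3579: HMAC-MD5 over the whole packet with the Message-Authenticator value zeroed, keyed
    # with the shared secret. The attribute is last, so its value is the final 16 bytes.
    return pkt[:-16] + hmac.new(secret, pkt, hashlib.md5).digest()


def verify_access_request(pkt, secret):
    """Server side: packet came from a holder of the shared secret and was not modified."""
    if len(pkt) < 20 or struct.unpack("!H", pkt[2:4])[0] != len(pkt):
        return False
    zeroed, ma = _split_ma(pkt)
    if ma is None:
        return False                     # EAP-Message without Message-Authenticator: reject
    return hmac.compare_digest(hmac.new(secret, zeroed, hashlib.md5).digest(), ma)


def build_access_challenge(request_pkt, secret):
    ident, request_auth = request_pkt[1], request_pkt[4:20]
    eap = struct.pack("!BBHBB", 1, (ident + 1) & 0xFF, 6, 25, 0x20)   # EAP-Request, type 25 (PEAP), Start flag
    attrs = _attrs([(EAP_MESSAGE, eap), (MESSAGE_AUTHENTICATOR, bytes(16))])
    # For replies the Message-Authenticator is computed with the Request Authenticator in the header.
    ma = hmac.new(secret, _packet(ACCESS_CHALLENGE, ident, request_auth, attrs), hashlib.md5).digest()
    attrs = attrs[:-16] + ma
    # RFC 2865 Response Authenticator = MD5(Code Ident Length RequestAuth Attributes Secret)
    header = struct.pack("!BBH", ACCESS_CHALLENGE, ident, 20 + len(attrs))
    resp_auth = hashlib.md5(header + request_auth + attrs + secret).digest()
    return header + resp_auth + attrs


def verify_response(resp, request_pkt, secret):
    """Client side: reply matches our request, came from a holder of the secret, and is unmodified."""
    if len(resp) < 20 or struct.unpack("!H", resp[2:4])[0] != len(resp) or resp[1] != request_pkt[1]:
        return False
    request_auth, attrs = request_pkt[4:20], resp[20:]
    expected = hashlib.md5(resp[:4] + request_auth + attrs + secret).digest()
    if not hmac.compare_digest(expected, resp[4:20]):
        return False
    zeroed, ma = _split_ma(resp[:4] + request_auth + attrs)
    return ma is not None and hmac.compare_digest(hmac.new(secret, zeroed, hashlib.md5).digest(), ma)


def demo(secret=b"constructed-shared-secret", wrong=b"wrong-secret"):
    req = build_access_request(7, b"anonymous@ku.edu", secret)
    tampered = req.replace(b"@ku.edu", b"@ku.org")   # same length, so only the MAC can catch it
    chal = build_access_challenge(req, secret)
    return {
        "request_ok": verify_access_request(req, secret),
        "request_wrong_secret": verify_access_request(req, wrong),
        "request_tampered": verify_access_request(tampered, secret),
        "challenge_ok": verify_response(chal, req, secret),
        "challenge_wrong_secret": verify_response(chal, req, wrong),
    }


if __name__ == "__main__":
    print(realm(b"anonymous@ku.edu"), demo())
```

Two things follow from the code. The secret is the only key in HMAC-MD5 and in the Response Authenticator hash, which is why the slides stress that it is exchanged over an encrypted channel and bound to specific IP addresses: anyone who has it can forge or alter packets between those two peers. And the user's password is in none of these attributes; it is carried in later EAP-Message payloads inside the PEAP TLS tunnel, so a proxy that relays RADIUS never sees it.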

Summary
- Federated identity management increases security and convenience
- It's all about trust: trust between user and IdP, and trust between IdP and SP

Levels of Assurance
- Office of Management and Budget M-04-04, E-Authentication Guidance for Federal Agencies
- NIST SP 800-63

Levels of Assurance
- Level 1: little or no confidence in the asserted identity's validity
- Level 2: some confidence in the asserted identity's validity
- Level 3: high confidence in the asserted identity's validity
- Level 4: very high confidence in the asserted identity's validity

Levels of Assurance (NIST SP 800-63 wording)
- Level 1: Although there is no identity proofing requirement at this level, the authentication mechanism provides some assurance that the same Claimant who participated in previous transactions is accessing the protected transaction or data.
- Level 2: Level 2 provides single factor remote network authentication. At Level 2, identity proofing requirements are introduced, requiring presentation of identifying materials or information.

InCommon Assurance Profiles
- Bronze: corresponds to NIST Level 1; may replace the POP statement
- Silver: corresponds to NIST Level 2; requires audit review of procedures

Identity Ecosystem Steering Group (IDESG)
- Facilitates fulfillment of NSTIC goals
- https://www.idecosystem.org
- http://www.nstic.gov

Objectives
- Privacy
- Security
- Interoperability
- Ease of use

IDESG login (screenshots): login options, login selected, login completed

Related Links
- https://eduroam.org
- http://www.incommon.org
- http://csrc.nist.gov/publications/nistpubs/800-63-1/sp-800-63-1.pdf
- http://csrc.nist.gov/publications/PubsDrafts.html#SP-800-63--2
- https://www.idecosystem.org
- http://www.nstic.gov