Practices from the Field NSF Middleware Initiative: Identity and Privilege Management Model Michael Gettes, Duke University Jim Phelps, UW-Madison EDUCAUSE October 2005


Dec 18, 2015

Page 1: Practices from the Field

NSF Middleware Initiative: Identity and Privilege Management Model

Michael Gettes, Duke University
Jim Phelps, UW-Madison

EDUCAUSE, October 2005

Page 2: Topics

• What is Identity and Access Management (IAM)?
• An institutional view of IAM
  – Roles, Privileges and Authentication
• Basic IAM functions mapped to NMI/MACE components
• Open Source solutions coming to a store near you
• Outside Forces
• Q & A (we take questions as we go also)

Page 3: IAM and Application Integration

(diagram slide; no text extracted)

Page 4: IAM is…

• “Hi! I’m Lisa.” (Identity)
• “…and here’s my NetID / password to prove it.” (Authentication)
• “I want to do some E-Reserves reading.” (Authorization: allowing Lisa to use the services for which she’s authorized)
• “And I want to change my grade in last semester’s Physics course.” (Authorization: preventing her from doing things she’s not supposed to do)

Page 5: What questions are common to these scenarios?

• Are the people using these services who they claim to be?
• Are they a member of our campus community?
• Have they been given permission?
• Is their privacy being protected?
• Policy/process issues lurk nearby

Page 6: Vision of a better way to do IAM

(diagram) IAM functions: Reflect, Join, Credential, Manage Affil/Groups, Manage Privileges, Provision, Relay, Authenticate, Authorize, Log

• IAM as a middleware layer at the service of any number of applications
• Requires an expanded set of basic functions

Page 7: Basic IAM functions

(diagram) Systems of Record (Student, HR, Other) → Enterprise Directory (Registry, LDAP)

Page 8: Role- and Privilege-based AuthZ

• Privileges are what you can do
• Roles are who you are, which can then be used for policy-based privileges
• Both are viable, complementary for authorization

Page 9: Privilege Management Feature Summary

One privilege, decomposed into its parts:

  grantor        By authority of the Dean
  role (group)   principal investigators
  prerequisite   who have completed training
  function       can approve purchases
  scope          in the School of Medicine
  limits         for research projects up to $100,000
  condition      until January 1, 2006

Page 10: Basic IAM functions mapped to the NMI / MACE components

(diagram) Systems of Record → Enterprise Directory

Page 11: The Environment

(diagram) Systems of Record → Enterprise Directory → Apps / Resources

Page 12: How a full IdM layer helps

• Improves scalability: IdM process automation
• Improves agility: keeping up with demands
• Reduces complexity of the IT ecosystem
  – Complexity as friction (wasted resources)
• Improved user experience
• Functional specialization: the app developer can concentrate on app-specific functionality

Page 13: The Environment

(diagram) Systems of Record → Enterprise Directory → Apps / Resources, with Grouper, Signet and Shibboleth placed between the directory and the applications

Page 14: Managing Roles & Privileges: The Internet2 way

Grouper and Signet: a Role-Based Access Control (RBAC) model

• Users are placed into groups
• Privileges are assigned to groups
• Groups can be arranged into hierarchies to effectively bestow privileges
• Signet manages privileges
• Grouper manages, well, groups
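The RBAC model on this slide and the decomposed privilege on page 9 (grantor, role, prerequisite, function, scope, limits, condition), combined in one small evaluator. This is an added example and not Grouper or Signet code: a Grouper-style group store with nested groups, a Signet-style privilege record, and a deny-by-default check that reports which clause refused the request. The group names, user ids, the hierarchical scope path and the dates are constructed for the example; treating scope as an org-unit path that covers its sub-units is an assumption.

```python
from dataclasses import dataclass
from datetime import date
from typing import Optional, Tuple


class GroupStore:
    """Grouper-style groups. A member is either a user id or another group,
    so a privilege assigned to a parent group reaches everyone in its
    nested groups (the hierarchy "bestows" the privilege)."""

    def __init__(self):
        self._groups = set()
        self._members = {}  # group name -> set of direct members

    def add_group(self, name):
        self._groups.add(name)
        self._members.setdefault(name, set())

    def add_member(self, group, member):
        self.add_group(group)
        self._members[group].add(member)

    def effective_members(self, group, _seen=None):
        """Flatten nested groups; _seen guards against membership cycles."""
        seen = set() if _seen is None else _seen
        if group in seen:
            return set()
        seen.add(group)
        users = set()
        for m in self._members.get(group, set()):
            if m in self._groups:
                users |= self.effective_members(m, seen)
            else:
                users.add(m)
        return users

    def is_member(self, user, group):
        return user in self.effective_members(group)


@dataclass(frozen=True)
class Privilege:
    """One Signet-style privilege, one field per part of the page 9 example."""
    grantor: str                        # "By authority of the Dean"
    role_group: str                     # "principal investigators"
    prerequisite_group: Optional[str]   # "who have completed training"
    function: str                       # "can approve purchases"
    scope: Tuple[str, ...]              # "in the School of Medicine" (assumed org-unit path)
    limit_amount: Optional[int]         # "up to $100,000"
    valid_until: Optional[date]         # "until January 1, 2006"


def authorize(store, privileges, user, function, scope, amount, today):
    """Deny by default. Every clause of a privilege must hold; the first
    failing clause is reported so an auditor can see why access was refused."""
    reasons = []
    for p in privileges:
        if p.function != function:
            continue
        if tuple(scope[:len(p.scope)]) != p.scope:      # assumed: scope covers sub-units
            reasons.append("scope %s outside %s" % ("/".join(scope), "/".join(p.scope)))
            continue
        if not store.is_member(user, p.role_group):
            reasons.append("%s not in role %s" % (user, p.role_group))
            continue
        if p.prerequisite_group and not store.is_member(user, p.prerequisite_group):
            reasons.append("prerequisite %s not met" % p.prerequisite_group)
            continue
        if p.limit_amount is not None and amount > p.limit_amount:
            reasons.append("amount %d exceeds limit %d" % (amount, p.limit_amount))
            continue
        if p.valid_until is not None and today >= p.valid_until:
            reasons.append("privilege expired on %s" % p.valid_until)
            continue
        return True, "granted by %s via %s" % (p.grantor, p.role_group)
    return False, "; ".join(reasons) or "no privilege covers %s" % function


def build_demo():
    """Constructed data: alice is a PI through a nested School of Medicine
    group and has completed training; bob is a PI directly but has not."""
    store = GroupStore()
    for g in ("principal_investigators", "som:pi_faculty", "training:purchasing_complete"):
        store.add_group(g)
    store.add_member("principal_investigators", "som:pi_faculty")  # nested group
    store.add_member("som:pi_faculty", "alice")
    store.add_member("principal_investigators", "bob")
    store.add_member("training:purchasing_complete", "alice")
    priv = Privilege(grantor="Dean, School of Medicine", role_group="principal_investigators",
                     prerequisite_group="training:purchasing_complete",
                     function="approve_purchase", scope=("school_of_medicine",),
                     limit_amount=100_000, valid_until=date(2006, 1, 1))
    return store, [priv]


def demo():
    store, privs = build_demo()
    som = ("school_of_medicine", "cardiology")
    t = date(2005, 10, 20)
    return {
        "alice_ok": authorize(store, privs, "alice", "approve_purchase", som, 50_000, t),
        "bob_no_training": authorize(store, privs, "bob", "approve_purchase", som, 50_000, t),
        "alice_over_limit": authorize(store, privs, "alice", "approve_purchase", som, 150_000, t),
        "alice_expired": authorize(store, privs, "alice", "approve_purchase", som, 50_000, date(2006, 1, 1)),
        "alice_wrong_scope": authorize(store, privs, "alice", "approve_purchase", ("school_of_engineering",), 50_000, t),
        "change_grade": authorize(store, privs, "alice", "change_grade", som, 0, t),
    }
```

Running `demo()` shows alice allowed through the nested group, bob refused on the prerequisite, and alice refused in turn on limit, condition and scope; the last entry is Lisa's grade change from page 4, refused because no privilege covers that function at all.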

Page 15: Grouper

• Grouper project of Internet2 MACE
• Infrastructure at University of Chicago
  – User interface at Bristol University in UK
  – $upport from NSF Middleware Initiative (NMI)
• http://middleware.internet2.edu/dir/groups

Page 16: Signet

• Project Signet of Internet2 MACE
  – Development based at Stanford
  – $upport from NSF Middleware Initiative
• http://middleware.internet2.edu/signet

Page 17: IAM functions

  Reflect               Data of interest
  Join                  Identity across SoR
  Credential            NetID, other
  Manage Affil/Groups   AuthZ info
  Manage Privileges     More AuthZ info
  Provision             Gen. AuthNZ info into app space
  Relay                 AuthZ info to app on request
  Authenticate          Identity claim
  Authorize             Access decision (allow/deny)
  Log                   Usage for audit, accounting, …
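Reflect and Join from the table above, and the Student/HR systems of record feeding the registry on page 7, as an added example that is not NMI/MACE code: two constructed CSV feeds with different column names are reflected onto one schema and joined into registry identities carrying the affiliations the downstream AuthZ functions consume. The column names, matching keys and the review rule are assumptions for the example. The point it makes is that a join you provision accounts from must neither merge two people (one person inherits another's privileges) nor split one person (a stale duplicate account survives), so an ambiguous match is held for review rather than guessed.

```python
import csv
import io
from collections import defaultdict

# Constructed feeds standing in for the HR and Student systems of record.
HR_CSV = """emp_id,last,first,dob,ssn_last4,dept
E100,Doe,Jane,1970-03-04,1234,Physics
E101,Smith,Robert,1985-07-12,9876,Library
"""

STUDENT_CSV = """stu_id,surname,given,birthdate,ssn_last4,program
S500,Doe,Jane,1970-03-04,1234,PHD-PHYS
S501,Smith,Rob,1985-07-12,5555,MLIS
S502,Smith,Robert,1985-07-12,9876,MLIS
"""


def reflect(source, row):
    """Reflect: map one SoR row onto the registry's common schema. The
    affiliation the row implies travels with it as AuthZ input."""
    if source == "hr":
        return {"source": "hr", "source_id": row["emp_id"], "last": row["last"],
                "first": row["first"], "dob": row["dob"], "ssn4": row["ssn_last4"],
                "affiliation": "employee"}
    if source == "student":
        return {"source": "student", "source_id": row["stu_id"], "last": row["surname"],
                "first": row["given"], "dob": row["birthdate"], "ssn4": row["ssn_last4"],
                "affiliation": "student"}
    raise ValueError("unknown system of record: %s" % source)


def load(source, text):
    return [reflect(source, r) for r in csv.DictReader(io.StringIO(text))]


def norm(s):
    return " ".join(s.lower().split())


def strong_key(r):   # assumed strong enough to treat two records as one person
    return (norm(r["last"]), norm(r["first"]), r["dob"], r["ssn4"])


def weak_key(r):     # enough to suspect they might be; never enough to merge
    return (norm(r["last"]), r["dob"])


def join_identities(records):
    """Join: one registry identity per strong key. An identity seen in only one
    SoR whose weak key collides with another identity is held for review
    instead of being registered, so neither a wrong merge nor a wrong split
    reaches provisioning."""
    by_strong = defaultdict(list)
    for r in records:
        by_strong[strong_key(r)].append(r)
    identities_per_weak = defaultdict(set)
    for sk, recs in by_strong.items():
        identities_per_weak[weak_key(recs[0])].add(sk)

    registry, review = {}, []
    for sk, recs in by_strong.items():
        corroborated = len({r["source"] for r in recs}) > 1
        ambiguous = len(identities_per_weak[weak_key(recs[0])]) > 1
        if ambiguous and not corroborated:
            review.append({"records": recs,
                           "reason": "surname/DOB collide with another identity"})
            continue
        registry["reg-%d" % (len(registry) + 1)] = {
            "sources": sorted("%s:%s" % (r["source"], r["source_id"]) for r in recs),
            "affiliations": sorted({r["affiliation"] for r in recs}),
        }
    return registry, review


def demo():
    return join_identities(load("hr", HR_CSV) + load("student", STUDENT_CSV))
```

On the constructed feeds, Jane Doe joins across HR and Student into one identity with both affiliations, Robert Smith joins on the strong key, and "Rob Smith" (same surname and birthdate, different SSN digits) is queued for a person to resolve rather than silently merged into Robert or registered as a second Smith.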

Page 18: Terminology

• CSP - Credential Service Provider - A trusted entity issuing electronic credentials to subscribers (aka Identity Provider)

• RA - Registration Authority - Vouches for the identity of a subscriber to a CSP

• Identity Proofing - Process by which CSP and RA uniquely identify a person/entity

• RP - Relying Party - an entity relying upon the credentials issued by a CSP (aka Service Provider)

• LoA - Level of Assurance - Classification of ID proofing suitable for electronic use to control access to information

Page 19: What is a Federation?

• A collection of organizations, having implemented some form of Identity Management, where Credential Service Providers (CSP, Universities) and Service Providers (SP, Content Providers) agree to “rules of engagement” (policy and attributes) using federating software (Shibboleth, SAML, PKI)

Page 20: What is a Federation? (continued)

• Sounds simple? It can be. It can be made really complex, really fast.
• www.nmi-edit.org for more info
• CSPs and SPs retain control over their environments (identity data and access ctrl)
• www.InCommonFederation.org
  – Approx 25 participants, launched 4/2005
• Inqueue.internet2.edu
  – Testing/Playground for InCommon
  – >140 participants and growing

Page 21: Shibboleth and Federation

• A note from our sponsors: Internet2 and NSF Middleware Initiatives
• It’s real, uses SAML
• Open source, freely available
• Takes between 3 hours and 3 years to install, depending on IdM infra
• In production at various schools (duke!)
  – For internal apps & external Univ vendors
• shibboleth.internet2.edu
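The federation exchange described on pages 19 to 21, as an added example that is not Shibboleth code: a CSP (IdP) issues an attribute assertion for one SP, the SP (RP) checks it against federation metadata, and the access decision stays with the SP. The signature is an HMAC over a canonical JSON payload with a shared key, a deliberate stand-in for the XML signature and X.509 certificate a real SAML assertion carries; the entityIDs, the key, the attribute release policy and Lisa's attributes are all constructed.

```python
import hashlib
import hmac
import json

# Constructed federation metadata: which entityIDs are trusted IdPs and the key
# the SP uses to check their signatures. In Shibboleth this is the signed
# federation metadata carrying each IdP's X.509 certificate.
FEDERATION_METADATA = {
    "https://idp.example.edu/idp/shibboleth": {"role": "IdP", "key": b"constructed-idp-signing-key"},
}
SP_ENTITY_ID = "https://ereserves.example.org/shibboleth"
OTHER_SP_ENTITY_ID = "https://grades.example.org/shibboleth"

# Attribute release policy at the IdP: each SP gets only the attributes the
# federation's "rules of engagement" allow for it (constructed policy).
ATTRIBUTE_RELEASE_POLICY = {
    SP_ENTITY_ID: {"eduPersonAffiliation", "eduPersonScopedAffiliation"},
    OTHER_SP_ENTITY_ID: {"eduPersonScopedAffiliation"},
}


def canonical(payload):
    return json.dumps(payload, sort_keys=True, separators=(",", ":")).encode()


def idp_issue(issuer, key, audience, user_attrs, now, lifetime=300):
    """CSP side: authentication already happened at the IdP; emit an assertion
    of released attributes bound to one audience and a short validity window."""
    allowed = ATTRIBUTE_RELEASE_POLICY.get(audience, set())
    payload = {
        "issuer": issuer,
        "audience": audience,
        "not_before": now,
        "not_on_or_after": now + lifetime,
        "attributes": {k: v for k, v in user_attrs.items() if k in allowed},
    }
    sig = hmac.new(key, canonical(payload), hashlib.sha256).hexdigest()
    return {"payload": payload, "signature": sig}


def sp_validate(assertion, sp_entity_id, metadata, now):
    """RP side. The verification key is looked up in metadata by the claimed
    issuer, never taken from the assertion; audience and time checks stop an
    assertion meant for another SP, or a stale one, from being accepted."""
    p = assertion["payload"]
    entry = metadata.get(p.get("issuer"))
    if entry is None or entry["role"] != "IdP":
        return None, "issuer not in federation metadata"
    expected = hmac.new(entry["key"], canonical(p), hashlib.sha256).hexdigest()
    if not hmac.compare_digest(expected, assertion["signature"]):
        return None, "bad signature"
    if p["audience"] != sp_entity_id:
        return None, "audience mismatch"
    if not (p["not_before"] <= now < p["not_on_or_after"]):
        return None, "outside validity window"
    return p["attributes"], "ok"


def sp_authorize(attrs, required_affiliations):
    """Access control stays with the SP: the IdP vouches, the SP decides."""
    return attrs is not None and attrs.get("eduPersonAffiliation") in required_affiliations


def demo():
    idp = "https://idp.example.edu/idp/shibboleth"
    key = FEDERATION_METADATA[idp]["key"]
    now = 1130000000  # fixed clock so the results are reproducible
    lisa = {"eduPersonAffiliation": "student",                # constructed identity data
            "eduPersonScopedAffiliation": "student@example.edu",
            "displayName": "Lisa", "studentId": "S500"}
    good = idp_issue(idp, key, SP_ENTITY_ID, lisa, now)
    tampered = {"payload": dict(good["payload"]), "signature": good["signature"]}
    tampered["payload"]["attributes"] = {"eduPersonAffiliation": "faculty"}
    forged = idp_issue("https://rogue.example.net", b"attacker-key", SP_ENTITY_ID, lisa, now)
    for_other_sp = idp_issue(idp, key, OTHER_SP_ENTITY_ID, lisa, now)
    validated = sp_validate(good, SP_ENTITY_ID, FEDERATION_METADATA, now)
    return {
        "good": validated,
        "tampered": sp_validate(tampered, SP_ENTITY_ID, FEDERATION_METADATA, now),
        "wrong_audience": sp_validate(for_other_sp, SP_ENTITY_ID, FEDERATION_METADATA, now),
        "expired": sp_validate(good, SP_ENTITY_ID, FEDERATION_METADATA, now + 600),
        "unknown_issuer": sp_validate(forged, SP_ENTITY_ID, FEDERATION_METADATA, now),
        "ereserves_allowed": sp_authorize(validated[0], {"student", "faculty", "staff"}),
    }
```

The good assertion reaches the E-Reserves SP with only the two attributes the release policy permits (displayName and studentId never leave the IdP), and the four bad cases each fail on a different check: a changed affiliation breaks the signature, an assertion issued for the grades SP fails the audience check, a replay ten minutes later is outside the window, and an issuer absent from the metadata is rejected before its signature is even examined.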

Page 22: Inter-institutional integration

• Virtual Organizations (VOs)
  – GridShib development to enhance VOs working with institutional Identity Mgmt systems
• Federations
• Federal E-Authentication Initiative
• League of Federations
  – The Interfederation Interoperability Working Group (IIWG). Yes, it’s real.

Page 23: Outside Forces…

• Homeland Security Presidential Directive #12
  – Policy for a Common Identification Standard for Federal Employees and Contractors
  – States there will be mandatory, Government-wide standards for secure authentication (not just E)
• OMB E-Authentication Guidance M-04-04
• NIST Special Pub 800-63 (Electronic Authentication Guideline)
  – Defines 4 Levels of Assurance for E-Authentication. Impacts credentialing.
• Federal E-Authentication Initiative ***
• Credential Assessment Framework

Page 24: www.cio.gov/eauthentication

• US Government’s activity to implement HSPD-12 based on NIST SP800-63 to manage access to at least 24 major areas of service within the USG.

• It will utilize technologies based on SAML and PKI/X.509 (shibboleth, Bridge Certification Authority and Hierarchical PKI models, other technologies as appropriate)

Page 25: Credential Assessment Framework (CAF)

• Processes to assess the efficacy of a CSP. We, institutions of Higher Education, can all be seen as CSPs as well as Relying Parties for the services we offer ourselves and each other.

• CAF is really only concerned for CSPs used by the Federal eAuth activities but there are lots of interconnects between HE and Fed so it impacts us in many ways. Hence, various projects active.

Page 26: One key resource to help you start building the IdM infrastructure

• Enterprise Directory Implementation Roadmap: http://www.nmi-edit.org/roadmap/directories.html
• Parallel project planning paths:
  – Technology/Architecture
  – Policy/Management

Page 27: The Environment

(diagram) Systems of Record → Enterprise Directory → Apps / Resources, with Grouper, Signet and Shibboleth placed between the directory and the applications

Page 28: Questions?

Page 29: (no text on slide)

Page 30: Responding to requests: A new approach at UW-Madison

• Campus leaders are defining new ways of channeling and responding to requests
• Groups like the AuthNZ Coordinating Team (ACT) anticipate policy issues and sort through the concerns
• They route findings and recommendations to the CIO office
• The CIO Office takes the issue to an appropriate campus body*

Page 31: (no text on slide)

Page 32: Responding to requests: A new approach

• The Identity Management Leadership Group (IMLG) will provide leadership on IdM issues when responding to:
  – Submission and/or maintenance of information online
  – Privacy protection
  – Increased compliance demands
  – Increased security threats

Page 33: Why a new group?

• Technology is now more robust and services are considered foundational to the institution
• Broader scope, e.g., new populations
• New policy issues and more of them
• Need for flexibility and quick turn-around time