Identity Management: Practical Issues Associated with Sharing Federated Services
William A. Weems, The University of Texas Health Science Center at Houston
Slides: 17

Slide 2. What is the Collaborative Goal?
Make the sharing of restricted resources within an organization and across organizational boundaries as transparent to users as accessing public Web pages!

Slide 3. A Single Credential
Ideally, individuals would each like a single digital credential that can be securely used to authenticate his or her identity anytime authentication of identity is required to secure any transaction.

Slide 4. A Federated Credential
Allows a person to use her federated identity credential for single sign-on access to restricted service applications provided by federation members for which she has privileges.

Slide 5. Ideally, a digital credential must
• positively identify a person,
• include the person's permanent identifier,
• positively identify the certifying authority, i.e. the identity provider (IdP),
• be presentable only by the person it authenticates,
• be tamper proof, and
• be accepted by all systems.

Slide 6. What is Identity? Two Categories of Identity
• Physical Identity – Assigned Identifier – Authentication
  – Facial picture
  – Fingerprints
  – DNA sample
• Identity Attributes – Authorization Attributes
  – Common name
  – Address
  – Institutional affiliations, e.g. faculty, student, staff, contractor
  – Specific group memberships
  – Roles
  – Entitlements for specific services
  – Etc.

Slide 7. Identity Vetting & Credentialing
[Diagram: the Identity Provider (IdP) uth.tmc.edu, backed by a Permanent Identity Database, obtains the person's physical characteristics, assigns an everlasting identifier that is permanently bound to the person, and issues a digital credential that can be activated by that person only.]

Slide 8. UTHSC-H Identity Management System
[Diagram: source systems (HRMS, SIS, GMEIS, UTP, INDIS) feed Identity Reconciliation & Provisioning Processes, which populate the Person Registry and the Authoritative Enterprise Directories (OAC 7); these are synced to Secondary Directories (OAC 47, Guest, MS). Services shown: User Administration Tools, Authentication Service, Attribute Management, Authorization Service, Change Password.]

Slide 9. Federal E-Authentication Initiative
http://www.cio.gov/eauthentication/
• Levels of assurance (different requirements)
  – Level 1 – e.g. no identity vetting
  – Level 2 – e.g. specific identity vetting requirements
  – Level 3 – e.g. cryptographic tokens required
  – Level 4 – e.g. cryptographic hard tokens required
• Credential Assessment Framework Suite (CAF)

Slide 10. Federated Services: Identity Providers (IdP) & Resource Providers (RP)
[Diagram: Identity Providers uth.tmc.edu, utsystem.edu, bcm.edu, mdanderson.org and utmb.edu; Resource Providers library.tmc.edu, GMEIS (uth.tmc.edu) and Blackboard (uth.tmc.edu); a Federation Assertion Service, e.g. InCommon, and a Public Key Infrastructure linking them.]

Slides 11–14. [Image-only slides; no text recovered.]

Slide 15. Person Cannot Login to Their IdP Authentication Service
• Potential Problems:
  – Does not know which password is being requested.
    • Page must define which service is requesting the username/password pair, e.g. UTEID in the previous example.
    • Login page must describe a help resource.
  – Person typed password incorrectly.
    • Person is told that "Authentication Failed" and to re-enter his password.

Slide 16. Person Authenticated But Unauthorized
• Potential Problems:
  – A statement only that "You Are Not Authorized" leaves an individual from another institution in the dark.
    • Who should the person contact?
      – Someone at their home institution?
      – Someone at the service provider institution?
• Solution:
  – Error page should provide guidance.
    • e.g. If the service is a Blackboard LMS, a statement like "Contact the course instructor, organizational leader or appropriate registrar's office to receive authorization for access."

Slide 17. Multiple New Processes and Procedures to be Worked Through
• How are courses provisioned?
  – Manually: the BB administrator adds names and EPPNs (i.e. NetIDs) from lists provided by sources of authority (SOAs) at relying institutions for the appropriate courses?
  – Automatically: the Service Provider application (e.g. Blackboard) obtains authorization attributes from the IdP's attribute authority and provisions the BB courses with the appropriate student information?
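The following is an added example, not code from the deck or from UTHSC-H, that ties together the automatic-provisioning option on this slide, the credential properties on slide 5 (tamper proof, identifies the IdP, carries a permanent identifier) and the guidance-bearing error page on slide 16. It is a toy relying party: the assertion format, the per-IdP HMAC keys standing in for federation metadata, the entitlement-to-course mapping and the sample attribute statement are all constructed for the example; the attribute names eduPersonPrincipalName and eduPersonEntitlement are the standard eduPerson ones.

```python
import hashlib
import hmac
import json
from typing import Optional

# Constructed federation metadata (assumption): entityIDs of the identity
# providers this relying party trusts, each with a shared HMAC key. A real
# federation such as InCommon distributes signed metadata carrying public
# keys; the HMAC key is a stand-in so the example runs on the standard library.
FEDERATION_MEMBERS = {
    "uth.tmc.edu": b"constructed-key-uth",
    "utmb.edu": b"constructed-key-utmb",
}

# Constructed mapping (assumption) from an eduPersonEntitlement value released
# by the IdP's attribute authority to a Blackboard course the RP provisions.
COURSE_ENTITLEMENTS = {
    "urn:example:bb:course:BIOL101": "BIOL101",
    "urn:example:bb:course:CHEM201": "CHEM201",
}

# Guidance text taken from the "authenticated but unauthorized" slide.
UNAUTHORIZED_GUIDANCE = (
    "Contact the course instructor, organizational leader or appropriate "
    "registrar's office to receive authorization for access."
)


def sign_assertion(issuer: str, attributes: dict, key: bytes) -> dict:
    """IdP side: wrap an attribute statement in a tamper-evident envelope."""
    payload = json.dumps({"issuer": issuer, "attributes": attributes},
                         sort_keys=True)
    sig = hmac.new(key, payload.encode(), hashlib.sha256).hexdigest()
    return {"payload": payload, "signature": sig}


def verify_assertion(assertion: dict) -> Optional[dict]:
    """RP side: accept only untampered assertions from a federation member."""
    payload = assertion["payload"]
    data = json.loads(payload)
    key = FEDERATION_MEMBERS.get(data.get("issuer"))
    if key is None:
        return None  # unknown IdP: not in federation metadata
    expected = hmac.new(key, payload.encode(), hashlib.sha256).hexdigest()
    if not hmac.compare_digest(expected, assertion["signature"]):
        return None  # signature mismatch: payload altered after issuance
    return data


def provision(assertion: dict) -> dict:
    """Decide what the RP does with the assertion, and say why."""
    data = verify_assertion(assertion)
    if data is None:
        return {"status": "rejected",
                "message": "Assertion is not from a federation member "
                           "or has been tampered with."}
    attrs = data["attributes"]
    eppn = attrs.get("eduPersonPrincipalName", "")
    # Scoped-attribute check: the scope after '@' must match the issuing IdP,
    # so one member cannot assert principals that belong to another member.
    if "@" not in eppn or eppn.rsplit("@", 1)[1] != data["issuer"]:
        return {"status": "rejected",
                "message": "eduPersonPrincipalName scope does not match issuer."}
    courses = sorted(COURSE_ENTITLEMENTS[e]
                     for e in attrs.get("eduPersonEntitlement", [])
                     if e in COURSE_ENTITLEMENTS)
    if not courses:
        # Authenticated but unauthorized: name the home IdP and the service
        # and tell the user whom to contact, instead of a bare "Not Authorized".
        return {"status": "unauthorized", "eppn": eppn,
                "message": (f"{eppn} authenticated via {data['issuer']} but "
                            f"holds no course entitlement. {UNAUTHORIZED_GUIDANCE}")}
    return {"status": "provisioned", "eppn": eppn, "courses": courses}


if __name__ == "__main__":
    # Constructed sample attribute statement released by uth.tmc.edu.
    good = sign_assertion("uth.tmc.edu", {
        "eduPersonPrincipalName": "jdoe@uth.tmc.edu",
        "eduPersonAffiliation": ["student"],
        "eduPersonEntitlement": ["urn:example:bb:course:BIOL101"],
    }, FEDERATION_MEMBERS["uth.tmc.edu"])
    print(provision(good))
```

The three rejection paths correspond to the three failure modes a relying party has to distinguish: an issuer that is not in the federation, an assertion whose contents no longer match its signature, and a principal whose scope does not belong to the IdP that vouched for it. Only after those pass does the attribute-to-course mapping run, and an authenticated user with no matching entitlement gets the slide-16 style message rather than an opaque denial.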