NMI-EDIT and Rice University
Federated Identity Management: Managing Access to Resources in Texas
Barry Ribbeck, Director, System Architecture and Infrastructure, Rice University
Copyright Barry R. Ribbeck 2005. This work is the intellectual property of the author. Permission is granted for this material to be shared for non-commercial, educational purposes, provided that this copyright statement appears on the reproduced materials and notice is given that the copying is by permission of the author. To disseminate otherwise or to republish requires written permission from the author.

Key Points
Institutions implementing identity management should consider how their local policies, processes, and technology deployments can be leveraged to participate in broader higher education federations. This session offers information about the UT federation, as well as participating campus policy structures, technology implementations, and caveats to automation. This session is sponsored by the NMI-EDIT Consortium of EDUCAUSE, Internet2, and SURA.

Events in Texas – UT Federation
16 institutions under one governing board
No legal issues (all under the state OGC)
Policy requirements
§ Identity trusts
§ Attribute release and data exchange
§ Logging and appropriate use
Current use
§ Inter-campus wireless access
§ Access to inter-campus security information
§ Access to cross-campus applications
§ Library resources

Extending the Reach Grant – 2 goals
§ Outreach
§ Case studies
• Small school identity management – UT Tyler
• HAM-TMC Library – Shibboleth-enabled EZProxy
• UTHSC-Houston / Baylor CoM – resident evaluation application sharing

What we learned
§ Policies need to be updated
§ New procedures need to be outlined
§ A common understanding of identity management needs to be in place
§ Use cases exist already – you need a champion to drive them to production using the federated model
§ Good project management and cross-institutional goal setting are required
§ Go for the easy wins – once the infrastructure is in place, others will quickly follow

How to approach policies
Leverage what is already in place
§ Most institutions that already have a use case don't need to reinvent the wheel to create inter-institutional policies and procedures. These already exist; the current policy or procedure just needs to be extended to take into consideration the elements added by electronic commerce.

Policies/Procedures – What should be there
An understanding of each institution's methods for identity management
Definitions of procedures for
§ How a valid user on campus is defined
§ How user accounts are managed
§ Agreement on how attributes will be populated (eduPerson)
§ How each institution manages guest accounts
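What the "identity trusts" and "attribute release" policy items, and the agreement on how eduPerson attributes are populated, come down to at the resource provider is that a scoped value is only as trustworthy as the institution asserting it. The following is an added example, not code from the slides or from Shibboleth: a service-provider-side filter that accepts a scoped eduPerson value only when its scope is registered to the asserting IdP, then authorizes on what survives. The IDP_SCOPES table stands in for federation metadata; every entityID, scope and attribute value is constructed.

```python
"""Added example: service-provider-side acceptance of scoped eduPerson attributes.

A scoped value such as "staff@example-a.edu" is only meaningful if the IdP that
asserted it is the one registered for the scope "example-a.edu"; an SP that
skips this check lets any federation member claim affiliations at any other.
IDP_SCOPES stands in for the federation metadata; every entityID, scope and
attribute value below is constructed for the example.
"""

# Constructed stand-in for federation metadata: entityID -> scopes the IdP may assert.
IDP_SCOPES = {
    "https://idp.example-a.edu/idp/shibboleth": {"example-a.edu"},
    "https://idp.example-b.edu/idp/shibboleth": {"example-b.edu", "med.example-b.edu"},
}

# eduPerson attributes whose values carry a "@scope" suffix.
SCOPED_ATTRIBUTES = {"eduPersonPrincipalName", "eduPersonScopedAffiliation"}


def split_scoped(value):
    """Return (local_part, scope) or None if the value is not exactly local@scope."""
    if value.count("@") != 1:
        return None
    local, scope = value.split("@")
    if not local or not scope:
        return None
    return local, scope.lower()


def filter_attributes(issuer, attributes):
    """Keep only the values the asserting IdP is entitled to make.

    Returns (accepted, rejected). Unscoped attributes pass through unchanged;
    scoped values must be well-formed and carry a scope registered for the
    issuer. An issuer absent from the metadata is a hard error, not an empty set.
    """
    allowed = IDP_SCOPES.get(issuer)
    if allowed is None:
        raise ValueError(f"issuer not in federation metadata: {issuer}")
    accepted, rejected = {}, []
    for name, values in attributes.items():
        if name not in SCOPED_ATTRIBUTES:
            accepted[name] = list(values)
            continue
        kept = []
        for value in values:
            parts = split_scoped(value)
            if parts is None or parts[1] not in allowed:
                rejected.append((name, value))
                continue
            kept.append(value)
        if kept:
            accepted[name] = kept
    return accepted, rejected


def is_authorized(accepted, permitted=frozenset({"member", "faculty", "staff", "student"})):
    """Authorize on the local part of the scoped affiliations that survived filtering."""
    affiliations = {
        split_scoped(value)[0].lower()
        for value in accepted.get("eduPersonScopedAffiliation", [])
    }
    return bool(affiliations & permitted)


# Constructed assertion: IdP B releases one value it owns and one in IdP A's scope.
SAMPLE_ISSUER = "https://idp.example-b.edu/idp/shibboleth"
SAMPLE_ATTRIBUTES = {
    "eduPersonPrincipalName": ["jdoe@example-b.edu"],
    "eduPersonScopedAffiliation": ["staff@example-a.edu", "affiliate@med.example-b.edu", "nobody"],
    "mail": ["jdoe@example-b.edu"],
}

if __name__ == "__main__":
    accepted, rejected = filter_attributes(SAMPLE_ISSUER, SAMPLE_ATTRIBUTES)
    print("accepted:", accepted)
    print("rejected:", rejected)
    print("authorized:", is_authorized(accepted))
```

Rejected values are returned rather than silently dropped so they can be logged; a federation partner repeatedly asserting another member's scope is exactly the kind of event the "logging and appropriate use" requirement exists to catch.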

Some hints for identity management
Allow source systems to define the user's relationship with the institution
§ Rules are transitive across systems
§ Procedures already exist
§ Vetting processes may need some tweaking
§ Involve source system managers in the process

Security and Privacy
§ What about privacy after the attribute exchange?
§ Require an inter-institutional acceptable use policy? – maybe, it depends!
§ How is the metadata collected and protected by the resource provider?
§ What about cross-institutional members – people who already have an identity defined at both institutions?

Post-encounter procedures – Application Provider
§ How are systems de-provisioned?
§ What happens to the data from previous encounters?
§ What document retention requirements exist?
§ How long is log data maintained?
§ Are there opt-out procedures?
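The de-provisioning, data retention and log retention questions above share one constraint: the application provider is never told that a person has left their home institution; it only stops seeing fresh federated logins for them. The following is an added example, not code from the slides: the local record of a federated user is treated as a lease that each successful login renews, dormant records are disabled after an agreed idle window, stored data is purged after the retention period, and the audit log is trimmed on its own schedule. The record shape, the windows and the sample timeline are all constructed.

```python
"""Added example: idle-based de-provisioning and retention at a federated application.

The application provider never receives a "this person left" signal from the
home institution; it only stops seeing fresh, successful federated logins.  The
local record of a federated user is therefore a lease that each login renews.
Record shape, windows and the sample timeline are constructed.
"""
from dataclasses import dataclass, field
from datetime import datetime, timedelta, timezone

T0 = datetime(2005, 1, 1, tzinfo=timezone.utc)   # constructed epoch for the sample timeline


def days_after(n):
    return T0 + timedelta(days=n)


@dataclass
class ShadowAccount:
    persistent_id: str                 # identifier the home IdP releases for this person
    issuer: str                        # entityID of the asserting IdP
    last_login: datetime
    disabled: bool = False
    local_data: dict = field(default_factory=dict)   # whatever the app stored about the person


class FederatedAccountStore:
    def __init__(self, idle_window, data_retention, log_retention):
        self.idle_window = idle_window          # disable after this long without a login
        self.data_retention = data_retention    # purge stored data this long after disabling
        self.log_retention = log_retention      # drop audit entries older than this
        self.accounts = {}                      # "issuer!persistent_id" -> ShadowAccount
        self.audit_log = []                     # (timestamp, message)

    def record_login(self, persistent_id, issuer, now, data=None):
        """Call only after a fresh, successful federated authentication."""
        key = f"{issuer}!{persistent_id}"
        acct = self.accounts.get(key)
        if acct is None:
            acct = ShadowAccount(persistent_id, issuer, now)
            self.accounts[key] = acct
        acct.last_login = now
        acct.disabled = False          # the home IdP still vouches for the person
        if data:
            acct.local_data.update(data)
        self.audit_log.append((now, f"login {key}"))
        return acct

    def is_active(self, persistent_id, issuer):
        acct = self.accounts.get(f"{issuer}!{persistent_id}")
        return acct is not None and not acct.disabled

    def sweep(self, now):
        """Disable dormant accounts, purge data past retention, trim the audit log."""
        disabled, purged = [], []
        for key, acct in self.accounts.items():
            idle = now - acct.last_login
            if not acct.disabled and idle > self.idle_window:
                acct.disabled = True
                disabled.append(key)
                self.audit_log.append((now, f"disable {key} after {idle.days} idle days"))
            if acct.disabled and acct.local_data and idle > self.idle_window + self.data_retention:
                acct.local_data.clear()
                purged.append(key)
                self.audit_log.append((now, f"purge {key}"))
        cutoff = now - self.log_retention
        self.audit_log = [entry for entry in self.audit_log if entry[0] >= cutoff]
        return disabled, purged


def demo():
    """Constructed timeline: two users, one of whom goes dormant."""
    store = FederatedAccountStore(timedelta(days=90), timedelta(days=365), timedelta(days=180))
    store.record_login("pid-alice", "https://idp.example-a.edu/idp/shibboleth", days_after(0), {"notes": "x"})
    store.record_login("pid-bob", "https://idp.example-b.edu/idp/shibboleth", days_after(80))
    first = store.sweep(days_after(100))    # alice idle 100 days -> disabled; bob still active
    second = store.sweep(days_after(500))   # alice purged; bob disabled; old audit entries trimmed
    return store, first, second


if __name__ == "__main__":
    store, first, second = demo()
    print("first sweep:", first)
    print("second sweep:", second)
    print("audit entries kept:", len(store.audit_log))
```

The point of keying the record by issuer plus persistent identifier, rather than by a local username, is that re-activation can only happen through a fresh assertion from the home IdP; there is no local path back to "active" once the home institution stops vouching for the person.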

Technology
§ Shibboleth does a great job at attribute exchange – what about authentication LOA (level of assurance)?
§ Error diagnostics – better
§ Changing the way we work and do support
§ Private attribute extensions?
§ How are people identified when they really need to be identified – is eppn (eduPersonPrincipalName) sufficient?
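On the question of whether eppn is sufficient: eduPersonPrincipalName is readable and scoped to the home institution, but an institution may reassign it, and because every service receives the same value it links a person's activity across services. Where a service must recognise the same person reliably over time, the IdP can release, alongside eppn, an opaque identifier derived from an immutable internal source identifier, the service's entityID and a secret salt (the role eduPerson's eduPersonTargetedID plays). The following is an added example, not code from the slides: the HMAC construction, the salt, the entity IDs and the directory entries are this example's own choices, not Shibboleth's exact algorithm.

```python
"""Added example: pairing eppn with an opaque, per-service persistent identifier.

The HMAC construction, the salt and the entity IDs are this example's own
choices, not Shibboleth's exact algorithm.  The directory entries are constructed.
"""
import base64
import hashlib
import hmac

# Secret kept by the IdP; constructed for the example, a real one would be random and never shared.
IDP_SALT = b"constructed-idp-salt-do-not-reuse"

# Constructed service entity IDs (the kind of SPs named in the case studies).
SP_LIBRARY = "https://ezproxy.example-lib.edu/shibboleth"
SP_EVALUATION = "https://eval.example-med.edu/shibboleth"


def persistent_id(source_id, sp_entity_id, salt=IDP_SALT):
    """Opaque identifier: stable for one (person, SP) pair, unlinkable across SPs.

    Keyed on the immutable source id, so renaming or reassigning the eppn
    neither changes it nor lets a newcomer inherit it.
    """
    message = f"{sp_entity_id}!{source_id}".encode("utf-8")
    digest = hmac.new(salt, message, hashlib.sha256).digest()
    return base64.b64encode(digest).decode("ascii")


def release_bundle(directory_entry, sp_entity_id):
    """What the IdP releases to one SP: the readable eppn plus the per-SP persistent id."""
    return {
        "eduPersonPrincipalName": directory_entry["eppn"],
        "eduPersonTargetedID": persistent_id(directory_entry["source_id"], sp_entity_id),
    }


def demo():
    """Constructed timeline: a rename, then reuse of the old eppn by a different person."""
    # source_id never changes; eppn is an assignable handle.
    directory = {"uuid-0001": {"source_id": "uuid-0001", "eppn": "jsmith@example-a.edu"}}
    before = release_bundle(directory["uuid-0001"], SP_LIBRARY)

    directory["uuid-0001"]["eppn"] = "jane.smith@example-a.edu"        # person renamed
    after_rename = release_bundle(directory["uuid-0001"], SP_LIBRARY)

    directory["uuid-0002"] = {"source_id": "uuid-0002", "eppn": "jsmith@example-a.edu"}  # old eppn reused
    newcomer = release_bundle(directory["uuid-0002"], SP_LIBRARY)

    elsewhere = release_bundle(directory["uuid-0001"], SP_EVALUATION)   # same person, other SP
    return before, after_rename, newcomer, elsewhere


if __name__ == "__main__":
    for label, bundle in zip(("before", "after rename", "newcomer", "other SP"), demo()):
        print(f"{label:13s} {bundle}")
```

The service keys its own records on the targeted ID and uses eppn only for display and contact; with eppn alone, the newcomer in the demo would inherit the previous holder's records.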

Identity Management – Trust Foundations Summary
§ We need to know who OUR people are before we can allow others to trust us.
§ We need automation to enhance account management and make our process trustworthy.
§ We need accurate data from source systems in order to trust federated authorization decisions.
§ We need to know that when a person leaves an institution that we trust, they no longer have access to our systems.

Where do we start? – Sharing
§ NMI-EDIT – Directory Roadmap
§ NMI-EDIT – Authentication Roadmap
§ EDUCAUSE – Policies and Security
§ Internet2 – Shibboleth and Security Task Force

NMI-EDIT and Rice University – Contact Information
Barry Ribbeck, bribbeck@rice.edu