Collaboration: Identity and Access Management
Lori Stevens, University of Washington
16-17 October 2007
What is IAM?
• Critical IT infrastructure
• Intersection of what network engineers don’t want to do *with* what app developers don’t want to do
• Combines technologies, business processes, governance, and policies to:
– Manage digital identities
– Specify how ids access resources
Terminology
• Authentication: says who you are
• Authorization: says what you can do
• Credentials: what you provide as ID
• Federation: collection of orgs that agree to operate under a certain rule-set
Terminology
• Identification: process by which information about a person is used to provide some LOA
• Level of Assurance (LOA): degree of certainty that someone is who they say they are
– Low is OK for some things
– For patient information (PHI), need high
What drives the need?
• Collaboration
• Research and education, governments, global health, …
• Administrative applications
• Growing complexity and the need to simplify
• Risk mitigation
IAM-supported Collaboration
• Wiki, blog, email, calendar, IM
• Document sharing/editing
• Phone/videoconference
• Data sharing
• More about outreach, ease of access, enablement
Why is IAM necessary?
• To ensure the intended people access intended services
• Organizations have to manage users/ids efficiently and accurately
– While enabling them to get their work done
• Digital IDs are taking on an increasingly important role for how we collaborate and share networked resources
Identity Management Trends
• Pervasive in business processes
• Inserting NetIDs as early as possible
– e.g. NetIDs for student applicants, contractors, etc.
– Identities/NetIDs useful for life, e.g. alumni, retirees
Sources of Information
• Human Resource db
• Research/grants db
• Student db
• Other dbs provide info about affiliations
Person Registry
• Is knowing someone is a student enough?
• Is this person an employee and a student?
• Is this person affiliated with the institution?
Federated Authentication
• Scholarship is global
• Less allegiance to institution, more to research
• Worldwide peers, now the norm
• Access to partners is now:
– Simple and more flexible
– More secure
What is Shibboleth?
• Standards-based (SAML) Web SSO pkg
• Open Source
• Uses local IdM system to get to campus and other institutions’ apps
• Protects user’s privacy and inst’s data
• Plays well with others, helps svc partners
Federations
• Usually HE but doesn’t need to be limited
• Mostly Shib-based, not all though
• Use cases:
– content access
– collaboration support
– wireless roaming
Identity Lifecycle Management
• Managing users
• One NetID per person
• Credentials
• Provisioning
• Enabling self-service
Managing Identity
• Provision accounts
• Associate accounts with identities/people
• Groups are created and managed
• Accounts are given privileges
• Credentials are issued
• Authn, Authz, and Federation happen
Group and Access Management
• Several sources determine where a person fits
• A person belongs to several groups
• One person often has several affiliations
• Access can be based on:
– Affiliation
– Group membership
– Roles
– Privileges
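To make the person-registry and access-management slides concrete, here is an added example (not code from the presentation) that merges constructed HR, student and grants records into one registry entry per NetID and then answers access questions from affiliation, group membership, role and LOA; every record, group name, resource and LOA value below is an assumption made up for illustration.

```python
from dataclasses import dataclass, field

# Constructed sample source records (not real data); each system has its own
# local key and the registry links them to one NetID per person.
HR_DB = [{"emp_id": "E100", "netid": "jdoe", "status": "active"}]
STUDENT_DB = [{"sid": "S77", "netid": "jdoe", "enrolled": True}]
GRANTS_DB = [{"netid": "asmith", "role": "PI", "grant": "G-12"}]
GROUPS = {"course:BIO101": {"jdoe"}, "dept:Medicine": {"jdoe"}}

@dataclass
class Person:
    netid: str
    affiliations: set = field(default_factory=set)
    roles: set = field(default_factory=set)

def build_registry():
    """Merge the business sources into one registry record per NetID."""
    reg = {}
    def person(netid):
        return reg.setdefault(netid, Person(netid))
    for r in HR_DB:
        if r["status"] == "active":
            person(r["netid"]).affiliations.add("employee")
    for r in STUDENT_DB:
        if r["enrolled"]:
            person(r["netid"]).affiliations.add("student")
    for r in GRANTS_DB:
        person(r["netid"]).affiliations.add("researcher")
        person(r["netid"]).roles.add(r["role"])
    return reg

# Per-resource rule: affiliation, group or role required, plus minimum LOA
# (constructed scale 1-3; PHI needs the high level, as the slides say).
POLICY = {
    "wiki": {"affiliation": {"student", "employee", "researcher"}, "loa": 1},
    "phi-records": {"group": "dept:Medicine", "loa": 3},
    "grant-data": {"role": "PI", "loa": 2},
}

def authorize(reg, netid, resource, loa):
    """Deny unless the registry record and LOA satisfy every part of the rule."""
    p, rule = reg.get(netid), POLICY[resource]
    if p is None or loa < rule["loa"]:
        return False
    if "affiliation" in rule and not (p.affiliations & rule["affiliation"]):
        return False
    if "group" in rule and netid not in GROUPS.get(rule["group"], set()):
        return False
    return "role" not in rule or rule["role"] in p.roles
```

The same person (jdoe) is both employee and student, so the registry, not any single source database, is what answers "is this person affiliated with the institution?".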
Access Management
• Authentication:
– Single sign-on, fewer sign-ons
– LOA, # of credentials
• Federation and trust
• Authorization:
– access control, role-based, federation
• Security auditing
Enterprise IAM Infrastructure
• Enterprise user database
– Person registry, directory driven from large business sources, e.g. staff, student, affiliates
• Enterprise group management
– Driven from business sources, e.g. courses, departments, ad-hoc
• Enterprise privilege management
– Delegated, role/function/affiliation-based
Consolidation supports Collaboration
• Provides a centrally-coordinated service
– Allows for distributed management of content
– No need to manage multiple instances
– Single place for auditing and reporting
– Eases mgmt of security issues for apps
– One set of tools and data for apps
• The stuff of academic life and often inter-institutional
Challenges with Centralizing
• Governance, mgmt of data
• Defining rules, delegation
• Compliance and regulations
• Consensus and support for central svcs
• Responsibility and accountability
Policy and Governance Questions
• Who is responsible for IDM?
• What collaboration scenarios are important to Research and Education?
• Who will approve policies?
• Who is part of the federation?
• Who decides and develops policies?
• Who owns the source data?
Technical Challenges
• Delivering information to apps
• Mobility, portability
– anywhere, anyhow, anytime computing
• Interface consistency cross-location
• Diversity of apps and platforms
• Advanced app requirements
• Interoperability
IAM Benefits
• Supports collaboration
• Enables global federated authentication
• Simplifies and secures
• Reduces help desk load
• Enables
– Shared management
– Operating efficiencies
Advancing IAM Efforts
• Fostering technical standards
• Aggregating and disseminating technical design and implementation strategies
• Fostering opportunities for others to deploy products
• Integrating efforts with specific scientific and research communities
Resources
• http://www.terena.org/activities/tf-emc2/
• middleware.internet2.org
• http://middleware.internet2.edu/MACE/
• www.nmi-edit.org/roadmap/draft-authn-roadmap-03/
Questions?