EuroCAMP: Porto
An Introduction to Identity and Access Management
Borrowed from
Keith Hazelton ([email protected])
Sr. IT Architect, University of Wisconsin-Madison
Ken Klingenstein
Director, Internet2 Middleware and Security
Topics
• What is Identity Management (IdM)?
• The IdM Stone Age
• A better vision for IdM
– An aside on the value of affiliation / group / privilege management services
• Basic IdM functions mapped to open source components
• Demands on IT and how IdM services help
Identity and Access Management (IAM) defined
• What is Identity Management?
“Identity management is the set of business processes, and a supporting infrastructure, for the creation, maintenance, and use of digital identities.” (The Burton Group, a research firm specializing in IT infrastructure for the enterprise)
• Identity Management in this sense is often called “Identity and Access Management” (IAM)
• What problems do Identity and Access Management address?
IAM is…
• “Hi! I’m Lisa.” (Identity)
• “…and here’s my NetID / password to prove it.” (Authentication)
• “I want to do some E-Reserves reading.” (Authorization: allowing Lisa to use the services for which she’s authorized)
• “And I want to change my grade in last semester’s Physics course.” (Authorization: preventing her from doing things she’s not supposed to do)
IAM is also…
• New hire, Assistant Professor Alice
– Department wants to give her an email account before her appointment begins so they can get her off to a running start
• How does she get into our system and get set up with the accounts and services appropriate to faculty?
What questions are common to these scenarios?
• Are the people using these services who they claim to be?
• Are they a member of our campus community?
• Have they been given permission?
• Is their privacy being protected?
• Policy/process issues lurk nearby
The IAM Stone Age
• List of functions:
– AuthN: Authenticate principals (people, servers) seeking access to a service or resource
– Log: Track access to services/resources
The IAM Stone Age
• Every application for itself in performing these functions
• User list, credentials, if you’re on the list, you’re in (AuthN is authorization (AuthZ))
• And some identifiers are assigned nationally, with uncertain value locally
Vision of a better way to do IAM
• IAM as a middleware layer at the service of any number of applications
• Requires an expanded set of basic functions
– Reflect: Track changes to institutional data from changes in Systems of Record (SoR) & other IdM components
– Join: Establish & maintain person identity across SoR
– Credential: issue digital credentials to people in the community
– …
Basic IAM functions mapped to the NMI / MACE components
[Diagram: Systems of Record (Student, HR, Other) and the Enterprise Directory (Registry, LDAP)]
Your Digital Identity and The Join
• The collection of bits of identity information about you in all the relevant IT systems at your institution
• For any given person in your community, do you know which entry in each system’s data store carries bits of their identity?
• If more than one system can “create a person record,” you have identity fragmentation
The pivotal concept of IAM: The Join
• Identity fragmentation cure #1: The Join
• Use business logic to
– Establish which records correspond to the same person
– Maintain that identity join in the face of changes to data in collected systems
Identity Information Access
• Some direct from the Enterprise Directory via reflection from SoR
• Other bits need to be made reachable by identifier crosswalks

Registry ID   Sys A ID   Sys B ID   Sys C ID   Sys D ID
3a104e59      fsmith32   86443      freds      864164
8c2f916d      abecker1   45209      amyb       752731
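The Join (previous slide) and the identifier crosswalk (this slide) are two halves of one mechanism: business logic decides which Systems-of-Record records describe the same person, and the registry then holds every local identifier for that person so any system's ID can be translated into any other's. The following Python is an added illustration of both, not code from the slides or from any NMI / MACE component. The record layout, the matching rules (shared national ID first, otherwise normalised surname + given name + date of birth), the hashed registry ID and all sample people are assumptions made for this example.

```python
"""Identity join and identifier crosswalk (added example; records are constructed)."""
import hashlib
import unicodedata
from dataclasses import dataclass, field
from typing import Optional


@dataclass(frozen=True)
class SorRecord:
    system: str                      # which System of Record this came from
    local_id: str                    # that system's own identifier
    given: str
    surname: str
    dob: str                         # ISO date, e.g. "1985-03-02"
    national_id: Optional[str] = None


@dataclass
class Person:
    registry_id: str
    local_ids: dict = field(default_factory=dict)   # system -> local_id


def _norm(text: str) -> str:
    """Fold case and accents so 'Müller' and 'MULLER' compare equal."""
    ascii_text = unicodedata.normalize("NFKD", text).encode("ascii", "ignore").decode()
    return "".join(ch for ch in ascii_text.lower() if ch.isalnum())


def name_key(rec: SorRecord) -> tuple:
    return (_norm(rec.surname), _norm(rec.given), rec.dob)


class Registry:
    """The one place that knows every local identifier a person has."""

    def __init__(self) -> None:
        self.persons: dict = {}        # registry_id -> Person
        self._by_nid: dict = {}        # national_id -> Person
        self._by_name: dict = {}       # name_key -> Person

    @staticmethod
    def _new_registry_id(rec: SorRecord) -> str:
        # Opaque, stable ID derived from the first record seen (hashing is an assumption)
        return hashlib.sha256(f"{rec.system}:{rec.local_id}".encode()).hexdigest()[:8]

    def join(self, rec: SorRecord) -> Person:
        """Attach rec to an existing person, or create a new person entry."""
        person = self._by_nid.get(rec.national_id) if rec.national_id else None
        if person is None:                       # rule 2: name + date of birth
            person = self._by_name.get(name_key(rec))
        if person is None:                       # nobody matched: new person
            person = Person(self._new_registry_id(rec))
            self.persons[person.registry_id] = person
        person.local_ids[rec.system] = rec.local_id   # re-joining the same record is harmless
        if rec.national_id:
            self._by_nid[rec.national_id] = person
        self._by_name[name_key(rec)] = person
        return person

    def crosswalk(self, systems: list) -> list:
        """Rows of (registry_id, local ID in each system, '-' where the person is absent)."""
        return [(p.registry_id,) + tuple(p.local_ids.get(s, "-") for s in systems)
                for p in self.persons.values()]

    def resolve(self, system: str, local_id: str, target_system: str) -> Optional[str]:
        """Translate an identifier from one system into another via the registry."""
        for p in self.persons.values():
            if p.local_ids.get(system) == local_id:
                return p.local_ids.get(target_system)
        return None


# Constructed sample records: three SoRs, two real people.
SAMPLE_RECORDS = [
    SorRecord("student", "86443", "Fred", "Smith", "1985-03-02", national_id="NID-111"),
    SorRecord("hr", "fsmith32", "fred", "SMITH", "1985-03-02"),                    # no national ID: joined by name + DOB
    SorRecord("library", "freds", "Frederick", "Smith", "1985-03-02", "NID-111"),  # different given name: joined by national ID
    SorRecord("student", "45209", "Amy", "Becker", "1990-07-19", national_id="NID-222"),
    SorRecord("hr", "abecker1", "Amy", "Becker", "1990-07-19", national_id="NID-222"),
]


def build_registry(records=SAMPLE_RECORDS) -> Registry:
    reg = Registry()
    for rec in records:
        reg.join(rec)
    return reg


if __name__ == "__main__":
    reg = build_registry()
    for row in reg.crosswalk(["student", "hr", "library"]):
        print("  ".join(f"{cell:<10}" for cell in row))
```

The two matching rules are deliberately ordered: a shared strong identifier is trusted before a name-and-birthdate match, because the latter can merge two different people with the same name and date of birth. In a real registry that case is flagged for a human rather than auto-joined.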
Identity Fragmentation Cure #2
• When you can’t integrate, federate
• Federated Identity & Access Management
– Rely on the Identity Management infrastructure of one or more institutions or units
– To authenticate and pass authorization-related information to service providers or resource hosts
– Via institution-to-provider agreements
– Facilitated by common membership in a federation (like InCommon)
• Shibboleth is a way to move the authNZ info between parties
Basic IAM functions mapped to the NMI / MACE components
[Diagram: Systems of Record; Enterprise Directory; Grouper, Signet; A-Select, CAS, etc.; Shibboleth; Apps / Resources]
Vision of a better way to do IAM
• More in the expanded set of basic functions
– Mng. Affil.: Manage affiliation and group information
– Mng. Priv.: Manage privileges and permissions at system and resource level
Managing Roles & Privileges
Grouper / Signet
Role-Based Access Control (RBAC) model
• Users are placed into groups
• Privileges are assigned to groups
• Groups can be arranged into hierarchies to effectively bestow privileges
• Signet manages privileges
• Grouper manages, well, groups
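The RBAC model on this slide separates three concerns: group membership (Grouper's job), privileges granted to groups (Signet's job), and the allow/deny decision an application asks for. The Python below is an added example of that split, not code from Grouper or Signet. GroupStore stands in for the group manager, including nested groups so that a privilege granted to "faculty" reaches everyone in "physics-faculty"; PrivilegeStore stands in for the privilege manager; authorize() is the decision. Group names, users and privileges are constructed for the example, and the "*" wildcard resource is an assumption.

```python
"""RBAC with nested groups (added example; names and privileges are constructed)."""
from collections import defaultdict


class GroupStore:
    """Groups contain users and may themselves be members of other groups."""

    def __init__(self) -> None:
        self._users = defaultdict(set)    # group -> direct user members
        self._parents = defaultdict(set)  # child group -> groups it is a member of

    def add_user(self, group: str, user: str) -> None:
        self._users[group].add(user)

    def remove_user(self, group: str, user: str) -> None:
        self._users[group].discard(user)

    def nest(self, parent: str, child: str) -> None:
        """Every member of child becomes, transitively, a member of parent."""
        self._parents[child].add(parent)

    def effective_groups(self, user: str) -> set:
        """Direct groups plus all groups reachable through nesting (cycle-safe)."""
        stack = [g for g, members in self._users.items() if user in members]
        seen = set()
        while stack:
            group = stack.pop()
            if group in seen:
                continue
            seen.add(group)
            stack.extend(self._parents.get(group, ()))
        return seen


class PrivilegeStore:
    """Privileges are (action, resource) pairs granted to groups, never to users."""

    def __init__(self) -> None:
        self._grants = defaultdict(set)   # group -> {(action, resource)}

    def grant(self, group: str, action: str, resource: str) -> None:
        self._grants[group].add((action, resource))

    def revoke(self, group: str, action: str, resource: str) -> None:
        self._grants[group].discard((action, resource))

    def permits(self, groups: set, action: str, resource: str) -> bool:
        wanted = {(action, resource), (action, "*")}   # "*" means any resource
        return any(self._grants.get(g, set()) & wanted for g in groups)


def authorize(groups: GroupStore, privs: PrivilegeStore,
              user: str, action: str, resource: str) -> bool:
    """Deny by default; allow only if some effective group holds the privilege."""
    return privs.permits(groups.effective_groups(user), action, resource)


def build_demo():
    """Lisa (student) and Alice (physics faculty) from the earlier slides, plus a registrar."""
    groups, privs = GroupStore(), PrivilegeStore()
    groups.nest("campus-community", "students")
    groups.nest("campus-community", "faculty")
    groups.nest("faculty", "physics-faculty")
    groups.add_user("students", "lisa")
    groups.add_user("physics-faculty", "alice")
    groups.add_user("registrar-staff", "bob")
    privs.grant("campus-community", "read", "ereserves")     # everyone on campus
    privs.grant("faculty", "submit", "grades:physics-101")   # inherited by physics-faculty
    privs.grant("registrar-staff", "edit", "*")              # registrar may edit any record
    return groups, privs


if __name__ == "__main__":
    groups, privs = build_demo()
    for user, action, resource in [("lisa", "read", "ereserves"),
                                   ("lisa", "edit", "grades:physics-101"),
                                   ("alice", "submit", "grades:physics-101")]:
        print(user, action, resource, "->", "allow" if authorize(groups, privs, user, action, resource) else "deny")
```

Because privileges attach only to groups, revoking Lisa's access is a membership change in one place rather than a hunt through every application's own user list, which is the point of taking these functions out of the "Stone Age" applications.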
Vision of a better way to do IAM
• More in the expanded set of basic functions
– Provision: Push IAM info out to systems and services as required
– Relay: Make access control / authorization information available to services and resources at run time
– AuthZ: Make the allow/deny decision independent of AuthN
Provisioning
• Getting identity information where it needs to be
• For “Apps with Attitude,” this often means exporting reformatted information to them in a form they understand
• Using either App-provided APIs or tricks to write to their internal store
• Change happens, so this is an ongoing process
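Reflect (track changes arriving from Systems of Record) and Provision (push the result out to applications that keep their own store) fit together as a reconciliation loop, and because "change happens" the loop has to be safe to rerun. The Python below is an added example of that loop, not code from any IdM product. reflect() applies a constructed SoR change event to the directory's view of a person; plan_provisioning() diffs that view against what an "application with attitude" currently holds and emits only the create / update / disable actions needed; apply_actions() stands in for the application's own API. The event shapes, attribute names and the disable-rather-than-delete policy are assumptions made for this example.

```python
"""Reflect + provision as idempotent reconciliation (added example; data is constructed)."""
import copy

# Directory attributes this application is entitled to receive (an assumption)
EXPORTED_ATTRS = ("displayName", "mail", "affiliation", "active")


def reflect(directory: dict, event: dict) -> dict:
    """Apply one SoR change event to the directory's view; returns the directory."""
    entry = directory.setdefault(event["netid"], {"active": True})
    if event["type"] == "attribute":
        entry.update(event["changes"])
    elif event["type"] == "separation":          # HR says the person has left
        entry["active"] = False
    else:
        raise ValueError(f"unknown event type {event['type']!r}")
    return directory


def project(entry: dict) -> dict:
    """Reformat a directory entry into the shape this particular app understands."""
    return {k: entry.get(k) for k in EXPORTED_ATTRS}


def plan_provisioning(directory: dict, app_state: dict) -> list:
    """Diff directory against the app; returns ordered (action, netid, payload) tuples."""
    actions = []
    for netid, entry in directory.items():
        wanted = project(entry)
        have = app_state.get(netid)
        if have is None:
            actions.append(("create", netid, wanted))
        elif have != wanted:
            changed = {k: v for k, v in wanted.items() if have.get(k) != v}
            actions.append(("update", netid, changed))
    for netid, have in app_state.items():
        # Account the directory no longer knows: disable, never hard-delete,
        # so the audit trail survives; skip if already disabled (idempotence).
        if netid not in directory and have.get("active"):
            actions.append(("disable", netid, {"active": False}))
    return actions


def apply_actions(app_state: dict, actions: list) -> dict:
    """Stand-in for the application's provisioning API; returns the new app state."""
    state = copy.deepcopy(app_state)
    for action, netid, payload in actions:
        if action == "create":
            state[netid] = dict(payload)
        else:                                    # update or disable
            state[netid].update(payload)
    return state


# Constructed starting state: the directory, the app's copy, and two SoR events.
DIRECTORY = {
    "lisa": {"displayName": "Lisa Lee", "mail": "lisa@example.edu",
             "affiliation": "student", "active": True},
    "fsmith32": {"displayName": "Fred Smith", "mail": "fsmith32@example.edu",
                 "affiliation": "staff", "active": True},
}
APP_STATE = {
    "lisa": project(DIRECTORY["lisa"]),
    "fsmith32": project(DIRECTORY["fsmith32"]),
    "olduser": {"displayName": "Old User", "mail": None,       # left years ago, app still has it
                "affiliation": "staff", "active": True},
}
EVENTS = [
    {"type": "attribute", "netid": "alice",                     # new hire appears in HR
     "changes": {"displayName": "Alice Ng", "mail": "alice@example.edu", "affiliation": "faculty"}},
    {"type": "separation", "netid": "fsmith32"},                # Fred leaves
]


def run_demo():
    directory = copy.deepcopy(DIRECTORY)
    for event in EVENTS:
        reflect(directory, event)
    actions = plan_provisioning(directory, APP_STATE)
    return directory, actions, apply_actions(APP_STATE, actions)


if __name__ == "__main__":
    _, actions, _ = run_demo()
    for action in actions:
        print(action)
```

Running the plan twice must produce nothing the second time; that property is what lets the provisioning job run on a schedule without a human checking what it already did, and it is why departed accounts are disabled rather than deleted and then re-created.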
Two modes of app/IdM integration
• Domesticated applications:
– Provide them the full set of IdM functions
• Applications with attitude (comes in the box)
– Meet them more than halfway by provisioning
IAM functions
Reflect: data of interest
Join: identity across SoR
Credential: NetID, other
Manage Affil/Groups: AuthZ info
Manage Privileges: more AuthZ info
Provision: gen. AuthNZ info into app space
Relay: AuthZ info to app on request
Authenticate: identity claim
Authorize: access decision (allow/deny)
Log: usage for audit, accounting, …
Alternative packaging of basic IdM
[Diagram: Systems of Record; Enterprise Directory with Directory Plug-ins; Kerberos; LDAP; Apps / Resources]
Alternative packaging of basic IdM functions: Single System of Record as Enterprise Directory
[Diagram: a combined Student-HR Info System serving as the Registry / LDAP]
Single SoR as Enterprise Directory
• Who “owns” the system?
• Do they see themselves as running shared infrastructure?
• Will any “external” populations ever become “internal”?
– What if the hospital negotiates a deal?
• Stress-test alternative packaging by thinking through the list of basic IdM functions
Same IdM functions, different packaging
• Your IdM infrastructure (existing or planned) may have different boxes & lines
• But somewhere, somehow this set of IdM functions is getting done
• Gives us all a way to compare our solutions by looking at various packagings of the IdM functions
From Construction to Integration
• Construction
– Raw materials into systems
• Integration
– Subsystems into whole systems
– Multiple systems into ecosystems
• We’re all moving from construction to integration
• Let’s review the state of middleware systems’ readiness for integration
IAM and Application Integration
Middleware -- Application Integration
• ERPs
• SAKAI
• uPortal
• …
As for Lisa
• Sez who?
– What Lisa’s username and password are?
– What she should be able to do?
– What she should be prevented from doing?
– Scaling to the other 40,000 just like her on campus
As for Professor Alice
• What accounts and services should faculty members be given?
• At what point in the hiring process should these be activated?
• Methods need to scale to 20,000 faculty and staff
• In all of these, a full IAM infrastructure would provide the technical part of a solution
Policy issues re “credential” function: NetID
• When to assign, activate (as early as possible)
• Who gets them? Applicants? Prospects?
• “Guest” NetIDs (temporary, identity-less)
• Reassignment (never; except…)
• Who can handle them? Argument for WebISO.
Inter-institutional integration: the transport function
• Federations
• Peering of federations
– Levels of assurance
– Attribute mapping
– WAYF functionality
• Virtual Organizations (VOs)
Alternatives to IP Address Based Access Restriction
1. User-based access restriction
A. Each service provider manages credentials for all of its users
B. One big credential database of all users used by all service providers
C. Each user has a “home organization” whose credential database can, by magic, be used by each service provider
2. ???
Federated Identities
• “Federated identities” is option C on the previous slide
– A hierarchical approach to decompose the problem into manageable pieces
– Analogous to the problem that IAM addresses, and rests upon IAM infrastructure
• “Federating technology” is the “magic” part of option C
• “Identity federation” (noun) is a set of service providers, identity providers, and other context in which the magic happens
Federating Technologies
• SAML implementations
– Security Assertion Markup Language
– Shibboleth
– Bodington/Guanxi
– AthensIM
– SourceID
– SAMUEL
– MS ADFS
– Other proprietary
• Liberty Identity Federation implementations
– SourceID
– Lasso
– Proprietary
• Others
– MS Inter-Forest Trust
IAM functions & big pictures
[Diagram of the IAM functions: Reflect; Join; Credential; Provide/run-time (AuthN); Provide/provision; AuthZ; Manage Grps; Manage Privs; Log]
A closer look at managing affiliations, groups and privileges
• How does this help the harried IT staff?
What is IT being asked to do?
• Automatic creation and deletion of computer accounts
• Personnel records access for legal compliance
• One stop for university services (portal) integrated with course management systems
What else is IT being asked to do?
• Student record access for life
• Submission and/or maintenance of information online
• Privacy protection
More on the To Do list
• Stay in compliance with a growing list of policy mandates
• Increase the level of security protections in the face of a steady stream of new threats
More on the To Do list
• Serve new populations (alumni, applicants, …)
• More requests for new services and new combinations of services
• Increased interest in eBusiness
• There is an Identity Management aspect to each and every one of these items
How a full IdM layer helps
• Improves scalability: IdM process automation
• Reduces complexity of the IT ecosystem
– Complexity as friction (wasted resources)
• Improved user experience
• Functional specialization: app developers can concentrate on app-specific functionality