From Campus Identity Management to a Federated Solution
Authoritative Quality
EuroCAMP, Porto, 2005-11-07
Ingrid Melve, FEIDE manager
Slide 2: From campus identity management to a federated solution
- Case: FEIDE Campus Identity Management
- Authoritative Quality – the process
- Operational technical solutions
- Federating
Slide 3: FEIDE – Federated Electronic Identity for Norwegian Education
- FEIDE is a non-commercial identity management federation for people in education
- FEIDE is technology and platform agnostic
- FEIDE offers guidelines and policy for campus identity management
- FEIDE-names are valid for all education services, and may be used internally, for community services and with education-related services
Slide 4: A solution for whom?
- Higher ed: 230000 persons, 53 institutions
- (Lower ed: 780000)
- Total: 20% of population
- Tradition of sharing work (dugnad)
- Many shared services: common software, Application Service Providers, common interfaces
Slide 5: FEIDE – the players
- End user: person with FEIDE-name
- Home organization (IdP): university or school with end user affiliation
- Service Provider: services and applications for end users
Slide 6: FEIDE – identity management for education
Identity management consists of:
- Information model
- Login service
- Chain of trust
- Policy issues
- Collaboration between educational institutions, service providers and vendors
Slide 7: FEIDE information model
- Identity providers (= campus)
- Authoritative data flows to the LDAP directory
- Information in standard format: eduPerson, eduOrg; norEduPerson, norEduOrg, norEduOrgUnit
- Standardized import/export: provisioning, Service Provider integration
- Requirements for campus identity management
Slide 8: Campus Identity Management
- Authoritative data sources
- BAS (CIMS) is the hub in the information flow
- All updates and changes flow through BAS
- BAS is a necessary component
Slide 9: Campus Identity Provider benefits
- Authoritative quality and control of information flow for all affiliated users
- Enhanced user management simplifies and automates
- Federated login provides access to services
Slide 10: CleanIT, the BAS/CIMS process
- Identify key data
- Identify who is responsible for: initial data, data updates, data removal
- Organizational process: move data maintenance out of the IT department
- Enable Human Resource and Student Management staff to do their jobs better
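The hub role of BAS from slide 8 and the CleanIT questions from this slide (which data is key, who is authoritative for initial data, updates and removal) come down to a reconciliation step that runs whenever the source systems deliver a feed. The following is an added example written for this page, not Cerebrum, Novell or FEIDE code. It assumes two constructed feeds standing in for FS (student registry) and LSP (payroll), a constructed existing directory, and an ownership table that says which source may set which eduPerson attribute; person ids and all data are constructed. The security point it shows is the one the slide makes organizationally: a source that is not authoritative for an attribute cannot change it, and a person no longer listed by any source is deprovisioned rather than left active.

```python
"""Reconciliation step of a BAS/CIMS hub (added example; not Cerebrum or FEIDE code)."""
from copy import deepcopy

# Slide 12 names FS as the student registry and LSP as the payroll system. Each source
# vouches for one affiliation value (assumed mapping, constructed for this example).
AFFILIATION_BY_SOURCE = {"FS": "student", "LSP": "employee"}

# Slide 10: identify key data and who is responsible for it. For single-valued attributes
# the list gives the authoritative sources in precedence order; a source not listed for an
# attribute is not allowed to set it, whatever its feed contains.
ATTRIBUTE_OWNERS = {
    "cn": ["LSP", "FS"],             # payroll name wins over registry name
    "departmentNumber": ["LSP"],     # only payroll knows the department
}

# Constructed feeds, keyed by a person id (in a Norwegian campus the join key would
# typically be norEduPersonNIN; placeholder ids are used here).
FEEDS = {
    "FS": {
        "p1": {"cn": "Kari Nordmann"},
        "p2": {"cn": "Ola Nordmann", "departmentNumber": "99"},   # FS may not set this
    },
    "LSP": {
        "p1": {"cn": "Kari A. Nordmann", "departmentNumber": "120"},
    },
}

# Constructed current directory: p3 has left and appears in no feed any more.
EXISTING_DIRECTORY = {
    "p3": {"cn": "Gone Person", "eduPersonAffiliation": ["student"], "accountStatus": "active"},
}


def reconcile(feeds, directory):
    """Rebuild every entry from the authoritative feeds.

    Returns (new_directory, changes), where changes is a list of (action, person_id, detail)
    with action in {"create", "update", "disable", "rejected"}.
    """
    new_dir = deepcopy(directory)
    changes = []
    listed = {pid for entries in feeds.values() for pid in entries}

    for pid in sorted(listed):
        entry = {"accountStatus": "active"}
        # Multi-valued affiliation: merged from every source that lists the person.
        entry["eduPersonAffiliation"] = sorted(
            AFFILIATION_BY_SOURCE[src] for src in feeds if pid in feeds[src]
        )
        # Single-valued attributes: first authoritative source that has a value wins.
        for attr, owners in ATTRIBUTE_OWNERS.items():
            for src in owners:
                value = feeds.get(src, {}).get(pid, {}).get(attr)
                if value is not None:
                    entry[attr] = value
                    break
        # Log, and ignore, values from sources that are not authoritative for them.
        for src, entries in feeds.items():
            for attr in entries.get(pid, {}):
                if src not in ATTRIBUTE_OWNERS.get(attr, []):
                    changes.append(("rejected", pid, f"{src} is not authoritative for {attr}"))
        old = new_dir.get(pid)
        if old is None:
            changes.append(("create", pid, entry))
        elif old != entry:
            changes.append(("update", pid, {k: v for k, v in entry.items() if old.get(k) != v}))
        new_dir[pid] = entry

    # Data removal: nobody vouches for the person any more, so the account is disabled
    # (kept, not deleted, so the identity cannot be silently reassigned).
    for pid, old in list(new_dir.items()):
        if pid not in listed and old.get("accountStatus") != "disabled":
            new_dir[pid] = {**old, "accountStatus": "disabled", "eduPersonAffiliation": []}
            changes.append(("disable", pid, "no authoritative source lists this person"))
    return new_dir, changes


if __name__ == "__main__":
    for action, pid, detail in reconcile(FEEDS, EXISTING_DIRECTORY)[1]:
        print(action, pid, detail)
```

Running the function twice on the same feeds is the check worth keeping in a real hub: the second run must produce no create, update or disable actions, only the repeated rejection log for the non-authoritative value, which is what the HR or student-administration owner of that attribute should be asked to clean up.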
Slide 11: What is BAS? Campus IdM (User Management System)
- Campus Identity Management: routines and policy for data updates
- Data quality, well-defined requirements
- Quality assurance (identity)
- Not really an «application»
- Technical solutions: Cerebrum, Novell, Stover's Microsoft-based, (in-house ad-hoc solutions)
Slide 12: Cerebrum
- Proof-of-concept made for complex heterogeneous environments
- Implementation: PostgreSQL database, API set in Python, information import, information export, Java client (XML-RPC)
- Open software: http://cerebrum.sf.net
- Integrates with: FS (student registry), LSP (payroll system), ClassFronter, it's:learning, AD and NIS
Slide 13: Cerebrum modules
- NIS
- AD
- Mail (Exim)
- Mail (IMAP)
- LDAP (FEIDE)
- FS (5.0) student registry
- LT payroll system
- FRIDA report system
- RADIUS (via LDAP, NIS, AD)
- Home disk (NIS)
- Admin client (BOFH)
- VLE (ClassFronter)
- MSTAS student registry
- SATS/IST school registry
- Print accounting (via PRISS)
- Disk accounting
- Notes integration
- UA
- POLS payroll system
- AutoStud
Slide 14: Novell BAS solution
- Directory: eDirectory 8.7.3
- Data synchronization: Identity Manager 2.0
- Data management: iManager 2.0.2
- Cluster of 5 university colleges in user group
- Future solution: Novell Access Manager
- Example: Sogn and Fjordane University College
Slide 15: Stover's Microsoft-based solution
- Active Directory (ADAM)
- Microsoft Identity Integration Server
- Integrates with: FS and MSTAS student registries, VLE (ClassFronter), PABX
- Cluster of 6 university colleges
- User group
- Community support
Slide 16: Example: Ålesund University College
[Diagram: campus data-flow architecture. Systems shown: MSTAS, MIIS BAS, ADAM (LDAP-FEIDE), ARENA, FRONTER, LPS, NetEd (web publishing), Timetable (Switch), Study handbook (Nexus), TRIO (telephone exchange), INTEGRA (access and security control with card production), MORIA, AD-ADMIN (employees and grey-zone users). Legend: data flow, LDAP authentication, uncertainty.]
Slide 17: Campus Identity Management Systems
- Several systems are operational; pick one for your campus
- Integration with local systems decides which one to choose; dialogue with the vendor
- Not cost-effective to have many
- Federating across different systems is relatively painless
- Interfaces are important in bottom-up design
- Collaboration, work with vendors
Slide 18: Campus status

| Organization | BAS type | Count |
|---|---|---|
| NTNU | BDB | 22000 |
| Universitetet i Bergen | SEBRA | 20000 |
| Universitetet i Oslo | Cerebrum | 36000 |
| Universitetet i Stavanger | ? | ? |
| Universitetet i Tromsø | Cerebrum | ? |
| Universitetet for miljø- og biovitenskap | in-house developed (egenutviklet) | 0 |
| Arkitekthøgskolen i Oslo | ? | ? |
| Høgskolen i Agder | Cerebrum | 8000 |
| Høgskolen i Akershus | ? | ? |
| Høgskolen i Bodø | ? | ? |
| Høgskolen i Buskerud | Novell | ? |
| Høgskolen i Finnmark | Novell | 2000 |
| Høgskolen i Gjøvik | ? | ? |
| Høgskolen i Harstad | ? | ? |
| Høgskolen i Hedmark | Novell | ? |
| Høgskolen i Lillehammer | Novell | 3241 |
| Høgskolen i Narvik | Microsoft | 1800 |
| Høgskolen i Nesna | ? | ? |
| Høgskolen i Nord-Trøndelag | Microsoft | ? |
| Høgskolen i Oslo | | 11000 |
| Høgskolen i Sogn og Fjordane | Novell | 2800 |
| Høgskolen Stord/Haugesund | Microsoft | ? |
| Høgskolen i Sør-Trøndelag | Cerebrum | 8000 |
| Høgskolen i Telemark | ? | |
| Høgskolen i Vestfold | Novell | ? |
| Høgskolen i Volda | Novell | 3500 |
| Høgskolen i Østfold | Cerebrum | ? |
| Høgskolen i Ålesund | Microsoft | 1250 |

The original slide also had columns for status in the rollout process, students, employees, others and number of FEIDE names; only one numeric column survived extraction, so "Count" above is that surviving figure. A second "egenutviklet" (in-house developed) entry appears on the slide whose row could not be recovered.
Slide 19: Future directions, campus IdM
- Responsibility placed outside the IT department
- Consolidating BAS for user management: technical solutions, policy and regulations
- Giving access to someone I do not control?
- Interfaces: XML definitions for import/export, LDAP based on eduPerson/norEdu*
- Available software is improving
Slide 20: Why federate?
- Users, home organizations and service providers need to exchange information
- Trust establishment
- Information exchange
- Policy
- Technology
Slide 21: FEIDE federates education
Federations:
- authenticate
- enforce information flow policy
- privacy control
- security
- trust establishment
Slide 22: FEIDE – trust chain
- FEIDE regulates service providers and home organizations
- Formal contractual agreements
- Transitive trust from end user to service provider via identity provider
Slide 23: FEIDE login
1) User tries to access a service
2) Service transfers the user to FEIDE login
3) Authentication is done at the campus
4) Authentication is confirmed with the service, possibly with attribute release
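The four steps above, together with the eduPerson/norEduPerson attribute model of slide 7 and the contractual trust chain of slide 22, as an added Python simulation written for this page; it is not FEIDE or Moria code. It assumes an in-memory campus directory with constructed entries, a hypothetical central login service that issues tickets and signs confirmations with an HMAC key (standing in for a real signing key), and a per-service attribute release policy that models the contract each service provider signs. The points a defender should take from it: the password is verified at the campus and never reaches the service, an unregistered service cannot start a login, each service receives only the attributes its contract allows (the sensitive norEduPersonNIN stays on campus), and a confirmation cannot be replayed or redirected to another service.

```python
"""FEIDE-style federated login, steps 1-4 (added example; not FEIDE or Moria code)."""
import hashlib
import hmac
import json
import secrets


def _hash_pw(password, salt):
    # PBKDF2 keeps the example free of plaintext passwords; a real campus IdP would
    # typically verify the password by an LDAP bind against its own directory.
    return hashlib.pbkdf2_hmac("sha256", password.encode(), salt, 50_000)


_SALT = b"constructed-salt"

# Campus directories keyed by realm, using the eduPerson/norEduPerson attribute names
# from slide 7. All entries are constructed test data.
CAMPUS_DIRECTORIES = {
    "example.edu": {
        "kari": {
            "eduPersonPrincipalName": "kari@example.edu",
            "eduPersonAffiliation": ["student"],
            "norEduPersonNIN": "00000000000",     # placeholder; must never be released
            "cn": "Kari Nordmann",
            "_pw": _hash_pw("correct horse", _SALT),
        }
    }
}

# Slide 22: the federation regulates service providers by contract. Here the contract
# is a registration plus the list of attributes the service may receive.
REGISTERED_SERVICES = {
    "vle.example.org": ["eduPersonPrincipalName", "eduPersonAffiliation", "cn"],
    "library.example.org": ["eduPersonAffiliation"],
}


class LoginService:
    """Hypothetical central login service (the role Moria plays on slide 26)."""

    def __init__(self):
        self._key = secrets.token_bytes(32)   # stands in for the service's signing key
        self._tickets = {}                    # ticket -> service that requested the login
        self._used = set()                    # consumed confirmations (replay protection)

    def start(self, service_id):
        """Step 2: the service transfers the user here; unknown services are refused."""
        if service_id not in REGISTERED_SERVICES:
            raise PermissionError(f"{service_id} is not a registered service provider")
        ticket = secrets.token_urlsafe(16)
        self._tickets[ticket] = service_id
        return ticket

    def authenticate(self, ticket, principal, password):
        """Step 3: verify against the home campus; the service never sees the password."""
        service_id = self._tickets.pop(ticket, None)   # one attempt per ticket
        if service_id is None:
            return None
        uid, _, realm = principal.partition("@")
        entry = CAMPUS_DIRECTORIES.get(realm, {}).get(uid)
        if entry is None or not hmac.compare_digest(entry["_pw"], _hash_pw(password, _SALT)):
            return None
        # Attribute release filtered by the service's contract (least privilege).
        released = {a: entry[a] for a in REGISTERED_SERVICES[service_id] if a in entry}
        body = json.dumps({"aud": service_id, "nonce": secrets.token_hex(8),
                           "attrs": released}, sort_keys=True)
        sig = hmac.new(self._key, body.encode(), "sha256").hexdigest()
        return body, sig

    def confirm(self, service_id, body, sig):
        """Step 4: the service confirms the assertion and receives the released attributes."""
        expected = hmac.new(self._key, body.encode(), "sha256").hexdigest()
        if not hmac.compare_digest(sig, expected) or sig in self._used:
            return None
        payload = json.loads(body)
        if payload["aud"] != service_id:      # issued for a different service
            return None
        self._used.add(sig)
        return payload["attrs"]


def federated_login(login, service_id, principal, password):
    """Steps 1-4 end to end; returns the released attributes, or None on failure."""
    ticket = login.start(service_id)
    result = login.authenticate(ticket, principal, password)
    if result is None:
        return None
    return login.confirm(service_id, *result)


def rejects_unregistered(login, service_id):
    """True when the login service refuses to start a login for an unregistered service."""
    try:
        login.start(service_id)
    except PermissionError:
        return True
    return False
```

The confirmation step is modelled as a back-channel call from the service to the login service, which is how a central web-service login can hand attributes to a service without the user's browser carrying them; a SAML profile would instead let the service verify a signed assertion with the issuer's public key, but the audience, single-use and release-policy checks are the same.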
Slide 24: FEIDE for Norwegian education
- Operational campus (start 2003): Universities 2003 - early 2006; University Colleges 2004 - 2006; Lower education phasing in from fall 2006
- Operational service providers: Shared services in higher ed 2003 - 2006; Community web services in lower education 2006 – 2007; Local university services 2003 – 200X
Slide 25: Federating FEIDE, first try
Slide 26: Federation software: Moria
- Open source, http://moria.sf.net
- Operational since 2003 (a year before Shib :)
- Technology: centralized login solution (Web Service), distributed directory solution (LDAP), Java
- FEIDE is adding support for SAML and Shibboleth, possibly in Moria
Slide 27: Federating FEIDE, next try
- Federating with: federations, portals, local login servers
- Standards: SAML 2.0, SAML 1.1 + extensions, ID-FF 1.2 ?
Slide 28: Future directions, federation
- Distributed federation (SAML, ID-FF)
- Cross-federating: eduGAIN, Government PKI-portal, non-education federations
- Services for both higher and lower education
- Outreach program
Slide 29: Summary
- Campus identity management: not an IT issue; move responsibility to where it belongs; provide technical solutions
- Federated identity management: collaboration is the key; community effort; trust, policy, some technology
Slide 30: More information
- http://www.feide.no/index.en.html
- Email for FEIDE: [email protected]
- Questions for Ingrid