Date post: 01-Jun-2015
Category: Technology
Upload: heanet
Edugate
Glenn Wearen
HEAnet.
Summary
1 year Pilot Project / 2 years in production
All IoTs, Universities and Colleges, but only half of HEAnet’s members
Core service at some institutions but light use at others
So, where to now?
1. Extended Attribute Schema
2. Higher Identity Assurance
3. Strong Authentication
4. Account Provisioning
5. Cross institutional groups
6. New Identity Protocols
7. Statistics
8. Bilateral Trusts
9. Expansion beyond HEAnet
10. SSO for non-web applications
11. Aggregated identities
12. Logout
1. Extended Attribute Schema
Students
• Do you have photos?
• Can I tell if a user is part-time/full-time?
• What course is the student pursuing?
Staff
• Cost-center code (for eProcurement)
• ResearcherID / AuthorID
• Availability calendar
• Telephone number
2. Higher Identity Assurance
Would you use Edugate for eProcurement?
• On-campus (cross charging for campus services)
• Shared procurement portal (Shannon Consortium Procurement Network)
• External suppliers (vikingdirect.ie / officedepot.ie)
The Service Provider will seek assurances that the identity is of sufficient quality to underpin a cardless financial transaction
3. Strong Authentication
Passwords are the root of all e-vil
• Easily shared
• Easily forgotten
• Frequently exposed
• No common password policy
• Password changes not enforced
3. Strong Authentication
SSO helps to eliminate passwords
• Consolidating onto a single (or single+1) credential allows for strong authentication
• 2-factor authentication / strong password policy
SSO systems can protect sensitive resources
• re-authentication
• ‘step-up’ authentication
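Added example (Python, not from the deck): how an SP decides between accepting its existing SSO session, asking the IdP for re-authentication (SAML ForceAuthn) or asking for step-up (RequestedAuthnContext). The strength ranking, resource policies and the unsigned AuthnRequest shape are assumptions for illustration.

```python
# Constructed policy table (assumption): SAML AuthnContext class identifiers ranked
# weakest to strongest. The REFEDS MFA profile URI is the published identifier.
PASSWORD = "urn:oasis:names:tc:SAML:2.0:ac:classes:PasswordProtectedTransport"
MFA = "https://refeds.org/profile/mfa"
STRENGTH = {PASSWORD: 1, MFA: 2}

def needs_step_up(session, resource, now):
    """Compare the SSO session the SP already holds against a resource's policy.

    session:  {'authn_context': <class ref>, 'authn_instant': <epoch seconds>}
              taken from the assertion's AuthnStatement
    resource: {'min_context': <class ref>, 'max_age': <seconds>}
    Returns the reasons a fresh IdP round-trip is required ([] if none).
    """
    reasons = []
    if STRENGTH.get(session["authn_context"], 0) < STRENGTH[resource["min_context"]]:
        reasons.append("step-up")      # weaker method than the resource demands
    if now - session["authn_instant"] > resource["max_age"]:
        reasons.append("reauth")       # login too old for a sensitive action
    return reasons

def build_authn_request(reasons, resource, request_id="_id-constructed"):
    """Unsigned SAML 2.0 AuthnRequest for the IdP: ForceAuthn makes the IdP
    prompt even though it holds a live SSO session; RequestedAuthnContext asks
    for the stronger method. Real deployments sign this and wrap it in a binding."""
    force = "true" if "reauth" in reasons else "false"
    xml = ('<samlp:AuthnRequest xmlns:samlp="urn:oasis:names:tc:SAML:2.0:protocol" '
           'xmlns:saml="urn:oasis:names:tc:SAML:2.0:assertion" '
           f'ID="{request_id}" Version="2.0" ForceAuthn="{force}">')
    if "step-up" in reasons:
        xml += ('<samlp:RequestedAuthnContext Comparison="exact">'
                f'<saml:AuthnContextClassRef>{resource["min_context"]}'
                '</saml:AuthnContextClassRef></samlp:RequestedAuthnContext>')
    return xml + "</samlp:AuthnRequest>"
```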
4. Account Provisioning
On-campus, provisioning is a minor problem, but for cloud/hosted/outsourced services provisioning is a significant problem
Invitation systems require:
• email address of all potential users (one-time URL)
• approval workflows (open URL)
4. Account Provisioning
Bulk provisioning
• Handling of bulk files a significant risk
• Out of sync almost immediately
• De-provisioning rarely handled
• Accounts created for users who might never login
4. Account Provisioning
Just-in-Time provisioning
Standards emerging
• Simple Cloud Identity Management (SCIM)
But, Service Providers are familiar with:
• LDAP: enter username/password, authenticate, query for attributes
• OAuth: enter user ID, authenticate, get token, query for attributes
• API: enter a user identifier, query for attributes, forever
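Added example (Python, not from the deck) of the just-in-time model set against the bulk-file problems above: the SP creates or refreshes an account only from attributes released in a real login, and a reconciliation pass disables accounts that stop appearing through SSO. The `Directory` store, the attribute names used and the sample logins are constructed for illustration.

```python
from dataclasses import dataclass, field

@dataclass
class Account:
    username: str
    display_name: str
    affiliation: str
    last_login: int          # epoch seconds of the most recent SSO login
    active: bool = True

@dataclass
class Directory:
    """Constructed stand-in for the SP's own user store (assumption, not a real API)."""
    accounts: dict = field(default_factory=dict)

    def on_assertion(self, attrs, now):
        """Just-in-time provisioning: create or refresh the account from the
        attributes the IdP released in this login. Nothing is created for users
        who never log in, and attributes are re-synced on every visit."""
        epn = attrs["eduPersonPrincipalName"]
        acct = self.accounts.get(epn)
        if acct is None:
            acct = Account(epn, attrs["displayName"], attrs["eduPersonAffiliation"], now)
            self.accounts[epn] = acct
        else:
            acct.display_name = attrs["displayName"]
            acct.affiliation = attrs["eduPersonAffiliation"]
            acct.last_login = now
            acct.active = True       # a disabled user who logs in again is re-enabled
        return acct

    def deprovision_idle(self, now, max_idle_s):
        """The de-provisioning step bulk feeds rarely handle: disable any account
        not seen through SSO within max_idle_s. Returns the usernames disabled."""
        disabled = []
        for acct in self.accounts.values():
            if acct.active and now - acct.last_login > max_idle_s:
                acct.active = False
                disabled.append(acct.username)
        return disabled

# Constructed sample logins (not real users): (released attributes, epoch seconds)
SAMPLE_LOGINS = [
    ({"eduPersonPrincipalName": "jbloggs@example.edu", "displayName": "Joe Bloggs",
      "eduPersonAffiliation": "student"}, 1_400_000_000),
    ({"eduPersonPrincipalName": "msmith@example.edu", "displayName": "Mary Smith",
      "eduPersonAffiliation": "staff"}, 1_400_000_000),
    ({"eduPersonPrincipalName": "jbloggs@example.edu", "displayName": "Joe Bloggs",
      "eduPersonAffiliation": "staff"}, 1_410_000_000),   # status changed at the IdP
]

def run_demo(max_idle_s=90 * 86400):
    """Replay the sample logins, then reconcile: returns (directory, disabled usernames)."""
    d = Directory()
    for attrs, t in SAMPLE_LOGINS:
        d.on_assertion(attrs, t)
    return d, d.deprovision_idle(1_410_000_000, max_idle_s)
```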
5. Cross institutional groups
Cross institutional/federation groups (Virtual Organisations)
• The Identity Provider doesn’t know all the collaborations or projects that a user participates in.
• This makes authorisation difficult for Service Providers (e.g. Project Portal)
5. Cross Institutional Groups
Establish an Edugate group repository:
• this can be queried by IdPs during the preparation of attributes for an assertion
• this can be queried by SPs provided the repository has a user identifier
• Self-asserted group membership
• Group membership approvals or invitations.
6. New Identity Protocols
OpenID Connect
• Addresses weaknesses and shortcomings of OpenID
OAuth2
• Allows retrieval of user data when the user is not present
WIF
• Predominant identity protocol for Microsoft services
6. New Identity Protocols
Should Edugate add new protocols?
• Cost?
• Benefit?
7. Statistics and Monitoring
Are my users able to access service X?
Why are my users accessing service Y?
How come I’ve no users from institution A?
Why are we so popular with institution B?
What is the most widely used Edugate service?
What is the least used service?
Is Edugate being used, or being used more?
7. Statistics and Monitoring
Is IdP X up?
Are there high rates of attrition?
Are [staff|students] able to authenticate?
8. Proliferation of bilateral trusts
There are 29 bilateral trusts in Edugate, why don’t these services join Edugate?
• Maybe not required (single institution)
• Tender awarded, Edugate not in the tender
• SP not a legal entity
Google Apps, Millennium, Blackboard Learn.
9. Expansion beyond HEAnet?
More identity providers will mean more service providers
• Private Colleges
• Health Services Sector (HSE/Hospitals/CPD)
• Industry Research Centres (Intel Labs / SFI participants)
• 2nd Level schools
10. SSO for non-web
SAML works well within the browser, but outside the browser it requires client support
• Native client support (Outlook claims-based authentication)
• Or, with Moonshot: common library support (GSS/SASL/SSPI)
11. Aggregated identities
The Institution holds validated identity data and enrollment status. This can be aggregated or augmented with self-asserted data from other sources:
• Social IDs (profile pictures, friends, interests)
• Group membership repository
11. Aggregated identities
Facebook/Twitter/Google hold self-asserted identity data. This can be aggregated or augmented with verified user data from other sources.
:-p
12. Logout
Clicking on ‘Logout’: what should happen?
• Logout of the application, but the IdP session persists (Local Logout)
• Logout of the application, redirect to the IdP session killer page (partial logout)
• Logout of the application, redirect to the IdP session killer page, trigger logout of all services (global logout)
12. Logout
Or should the SP force re-authentication at the IdP after the logout button has been used (if the IdP supports it)?
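Added example (Python, not from the deck) that walks through the three logout modes listed above plus the ForceAuthn-after-logout option. It counts how often the user is actually prompted for credentials, which shows the local-logout pitfall: the IdP session survives, so the next visit to the SP signs the user straight back in without a prompt. The in-memory `SP` and `IdP` classes and the single-browser assumption are constructed for illustration.

```python
class SP:
    """Constructed service provider with its own application session (assumption)."""
    def __init__(self, name, force_authn_after_logout=False):
        self.name = name
        self.user = None                      # local application session
        self.force_next = False               # set ForceAuthn on the next AuthnRequest
        self.force_authn_after_logout = force_authn_after_logout

class IdP:
    """Constructed in-memory IdP for one browser: at most one SSO session at a time."""
    def __init__(self):
        self.session = None                   # {"user": str, "sps": {name: SP}}
        self.interactive_logins = 0           # times the user was prompted for credentials

    def access(self, sp, user):
        """User opens the SP; without a local session the SP sends an AuthnRequest."""
        if sp.user:
            return sp.user
        if self.session is None or sp.force_next:
            self.interactive_logins += 1      # no SSO session, or ForceAuthn: prompt
            self.session = {"user": user, "sps": {}}
        sp.force_next = False
        self.session["sps"][sp.name] = sp     # IdP remembers which SPs it logged in
        sp.user = self.session["user"]
        return sp.user

    def logout(self, sp, mode):
        """mode is 'local', 'partial' or 'global'; returns the SPs whose session ended."""
        sp.user = None                        # every mode ends the application session
        sp.force_next = sp.force_authn_after_logout
        ended = [sp.name]
        if mode in ("partial", "global") and self.session is not None:
            others = [o for n, o in self.session["sps"].items() if n != sp.name]
            self.session = None               # the IdP 'session killer' page
            if mode == "global":              # IdP propagates the logout to every other SP
                for o in others:
                    o.user = None
                    ended.append(o.name)
        return ended
```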