Trends in Identity Management
Nate Klingenstein
Internet2
EDUCAUSE Security Professionals 2007
Topics
• Federated Identity
  • Extending enterprise security
  • Application to network security protocols
• Peer-to-Peer Identity
  • OpenID
• Convergence & Divergence
  • Web Access Federations and Network Security
  • Do these communities meaningfully overlap?
Federated Identity
• Leverages local identities to access remote resources
  • Enterprise directories & authentication
• Organizations trust each other
  • Decentralized center
• Multiple federations
• Federated identity is distinct from federations
  • Can have federated ID without federations
Technical Basis of Exchange
• Attributes
• Identity Providers (IdP)
  • Asserts authentication and attribute information
• Service Providers (SP)
  • Receives and processes attributes and authentications
• Metadata
Trust Basis for Exchange
• IdP asserts good information
• SP disposes of information received properly
• Logging
  • Tracking down malfeasants is cooperative but always possible
• Everything always boils down to a bilateral exchange
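The two slides above (Technical Basis and Trust Basis for Exchange) describe the IdP asserting authentication and attributes, the SP checking the assertion against federation metadata before using it, and logging so that problems can be traced back bilaterally. The following is an added example, not code from the slides or from Shibboleth, that walks through that exchange end to end. It stands in HMAC-SHA256 over a JSON body for the XML signature a real SAML assertion would carry, and every entity ID, key and attribute value is constructed for the example.

```python
"""Added example: a toy federated exchange between an IdP and an SP.

Real deployments exchange signed SAML XML; this stand-in signs a JSON body
with HMAC-SHA256 so it runs offline.  Entity IDs, keys and attributes are
constructed, not taken from any real federation.
"""
import hashlib
import hmac
import json

# Constructed federation metadata: trusted IdP entity IDs and the key used
# to verify each one's assertions (an X.509 certificate in SAML metadata).
FEDERATION_METADATA = {
    "https://idp.example.edu/idp": {"key": b"idp-example-edu-secret"},
}
SP_ENTITY_ID = "https://sp.example.org/shibboleth"


def _canonical(body):
    # Deterministic serialization so signer and verifier hash the same bytes.
    return json.dumps(body, sort_keys=True, separators=(",", ":")).encode()


def idp_issue_assertion(issuer, key, subject, attributes, audience, now, lifetime=300):
    """IdP side: assert who authenticated and which attributes apply, bound to
    one audience (the SP) and a short validity window, then sign it."""
    body = {
        "issuer": issuer,
        "subject": subject,
        "audience": audience,
        "issued_at": now,
        "not_on_or_after": now + lifetime,
        "attributes": attributes,
    }
    signature = hmac.new(key, _canonical(body), hashlib.sha256).hexdigest()
    return {"body": body, "signature": signature}


def sp_consume_assertion(assertion, metadata, sp_entity_id, now, audit_log):
    """SP side: accept attributes only from a known issuer, with a valid
    signature, addressed to this SP and inside the validity window.
    Every decision is logged so a bad assertion can be traced to its issuer."""
    body = assertion["body"]
    issuer = body.get("issuer")
    entry = metadata.get(issuer)
    if entry is None:
        audit_log.append(("reject", issuer, "issuer not in federation metadata"))
        return None
    expected = hmac.new(entry["key"], _canonical(body), hashlib.sha256).hexdigest()
    if not hmac.compare_digest(expected, assertion["signature"]):
        audit_log.append(("reject", issuer, "signature invalid"))
        return None
    if body.get("audience") != sp_entity_id:
        audit_log.append(("reject", issuer, "audience mismatch"))
        return None
    if not (body["issued_at"] <= now < body["not_on_or_after"]):
        audit_log.append(("reject", issuer, "assertion outside validity window"))
        return None
    attributes = body["attributes"]
    audit_log.append(("accept", issuer, body["subject"], sorted(attributes)))
    return {"subject": body["subject"], "attributes": attributes}


def demo(now=1000):
    """Run one good assertion, one altered after signing, and one replayed
    after expiry; return the SP's decisions and its audit log."""
    idp = "https://idp.example.edu/idp"
    key = FEDERATION_METADATA[idp]["key"]
    log = []
    valid = idp_issue_assertion(idp, key, "jdoe@example.edu",
                                {"eduPersonAffiliation": ["member", "staff"]},
                                SP_ENTITY_ID, now)
    tampered = json.loads(json.dumps(valid))  # deep copy, then alter after signing
    tampered["body"]["attributes"]["eduPersonAffiliation"].append("faculty")
    outcomes = {
        "valid": sp_consume_assertion(valid, FEDERATION_METADATA, SP_ENTITY_ID, now + 60, log),
        "tampered": sp_consume_assertion(tampered, FEDERATION_METADATA, SP_ENTITY_ID, now + 60, log),
        "expired": sp_consume_assertion(valid, FEDERATION_METADATA, SP_ENTITY_ID, now + 600, log),
    }
    return outcomes, log


if __name__ == "__main__":
    results, audit = demo()
    for name, result in results.items():
        print(name, "->", result)
    for entry in audit:
        print(entry)
```

The SP checks are ordered so that the cheapest rejection (unknown issuer) happens before any cryptography, and the audience check prevents an assertion issued for one SP from being presented to another. Attribute values are only trusted after every check passes, which is what "SP disposes of information received properly" comes down to in code.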
Trust Basis for Exchange
• Centralized federation services
  • Metadata
  • Auditing
  • Attribute standardization
  • Other rules
• Extensions and merges of existing identities
  • Virtual Organizations
SAML-based Higher Ed Federations
• Australia • Belgium • Canada • China • Denmark • Finland
• France • Germany • Greece • New Zealand • Norway • Spain
• Sweden • Switzerland • The Netherlands • United Kingdom • United States
InCommon: U.S. Higher Ed Federation
• Multiple levels of assurance
  • Bronze, Silver, Gold, or basic
• Identity information managed by central IT
  • Where are the attributes you need?
  • No guidance on attribute release
• http://www.incommonfederation.org
Security Assertion Standards
• SAML 1.1 (Shibboleth 1.x)
• SAML 2.0
• ID-WSF
• WS-Trust
• WS-Security
• Many other WS-*
• Many other others
Standards Convergence
[Timeline figure, 2002 to 2004: ID-FF 1.1 and SAML 1.0 / SAML 1.1 (the basis of Shibboleth 1.x) converge through ID-FF 1.2 into SAML 2.0]
Peer-to-Peer Trust
• Self-issued credentials
  • Usually bootstrapped through personal interaction
  • Joe sent me his PKC in an IM, and I know this is Joe because of our secret handshake
  • And I know that’s his screen-name because…
• Differentiate between quality of initial authentication and subsequent value
  • Unauthenticated email sure is popular…
OpenID
• Codification of that community trust
  • Using URLs
  • A simple protocol
  • Basic attributes
  • Plug-ins for most web environments
• Many other approaches, some based on heavier technology
• Deployed in blogosphere and beyond
  • No attempts to integrate with network security
  • But growing corporate interest and support
OpenID/SAML convergence
• There are protocols and there are tokens
  • WS-Trust
  • WS-Security
  • Cardspace
• Solutions address somewhat different needs
  • Room for co-existence
  • But interoperability would still be nice
• Some cooperation between the two communities in looking for convergence opportunities
Related Projects
• Higgins
  • A set of interfaces that try to abstract identity management
• Microsoft ADFS
  • Shibboleth interoperability
• XACML
  • Layered in SAML assertions
  • Its own protocol
Big Changes
• Federated Identity evolving from Web SSO to other applications
• Maturation of vendor products in the IdM space
  • Increasingly, Federated IdM packages support multiple protocols; sites make choices based on “value add”
• Growing interest in using Levels of Assurance (LoA)
• Growing interest in Inter-Federation
Federated Identity for Network Authentication
• Traveling individuals
• Attribute-based access control
• Privacy
• Accountability
Current Deployments
• Shibboleth-based wireless authentication at University of Texas
  • It’s a hack
  • Use Shibboleth to populate a database that the RADIUS server can draw on
  • Supports multiple access groups
  • Hugely popular with the university brass
• https://spaces.internet2.edu/display/SHIB/ShibbolizedWireless
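The pattern on this slide, a web login through the Shibboleth SP that writes a row the RADIUS server later reads, is easy to picture in code. The following is an added example and not the University of Texas deployment: it uses an in-memory SQLite table as the shared database, a constructed policy that maps eduPersonAffiliation values to access groups, and rows that expire so a one-time web login does not grant wireless access indefinitely. The attribute names (`eppn`, `affiliation`, `idp`) and the table layout are assumptions for the example.

```python
"""Added example: Shibboleth populates a database that RADIUS draws on.

The web side runs after the Shibboleth SP has authenticated the user and
records which access group the user belongs to; the RADIUS side only looks
that row up.  Uses sqlite3 in memory so it runs stand-alone.  Attribute
names, the group policy and all sample values are constructed.
"""
import sqlite3

# Constructed policy: eduPersonAffiliation value -> access group.
# First match wins, so the most privileged affiliations are listed first.
ACCESS_POLICY = [
    ("faculty", "full"),
    ("staff", "full"),
    ("student", "standard"),
    ("member", "standard"),
]
DEFAULT_GROUP = "guest"
TTL_SECONDS = 8 * 3600  # how long one web login keeps a row valid


def open_db():
    """Create the shared table that both the web side and RADIUS use."""
    db = sqlite3.connect(":memory:")
    db.execute(
        "CREATE TABLE wireless_auth ("
        " username TEXT PRIMARY KEY, access_group TEXT NOT NULL,"
        " idp TEXT NOT NULL, expires_at INTEGER NOT NULL)"
    )
    return db


def choose_group(affiliations):
    """Map the released affiliation values to exactly one access group."""
    for affiliation, group in ACCESS_POLICY:
        if affiliation in affiliations:
            return group
    return DEFAULT_GROUP


def provision_from_shibboleth(db, attributes, now):
    """Web side: called once the SP has authenticated the user.  `attributes`
    is the SP's released attribute set, passed here as a dict (assumed names)."""
    eppn = attributes["eppn"]
    group = choose_group(attributes.get("affiliation", []))
    db.execute(
        "INSERT OR REPLACE INTO wireless_auth VALUES (?, ?, ?, ?)",
        (eppn, group, attributes.get("idp", "unknown"), now + TTL_SECONDS),
    )
    db.commit()
    return group


def radius_lookup(db, username, now):
    """RADIUS side: is this user currently provisioned, and into which group?
    Expired rows are treated as absent, so a stale login cannot be reused."""
    row = db.execute(
        "SELECT access_group FROM wireless_auth WHERE username = ? AND expires_at > ?",
        (username, now),
    ).fetchone()
    return row[0] if row else None


def purge_expired(db, now):
    """Housekeeping: drop rows past their expiry; returns how many were removed."""
    cur = db.execute("DELETE FROM wireless_auth WHERE expires_at <= ?", (now,))
    db.commit()
    return cur.rowcount


if __name__ == "__main__":
    db = open_db()
    t0 = 1000
    print(provision_from_shibboleth(db, {"eppn": "prof@example.edu",
                                         "affiliation": ["member", "faculty"],
                                         "idp": "https://idp.example.edu/idp"}, t0))
    print(radius_lookup(db, "prof@example.edu", t0 + 60))
    print(radius_lookup(db, "prof@example.edu", t0 + TTL_SECONDS + 1))
```

The RADIUS server never sees the SAML assertion; it trusts the database row, so the row carries the issuing IdP for accountability and an expiry so the web login and the network grant do not drift apart. Keeping the mapping in one place (`choose_group`) is what makes "multiple access groups" manageable when the policy changes.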
Current Deployments
• eduroam
  • Global RADIUS infrastructure using 802.1x
  • Widespread adoption by European higher ed
  • Multiple countries in Asia & Oceania
  • U.S. under-represented
• http://www.eduroam.org/
Let’s look at the policies…
Revealing Challenges
• What security policies will be enacted on an eduroam visitor?
  • Japan wants to mandate that once access is granted via eduroam, a VPN tunnel home be established for all further traffic
• What information do people need to know?
  • Which attributes are required?
  • Does anonymity matter?
SAML, RADIUS, DIAMETER
• RADIUS profile of SAML
  • http://tinyurl.com/24m9pm
• DAMe project
  • DIAMETER supporting SAML
• Slide theft
  • Diego Lopez of RedIRIS
InCommon
• U.S. higher education federation
• 50 participants and counting
• Oriented around access to web resources
  • EBSCO, ScienceDirect, JSTOR, Napster, Turnitin, etc.
• SAML-centric
Questions for You
• What could you do with federated identity?
• What information do you need to know before making your various decisions?
• Can InCommon address your collaboration or network authentication needs?
• How would you do inter-realm network security?