Trends in Identity Management

Page 1: Trends in Identity Management

Trends in Identity Management

Nate Klingenstein

Internet2

EDUCAUSE Security Professional 2007

Page 2: Trends in Identity Management

Topics

• Federated Identity
  • Extending enterprise security
  • Application to network security protocols
• Peer-to-Peer Identity
  • OpenID
• Convergence & Divergence
  • Web Access Federations and Network Security
  • Do these communities meaningfully overlap?

Page 3: Trends in Identity Management

Federated Identity

• Leverages local identities to access remote resources
  • Enterprise directories & authentication
• Organizations trust each other
  • Decentralized center
• Multiple federations
  • Federated identity is distinct from federations
  • Can have federated ID without federations

Page 4: Trends in Identity Management

Technical Basis of Exchange

• Attributes
• Identity Providers (IdP)
  • Asserts authentication and attribute information
• Service Providers (SP)
  • Receives and processes attributes and authentications
• Metadata

Page 5: Trends in Identity Management

Trust Basis for Exchange

• IdP asserts good information
• SP disposes of information received properly
• Logging
  • Tracking down malfeasants is cooperative but always possible
• Everything always boils down to a bilateral exchange
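The IdP/SP exchange sketched on this slide and the previous one, as an added Python example that is not from the presentation: a Service Provider checks an Identity Provider's SAML 2.0 assertion against the issuers it trusts from metadata, the assertion's validity window and its audience before using the attributes, and returns the assertion ID and issuer for its own log. The entityIDs, the assertion and its attribute values are constructed; verification of the assertion's XML signature with the IdP key from metadata is assumed to happen before this function runs.

```python
import xml.etree.ElementTree as ET
from datetime import datetime, timezone

NS = {"saml": "urn:oasis:names:tc:SAML:2.0:assertion"}

# Constructed stand-in for federation metadata: entityIDs of the IdPs this SP trusts.
# Real deployments take these (and IdP signing keys) from signed federation metadata
# and verify the assertion's XML signature before the checks below (assumed here).
TRUSTED_IDPS = {"https://idp.example.edu/idp/shibboleth"}
SP_ENTITY_ID = "https://sp.example.org/shibboleth"

# Constructed sample assertion; attribute Names are the eduPerson OIDs for
# eduPersonPrincipalName (...1.6) and the multi-valued eduPersonAffiliation (...1.1).
SAMPLE_ASSERTION = """<saml:Assertion xmlns:saml="urn:oasis:names:tc:SAML:2.0:assertion"
 ID="_constructed01" Version="2.0" IssueInstant="2007-04-10T12:00:00Z">
 <saml:Issuer>https://idp.example.edu/idp/shibboleth</saml:Issuer>
 <saml:Conditions NotBefore="2007-04-10T11:59:00Z" NotOnOrAfter="2007-04-10T12:05:00Z">
  <saml:AudienceRestriction><saml:Audience>https://sp.example.org/shibboleth</saml:Audience></saml:AudienceRestriction>
 </saml:Conditions>
 <saml:AttributeStatement>
  <saml:Attribute Name="urn:oid:1.3.6.1.4.1.5923.1.1.1.6"><saml:AttributeValue>jdoe@example.edu</saml:AttributeValue></saml:Attribute>
  <saml:Attribute Name="urn:oid:1.3.6.1.4.1.5923.1.1.1.1">
   <saml:AttributeValue>member</saml:AttributeValue><saml:AttributeValue>student</saml:AttributeValue>
  </saml:Attribute>
 </saml:AttributeStatement>
</saml:Assertion>"""


def parse_time(s):
    # SAML dateTime values are UTC with a 'Z' suffix
    return datetime.strptime(s, "%Y-%m-%dT%H:%M:%SZ").replace(tzinfo=timezone.utc)


def process_assertion(xml_text, now, trusted_idps=TRUSTED_IDPS, audience=SP_ENTITY_ID):
    """SP-side processing: trusted issuer, validity window, audience, then attributes.
    Returns (assertion ID, issuer, attributes); raises ValueError when the assertion must be rejected."""
    root = ET.fromstring(xml_text)
    issuer = root.findtext("saml:Issuer", namespaces=NS)
    if issuer not in trusted_idps:            # only IdPs known from metadata may assert
        raise ValueError(f"untrusted issuer: {issuer}")
    cond = root.find("saml:Conditions", NS)
    if cond is None:
        raise ValueError("assertion carries no Conditions")
    nb, na = cond.get("NotBefore"), cond.get("NotOnOrAfter")
    if (nb and now < parse_time(nb)) or (na and now >= parse_time(na)):
        raise ValueError("assertion outside its validity window")  # stale or replayed
    audiences = [a.text for a in cond.findall("saml:AudienceRestriction/saml:Audience", NS)]
    if audience not in audiences:             # an assertion issued for some other SP
        raise ValueError("assertion not addressed to this SP")
    attrs = {a.get("Name"): [v.text for v in a.findall("saml:AttributeValue", NS)]
             for a in root.findall("saml:AttributeStatement/saml:Attribute", NS)}
    return root.get("ID"), issuer, attrs
```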

Page 6: Trends in Identity Management

Trust Basis for Exchange

• Centralized federation services
  • Metadata
  • Auditing
  • Attribute standardization
  • Other rules
• Extensions and merges of existing identities
  • Virtual Organizations

Page 8: Trends in Identity Management

SAML-based Higher Ed Federations

• Australia • Belgium • Canada • China • Denmark • Finland
• France • Germany • Greece • New Zealand • Norway • Spain
• Sweden • Switzerland • The Netherlands • United Kingdom • United States

Page 9: Trends in Identity Management

InCommon: U.S. Higher Ed Federation

• Multiple levels of assurance
  • Bronze, Silver, Gold, or basic
• Identity information managed by central IT
  • Where are the attributes you need?
  • No guidance on attribute release
• http://www.incommonfederation.org

Page 10: Trends in Identity Management

Security Assertion Standards

• SAML 1.1 (Shibboleth 1.x)
• SAML 2.0
• ID-WSF
• WS-Trust
• WS-Security
• Many other WS-*
• Many other others

Page 11: Trends in Identity Management

Standards Convergence

[Timeline diagram, 2002 to 2004: ID-FF 1.1 and ID-FF 1.2, SAML 1.0 and SAML 1.1, and Shibboleth 1.x converging into SAML 2.0]

Page 12: Trends in Identity Management

Peer-to-Peer Trust

• Self-issued credentials
  • Usually bootstrapped through personal interaction
  • Joe sent me his PKC in an IM, and I know this is Joe because of our secret handshake
  • And I know that’s his screen-name because…
• Differentiate between quality of initial authentication and subsequent value
  • Unauthenticated email sure is popular…

Page 13: Trends in Identity Management

OpenID

• Codification of that community trust
  • Using URLs
  • A simple protocol
  • Basic attributes
  • Plug-ins for most web environments
• Many other approaches, some based on heavier technology
• Deployed in blogosphere and beyond
  • No attempts to integrate with network security
  • But growing corporate interest and support

Page 14: Trends in Identity Management

OpenID/SAML convergence

• There are protocols and there are tokens
  • WS-Trust
  • WS-Security
  • Cardspace
• Solutions address somewhat different needs
  • Room for co-existence
  • But interoperability would still be nice
• Some cooperation between the two communities in looking for convergence opportunities

Page 15: Trends in Identity Management

Related Projects

• Higgins
  • A set of interfaces that try to abstract identity management
• Microsoft ADFS
  • Shibboleth interoperability
• XACML
  • Layered in SAML assertions
  • Its own protocol

Page 16: Trends in Identity Management

Big Changes

• Federated Identity evolving from Web SSO to other applications

• Maturation of vendor products in the IdM space
  • Increasingly, Federated IdM packages support multiple protocols; sites make choices based on “value add”

• Growing interest in using Levels of Assurance (LoA)

• Growing interest in Inter-Federation

Page 17: Trends in Identity Management

Federated Identity for Network Authentication

• Traveling individuals
• Attribute-based access control
• Privacy
• Accountability

Page 18: Trends in Identity Management

Current Deployments

• Shibboleth-based wireless authentication at University of Texas
  • It’s a hack
  • Use Shibboleth to populate a database that the RADIUS server can draw on
  • Supports multiple access groups
  • Hugely popular with the university brass

https://spaces.internet2.edu/display/SHIB/ShibbolizedWireless

Page 19: Trends in Identity Management

Current Deployments

• eduroam
  • Global RADIUS infrastructure using 802.1X
  • Widespread adoption by European higher ed
  • Multiple countries in Asia & Oceania
  • U.S. under-represented

http://www.eduroam.org/

Let’s look at the policies…

Page 20: Trends in Identity Management

Revealing Challenges

• What security policies will be enacted on an eduroam visitor?
  • Japan wants to mandate that once access is granted via eduroam a VPN tunnel home be established for all further traffic
• What information do people need to know?
  • Which attributes are required?
  • Does anonymity matter?

Page 21: Trends in Identity Management

SAML, RADIUS, DIAMETER

• RADIUS profile of SAML
  • http://tinyurl.com/24m9pm
• DAMe project
  • DIAMETER supporting SAML
• Slide theft
  • Diego Lopez of RedIRIS

Page 22: Trends in Identity Management

InCommon

• U.S. higher education federation
• 50 participants and counting
• Oriented around access to web resources
  • EBSCO, ScienceDirect, JSTOR, Napster, Turnitin, etc.
• SAML-centric

Page 23: Trends in Identity Management

Questions for You

• What could you do with federated identity?

• What information do you need to know before making your various decisions?

• Can InCommon address your collaboration or network authentication needs?

• How would you do inter-realm network security?