Transcript of CIS2054 - Federated Identity Management
Libraries and Journals
Student S from MCAST wants to use resource R at UoM...
B) MCAST (government) buys R for S to use
C) S goes to uni and asks for a user account to access R (possible?)
D) S bribes/pleads with someone and gets access (possible!)
Can't we share specialized resources?
Can we join resources so that 1+1 = 3?
What do we do?
A) Build a big common room and store all the resources in them
B) Build a new common campus
C) Buy a truck and get a driver who would move stuff to and fro as required
D) Create an identity federation
Let's start off with an example
1st Attempt to get resource R
2nd Attempt to get resource R
Centralised IdM vs Federated IdM
Have you ever used IEEEXplore?
Obtaining resource R
Checks IP against institutional IP ranges
What makes up a Federation?
Sharing assertions and not identifying information
Manage fewer passwords
Access to restricted resources from institutions in the circle of trust
Manage only internal identities
If student S leaves UoM, and is removed from eSIMS, then he/she cannot access MCAST anymore.
No need to scale up if federation grows
The number of federation users won't affect an entity's backend capacity; everyone is stored and managed at his/her own institution
Date of Birth
Are you over 18?
Username and Password
Yes, he can log-in!
Single Sign-On as well as Single Sign-Out on Internet/Intranet
Major Online Sites
... such as Airbus and Michelin
To reduce cognitive workload
To encourage user sign-ups
To increase security
Have you heard of cross-border eID and STORK?
No redundant information exists at MCAST
Cross-border recognition of nationally issued digital signatures for security of data exchange requires interoperability at legal, operational and technical levels. The framework for a European Federated Validation Service will provide a necessary tool for the establishment of Trust between different issuers of certificates and for the technical validation of eSignatures.
Inter-EU State eID validity
a) Selective disclosure
b) With user consent
c) Sharing entitlements and auth
Faster Integration for Resource Sharing
Used widely in the US and EU
UK Access Management Federation
UK Academic community moving towards a federated approach
IdPs - Identity Providers
SPs - Service Providers
- E.g. Library
- Lab Access (IT Services Profile)
- Course Material on VLE
- Live@Edu (MCAST)
Resources which can be shared by UoM include:
- Online Journal Subscriptions at the Library
- ITS terminals
- MSDNAA Subscriptions
Interesting research on this topic:
- Extending CampusLink to make use of new tokens (e.g.Yubikey and NFC)
- Automated Policy mapping between institutions
- E.g. IT Services (UoM)
- Using any backend technology
(AD, LDAP, SQL Server, OpenID)
E.g. Students, Academics
- E.g. Rich Policy Environment
- Security Policies
- Privacy Policies
- Data Release Policies
St. Martins IdP
UOM IdP and SP
MCAST IdP and SP
SAML assertions contain authentication information about:
- a student, a lecturer or even the whole organization.
The assertion is sent to the service provider, which in turn makes use of the information appropriately.
Assertions are a core component within a federation
- relevant identity attributes are shared across entities,
- Not identifying information (respecting privacy and keeping redundancy of identity-related information in check)
Signed SAML Assertions
Example: This is a student from UOM who has been authenticated through a user name and password
In SP Initiated the WAYF question is required.
Can be answered:
Manually: Recall the IEEEXplore Institution Selection
Automatically: Using institution issued Smart Card
How can these be applied?
E.g. Service Provider Initiated Protocol using HTTP Redirect Binding (using POST as in IEEEXplore)
Different Binding techniques exist
1. SAML Request
2. Signed SAML Response
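The SP-initiated exchange above (AuthnRequest, then a signed Response carrying an assertion), worked through as an added example that is not part of the lecture. The federation metadata, user store and entity IDs are constructed, and an HMAC shared key stands in for the X.509/XML-DSig signature of real SAML; what it shows is the selective disclosure (an over-18 flag instead of the date of birth, no name) and the checks the SP must perform before trusting the assertion.

```python
import hmac, hashlib, json, secrets
from datetime import date, datetime, timedelta, timezone

# Constructed federation metadata: the IdPs this SP trusts (its circle of trust)
# and their signing keys. Real SAML uses X.509/XML-DSig; HMAC stands in here.
FEDERATION = {"https://idp.uom.example": b"uom-demo-key",
              "https://idp.mcast.example": b"mcast-demo-key"}
# Constructed IdP user store: identifying data stays at the home institution.
IDP_USERS = {"s1234": {"name": "Student S", "dob": date(2003, 5, 2), "affiliation": "student"}}

def sign(idp, assertion):
    canon = json.dumps(assertion, sort_keys=True)   # stand-in for XML canonicalisation
    return hmac.new(FEDERATION[idp], canon.encode(), hashlib.sha256).hexdigest()

def sp_authn_request(sp_entity_id):
    # Step 1 (SP-initiated): the SP issues an AuthnRequest the browser carries to the IdP.
    return {"ID": "req-" + secrets.token_hex(4), "Issuer": sp_entity_id}

def idp_response(idp, request, user_id, now=None):
    # Step 2: after authenticating the user the IdP returns a signed Response.
    # Selective disclosure: release affiliation and an over-18 flag, never name or DoB.
    u, now = IDP_USERS[user_id], now or datetime.now(timezone.utc)
    d = u["dob"]
    age = now.year - d.year - ((now.month, now.day) < (d.month, d.day))
    assertion = {"Issuer": idp, "InResponseTo": request["ID"], "Audience": request["Issuer"],
                 "NotBefore": now.isoformat(),
                 "NotOnOrAfter": (now + timedelta(minutes=5)).isoformat(),
                 "AuthnContext": "PasswordProtectedTransport",
                 "Attributes": {"eduPersonAffiliation": u["affiliation"], "over18": age >= 18}}
    return {"Assertion": assertion, "Signature": sign(idp, assertion)}

def sp_validate(response, request, now=None):
    # Step 3: the SP accepts the assertion only if every federation check passes.
    a, now = response["Assertion"], now or datetime.now(timezone.utc)
    if a["Issuer"] not in FEDERATION:
        return "untrusted issuer"
    if not hmac.compare_digest(sign(a["Issuer"], a), response["Signature"]):
        return "bad signature"
    if a["InResponseTo"] != request["ID"] or a["Audience"] != request["Issuer"]:
        return "wrong request or audience"
    if not datetime.fromisoformat(a["NotBefore"]) <= now < datetime.fromisoformat(a["NotOnOrAfter"]):
        return "outside validity window"
    return "ok"

if __name__ == "__main__":
    req = sp_authn_request("https://sp.ieeexplore.example")
    resp = idp_response("https://idp.uom.example", req, "s1234")
    print(sp_validate(resp, req), resp["Assertion"]["Attributes"])
```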
Some notes on IdM
- Will start to face new IdM practices and issues in many established domains
- Will introduce (simplified) aspects of new IdM techniques
- Will not explore issues behind ID and IdM issues
Before we start...
Various technologies/techniques/standards to achieve ID federation
SAML (by OASIS Security Service Technical Committee)
Information Card Metaphor
OpenID (OpenID Foundation)
- CardSpace - Microsoft (.Net 3+) ~ XP onwards
... as part of the MS Identity Metasystem (started off by MS Passport)
- Lessons outlined by Kim Cameron
- Higgins Project (open source)
- DigitalMe (Bandit project)
Probably you already have an OpenID which you can use in OpenID enabled sites
E.g. If you have a Google, PayPal, Yahoo or Blogger account amongst others...
- Open, XML oriented standard enabling 2+ security domains to discuss Authorization AND Authentication facts for a given entity
... across security domains (IdP and SP i.e. RP).
- Gives a lot of flexibility in terms of federation configuration (i.e. participants) and allows for full-adherence to the 7-laws of ID
- 1B+ OpenIDs
- Allows decentralized authentication processes and information sharing
SAML - why?
- Highly configurable
- Allows for signed requests and response (X.509)
- Allows for several binding mechanisms (not just HTTP)
- Particularly useful in multi-channel systems
SFIMME - 2008 used GSM as an out of band authentication mechanism
Liberty Identity Federation (ID-FF) by Liberty Alliance
In 2003 Liberty started working with OASIS
- De-facto standard for IDF
- IEEEXplore is working to integrate with Athens (Eduserv and NHS in the UK)
... + 90 countries
... ~ 4.5 million users
... uses SAML
- Used to offer off-campus access to library resources
e.g. SOAP/ HTTP GET/POST....
- Can we create new SAML Profiles (for GSM-based services?)
- i.e. For out-of-band or multichannel service provision and authentication?
- SP with n identities for entity E from n IdPs (can we identify and merge?)
- Users tend to forget which IdP they used to sign-up (i.e. emerging WAYF problem)
That's all folks!
University of Malta
Any mechanism, depending on LoA required
and set policies across the federation
Evaluation of FID
- Enhanced privacy (no redundant identifying info)
- Less cognitive workload (fewer profiles to manage, except for a few trusted IdPs)
- Users decide (or policy enforces) the usage of a specific IdP depending on scenario
... e.g. Social Network IdP for blogging, but PayPal for eCommerce sites
- eGovernment? What IdPs could exist? RealID in the US and many new IdPs in the UK)
- Faster take-up and conversions of visitors to registered users. No need to re-register!
Students use their existing Identity at their own IdP
- SSO is now possible across the Federation: logged in at UoM, seamless access to IEEEXplore, MCAST resources, St. Martins resources and so forth.
- Improved usability.
- Users understand the WAYF question (in a physical world)
- Users are already familiar with Home ID Provider's challenge/response UI
A case with CampusLink (work conducted by Braden Borg and myself)
Main emphasis is on authorization (granting permissions across domains); however, it adopts authentication techniques as well (e.g. as used at FB)
But OAuth is also good in many scenarios. Discussion here https://www.mutuallyhuman.com/blog/2013/05/09/choosing-an-sso-strategy-saml-vs-oauth2/