EuroCAMP: Porto

An Introduction to Identity and Access Management

Borrowed from

Keith Hazelton (hazelton@doit.wisc.edu)

Sr. IT Architect, University of Wisconsin-Madison

Ken Klingenstein

Director, Internet2 Middleware and Security

Topics

• What is Identity Management (IdM)?
• The IdM Stone Age
• A better vision for IdM

– An aside on the value of affiliation / group / privilege management services

• Basic IdM functions mapped to open source components

• Demands on IT and how IdM services help

Identity and Access Management (IAM) defined

• What is Identity Management?
  “Identity management is the set of business processes, and a supporting infrastructure, for the creation, maintenance, and use of digital identities.” The Burton Group (a research firm specializing in IT infrastructure for the enterprise)

• Identity Management in this sense is often called “Identity and Access Management” (IAM)

• What problems do Identity and Access Management address?

IAM is…

• “Hi! I’m Lisa.” (Identity)
• “…and here’s my NetID / password to prove it.” (Authentication)
• “I want to do some E-Reserves reading.” (Authorization: allowing Lisa to use the services for which she’s authorized)

• “And I want to change my grade in last semester’s Physics course.”

(Authorization : Preventing her from doing things she’s not supposed to do)

IAM is also…

• New hire, Assistant Professor Alice
  – Department wants to give her an email account before her appointment begins so they can get her off to a running start

• How does she get into our system and get set up with the accounts and services appropriate to faculty?

What questions are common to these scenarios?

• Are the people using these services who they claim to be?

• Are they a member of our campus community?
• Have they been given permission?
• Is their privacy being protected?
• Policy/process issues lurk nearby

The IAM Stone Age

• List of functions:

• AuthN: Authenticate principals (people, servers) seeking access to a service or resource

• Log: Track access to services/resources

The IAM Stone Age (continued)

• Every application for itself in performing these functions

• User list plus credentials: if you’re on the list, you’re in (authentication doubles as authorization, i.e. AuthN is AuthZ)

• And some identifiers are assigned nationally, with uncertain value locally

Vision of a better way to do IAM

• IAM as a middleware layer at the service of any number of applications

• Requires an expanded set of basic functions
  – Reflect: Track changes to institutional data from changes in Systems of Record (SoR) & other IdM components
  – Join: Establish & maintain person identity across SoR
  – Credential: Issue digital credentials to people in the community
  – …

Basic IAM functions mapped to the NMI / MACE components

[Diagram: Systems of Record (Student, HR, Other) feed the Enterprise Directory (Registry, LDAP)]

Your Digital Identity and The Join

• The collection of bits of identity information about you in all the relevant IT systems at your institution

• For any given person in your community, do you know which entry in each system’s data store carries bits of their identity?

• If more than one system can “create a person record,” you have identity fragmentation

The pivotal concept of IAM: The Join

• Identity fragmentation cure #1: The Join

• Use business logic to
  – Establish which records correspond to the same person
  – Maintain that identity join in the face of changes to data in collected systems

Identity Information Access

• Some direct from the Enterprise Directory via reflection from SoR

• Other bits need to be made reachable by identifier crosswalks

Registry ID   Sys A ID   Sys B ID   Sys C ID   Sys D ID
3a104e59      fsmith32   86443      freds      864164
8c2f916d      abecker1   45209      amyb       752731
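The join and the crosswalk table above are easier to reason about in code. The following is an added example, not code from the slides or from any NMI/MACE component: it runs a join over constructed records from three hypothetical systems ("student", "hr", "library"), matching first on a strong key (a national ID, where a system carries one) and falling back to a normalized name plus date of birth, and it builds the registry-ID-to-local-ID crosswalk. Records whose strong and weak keys point at two different people, or that would give one system a second entry for the same person, are parked for manual review instead of being merged silently, because a silent bad merge is how one person inherits another's privileges.

```python
"""Identity join and identifier crosswalk: added example, not from the slides.

Constructed sample data: three systems ("student", "hr", "library") each hold their
own local identifier for a person. The join decides which records describe the same
person, mints one opaque registry ID per person and keeps a crosswalk from that ID to
every local ID. Ambiguous records go to manual review rather than being merged.
"""
import hashlib
import unicodedata
from dataclasses import dataclass, field
from typing import Dict, List, Optional, Tuple


@dataclass(frozen=True)
class SorRecord:
    system: str                         # system of record the entry came from
    local_id: str                       # identifier used inside that system
    given: str
    family: str
    dob: str                            # ISO date, e.g. "1987-03-14"
    national_id: Optional[str] = None   # strong key, present only in some systems


@dataclass
class Person:
    registry_id: str
    local_ids: Dict[str, str] = field(default_factory=dict)  # system -> local ID


def _norm(text: str) -> str:
    """Case-fold and strip accents/punctuation so 'SMITH' and 'Smith' compare equal."""
    plain = unicodedata.normalize("NFKD", text).encode("ascii", "ignore").decode()
    return "".join(ch for ch in plain.lower() if ch.isalnum())


def strong_key(r: SorRecord) -> Optional[Tuple]:
    return ("nid", r.national_id) if r.national_id else None


def weak_key(r: SorRecord) -> Tuple:
    return ("name-dob", _norm(r.given), _norm(r.family), r.dob)


class Registry:
    def __init__(self) -> None:
        self.people: Dict[str, Person] = {}
        self.by_key: Dict[Tuple, str] = {}              # match key -> registry ID
        self.review: List[Tuple[SorRecord, str]] = []   # records needing a human decision

    @staticmethod
    def _new_registry_id(r: SorRecord) -> str:
        # Opaque and stable: derived from the first record seen, never a reused local ID.
        return hashlib.sha256(f"{r.system}:{r.local_id}".encode()).hexdigest()[:8]

    def join(self, r: SorRecord) -> Optional[str]:
        """Attach r to an existing person or create one; None means parked for review."""
        sk, wk = strong_key(r), weak_key(r)
        hit_strong = self.by_key.get(sk) if sk else None
        hit_weak = self.by_key.get(wk)
        if hit_strong and hit_weak and hit_strong != hit_weak:
            self.review.append((r, "strong and weak keys point at different people"))
            return None
        rid = hit_strong or hit_weak
        if rid is None:
            rid = self._new_registry_id(r)
            self.people[rid] = Person(rid)
        person = self.people[rid]
        already = person.local_ids.get(r.system)
        if already is not None and already != r.local_id:
            self.review.append((r, f"{r.system} already maps {already} to {rid}"))
            return None
        person.local_ids[r.system] = r.local_id
        self.by_key[wk] = rid
        if sk:
            self.by_key[sk] = rid
        return rid

    def crosswalk(self, system: str, local_id: str, to_system: str) -> Optional[str]:
        """Translate a person's identifier in one system into their identifier in another."""
        for p in self.people.values():
            if p.local_ids.get(system) == local_id:
                return p.local_ids.get(to_system)
        return None


def build_sample_registry() -> Registry:
    """Run the join over constructed records from three systems."""
    records = [
        SorRecord("student", "86443", "Fred", "Smith", "1987-03-14", "NID-1001"),
        SorRecord("student", "45209", "Amy", "Becker", "1990-07-02", "NID-2002"),
        SorRecord("hr", "864164", "Fred", "Smith", "1987-03-14", "NID-1001"),  # strong-key match
        SorRecord("hr", "752731", "Amy", "Becker", "1990-07-02", "NID-2002"),
        SorRecord("library", "freds", "FRED", "SMITH", "1987-03-14"),          # weak-key match only
        # Bad data: Amy's name and birth date with Fred's national ID -> parked for review
        SorRecord("library", "amyb", "Amy", "Becker", "1990-07-02", "NID-1001"),
    ]
    reg = Registry()
    for rec in records:
        reg.join(rec)
    return reg
```

The registry ID is the only identifier that should leave the registry; applications receive it (or a per-application identifier derived from it) rather than another system's local ID, so that a renamed login or a renumbered HR record does not break the join.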

Identity Fragmentation Cure #2

• When you can’t integrate, federate
• Federated Identity & Access Management
  – Rely on the Identity Management infrastructure of one or more institutions or units
  – To authenticate and pass authorization-related information to service providers or resource hosts
  – Via institution-to-provider agreements
  – Facilitated by common membership in a federation (like InCommon)

• Shibboleth is a way to move the authNZ info between parties

Basic IAM functions mapped to the NMI / MACE components

[Diagram, components shown: Systems of Record; Enterprise Directory; Grouper, Signet; A-Select, CAS, etc.; Shibboleth; Apps / Resources]

Vision of a better way to do IAM (continued)

• More in the expanded set of basic functions
  – Mng. Affil.: Manage affiliation and group information
  – Mng. Priv.: Manage privileges and permissions at system and resource level

Managing Roles & Privileges (Grouper, Signet)

Role-Based Access Control (RBAC) model

• Users are placed into groups

• Privileges are assigned to groups

• Groups can be arranged into hierarchies to effectively bestow privileges

• Signet manages privileges

• Grouper manages, well, groups
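The RBAC model on this slide, as an added example in working code (not code from Grouper, Signet or the slides): a group service that supports nested groups, a privilege service that assigns privileges only to groups, and an allow/deny function that operates on an already-authenticated principal. Group names, users and privileges are constructed sample data. The example also shows what nesting buys you (a privilege granted to "community" reaches a member of "physics:faculty" two levels down), that the default answer is deny, and that a cycle in group nesting does not hang the membership walk.

```python
"""Group-based RBAC with nested groups: added example, not from the slides.

GroupService plays the Grouper role (who is in which group; groups may contain
groups), PrivilegeService plays the Signet role (which groups hold which
privileges), and authorize() is the run-time allow/deny decision. The decision
takes an already-authenticated principal and never touches credentials, so
AuthZ stays independent of AuthN. All names below are constructed sample data.
"""
from collections import defaultdict
from typing import Dict, Set, Tuple

Privilege = Tuple[str, str]  # (action, resource)


class GroupService:
    def __init__(self) -> None:
        self.members: Dict[str, Set[str]] = defaultdict(set)  # group -> direct members

    def add(self, group: str, member: str) -> None:
        """member may be a user or another group; nesting is how hierarchies are built."""
        self.members[group].add(member)

    def groups_of(self, principal: str) -> Set[str]:
        """Every group the principal is in, directly or through nesting (cycle-safe)."""
        parents: Dict[str, Set[str]] = defaultdict(set)
        for group, members in self.members.items():
            for m in members:
                parents[m].add(group)
        seen: Set[str] = set()
        stack = [principal]
        while stack:
            node = stack.pop()
            for group in parents.get(node, ()):
                if group not in seen:          # visited set stops cycles
                    seen.add(group)
                    stack.append(group)
        return seen


class PrivilegeService:
    def __init__(self) -> None:
        self.grants: Dict[str, Set[Privilege]] = defaultdict(set)  # group -> privileges

    def grant(self, group: str, action: str, resource: str) -> None:
        self.grants[group].add((action, resource))


def effective_privileges(principal: str, groups: GroupService,
                         privs: PrivilegeService) -> Set[Privilege]:
    """Union of the privileges of every group the principal is in; users hold none directly."""
    result: Set[Privilege] = set()
    for group in groups.groups_of(principal):
        result |= privs.grants.get(group, set())
    return result


def authorize(principal: str, action: str, resource: str,
              groups: GroupService, privs: PrivilegeService) -> bool:
    """Allow/deny for an authenticated principal; anything not granted is denied."""
    return (action, resource) in effective_privileges(principal, groups, privs)


def build_sample() -> Tuple[GroupService, PrivilegeService]:
    groups, privs = GroupService(), PrivilegeService()
    # Hierarchy: physics:faculty sits inside faculty; faculty and students sit inside community
    groups.add("community", "students")
    groups.add("community", "faculty")
    groups.add("faculty", "physics:faculty")
    groups.add("students", "lisa")
    groups.add("physics:faculty", "alice")
    groups.add("registrar-staff", "bob")
    # Privileges are assigned to groups only, never to individual users
    privs.grant("community", "read", "e-reserves")
    privs.grant("faculty", "submit", "grades")
    privs.grant("registrar-staff", "write", "grades")
    return groups, privs


if __name__ == "__main__":
    g, p = build_sample()
    for who, act, res in [("lisa", "read", "e-reserves"), ("lisa", "write", "grades"),
                          ("alice", "read", "e-reserves"), ("bob", "write", "grades")]:
        print(who, act, res, "->", "allow" if authorize(who, act, res, g, p) else "deny")
```

Lisa's two requests from the earlier slide come out as expected: reading E-Reserves is allowed through "students" → "community", and changing a grade is denied because no group she belongs to holds ("write", "grades"). An authenticated principal that no group lists gets nothing, which is the point of separating the allow/deny decision from authentication.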

Vision of a better way to do IAM (continued)

• More in the expanded set of basic functions
  – Provision: Push IAM info out to systems and services as required
  – Relay: Make access control / authorization information available to services and resources at run time
  – AuthZ: Make the allow/deny decision independent of AuthN

Provisioning

• Getting identity information where it needs to be

• For “Apps with Attitude,” this often means exporting reformatted information to them in a form they understand

• Using either App-provided APIs or tricks to write to their internal store

• Change happens, so this is an ongoing process
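The provisioning loop described on this slide, as an added example (not code from the slides or from any vendor API): directory entries are reformatted into the shape a hypothetical "app with attitude" understands, compared with what the app currently holds, and the difference is applied as create/update/disable operations. Running the same plan twice yields no operations, so it can run on a schedule as the directory changes. Directory attribute names follow the eduPerson schema (an assumption; the slides name no schema), ROLE_MAP is an assumed affiliation-to-role mapping, and AppStore is a constructed in-memory stand-in for the app's user store. Accounts that disappear from the directory are disabled rather than deleted, because the app may still reference them and the NetID must never be reassigned.

```python
"""Provisioning reconciliation for an application with its own user store.

Added example, not from the slides. Directory entries (eduPerson attribute names,
assumed) are reformatted into the app's record shape (assumed), diffed against the
app's current users and pushed as the minimal set of create/update/disable operations.
AppStore is a constructed stand-in for a real vendor API.
"""
from typing import Dict, List, Optional, Tuple

ROLE_MAP = {"faculty": "instructor", "staff": "instructor", "student": "learner"}  # assumed

AppRecord = Dict[str, str]
Op = Tuple[str, str, Optional[AppRecord]]  # (operation, username, payload)


def to_app_format(entry: Dict[str, str]) -> AppRecord:
    """Reformat a directory entry into the app's own record shape."""
    return {
        "username": entry["uid"],
        "email": entry["mail"],
        "role": ROLE_MAP.get(entry.get("eduPersonPrimaryAffiliation", ""), "guest"),
    }


def plan(desired: Dict[str, AppRecord], current: Dict[str, AppRecord]) -> List[Op]:
    """Diff desired state (from the directory) against the app's current state."""
    ops: List[Op] = []
    for user, rec in desired.items():
        have = current.get(user)
        if have is None:
            ops.append(("create", user, rec))
        elif any(have.get(k) != v for k, v in rec.items()) or have.get("status") != "active":
            ops.append(("update", user, rec))
    # Anyone the directory no longer lists is disabled, not deleted: the app may still
    # reference the account (grades, files) and the identifier must never be reused.
    for user, have in current.items():
        if user not in desired and have.get("status") != "disabled":
            ops.append(("disable", user, None))
    return ops


class AppStore:
    """Constructed stand-in for the application's user API."""

    def __init__(self) -> None:
        self.users: Dict[str, AppRecord] = {}

    def apply(self, ops: List[Op]) -> None:
        for op, user, payload in ops:
            if op == "create" and payload is not None:
                self.users[user] = {**payload, "status": "active"}
            elif op == "update" and payload is not None:
                self.users[user] = {**self.users[user], **payload, "status": "active"}
            elif op == "disable":
                self.users[user]["status"] = "disabled"


def reconcile(directory: List[Dict[str, str]], app: AppStore) -> List[Op]:
    """One provisioning run: compute the plan, apply it, return what was done."""
    desired = {e["uid"]: to_app_format(e) for e in directory}
    ops = plan(desired, app.users)
    app.apply(ops)
    return ops


# Constructed directory snapshots: then lisa's affiliation changes, alice is hired, bob leaves
DIRECTORY_V1 = [
    {"uid": "lisa", "mail": "lisa@example.edu", "eduPersonPrimaryAffiliation": "student"},
    {"uid": "bob", "mail": "bob@example.edu", "eduPersonPrimaryAffiliation": "staff"},
]
DIRECTORY_V2 = [
    {"uid": "lisa", "mail": "lisa@example.edu", "eduPersonPrimaryAffiliation": "faculty"},
    {"uid": "alice", "mail": "alice@example.edu", "eduPersonPrimaryAffiliation": "faculty"},
]


def run_demo() -> List[List[Op]]:
    """Three runs: initial load, a no-op repeat, then the changed directory."""
    app = AppStore()
    first = reconcile(DIRECTORY_V1, app)   # two creates
    again = reconcile(DIRECTORY_V1, app)   # converged: nothing to do
    change = reconcile(DIRECTORY_V2, app)  # update lisa, create alice, disable bob
    return [first, again, change]


if __name__ == "__main__":
    for i, ops in enumerate(run_demo(), 1):
        print(f"run {i}:", [(op, user) for op, user, _ in ops])
```

The diff is computed on the app's own record shape, not on directory attributes, so a change that does not affect the app (a new phone number, say) produces no operation, while a change that does (an affiliation that maps to a different role) produces exactly one update.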

Two modes of app/IdM integration

• Domesticated applications:
  – Provide them the full set of IdM functions
• Applications with attitude (comes in the box):
  – Meet them more than halfway by provisioning

IAM functions

Function              What it covers
Reflect               Data of interest
Join                  Identity across SoR
Credential            NetID, other
Manage Affil/Groups   AuthZ info
Manage Privileges     More AuthZ info
Provision             Gen. AuthNZ info into app space
Relay                 AuthZ info to app on request
Authenticate          Identity claim
Authorize             Access decision (allow/deny)
Log                   Usage for audit, accounting, …

Alternative packaging of basic IdM

[Diagram, components shown: Systems of Record; Enterprise Directory with Directory Plug-ins, Kerberos and LDAP; Apps / Resources]

Alternative packaging of basic IdM functions: Single System of Record as Enterprise Directory

[Diagram: a single Student-HR Information System acting as both Registry and LDAP directory]

Single SoR as Enterprise Directory

• Who “owns” the system?
• Do they see themselves as running shared infrastructure?
• Will any “external” populations ever become “internal”?
  – What if the hospital negotiates a deal?

• Stress-test alternative packaging by thinking through the list of basic IdM functions

Same IdM functions, different packaging

• Your IdM infrastructure (existing or planned) may have different boxes & lines

• But somewhere, somehow this set of IdM functions is getting done

• Gives us all a way to compare our solutions by looking at various packagings of the IdM functions

From Construction to Integration

• Construction
  – Raw materials into systems
• Integration
  – Subsystems into whole systems
  – Multiple systems into ecosystems

• We’re all moving from construction to integration

• Let’s review state of middleware systems’ readiness for integration

IAM and Application Integration

Middleware -- Application Integration

• ERPs

• SAKAI

• uPortal

• …

As for Lisa

• Sez who?
  – What Lisa’s username and password are?
  – What she should be able to do?
  – What she should be prevented from doing?
  – Scaling to the other 40,000 just like her on campus

As for Professor Alice

• What accounts and services should faculty members be given?

• At what point in the hiring process should these be activated?

• Methods need to scale to 20,000 faculty and staff

• In all of these, a full IAM infrastructure would provide the technical part of a solution

Policy issues re “credential” function: NetID

• When to assign, activate (as early as possible)

• Who gets them? Applicants? Prospects?

• “Guest” NetIDs (temporary, identity-less)

• Reassignment (never; except…)

• Who can handle them? Argument for WebISO.

Inter-institutional integration: the transport function

• Federations

• Peering of federations
  – Levels of assurance

– Attribute mapping

– WAYF functionality

• Virtual Organization (VOs)

Alternatives to IP Address Based Access Restriction

1. User-based access restriction
  A. Each service provider manages credentials for all of its users

B. One big credential database of all users used by all service providers

C. Each user has a “home organization” whose credential database can, by magic, be used by each service provider

2. ???

Federated Identities

• “Federated identities” is option C on the previous slide
  – A hierarchical approach to decompose the problem into manageable pieces
  – Analogous to the problem that IAM addresses, and rests upon IAM infrastructure

• “Federating technology” is the “magic” part of option C

• “Identity federation” (noun) is a set of service providers, identity providers, and other context in which the magic happens

Federating Technologies

• SAML implementations

– Security Assertion Markup Language

  – Shibboleth
  – Bodington/Guanxi
  – AthensIM
  – SourceID
  – SAMUEL
  – MS ADFS
  – Other proprietary

• Liberty Identity Federation implementations
  – SourceID
  – Lasso
  – Proprietary

• Others
  – MS Inter-Forest Trust

IAM functions & big pictures

• Reflect
• Join
• Credential
• Provide/run-time (AuthN)
• Provide/provision
• AuthZ
• Manage Grps
• Manage Privs
• Log

A closer look at managing affiliations, groups and privileges

• How does this help the harried IT staff?

What is IT being asked to do?

• Automatic creation and deletion of computer accounts

• Personnel records access for legal compliance
• One stop for university services (portal) integrated with course management systems

What else is IT being asked to do?

• Student record access for life
• Submission and/or maintenance of information online
• Privacy protection

More on the To Do list

• Stay in compliance with a growing list of policy mandates

• Increase the level of security protections in the face of a steady stream of new threats

More on the To Do list (continued)

• Serve new populations (alumni, applicants, …)
• More requests for new services and new combinations of services
• Increased interest in eBusiness

• There is an Identity Management aspect to each and every one of these items

How a full IdM layer helps

• Improves scalability: IdM process automation

• Reduces complexity of the IT ecosystem
  – Complexity as friction (wasted resources)

• Improved user experience

• Functional specialization: App developer can concentrate on app-specific functionality