Identity federation: A new way to manage access to resources
SANLiC 2017, Durban, May 2017

Identity Federations: A brief introduction

Federated Identity
A federated identity in information technology is the means of linking a person's electronic identity and attributes, stored across multiple distinct identity management systems.
Source: https://en.wikipedia.org/wiki/Federated_identity

Federated Identity (diagram): Identity Providers (Home Organisations) <-> Identity Federation <-> Service Providers’ Web Sites

Why not just use Google?
All the major social network platforms provide federated identities…
… so why don’t we just use these?
They all have one major drawback – they are self-asserted
This means you cannot trust any of the information
This is often okay, but…

Academic Identity Federations
Academic identity federations exist to solve the trust problem
Your home organisation – university, research council, etc – knows a lot about you
They also know stuff specific to higher education (HEMIS, RIMS)
More importantly, most of this information has usually been checked and may be subject to audit
This makes them ideal to act as identity providers

Academic Federation Operators
All federations have operators
  Facebook Inc operates Facebook Connect
Academic federations
  Usually operated by the National Research and Education Network (NREN)
  Typically only one per country
  65 known academic federations worldwide

Academic Identity Federations Around the World (map)
Source: https://refeds.org/federations/federations-map, May 2017

Academic Federation Operators
Academic federations are primarily trust relationships, with federation operators acting as trusted introducers
Federation operators worldwide collaborate on issues of interest to research & education:
  Interoperability (R&S profile)
  Common identifiers (eduPersonOrcid)
  Handling of sensitive information
  Security/incident response (SIRTFI)
  etc…

Inter-federation
Inter-federation is the linking of one (academic) federation to another
Through inter-federation we can gain access to services that are not yet available in our own country
Service providers can gain access to customers

SAFIRE: South African Identity Federation

SAFIRE – South African Identity Federation
Academic identity federation for South Africa
Conceived by the community and piloted over a number of years
Supported service operated by TENET
Member of eduGAIN (since February)
  48th member / 41st full participant
  1st member in Africa
Your IT Department should know all this…

SAFIRE – Participants

So what does this all mean for libraries?

The “traditional” licensing model
License based on some form of FTE count
Site-wide, but use restricted to the local campus network
Off-campus users must make use of a reverse proxy or VPN solution
Not easy to enforce more granular controls
IP-based restrictions don’t scale well – and are out-of-sync with the modern Internet
Average student carries 3+ devices.
Default IPv6 allocation for universities in South Africa has 1 208 925 819 614 629 174 706 176 IP addresses in it.

Reverse Proxies
Many libraries use reverse proxies to provide off-campus access to electronic resources
  EZProxy
  III WAM Proxy
Campus networks – indeed “campuses” – are becoming increasingly hard to define, and users are becoming increasingly mobile
Confusing for users – “why can’t I just log in like every other website I use?!”
Difficult to support & troubleshoot
As journal providers embrace SSL, these become more complicated – and expensive – to maintain

Reverse Proxies
By perpetuating reverse proxies, libraries are undermining Internet security and directly contributing to the problem of phishing
See: https://www.us-cert.gov/ncas/alerts/TA17-075A

What if we could leverage existing institutional logins?

What if we could license in a more specific way?

Attributes released by the home organisation (example values):
schacHomeOrganizationType   urn:schac:homeOrganizationType:int:university
schacHomeOrganization       example.ac.za
eduPersonAffiliation        faculty, employee, member
eduPersonScopedAffiliation  faculty@example.ac.za, employee@example.ac.za, member@example.ac.za (a fourth scoped value is illegible in the source)
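The attributes above are what make "more specific" licensing possible: a Service Provider can decide access from the organisation and affiliation the home Identity Provider asserts, instead of from the client's IP address, and it needs nothing more personal than those values. The following Python block is an added example and is not code from the SANLiC slides, SAFIRE or any federation software. It parses a constructed SAML 2.0 AttributeStatement carrying the slide's example values, drops any scoped value whose scope the issuing IdP is not registered to assert (the check a federation SP performs from signed metadata), and then evaluates a licence table. The issuer URL, the registered-scope table and the licence table are assumptions invented for the example; the attribute OIDs are those of the eduPerson and SCHAC schemas.

```python
"""Attribute-based licence enforcement at a federated Service Provider.

Added example, not from the SANLiC 2017 slides or SAFIRE. Issuer URL,
registered scopes and licence table are constructed assumptions.
"""
import xml.etree.ElementTree as ET

SAML_NS = "urn:oasis:names:tc:SAML:2.0:assertion"

# OID -> friendly name for the four attributes shown on the slide (eduPerson / SCHAC).
ATTR_NAMES = {
    "urn:oid:1.3.6.1.4.1.25178.1.2.10": "schacHomeOrganizationType",
    "urn:oid:1.3.6.1.4.1.25178.1.2.9": "schacHomeOrganization",
    "urn:oid:1.3.6.1.4.1.5923.1.1.1.1": "eduPersonAffiliation",
    "urn:oid:1.3.6.1.4.1.5923.1.1.1.9": "eduPersonScopedAffiliation",
}

# Assumed: scopes each IdP may assert. A real SP reads these from the
# federation's signed metadata, not from a hand-written dict.
REGISTERED_SCOPES = {
    "https://idp.example.ac.za/idp/shibboleth": {"example.ac.za"},
}

# Constructed licence table: resource -> licensed organisations and covered affiliations.
LICENCES = {
    "journal-archive": {"orgs": {"example.ac.za"},
                        "affiliations": {"faculty", "staff", "employee", "student"}},
    "alumni-portal": {"orgs": {"example.ac.za"}, "affiliations": {"alum"}},
}

# Constructed assertion: the slide's example values plus one scoped value
# (member@other.ac.za) that this IdP is not registered to assert.
SAMPLE_ASSERTION = f"""<saml:Assertion xmlns:saml="{SAML_NS}" Version="2.0">
  <saml:Issuer>https://idp.example.ac.za/idp/shibboleth</saml:Issuer>
  <saml:AttributeStatement>
    <saml:Attribute Name="urn:oid:1.3.6.1.4.1.25178.1.2.10">
      <saml:AttributeValue>urn:schac:homeOrganizationType:int:university</saml:AttributeValue>
    </saml:Attribute>
    <saml:Attribute Name="urn:oid:1.3.6.1.4.1.25178.1.2.9">
      <saml:AttributeValue>example.ac.za</saml:AttributeValue>
    </saml:Attribute>
    <saml:Attribute Name="urn:oid:1.3.6.1.4.1.5923.1.1.1.1">
      <saml:AttributeValue>faculty</saml:AttributeValue>
      <saml:AttributeValue>employee</saml:AttributeValue>
      <saml:AttributeValue>member</saml:AttributeValue>
    </saml:Attribute>
    <saml:Attribute Name="urn:oid:1.3.6.1.4.1.5923.1.1.1.9">
      <saml:AttributeValue>faculty@example.ac.za</saml:AttributeValue>
      <saml:AttributeValue>employee@example.ac.za</saml:AttributeValue>
      <saml:AttributeValue>member@example.ac.za</saml:AttributeValue>
      <saml:AttributeValue>member@other.ac.za</saml:AttributeValue>
    </saml:Attribute>
  </saml:AttributeStatement>
</saml:Assertion>"""


def parse_attributes(xml_text):
    """Return (issuer, {friendly_name: [values]}) from a SAML assertion."""
    root = ET.fromstring(xml_text)
    issuer = root.findtext(f"{{{SAML_NS}}}Issuer", "").strip()
    attrs = {}
    for attr in root.iter(f"{{{SAML_NS}}}Attribute"):
        name = ATTR_NAMES.get(attr.get("Name"), attr.get("Name"))
        for value in attr.findall(f"{{{SAML_NS}}}AttributeValue"):
            if value.text and value.text.strip():
                attrs.setdefault(name, []).append(value.text.strip())
    return issuer, attrs


def filter_scopes(issuer, attrs):
    """Keep only organisation-bearing values whose scope this issuer may assert."""
    allowed = REGISTERED_SCOPES.get(issuer, set())
    kept, rejected = dict(attrs), []
    orgs = attrs.get("schacHomeOrganization", [])
    kept["schacHomeOrganization"] = [v for v in orgs if v in allowed]
    rejected += [v for v in orgs if v not in allowed]
    scoped = attrs.get("eduPersonScopedAffiliation", [])
    kept["eduPersonScopedAffiliation"] = [v for v in scoped if v.rpartition("@")[2] in allowed]
    rejected += [v for v in scoped if v.rpartition("@")[2] not in allowed]
    return kept, rejected


def authorize(attrs, resource):
    """Licence decision from home organisation and scoped affiliation only."""
    licence = LICENCES.get(resource)
    if licence is None:
        return False, "no licence for resource"
    if not set(attrs.get("schacHomeOrganization", [])) & licence["orgs"]:
        return False, "home organisation not licensed"
    # Unscoped eduPersonAffiliation is ignored: it cannot be tied to an organisation.
    affiliations = {v.rpartition("@")[0] for v in attrs.get("eduPersonScopedAffiliation", [])}
    matched = sorted(affiliations & licence["affiliations"])
    if not matched:
        return False, "affiliation not covered by licence"
    return True, f"granted via {matched[0]}"


def decide(xml_text, resource):
    """End-to-end: parse, scope-filter, authorise."""
    issuer, attrs = parse_attributes(xml_text)
    attrs, rejected = filter_scopes(issuer, attrs)
    granted, reason = authorize(attrs, resource)
    return {"granted": granted, "reason": reason, "rejected_values": rejected}


if __name__ == "__main__":
    for resource in LICENCES:
        print(resource, decide(SAMPLE_ASSERTION, resource))
```

Two design points matter here. First, the decision uses only scoped values, and only after the scope has been checked against what the issuer is registered for; an unscoped `member` tells the SP nothing about which institution is vouching for the user. Second, the SP never sees a name, e-mail address or student number: organisation and affiliation are enough to enforce the licence, which is how the "protecting personal privacy" question later in the deck gets answered in practice.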
What if we could benefit from the integration work done by others?
Source: Rhodes University Library & eduGAIN MET, August 2016

What if we could do this whilst still protecting personal privacy?

Federation…
Provides a new approach to electronic resource management
Gives better control over who has access to your resources = better compliance with licensing agreements
Allows you to downsize/decommission reverse proxies
Is less confusing for your users
Saves you money…

FIM4R Findings (2012)
Federated technologies are good. Take advantage of them.
The infrastructure needs to be improved to take advantage of federated technologies. Do it.
Relying on older models of local account creation and IP-based ACLs is easier. This is a very limited view. Stop it.
If you can’t fix it all yourself (and you can’t), facilitate the efforts of groups that can. Build relationships, target your spending or funding to make the biggest impact.
Source: http://cds.cern.ch/record/1442597
Via: https://learn.nsrc.org/fedidm/iam_researchers

The problem we’re trying to solve