Extending the Reach


Issues in Federating with Shibboleth
Miguel Soldi
The University of Texas System Administration
The University of Texas System
16    Institutions
  • 9 General Academic institutions
  • 6 Health institutions
  • 1 System Administration


81, 000 employees
175,000 students
$8.5 billion budget
 • Significant differences in size and budgets
 • Half of institutions “absorbed” into System
 • Institutions enjoy considerable autonomy
 • 16 “stovepipes”
The University of Texas System
System-Wide IT Oversight
  • UT System CIO
  • Strategic Leadership Council
  • IT Managers Council


Institution IT Oversight
  • From CIO to Director level
  • Administrative and Academic Computing
What Is a Federation?
A federation is an association of organizations
that use a common set of attributes, practices
and policies to exchange information about
their users and resources in order to enable
collaborations and transactions.
                                             InCommon


Shibboleth is the open-source, SAML-based software used to implement a
federated system of identity authentication and authorization: each member's
identity provider authenticates its own users and releases the agreed
attributes, and a service provider consumes those attributes to make its
own authorization decision.

Shibboleth works within a Federation.
Federations: First Steps
Technically speaking, it involves:
   • new policies
   • new processes
   • new trust relationships
   • new authentication and authorization mechanisms
   • new enterprise directories
   • new applications and much more

Participating organizations must agree on:
    • Technical specifications: the data attributes to exchange and the software
      used to interoperate
    • Policy specifications: privacy, how trust is established, and what makes
      exchanged data trustworthy

Must provide two sets of services:
    • Metadata management: aggregate, distribute and maintain members’ metadata
      (entity identifiers and signing keys) and the syntax and semantics of the
      attributes exchanged
    • Trust management: federation and member operating practices and controls,
      and privacy and security policies
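The two services above, as an added toy model (this is not Shibboleth code and not part of the presentation): a dict stands in for the signed metadata aggregate, JSON for the SAML assertion and HMAC for XML-Signature. The entity IDs, keys, user record and attribute release policy are constructed for the example. It shows what a relying party must refuse once metadata and trust policy are in place: an issuer absent from the metadata, a bad signature, an assertion issued for a different relying party, an expired one, and a replayed one, and that the identity provider releases only the attributes the policy allows (the SSN never leaves).

```python
"""Toy federation: metadata registry, IdP assertion issuance under an
attribute release policy, and the SP's relying-party checks. Added example,
not Shibboleth code; HMAC and JSON replace XML-Signature and SAML."""
import hashlib
import hmac
import json
import secrets

# Metadata management: for every member entity, its identifier, role and the
# key relying parties verify against. Constructed values.
FEDERATION_METADATA = {
    "https://idp.campus-a.example.edu/shibboleth": {"role": "idp", "key": b"campus-a-key"},
    "https://idp.campus-b.example.edu/shibboleth": {"role": "idp", "key": b"campus-b-key"},
    "https://sp.library.example.edu/shibboleth": {"role": "sp"},
}

# Trust management, IdP side: which attributes each relying party may receive.
# Anything not listed (e.g. an SSN) is never released. Constructed policy.
ATTRIBUTE_RELEASE_POLICY = {
    "https://sp.library.example.edu/shibboleth": {"eduPersonPrincipalName", "eduPersonAffiliation"},
}

def _sign(body, key):
    payload = json.dumps(body, sort_keys=True).encode()
    return {"payload": payload, "signature": hmac.new(key, payload, hashlib.sha256).hexdigest()}

def idp_issue_assertion(issuer, audience, user_attributes, now, ttl=300):
    """IdP: the user was authenticated out of band (e.g. Apache against LDAP);
    release only policy-allowed attributes, bound to one relying party and a
    short validity window."""
    allowed = ATTRIBUTE_RELEASE_POLICY.get(audience, set())
    released = {k: v for k, v in user_attributes.items() if k in allowed}
    body = {"issuer": issuer, "audience": audience, "id": secrets.token_hex(8),
            "issued": now, "expires": now + ttl, "attributes": released}
    return _sign(body, FEDERATION_METADATA[issuer]["key"])

def sp_verify_assertion(assertion, my_entity_id, now, seen_ids):
    """SP: the relying-party decision. Returns the released attributes or
    raises ValueError naming the trust check that failed."""
    body = json.loads(assertion["payload"])
    meta = FEDERATION_METADATA.get(body.get("issuer"))
    if meta is None or meta["role"] != "idp":
        raise ValueError("issuer is not an identity provider in the federation metadata")
    expected = hmac.new(meta["key"], assertion["payload"], hashlib.sha256).hexdigest()
    if not hmac.compare_digest(expected, assertion["signature"]):
        raise ValueError("signature does not verify against the metadata key")
    if body["audience"] != my_entity_id:
        raise ValueError("assertion was issued for a different relying party")
    if not body["issued"] <= now < body["expires"]:
        raise ValueError("assertion outside its validity window")
    if body["id"] in seen_ids:
        raise ValueError("assertion replayed")
    seen_ids.add(body["id"])
    return body["attributes"]

def run_exchange():
    """One good exchange, then every refusal a relying party must make."""
    idp_a = "https://idp.campus-a.example.edu/shibboleth"
    sp = "https://sp.library.example.edu/shibboleth"
    user = {"eduPersonPrincipalName": "jdoe@campus-a.example.edu",   # constructed user
            "eduPersonAffiliation": "staff", "ssn": "123-45-6789"}
    now, seen, results = 1000000, set(), {}
    good = idp_issue_assertion(idp_a, sp, user, now)
    results["released"] = sp_verify_assertion(good, sp, now, seen)
    tampered = {"payload": good["payload"].replace(b'"staff"', b'"faculty"'),
                "signature": good["signature"]}
    rogue = _sign({"issuer": "https://idp.rogue.example.net/shibboleth", "audience": sp,
                   "id": "x", "issued": now, "expires": now + 300,
                   "attributes": {"eduPersonPrincipalName": "admin@campus-a.example.edu"}},
                  b"rogue-key")
    checks = {
        "tampered": (tampered, now),
        "replay": (good, now),
        "wrong_audience": (idp_issue_assertion(idp_a, "https://sp.other.example.edu/shibboleth", user, now), now),
        "expired": (idp_issue_assertion(idp_a, sp, user, now), now + 600),
        "unknown_idp": (rogue, now),
    }
    for name, (assertion, t) in checks.items():
        try:
            sp_verify_assertion(assertion, sp, t, seen)
            results[name] = "accepted"
        except ValueError as e:
            results[name] = "refused: " + str(e)
    return results
```

Replacing the HMAC with the signing certificate carried in real federation metadata is the only structural change needed; the audience, validity-window and replay checks are the same ones a production SP performs.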
[Figure: Collaborative Identity Management Life-Cycle. Phases, left to right: Conception, Instantiation, Technology Evolution. Layers, top to bottom: Collaborative Trust; Organization / Policy; Technology / Infrastructure. Inputs at the University System / Consortium level (if applicable): Business Drivers; Staff / Budget / Hardware / Software Resources; System / Consortium Policy; Governance. Inputs at the University (individual campus) or Institution level: Business Drivers; Staff / Budget / Hardware / Software Resources; University / Institution Policy; External Fed / State / Other Laws. Flow: Identity Data (Attributes) -> Approved for Use? -> Yes: Technical Operations -> Maintenance -> Application 1, Application 2; No: Alternative Use Approved? -> Yes / No.]
Conception: Giving It Shape
 What are the business / institution mission drivers? Are these short-
 term and/or temporary or are they long-term?

 Is a Federation the adequate solution to support our institutional
 collaboration efforts?

 Does the Federation need to support only intra-institution / system
 efforts or require participation of external entities?

 Do we need to create our own Federation or could an outsourced
 solution (joining InCommon) be adequate?

 Who can become members of the Federation? Can members sponsor
 service providers?

 Who are the Federation stakeholders? Who do they represent (Admin
 IT, Academic Computing, Research)?

 Is protection of personal or protected information a significant
 requirement?
Conception: Giving It Shape

UT System Strategies:
 Statement of Direction from UT System Strategic Leadership Council

 Presentations and outreach to stakeholders, UT System leadership and
 IT steering committees

 Establish common directions and goals

 Address institutions’ concerns regarding security, privacy and trust
Conception: Giving It Shape
What are the business / institution mission drivers? Are
these short-term and/or temporary or are they long-term?
  • Long Term drivers
  • Not application driven

  •Build Identity Management infrastructure that enables greater
  synergy and collaboration among UT institutions

  •Application security simplified through a common trust fabric, allowing the
  secure exchange of identity authentication and authorization
  attributes System-wide

  •Provide platform to address system-wide initiatives
        • Instantiation of system-wide permanent identifier
        • Implement a common framework, standards and protocols, for
          attribute naming, storage, and exchange (LDAP, Shibboleth)
Conception: Giving It Shape
Is a Federation the adequate solution to support our
 institutional collaboration efforts?
      • Yes, since a common set of attributes, practices and policies to
      exchange information to foster collaboration among UT institutions is
      desired

Does the Federation need to support only intra-institution /
 system efforts or require participation of external entities?
      • Mostly intra-system collaborative efforts
Conception: Giving It Shape (cont.)
Do we need to create our own Federation or could an
 outsourced solution (joining InCommon) be adequate?
      • Benefits of creating UT Federation:
          •   Leverage existing inter-institution agreements
          •   Establish common set of standards and attributes for UT institutions
          •   More granular control over authentication/authorization policies
          •   Forum for experimentation and dialogue

Who can become members of the Federation? Can
 members sponsor service providers?
      • Phase I: UT institutions only
      • Phase II: Include external institutions and/or federations

Is protection of personal or protected information a
 significant requirement?
      • Yes, specifically Social Security Numbers
Conception: Giving It Shape

Challenges:
 Disparate agendas among proposed Federation member institutions

 Finding value-adding applications and drivers that can justify
 commitment of funds, time, and effort by all proposed member
 institutions

 Unavailability of resources at proposed member institutions

 Varying levels of trust among proposed member institutions and within
 individual institutions (Admin IT and Academic Computing, etc.)
Instantiation: Making It Happen
 Technical:
  • How to establish standards and prerequisites and, at
    the same time, leverage each proposed member
    institution’s existing infrastructure
     •   Require LDAP?
     •   Common attributes? EduPerson?
     •   What are the requirements for privacy and security?
     •   Standard data definitions / schema? How are the standards
         established? What is the system or source of authority?
  • Based on those standards and prerequisites, what is the
    readiness status of proposed member institutions?
  • Who is responsible for remediation?
  • What is the best way to get all proposed member
    institutions on “the same page”? An Install Fest?
Instantiation: Making It Happen
Policy / Organizational:
  • Definition of trust. How is trust established, per
    application or other?
  • Policy considerations are a function of the broader
    relationship the member institutions have with each
    other:
     • The closer the relationship, the fewer the policy reconciliation
       conflicts
     • The more diverse, the greater the possibility of conflicts
  • How diverse are the Operating Standards and Practices
    from institution to institution?
  • Are institutional definitions and identity management
    trust policies for students, faculty, and staff consistent?
Instantiation: Making It Happen
Policy / Organizational (cont.):
  • What data is required to uniquely identify individuals?
    How do we reconcile identity?
  • What is the Federation’s governance structure?
  • How is conflict among members resolved? What are
    the conflict-resolution guidelines?
  • Who reviews and approves the Federation Charter and
    documents?
  • What audit permissions and procedures are needed to
    ensure ongoing quality of identity verification processes
    among member institutions?
Instantiation: Making It Happen
UT System Strategies:
Technical:
  •   Establish up-front standards and technology prerequisites
  •   Assess institutions’ readiness status
  •   Provide technical assistance and resources to smaller institutions
  •   Host UT System Shibboleth Install Fest for identity providers and
      Shibboleth Service Provider Fest for resource providers to get all member
      institutions “on the same page”

Policy/Organizational:
  • Identity data will be maintained by member institutions
  • Ensure that identity data maintained by member institutions is consistent
    and authoritative
  • Pick projects carefully. Policy work is slow, Inter-institutional policy work is
    Very Slow
  • Establish UT System Federation governance with System-wide
    representation
Instantiation: Making It Happen
 Technical:
  • How to establish standards and prerequisites and, at the same time,
    leverage each proposed member institution’s existing infrastructure
      •   Shibboleth v1.2
      •   Red Hat Enterprise Linux 3.0
      •   Apache 2.0
      •   Tomcat 5
      •   mod_jk2 (Apache-to-Tomcat connector)
      •   Basic Authentication mechanism for Apache, backed by LDAP, in front of
          the identity provider’s single sign-on endpoint. Basic Authentication
          sends the user’s password with every request, so that endpoint must be
          reachable over TLS only.
      •   LDAP infrastructure for authorization
            •   LDAP server (Sun ONE Directory Server, OpenLDAP, etc.)
            •   Populated with user data
            •   eduPerson schema installed
            •   User passwords
      • VeriSign server digital certificate (for the TLS-protected endpoints)

  • Who is responsible for remediation?
      • UT System Administration has taken the lead in:
          • providing “help desk” support
          • maintaining a discussion group and middleware-related web site
          • providing consulting services
          • Hosting system-wide middleware events
Instantiation: Making It Happen
Policy / Organizational:
  • Definition of trust. How is trust established, per
    application or other?
     • Trust is established by application based on risk assessment
       and by relying party

  • How diverse are the Operating Standards and Practices
    from institution to institution?
     • Significant diversity. Working towards convergence through
       Member Operating Practices

  • Are institutional definitions and identity management
    trust policies for students, faculty, and staff consistent?
     • No consistent definitions or trust policies.
     • Exploring the development of a UTPerson schema
Instantiation: Making It Happen
Policy / Organizational (cont.):
  • What data is required to uniquely identify individuals?
    How do we reconcile identity?
     • Most institutions are using the following to uniquely identify
       individuals:
         •   SSN
         •   Name (First, Middle Initial, Last)
         •   Date of Birth
         •   Previous surname
         •   Previous name
         •   City of birth
         •   Country of birth
         •   Gender
         •   Component & Persistent ID
     • Considering requiring member institutions to have a persistent
       (non-reused) Component ID to be kept in perpetuity.
     • Currently, the federation identifier is eduPersonPrincipalName
       (netid@domainname). Because a netid can be recycled by an
       institution, the same eduPersonPrincipalName can later denote a
       different person, which is why a persistent (non-reused) ID is
       being considered.
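Identity reconciliation across institutions, as an added example (not part of the presentation): the raw identifiers listed above, SSN first among them, are exactly the data the federation should not have to exchange. Here each institution normalises its own record and derives two keyed match tokens under a federation HMAC key, a strong one from SSN and date of birth and a weak one from name and date of birth; the federation sees only the tokens and the eduPersonPrincipalName. It assigns one persistent ID per person, merges only on the strong token, queues weak-only matches for human review, and flags a netid that an institution has reused for a different person. The key, the "utfed-NNNN" ID format, the campus domains and the records are constructed for the example.

```python
"""Privacy-preserving identity reconciliation for a federation. Added
example, not UT System code: keyed match tokens stand in for the raw
SSN / name / DOB fields an institution holds."""
import hashlib
import hmac
import re
import unicodedata

FEDERATION_MATCH_KEY = b"constructed-federation-match-key"  # assumption: distributed out of band

def _norm_text(s):
    """Fold accents, case and punctuation so 'Doe-Smith' and 'doe smith' agree."""
    s = unicodedata.normalize("NFKD", s).encode("ascii", "ignore").decode()
    return re.sub(r"[^A-Z0-9]+", " ", s.upper()).strip()

def _norm_ssn(s):
    digits = re.sub(r"\D", "", s or "")
    return digits if len(digits) == 9 else None

def _token(*parts):
    return hmac.new(FEDERATION_MATCH_KEY, "|".join(parts).encode(), hashlib.sha256).hexdigest()[:16]

def institution_tokens(record):
    """Run at the institution: emits only what the federation is allowed to see."""
    ssn = _norm_ssn(record.get("ssn"))
    strong = _token("ssn", ssn, record["dob"]) if ssn else None
    weak = _token("name", _norm_text(record["last"]), _norm_text(record["first"]), record["dob"])
    return {"eppn": record["eppn"], "strong": strong, "weak": weak}

def reconcile(token_records):
    """Run at the federation: one persistent ID per person, reused netids
    flagged, weak-only matches reviewed rather than merged."""
    by_strong, by_eppn, weak_seen = {}, {}, {}
    pid, assigned, reused, review = 0, [], [], []
    for rec in token_records:
        if rec["strong"] and rec["strong"] in by_strong:
            person = by_strong[rec["strong"]]
        else:
            pid += 1
            person = "utfed-%04d" % pid  # constructed persistent-ID format
            if rec["strong"]:
                by_strong[rec["strong"]] = person
        # Same ePPN already bound to a different person: the institution recycled a netid.
        if rec["eppn"] in by_eppn and by_eppn[rec["eppn"]] != person:
            reused.append(rec["eppn"])
        by_eppn.setdefault(rec["eppn"], person)
        # Name+DOB agree with another person but SSN+DOB do not (or are absent): review, never merge.
        if rec["weak"] in weak_seen and weak_seen[rec["weak"]] != person:
            review.append((weak_seen[rec["weak"]], person))
        weak_seen.setdefault(rec["weak"], person)
        assigned.append((rec["eppn"], person))
    return {"assigned": assigned, "reused_netids": reused, "review": review}

SAMPLE_RECORDS = [  # constructed records from three hypothetical campuses
    {"eppn": "jdoe@campus-a.example.edu", "first": "Jane", "last": "Doe",
     "dob": "1980-01-02", "ssn": "123-45-6789"},
    {"eppn": "jdoe7@campus-b.example.edu", "first": "Jane", "last": "Doe-Smith",
     "dob": "1980-01-02", "ssn": "123456789"},          # same person, new surname
    {"eppn": "jdoe@campus-a.example.edu", "first": "John", "last": "Doe",
     "dob": "1991-07-07", "ssn": "987-65-4321"},        # netid recycled to someone else
    {"eppn": "rroe@campus-c.example.edu", "first": "Richard", "last": "Roe",
     "dob": "1975-05-05", "ssn": None},                 # institution holds no SSN
    {"eppn": "rroe2@campus-b.example.edu", "first": "Richard", "last": "Roe",
     "dob": "1975-05-05", "ssn": "555-12-3456"},
]

def run_reconciliation():
    return reconcile([institution_tokens(r) for r in SAMPLE_RECORDS])
```

The key must be rotated and held only by the parties that compute tokens; with a small input space (nine digits plus a date) an unkeyed hash would be trivially reversible, which is why a keyed HMAC is used rather than a plain SHA-256.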
Instantiation: Making It Happen
Policy / Organizational (cont.):
  • What is the Federation’s governance structure?
     • The affairs of the Federation will be governed by a
       six-member Executive Committee and will be
       managed under the direction of the U. T. System
       CIO.

  • Who reviews and approves the Federation Charter and
    documents?
     • UT System Federation Board members and legal
       office reviews Charter and related documents. May
       require approval of UT System Board of Regents
Instantiation: Making It Happen
UT System Identity Management Federation
  • Test Identity Management Federation exists
  • Twelve UT member institutions
  • UT System Identity Management Federation Board appointed
  • Policy documents created and being reviewed
  • Will operate under the authority of the UT System Board of Regents
Instantiation: Making It Happen
UT System Identity Management Federation Documents
  Used InCommon as model
  Policies and Documents:
       Federation Charter
       Federation Operating Practices
       Member Operating Practices
         • Drafted a document that explicitly defines standards, policies and
           procedures that federation members must put in place to be able
           to make real, informed relying party decisions
         • Used University of California UCTrust Federation document as
           format
       Membership inter-institution Agreement
         • Leveraged existing UT System inter-institution Agreement to
           simplify membership contract
       Membership Fee Schedule
Instantiation: Making It Happen

Challenges:
 The technical implementation aspects of Federation can get way ahead
  of policy and governance
 Integration / federation process entangled with power / autonomy
  conflicts
     • Priorities vary by institution
     • Conventions may be seen as dictates
 Managing trust relationships is complex enough when dealing with
  institutions within the same system (among “family”). Complexity
  increases significantly when dealing with external agencies, institutions,
  or service providers.
 Getting commitment of resources to dedicate to the effort
 Coordinating initiatives of multiple institutions
Instantiation: Making It Happen

Challenges (cont.):

Technical:
  • Consistent middleware infrastructure
  • Building the architecture to be manageable and reliable
  • Level of acceptance of open source applications


Policy / Organizational:
  • Intra-system identity reconciliation
  • Differing requirements among member institutions for initial proof
     of identity of people affiliated with the institution.
  • Obtaining consensus about the content and level of detail of the
     Federation Charter and related documents
Operation: Delivering Applications
 • How to manage the creation, provisioning, authentication, and
   termination of user accounts
 • Are user accounts re-used or re-cycled by member institutions?
 • Issues with use of Shibboleth with legacy systems
 • How do we measure and document benefit and performance of the
   Federation?
 • Continue assessing risk of unauthorized disclosure, fraud, and
   liability
 • Preparation of a Security Plan and a Disaster Recovery Plan for the
   Federation
 • What approvals and processes are needed to enter into trust
   agreements with other federations?
Maintenance: Keeping It Going
 • Establish an Audit function and procedures

 • Establish plan and resources to keep up with technology changes and
   federal and state compliance requirements

 • How to scale the Federation? What opportunities exist to leverage the
   infrastructure?

 • How to keep the Federation “fresh” and application relevant?

 • How to address the multi-institution collaboration requirements of
   academics and researchers?
THANK YOU

								