
EuroCAMP: Porto

An Introduction to Identity and Access Management
Ken Klingenstein
Director, Internet2 Middleware and Security

Borrowed from
Keith Hazelton (hazelton@doit.wisc.edu)
Sr. IT Architect, University of Wisconsin-Madison

Topics

• What is Identity Management (IdM)?
• The IdM Stone Age
• A better vision for IdM
– An aside on the value of affiliation / group /
privilege management services
• Basic IdM functions mapped to open source
components
• Demands on IT and how IdM services help

Identity and Access Management (IAM) defined

• What is Identity Management?
“Identity management is the set of business processes,
and a supporting infrastructure, for the creation,
maintenance, and use of digital identities.” The Burton
Group (a research firm specializing in IT infrastructure for
the enterprise)
• Identity Management in this sense is often called
“Identity and Access Management” (IAM)
• What problems does Identity and Access Management address?

IAM is…

• “Hi! I’m Lisa.” (Identity)
• “…and here’s my NetID / password to prove it.”
(Authentication)
• “I want to do some E-Reserves reading.”
(Authorization : Allowing Lisa to use the
services for which she’s authorized)
• “And I want to change my grade in last semester’s Physics
course.”
(Authorization : Preventing her from doing
things she’s not supposed to do)

IAM is also…

• New hire, Assistant Professor Alice
– Department wants to give her an email
account before her appointment begins so
they can get her off to a running start
• How does she get into our system and get set
up with the accounts and services appropriate to
faculty?

What questions are common to these scenarios?

• Are the people using these services who they claim to be?
• Are they a member of our campus community?
• Have they been given permission?
• Is their privacy being protected?
• Policy/process issues lurk nearby

The IAM Stone Age

• List of functions:
– AuthN: Authenticate principals (people, servers) seeking access to a service or resource
– Log: Track access to services/resources

The IAM Stone Age

• Every application for itself in performing these functions
• User list plus credentials; if you’re on the list, you’re in (authentication (AuthN) doubles as authorization (AuthZ))
• And some identifiers are assigned nationally, with uncertain value locally

Vision of a better way to do IAM

• IAM as a middleware layer at the service of any number of applications
• Requires an expanded set of basic functions
– Reflect: Track changes to institutional data from changes in Systems of Record (SoR) & other IdM components
– Join: Establish & maintain person identity across SoR
– Credential: issue digital credentials to people in the community
– …

Basic IAM functions mapped to the NMI / MACE components

[Diagram: Systems of Record (Student, HR, Other) feed the Registry, which feeds the Enterprise Directory (LDAP)]

Your Digital Identity and The Join

• The collection of bits of identity information about you in all the relevant IT systems at your institution
• For any given person in your community, do you know which entry in each system’s data store carries bits of their identity?
• If more than one system can “create a person record,” you have identity fragmentation

The pivotal concept of IAM: The Join

• Identity fragmentation cure #1: The Join
• Use business logic to
– Establish which records correspond to the same person
– Maintain that identity join in the face of changes to data in collected systems

Identity Information Access

• Some direct from the Enterprise Directory via reflection from SoR
• Other bits need to be made reachable by identifier crosswalks

Registry ID   Sys A ID   Sys B ID   Sys C ID   Sys D ID
3a104e59      fsmith32   86443      freds      864164
8c2f916d      abecker1   45209      amyb       752731
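
The Join and the crosswalk in working form, as an added example that is not code from the slides: records arriving from two Systems of Record are matched with two business rules (a shared national identifier, else name plus date of birth), one registry identifier is minted per person, and the per-system identifiers are kept as the crosswalk row. A later HR change to a name leaves the join intact, and a look-alike with a different birth date stays a separate person. The record fields, the rules and the sample people are assumptions.

```python
"""Identity join and identifier crosswalk.

Added example; not code from the EuroCAMP slides. The record fields, the two
matching rules and the sample people are assumptions chosen to illustrate
the Join; real matching logic is institution-specific.
"""
from dataclasses import dataclass, field
from typing import Optional


@dataclass
class SorRecord:
    system: str                     # System of Record, e.g. "student" or "hr"
    local_id: str                   # identifier inside that system
    given: str
    surname: str
    dob: str                        # ISO date
    national_id: Optional[str] = None


@dataclass
class Person:
    registry_id: str
    attrs: dict
    ids: dict = field(default_factory=dict)     # system -> local_id (crosswalk row)


class Registry:
    def __init__(self):
        self.people = {}            # registry_id -> Person
        self.crosswalk = {}         # (system, local_id) -> registry_id
        self._next = 1

    def _new_id(self):
        rid = f"{self._next:08x}"
        self._next += 1
        return rid

    def _match(self, rec):
        """Business logic: which existing person, if any, is this record about?"""
        # Strong rule: the same national identifier means the same person.
        if rec.national_id:
            for p in self.people.values():
                if p.attrs.get("national_id") == rec.national_id:
                    return p.registry_id
        # Weak rule: same name and date of birth, case-insensitively, unless the
        # two records carry different strong identifiers (then they conflict).
        key = (rec.given.casefold(), rec.surname.casefold(), rec.dob)
        for p in self.people.values():
            a = p.attrs
            if rec.national_id and a.get("national_id") not in (None, rec.national_id):
                continue
            if (a["given"].casefold(), a["surname"].casefold(), a["dob"]) == key:
                return p.registry_id
        return None

    def reflect(self, rec):
        """Apply a new or changed SoR record; return its registry identifier.

        A record that was joined once keeps its registry identifier even when
        its attributes change: re-matching on every change would let a name
        correction silently split one person into two or merge two into one.
        """
        key = (rec.system, rec.local_id)
        rid = self.crosswalk.get(key)
        if rid is None:
            rid = self._match(rec) or self._new_id()
            self.people.setdefault(rid, Person(rid, {}))
            self.crosswalk[key] = rid
        person = self.people[rid]
        person.ids[rec.system] = rec.local_id
        # Refresh attributes with the latest values; a strong identifier seen
        # once is kept, because later records from other systems may omit it.
        person.attrs.update({k: v for k, v in vars(rec).items()
                             if k not in ("system", "local_id") and v is not None})
        return rid

    def crosswalk_row(self, rid):
        """Registry ID -> the identifier this person has in each system."""
        return dict(self.people[rid].ids)


def demo():
    """Constructed sample: two systems, one person in both, one look-alike."""
    reg = Registry()
    a = reg.reflect(SorRecord("student", "fsmith32", "Fred", "Smith", "1990-05-02"))
    b = reg.reflect(SorRecord("hr", "86443", "fred", "SMITH", "1990-05-02",
                              national_id="NID-001"))
    # Same name, different date of birth: a different person, not a fragment.
    c = reg.reflect(SorRecord("hr", "45209", "Fred", "Smith", "1985-11-30"))
    # HR later corrects the given name; the join must survive the change.
    d = reg.reflect(SorRecord("hr", "86443", "Frederick", "Smith", "1990-05-02",
                              national_id="NID-001"))
    return reg, a, b, c, d


if __name__ == "__main__":
    registry, *ids = demo()
    for rid in dict.fromkeys(ids):
        print(rid, registry.crosswalk_row(rid))
```

The rules are deliberately simple. In practice the weak rule usually feeds a review queue rather than an automatic join, and a record whose strong identifier conflicts with an otherwise matching person is exactly the case that should land there, since joining it would hand one person's access to another.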

Identity Fragmentation Cure #2

• When you can’t integrate, federate
• Federated Identity & Access Management
– Rely on the Identity Management infrastructure of one or more institutions or units
– To authenticate and pass authorization-related information to service providers or resource hosts
– Via institution-to-provider agreements
– Facilitated by common membership in a federation (like InCommon)
• Shibboleth is a way to move the AuthN/AuthZ info between parties

Basic IAM functions mapped to the NMI / MACE components

[Diagram: Systems of Record, Enterprise Directory and Apps / Resources layers; components shown: A-Select, CAS, etc.; Grouper; Signet; Shibboleth]

Vision of a better way to do IAM

• More in the expanded set of basic functions
– Mng. Affil.: Manage affiliation and group
information
– Mng. Priv.: Manage privileges and permissions at
system and resource level

Managing Roles & Privileges

Role-Based Access Control (RBAC) model
• Users are placed into groups
• Privileges are assigned to groups
• Groups can be arranged into hierarchies to effectively bestow privileges
• Signet manages privileges
• Grouper manages, well, groups

Vision of a better way to do IAM

• More in the expanded set of basic functions
– Provision: Push IAM info out to systems and services as required
– Relay: Make access control / authorization information available to services and resources at run time
– AuthZ: Make the allow/deny decision independent of AuthN
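
The RBAC model of the “Managing Roles & Privileges” slide and the AuthZ function above, as one added example that is not code from the slides nor from Grouper or Signet: people are placed in groups, groups nest (physics faculty are faculty are community members), privileges are granted to groups, and the allow/deny decision is computed from the privileges the subject's groups hold rather than from the fact that the subject authenticated. The groups, resources, people and passwords are made up; password storage uses salted PBKDF2 from the standard library.

```python
"""Group-based (RBAC) access control with nested groups, and an allow/deny
decision kept separate from authentication.

Added example; not code from the slides, Grouper or Signet. The groups,
privileges, resources, people and passwords below are made up.
"""
import hashlib
import hmac
import os
from collections import deque


class Groups:
    """Membership store. A member may be a person or another group, so a
    privilege granted to an ancestor group reaches every nested member."""

    def __init__(self):
        self.parents = {}                   # member -> groups it is directly in

    def add_member(self, group, member):
        self.parents.setdefault(member, set()).add(group)

    def groups_of(self, subject):
        """Every group the subject is in, directly or through nesting."""
        seen, todo = set(), deque([subject])
        while todo:
            for group in self.parents.get(todo.popleft(), ()):
                if group not in seen:
                    seen.add(group)
                    todo.append(group)
        return seen


class Privileges:
    """Privileges are granted to groups, never directly to people."""

    def __init__(self):
        self.grants = {}                    # group -> {(action, resource)}

    def grant(self, group, action, resource):
        self.grants.setdefault(group, set()).add((action, resource))

    def held_by(self, groups):
        held = set()
        for group in groups:
            held |= self.grants.get(group, set())
        return held


class Credentials:
    """AuthN only: says who the subject is, nothing about what they may do."""

    def __init__(self):
        self.store = {}                     # netid -> (salt, PBKDF2 digest)

    @staticmethod
    def _digest(password, salt):
        return hashlib.pbkdf2_hmac("sha256", password.encode(), salt, 100_000)

    def issue(self, netid, password):
        salt = os.urandom(16)
        self.store[netid] = (salt, self._digest(password, salt))

    def authenticate(self, netid, password):
        """Return the verified subject, or None on unknown user or bad password."""
        record = self.store.get(netid)
        if record is None:
            return None
        salt, digest = record
        return netid if hmac.compare_digest(digest, self._digest(password, salt)) else None


class AccessControl:
    """AuthZ: the allow/deny decision comes from group-held privileges, not
    from the mere fact that the subject authenticated (the Stone Age pattern
    of "on the list, you're in"). Every decision is logged."""

    def __init__(self, groups, privileges):
        self.groups, self.privileges, self.log = groups, privileges, []

    def authorize(self, subject, action, resource):
        held = self.privileges.held_by(self.groups.groups_of(subject))
        allowed = (action, resource) in held
        self.log.append((subject, action, resource, "allow" if allowed else "deny"))
        return allowed


def build_campus():
    """Constructed campus: Lisa is a student, Alice teaches physics."""
    groups, privileges, creds = Groups(), Privileges(), Credentials()
    groups.add_member("community", "students")
    groups.add_member("community", "faculty")
    groups.add_member("faculty", "physics:faculty")     # nested group
    groups.add_member("students", "lisa")
    groups.add_member("physics:faculty", "alice")
    privileges.grant("community", "read", "e-reserves")
    privileges.grant("physics:faculty", "update-grade", "grades:physics101")
    creds.issue("lisa", "correct horse battery staple")
    creds.issue("alice", "a-much-stronger-passphrase")
    return creds, AccessControl(groups, privileges)


if __name__ == "__main__":
    creds, ac = build_campus()
    lisa = creds.authenticate("lisa", "correct horse battery staple")
    print(lisa, "read e-reserves:", ac.authorize(lisa, "read", "e-reserves"))
    print(lisa, "update grade:", ac.authorize(lisa, "update-grade", "grades:physics101"))
```

Contrast with the Stone Age pattern: Lisa authenticates successfully and is still denied the grade change, because authentication and authorization are separate questions answered by separate components, and the log records the deny as well as the allow.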

Provisioning

• Getting identity information where it needs to be
• For “Apps with Attitude,” this often means exporting reformatted information to them in a form they understand
• Using either App-provided APIs or tricks to write to their internal store
• Change happens, so this is an ongoing process
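
Provisioning as a reconciliation loop, an added example that is not code from the slides: the directory snapshot, the application's record format (upper-case logins, its own role names) and its create/update/disable API are assumptions standing in for an enterprise directory and an “application with attitude” that keeps its own user store. Each run computes the delta between what the directory says and what the app holds, so a change in the Systems of Record (a student graduating, HR correcting a mail address) propagates on the next run without a full reload.

```python
"""Provisioning by reconciliation.

Added example; not code from the slides. The directory snapshot, the
application's record format and its API are assumptions standing in for an
enterprise directory and an 'application with attitude'.
"""

# The app's own vocabulary: its role names, upper-case logins.
AFFILIATION_TO_ROLE = {"faculty": "INSTRUCTOR", "student": "LEARNER", "staff": "STAFF"}


def to_app_record(netid, entry):
    """Reformat a directory entry into the shape the application understands.
    Returns None for populations the app is not meant to hold (e.g. alumni)."""
    role = AFFILIATION_TO_ROLE.get(entry.get("eduPersonPrimaryAffiliation"))
    if role is None:
        return None
    return {"login": netid.upper(),
            "display": f"{entry['sn']}, {entry['givenName']}",
            "role": role,
            "mail": entry["mail"].lower(),
            "active": True}


class AppWithAttitude:
    """Stand-in for the application's internal user store and the API it offers."""

    def __init__(self):
        self.users = {}

    def list_users(self):
        return {login: dict(rec) for login, rec in self.users.items()}

    def create(self, rec):
        self.users[rec["login"]] = dict(rec)

    def update(self, rec):
        self.users[rec["login"]].update(rec)

    def disable(self, login):
        # Disable rather than delete: keeps the app's audit trail, and a
        # returning member is re-enabled by a later update instead of re-created.
        self.users[login]["active"] = False


def reconcile(directory, app):
    """Bring the app's store in line with the directory; return the actions taken.

    Every run computes the full delta, so it is safe to schedule repeatedly:
    a run with nothing to change performs no writes."""
    desired = {}
    for netid, entry in directory.items():
        rec = to_app_record(netid, entry)
        if rec is not None:
            desired[rec["login"]] = rec
    current = app.list_users()
    actions = []
    for login, rec in desired.items():
        if login not in current:
            app.create(rec)
            actions.append(("create", login))
        elif current[login] != rec:
            app.update(rec)
            actions.append(("update", login))
    for login, rec in current.items():
        if login not in desired and rec["active"]:
            app.disable(login)
            actions.append(("disable", login))
    return actions


def demo():
    """Constructed directory: two runs, then a change in the Systems of Record."""
    directory = {
        "lisa": {"givenName": "Lisa", "sn": "Ng", "mail": "Lisa.Ng@Example.edu",
                 "eduPersonPrimaryAffiliation": "student"},
        "alice": {"givenName": "Alice", "sn": "Roe", "mail": "alice.roe@example.edu",
                  "eduPersonPrimaryAffiliation": "faculty"},
        "bob": {"givenName": "Bob", "sn": "Old", "mail": "bob@example.edu",
                "eduPersonPrimaryAffiliation": "alum"},
    }
    app = AppWithAttitude()
    first = reconcile(directory, app)
    second = reconcile(directory, app)
    directory["lisa"]["eduPersonPrimaryAffiliation"] = "alum"      # Lisa graduates
    directory["alice"]["mail"] = "a.roe@example.edu"                # HR corrects mail
    third = reconcile(directory, app)
    return app, directory, first, second, third


if __name__ == "__main__":
    app, directory, first, second, third = demo()
    print(first, second, third, sep="\n")
```

Disabling rather than deleting keeps the loop idempotent and the app's audit trail intact; if the app's API offers no disable, the same loop can write a deactivation flag into its internal store, which is the “trick” the slide refers to.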

Two modes of app/IdM integration

• Domesticated applications:
– Provide them the full set of IdM functions
• Applications with attitude (the attitude comes in the box):
– Meet them more than halfway by provisioning

IAM functions

Reflect              Data of interest
Join                 Identity across SoR
Credential           NetID, other
Manage Affil/Groups  AuthZ info
Manage Privileges    More AuthZ info
Provision            Gen. AuthNZ info into app space
Relay                AuthZ info to app on request
Authenticate         Identity claim
Authorize            Access decision (allow/deny)
Log                  Usage for audit, accounting, …

Alternative packaging of basic IdM

[Diagram: Systems of Record, Enterprise Directory and Apps / Resources layers, with Kerberos, LDAP and Directory Plug-ins as the components]

Alternative packaging of basic IdM functions: Single System of Record as Enterprise Directory

[Diagram: a single Student Registry / HR Info System serving as the LDAP enterprise directory]

Single SoR as Enterprise Directory

• Who “owns” the system?
• Do they see themselves as running shared infrastructure?
• Will any “external” populations ever become “internal?”
– What if the hospital negotiates a deal?
• Stress-test alternative packaging by thinking through the list of basic IdM functions

Same IdM functions, different packaging

• Your IdM infrastructure (existing or planned) may have different boxes & lines
• But somewhere, somehow this set of IdM
functions is getting done
• Gives us all a way to compare our solutions
by looking at various packagings of the IdM
functions

From Construction to Integration

• Construction
– Raw materials into systems
• Integration
– Subsystems into whole systems
– Multiple systems into ecosystems
• We’re all moving from construction to
integration
• Let’s review state of middleware systems’
readiness for integration

IAM and Application Integration

Middleware -- Application Integration

• ERPs
• SAKAI
• uPortal
• …

As for Lisa

• Sez who?
– What Lisa’s username and password are?
– What she should be able to do?
– What she should be prevented from doing?
– Scaling to the other 40,000 just like her on
campus

As for Professor Alice

• What accounts and services should faculty members be given?
• At what point in the hiring process should these
be activated?
• Methods need to scale to 20,000 faculty and
staff
• In all of these, a full IAM infrastructure would
provide the technical part of a solution

Policy issues re “credential” function: NetID

• When to assign, activate (as early as possible)
• Who gets them? Applicants? Prospects?
• “Guest” NetIDs (temporary, identity-less)
• Reassignment (never; except…)
• Who can handle them? Argument for WebISO.

Inter-institutional integration: the transport function

• Federations
• Peering of federations
– Levels of assurance
– Attribute mapping
– WAYF functionality
• Virtual Organization (VOs)

Alternatives to IP Address Based Access Restriction
1. User-based access restriction
A. Each service provider manages credentials for
all of its users
B. One big credential database of all users used by
all service providers
C. Each user has a “home organization” whose
credential database can, by magic, be used by
each service provider
2. ???

Federated Identities

• “Federated identities” is option C on the previous slide
– A hierarchical approach to decompose the problem into
manageable pieces
– Analogous to the problem that IAM addresses, and rests
upon IAM infrastructure
• “Federating technology” is the “magic” part of option
C
• “Identity federation” (noun) is a set of service
providers, identity providers, and other context in
which the magic happens
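
What the “magic” of option C has to do, as an added example that is not code from the slides and is not SAML or Shibboleth: a JSON assertion signed with HMAC-SHA256 over a key that federation metadata registers for each identity provider stands in for an XML-signed SAML assertion. The home organization releases only the attributes its policy allows for this service provider; the service provider checks issuer, signature, audience, validity window and that the asserted affiliation scope belongs to the issuer, and then makes its own access decision. Entity IDs, keys, scopes, attribute names and the release policy are assumptions, and the user is assumed to have already authenticated at the home organization.

```python
"""Federated AuthN/AuthZ exchange between a home organization (identity
provider, IdP) and a service provider (SP).

Added example; not code from the slides and not SAML or Shibboleth: a JSON
assertion signed with HMAC-SHA256 over a per-IdP key listed in federation
metadata stands in for an XML-signed SAML assertion. Entity IDs, keys,
scopes, attribute names and the release policy are assumptions, and the
IdP is assumed to have authenticated the user already.
"""
import hashlib
import hmac
import json


def _signature(key, payload):
    return hmac.new(key, payload, hashlib.sha256).hexdigest()


class HomeOrganization:
    """IdP side: the user's home institution."""

    def __init__(self, entity_id, key, release_policy):
        self.entity_id = entity_id
        self.key = key
        self.release_policy = release_policy    # sp entity_id -> attributes it may get

    def assert_for(self, principal, attributes, sp_entity_id, now):
        """Issue a signed assertion releasing only what the policy allows for
        this SP: the SP learns what it needs for authorization and no more."""
        allowed = self.release_policy.get(sp_entity_id, ())
        body = {"issuer": self.entity_id, "subject": principal,
                "audience": sp_entity_id, "issued": now, "expires": now + 300,
                "attributes": {k: v for k, v in attributes.items() if k in allowed}}
        payload = json.dumps(body, sort_keys=True).encode()
        return {"payload": payload, "signature": _signature(self.key, payload)}


class ServiceProvider:
    """SP side: trusts IdPs through federation metadata, not by magic."""

    def __init__(self, entity_id, metadata):
        self.entity_id = entity_id
        self.metadata = metadata                # issuer -> {"key": ..., "scope": ...}

    def verify(self, assertion, now):
        """Return (subject, attributes) if acceptable, else raise ValueError."""
        body = json.loads(assertion["payload"])
        idp = self.metadata.get(body["issuer"])
        if idp is None:
            raise ValueError("issuer not in federation metadata")
        expected = _signature(idp["key"], assertion["payload"])
        if not hmac.compare_digest(expected, assertion["signature"]):
            raise ValueError("bad signature")
        if body["audience"] != self.entity_id:
            raise ValueError("assertion was issued for another service provider")
        if not body["issued"] <= now < body["expires"]:
            raise ValueError("assertion outside its validity window")
        attrs = body["attributes"]
        # Scope check: an IdP may only assert affiliations in its registered
        # scope, otherwise any federation member could vouch for any other.
        for value in attrs.get("eduPersonScopedAffiliation", []):
            if value.rpartition("@")[2] != idp["scope"]:
                raise ValueError(f"affiliation scope not owned by issuer: {value}")
        return body["subject"], attrs

    def rejection_reason(self, assertion, now):
        """None if the assertion verifies, otherwise the reason it was rejected."""
        try:
            self.verify(assertion, now)
        except ValueError as err:
            return str(err)
        return None

    def allow_e_reserves(self, assertion, now):
        """AuthZ at the SP: current members of a home org's community may read."""
        _, attrs = self.verify(assertion, now)
        return any(v.startswith(("student@", "faculty@", "staff@"))
                   for v in attrs.get("eduPersonScopedAffiliation", []))


def demo(now=1_700_000_000):
    """Constructed federation: one honest IdP, one SP, one misbehaving IdP."""
    sp_id = "https://ereserves.library.example/shibboleth"
    policy = {sp_id: {"eduPersonScopedAffiliation"}}
    home = HomeOrganization("https://idp.uwisc.example/idp", b"uwisc-key", policy)
    rogue = HomeOrganization("https://idp.rogue.example/idp", b"rogue-key", policy)
    sp = ServiceProvider(sp_id, {
        home.entity_id: {"key": b"uwisc-key", "scope": "uwisc.example"},
        rogue.entity_id: {"key": b"rogue-key", "scope": "rogue.example"}})
    lisa = {"displayName": "Lisa", "eduPersonScopedAffiliation": ["student@uwisc.example"]}
    good = home.assert_for("lisa", lisa, sp_id, now)
    # A legitimate federation member asserting a scope it does not own.
    forged = rogue.assert_for("mallory", {"eduPersonScopedAffiliation":
                                          ["faculty@uwisc.example"]}, sp_id, now)
    return sp, good, forged


if __name__ == "__main__":
    sp, good, forged = demo()
    print("lisa:", sp.allow_e_reserves(good, 1_700_000_000 + 10))
    print("mallory:", sp.rejection_reason(forged, 1_700_000_000 + 10))
```

The scope check is the federation analogue of the Join problem: without it, any member institution could assert affiliations for any other. A real deployment uses asymmetric signatures with certificates distributed in metadata; the shared-key HMAC here only keeps the example inside the standard library.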

Federating Technologies

• SAML implementations
– Security Assertion Markup Language
– Shibboleth implementations
– Bodington/Guanxi
– AthensIM
– SourceID
– SAMUEL
• Liberty Identity Federation
– SourceID
– Lasso
– Proprietary
• Others
– MS ADFS
– MS Inter-Forest Trust
– Other proprietary

IAM functions & big pictures

[Diagram: the IAM functions in one picture: Reflect, Join, Credential, Manage Grps, Manage Privs, Provide/provision, Provide/run-time, AuthN, AuthZ, Log]

A closer look at managing affiliations, groups and privileges
• How does this help the harried IT staff?

What is IT being asked to do?

• Automatic creation and deletion of computer accounts
• Personnel records access for legal compliance
• One stop for university services (portal)
integrated with course management systems

What else is IT being asked to do?

• Student record access for life
• Submission and/or maintenance of information
online
• Privacy protection

More on the To Do list

• Stay in compliance with a growing list of policy mandates
• Increase the level of security protections in the
face of a steady stream of new threats

More on the To Do list

• Serve new populations (alumni, applicants,…)
• More requests for new services and new combinations of services
• Increased interest in eBusiness
• There is an Identity Management aspect to each and every one of these items

How a full IdM layer helps

• Improves scalability: IdM process automation
• Reduces complexity of IT ecosystem
– Complexity as friction (wasted resources)
• Improved user experience
• Functional specialization: App developer can
concentrate on app-specific functionality
