Intro to IdM
Borrowed from
Keith Hazelton (hazelton@doit.wisc.edu)
Sr. IT Architect, University of Wisconsin-Madison
EuroCAMP: Porto
Topics
Identity and Access Management (IAM) defined
IAM is…
IAM is also…
What questions are common to these scenarios?
The IAM Stone Age
• List of functions:
• AuthN: Authenticate principals (people, servers) seeking access to a service or resource
• Log: Track access to services/resources
The IAM Stone Age
Vision of a better way to do IAM
Basic IAM functions mapped to the NMI / MACE components
Diagram labels: Student Registry, LDAP, HR, Other
Your Digital Identity and The Join
The pivotal concept of IAM: The Join
Identity Information Access
Identity Fragmentation Cure #2
Basic IAM functions mapped to the NMI / MACE components
Diagram labels: Apps / Resources, Enterprise Directory, Systems of Record, A-Select, CAS, etc.
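The join named on the two slides above (records from the Student Registry, HR and other systems of record reconciled into one identity per person and fed to the enterprise directory), worked through as an added example. This is not code from the slides or from any NMI/MACE component; the match rules (a shared campus ID when both records carry one, otherwise normalized name plus date of birth), the record layouts, the `example.edu` identifiers and the eduPerson-style output attributes are assumptions for illustration, and every record is constructed.

```python
"""The join: reconcile records from several systems of record into one
enterprise identity per person, then expose the result as directory entries.

Added example, not from the slides or from any NMI/MACE component. The match
rules (a shared campus ID when both records carry one, otherwise normalized
name plus date of birth), the record layouts and the eduPerson-style output
attributes are assumptions for illustration; all records are constructed.
"""
from dataclasses import dataclass, field

# Constructed feeds from three systems of record.
STUDENT_REGISTRY = [
    {"campus_id": "C1001", "name": "Lisa Example", "dob": "1990-04-02"},
    {"campus_id": None, "name": "Marc Sample", "dob": "1988-11-30"},
]
HR = [
    {"campus_id": "C1001", "name": "Lisa Example", "dob": "1990-04-02"},
    {"campus_id": "C2002", "name": "Anna Other", "dob": "1975-01-15"},
]
LIBRARY = [
    {"campus_id": None, "name": "marc  sample", "dob": "1988-11-30"},
]


def name_key(name):
    """Normalize a name for matching: case-folded, single-spaced."""
    return " ".join(name.casefold().split())


@dataclass
class Person:
    eppn: str                                      # enterprise identifier (assumed format)
    sources: dict = field(default_factory=dict)    # system name -> the record that joined
    affiliations: set = field(default_factory=set)


class PersonRegistry:
    def __init__(self):
        self.people = []
        self._by_campus_id = {}
        self._by_name_dob = {}

    def match(self, rec):
        """Find the existing person a record belongs to, or None.
        A shared campus ID is authoritative; name plus date of birth is the
        fallback and is where false merges can happen."""
        cid = rec.get("campus_id")
        if cid and cid in self._by_campus_id:
            return self._by_campus_id[cid]
        return self._by_name_dob.get((name_key(rec["name"]), rec["dob"]))

    def absorb(self, source, rec, affiliation):
        """Join one record: attach it to the matched person or create a new one."""
        person = self.match(rec)
        if person is None:
            person = Person(eppn=f"id{len(self.people) + 1:04d}@example.edu")
            self.people.append(person)
        if rec.get("campus_id"):
            self._by_campus_id[rec["campus_id"]] = person
        self._by_name_dob[(name_key(rec["name"]), rec["dob"])] = person
        person.sources[source] = rec
        person.affiliations.add(affiliation)
        return person


def run_join():
    """Feed each system of record through the join, in the order they arrive."""
    reg = PersonRegistry()
    for rec in STUDENT_REGISTRY:
        reg.absorb("student_registry", rec, "student")
    for rec in HR:
        reg.absorb("hr", rec, "employee")
    for rec in LIBRARY:
        reg.absorb("library", rec, "affiliate")
    return reg


def directory_entries(reg):
    """Flatten joined identities into LDAP-style entries for the enterprise directory.
    The first contributing source wins for the display name; a real join needs a
    per-attribute precedence rule across systems of record."""
    entries = []
    for p in reg.people:
        first = next(iter(p.sources.values()))
        entries.append({
            "eduPersonPrincipalName": p.eppn,
            "cn": " ".join(first["name"].split()).title(),
            "eduPersonAffiliation": sorted(p.affiliations),
        })
    return entries


if __name__ == "__main__":
    for entry in directory_entries(run_join()):
        print(entry)
```

Lisa appears in both the student registry and HR and ends up as one person with two affiliations; Marc has no campus ID in either feed and is joined on normalized name and date of birth. That fallback rule is the risk in any join: two distinct people with the same name and birth date would be merged into one identity, which is why production joins score candidate matches and route ambiguous ones to human review rather than merging automatically.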
Managing Roles & Privileges
Role-Based Access Control (RBAC) model
• Users are placed into groups
• Privileges are assigned to groups
• Groups can be arranged into hierarchies to effectively bestow privileges
• Signet manages privileges
• Grouper manages, well, groups
Diagram labels: Grouper, Signet
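The RBAC model on the slide, as an added example that is not Grouper or Signet code: users go into groups, privileges are granted to groups, and a group can be a member of another group so that its members inherit the parent's privileges. Group names, privilege names and users are constructed.

```python
"""Role-based access via hierarchical groups: users go into groups,
privileges are assigned to groups, and groups nest so that membership in a
child group bestows the parent's privileges.

Added example, not Grouper or Signet code. Group names, privilege names and
users are constructed.
"""
from collections import defaultdict


class GroupStore:
    def __init__(self):
        self.members = defaultdict(set)     # group -> direct members (users or groups)
        self.privileges = defaultdict(set)  # group -> privileges granted to the group

    def add_member(self, group, member):
        self.members[group].add(member)

    def remove_member(self, group, member):
        self.members[group].discard(member)

    def grant(self, group, privilege):
        self.privileges[group].add(privilege)

    def groups_of(self, subject):
        """All groups the subject belongs to, directly or through nesting.
        Breadth-first over the membership graph; the `seen` set makes it safe
        against cyclic group membership."""
        seen, frontier = set(), {subject}
        while frontier:
            newly_found = set()
            for group, members in self.members.items():
                if group not in seen and frontier & members:
                    seen.add(group)
                    newly_found.add(group)
            frontier = newly_found
        return seen

    def effective_privileges(self, user):
        """Union of the privileges of every group the user is (transitively) in."""
        privs = set()
        for group in self.groups_of(user):
            privs |= self.privileges[group]
        return privs

    def is_allowed(self, user, privilege):
        return privilege in self.effective_privileges(user)

    def holders(self, privilege, users):
        """Audit helper: which of the given users currently hold a privilege."""
        return {u for u in users if self.is_allowed(u, privilege)}


def build_sample():
    """Constructed campus: department groups nested under campus-wide ones."""
    gs = GroupStore()
    gs.add_member("campus:students", "cs:students")   # a group as member of a group
    gs.add_member("cs:students", "lisa")
    gs.add_member("cs:students", "marc")
    gs.add_member("cs:tas", "lisa")
    gs.add_member("cs:staff", "cs:tas")               # TAs count as departmental staff
    gs.add_member("cs:staff", "anna")
    gs.grant("campus:students", "library:borrow")
    gs.grant("cs:tas", "gradebook:enter")
    gs.grant("cs:staff", "gradebook:submit")
    return gs


if __name__ == "__main__":
    gs = build_sample()
    for user in ("lisa", "marc", "anna"):
        print(user, sorted(gs.effective_privileges(user)))
    gs.remove_member("cs:tas", "lisa")   # one membership change revokes both gradebook rights
    print("lisa after leaving cs:tas", sorted(gs.effective_privileges("lisa")))
```

No privilege is ever attached to a user directly, so access review reduces to reviewing group membership and the privileges held by each group, and removing Lisa from `cs:tas` revokes everything she inherited through `cs:staff` in the same step. The `holders` helper is the query an auditor asks of such a store: who can do X right now.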
Vision of a better way to do IAM
Provisioning
• Domesticated applications:
– Provide them the full set of IdM functions
• Applications with attitude (comes in the box)
– Meet them more than halfway by provisioning
IAM functions
Diagram labels: Kerberos, LDAP Directory, Plug-ins
Alternative packaging of basic IdM functions:
Diagram labels: Student Registry, LDAP, HR Info System
Single SoR as Enterprise Directory
From Construction to Integration
• Construction
– Raw materials into systems
• Integration
– Subsystems into whole systems
– Multiple systems into ecosystems
• We’re all moving from construction to integration
• Let’s review state of middleware systems’ readiness for integration
IAM and Application Integration
Middleware -- Application Integration
• ERPs
• SAKAI
• uPortal
• …
As for Lisa
• Sez who?
– What Lisa’s username and password are?
– What she should be able to do?
– What she should be prevented from doing?
– Scaling to the other 40,000 just like her on campus
Policy issues re “credential” function: NetID
Inter-institutional integration: the transport function
• Federations
• Peering of federations
– Levels of assurance
– Attribute mapping
– WAYF functionality
• Virtual Organizations (VOs)
Alternatives to IP Address Based Access Restriction
1. User-based access restriction
A. Each service provider manages credentials for all of its users
B. One big credential database of all users used by all service providers
C. Each user has a “home organization” whose credential database can, by magic, be used by each service provider
2. ???
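Option 1C above is the federated model, and the "magic" is what the transport-function slide lists: a federation whose metadata says which home organizations a service provider trusts, a WAYF step to find the user's home organization, a signed statement from that organization, and attribute mapping plus a level-of-assurance check on the service-provider side. The added example below puts an IP-address check beside that flow so the two can be compared; it is not code from the slides or from any SAML or Shibboleth implementation. It assumes JSON statements signed with HMAC-SHA256 using a per-IdP key held in the federation metadata (a stand-in for the XML signatures and public keys a real federation uses), and the entity IDs, scopes, attribute names and assurance levels are constructed.

```python
"""Federated access (option 1C) beside IP-address based access restriction.

Added example, not from the slides or from any SAML/Shibboleth implementation.
Assumptions: assertions are JSON signed with HMAC-SHA256 using a per-IdP key
held in federation metadata (a stand-in for XML signatures and public keys);
entity IDs, scopes, attribute names and levels of assurance are constructed.
"""
import hashlib
import hmac
import ipaddress
import json
import time

# --- The approach the slide's alternatives replace: trust the source network.
CAMPUS_NETS = [ipaddress.ip_network("198.51.100.0/24")]   # constructed (documentation range)


def allowed_by_ip(addr):
    ip = ipaddress.ip_address(addr)
    return any(ip in net for net in CAMPUS_NETS)


# --- Option 1C: the home organization's credentials, used through a federation.
# Federation metadata: which IdPs this SP trusts, their keys, and the assurance
# level each one asserts for its users.
FEDERATION_METADATA = {
    "https://idp.example.edu": {"key": b"constructed-key-1", "loa": 2, "scope": "example.edu"},
    "https://idp.other.example": {"key": b"constructed-key-2", "loa": 1, "scope": "other.example"},
}
SP_ENTITY_ID = "https://sp.example.org"

# Attribute mapping on the SP side: IdP attribute names -> names the SP's policy uses.
ATTRIBUTE_MAP = {"eduPersonPrincipalName": "user", "eduPersonAffiliation": "affiliation"}


def wayf(user_hint):
    """'Where Are You From': pick the home IdP from the scope of the user's identifier."""
    scope = user_hint.rsplit("@", 1)[-1]
    for entity_id, md in FEDERATION_METADATA.items():
        if md["scope"] == scope:
            return entity_id
    return None


def issue_assertion(idp_entity_id, attributes, lifetime=300, now=None):
    """IdP side: a signed, audience-restricted, time-limited statement of attributes."""
    now = time.time() if now is None else now
    body = {"issuer": idp_entity_id, "audience": SP_ENTITY_ID,
            "issued": now, "expires": now + lifetime, "attributes": attributes}
    payload = json.dumps(body, sort_keys=True).encode()
    key = FEDERATION_METADATA[idp_entity_id]["key"]
    return {"payload": payload, "sig": hmac.new(key, payload, hashlib.sha256).hexdigest()}


def verify_assertion(assertion, now=None):
    """SP side: issuer in metadata, signature, audience, validity window; then map attributes."""
    now = time.time() if now is None else now
    body = json.loads(assertion["payload"])
    md = FEDERATION_METADATA.get(body.get("issuer"))
    if md is None:
        return None, "untrusted issuer"
    expected = hmac.new(md["key"], assertion["payload"], hashlib.sha256).hexdigest()
    if not hmac.compare_digest(expected, assertion["sig"]):
        return None, "bad signature"
    if body.get("audience") != SP_ENTITY_ID:
        return None, "wrong audience"
    if not body["issued"] <= now < body["expires"]:
        return None, "expired"
    attrs = {ATTRIBUTE_MAP[k]: v for k, v in body["attributes"].items() if k in ATTRIBUTE_MAP}
    attrs["loa"] = md["loa"]   # assurance comes from metadata about the IdP, not from the user
    return attrs, "ok"


def allowed_by_federation(assertion, required_affiliation="member", min_loa=2, now=None):
    """Access decision on the mapped attributes and the IdP's level of assurance."""
    attrs, reason = verify_assertion(assertion, now)
    if attrs is None:
        return False, reason
    if attrs["loa"] < min_loa:
        return False, "insufficient level of assurance"
    if required_affiliation not in attrs.get("affiliation", []):
        return False, "affiliation not authorized"
    return True, "ok"
```

The service provider never sees a password and never holds a credential database (the weakness of options 1A and 1B); it holds only the federation metadata. Peering two federations means agreeing on exactly the three things the SP checks here: which keys to trust, how each side's attribute names map, and what level of assurance each home organization's credentials actually carry.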
Federated Identities
Federating Technologies
• SAML implementations
– Security Assertion Markup Language
– Shibboleth implementations
– Bodington/Guanxi
– AthensIM
– SourceID
– SAMUEL
• Liberty Identity Federation
– SourceID
– Lasso
– Proprietary
• Others
– MS ADFS
– MS Inter-Forest Trust
– Other proprietary
IAM functions & big pictures
Diagram labels: Manage Grps, Provide/run-time, Join, Credential, (AuthN), Manage Privs, Provide/provision
A closer look at managing affiliations, groups and privileges
• How does this help the harried IT staff?