IAM
Borrowed from Keith Hazelton (hazelton@doit.wisc.edu)
Sr. IT Architect, University of Wisconsin-Madison
EuroCAMP: Porto
Topics
What is Identity Management (IdM)?
The IdM Stone Age
A better vision for IdM
An aside on the value of affiliation / group / privilege management services
Basic IdM functions mapped to open source components
Demands on IT and how IdM services help
IAM is
IAM is also
to these scenarios?
List of functions:
AuthN: Authenticate principals (people, servers) seeking access to a service or resource
Log: Track access to services/resources
[Figure: Systems of Record (Student, HR, Other) feeding a Registry and an LDAP directory]
The Join
The collection of bits of identity information about you in all the relevant IT systems at your institution
For any given person in your community, do you know which entry in each system's data store carries bits of their identity?
If more than one system can create a person record, you have identity fragmentation
The Join
Identity fragmentation cure #1: The Join
Use business logic to
Establish which records correspond to the same person
Maintain that identity join in the face of changes to data in collected systems
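The join logic the slide describes, as an added example that is not part of the slides or of any University of Wisconsin-Madison system: a registry that decides, by business logic, which rows from several systems of record belong to one person, and keeps that join stable when a row's attributes later change. All records, field names and the matching rule (national id, else surname plus birth date) are constructed assumptions.

```python
# Added example, not from the slides: a minimal identity join across systems of record (constructed data).
from __future__ import annotations
from dataclasses import dataclass

@dataclass(frozen=True)
class SorRecord:
    sor: str          # which system of record exported the row
    local_id: str     # that system's own key (student number, HR id, login)
    national_id: str | None  # strong identifier; not every SoR carries it
    surname: str
    birth_date: str   # ISO date

class Registry:
    def __init__(self) -> None:
        self.links: dict[int, dict[str, str]] = {}  # registry id -> {sor: local_id}
        self.keys: dict[int, SorRecord] = {}        # attributes each join rests on

    @staticmethod
    def _same_person(known: SorRecord, rec: SorRecord) -> bool:
        # Business logic: a shared national id decides; otherwise fall back to
        # surname + birth date, a weaker rule that is ambiguity-checked below.
        if known.national_id and rec.national_id:
            return known.national_id == rec.national_id
        return (known.surname.lower(), known.birth_date) == (rec.surname.lower(), rec.birth_date)

    def join(self, rec: SorRecord) -> int:
        # A row already joined keeps its identity even if attributes changed
        # (a renamed person is still that person); only refresh the key data.
        for rid, links in self.links.items():
            if links.get(rec.sor) == rec.local_id:
                self.keys[rid] = rec
                return rid
        hits = [rid for rid, known in self.keys.items() if self._same_person(known, rec)]
        if len(hits) > 1:
            raise ValueError(f"{rec.sor}:{rec.local_id} matches several people: {hits}")
        if hits and rec.sor in self.links[hits[0]]:
            # second row of the same SoR for one person: identity fragmentation
            raise ValueError(f"{rec.sor} already holds registry id {hits[0]}")
        rid = hits[0] if hits else len(self.links) + 1   # ids only ever grow
        self.links.setdefault(rid, {})[rec.sor] = rec.local_id
        self.keys.setdefault(rid, rec)
        return rid

def demo() -> dict[int, dict[str, str]]:
    reg = Registry()
    reg.join(SorRecord("HR", "H-1001", "NID-1", "Smith", "1970-01-02"))
    reg.join(SorRecord("Student", "S-2001", None, "smith", "1970-01-02"))  # joined via name + DOB
    reg.join(SorRecord("HR", "H-1002", "NID-2", "Becker", "1982-05-09"))
    reg.join(SorRecord("HR", "H-1001", "NID-1", "Jones", "1970-01-02"))    # surname changed, same id
    return reg.links
```

A real registry would log every ambiguous or fragmented case for a person to resolve rather than stop at the first one.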
[Figure: identity join table with columns Sys B ID, Sys C ID and Sys D ID, one row per person]
[Figure: architecture diagram with Systems of Record, Enterprise Directory, authentication services (A-Select, CAS, etc.), Grouper, Signet and Shibboleth]
Role-Based Access Control (RBAC) model
Users are placed into groups
Privileges are assigned to groups
Groups can be arranged into hierarchies to effectively bestow privileges
Signet manages privileges
Grouper manages, well, groups
Provisioning
Getting identity information where it needs to be
For Apps with Attitude, this often means exporting reformatted information to them in a form they understand
Using either App-provided APIs or tricks to write to their internal store
Change happens, so this is an ongoing process
IAM functions and the data of interest to each:
Reflect and Join: identity across SoR
Credential: NetID, other
Manage Affil/Groups: AuthZ info
Manage Privileges: more AuthZ info
Provision: gen. AuthNZ info into app space
Relay: AuthZ info to app on request
Authenticate: identity claim
Authorize: access decision (allow/deny)
Log: usage for audit, accounting,
[Figure: Systems of Record, Enterprise Directory, Kerberos, LDAP Directory and Plug-ins]
Alternative packaging of basic IdM functions:
[Figure: labels Student-HR Info System, Registry, LDAP, Single]
Construction: raw materials into systems
Integration: subsystems into whole systems; multiple systems into ecosystems
Middleware -- Application Integration
[Figure: applications such as ERPs, SAKAI and uPortal integrated through middleware]
As for Lisa
Sez who?
What Lisa's username and password are?
What she should be able to do?
What she should be prevented from doing?
Scaling to the other 40,000 just like her on campus
Inter-institutional integration: the transport function
Federations
Peering of federations
Levels of assurance
Attribute mapping
WAYF functionality
2. ???
Federated Identities
Federated identities are option C on the previous slide
A hierarchical approach to decompose the problem into manageable pieces
Analogous to the problem that IAM addresses, and rests upon IAM infrastructure
Federating Technologies
SAML (Security Assertion Markup Language) implementations:
Shibboleth
Bodington/Guanxi
AthensIM
SourceID
SAMUEL
MS ADFS
Other proprietary
Liberty Identity Federation implementations:
SourceID
Lasso
Proprietary
Others
MS Inter-Forest Trust
[Figure: IAM functions diagram with Reflect, Join, Credential, Manage Grps, Manage Privs, Provide/provision, Provide/run-time, AuthN, AuthZ and Log]