
EuroCAMP: Porto

An Introduction to Identity and Access Management
Ken Klingenstein
Director, Internet2 Middleware and Security

Borrowed from
Keith Hazelton (hazelton@doit.wisc.edu)
Sr. IT Architect, University of Wisconsin-Madison

Topics
What is Identity Management (IdM)?
The IdM Stone Age
A better vision for IdM
An aside on the value of affiliation / group / privilege management services
Basic IdM functions mapped to open source components
Demands on IT and how IdM services help

Identity and Access Management (IAM) defined

What is Identity Management?
"Identity management is the set of business processes, and a supporting infrastructure, for the creation, maintenance, and use of digital identities." (The Burton Group, a research firm specializing in IT infrastructure for the enterprise)

Identity Management in this sense is often called Identity and Access Management (IAM)
What problems do Identity and Access Management address?

IAM is...
Hi! I'm Lisa. (Identity)
...and here's my NetID / password to prove it. (Authentication)
I want to do some E-Reserves reading. (Authorization: allowing Lisa to use the services for which she's authorized)
And I want to change my grade in last semester's Physics course. (Authorization: preventing her from doing things she's not supposed to do)

IAM is also...
New hire, Assistant Professor Alice
Department wants to give her an email account before her appointment begins so they can get her off to a running start
How does she get into our system and get set up with the accounts and services appropriate to faculty?

What questions are common to these scenarios?
Are the people using these services who they claim to be?
Are they a member of our campus community?
Have they been given permission?
Is their privacy being protected?
Policy/process issues lurk nearby

The IAM Stone Age
List of functions:
AuthN: Authenticate principals (people, servers) seeking access to a service or resource
Log: Track access to services/resources

The IAM Stone Age
Every application for itself in performing these functions
User list, credentials; if you're on the list, you're in (AuthN is authorization (AuthZ))
And some identifiers are assigned nationally, with uncertain value locally

Vision of a better way to do IAM
IAM as a middleware layer at the service of any number of applications
Requires an expanded set of basic functions
Reflect: Track changes to institutional data from changes in Systems of Record (SoR) & other IdM components
Join: Establish & maintain person identity across SoR
Credential: Issue digital credentials to people in the community

Basic IAM functions mapped to the NMI / MACE components
[Diagram: Systems of Record (Student, HR, Other) feeding the Registry and the LDAP Enterprise Directory]

Your Digital Identity and The Join
The collection of bits of identity information about you in all the relevant IT systems at your institution
For any given person in your community, do you know which entry in each system's data store carries bits of their identity?
If more than one system can create a person record, you have identity fragmentation

The pivotal concept of IAM: The Join
Identity fragmentation cure #1: The Join
Use business logic to
Establish which records correspond to the same person
Maintain that identity join in the face of changes to data in collected systems

Identity Information Access
Some direct from the Enterprise Directory via reflection from SoR
Other bits need to be made reachable by identifier crosswalks

Registry ID   Sys A ID   Sys B ID   Sys C ID   Sys D ID
3a104e59      fsmith32   86443      freds      864164
8c2f916d      abecker1   45209      amyb       752731
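The Join and the identifier crosswalk the two slides above describe, as an added example (not code from the deck, Internet2 or MACE): the Systems of Record, their local IDs, the national-ID/name matching rule and the people are all constructed sample data; the registry mints an opaque Registry ID per person and the crosswalk maps it to each system's local ID.

```python
"""Identity join and identifier crosswalk (added example, constructed data)."""
import secrets

SOR_RECORDS = {  # constructed sample data: each SoR assigns its own local ID
    "HR":      [{"id": "86443",    "natid": "N-111", "name": "Fred Smith"},
                {"id": "45209",    "natid": "N-222", "name": "Amy Becker"}],
    "Student": [{"id": "864164",   "natid": "N-111", "name": "Fred Smith"},
                {"id": "752731",   "natid": None,    "name": "Lisa Chan"}],
    "Email":   [{"id": "fsmith32", "natid": "N-111", "name": "Fred Smith"},
                {"id": "amyb",     "natid": "N-222", "name": "Amy Becker"}],
}

def match_key(rec):
    # The "business logic" of the join: a shared national ID wins; otherwise
    # fall back to a normalised name (weaker; real registries also check DOB etc.).
    if rec.get("natid"):
        return ("natid", rec["natid"])
    return ("name", " ".join(rec["name"].lower().split()))

class Registry:
    """Person registry: one opaque Registry ID per person plus the crosswalk."""
    def __init__(self):
        self.crosswalk = {}   # registry_id -> {system: local_id}
        self._by_key = {}     # match key -> registry_id
        self._by_local = {}   # (system, local_id) -> registry_id

    def join(self, system, rec):
        """Attach one SoR record to an existing person or mint a new one."""
        key = match_key(rec)
        reg_id = self._by_key.get(key)
        if reg_id is None:                    # first sighting of this person
            reg_id = secrets.token_hex(4)     # opaque; not derived from the natid
            self._by_key[key] = reg_id
            self.crosswalk[reg_id] = {}
        self.crosswalk[reg_id][system] = rec["id"]
        self._by_local[(system, rec["id"])] = reg_id
        return reg_id

    def resolve(self, system, local_id, target):
        """Map a local ID in one system to the same person's ID in another."""
        reg_id = self._by_local.get((system, local_id))
        return self.crosswalk.get(reg_id, {}).get(target) if reg_id else None

def build_registry(records=SOR_RECORDS):
    reg = Registry()
    for system, recs in records.items():
        for rec in recs:
            reg.join(system, rec)
    return reg
```

A person who appears in one system under a name-only key and later in another with a national ID would be minted twice; that is exactly the fragmentation the Join is meant to detect and merge.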

Identity Fragmentation Cure #2
When you can't integrate, federate
Federated Identity & Access Management
Rely on the Identity Management infrastructure of one or more institutions or units
To authenticate and pass authorization-related information to service providers or resource hosts
Via institution-to-provider agreements
Facilitated by common membership in a federation (like InCommon)
Shibboleth is a way to move the authNZ info between parties

Basic IAM functions mapped to the NMI / MACE components
[Diagram: Systems of Record, Enterprise Directory, Apps / Resources; components shown: A-Select, CAS, etc.; Grouper; Signet; Shibboleth]

Vision of a better way to do IAM
More in the expanded set of basic functions
Mng. Affil.: Manage affiliation and group information
Mng. Priv.: Manage privileges and permissions at system and resource level

Managing Roles & Privileges
Role-Based Access Control (RBAC) model
Users are placed into groups
Privileges are assigned to groups
Groups can be arranged into hierarchies to effectively bestow privileges
Signet manages privileges
Grouper manages, well, groups
[Diagram: Grouper, Signet]

Vision of a better way to do IAM
More in the expanded set of basic functions
Provision: Push IAM info out to systems and services as required
Relay: Make access control / authorization information available to services and resources at run time
AuthZ: Make the allow/deny decision independent of AuthN
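The RBAC model of the "Managing Roles & Privileges" slide (groups in a hierarchy, privileges attached to groups) together with the AuthZ point above (the allow/deny decision made independently of AuthN), as an added example that is not Grouper, Signet or any deck code; the NetIDs, passwords, group names, hierarchy and privileges are constructed, and Lisa's two requests from the opening slide are the test case.

```python
"""Group-based privileges with AuthN kept separate from AuthZ (added example)."""
import hashlib, hmac, os
from collections import deque

# --- AuthN: verifies the identity claim only; says nothing about what Lisa may do
def _hash(password, salt):
    return hashlib.pbkdf2_hmac("sha256", password.encode(), salt, 100_000)

def _enroll(password):                 # constructed credential store entry
    salt = os.urandom(16)
    return salt, _hash(password, salt)

CREDENTIALS = {"lisa": _enroll("lisa-pw"), "alice": _enroll("alice-pw")}

def authenticate(netid, password):
    """Return the authenticated principal, or None; no access decision here."""
    entry = CREDENTIALS.get(netid)
    if entry is None:
        return None
    salt, stored = entry
    return netid if hmac.compare_digest(stored, _hash(password, salt)) else None

# --- Group management (Grouper-like): direct memberships plus a group hierarchy
MEMBERS = {"physics101:students": {"lisa"}, "physics101:instructors": {"alice"}}
PARENTS = {"physics101:students": ["students"], "physics101:instructors": ["faculty"],
           "students": ["community"], "faculty": ["community"]}

def effective_groups(principal):
    """Direct groups plus every ancestor group: membership flows up the hierarchy."""
    todo = deque(g for g, m in MEMBERS.items() if principal in m)
    seen = set()
    while todo:
        g = todo.popleft()
        if g not in seen:
            seen.add(g)
            todo.extend(PARENTS.get(g, []))
    return seen

# --- Privilege management (Signet-like): privileges attach to groups, not people
PRIVILEGES = {
    "community": {("ereserves", "read")},
    "physics101:students": {("physics101:grades", "read")},
    "physics101:instructors": {("physics101:grades", "read"), ("physics101:grades", "write")},
}

def authorize(principal, resource, action):
    """Allow/deny decision: default deny, driven only by the principal's groups."""
    for g in effective_groups(principal):
        if (resource, action) in PRIVILEGES.get(g, set()):
            return "allow"
    return "deny"
```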

Provisioning
Getting identity information where it needs to be
For Apps with Attitude, this often means exporting reformatted information to them in a form they understand
Using either App-provided APIs or tricks to write to their internal store
Change happens, so this is an ongoing process

Two modes of app/IdM integration
Domesticated applications: Provide them the full set of IdM functions
Applications with attitude (comes in the box): Meet them more than halfway by provisioning

IAM functions and data of interest

IAM function          Data of interest
Reflect
Join                  Identity across SoR
Credential            NetID, other
Manage Affil/Groups   AuthZ info
Manage Privileges     More AuthZ info
Provision             Gen. AuthNZ info into app space
Relay                 AuthZ info to app on request
Authenticate          Identity claim
Authorize             Access decision (allow/deny)
Log                   Usage for audit, accounting, ...

Alternative packaging of basic IdM functions
[Diagram: Systems of Record, Enterprise Directory, Apps / Resources; components shown: Kerberos, LDAP Directory, Plug-ins]

Alternative packaging of basic IdM functions: Single System of Record as Enterprise Directory
[Diagram: Student-HR Info System feeding the Registry and LDAP]
Single SoR as Enterprise Directory
Who owns the system?
Do they see themselves as running shared infrastructure?
Will any external populations ever become internal?
What if the hospital negotiates a deal?
Stress-test alternative packaging by thinking through the list of basic IdM functions

Same IdM functions, different packaging
Your IdM infrastructure (existing or planned) may have different boxes & lines
But somewhere, somehow this set of IdM functions is getting done
Gives us all a way to compare our solutions by looking at various packagings of the IdM functions

From Construction to Integration
Construction: Raw materials into systems
Integration: Subsystems into whole systems; multiple systems into ecosystems
We're all moving from construction to integration
Let's review the state of middleware systems' readiness for integration

IAM and Application Integration

Middleware -- Application Integration
[Diagram: ERPs, SAKAI, uPortal]

As for Lisa...
Sez who?
What Lisa's username and password are?
What she should be able to do?
What she should be prevented from doing?
Scaling to the other 40,000 just like her on campus

As for Professor Alice...
What accounts and services should faculty members be given?
At what point in the hiring process should these be activated?
Methods need to scale to 20,000 faculty and staff
In all of these, a full IAM infrastructure would provide the technical part of a solution

Policy issues re credential function: NetID
When to assign, activate (as early as possible)
Who gets them? Applicants? Prospects?
Guest NetIDs (temporary, identity-less)
Reassignment (never; except...)
Who can handle them? Argument for WebISO.

Inter-institutional integration: the transport function
Federations
Peering of federations
Levels of assurance
Attribute mapping
WAYF functionality
Virtual Organizations (VOs)

Alternatives to IP Address Based Access Restriction
1. User-based access restriction
   A. Each service provider manages credentials for all of its users
   B. One big credential database of all users used by all service providers
   C. Each user has a home organization whose credential database can, by magic, be used by each service provider
2. ???

Federated Identities
Federated identities is option C on the previous slide
A hierarchical approach to decompose the problem into manageable pieces
Analogous to the problem that IAM addresses, and rests upon IAM infrastructure
Federating technology is the magic part of option C
Identity federation (noun) is a set of service providers, identity providers, and other context in which the magic happens

Federating Technologies
SAML (Security Assertion Markup Language) implementations: Shibboleth; Bodington/Guanxi; AthensIM; SourceID; SAMUEL; MS ADFS; other proprietary
Liberty Identity Federation implementations: SourceID; Lasso; proprietary
Others: MS Inter-Forest Trust

IAM functions & big pictures
[Diagram: Reflect, Join, Credential, Manage Grps, Manage Privs, Provide/provision, Provide/run-time, AuthZ (AuthN), Log]

A closer look at managing affiliations, groups and privileges
How does this help the harried IT staff?

What is IT being asked to do?
Automatic creation and deletion of computer accounts
Personnel records access for legal compliance
One stop for university services (portal) integrated with course management systems

What else is IT being asked to do?
Student record access for life
Submission and/or maintenance of information online
Privacy protection

More on the To Do list
Stay in compliance with a growing list of policy mandates
Increase the level of security protections in the face of a steady stream of new threats

More on the To Do list
Serve new populations (alumni, applicants, ...)
More requests for new services and new combinations of services
Increased interest in eBusiness
There is an Identity Management aspect to each and every one of these items

How a full IdM layer helps
Improves scalability: IdM process automation
Reduces complexity of IT ecosystem (complexity as friction: wasted resources)
Improved user experience
Functional specialization: App developer can concentrate on app-specific functionality
