Slide 1: How can different campuses inter-operate? From ora et labora to collaborate and federate
EuroCAMP, Ljubljana, 2006-04-03
Ingrid Melve, FEIDE manager
Outline: From SSO to a federated solution; Campus Identity Management; Collaborations
Slide 2: From SSO to a federated solution
  Campus Identity Management
  Collaborations
  Applications
  Case: FEIDE
  Federating for applications
Slide 3: Application types
  Web: apache, IIS, python, php, .NET
  Web services: Java
  Legacy applications, e.g. SAP, ePhorte, Agresso
  Network access: wireless (802.1X), radius
  Proxies: web, Citrix
  Agents acting on behalf of the user: web services or legacy/special applications
Slide 4: Important applications
  Shared apps: self service interfaces, library services, administrative services, reporting systems
  National apps: Government security portal
  Local apps: e-learning portals, wireless access
  Local apps with outside users
  All of the above: Project workspace
Slide 5: Applications need to change
  Move login out of the service itself
  Application does not see password
  Need to add module or filter in application
  How to integrate with FEIDE:
    Moria2: operational until spring 2007
    Liberty Alliance standards chosen as future integration path
    Conformance testing ensures multi-vendor support
    Sun Access Manager in demo June 2006
Slide 6: Norwegian universities and university colleges and how to ICT
  4 big, 6 medium, 28 small institutions
  Collaboration normal and useful
  NREN has strong campus presence
  CIMS user groups: Novell, Microsoft, Cerebrum
  Multi-vendor environment
  Share administrative applications: Student registry, Payroll system, Financial system, Electronic invoice, Archive system
Slide 7: FEIDE – Federated Electronic Identity for Norwegian Education
  FEIDE is a non-commercial identity management federation for people in education
  FEIDE is technology and platform agnostic
  FEIDE offers guidelines and policy for campus identity management
  FEIDE-names are valid for all education services, and may be used internally, for community services and with education-related services
Slide 8: A solution for whom?
  Higher ed: 230000 persons, 53 institutions (Lower ed: 780000)
  Total: 20% of population
  Tradition of sharing work: Dugnad
  Many shared services
  Common software: Application Service Providers
  Common interfaces
Slide 9: FEIDE – the players
  End user: person with FEIDE-name
  Home organization (IdP): university or school with end user affiliation
  Service Provider: services and applications for end users
Slide 10: FEIDE for Norwegian education
  Operational campus (start 2003):
    Universities: 2003 - early 2006
    University Colleges: 2004 - 2006
    Lower education: phasing in from fall 2006
  Operational service providers:
    Shared services in higher ed: 2003 - 2006
    Community web services in lower education: 2006 – 2007
    Local university services: 2003 – 200X
Slide 11: FEIDE – identity management for education
  Identity management consists of:
    Information model
    Login service
    Chain of trust
    Policy issues
    Collaboration between educational institutions, service providers and vendors
Slide 12: FEIDE information model
  Identity providers (= campus)
  Authoritative data flows to LDAP directory
  Information on standard format: eduPerson, eduOrg, norEduPerson, norEduOrg, norEduOrgUnit
  Standardized import/export
  Provisioning
  Service Provider integration
  Requirements for campus identity management
Slide 13: Campus Identity Management
  Authoritative data sources
  BAS (CIMS) is the hub in the information flow
  All updates and changes flow through BAS
  CIMS is a necessary component
Slide 14: Campus Identity Provider benefits
  Authoritative quality and control of information flow for all affiliated users
  Enhanced user management simplifies and automates
  Federated login provides access to services
Slide 15: CleanIT, the BAS/CIMS process
  Identify key data
  Identify who is responsible for: initial data, data updates, data removal
  Organizational process: move data maintenance out of the IT department
  Enable Human Resource and Student Management staff to do their jobs better
Slide 16: What are Campus Identity Management Systems (CIMS)?
  Routines and policy for data updates
  Data quality, well-defined requirements
  Quality assurance (identity)
  Not really an «application»
  Technical solutions: Cerebrum, Novell, Stover's Microsoft-based; incoming: Oracle and IBM (in-house ad-hoc solutions are operational)
Slide 17: Campus Identity Management Systems
  Several systems are operational, pick one for your campus
  Integration with local systems decides which one to choose; dialogue with vendor
  Not cost-effective to have many
  Federating across different systems is relatively painless
  Interfaces are important in bottom-up design
  Collaboration, work with vendors
Slide 18: Campus status
  Organisation | BAS type | FEIDE-names | Rollout status
  NTNU | BDB | 22000 |
  Universitetet i Bergen | SEBRA | 20000 |
  Universitetet i Oslo | Cerebrum | 36000 |
  Universitetet i Stavanger | ? | 7300 | 2007
  Universitetet i Tromsø | Cerebrum | 6100 | 2006
  UMB | in-house developed | 2800 | 2006
  Høgskolen i Agder | Cerebrum | 8000 |
  Høgskolen i Akershus | ? | 3500 | 2006
  Høgskolen i Bergen | Microsoft | 6000 | 2006
  Høgskolen i Bodø | Microsoft | 4700 | 2006
  Høgskolen i Buskerud | Novell | 2800 | 2006?
  Høgskolen i Finnmark | Novell | 2100 |
  Høgskolen i Gjøvik | Novell (?) | 2100 | 2006?
  Høgskolen i Harstad | ? | 1600 |
  Høgskolen i Hedmark | Novell | 5600 |
  Høgskolen i Lillehammer | Novell | 3700 |
  Høgskolen i Molde | Microsoft | 1600 |
  Høgskolen i Narvik | Microsoft | 1200 | April 2006
  Høgskolen i Nesna | ? | 1000 |
  Høgskolen i Nord-Trøndelag | Microsoft | 5000 | 2006
  Høgskolen i Oslo | in-house developed | 11200 |
  Høgskolen i Sogn og Fjordane | Novell | 3000 | 2006
  Høgskolen Stord/Haugesund | Microsoft | 2500 | 2006/2007
  Høgskolen i Sør-Trøndelag | Cerebrum | 8100 | April 2006
  Høgskolen i Telemark | Novell | 6600 | 2006
  Høgskolen i Vestfold | Novell | 3400 | 2006
  Høgskolen i Volda | Novell | 4000 | April 2006
  Høgskolen i Østfold | Cerebrum | 4200 | 2006
  Høgskolen i Ålesund | Microsoft | 1800 |
  Samisk Høgskole | ? | 180 |
  Norges Handelshøgskole | Microsoft | 2600 | 2006
  Total number of FEIDE-names: 190680
Slide 19: Future directions, campus IdM
  Responsibility placed outside IT department
  Consolidating BAS for user management
  Technical solutions
  Policy and regulations
  Giving access to someone I do not control?
  Interfaces: XML definitions for import/export; LDAP based on eduPerson/noredu*
  Available software is improving
Slide 20: Proposed Educational ID engine
  Purpose of a publicly available ID engine: unique user name for the entire educational lifecycle
  Easy integration for school owners
  Quality control in CIMS
  Report to be published in April 2006
  Discussion spring/summer 2006
  Expected to be operational late 2006
Slide 21: Provisioning
  Campus Identity Management System (CIMS) import and export
  CIMS is core
  Groups
  Roles
  Bulk and/or event driven data transfer
  Various operational solutions
  Standardization
  Sharing schema
  Exploring issues
  Formal collaboration work: Universities, Vendors, FEIDE, Education
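The CIMS hub role described on the campus identity management and provisioning slides (authoritative sources feeding one hub, export to an LDAP directory in eduPerson/norEdu* format, bulk and event driven transfer, and data removal handled as a responsibility rather than an afterthought) as an added example. This is not Cerebrum, BAS or FEIDE code. Assumptions not taken from the slides: two constructed source systems (a student registry and an HR system) with a `nin`, `uid` and `name` field each, the directory layout `ou=people,dc=campus,dc=example`, the home organisation `campus.example`, and an 11-digit format check for the national identity number that does not verify its check digits.

```python
import re

ORG_DOMAIN = "campus.example"               # constructed home organisation
BASE_DN = "ou=people,dc=campus,dc=example"  # assumed directory layout
NIN_RE = re.compile(r"^\d{11}$")            # format check only; real NINs also carry check digits

# Constructed rows from two authoritative sources. The hub reads them, it never edits them.
STUDENT_REGISTRY = [
    {"nin": "01017012345", "uid": "kari", "name": "Kari Nordmann"},
    {"nin": "02028054321", "uid": "ola", "name": "Ola Nordmann"},
    {"nin": "", "uid": "ghost", "name": "Missing Nin"},            # data-quality defect
]
HR_SYSTEM = [
    {"nin": "02028054321", "uid": "ola", "name": "Ola Nordmann", "active": True},
    {"nin": "03039011111", "uid": "anne", "name": "Anne Hansen", "active": True},
    {"nin": "04049022222", "uid": "per", "name": "Per Olsen", "active": False},   # has left
]


def merge_sources(students, employees):
    """Join the source rows on the national identity number (norEduPersonNIN),
    the basis for identity in the CIMS. Returns (persons by NIN, quality issues)."""
    persons, issues = {}, []
    sources = (("student-registry", students, "student"), ("hr-system", employees, "employee"))
    for source, rows, affiliation in sources:
        for row in rows:
            if not NIN_RE.match(row["nin"]):
                issues.append(f"{source}: rejected uid {row['uid']!r}, missing or malformed NIN")
                continue
            person = persons.setdefault(row["nin"], {"uid": row["uid"], "name": row["name"], "affiliations": set()})
            if person["uid"] != row["uid"]:
                issues.append(f"{source}: uid conflict for NIN {row['nin']}: {person['uid']!r} vs {row['uid']!r}")
                continue
            if affiliation == "employee" and not row["active"]:
                continue  # a departed employee keeps no affiliation and drops out of the export
            person["affiliations"].add(affiliation)
    return persons, issues


def build_entries(persons):
    """Turn merged persons into eduPerson/norEduPerson-style directory entries.
    Persons with no current affiliation are omitted: that is how removal propagates."""
    entries = {}
    for nin, p in persons.items():
        if not p["affiliations"]:
            continue
        entries[f"uid={p['uid']},{BASE_DN}"] = {
            "objectClass": ["inetOrgPerson", "eduPerson", "norEduPerson"],
            "uid": [p["uid"]],
            "cn": [p["name"]],
            "sn": [p["name"].split()[-1]],
            "eduPersonPrincipalName": [f"{p['uid']}@{ORG_DOMAIN}"],  # the FEIDE-name
            "eduPersonAffiliation": sorted(p["affiliations"]),
            "norEduPersonNIN": [nin],
        }
    return entries


def to_ldif(entries):
    """Bulk export: serialise all entries as LDIF for the campus LDAP directory."""
    lines = []
    for dn in sorted(entries):
        lines.append(f"dn: {dn}")
        lines.extend(f"{attr}: {value}" for attr, values in entries[dn].items() for value in values)
        lines.append("")
    return "\n".join(lines)


def diff_entries(previous, current):
    """Event-driven export: the (event, dn) pairs a consuming system must apply."""
    events = []
    for dn in sorted(set(previous) | set(current)):
        if dn not in previous:
            events.append(("add", dn))
        elif dn not in current:
            events.append(("delete", dn))
        elif previous[dn] != current[dn]:
            events.append(("modify", dn))
    return events


# Constructed result of the previous run, reduced to the attributes that matter for the diff:
# Kari's name was mis-spelt in the source then, and Per was still employed.
PREVIOUS_EXPORT = {
    f"uid=kari,{BASE_DN}": {"cn": ["Kari Nordman"]},
    f"uid=per,{BASE_DN}": {"cn": ["Per Olsen"]},
}


def run_hub():
    """One hub run: merge, build, and diff against the previous export."""
    persons, issues = merge_sources(STUDENT_REGISTRY, HR_SYSTEM)
    entries = build_entries(persons)
    return entries, diff_entries(PREVIOUS_EXPORT, entries), issues


if __name__ == "__main__":
    entries, events, issues = run_hub()
    print(to_ldif(entries))
    print("events:", events)
    print("issues:", issues)
```

The point to notice is that nothing downstream ever sees the rejected row or the departed employee: the hub rejects what it cannot identify, reports it back to the people responsible for the source data, and expresses a departure as a delete event rather than leaving the directory entry to linger.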
Slide 22: CIMS long term work
  Existing solutions will live until 2008
  Work is starting on specification of integration with shared/common applications; provisioning is important: FS, Frida/Forskdok, Agresso, SAP, HR, eBusiness Suite, ePhorte, BIBSYS
  Collaboration on CIMS specification
  Look at available systems, development of Cerebrum or development of a new system
  Common/shared solution, modular architecture
Slide 23: Sharing and Federating Identities
  National Identity Number: basis for ID in CIMS; required for some services; used by government. Attribute: norEduPersonNIN
  FEIDE-name. Attribute: eduPersonPrincipalName
  Federated ID (as in Liberty Alliance): one per user per service provider; controlled by Identity Provider. Attribute: eduPersonTargetedID
Slide 24: Why federate?
  Users, home organizations and service providers need to exchange information
  Trust establishment
  Information exchange
  Policy
  Technology
Slide 25: FEIDE federates education
  Federations: authenticate; enforce information flow policy; privacy control; security; trust establishment
Slide 26: FEIDE – trust chain
  FEIDE regulates service providers and home organizations
  Formal contractual agreements
  Transitive trust from end user to service provider via identity provider
Slide 27: FEIDE login
  1) User tries to access service
  2) Service transfers user to FEIDE login
  3) Authentication is done at campus
  4) Authentication is confirmed with the service, possibly with attribute release
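The four-step login above, as an added example that is not FEIDE's, Moria2's or Sun Access Manager's code. It also illustrates the identifier slide earlier (the FEIDE-name as eduPersonPrincipalName next to a per-service-provider eduPersonTargetedID that only the identity provider can derive) and the earlier point that the application never sees the password. Assumptions not taken from the page: an HMAC-SHA256 over canonical JSON stands in for the signed assertion of a real ID-FF or SAML deployment (which would use a certificate, not a shared key), the targeted ID is derived as an HMAC of principal name and SP identifier under a key the IdP keeps to itself, and the names idp.campus.example, sp.library.example, sp.elearning.example and kari@campus.example are constructed.

```python
import hashlib, hmac, json, secrets, time


def _canonical(payload):  # deterministic bytes so signer and verifier hash the same thing
    return json.dumps(payload, sort_keys=True, separators=(",", ":")).encode()


class IdentityProvider:
    """The home organisation (campus). It alone stores and checks passwords."""

    def __init__(self, entity_id, signing_key, pairwise_key):
        self.entity_id = entity_id
        self._signing_key = signing_key    # shared with trusting SPs: a toy stand-in for a signing certificate
        self._pairwise_key = pairwise_key  # never leaves the IdP
        self._users = {}                   # eduPersonPrincipalName -> (salt, password hash, attributes)

    def register(self, eppn, password, attributes):
        salt = secrets.token_bytes(16)
        digest = hashlib.pbkdf2_hmac("sha256", password.encode(), salt, 100_000)
        self._users[eppn] = (salt, digest, dict(attributes))

    def targeted_id(self, eppn, sp_entity_id):
        """eduPersonTargetedID: one opaque value per user per service provider,
        derived with a key only the IdP holds, so two SPs cannot correlate a user."""
        return hmac.new(self._pairwise_key, f"{eppn}\x00{sp_entity_id}".encode(), hashlib.sha256).hexdigest()

    def login(self, eppn, password, sp_entity_id, release, now=None):
        """Step 3: authenticate at campus. Returns a signed assertion for one SP
        carrying only the attributes named in 'release', or None on failure."""
        record = self._users.get(eppn)
        if record is None:
            return None
        salt, digest, attributes = record
        candidate = hashlib.pbkdf2_hmac("sha256", password.encode(), salt, 100_000)
        if not hmac.compare_digest(candidate, digest):
            return None
        now = int(time.time()) if now is None else now
        available = dict(attributes, eduPersonPrincipalName=eppn,
                         eduPersonTargetedID=self.targeted_id(eppn, sp_entity_id))
        payload = {
            "issuer": self.entity_id,
            "audience": sp_entity_id,   # binds the assertion to the SP that asked
            "issued_at": now,
            "expires_at": now + 300,
            "attributes": {k: v for k, v in available.items() if k in release},
        }
        signature = hmac.new(self._signing_key, _canonical(payload), hashlib.sha256).hexdigest()
        return {"payload": payload, "signature": signature}


class ServiceProvider:
    """The application. It never sees a password; it only accepts assertions
    from IdPs it has a trust relationship with (contractual, in FEIDE)."""

    def __init__(self, entity_id, trusted_idps):
        self.entity_id = entity_id
        self._trusted = trusted_idps       # issuer entity_id -> verification key

    def access(self, assertion=None, now=None):
        """Steps 1-2: no assertion means redirect the user to FEIDE login.
        Step 4: with an assertion, verify it and admit with the released attributes."""
        if assertion is None:
            return ("redirect", "feide-login")
        payload, signature = assertion["payload"], assertion["signature"]
        key = self._trusted.get(payload.get("issuer"))
        if key is None:
            return ("denied", "untrusted issuer")
        expected = hmac.new(key, _canonical(payload), hashlib.sha256).hexdigest()
        if not hmac.compare_digest(expected, signature):
            return ("denied", "bad signature")
        if payload["audience"] != self.entity_id:
            return ("denied", "assertion issued for another service provider")
        now = int(time.time()) if now is None else now
        if not payload["issued_at"] <= now < payload["expires_at"]:
            return ("denied", "outside validity window")
        return ("ok", payload["attributes"])


def run_demo():
    """Walk the four steps for one user against two SPs and return every outcome."""
    idp_key = b"constructed-idp-signing-key"
    idp = IdentityProvider("idp.campus.example", idp_key, b"constructed-pairwise-key")
    idp.register("kari@campus.example", "correct horse battery staple",
                 {"eduPersonAffiliation": "student", "displayName": "Kari Nordmann"})
    library = ServiceProvider("sp.library.example", {"idp.campus.example": idp_key})
    elearning = ServiceProvider("sp.elearning.example", {"idp.campus.example": idp_key})
    release = {"eduPersonPrincipalName", "eduPersonAffiliation", "eduPersonTargetedID"}  # displayName withheld
    t0 = 1_700_000_000  # fixed clock so the run is reproducible
    a_lib = idp.login("kari@campus.example", "correct horse battery staple", library.entity_id, release, now=t0)
    a_ele = idp.login("kari@campus.example", "correct horse battery staple", elearning.entity_id, release, now=t0)
    tampered = {"signature": a_lib["signature"], "payload": {**a_lib["payload"],
                "attributes": {**a_lib["payload"]["attributes"], "eduPersonAffiliation": "staff"}}}
    return {
        "step1_no_session": library.access(),
        "wrong_password": idp.login("kari@campus.example", "guess", library.entity_id, release, now=t0),
        "library": library.access(a_lib, now=t0 + 10),
        "elearning": elearning.access(a_ele, now=t0 + 10),
        "replayed_at_other_sp": elearning.access(a_lib, now=t0 + 10),
        "tampered": library.access(tampered, now=t0 + 10),
        "expired": library.access(a_lib, now=t0 + 600),
    }
```

Three checks in `ServiceProvider.access` carry the security of the flow: the signature ties the attributes to the campus that authenticated the user, the audience check stops an assertion issued for the library from being presented to the e-learning portal, and the validity window limits how long a captured assertion is useful. The two targeted IDs for the same user differ, so the two service providers cannot join their records on it; the FEIDE-name, when released, is the identifier that does allow that, which is why its release is a policy decision rather than a default.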
Slide 28: Federating FEIDE, next try
  Federating with: federations, portals, local login servers
  Standards: SAML 2.0; SAML 1.1 + extensions; ID-FF 1.2 ?
Slide 29: Liberty Alliance framework
  Moving on with authentication services
  Who do we need to integrate with? eduGAIN, Government Security Portal, Shibboleth, private identity services
  Where do we find support for XYZ? Choose one of many LA-compliant vendors
  Industry grade solutions
  We can buy support
  Easy to integrate with public and private sector and their ID services (federations)
Slide 30: Sun Access Manager in FEIDE
  Liberty Alliance support
  Conformance testing mandatory
  Integrates in multi-vendor environment
  Part of Identity Management Suite
  Progress plan:
    Technical requirements November 27 2005
    Vendor chosen March 10 2006
    Demo with cross-federation June 20 2006
    Operational (formal) September 1 2006
  First ID-FF 1.2, then look at other standards
Slide 31: Future directions, federation
  Distributed federation (SAML, ID-FF)
  Cross-federating: eduGAIN, Government PKI-portal, Non-education federations
  Services for both higher and lower education
  Outreach program
Slide 32: Summary
  Campus identity management:
    Not an IT issue
    Move responsibility to where it belongs
    Provide technical solutions
  Federated identity management:
    Collaboration is the key
    Trust
    Policy
    Some technology
    Support the Liberty Alliance work
    What will happen with WS-Federation?
Slide 33: More information
  http://www.feide.no/index.en.html
  Email for FEIDE: administrasjon@feide.no
  Questions for Ingrid: ingrid.melve@uninett.no