Title: Federated Identity Management: Is The State of Texas Ready?
Slide 1: Federated Identity Management: Is The State of Texas Ready?
TASSCC 2008, August 12, 2008
- Paul Caskey
- The University of Texas System
- System-wide Information Services
Slide 2: Agenda
- Identity Management: The Basics
- Federating Technologies
- Benefits of Federation
- Challenges of Federation
- Examples of Federations
- Federations in Texas
- Federated Applications
- What Are Others Doing?
- How Could It Work In Texas?
- What Will The Future Hold?
- Next Steps
Slide 3: IdM: The Basics
- Identity Management
  - The union of policy, process, governance, and technology surrounding the creation, maintenance, and use of digital identities.
- Federation
  - An organized group of entities who share one or more:
    - Goals
    - Applications
    - Customers
    - Regulatory environments
    - Funding sources
    - Industry
Slide 4: IdM: The Basics (cont.)
- Federated Identity Management
  - Participating in an organized group of entities who agree to follow shared policies, maintain consistent practices, and trust other participants with respect to the creation, maintenance, and use of digital identities.
  - Moving away from application- or service-provider-based identity towards institutional or enterprise-based identity.
  - Authenticate locally, act globally!
Slide 5: Traditional Identity Management (diagram only; no slide text)
Slide 6: Federated Identity Concept (diagram; labelled elements: Benefits, Administrative Apps, Grid Computing, Compliance Training, Library)
Slide 7: IdM: The Basics (cont.)
- What are some of the policies and practices that are important in federated identity management?
  - Identity verification (vetting)
  - Credentialing
  - Password policies
  - Provisioning
  - Auditing
Slide 8: IdM: The Basics (cont.)
- Examples of policy standards and associated regulation that affect Federated IdM
  - US Federal Government's eAuthentication Credential Assessment Suite
  - Password Entropy Spreadsheet (assess password policy)
  - NIST Special Publication 800-63
  - The Office of Management and Budget memorandum OMB 04-04
  - US Federal Homeland Security Presidential Directive 12 (HSPD-12)
  - The European Union's privacy directive 95/46/EC
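An added example, not part of the slides: a small Python model of the kind of password-policy assessment the eAuthentication password-entropy spreadsheet automated, following the per-character heuristic of NIST SP 800-63 Appendix A. The per-character bit values and the two 6-bit bonuses follow the Appendix text as I recall it; the bonus schedule for passwords shorter than 8 characters is this example's approximation, so the SP's own table remains authoritative.

```python
# Added example (not from the slides): how many bits of guessing entropy a
# password POLICY guarantees, modelled on NIST SP 800-63 Appendix A. The
# question the spreadsheet answered: given the weakest password a policy
# still accepts, how much work does an attacker face? Short-length bonus
# values below are an approximation of the Appendix table.

def base_entropy_bits(length: int) -> float:
    """User-chosen password, no policy checks: 4 bits for the first
    character, 2 bits each for characters 2-8, 1.5 bits each for 9-20,
    1 bit each beyond 20."""
    bits = 0.0
    for pos in range(1, length + 1):
        if pos == 1:
            bits += 4.0
        elif pos <= 8:
            bits += 2.0
        elif pos <= 20:
            bits += 1.5
        else:
            bits += 1.0
    return bits

def dictionary_bonus_bits(length: int) -> float:
    """Bonus for rejecting dictionary words: up to 6 bits, assumed to
    matter most for short passwords and to fall to zero at 20 characters
    (6 bits through length 8, then 0.5 bit less per added character).
    Below 8 characters the bonus is capped at the length (approximation)."""
    if length <= 8:
        return float(min(6, length))
    return max(0.0, 6.0 - 0.5 * (length - 8))

def policy_min_entropy_bits(min_length: int, dictionary_check: bool = False,
                            composition_rule: bool = False) -> float:
    """Entropy credited to the weakest password a policy accepts.
    composition_rule: policy requires both upper-case and non-alphabetic
    characters (flat 6-bit bonus in the Appendix)."""
    bits = base_entropy_bits(min_length)
    if dictionary_check:
        bits += dictionary_bonus_bits(min_length)
    if composition_rule:
        bits += 6.0
    return bits

def policy_meets(required_bits: float, **policy) -> bool:
    """True if the policy guarantees at least required_bits; the threshold
    comes from the federation's assurance profile and is not fixed here."""
    return policy_min_entropy_bits(**policy) >= required_bits

if __name__ == "__main__":
    # Constructed comparison: 8-char complex-password rule vs 15-char passphrase rule.
    print(policy_min_entropy_bits(8, dictionary_check=True, composition_rule=True))  # 30.0
    print(policy_min_entropy_bits(15))  # 28.5
```

The comparison shows why a policy review should look at the whole rule set rather than length alone: the 8-character rule with both checks is credited more bits than a bare 15-character rule.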
Slide 9: IdM: The Basics (cont.)
- Examples of policy standards and associated rules and laws that affect Federated IdM (cont.)
  - Code of Federal Regulations Title 21, Part 11
  - HIPAA
  - FERPA (education only)
  - Sarbanes-Oxley (SOX)
  - Gramm-Leach-Bliley (GLB)
  - Texas TAC 202; Texas Business and Commerce Code (TBCC) Title 11, Personal Identity Information
Slide 10: Federating Technologies
- Security Assertion Markup Language (SAML): a standard developed and ratified by OASIS, an international non-profit standards organization.
- WS-Federation: a specification developed by IBM, Microsoft, BEA (and others). OASIS now has a technical committee tasked with standardizing WS-Fed.
- Liberty Identity Federation Framework (ID-FF): has now been integrated into the SAML 2.0 standard.
- OpenID: a user-centric distributed web-SSO technology, generally more lightweight and less focused around communities of trust than SAML.
Slide 11: Federating Technologies (cont.)
- SAML is the most robust, is mature, is internationally standardized, and has a large user base. (demo)
- Most available software supports multiple protocols.
  - Commercial: Sun, IBM/Tivoli, Oracle, Novell, Ping Identity
  - Open-source: Shibboleth (from Internet2)
- Here are some comparisons of SAML to WS-Fed:
  - Sun Blog 1
  - Sun Blog 2 (more in-depth)
Slide 12: Benefits of Federation
- Share resources (training systems)
- Collaborate (wikis)
- Lower costs (no application-based IdM)
- Increase security / improve the user experience (fewer usernames/passwords)
Slide 13: Challenges of Federation
- Deploying new infrastructure is hard
  - The infrastructure must be there before gains can be realized, which makes justification a challenge.
- Policy development can take considerable time.
- Trust can be difficult to achieve.
  - Good policy and governance help (trust but verify).
- Making it ubiquitous across entities of varying size is a challenge.
  - Many times, it is the smaller organizations that can benefit most.
Slide 14: Examples of Government-Funded Federations
- National
  - US: The Federal Government's eAuthentication initiative (www.cio.gov/eauthentication)
  - US: The InCommon Federation (www.incommonfederation.org)
  - Sweden (www.swamid.se)
  - Denmark (www.dk-aai.dk)
  - UK (www.ukfederation.org; 5 million users)
  - China (CARSI; shibboleth.edu.cn)
  - France (federation.cru.fr)
Slide 15: Examples of Government-Funded Federations (cont.)
- National (cont.)
  - Germany (www.dfn.de)
  - The Netherlands (federatie.surfnet.nl)
  - Norway (www.feide.no)
  - Finland (www.csc.fi)
  - Belgium (shib.kuleuven.be)
  - Australia (www.federation.org.au)
  - Switzerland (www.switch.ch)
Slide 16: Examples of Other Federations
- Medical Disaster Management: Project Sentinel (http://sentinel.georgetown.edu/)
- Cancer Research: caBIG (https://cabig.nci.nih.gov/)
- State-based
  - North Carolina (MCNC Project Page)
  - Texas: Lonestar Education and Research Network (LEARN), https://eco.tx-learn.net/ (more later)
Slide 17: Federation in Texas
- The University of Texas System Federation
  - Participants include only U.T. System institutions and sponsored affiliates.
  - Serves a constituency of 190,000 students and 80,000 employees
  - First federated application in 2004; official production status on 9/1/2006
  - Focus has been on business applications
  - 40 applications in use, including 4 (and counting) commercial products/services
Slide 18: Federation in Texas (cont.)
- The Lonestar Education and Research Network (LEARN) Federation
  - Participation is open to LEARN members and sponsored affiliates
  - In pilot operation as of spring 2008
  - Policy work underway
  - Governing board is being formed
  - One application in use (more under development)
Slide 19: Current Federated Applications
- Microsoft DreamSpark (LEARN Federation)
- Forensics Assessment Center Network (UT/LEARN)
- MobileCampus.com
- Cayuse
- Adobe Connect (compliance training)
- Blackboard (course management)
- MediaWiki
- Federated Wireless
- LegalTracking
- Risk Management (ISAAC)
- Financial Reporting
- Project Reporting
- Federated Sharepoint (in development)
Slide 20: What Are Others Doing?
- A quick Google search turned up mentions of Federated Identity Management in a surprising number of states
  - California
    - Federated IdM: The Blueprint (PPT)
  - New York
    - https://www.oft.state.ny.us/Policy/G07-001/ (trust model)
    - https://www.oft.state.ny.us/oft/IAM.htm (IAM)
  - Washington
    - http://dis.wa.gov/enterprise/enterprisearch/identitymgmtInitiativeCharter.doc (planning doc)
Slide 21: What Are Others Doing? (cont.)
- States that are discussing Federated IdM (cont.)
  - New Jersey
    - http://www.state.nj.us/it/ps/it_architecture.pdf
  - Nevada
    - http://www.nitoc.nv.gov/ARCH/arcdocs/2005/EAC-Minutes-2005-09-20.doc (older doc)
  - Wisconsin
    - IdM Overview
Slide 22: What Are Others Doing? (cont.)
- States that are discussing Federated IdM (cont.)
  - Nebraska
    - http://www.nitc.state.ne.us/events/conferences/egov/2004/files/345_UserAuthentication_Hartman-FedID.ppt
  - And, last, but most certainly not least, TEXAS
    - http://www.dir.state.tx.us/pubs/UserAccess/UserAccessStudy.pdf (DIR's user access study from 2006)
    - http://architecture.hhsc.state.tx.us/myweb/Documents%20page/identityManagement.doc (HHS)
Slide 23: How Could It Work in Texas?
- There are countless agency-to-agency applications
  - A variety of DIR reporting apps (security, projects, etc.)
  - Pediatric forensics (FACN)
  - Educational support (K-12)
  - Transportation (TxDOT)
  - Law enforcement
- The 800-pound elephant in this space is, of course, TexasOnline (government-to-citizen)
  - Who is the identity provider for Joe Citizen?
Slide 24: The Future?
- Standards convergence (SAML, WS-Fed, OpenID)
- Interfederation
  - Building trust paths between federations
  - In certain cases, the legal issues can be daunting (especially on an international basis)
- More public Identity Providers (Yahoo, Google)
  - ProtectNetwork.org already serves this purpose worldwide, and basic accounts are free.
- CardSpace/InfoCard
Slide 25: Next Steps for Texas
- To pursue a Federated Identity Management approach, Texas should:
  - Establish an IdM governance framework
  - Define IdM policies/best practices (this takes considerable time)
  - Identify a few low-risk, limited-audience applications
  - Begin pilot operations with those who are ready
  - Make arrangements for smaller agencies to use externally-hosted identity providers (like ProtectNetwork.org)
Slide 26
- So, is the State of Texas ready for Federated Identity Management?
  - The technology is available, secure, robust, reliable, and mature.
  - Policy frameworks exist.
  - Governance models can be established.
  - Expertise is available.
  - External services are ready.
  - The benefits are clear and significant.
  - We're only waiting on us!
Slide 27: Thank You!
- Paul Caskey
- (pcaskey_at_utsystem.edu)
- The University of Texas System
- System-wide Information Services