Authoritative Quality: From Campus Identity Management to a Federated Solution (PowerPoint presentation)



SLIDE 1

Authoritative Quality

From Campus Identity Management to a Federated Solution

EuroCAMP, Porto, 2005-11-07. Ingrid Melve, FEIDE manager

SLIDE 2

From campus identity management to a federated solution

- Case: FEIDE
- Campus Identity Management
- Authoritative Quality – the process
- Operational technical solutions
- Federating

SLIDE 3

FEIDE – Federated Electronic Identity for Norwegian Education

- FEIDE is a non-commercial identity management federation for people in education
- FEIDE is technology and platform agnostic
- FEIDE offers guidelines and policy for campus identity management
- FEIDE-names are valid for all education services, and may be used internally, for community services and with education-related services

SLIDE 4

A solution for whom?

- Higher ed: 230000 persons, 53 institutions
- (Lower ed: 780000)
- Total: 20% of population
- Tradition of sharing work
  - Dugnad (communal voluntary work)
- Many shared services
  - Common software
  - Application Service Providers
  - Common interfaces

SLIDE 5

FEIDE – the players

- End user: person with FEIDE-name
- Home organization (IdP): university or school with end user affiliation
- Service Provider: services and applications for end users

SLIDE 6

FEIDE – identity management for education

Identity management consists of:

- Information model
- Login service
- Chain of trust
- Policy issues
- Collaboration between educational institutions, service providers and vendors

SLIDE 7

FEIDE information model

- Identity providers (= campus)
- Authoritative data flows to the LDAP directory
- Information in a standard format
  - eduPerson, eduOrg
  - norEduPerson, norEduOrg, norEduOrgUnit
- Standardized import/export
  - Provisioning
  - Service Provider integration
- Requirements for campus identity management

SLIDE 8

Campus Identity Management

- Authoritative data sources
- BAS (CIMS) is the hub in the information flow
- All updates and changes flow through BAS
- BAS is a necessary component

SLIDE 9

Campus Identity Provider benefits

- Authoritative quality and control of information flow for all affiliated users
- Enhanced user management simplifies and automates
- Federated login provides access to services

SLIDE 10

CleanIT, the BAS/CIMS process

- Identify key data
- Identify who is responsible for
  - Initial data
  - Data updates
  - Data removal
- Organizational process
  - Move data maintenance out of the IT department
  - Enable Human Resource and Student Management staff to do their jobs better

SLIDE 11

What is BAS? Campus IdM (User Management System)

- Campus Identity Management
- Routines and policy for data updates
- Data quality, well-defined requirements
- Quality assurance (identity)
- Not really an «application»
- Technical solutions:
  - Cerebrum
  - Novell
  - Stover's Microsoft-based
  - (In-house ad-hoc solutions)
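The data-quality requirements of slides 7, 8 and 11 (authoritative data in eduPerson format, well-defined requirements, quality assurance of identity) can be checked before an export reaches the campus LDAP directory. The check below is an added example, not Cerebrum or FEIDE code; the required-attribute list, the accepted affiliation values and the sample export are assumptions constructed for illustration.

```python
import re

# Assumed minimal attribute requirements for illustration only; FEIDE's
# actual requirements are in its own documentation and not reproduced here.
REQUIRED = ("uid", "mail", "eduPersonPrincipalName", "eduPersonAffiliation")
AFFILIATIONS = {"faculty", "student", "staff", "employee", "member", "affiliate", "alum", "library-walk-in"}
EPPN_RE = re.compile(r"^[^@\s]+@[a-z0-9.-]+\.[a-z]{2,}$")

def parse_ldif(text):
    """Split a simple 'attr: value' LDIF export into {attr: [values]} dicts."""
    entries = []
    for block in text.strip().split("\n\n"):        # a blank line ends an entry
        entry = {}
        for line in block.splitlines():
            attr, _, value = line.partition(":")
            entry.setdefault(attr.strip(), []).append(value.strip())
        entries.append(entry)
    return entries

def check_entry(entry, realm):
    """Return the data-quality problems found in one person entry."""
    problems = [f"missing {a}" for a in REQUIRED if a not in entry]
    eppn = entry.get("eduPersonPrincipalName", [""])[0]
    if eppn and not EPPN_RE.match(eppn):
        problems.append(f"malformed eduPersonPrincipalName {eppn!r}")
    elif eppn and not eppn.endswith("@" + realm):   # names must be in the org's own realm
        problems.append(f"eduPersonPrincipalName realm is not {realm}")
    problems += [f"unknown eduPersonAffiliation {a!r}"
                 for a in entry.get("eduPersonAffiliation", []) if a not in AFFILIATIONS]
    return problems

def check_export(text, realm):
    """Map each entry's dn to its problems; clean entries are omitted."""
    return {e["dn"][0]: p for e in parse_ldif(text) if (p := check_entry(e, realm))}

# Constructed sample export; the organisation, people and values are made up.
SAMPLE = """\
dn: uid=ola,ou=people,dc=example,dc=no
uid: ola
mail: ola@example.no
eduPersonPrincipalName: ola@example.no
eduPersonAffiliation: student

dn: uid=kari,ou=people,dc=example,dc=no
uid: kari
eduPersonPrincipalName: kari@other.no
eduPersonAffiliation: guest
"""
```

Running `check_export(SAMPLE, "example.no")` reports nothing for the first entry and three problems for the second (missing mail, foreign realm, unknown affiliation), which is the kind of finding the CleanIT process hands back to the responsible HR or student-registry staff.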

SLIDE 12

Cerebrum

- Proof-of-concept
- Made for complex heterogeneous environments
- Implementation
  - PostgreSQL db
  - API set in Python
  - Information import
  - Information export
  - Java client (XMLRPC)
- Open software
  - http://cerebrum.sf.net
- Integrates with
  - FS, student registry
  - LSP, payroll system
  - ClassFronter
  - it's:learning
  - AD and NIS

SLIDE 13

Cerebrum modules

- NIS
- AD
- Mail (Exim)
- Mail (IMAP)
- LDAP (FEIDE)
- FS (5.0) student registry
- LT payroll system
- FRIDA report system
- RADIUS (via LDAP, NIS, AD)
- Home disk (NIS)
- Admin client (BOFH)
- VLE (ClassFronter)
- MSTAS student registry
- SATS/IST school registry
- Print accounting (via PRISS)
- Disk accounting
- Notes integration
- UA
- POLS payroll system
- AutoStud

SLIDE 14

Novell BAS solution

- Directory: eDirectory 8.7.3
- Data synchronization: Identity Manager 2.0
- Data management: iManager 2.0.2
- Cluster of 5 university colleges in user group
- Future solution: Novell Access Manager
- Example: Sogn and Fjordane University College

SLIDE 15

Stover's Microsoft-based solution

- Active Directory (ADAM)
- Microsoft Identity Integration Server
- Integrates with
  - FS and MSTAS student registries
  - VLE: ClassFronter
  - PABX
- Cluster of 6 university colleges
  - User group
  - Community support

SLIDE 16

Example: Ålesund University College

[Diagram; only its labels survived extraction. Components: MSTAS, MIIS (BAS), ADAM, LDAP-FEIDE, MORIA, AD-ADMIN (staff and grey-zone users). Connected services: ARENA, FRONTER, LPS, NetEd, web publishing, timetable (Switch), course catalogue, Nexus, TRIO telephone exchange, INTEGRA access and security control with card production. Legend: data flow, LDAP authentication, uncertainty.]

SLIDE 17

Campus Identity Management Systems

- Several systems are operational, pick one for your campus
- Integration with local systems decides which one to choose; dialogue with vendor
- Not cost-effective to have many
- Federating across different systems is relatively painless
- Interfaces are important in bottom-up design
- Collaboration, work with vendors

SLIDE 18

Campus status

Organisation | BAS | Number of FEIDE names
NTNU | BDB | 22000
Universitetet i Bergen | SEBRA | 20000
Universitetet i Oslo | Cerebrum | 36000
Universitetet i Stavanger | ? | ?
Universitetet i Tromsø | Cerebrum | ? (a further cell in this row reads Egenutv., in-house developed)
Arkitekthøgskolen i Oslo | ? | ?
Høgskolen i Agder | Cerebrum | 8000
Høgskolen i Akershus | ? | ?
Høgskolen i Bodø | ? | ?
Høgskolen i Buskerud | Novell | ?
Høgskolen i Finnmark | Novell | 2000
Høgskolen i Gjøvik | ? | ?
Høgskolen i Harstad | ? | ?
Høgskolen i Hedmark | Novell | ?
Høgskolen i Lillehammer | Novell | 3241
Høgskolen i Narvik | Microsoft | 1800
Høgskolen i Nesna | ? | ?
Høgskolen i Nord-Trøndelag | Microsoft | ?
Høgskolen i Oslo | (not extracted) | 11000
Høgskolen i Sogn og Fjordane | Novell | 2800
Høgskolen Stord/Haugesund | Microsoft | ?
Høgskolen i Sør-Trøndelag | Cerebrum | 8000
Høgskolen i Telemark | ? | (not extracted)
Høgskolen i Vestfold | Novell | ?
Høgskolen i Volda | Novell | 3500
Høgskolen i Østfold | Cerebrum | ?
Høgskolen i Ålesund | Microsoft | 1250
Universitetet for miljø- og biovitenskap | egenutviklet (in-house developed) | (not extracted)

[The original table also had rollout-status columns (students, staff, others, FEIDE) whose marks did not survive extraction; one further cell reading egenutviklet (in-house developed) at the end of the extracted table could not be assigned to a row.]

SLIDE 19

Future directions, campus IdM

- Responsibility placed outside IT department
- Consolidating BAS for user management
  - Technical solutions
  - Policy and regulations
  - Giving access to someone I do not control?
- Interfaces
  - XML definitions for import/export
  - LDAP based on eduPerson/noredu*
- Available software is improving

SLIDE 20

Why federate?

- Users, home organizations and service providers need to exchange information
- Trust establishment
- Information exchange
  - Policy
  - Technology

SLIDE 21

FEIDE federates education

Federations:

- authenticate
- enforce information flow policy
- privacy control
- security
- trust establishment

SLIDE 22

FEIDE – trust chain

- FEIDE regulates service providers and home organizations
- Formal contractual agreements
- Transitive trust from end user to service provider via identity provider

SLIDE 23

FEIDE login

1) User tries to access a service
2) Service transfers the user to FEIDE login
3) Authentication is done at campus
4) Authentication is confirmed with the service, possibly with attribute release
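The four login steps above, together with the information-flow policy of slide 21 and the contractual trust chain of slide 22, can be modelled end to end: the service must be a registered member, the password is verified by the user's home organisation (selected by the realm of the FEIDE-name), and only the attributes that service is contracted for are released. This script is an added example, not Moria or FEIDE code; the service provider registry, the home organisation, its user and the release rules are all constructed assumptions.

```python
import hashlib
import hmac
import secrets

def _pw_hash(password, salt):
    return hashlib.pbkdf2_hmac("sha256", password.encode(), salt, 50_000)

# Constructed federation registry (assumed policy, not FEIDE's real contracts):
# only SPs with an agreement are listed, each with the attributes it may receive.
SERVICE_PROVIDERS = {
    "vle.example.org": {"eduPersonPrincipalName", "eduPersonAffiliation"},
    "library.example.org": {"eduPersonAffiliation"},
}

# Constructed home organisation (the campus IdP side): realm -> users.
# A real deployment verifies the password against the campus directory.
HOME_ORGS = {
    "example.no": {
        "ola": {"salt": b"salt-ola", "hash": _pw_hash("correct horse", b"salt-ola"),
                "attributes": {"eduPersonPrincipalName": "ola@example.no",
                               "eduPersonAffiliation": "student",
                               "mail": "ola@example.no"}},
    }
}

def step2_redirect(sp_id):
    """Step 2: the service hands the user to FEIDE login with a one-time request id."""
    if sp_id not in SERVICE_PROVIDERS:        # no contract, no federated login
        raise PermissionError(f"{sp_id} is not a federation member")
    return {"sp": sp_id, "request_id": secrets.token_hex(8)}

def step3_authenticate(request, feide_name, password):
    """Step 3: authentication is done at the user's home organisation (by realm)."""
    user, _, realm = feide_name.partition("@")
    account = HOME_ORGS.get(realm, {}).get(user)
    if account is None:
        return None
    if not hmac.compare_digest(_pw_hash(password, account["salt"]), account["hash"]):
        return None
    return {"request_id": request["request_id"], "sp": request["sp"],
            "user": user, "realm": realm}

def step4_confirm(session):
    """Step 4: confirm login to the service, releasing only contracted attributes."""
    allowed = SERVICE_PROVIDERS[session["sp"]]
    attrs = HOME_ORGS[session["realm"]][session["user"]]["attributes"]
    return {"request_id": session["request_id"], "authenticated": True,
            "attributes": {k: v for k, v in attrs.items() if k in allowed}}
```

The library service receives only the affiliation, the VLE receives the principal name as well, and the mail attribute is never released because no contract lists it.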

SLIDE 24

FEIDE for Norwegian education

- Operational campus (start 2003)
  - Universities: 2003 - early 2006
  - University Colleges: 2004 - 2006
  - Lower education: phasing in from fall 2006
- Operational service providers
  - Shared services in higher ed: 2003 - 2006
  - Community web services in lower education: 2006 – 2007
  - Local university services: 2003 – 200X

SLIDE 25

Federating FEIDE, first try

SLIDE 26

Federation software: Moria

- Open source, http://moria.sf.net
- Operational since 2003 (a year before Shib :)
- Technology
  - Centralized login solution (Web Service)
  - Distributed directory solution (LDAP)
  - Java
- FEIDE is adding support for SAML and Shibboleth, possibly in Moria

SLIDE 27

Federating FEIDE, next try

- Federating with
  - federations
  - portals
  - local login servers
- Standards
  - SAML 2.0
  - SAML 1.1 + extensions
  - ID-FF 1.2 ?

SLIDE 28

Future directions, federation

- Distributed federation (SAML, ID-FF)
- Cross-federating
  - eduGAIN
  - Government PKI-portal
  - Non-education federations
- Services for both higher and lower education
- Outreach program

SLIDE 29

Summary

- Campus identity management
  - Not an IT issue
  - Move responsibility to where it belongs
  - Provide technical solutions
- Federated identity management
  - Collaboration is the key
  - Community effort
  - Trust
  - Policy
  - Some technology

SLIDE 30

More information

- http://www.feide.no/index.en.html
- Email for FEIDE: administrasjon@feide.no
- Questions for Ingrid: ingrid.melve@uninett.no