An Introduction to Identity and Access Management

1
An Introduction to Identity and Access Management
Ken Klingenstein Director, Internet2 Middleware
and Security

• Borrowed from
• Keith Hazelton (hazelton_at_doit.wisc.edu)
• Sr. IT Architect, University of Wisconsin-Madison

2
Topics

• What is Identity Management (IdM)?
• The IdM Stone Age
• A better vision for IdM
• An aside on the value of affiliation / group /
  privilege management services
• Basic IdM functions mapped to open source
  components
• Demands on IT and how IdM services help

3
Identity and Access Management(IAM) defined

• What is Identity Management?
• Identity management is the set of business
  processes, and a supporting infrastructure, for
  the creation, maintenance, and use of digital
  identities. The Burton Group (a research firm
  specializing in IT infrastructure for the
  enterprise)
• Identity Management in this sense is often called
  Identity and Access Management (IAM)
• What problems do Identity and Access Management
  address?

4
IAM is

• Hi! Im Lisa. (Identity)
• and heres my NetID / password to prove it.
• (Authentication)
• I want to do some E-Reserves reading.
• (Authorization ? Allowing Lisa to use
  the services for which shes authorized)
• And I want to change my grade in last semesters
  Physics course.
• (Authorization ? Preventing her from doing
  things shes not supposed to do)

5
IAM is also

• New hire, Assistant Professor Alice
• Department wants to give her an email account
  before her appointment begins so they can get her
  off to a running start
• How does she get into our system and get set up
  with the accounts and services appropriate to
  faculty?

6
What questions are common to these scenarios?

• Are the people using these services who they
  claim to be?
• Are they a member of our campus community?
• Have they been given permission?
• Is their privacy being protected?
• Policy/process issues lurk nearby

7
The IAM Stone Age

• List of functions
• AuthN Authenticate principals (people, servers)
  seeking access to a service or resource
• Log Track access to services/resources

8
The IAM Stone Age

• Every application for itself in performing these
  functions
• User list, credentials, if youre on the list,
  youre in (AuthN is authorization (AuthZ)
• And some identifiers are assigned nationally,
  with uncertain value locally

9
Vision of a better way to do IAM

• IAM as a middleware layer at the service of any
  number of applications
• Requires an expanded set of basic functions
• Reflect Track changes to institutional data from
  changes in Systems of Record (SoR) other IdM
  components
• Join Establish maintain person identity across
  SoR
• Credential issue digital credentials to people
  in the community

10
Basic IAM functions mapped to theNMI / MACE
components
Enterprise Directory
Systems of Record
Stdnt
Registry
LDAP

• Reflect

HR

• Join

Other

• Credential

11
Your Digital Identity and The Join

• The collection of bits of identity information
  about you in all the relevant IT systems at your
  institution
• For any given person in your community, do you
  know which entry in each systems data store
  carry bits of their identity?
• If more than one system can create a person
  record, you have identity fragmentation

12
The pivotal concept of IAM The Join

• Identity fragmentation cure 1 The Join
• Use business logic to
• Establish which records correspond to the same
  person
• Maintain that identity join in the face of
  changes to data in collected systems

13
Identity Information Access

• Some direct from the Enterprise Directory via
  reflection from SoR
• Other bits need to be made reachable by
  identifier crosswalks

Registry ID Sys A ID Sys B ID Sys C ID Sys D ID
3a104e59 fsmith32 86443 freds 864164
8c2f916d abecker1 45209 amyb 752731
14
Identity Fragmentation Cure 2

• When you cant integrate, federate
• Federated Identity Access Management
• Rely on the Identity Management infrastructure of
  one or more institutions or units
• To authenticate and pass authorization-related
  information to service providers or resource
  hosts
• Via institution-to-provider agreements
• Facilitated by common membership in a federation
  (like InCommon)
• Shibboleth is a way to move the authNZ info
  between parties

15
Basic IAM functions mapped to theNMI / MACE
components
Apps / Resources
Enterprise Directory

• AuthN

Systems of Record

• AuthN

• Log

• Reflect

• Provision

• Join

A-Select, CAS, etc

• Credential

• AuthZ

• Mng.
• Affil.

• Mng.
• Priv.

• Relay

• Log

Grouper
Signet
Shibboleth
16
Vision of a better way to do IAM

• More in the expanded set of basic functions
• Mng. Affil. Manage affiliation and group
  information
• Mng. Priv. Manage privileges and permissions at
  system and resource level

17
Managing Roles Privileges

• Role-Based Access Control (RBAC) model
• Users are placed into groups
• Privileges are assigned to groups
• Groups can be arranged into hierarchies to
  effectively bestow privileges
• Signet manages privileges
• Grouper manages, well, groups

Grouper
Signet
18
Vision of a better way to do IAM

• More in the expanded set of basic functions
• Provision Push IAM info out to systems and
  services as required
• Relay Make access control / authorization
  information available to services and resources
  at run time
• AuthZ Make the allow deny decision independent
  of AuthN

19
Provisioning

• Getting identity information where it needs to be
• For Apps with Attitude, this often means
  exporting reformatted information to them in a
  form they understand
• Using either App-provided APIs or tricks to write
  to their internal store
• Change happens, so this is an ongoing process

20
Two modes of app/IdM integration

• Domesticated applications
• Provide them the full set of IdM functions
• Applications with attitude (comes in the box)
• Meet them more than halfway by provisioning

21
IAM functions
Reflect Data of interest
Join Identity across SoR
Credential NetID, other
Manage Affil/Groups AuthZ info
Manage Privileges More AuthZ info
Provision Gen. AuthNZ info into app space
Relay AuthZ info to app on request
Authenticate Identity claim
Authorize access decision (allow/deny)
Log usage for audit, accounting,

22
Alternative packaging of basic IdM
Apps / Resources
Enterprise Directory

• AuthN

Systems of Record

• AuthN

• Log

• Reflect

• Provision

• Join

Kerberos

• Credential

• AuthZ

LDAP

• Mng.
• Affil.

• Relay

• Log

Directory Plug-ins
23
Alternative packaging of basic IdM functions
Single System of Record as Enterprise Directory
Student -HR Info System
Registry
LDAP

• "Join"

• Reflect

• Credential

24
Single SoR as Enterprise Directory

• Who owns the system?
• Do they see themselves as running shared
  infrastructure?
• Will any external populations ever become
  internal?
• What if hospital negotiates a deal?
• Stress-test alternative packaging by thinking
  through the list of basic IdM functions

25
Same IdM functions, different packaging

• Your IdM infrastructure (existing or planned) may
  have different boxes lines
• But somewhere, somehow this set of IdM functions
  is getting done
• Gives us all a way to compare our solutions by
  looking at various packagings of the IdM functions

26
From Construction to Integration

• Construction
• Raw materials into systems
• Integration
• Subsystems into whole systems
• Multiple systems into ecosystems
• Were all moving from construction to integration
• Lets review state of middleware systems
  readiness for integration

27
IAM and Application Integration
28
Middleware -- Application Integration

• ERPs
• SAKAI
• uPortal

29
As for Lisa

• Sez who?
• What Lisas username and password are?
• What she should be able to do?
• What she should be prevented from doing?
• Scaling to the other 40,000 just like her on
  campus

30
As for Professor Alice

• What accounts and services should faculty members
  be given?
• At what point in the hiring process should these
  be activated?
• Methods need to scale to 20,000 faculty and staff
• In all of these, a full IAM infrastructure would
  provide the technical part of a solution

31
Policy issues re credential function NetID

• When to assign, activate (as early as possible)
• Who gets them? Applicants? Prospects?
• Guest NetIDs (temporary, identity-less)
• Reassignment (never except)
• Who can handle them? Argument for WebISO.

32
Inter-institutional integrationthe transport
function

• Federations
• Peering of federations
• Levels of assurance
• Attribute mapping
• WAYF functionality
• Virtual Organization (VOs)

33
Alternatives to IP Address Based Access
Restriction

• User-based access restriction
• Each service provider manages credentials for all
  of its users
• One big credential database of all users used by
  all service providers
• Each user has a home organization whose
  credential database can, by magic, be used by
  each service provider
• ???

34
Federated Identities

• Federated identities is option C on previous
  slide
• A hierarchical approach to decompose the problem
  into manageable pieces
• Analogous to the problem that IAM addresses, and
  rests upon IAM infrastructure
• Federating technology is the magic part of
  option C
• Identity federation (noun) is a set of service
  providers, identity providers, and other context
  in which the magic happens

35
Federating Technologies

• SAML implementations
• Security Assertion Markup Language
• Shibboleth
• Bodington/Guanxi
• AthensIM
• SourceID
• SAMUEL
• MS ADFS
• Other proprietary

• Liberty Identity Federation implementations
• SourceID
• Lasso
• Proprietary
• Others
• MS Inter-Forest Trust

36
IAM functions big pictures
Manage Grps
Log
AuthZ
Reflect
Provide/run-time
Join
Credential
Manage Privs
Provide/provision
(AuthN)
37
A closer look at managing affiliations, groups
and privileges

• How does this help the harried IT staff?

38
What is IT being asked to do?

• Automatic creation and deletion of computer
  accounts
• Personnel records access for legal compliance
• One stop for university services (portal)
  integrated with course management systems

39
What else is IT being asked to do?

• Student record access for life
• Submission and/or maintenance of information
  online
• Privacy protection

40
More on the To Do list

• Stay in compliance with a growing list of policy
  mandates
• Increase the level of security protections in the
  face of a steady stream of new threats

41
More on the To Do list

• Serve new populations (alumni, applicants,)
• More requests for new services and new
  combinations of services
• Increased interest in eBusiness
• There is an Identity Management aspect to each
  and every one of these items

42
How full IdM layer helps

• Improves scalability IdM process automation
• Reduces complexity of IT ecosystem
• Complexity as friction (wasted resources)
• Improved user experience
• Functional specialization App developer can
  concentrate on app-specific functionality