Providing Secure Access to On and Off-Campus Resources: A Case Study in Federated Identity
John O’Keefe
Director of Academic Technology & Network Services
Lafayette College
https://spaces.internet2.edu/display/[email protected]/Presentation+on+FIdM
Why Do IdM and FIdM Matter?
Why is IdM So Important?
• Many systems, many logins
• Access, Authorization, Accounting
• Regulations
• Seamless access to internal apps (Single Sign-On)
• Business process improvement
Strong Foundational IdM Leads to FIdM
• Use Federation and Shibboleth guidelines as you develop IdM systems
• Extending schemas
• Developing business practices
• Automation of provisioning and de-provisioning must be your goal
What is Federated Identity Management?
• A Federation is “An association of organizations that come together to exchange
information as appropriate about their users and resources in order to enable
collaborations and transactions.” FIdM includes both practices and technologies
relative to this exchange.
FIdM Practices
• Account creation and termination procedures
• Properly maintained and secured identity store
• Attribute Release Policy (ARP)
• Cooperation from key administrative units (HR, Admissions)
• Policies and procedures to match Level of Assurance (LoA)
FIdM Technologies
• Microsoft CardSpace
• OpenID
• Shibboleth
Shibboleth
• Most common in Higher Education
• Based on eduPerson
• InCommon Federation
• Tomcat/Java/OpenLDAP/AD/eDirectory
• SAML - Security Assertion Markup Language
Shibboleth’s Two Heads
• Identity Provider (IdP) - Sharing authentication and person attributes with others
• Service Provider (SP) - Sharing hosted services with others
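The SP side of this exchange, as an added example that is not part of the original slides or of Shibboleth's own code: the checks an SP applies to a received SAML 2.0 assertion before it hands eduPerson attributes to an application (validity window, audience restriction, attribute map, and the scope check that keeps an IdP from asserting affiliations outside the scope it is registered for in federation metadata). The assertion, entityIDs and scope are constructed; verification of the XML signature against the IdP's metadata certificate is assumed to have happened already and is not shown.

```python
import xml.etree.ElementTree as ET
from datetime import datetime, timezone
NS = {"saml": "urn:oasis:names:tc:SAML:2.0:assertion"}
# Shibboleth 2 names eduPerson attributes by OID in SAML 2 assertions
OID = {"urn:oid:1.3.6.1.4.1.5923.1.1.1.9": "eduPersonScopedAffiliation",
       "urn:oid:1.3.6.1.4.1.5923.1.1.1.6": "eduPersonPrincipalName"}
# Constructed assertion: the second affiliation value is outside the IdP's scope
SAMPLE = """<saml:Assertion xmlns:saml="urn:oasis:names:tc:SAML:2.0:assertion">
 <saml:Conditions NotBefore="2009-01-10T12:00:00Z" NotOnOrAfter="2009-01-10T12:05:00Z">
  <saml:AudienceRestriction><saml:Audience>https://sp.example.org/shibboleth</saml:Audience></saml:AudienceRestriction>
 </saml:Conditions>
 <saml:AttributeStatement>
  <saml:Attribute Name="urn:oid:1.3.6.1.4.1.5923.1.1.1.9">
   <saml:AttributeValue>student@example.edu</saml:AttributeValue>
   <saml:AttributeValue>member@other.example</saml:AttributeValue>
  </saml:Attribute>
  <saml:Attribute Name="urn:oid:1.3.6.1.4.1.5923.1.1.1.6">
   <saml:AttributeValue>jdoe@example.edu</saml:AttributeValue>
  </saml:Attribute>
 </saml:AttributeStatement>
</saml:Assertion>"""
def _ts(s):
    return datetime.strptime(s, "%Y-%m-%dT%H:%M:%SZ").replace(tzinfo=timezone.utc)
def accept_assertion(xml, sp_entity_id, idp_scopes, now):
    """Return the attributes to hand to the application, or raise ValueError.
    idp_scopes: the scopes this IdP is registered for in federation metadata."""
    root = ET.fromstring(xml)
    cond = root.find("saml:Conditions", NS)
    if not _ts(cond.get("NotBefore")) <= now < _ts(cond.get("NotOnOrAfter")):
        raise ValueError("assertion outside its validity window")
    if sp_entity_id not in [a.text for a in cond.findall(".//saml:Audience", NS)]:
        raise ValueError("assertion not addressed to this SP")
    attrs = {}
    for attr in root.findall(".//saml:Attribute", NS):
        name = OID.get(attr.get("Name"))
        if name is None:
            continue  # not in the SP's attribute map, so it never reaches the app
        values = [v.text for v in attr.findall("saml:AttributeValue", NS)]
        if name in ("eduPersonScopedAffiliation", "eduPersonPrincipalName"):
            # scope check: an IdP may only assert values within its own scope(s)
            values = [v for v in values if v.rpartition("@")[2] in idp_scopes]
        attrs[name] = values
    return attrs

def check(now="2009-01-10T12:01:00Z", sp="https://sp.example.org/shibboleth"):
    try:  # runs the checks on SAMPLE; returns the attributes or the rejection reason
        return accept_assertion(SAMPLE, sp, {"example.edu"}, _ts(now))
    except ValueError as e:
        return str(e)
```

Calling `check()` with the defaults returns only the scoped values the IdP is authoritative for, which is the same filtering a Shibboleth SP performs from the `Scope` elements in the IdP's metadata.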
Why Federated IdM?
• Access to content, resources, and services both inside and outside the institution
• Facilitates collaboration
Access to Content & Services
• Library content (Jstor, RefWorks)
• Federal agencies (NSF, Dept. of Ed)
• Student enrollment verification
• Hosted applications off campus (Google, Microsoft, etc.)
• Single Sign-On (SSO) for web based applications
• I2 computing and instrumentation resources
Facilitates Collaboration
• Enables faculty and students both within and beyond your institution to use a
common set of applications
• Enables faculty and students both within and beyond your institution to access, share,
and manipulate a common set of data
• Enables faculty and students both within and beyond your home institution to access
research tools over the Internet and Internet2
Case Study @ Lafayette College
The Beginning
• Net@EDU 2003: Introduction to Shibboleth 1.0
• ITS/Library merge 2005: 11 different username/password combinations
• Users demanding better service
Centralize Identity Store
• Decide on single, central Identity Store (OpenLDAP)
• Migrate to and secure Identity Store
• Develop policies for data stewardship, password management, Help desk, ARP
• Provision and de-provision accounts according to established policies
Moving Towards Federated Identity Management
• Implemented eduPerson schema extensions (for Moodle, iTunesU)
• Used Shibb/InCommon as a guide
• Implemented Shibboleth March 2007
• Joined InCommon June 2007
Lafayette and FIdM In Production
Our Installation
• RedHat Enterprise 5
• Tomcat 5.5.2.6
• Apache 2.2
• Shibboleth 2.1.1 (SP and IdP, each running on a blade server)
• Member of InCommon since 2007
• 30% of 1 FTE
What We Do With Federated Identity Today
• DreamSpark
• Internal network management apps
• Library Applications (Jstor, RefWorks)
• Moodle Spaces (Lafayette’s collaborative Moodle instance)
• Spaces (I2 wiki)
• University Tickets Online
• University of Washington Technology Wiki
What’s Next for LC and FIdM: Internal Apps
• Drupal
• MediaWiki
• Secure websites (replace .htaccess files)
• Single Sign-On
• WordPress MU
• Zimbra
What’s Next for LC and FIdM: External Apps
• Collaborations with other schools
• Financial Aid Applications
• Google Apps
• GridShib
• iTunesU
• NITLE services
• NSF & Grant Application/Management
Projects On The Horizon
• Automate account creation/termination procedures
• Encourage others to implement Shibboleth
• More hooks and info into identity vault
• Comply with Silver Level of Assurance (LoA) for Federal applications
Challenges and Lessons Learned
• Support
• Promotion/Explaining FIdM
• Training (CAMP, NITLE conference)
• Finding others to work with
Links & Resources
• All relevant links can be found at: https://spaces.internet2.edu/display/[email protected]/Links+and+Resources
Copyright John O’Keefe January 2009
This work is the intellectual property of the author. Permission is granted for this material to be shared for
non-commercial, educational purposes, provided that this copyright statement appears on the
reproduced materials and notice is given that the copying is by permission of the author. To disseminate
otherwise or to republish requires written permission from the author.