Shibboleth For AuthZ
June 27, 2006 | 1 Comment
I had the opportunity to spend a fair amount of time discussing Shibboleth with Vishal Goenka and Josh Horner while I was at Summit 2006 in Orlando. I wanted to know about the support for Shibboleth that was supposed to be coming in a future version of Luminis and a bit about how it will work. During this discussion it became clear to me that Shibboleth’s core ability for attribute release allows applications to get the information they need to make authorization (authZ) decisions.
Until this point I had only though of Shibb as a solution for inter-organizational web-based single-sign on (Federated SSO or WebISO or WebSSO). I knew I could use Shibboleth internally to serve as my WebSSO, but we already have a hugely successful implementation of CAS in our environment. Additionally I haven’t been able to point at a killer application of the federated WebSSO ability. I knew this driver would be coming, but without immediate demand I was luke warm on Shibboleth.
However, the ability to use Shibboleth internally as a central authority for attribute release and in turn a consistent way of doing centralized AuthZ is a gigantically huge win for us. No longer will every homegrown application need to establish it’s own authorization layer with associated interfaces for maintaining that data. Now I have a serious driver for getting Shibboleth in our environment as soon as possible.
So that’s the lead-in to why Ted Wisniewski, Ken Kochien, and I are attending CAMP Shibboleth: Enabling Campus and Federated Single Sign-On.
Tags: authentication, authorization, camp_062, federated, federation, josh horner, shibb, shibboleth, single sign on, sso, summit, vishal goenka, webiso, websso
NERCOMP: Identity Management SIG
September 27, 2005 | 35 Comments
Yesterday we attended the NERCOMP Identity Management Workshop at the College of the Holy Cross.
Steve Carmody of Brown University explained an ideal infrastructure including a reminder for me to review “Identifiers, Authentication, and Directories: Best Practices for Higher Education” by Internet2. Carmody had a lot of great things to say, giving a solid overall update of how Internet2 and MACE are coming along with Shibboleth, Grouper, Signet, and various other initiatives. He also pointed me at Sun’s XACML Implementation which is very interesting.
Christopher Misra of UMass Amherst and Robert Banz of UMBC both presented on their current IdM initiatives. They both seem to have established IdM infratructures which need one enhancement or another.
In the final time slot was a general group discussion. I took this opportunity to ask how schools are establishing and maintaining credentials remotely. No one had an answer that was ideal, I suggested our current proposal and no one seemed to have any criticisms. One person suggested that maybe we don’t need to have as secure a system as we’re proposing to merely secure someone’s email. My reply to this was in a federated world with connections to the federal PKI bridge, InCommon services, and more, we are securing far more than email. It is our responsibility to have as high a level of assurance as possible.
Tags: authentication, authorization, credentials, grouper, higher education, identity, identity management, internet2, MACE, NERCOMP, password, passwords, shib, shibboleth, signet, xacml
Assuring Identity Remotely
August 1, 2005 | 1 Comment
We are currently reassessing our credentialling process and in the course of my research here, I was reading Citizen & Commerce Certificate Policy Version 1.0 which states:
The identity may be established in any of the following manners:
(1) The identity may be established through in-person appearance at the credential provider, or its agent, with physical credentials (e.g., driver’s license or birth certificate). Collection of certified mail is one example of in-person appearance at an agent of the credential provider.
(2) The identity may be established using procedures similar to those used when applying for consumer credit and authenticated through information in consumer credit databases or government records, such as:
• the ability to place calls from or receive phone calls at a given number; or
• the ability to obtain mail sent to a known physical address.
(3) Where an ongoing business relationship with the credential provider or a partner company (e.g., a financial institution, airline, or retail company) exists, the identity may be authenticated through information derived from the business relationship such as:
• the ability to obtain mail at the billing address used in the business relationship; or
• verification of information established in previous transactions (e.g., previous order
number) ; or
• the ability to place calls from or receive phone calls at a phone number used in
previous business transactions.
The second option fits nicely in with a solution we are preparing to present for our campus and online education.
I’ll be posting more on this soon, for now we are calling our plan: “The Modified Tilley Hat Method”.
Tags: authorization, credentials, identity, identity management, level of assurance