US Federal E-Authentication and Higher Education
March 28, 2007
The United States federal government has been working actively on an E-Authentication project since 2003, in response to the E-Government Act of 2002. Movement has been slow, but many federal agencies now leverage this infrastructure in a federated manner. For more detail on the initiative, see the publicly available Burton Group report on the Federal E-Authentication Initiative; for a more current view, see the GCN article "E-Authentication maps out its future".
Since then, work has gone into bridging both Liberty Alliance and Shibboleth-based federations with the e-Government services. Involvement also extends to the Post Secondary Electronic Standards Council (PESC), which is working with all of these organizations to ensure that higher education is appropriately represented. NSF Fastlane and Federal Student Aid (FAFSA) seem like the most obvious first candidates to work with higher education institutions.
With all the activity around the federal government deploying these services in a federated manner, institutions should be getting their internal identity infrastructure in place now to support and interoperate with one of the major federations (InCommon, the federal E-Authentication federation, etc.).
Tags: "liberty alliance", act, authentication, burton group, e-authentication, eauth, eauthentication, egovernment, fafsa, fastlane, federal, federated, federation, financial aid, gcn, government, higher education, identity, identity management, idm, incommon, initiative, liberty, pesc, pki, shibboleth
Win2K3 R2 TechNet with Michael Murphy, Dig It?
March 1, 2006
Point of fact, no.
Yesterday I attended a Microsoft TechNet event with Michael Murphy. My interest in this specific TechNet was to learn what I could about Microsoft’s federated identity management plans.
The good news is that Active Directory Federation Services (ADFS) is now released. This package implements the WS-Federation standard for federated single sign-on (SSO).
To Murphy’s credit he started the federated discussion with what I think is the perfect analogy, the driver’s license. I’ll talk more about that at a later point, but I loved his quote: “Where is my driver’s license for the Internet?”
It was when he started to be asked questions about their solution that his shallow knowledge and inexperience in this field became readily apparent. A gentleman asked the question, “How does this relate to the Liberty Alliance?” Murphy was not at all familiar with “Liberty” and basically dismissed the question. Unfortunately this would be like someone presenting about SQL Server and not being familiar with MySQL…
Anyway, another participant tried to get at what might allow LA and ADFS to interact; he asked: “Is this product SAML compliant?” Murphy said he’d never heard of SAML, and to him it sounded “like a camel named Sam.” Obviously this response was not useful to anyone…
At this point I piped up and asked how ADFS exchanged authorization information with the service provider; the question was something like “how does it assert authorization and attribute information?” Murphy said it doesn’t. Unfortunately I knew this had to be untrue…
ADFS could not possibly be ONLY about authentication and completely ignore the authorization issue. I re-framed my question saying that attributes and authorizations were key to identity. He said they were not, this system addressed the authentication issue and attribute information was never communicated. Fear of sounding more like a dink led me to give up at this point…
I should have asked “What good is your driver’s license without attributes for your age, sight restriction, etc.?” Maybe he would have “got it” then…
Moving on, Murphy demoed how the interaction would occur using some virtual servers he had. The interface for managing and setting up these federated connections seemed pretty easy and intuitive.
When Murphy logged into the service provider interface in the demo, I immediately noticed that the newly created account already had a bunch of attributes. Most notably, a $500 spending limit.
I had to ask: “How does the service provider know this newly created user has a $500 spending limit?” Murphy stumbled with this, but threw out a blatantly off-the-cuff and incorrect response.
At this point a guy behind me asked “Can you scroll down?” This was it: clearly my fears of a half-implemented federated system were really just due to a poor presenter. A pile of attributes, including custom-defined ones such as title, was being listed in a textarea as the things being passed.
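The thing the whole exchange above turns on is that a federation token carries more than a yes/no on authentication: the resource side reads the attributes out of the same assertion and makes its authorization decisions (the $500 limit) from them. As an added illustration, not code from this post or from Microsoft, here is what the relying-party side of that looks like for the kind of SAML 1.1 assertion a WS-Federation passive sign-in carries: check the validity window and audience, require an authentication statement, pull the attribute claims for the same subject, and decide a purchase from the asserted spending limit. The assertion is constructed for the example; the claim namespace, attribute names, and the issuer and audience URIs are assumptions. XML signature verification, which a real relying party must do before trusting any of this, is deliberately left out.

```python
"""Relying-party view of a SAML 1.1 assertion carried by a WS-Federation sign-in.

Added example, not code from the post or from ADFS. The assertion below is
constructed; the claim namespace (http://schemas.xmlsoap.org/claims), the
attribute names, and the issuer/audience URIs are assumptions for illustration.
XML signature verification, which a real relying party must do before trusting
any of this, is deliberately not shown.
"""
from datetime import datetime, timezone
import xml.etree.ElementTree as ET

SAML_NS = "urn:oasis:names:tc:SAML:1.0:assertion"   # SAML 1.x assertion namespace
CLAIMS_NS = "http://schemas.xmlsoap.org/claims"     # assumed claim namespace
NS = {"saml": SAML_NS}
DEMO_AUDIENCE = "urn:example:resource-partner"      # constructed relying-party URI

# Constructed sample token: one authentication statement plus an attribute
# statement carrying authorization-relevant claims for the same subject.
SAMPLE_ASSERTION = f"""<saml:Assertion xmlns:saml="{SAML_NS}" MajorVersion="1" MinorVersion="1"
  AssertionID="_example-assertion-1" Issuer="urn:example:account-partner"
  IssueInstant="2006-03-01T10:00:00Z">
  <saml:Conditions NotBefore="2006-03-01T10:00:00Z" NotOnOrAfter="2006-03-01T10:10:00Z">
    <saml:AudienceRestrictionCondition><saml:Audience>{DEMO_AUDIENCE}</saml:Audience></saml:AudienceRestrictionCondition>
  </saml:Conditions>
  <saml:AuthenticationStatement AuthenticationMethod="urn:example:windows-integrated"
    AuthenticationInstant="2006-03-01T10:00:00Z">
    <saml:Subject><saml:NameIdentifier>alice@example.org</saml:NameIdentifier></saml:Subject>
  </saml:AuthenticationStatement>
  <saml:AttributeStatement>
    <saml:Subject><saml:NameIdentifier>alice@example.org</saml:NameIdentifier></saml:Subject>
    <saml:Attribute AttributeName="Group" AttributeNamespace="{CLAIMS_NS}">
      <saml:AttributeValue>Purchasers</saml:AttributeValue><saml:AttributeValue>Staff</saml:AttributeValue>
    </saml:Attribute>
    <saml:Attribute AttributeName="SpendingLimit" AttributeNamespace="{CLAIMS_NS}">
      <saml:AttributeValue>500</saml:AttributeValue>
    </saml:Attribute>
    <saml:Attribute AttributeName="Title" AttributeNamespace="{CLAIMS_NS}">
      <saml:AttributeValue>Buyer</saml:AttributeValue>
    </saml:Attribute>
  </saml:AttributeStatement>
</saml:Assertion>"""


def _instant(value):
    """Parse a SAML UTC instant such as 2006-03-01T10:00:00Z."""
    return datetime.strptime(value, "%Y-%m-%dT%H:%M:%SZ").replace(tzinfo=timezone.utc)


def extract_claims(xml_text, audience, now_utc):
    """Return (subject, claims) or raise ValueError if the assertion must be rejected.

    claims maps "<AttributeNamespace>/<AttributeName>" to the list of asserted values.
    """
    root = ET.fromstring(xml_text)
    if root.tag != f"{{{SAML_NS}}}Assertion":
        raise ValueError("not a SAML 1.x assertion")
    cond = root.find("saml:Conditions", NS)
    if cond is None:
        raise ValueError("assertion has no Conditions")
    now = _instant(now_utc)
    if not (_instant(cond.get("NotBefore")) <= now < _instant(cond.get("NotOnOrAfter"))):
        raise ValueError("assertion outside its validity window")
    audiences = [a.text for a in cond.findall("saml:AudienceRestrictionCondition/saml:Audience", NS)]
    if audience not in audiences:
        raise ValueError("assertion not addressed to this relying party")
    # Attributes alone do not establish a session: require an authentication statement.
    subject = root.find("saml:AuthenticationStatement/saml:Subject/saml:NameIdentifier", NS)
    if subject is None or not subject.text:
        raise ValueError("no authenticated subject")
    claims = {}
    stmt = root.find("saml:AttributeStatement", NS)
    if stmt is not None:
        attr_subject = stmt.find("saml:Subject/saml:NameIdentifier", NS)
        if attr_subject is None or attr_subject.text != subject.text:
            raise ValueError("attribute statement is about a different subject")
        for attr in stmt.findall("saml:Attribute", NS):
            key = f'{attr.get("AttributeNamespace")}/{attr.get("AttributeName")}'
            claims[key] = [v.text for v in attr.findall("saml:AttributeValue", NS)]
    return subject.text, claims


def rejection_reason(xml_text, audience, now_utc):
    """None if the assertion is acceptable, otherwise the reason it was rejected."""
    try:
        extract_claims(xml_text, audience, now_utc)
        return None
    except ValueError as err:
        return str(err)


def authorize_purchase(claims, amount):
    """Authorize a purchase only from an explicit, single SpendingLimit claim."""
    limits = claims.get(f"{CLAIMS_NS}/SpendingLimit", [])
    if len(limits) != 1:
        return False
    return amount <= int(limits[0])


if __name__ == "__main__":
    subject, claims = extract_claims(SAMPLE_ASSERTION, DEMO_AUDIENCE, "2006-03-01T10:05:00Z")
    print(subject, claims, authorize_purchase(claims, 750))
```

Two practical notes. First, the order matters: conditions and audience are checked before any claim is read, and an attribute statement about a different subject than the one authenticated is rejected rather than merged, so a resource partner never acts on attributes it was not given for this user. Second, `xml.etree` is used here only because the sample is a trusted literal; for a token that arrives over the wire, parse with `defusedxml` and verify the XML signature before calling anything like `extract_claims`.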
So anyway, ADFS has potential, but we’ll have to try it out for ourselves.
Stuff that intrigued me from other sections of the event:
Can we run Active Directory Application Mode (ADAM) centrally to manage our authorizations for all web-based applications? ‘Cause this would rock.
Windows Server Update Services (WSUS) could be useful for PSU…
Distributed File System (DFS) and the Branch Office Management seem partially implemented, not well thought out, and overall garbage.
The Cygwin replacement, or is there more to it?
Finally, did Michael Murphy learn his presentation style from Billy Mays?
Tags: "Active Directory Application Mode", "active directory federation services", "billy mays", "distributed file system", "liberty alliance", "michael murphy", "UNIX Interoperability Components", "windows server 2003 r2", "Windows Server Update Services", active directory, ad, adam, adfs, cygwin, dfs, federated identity management, identity management, microsoft, presentation, saml, technet, unix, windows, ws-federation, wsus
