Issues in Federating with Shibboleth - PowerPoint PPT Presentation

About This Presentation
Title:

Issues in Federating with Shibboleth

Description:

Establish common set of standards and attributes for UT institutions ... Host UT System Shibboleth Install Fest for identity providers and Shibboleth ... – PowerPoint PPT presentation

Number of Views:46
Avg rating:3.0/5.0
Slides: 31
Provided by: cgold3

Transcript and Presenter's Notes

Title: Issues in Federating with Shibboleth


1
Issues in Federating with Shibboleth
  • Miguel Soldi
  • The University of Texas System Administration

2
The University of Texas System
  • 16 Institutions
  • 9 General Academic institutions
  • 6 Health institutions
  • 1 System Administration
  • 81,000 employees
  • 175,000 students
  • 8.5 billion budget

3
The University of Texas System
  • 16 Institutions
  • 9 General Academic institutions
  • 6 Health institutions
  • 1 System Administration
  • Significant differences in size and budgets
  • Half of institutions absorbed into System
  • Institutions enjoy considerable autonomy
  • 16 stovepipes

4
The University of Texas System
  • System-Wide IT Oversight
    • UT System CIO
    • Strategic Leadership Council
    • IT Managers Council
  • Institution IT Oversight
    • From CIO to Director level
    • Administrative and Academic Computing

5
What Is a Federation?
  • A federation is an association of organizations
    that use a common set of attributes, practices
    and policies to exchange information about their
    users and resources in order to enable
    collaborations and transactions.
  • InCommon
  • Shibboleth is the technology used to define and
    implement a federated system of identity
    authentication and authorization.
  • Shibboleth works within a Federation.

6
Federation's First Steps
  • Technically speaking, it involves
    • new policies
    • new processes
    • new trust relationships
    • new authentication and authorization mechanisms
    • new enterprise directories
    • new applications and much more
  • Participating organizations must agree on
    • Technical specifications: data attributes to
      exchange, the software used to interoperate
    • Policy specifications: privacy, establishing trust
      and trustworthy data
  • Must provide two sets of services
    • Metadata management: aggregate, distribute and
      maintain members' attribute data, syntax and
      semantics
    • Trust management: federation and member operating
      practices and controls, and privacy and security
      policies

7
(No Transcript)
8
Conception: Giving It Shape
  • What are the business / institution mission
    drivers? Are these short-term and/or temporary
    or are they long-term?
  • Is a Federation the adequate solution to support
    our institutional collaboration efforts?
  • Does the Federation need to support only
    intra-institution / system efforts or require
    participation of external entities?
  • Do we need to create our own Federation or could
    an outsourced solution (join InCommon) be
    adequate?
  • Who can become members of the Federation? Can
    members sponsor service providers?
  • Who are the Federation stakeholders? Who do they
    represent (Admin IT, Academic Computing,
    Research)?
  • Is protection of personal or protected
    information a significant requirement?

9
Conception: Giving It Shape
  • UT System Strategies
    • Statement of Direction from the UT System
      Strategic Leadership Council
    • Presentations and outreach to stakeholders, UT
      System leadership and IT steering committees
    • Establish common directions and goals
    • Address institutions' concerns regarding security,
      privacy and trust

10
Conception: Giving It Shape
  • What are the business / institution mission
    drivers? Are these short-term and/or temporary
    or are they long-term?
    • Long-term drivers
    • Not application driven
    • Build Identity Management infrastructure that
      enables greater synergy and collaboration among
      UT institutions
    • Application security simplified through a common
      trust fabric, allowing the secure exchange of
      identity authentication and authorization
      attributes System-wide
    • Provide a platform to address system-wide
      initiatives
    • Instantiation of a system-wide permanent identifier
    • Implement a common framework, standards and
      protocols for attribute naming, storage, and
      exchange (LDAP, Shibboleth)

11
Conception: Giving It Shape
  • What are the business / institution mission
    drivers? Are these short-term and/or temporary
    or are they long-term?
    • Long-term drivers
    • Not application driven
  • Is a Federation the adequate solution to support
    our institutional collaboration efforts?
    • Yes, since a common set of attributes,
      practices and policies to exchange information
      to foster collaboration among UT institutions
      is desired
  • Does the Federation need to support only
    intra-institution / system efforts or require
    participation of external entities?
    • Mostly intra-system collaborative efforts

12
Conception: Giving It Shape (cont.)
  • Do we need to create our own Federation or could
    an outsourced solution (join InCommon) be
    adequate?
    • Benefits of creating a UT Federation
      • Leverage existing inter-institution agreements
      • Establish a common set of standards and
        attributes for UT institutions
      • More granular control over
        authentication/authorization policies
      • Forum for experimentation and dialogue
  • Who can become members of the Federation? Can
    members sponsor service providers?
    • Phase I: UT institutions only
    • Phase II: include external institutions and/or
      federations
  • Is protection of personal or protected
    information a significant requirement?
    • Yes, specifically Social Security Numbers

13
Conception: Giving It Shape
  • Challenges
    • Disparate agendas among proposed Federation
      member institutions
    • Finding value-adding applications and drivers
      that can justify commitment of funds, time, and
      effort by all proposed member institutions
    • Unavailability of resources at proposed member
      institutions
    • Varying levels of trust among proposed member
      institutions and within individual institutions
      (Admin IT and Academic Computing, etc.)

14
(No Transcript)
15
Instantiation: Making It Happen
  • Technical
    • How to establish standards and prerequisites and,
      at the same time, leverage each proposed member
      institution's existing infrastructure
      • Require LDAP?
      • Common attributes? eduPerson?
      • What are the requirements for privacy and
        security?
      • Standard data definitions / schema? How are the
        standards established? What is the system or
        source of authority?
    • Based on the standards and prerequisites, what is
      the readiness status of proposed member
      institutions?
    • Who is responsible for remediation?
    • What is the best way to get all proposed member
      institutions on the same page? An Install Fest?

16
Instantiation: Making It Happen
  • Policy / Organizational
    • Definition of trust. How is trust established:
      per application or otherwise?
    • Policy considerations are a function of the
      broader relationship the member institutions have
      with each other
      • The closer the relationship, the fewer the
        policy reconciliation conflicts
      • The more diverse, the greater the possibility
        of conflicts
    • How diverse are the Operating Standards and
      Practices from institution to institution?
    • Are institutional definitions and identity
      management trust policies for students, faculty,
      and staff consistent?

17
Instantiation: Making It Happen
  • Policy / Organizational (cont.)
    • What data is required to uniquely identify
      individuals? How do we reconcile identity?
    • What is the Federation's governance structure?
    • How is conflict among members resolved? What are
      the conflict-resolution guidelines?
    • Who reviews and approves the Federation Charter
      and documents?
    • What audit permissions and procedures are needed
      to ensure ongoing quality of identity
      verification processes among member institutions?

18
Instantiation: Making It Happen
  • UT System Strategies
    • Technical
      • Establish up-front standards and technology
        prerequisites
      • Assess institutions' readiness status
      • Provide technical assistance and resources to
        smaller institutions
      • Host a UT System Shibboleth Install Fest for
        identity providers and a Shibboleth Service
        Provider Fest for resource providers to get all
        member institutions on the same page
    • Policy / Organizational
      • Identity data will be maintained by member
        institutions
      • Ensure that identity data maintained by member
        institutions is consistent and authoritative
      • Pick projects carefully. Policy work is slow;
        inter-institutional policy work is Very Slow
      • Establish UT System Federation governance with
        System-wide representation

19
Instantiation: Making It Happen
  • Technical
    • How to establish standards and prerequisites and,
      at the same time, leverage each proposed member
      institution's existing infrastructure
      • Shibboleth v1.2
      • Red Hat Enterprise Linux 3.0
      • Apache 2.0
      • Tomcat 5
      • mod_jk2
      • Basic Authentication mechanism for Apache (LDAP)
      • LDAP infrastructure for authorization
        • LDAP server (Sun ONE Directory Server, OpenLDAP,
          etc.)
        • Populated with user data
        • eduPerson schema installed
        • User passwords
      • VeriSign server digital certificate
    • Who is responsible for remediation?
      • UT System Administration has taken the lead in
        • providing help desk support
        • maintaining a discussion group and a
          middleware-related web site

20
Instantiation: Making It Happen
  • Policy / Organizational
    • Definition of trust. How is trust established:
      per application or otherwise?
      • Trust is established per application, based on
        risk assessment and by the relying party
    • How diverse are the Operating Standards and
      Practices from institution to institution?
      • Significant diversity. Working towards
        convergence through Member Operating Practices
    • Are institutional definitions and identity
      management trust policies for students, faculty,
      and staff consistent?
      • No consistent definitions or trust policies.
      • Exploring the development of a UTPerson schema

21
Instantiation: Making It Happen
  • Policy / Organizational (cont.)
    • What data is required to uniquely identify
      individuals? How do we reconcile identity?
      • Most institutions are using the following to
        uniquely identify individuals
        • SSN
        • Name (First, Middle Initial, Last)
        • Date of Birth
        • Previous surname
        • Previous name
        • City of birth
        • Country of birth
        • Gender
        • Component Persistent ID
      • Considering requiring member institutions to have
        a persistent (non-reused) Component ID to be kept
        in perpetuity.
      • Currently, the federation identifier is
        eduPersonPrincipalName (netid@domainname)
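The identifier question on this slide, as an added example that is not part of the presentation: constructed Python that checks an ePPN's scope against the asserting IdP and shows why a recycled netid (the same eduPersonPrincipalName re-bound to a new person) and a name-plus-date-of-birth key both fail to reconcile identity, while a persistent, non-reused component ID does not. The `component_id` attribute, the institution scopes and all records are assumptions.

```python
from collections import defaultdict
from dataclasses import dataclass


@dataclass(frozen=True)
class Identity:
    scope: str          # asserting IdP's scope (constructed, e.g. "utx-a.example")
    eppn: str           # eduPersonPrincipalName as netid@scope
    component_id: str   # persistent, never-reused component ID (hypothetical attribute)
    given: str
    surname: str
    dob: str            # YYYY-MM-DD


def scope_ok(rec: Identity) -> bool:
    """A relying party should only accept an ePPN scoped to the asserting IdP."""
    netid, sep, scope = rec.eppn.partition("@")
    return bool(netid) and sep == "@" and scope.lower() == rec.scope.lower()


def reconcile(records: list) -> dict:
    """Group records by candidate keys and report where each key breaks down.

    recycled_eppn: one ePPN bound to more than one component ID, which is what a
    member re-using a netid for a new person looks like to the federation.
    ambiguous_demographics: one (surname, given, dob) key spanning several
    component IDs, so demographic matching alone cannot decide whether to merge.
    """
    by_eppn, by_demo, bad_scope = defaultdict(set), defaultdict(set), []
    for r in records:
        if not scope_ok(r):
            bad_scope.append(r.eppn)   # reject rather than reconcile
            continue
        by_eppn[r.eppn.lower()].add(r.component_id)
        by_demo[(r.surname.lower(), r.given.lower(), r.dob)].add(r.component_id)
    return {
        "bad_scope": bad_scope,
        "recycled_eppn": sorted(k for k, v in by_eppn.items() if len(v) > 1),
        "ambiguous_demographics": sorted(k for k, v in by_demo.items() if len(v) > 1),
    }


SAMPLE = [  # constructed records; not real people, netids or institutions
    Identity("utx-a.example", "jdoe@utx-a.example", "A-000101", "Jane", "Doe", "1980-04-02"),
    Identity("utx-a.example", "jdoe@utx-a.example", "A-000377", "John", "Doe", "1991-11-30"),
    Identity("utx-b.example", "jane.doe@utx-b.example", "B-550", "Jane", "Doe", "1980-04-02"),
    Identity("utx-b.example", "jdoe2@utx-b.example", "B-551", "Jane", "Doe", "1980-04-02"),
    Identity("utx-c.example", "mallory@utx-a.example", "C-9", "Mal", "Lory", "1970-01-01"),
]
```

Running `reconcile(SAMPLE)` flags the reused `jdoe` netid at utx-a, the three Jane Doe records that share demographics but carry three different component IDs, and the utx-c record asserting an ePPN outside its own scope.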

22
Instantiation: Making It Happen
  • Policy / Organizational (cont.)
    • What is the Federation's governance structure?
      • The affairs of the Federation will be governed by
        a six-member Executive Committee and will be
        managed under the direction of the U. T. System
        CIO.
    • Who reviews and approves the Federation Charter
      and documents?
      • UT System Federation Board members and the legal
        office review the Charter and related documents.
        May require approval of the UT System Board of
        Regents

23
Instantiation: Making It Happen
  • UT System Identity Management Federation
    • Test Identity Management Federation exists
      • Twelve UT member institutions
    • UT System Identity Management Federation Board
      appointed
    • Policy documents created and being reviewed
    • Will operate under the authority of the UT System
      Board of Regents

24
Instantiation: Making It Happen
  • UT System Identity Management Federation
    Documents
    • Used InCommon as model
    • Policies and Documents
      • Federation Charter
      • Federation Operating Practices
      • Member Operating Practices
        • Drafted a document that explicitly defines
          standards, policies and procedures that
          federation members must put in place to be
          able to make real, informed relying-party
          decisions
        • Used the University of California UCTrust
          Federation document as format
      • Membership inter-institution Agreement
        • Leveraged the existing UT System
          inter-institution Agreement to simplify the
          membership contract
      • Membership Fee Schedule

25
Instantiation: Making It Happen
  • Challenges
    • The technical implementation aspects of
      Federation can get way ahead of policy and
      governance
    • Integration / federation process entangled with
      power / autonomy conflicts
      • Priorities vary by institution
      • Conventions may be seen as dictates
    • Managing trust relationships is complex enough
      when dealing with institutions within the same
      system (among family). Complexity increases
      significantly when dealing with external
      agencies, institutions, or service providers.
    • Getting commitment of resources to dedicate to
      the effort
    • Coordinating initiatives of multiple institutions

26
Instantiation: Making It Happen
  • Challenges (cont.)
    • Technical
      • Consistent middleware infrastructure
      • Building the architecture to be manageable and
        reliable
      • Level of acceptance of open source applications
    • Policy / Organizational
      • Intra-system identity reconciliation
      • Differing requirements among member institutions
        for initial proof of identity of people
        affiliated with the institution.
      • Obtaining consensus about the content and level
        of detail of the Federation Charter and related
        documents

27
(No Transcript)
28
Operation: Delivering Applications
  • How to manage the creation, provisioning,
    authentication, and termination of user accounts
  • Are user accounts re-used or re-cycled by member
    institutions?
  • Issues with use of Shibboleth with legacy systems
  • How do we measure and document benefit and
    performance of Federation?
  • Continue assessing risk of unauthorized
    disclosure, fraud, and liability
  • Preparation of a Security Plan and a Disaster
    Recovery Plan for the Federation
  • What approvals and processes are needed to enter
    into trust agreements with other federations?

29
Maintenance: Keeping It Going
  • Establish an Audit function and procedures
  • Establish plan and resources to keep up with
    technology changes and federal and state
    compliance requirements
  • How to scale the Federation? What opportunities
    exist to leverage the infrastructure?
  • How to keep the Federation fresh and
    application relevant?
  • How to address the multi-institution
    collaboration requirements of academics and
    researchers?

30
  • THANK YOU