際際滷

際際滷Share a Scribd company logo

Federated access management

Download as PPTX, PDF
M
Mark Cairney

Federated Access Management (FAM) systems have been in use in the Library and Educational IT communities for a number of years and have came about from a need to have common standards to allow external users access to services. This is a high-level discussion with a brief history of FAM, how it ties in with an organisation's existing Single-Sign-On (SSO) infrastructure, the role that the Federation has in maintaining the trust relationships between organisation's Identity Providers (IdPs) and Service Providers (SPs) and now between federations and how it's being used by the wider (non-academic) community.

1 of 21
Download to read offline
Federated Access Management Mark Cairney Information Services IT Infrastructure UNIX Section University of Edinburgh
What is Federated Access Management? Trust framework between institutions and services User Authentication devolved to each institution via a local Identity Provider (IdP) Authorisation handled by the Service Provider (SP) based on attributes sent to it by the IdP
What is FAM? Trust relationship handled by both sides containing metadata describing each other Federation is responsible for managing and publishing metadata for all members (IdPs and SPs) Also responsible for establishing policies regarding data exchange between members and ensuring they are being adhered to.
What is FAM? Federations established at a geographical area (country/continental) level e.g. InCommon (US), UKAMF (UK), eduGAIN (Europe) Now starting to see inter-federation agreements e.g. UK Federation <-> eduGAIN Establishing standards/good practice becomes an even bigger issue with inter-federation!
FAM Systems Number of competing FAM solutions (both FOSS and commercial) OpenAthens Shibboleth OpenAM Microsoft AD FS Well be looking at Shibboleth as its what I know best!
Shibboleth Free, Open Source Popular in education sector Gaining traction outwith education 3 main components: Identity Provider (IdP) Service Provider (SP) Discovery Service (DS aka Where Are You From?)
Identity Providers (IdP) Locally-installed server integrated with organisations local infrastructure (SSO, identity management) User logs in with their local SSO credentials IdP authenticates user and looks them up in local Identity source (LDAP, AD, database)
Identity Providers (IdP) User information parsed, processed and only permitted attributes are sent back to the Service Provider (SP) By default all members of the UK Federation are sent a minimal set of attributes Additional attributes have to be explicitly released by the IdP administrator Can have multiple metadata sources and rules for attribute disclosure
Service Providers (SP) Module performing login to service Receives attributes from IdP and uses these to perform authentication and authorisation of user. N.B. Service Provider performs authorisation decision based on attribute data received- its NOT the IdPs job to perform authorisation!!
Discovery Service Formerly Known as WAYF (Where Are You From) Essentially a list of available IdPs UK Federation run one for general use OR Roll your own to present a subset of these Optional- you can hardwire your SP to speak to a specific IdP (but this isnt really federation)
SAML AKA Security Assertion Markup Language Standard dialect for IdPs and SPs to talk to each other Standards (SAML1 / SAML2) Possible (though not always straightforward!) for IdPs and SPs of different flavours e.g. Shibboleth and OpenAthens to talk to each other.
WOW! User IdP SP Discovery Service
The Federation Maintains and publishes the metadata consumed by member entities (i.e. IdPs and SPs) Metadata used to form trust relationships Responsibility for the metadata feed and for ensuring members adhere to good practice (security, privacy etc) Monolithic
Inter-federation Trust More of a political challenge than a technical one Participating federations have to negotiate common standards re: metadata structure, key lengths/types, attributes required. Best practice wins! End result is an aggregated metadata file is published by participating federations
Other Federated Identity Systems OpenAthens- very similar to Shibboleth Commercial entity, ran by EduServ Can either run your own IdP or have OpenAthens run it for you for a fee. Technology very similar to Shibboleth(SAML- based, monolithic Federations)
Other Federated Identity Systems Eduroam- used in Higher Education to provide federated roaming wireless access Built on FreeRADIUS Managed and maintained in the UK by JANET External users credentials are relayed back to their home institution for authentication
Future of Federation Current models work well for web-based authentication (Shibboleth) and/or specific protocols (eduroam) However there is an increasing requirement for support of multiple protocols and for some level of devolved federation management
Shibboleth IdPv3 Still SAML2-based but with a number of improvements based on experience gained with v2 Improvements include: User consent for releasing attributes Session state largely stored client-side in encrypted cookie store.
Moonshot Based on FreeRADIUS 3 with additional functionality provided by Shib libraries Provides some level of devolved management. Multi-protocol support (SSH, Web, Exchange)
Moonshot - Disadvantages Requires bleeding-edge versions of FreeRADIUS and Moonshot dependencies Work-in-progress- steep learning curve and documentation not comprehensive Requires software to be installed on both clients and services to support it- some of these (e.g. OpenSSH) depend on locally patched versions.
Questions? E: Mark.Cairney@ed.ac.uk T: @mcairney http://www.ukfederation.org.uk http://shibboleth.net/ http://www.jisc.ac.uk/assent

Recommended

Email
EmailEmail
Email
Aparajeeta Mishra
Upserve Full
Upserve FullUpserve Full
Upserve Full
Jay Vandervort
Mule expression
Mule expressionMule expression
Mule expression
Ravinder Singh
Creating custom filter
Creating custom filterCreating custom filter
Creating custom filter
Rahul Kumar
Mule esb expression_filter
Mule esb expression_filterMule esb expression_filter
Mule esb expression_filter
Davide Rapacciuolo
Mule components
Mule componentsMule components
Mule components
Krishna_in
Using expression filter
Using expression filterUsing expression filter
Using expression filter
Rahul Kumar
Mule mel 5_tips
Mule mel 5_tipsMule mel 5_tips
Mule mel 5_tips
kunal vishe
Mule object stores
Mule object storesMule object stores
Mule object stores
Krishna_in
Custom filters in mule soft
Custom filters in mule softCustom filters in mule soft
Custom filters in mule soft
Krishna_in
Round robin scheduling
Round robin schedulingRound robin scheduling
Round robin scheduling
Raghav S
Filters
FiltersFilters
Filters
Francesca Della Corte
Mule expression component
Mule expression componentMule expression component
Mule expression component
Karnam Karthik
Mule ESB Tutorial Part 2
Mule ESB Tutorial Part 2Mule ESB Tutorial Part 2
Mule ESB Tutorial Part 2
Srikanth N
MuleSoft Anypoint Studio - Essentials - Data Filtering
MuleSoft Anypoint Studio - Essentials - Data FilteringMuleSoft Anypoint Studio - Essentials - Data Filtering
MuleSoft Anypoint Studio - Essentials - Data Filtering
VenkataNaveen Kumar
Security components in mule esb
Security components in mule esbSecurity components in mule esb
Security components in mule esb
himajareddys
Les filtres RSS dans Inoreader : d辿tail de la syntaxe utiliser (MAJ : mai 2...Les filtres RSS dans Inoreader : d辿tail de la syntaxe utiliser (MAJ : mai 2...
Les filtres RSS dans Inoreader : d辿tail de la syntaxe utiliser (MAJ : mai 2...
Serge Courrier
Active Filter (Low Pass)
Active Filter (Low Pass)Active Filter (Low Pass)
Active Filter (Low Pass)
Saravanan Sukumaran
Mule ESB Tutorial Part 1
Mule ESB Tutorial Part 1Mule ESB Tutorial Part 1
Mule ESB Tutorial Part 1
Srikanth N
Microservices Best Practices
Microservices Best Practices Microservices Best Practices
Microservices Best Practices
MuleSoft
Future of Integration | MuleSoft
Future of Integration | MuleSoftFuture of Integration | MuleSoft
Future of Integration | MuleSoft
MuleSoft
Mule ESB - Integration Simplified
Mule ESB - Integration SimplifiedMule ESB - Integration Simplified
Mule ESB - Integration Simplified
Rich Software
Application Architecture: The Next Wave | MuleSoft
Application Architecture: The Next Wave | MuleSoftApplication Architecture: The Next Wave | MuleSoft
Application Architecture: The Next Wave | MuleSoft
MuleSoft
Digital Businesses of the Future
Digital Businesses of the Future Digital Businesses of the Future
Digital Businesses of the Future
MuleSoft
Mule soft csv_toxml
Mule soft csv_toxmlMule soft csv_toxml
Mule soft csv_toxml
VenkataNaveen Kumar
Payload and logger
Payload and loggerPayload and logger
Payload and logger
Domenico Schiavone
Mule splitters
Mule splittersMule splitters
Mule splitters
Gandham38
Enabling Large-Scale Multi-Party Federations with OpenID Connect - OpenID Sum...
Enabling Large-Scale Multi-Party Federations with OpenID Connect - OpenID Sum...Enabling Large-Scale Multi-Party Federations with OpenID Connect - OpenID Sum...
Enabling Large-Scale Multi-Party Federations with OpenID Connect - OpenID Sum...
OpenID Foundation Japan
ITN_ModuleCCNA Course thirdLecture_.pptx
ITN_ModuleCCNA Course thirdLecture_.pptxITN_ModuleCCNA Course thirdLecture_.pptx
ITN_ModuleCCNA Course thirdLecture_.pptx
MohamedTagEldeen7
Integration Solution Patterns
Integration Solution Patterns Integration Solution Patterns
Integration Solution Patterns
WSO2

More Related Content

Viewers also liked (19)

Mule object stores
Mule object storesMule object stores
Mule object stores
Krishna_in
Custom filters in mule soft
Custom filters in mule softCustom filters in mule soft
Custom filters in mule soft
Krishna_in
Round robin scheduling
Round robin schedulingRound robin scheduling
Round robin scheduling
Raghav S
Filters
FiltersFilters
Filters
Francesca Della Corte
Mule expression component
Mule expression componentMule expression component
Mule expression component
Karnam Karthik
Mule ESB Tutorial Part 2
Mule ESB Tutorial Part 2Mule ESB Tutorial Part 2
Mule ESB Tutorial Part 2
Srikanth N
MuleSoft Anypoint Studio - Essentials - Data Filtering
MuleSoft Anypoint Studio - Essentials - Data FilteringMuleSoft Anypoint Studio - Essentials - Data Filtering
MuleSoft Anypoint Studio - Essentials - Data Filtering
VenkataNaveen Kumar
Security components in mule esb
Security components in mule esbSecurity components in mule esb
Security components in mule esb
himajareddys
Les filtres RSS dans Inoreader : d辿tail de la syntaxe utiliser (MAJ : mai 2...Les filtres RSS dans Inoreader : d辿tail de la syntaxe utiliser (MAJ : mai 2...
Les filtres RSS dans Inoreader : d辿tail de la syntaxe utiliser (MAJ : mai 2...
Serge Courrier
Active Filter (Low Pass)
Active Filter (Low Pass)Active Filter (Low Pass)
Active Filter (Low Pass)
Saravanan Sukumaran
Mule ESB Tutorial Part 1
Mule ESB Tutorial Part 1Mule ESB Tutorial Part 1
Mule ESB Tutorial Part 1
Srikanth N
Microservices Best Practices
Microservices Best Practices Microservices Best Practices
Microservices Best Practices
MuleSoft
Future of Integration | MuleSoft
Future of Integration | MuleSoftFuture of Integration | MuleSoft
Future of Integration | MuleSoft
MuleSoft
Mule ESB - Integration Simplified
Mule ESB - Integration SimplifiedMule ESB - Integration Simplified
Mule ESB - Integration Simplified
Rich Software
Application Architecture: The Next Wave | MuleSoft
Application Architecture: The Next Wave | MuleSoftApplication Architecture: The Next Wave | MuleSoft
Application Architecture: The Next Wave | MuleSoft
MuleSoft
Digital Businesses of the Future
Digital Businesses of the Future Digital Businesses of the Future
Digital Businesses of the Future
MuleSoft
Mule soft csv_toxml
Mule soft csv_toxmlMule soft csv_toxml
Mule soft csv_toxml
VenkataNaveen Kumar
Payload and logger
Payload and loggerPayload and logger
Payload and logger
Domenico Schiavone
Mule splitters
Mule splittersMule splitters
Mule splitters
Gandham38
Mule object stores
Mule object storesMule object stores
Mule object stores
Krishna_in
Custom filters in mule soft
Custom filters in mule softCustom filters in mule soft
Custom filters in mule soft
Krishna_in
Round robin scheduling
Round robin schedulingRound robin scheduling
Round robin scheduling
Raghav S
Filters
FiltersFilters
Filters
Francesca Della Corte
Mule expression component
Mule expression componentMule expression component
Mule expression component
Karnam Karthik
Mule ESB Tutorial Part 2
Mule ESB Tutorial Part 2Mule ESB Tutorial Part 2
Mule ESB Tutorial Part 2
Srikanth N
MuleSoft Anypoint Studio - Essentials - Data Filtering
MuleSoft Anypoint Studio - Essentials - Data FilteringMuleSoft Anypoint Studio - Essentials - Data Filtering
MuleSoft Anypoint Studio - Essentials - Data Filtering
VenkataNaveen Kumar
Security components in mule esb
Security components in mule esbSecurity components in mule esb
Security components in mule esb
himajareddys
Les filtres RSS dans Inoreader : d辿tail de la syntaxe utiliser (MAJ : mai 2...Les filtres RSS dans Inoreader : d辿tail de la syntaxe utiliser (MAJ : mai 2...
Les filtres RSS dans Inoreader : d辿tail de la syntaxe utiliser (MAJ : mai 2...
Serge Courrier
Active Filter (Low Pass)
Active Filter (Low Pass)Active Filter (Low Pass)
Active Filter (Low Pass)
Saravanan Sukumaran
Mule ESB Tutorial Part 1
Mule ESB Tutorial Part 1Mule ESB Tutorial Part 1
Mule ESB Tutorial Part 1
Srikanth N
Microservices Best Practices
Microservices Best Practices Microservices Best Practices
Microservices Best Practices
MuleSoft
Future of Integration | MuleSoft
Future of Integration | MuleSoftFuture of Integration | MuleSoft
Future of Integration | MuleSoft
MuleSoft
Mule ESB - Integration Simplified
Mule ESB - Integration SimplifiedMule ESB - Integration Simplified
Mule ESB - Integration Simplified
Rich Software
Application Architecture: The Next Wave | MuleSoft
Application Architecture: The Next Wave | MuleSoftApplication Architecture: The Next Wave | MuleSoft
Application Architecture: The Next Wave | MuleSoft
MuleSoft
Digital Businesses of the Future
Digital Businesses of the Future Digital Businesses of the Future
Digital Businesses of the Future
MuleSoft
Mule soft csv_toxml
Mule soft csv_toxmlMule soft csv_toxml
Mule soft csv_toxml
VenkataNaveen Kumar
Payload and logger
Payload and loggerPayload and logger
Payload and logger
Domenico Schiavone
Mule splitters
Mule splittersMule splitters
Mule splitters
Gandham38

Similar to Federated access management (20)

Enabling Large-Scale Multi-Party Federations with OpenID Connect - OpenID Sum...
Enabling Large-Scale Multi-Party Federations with OpenID Connect - OpenID Sum...Enabling Large-Scale Multi-Party Federations with OpenID Connect - OpenID Sum...
Enabling Large-Scale Multi-Party Federations with OpenID Connect - OpenID Sum...
OpenID Foundation Japan
ITN_ModuleCCNA Course thirdLecture_.pptx
ITN_ModuleCCNA Course thirdLecture_.pptxITN_ModuleCCNA Course thirdLecture_.pptx
ITN_ModuleCCNA Course thirdLecture_.pptx
MohamedTagEldeen7
Integration Solution Patterns
Integration Solution Patterns Integration Solution Patterns
Integration Solution Patterns
WSO2
APIs and Services: One Platform or Two?
APIs and Services: One Platform or Two?APIs and Services: One Platform or Two?
APIs and Services: One Platform or Two?
Akana
CANARIE - What Do I Need to Connect with eduroam and Shibboleth
CANARIE - What Do I Need to Connect with eduroam and ShibbolethCANARIE - What Do I Need to Connect with eduroam and Shibboleth
CANARIE - What Do I Need to Connect with eduroam and Shibboleth
Chris Phillips
Dreamforce14 Multi Org Collaboration Architecture
Dreamforce14 Multi Org Collaboration ArchitectureDreamforce14 Multi Org Collaboration Architecture
Dreamforce14 Multi Org Collaboration Architecture
Richard Clark
ITN_Module_3.pptx
ITN_Module_3.pptxITN_Module_3.pptx
ITN_Module_3.pptx
argost1003
APIs and Micro Services 0.5
APIs and Micro Services 0.5APIs and Micro Services 0.5
APIs and Micro Services 0.5
Richard Hudson
CCNA Protocols and Models Lecture 際際滷s
CCNA Protocols and Models Lecture 際際滷sCCNA Protocols and Models Lecture 際際滷s
CCNA Protocols and Models Lecture 際際滷s
azlinak
DCEU 18: From Monolith to Microservices
DCEU 18: From Monolith to MicroservicesDCEU 18: From Monolith to Microservices
DCEU 18: From Monolith to Microservices
Docker, Inc.
IoT.pptx
IoT.pptxIoT.pptx
IoT.pptx
sateeshka
Identity and User Access Management.pptx
Identity and User Access Management.pptxIdentity and User Access Management.pptx
Identity and User Access Management.pptx
irfanullahkhan64
cloud session uklug
cloud session uklugcloud session uklug
cloud session uklug
dominion
Lessons Learned in Implementing PeopleSoft ELS 9.0
Lessons Learned in Implementing PeopleSoft ELS 9.0Lessons Learned in Implementing PeopleSoft ELS 9.0
Lessons Learned in Implementing PeopleSoft ELS 9.0
Kenneth Petty, PMP
CANARIE Eduroam and Shibboleth Lessons & Areas of interest
CANARIE Eduroam and Shibboleth Lessons & Areas of interestCANARIE Eduroam and Shibboleth Lessons & Areas of interest
CANARIE Eduroam and Shibboleth Lessons & Areas of interest
Chris Phillips
Securing APIs with Open Policy Agent
Securing APIs with Open Policy AgentSecuring APIs with Open Policy Agent
Securing APIs with Open Policy Agent
Nordic APIs
Securing APIs with Open Policy Agent
Securing APIs with Open Policy AgentSecuring APIs with Open Policy Agent
Securing APIs with Open Policy Agent
Anders Eknert
Basic of computers
Basic of computers Basic of computers
Basic of computers
Harsh Porwal
Internet, Intranet and Extranet
Internet, Intranet and Extranet Internet, Intranet and Extranet
Internet, Intranet and Extranet
Maryam Fida
Eunis federation2
Eunis federation2Eunis federation2
Eunis federation2
HEAnet
Enabling Large-Scale Multi-Party Federations with OpenID Connect - OpenID Sum...
Enabling Large-Scale Multi-Party Federations with OpenID Connect - OpenID Sum...Enabling Large-Scale Multi-Party Federations with OpenID Connect - OpenID Sum...
Enabling Large-Scale Multi-Party Federations with OpenID Connect - OpenID Sum...
OpenID Foundation Japan
ITN_ModuleCCNA Course thirdLecture_.pptx
ITN_ModuleCCNA Course thirdLecture_.pptxITN_ModuleCCNA Course thirdLecture_.pptx
ITN_ModuleCCNA Course thirdLecture_.pptx
MohamedTagEldeen7
Integration Solution Patterns
Integration Solution Patterns Integration Solution Patterns
Integration Solution Patterns
WSO2
APIs and Services: One Platform or Two?
APIs and Services: One Platform or Two?APIs and Services: One Platform or Two?
APIs and Services: One Platform or Two?
Akana
CANARIE - What Do I Need to Connect with eduroam and Shibboleth
CANARIE - What Do I Need to Connect with eduroam and ShibbolethCANARIE - What Do I Need to Connect with eduroam and Shibboleth
CANARIE - What Do I Need to Connect with eduroam and Shibboleth
Chris Phillips
Dreamforce14 Multi Org Collaboration Architecture
Dreamforce14 Multi Org Collaboration ArchitectureDreamforce14 Multi Org Collaboration Architecture
Dreamforce14 Multi Org Collaboration Architecture
Richard Clark
ITN_Module_3.pptx
ITN_Module_3.pptxITN_Module_3.pptx
ITN_Module_3.pptx
argost1003
APIs and Micro Services 0.5
APIs and Micro Services 0.5APIs and Micro Services 0.5
APIs and Micro Services 0.5
Richard Hudson
CCNA Protocols and Models Lecture 際際滷s
CCNA Protocols and Models Lecture 際際滷sCCNA Protocols and Models Lecture 際際滷s
CCNA Protocols and Models Lecture 際際滷s
azlinak
DCEU 18: From Monolith to Microservices
DCEU 18: From Monolith to MicroservicesDCEU 18: From Monolith to Microservices
DCEU 18: From Monolith to Microservices
Docker, Inc.
IoT.pptx
IoT.pptxIoT.pptx
IoT.pptx
sateeshka
Identity and User Access Management.pptx
Identity and User Access Management.pptxIdentity and User Access Management.pptx
Identity and User Access Management.pptx
irfanullahkhan64
cloud session uklug
cloud session uklugcloud session uklug
cloud session uklug
dominion
Lessons Learned in Implementing PeopleSoft ELS 9.0
Lessons Learned in Implementing PeopleSoft ELS 9.0Lessons Learned in Implementing PeopleSoft ELS 9.0
Lessons Learned in Implementing PeopleSoft ELS 9.0
Kenneth Petty, PMP
CANARIE Eduroam and Shibboleth Lessons & Areas of interest
CANARIE Eduroam and Shibboleth Lessons & Areas of interestCANARIE Eduroam and Shibboleth Lessons & Areas of interest
CANARIE Eduroam and Shibboleth Lessons & Areas of interest
Chris Phillips
Securing APIs with Open Policy Agent
Securing APIs with Open Policy AgentSecuring APIs with Open Policy Agent
Securing APIs with Open Policy Agent
Nordic APIs
Securing APIs with Open Policy Agent
Securing APIs with Open Policy AgentSecuring APIs with Open Policy Agent
Securing APIs with Open Policy Agent
Anders Eknert
Basic of computers
Basic of computers Basic of computers
Basic of computers
Harsh Porwal
Internet, Intranet and Extranet
Internet, Intranet and Extranet Internet, Intranet and Extranet
Internet, Intranet and Extranet
Maryam Fida
Eunis federation2
Eunis federation2Eunis federation2
Eunis federation2
HEAnet

Recently uploaded (20)

Gojek Clone Multi-Service Super App.pptx
Gojek Clone Multi-Service Super App.pptxGojek Clone Multi-Service Super App.pptx
Gojek Clone Multi-Service Super App.pptx
V3cube
A Framework for Model-Driven Digital Twin Engineering
A Framework for Model-Driven Digital Twin EngineeringA Framework for Model-Driven Digital Twin Engineering
A Framework for Model-Driven Digital Twin Engineering
Daniel Lehner
DealBook of Ukraine: 2025 edition | AVentures Capital
DealBook of Ukraine: 2025 edition | AVentures CapitalDealBook of Ukraine: 2025 edition | AVentures Capital
DealBook of Ukraine: 2025 edition | AVentures Capital
Yevgen Sysoyev
UiPath Document Understanding - Generative AI and Active learning capabilities
UiPath Document Understanding - Generative AI and Active learning capabilitiesUiPath Document Understanding - Generative AI and Active learning capabilities
UiPath Document Understanding - Generative AI and Active learning capabilities
DianaGray10
Wondershare Dr.Fone Crack Free Download 2025
Wondershare Dr.Fone Crack Free Download 2025Wondershare Dr.Fone Crack Free Download 2025
Wondershare Dr.Fone Crack Free Download 2025
maharajput103
Deno ...................................
Deno ...................................Deno ...................................
Deno ...................................
Robert MacLean
Build with AI on Google Cloud Session #4
Build with AI on Google Cloud Session #4Build with AI on Google Cloud Session #4
Build with AI on Google Cloud Session #4
Margaret Maynard-Reid
TrustArc Webinar - Building your DPIA/PIA Program: Best Practices & Tips
TrustArc Webinar - Building your DPIA/PIA Program: Best Practices & TipsTrustArc Webinar - Building your DPIA/PIA Program: Best Practices & Tips
TrustArc Webinar - Building your DPIA/PIA Program: Best Practices & Tips
TrustArc
Formal Methods: Whence and Whither? [Martin Fr辰nzle Festkolloquium, 2025]
Formal Methods: Whence and Whither? [Martin Fr辰nzle Festkolloquium, 2025]Formal Methods: Whence and Whither? [Martin Fr辰nzle Festkolloquium, 2025]
Formal Methods: Whence and Whither? [Martin Fr辰nzle Festkolloquium, 2025]
Jonathan Bowen
DevNexus - Building 10x Development Organizations.pdf
DevNexus - Building 10x Development Organizations.pdfDevNexus - Building 10x Development Organizations.pdf
DevNexus - Building 10x Development Organizations.pdf
Justin Reock
Cloud of everything Tech of the 21 century in Aviation
Cloud of everything Tech of the 21 century in AviationCloud of everything Tech of the 21 century in Aviation
Cloud of everything Tech of the 21 century in Aviation
Assem mousa
Unlock AI Creativity: Image Generation with DALL揃E
Unlock AI Creativity: Image Generation with DALL揃EUnlock AI Creativity: Image Generation with DALL揃E
Unlock AI Creativity: Image Generation with DALL揃E
Expeed Software
THE BIG TEN BIOPHARMACEUTICAL MNCs: GLOBAL CAPABILITY CENTERS IN INDIA
THE BIG TEN BIOPHARMACEUTICAL MNCs: GLOBAL CAPABILITY CENTERS IN INDIATHE BIG TEN BIOPHARMACEUTICAL MNCs: GLOBAL CAPABILITY CENTERS IN INDIA
THE BIG TEN BIOPHARMACEUTICAL MNCs: GLOBAL CAPABILITY CENTERS IN INDIA
Srivaanchi Nathan
Technology use over time and its impact on consumers and businesses.pptx
Technology use over time and its impact on consumers and businesses.pptxTechnology use over time and its impact on consumers and businesses.pptx
Technology use over time and its impact on consumers and businesses.pptx
kaylagaze
UiPath Automation Developer Associate Training Series 2025 - Session 2
UiPath Automation Developer Associate Training Series 2025 - Session 2UiPath Automation Developer Associate Training Series 2025 - Session 2
UiPath Automation Developer Associate Training Series 2025 - Session 2
DianaGray10
Early Adopter's Guide to AI Moderation (Preview)
Early Adopter's Guide to AI Moderation (Preview)Early Adopter's Guide to AI Moderation (Preview)
Early Adopter's Guide to AI Moderation (Preview)
nick896721
Computational Photography: How Technology is Changing Way We Capture the World
Computational Photography: How Technology is Changing Way We Capture the WorldComputational Photography: How Technology is Changing Way We Capture the World
Computational Photography: How Technology is Changing Way We Capture the World
HusseinMalikMammadli
Revolutionizing-Government-Communication-The-OSWAN-Success-Story
Revolutionizing-Government-Communication-The-OSWAN-Success-StoryRevolutionizing-Government-Communication-The-OSWAN-Success-Story
Revolutionizing-Government-Communication-The-OSWAN-Success-Story
ssuser52ad5e
UiPath Agentic Automation Capabilities and Opportunities
UiPath Agentic Automation Capabilities and OpportunitiesUiPath Agentic Automation Capabilities and Opportunities
UiPath Agentic Automation Capabilities and Opportunities
DianaGray10
Replacing RocksDB with ScyllaDB in Kafka Streams by Almog Gavra
Replacing RocksDB with ScyllaDB in Kafka Streams by Almog GavraReplacing RocksDB with ScyllaDB in Kafka Streams by Almog Gavra
Replacing RocksDB with ScyllaDB in Kafka Streams by Almog Gavra
ScyllaDB
Gojek Clone Multi-Service Super App.pptx
Gojek Clone Multi-Service Super App.pptxGojek Clone Multi-Service Super App.pptx
Gojek Clone Multi-Service Super App.pptx
V3cube
A Framework for Model-Driven Digital Twin Engineering
A Framework for Model-Driven Digital Twin EngineeringA Framework for Model-Driven Digital Twin Engineering
A Framework for Model-Driven Digital Twin Engineering
Daniel Lehner
DealBook of Ukraine: 2025 edition | AVentures Capital
DealBook of Ukraine: 2025 edition | AVentures CapitalDealBook of Ukraine: 2025 edition | AVentures Capital
DealBook of Ukraine: 2025 edition | AVentures Capital
Yevgen Sysoyev
UiPath Document Understanding - Generative AI and Active learning capabilities
UiPath Document Understanding - Generative AI and Active learning capabilitiesUiPath Document Understanding - Generative AI and Active learning capabilities
UiPath Document Understanding - Generative AI and Active learning capabilities
DianaGray10
Wondershare Dr.Fone Crack Free Download 2025
Wondershare Dr.Fone Crack Free Download 2025Wondershare Dr.Fone Crack Free Download 2025
Wondershare Dr.Fone Crack Free Download 2025
maharajput103
Deno ...................................
Deno ...................................Deno ...................................
Deno ...................................
Robert MacLean
Build with AI on Google Cloud Session #4
Build with AI on Google Cloud Session #4Build with AI on Google Cloud Session #4
Build with AI on Google Cloud Session #4
Margaret Maynard-Reid
TrustArc Webinar - Building your DPIA/PIA Program: Best Practices & Tips
TrustArc Webinar - Building your DPIA/PIA Program: Best Practices & TipsTrustArc Webinar - Building your DPIA/PIA Program: Best Practices & Tips
TrustArc Webinar - Building your DPIA/PIA Program: Best Practices & Tips
TrustArc
Formal Methods: Whence and Whither? [Martin Fr辰nzle Festkolloquium, 2025]
Formal Methods: Whence and Whither? [Martin Fr辰nzle Festkolloquium, 2025]Formal Methods: Whence and Whither? [Martin Fr辰nzle Festkolloquium, 2025]
Formal Methods: Whence and Whither? [Martin Fr辰nzle Festkolloquium, 2025]
Jonathan Bowen
DevNexus - Building 10x Development Organizations.pdf
DevNexus - Building 10x Development Organizations.pdfDevNexus - Building 10x Development Organizations.pdf
DevNexus - Building 10x Development Organizations.pdf
Justin Reock
Cloud of everything Tech of the 21 century in Aviation
Cloud of everything Tech of the 21 century in AviationCloud of everything Tech of the 21 century in Aviation
Cloud of everything Tech of the 21 century in Aviation
Assem mousa
Unlock AI Creativity: Image Generation with DALL揃E
Unlock AI Creativity: Image Generation with DALL揃EUnlock AI Creativity: Image Generation with DALL揃E
Unlock AI Creativity: Image Generation with DALL揃E
Expeed Software
THE BIG TEN BIOPHARMACEUTICAL MNCs: GLOBAL CAPABILITY CENTERS IN INDIA
THE BIG TEN BIOPHARMACEUTICAL MNCs: GLOBAL CAPABILITY CENTERS IN INDIATHE BIG TEN BIOPHARMACEUTICAL MNCs: GLOBAL CAPABILITY CENTERS IN INDIA
THE BIG TEN BIOPHARMACEUTICAL MNCs: GLOBAL CAPABILITY CENTERS IN INDIA
Srivaanchi Nathan
Technology use over time and its impact on consumers and businesses.pptx
Technology use over time and its impact on consumers and businesses.pptxTechnology use over time and its impact on consumers and businesses.pptx
Technology use over time and its impact on consumers and businesses.pptx
kaylagaze
UiPath Automation Developer Associate Training Series 2025 - Session 2
UiPath Automation Developer Associate Training Series 2025 - Session 2UiPath Automation Developer Associate Training Series 2025 - Session 2
UiPath Automation Developer Associate Training Series 2025 - Session 2
DianaGray10
Early Adopter's Guide to AI Moderation (Preview)
Early Adopter's Guide to AI Moderation (Preview)Early Adopter's Guide to AI Moderation (Preview)
Early Adopter's Guide to AI Moderation (Preview)
nick896721
Computational Photography: How Technology is Changing Way We Capture the World
Computational Photography: How Technology is Changing Way We Capture the WorldComputational Photography: How Technology is Changing Way We Capture the World
Computational Photography: How Technology is Changing Way We Capture the World
HusseinMalikMammadli
Revolutionizing-Government-Communication-The-OSWAN-Success-Story
Revolutionizing-Government-Communication-The-OSWAN-Success-StoryRevolutionizing-Government-Communication-The-OSWAN-Success-Story
Revolutionizing-Government-Communication-The-OSWAN-Success-Story
ssuser52ad5e
UiPath Agentic Automation Capabilities and Opportunities
UiPath Agentic Automation Capabilities and OpportunitiesUiPath Agentic Automation Capabilities and Opportunities
UiPath Agentic Automation Capabilities and Opportunities
DianaGray10
Replacing RocksDB with ScyllaDB in Kafka Streams by Almog Gavra
Replacing RocksDB with ScyllaDB in Kafka Streams by Almog GavraReplacing RocksDB with ScyllaDB in Kafka Streams by Almog Gavra
Replacing RocksDB with ScyllaDB in Kafka Streams by Almog Gavra
ScyllaDB

Federated access management

  • 1. Federated Access Management Mark Cairney Information Services IT Infrastructure UNIX Section University of Edinburgh
  • 2. What is Federated Access Management? Trust framework between institutions and services User Authentication devolved to each institution via a local Identity Provider (IdP) Authorisation handled by the Service Provider (SP) based on attributes sent to it by the IdP
  • 3. What is FAM? Trust relationship handled by both sides containing metadata describing each other Federation is responsible for managing and publishing metadata for all members (IdPs and SPs) Also responsible for establishing policies regarding data exchange between members and ensuring they are being adhered to.
  • 4. What is FAM? Federations established at a geographical area (country/continental) level e.g. InCommon (US), UKAMF (UK), eduGAIN (Europe) Now starting to see inter-federation agreements e.g. UK Federation <-> eduGAIN Establishing standards/good practice becomes an even bigger issue with inter-federation!
  • 5. FAM Systems Number of competing FAM solutions (both FOSS and commercial) OpenAthens Shibboleth OpenAM Microsoft AD FS Well be looking at Shibboleth as its what I know best!
  • 6. Shibboleth Free, Open Source Popular in education sector Gaining traction outwith education 3 main components: Identity Provider (IdP) Service Provider (SP) Discovery Service (DS aka Where Are You From?)
  • 7. Identity Providers (IdP) Locally-installed server integrated with organisations local infrastructure (SSO, identity management) User logs in with their local SSO credentials IdP authenticates user and looks them up in local Identity source (LDAP, AD, database)
  • 8. Identity Providers (IdP) User information parsed, processed and only permitted attributes are sent back to the Service Provider (SP) By default all members of the UK Federation are sent a minimal set of attributes Additional attributes have to be explicitly released by the IdP administrator Can have multiple metadata sources and rules for attribute disclosure
  • 9. Service Providers (SP) Module performing login to service Receives attributes from IdP and uses these to perform authentication and authorisation of user. N.B. Service Provider performs authorisation decision based on attribute data received- its NOT the IdPs job to perform authorisation!!
  • 10. Discovery Service Formerly Known as WAYF (Where Are You From) Essentially a list of available IdPs UK Federation run one for general use OR Roll your own to present a subset of these Optional- you can hardwire your SP to speak to a specific IdP (but this isnt really federation)
  • 11. SAML AKA Security Assertion Markup Language Standard dialect for IdPs and SPs to talk to each other Standards (SAML1 / SAML2) Possible (though not always straightforward!) for IdPs and SPs of different flavours e.g. Shibboleth and OpenAthens to talk to each other.
  • 13. The Federation Maintains and publishes the metadata consumed by member entities (i.e. IdPs and SPs) Metadata used to form trust relationships Responsibility for the metadata feed and for ensuring members adhere to good practice (security, privacy etc) Monolithic
  • 14. Inter-federation Trust More of a political challenge than a technical one Participating federations have to negotiate common standards re: metadata structure, key lengths/types, attributes required. Best practice wins! End result is an aggregated metadata file is published by participating federations
  • 15. Other Federated Identity Systems OpenAthens- very similar to Shibboleth Commercial entity, ran by EduServ Can either run your own IdP or have OpenAthens run it for you for a fee. Technology very similar to Shibboleth(SAML- based, monolithic Federations)
  • 16. Other Federated Identity Systems Eduroam- used in Higher Education to provide federated roaming wireless access Built on FreeRADIUS Managed and maintained in the UK by JANET External users credentials are relayed back to their home institution for authentication
  • 17. Future of Federation Current models work well for web-based authentication (Shibboleth) and/or specific protocols (eduroam) However there is an increasing requirement for support of multiple protocols and for some level of devolved federation management
  • 18. Shibboleth IdPv3 Still SAML2-based but with a number of improvements based on experience gained with v2 Improvements include: User consent for releasing attributes Session state largely stored client-side in encrypted cookie store.
  • 19. Moonshot Based on FreeRADIUS 3 with additional functionality provided by Shib libraries Provides some level of devolved management. Multi-protocol support (SSH, Web, Exchange)
  • 20. Moonshot - Disadvantages Requires bleeding-edge versions of FreeRADIUS and Moonshot dependencies Work-in-progress- steep learning curve and documentation not comprehensive Requires software to be installed on both clients and services to support it- some of these (e.g. OpenSSH) depend on locally patched versions.
  • 21. Questions? E: Mark.Cairney@ed.ac.uk T: @mcairney http://www.ukfederation.org.uk http://shibboleth.net/ http://www.jisc.ac.uk/assent
AboutCopyright
息 2025 際際滷