Activity Details

Campus Identity and Access Management


Objectives: The training will provide attendees with practical technical skills (train the trainer) on the essential aspects of architecting, designing and deploying a cost-effective (open-source) enterprise Identity and Access Management system. We will then show how this IAM system can be used to join a national identity federation to enable collaboration across the economic region and, by joining other federations via eduGAIN, to enable collaboration at a global scale.
  • Identify the core building blocks of an IAM system.
  • Discuss the processes, controls, reporting and auditing that wrap around IAM.
  • Build an IAM system from open-source components that can be duplicated across a region.
  • Join the federation and eduGAIN.
With this training you will have a low-cost Identity and Access Management option you can share with your universities and research institutions, moving them forward in being able to participate in your national identity federation and in eduGAIN.
Target Audience: IT architects and individuals interested in systems integration or DevOps skills.
Activity Co-ordinator(s): Terry Smith, Australian Access Federation
Expected No. of Participants: 30
Seating Arrangement: U Shape

Session 1 : Identify the core building blocks of an IAM system

Date: Monday 2019-02-18
Time: 09:00 - 10:30
Location: Room 203
Trainer(s): Terry Smith, Australian Access Federation
Toby Chan, The Hong Kong PolyTechnic University
Brook Schofield, Project Development Officer, GÉANT Association
Dalia Abraham
No. of Participants: 16, out of which 14 have provided feedback
Agenda: For an organisation to successfully participate in a nation's identity federation and/or the global eduGAIN federation, it requires a functional identity management solution. This session discusses the requirements of such a system, provides a high-level architecture and identifies a number of open-source options that can provide a functional system for an organisation.
1.  An overview of Campus Identity Management
Terry Smith, Australian Access Federation
2.  High-level systems architecture
Terry Smith, Australian Access Federation
3.  Open-source building blocks
Terry Smith, Australian Access Federation

Session 2 : Building an open-source IAM service

Date: Monday 2019-02-18
Time: 11:00 - 12:30
Location: Room 203
Trainer(s): Terry Smith, Australian Access Federation
Dalia Abraham
Brook Schofield, Project Development Officer, GÉANT Association
Benn Oshrin
No. of Participants: 15, out of which 11 have provided feedback
Agenda: Hands-on session deploying the initial components of an Identity and Access Management system suitable for a university or research institution.
1.  Introduction to TIER
Benn Oshrin
2.  Hands-on session, underpinning components
Terry Smith, Australian Access Federation
The first of the hands-on sessions, building an Identity and Access Management system suitable for a university or research institution.
3.  Attributes and systems of entry discussion
Terry Smith, Australian Access Federation
A discussion on identity production patterns. All use cases for identity rely on the existence of digital identity data. Reducing the cost and complexity of producing those data is a priority for the delivery of high-quality identity services. In this presentation we will investigate the factors that affect the complexity of managing identity within a system of record and classify basic approaches to managing identity within an organization.

Session 3 : Hands-on session: Access Management

Date: Monday 2019-02-18
Time: 13:30 - 15:00
Location: Room 203
Trainer(s): Terry Smith, Australian Access Federation
Dalia Abraham
Brook Schofield, Project Development Officer, GÉANT Association
No. of Participants: 14, out of which 11 have provided feedback
Agenda: Hands-on session building on the base infrastructure, adding an Identity Provider and Service Providers to the organization.
1.  Identity Domains
Terry Smith, Australian Access Federation
Digital identity services exist so that relationships can be mediated by information systems. The requirements for managing digitally mediated relationships have not changed since the first multi-user computer systems were developed. Whenever the parties to a relationship are represented by information, the following three problems need to be solved: 1. How can one party in a relationship identify the other party? 2. How can the parties continue their relationship over time? 3. How can the parties in a relationship trust each other? This presentation will provide a quick overview of the identity domain patterns that are commonly in use.
2.  Hands-on session
Terry Smith, Australian Access Federation
Hands-on session: With the basic building blocks in place we will turn our attention to providing a simple access management layer for the organization. Services could integrate directly with a base LDAP service, but this increases the risk associated with the access layer, particularly for cloud-based services. Current best practice is that authentication should be separated from the services themselves and performed by a dedicated, secure service operated by the organization. This ensures that a rogue service never has access to a user's credentials.

Session 4 : Hands-on session: Entitlement Management

Date: Monday 2019-02-18
Time: 15:30 - 17:00
Location: Room 203
Trainer(s): Terry Smith, Australian Access Federation
Dalia Abraham
Brook Schofield, Project Development Officer, GÉANT Association
No. of Participants: 13, out of which 10 have provided feedback
Agenda: Entitlement management is responsible for the creation and management of entitlements and the data related to the production and assignment of entitlements. In this session we will start the deployment of a number of tools that can be used to manage entitlements. These entitlements in turn are used by the access management layer to determine the level of access that should be provided to users. Entitlement management discovers and analyses data about identities, identity domains, business roles, organizational affiliations, and application and service roles and privileges. It creates and maintains entitlement packages and access control models that define how identity holders may access resources. The deployment of the tools is only a small part of entitlement management; most of the activity will involve developing an understanding of the organization.
Terry Smith, Australian Access Federation

Session 5 : IAM Q&A and general discussion

Date: Monday 2019-02-18
Time: 17:00 - 18:00
Location: Room 203
Trainer(s): Brook Schofield, Project Development Officer, GÉANT Association
No. of Participants: 24, out of which 11 have provided feedback
Agenda: A non-conference-style session where delegates can propose questions and topics for discussion within the room.

Session 6 : Review

Date: Tuesday 2019-02-19
Time: 09:00 - 10:30
Location: Room 203
Trainer(s): Terry Smith, Australian Access Federation
Dalia Abraham
Brook Schofield, Project Development Officer, GÉANT Association
No. of Participants: 19, out of which 9 have provided feedback
Agenda: In this session we will review Monday's sessions and the IAM deployments that have been built so far. This is an opportunity for participants to verify their understanding of the architecture and of how the open-source components fit together to provide an IAM solution.
Terry Smith, Australian Access Federation

Session 7 : Identity Analytics

Date: Tuesday 2019-02-19
Time: 11:00 - 12:30
Location: Room 203
Trainer(s): Terry Smith, Australian Access Federation
Dalia Abraham
Brook Schofield, Project Development Officer, GÉANT Association
No. of Participants: 18, out of which 10 have provided feedback
Agenda: Identity analytics monitors, analyses and reports on the use of identity across the university. It has two distinct areas of responsibility. It provides business intelligence on the use of identity, to ensure the operation of identity services is aligned with business requirements and to inform planning. It provides forensic analysis of improper uses of identity and ensures compliance with important governance objectives such as separation of duties, privacy, and repudiation. Identity analytics is often overlooked as a "would like to have" component of IAM at all levels. We will investigate the possible reasons for this before getting hands-on and deploying a simple system to capture, record and report on the identity logs generated by every authentication event. With this simple data analytics service we will start to uncover the valuable information buried in the logs. Identity analytics is not only for organizations but applies equally at the federation level. Business intelligence at the federation level can lead to increased utilization and uptake. For the board and subscribers it will help highlight the benefit of the federation.
Terry Smith, Australian Access Federation

Session 8 : Bringing it all together

Date: Tuesday 2019-02-19
Time: 13:30 - 15:00
Location: Room 203
Trainer(s): Terry Smith, Australian Access Federation
Dalia Abraham
Brook Schofield, Project Development Officer, GÉANT Association
No. of Participants: 21, out of which 8 have provided feedback
Agenda: In this session we will bring all of the pieces together. The IAM system needs a provisioning engine that deals with the life cycle of users' identities, including credential issuing, provisioning, de-provisioning, maintaining users' identity information, etc. We will look at an open-source tool that provides a significant part of the identity management solution. With the IAM system up and running, managing users' identities, their entitlements, access to systems and reporting, it is time to step up to the next level: federation. We will take the identity provider and technically join it to a federation, enabling users to access a much wider array of services.
Terry Smith, Australian Access Federation

Session 9 : Commercial offerings for IAM

Date: Tuesday 2019-02-19
Time: 15:30 - 17:00
Location: Room 203
Trainer(s): Terry Smith, Australian Access Federation
Dalia Abraham
Brook Schofield, Project Development Officer, GÉANT Association
No. of Participants: 46, out of which 12 have provided feedback
Agenda:
1.  Liberate
Justin Knight, Jisc, United Kingdom
2.  Commercial IAM offerings
Terry Smith, Australian Access Federation
There are many commercial offerings available that provide Identity and Access solutions to organizations. This session will provide a quick market scan of the more popular solutions being deployed. There are advantages and benefits to using these commercial solutions, but the cost can be prohibitive. These systems tend to be organization-focused, not fitting well into the wider federation environment. We will look at some of the reasons advanced federations are running parallel access management systems, one for internal services and the other for external federated services.

Session 10 : Q&A and General Discussion

Date: Tuesday 2019-02-19
Time: 17:00 - 18:00
Location: Room 203
Trainer(s): Justin Knight, Jisc, United Kingdom
Agenda: A non-conference-style session reviewing the training of the past two days, allowing participants to ask questions and begin discussions relating to Identity and Access Management.