Authentication, Authorization and Federated Identities

Attribute Source of Authority (SOA):

A source of authority (SOA) is an organizational entity that is officially responsible for verifying and protecting the privacy of certain personal attributes that belong to specific individuals whose physical identity was certified by a trusted credentialing authority. The SOA

  1. follows specific policies and procedures for determining the current personal affiliations/attributes of an identified person for which the SOA is the responsible authority,
  2. maintains the appropriate records of a person’s current affiliations/attributes, and
  3. provides relying parties with the personal attributes of an identified individual if the individual consents to their release and/or if the release is permitted by statute.

A credential is considered to be federated when groups of relying parties agree to accept authentication credentials that are issued by credential providers that have agreed to a set of policies, procedures and technologies approved by the federation and are subject to systematic audit for compliance.

Authentication and Authorization:

  • Authentication is a process whereby a relying party can trust, at a defined level of assurance (LOA), that an authentication credential truly belongs to the certified physical person presenting that credential.
  • Authorization, in turn, is the process whereby a relying party determines whether an authenticated physical person has the necessary personal attributes to conduct specific activities.

Relying parties, human or digital, must be able to trust an authentication credential presented to them anywhere in global cyberspace, both (1) the first time it is received and (2) any time thereafter. Once the presenter is authenticated, a relying party can query attribute providers (APs), when permitted, to determine whether the authenticated physical person has the personal attributes required for the privileges the relying party grants.
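The two-step decision described above, as an added illustration that is not code from this page or from the UTHSC-H project: a relying party first checks that the authentication context of a SAML 2.0 assertion meets its required LOA, then authorizes on the asserted eduPersonAffiliation values. The mapping of SAML authentication context classes to LOA numbers is an assumed local relying-party policy, and the assertion is a constructed sample.

```python
import xml.etree.ElementTree as ET

NS = {"saml": "urn:oasis:names:tc:SAML:2.0:assertion"}
EDUPERSON_AFFILIATION = "urn:oid:1.3.6.1.4.1.5923.1.1.1.1"  # eduPersonAffiliation

# Assumed relying-party policy: which SAML authentication context classes
# this relying party credits with which level of assurance (local choice).
LOA_BY_CONTEXT = {
    "urn:oasis:names:tc:SAML:2.0:ac:classes:PasswordProtectedTransport": 2,
    "urn:oasis:names:tc:SAML:2.0:ac:classes:X509": 3,
}

# Constructed sample assertion for a person holding two simultaneous
# affiliations (active entries in two SOA databases).
SAMPLE = """<saml:Assertion xmlns:saml="urn:oasis:names:tc:SAML:2.0:assertion">
 <saml:AuthnStatement><saml:AuthnContext>
  <saml:AuthnContextClassRef>urn:oasis:names:tc:SAML:2.0:ac:classes:X509</saml:AuthnContextClassRef>
 </saml:AuthnContext></saml:AuthnStatement>
 <saml:AttributeStatement>
  <saml:Attribute Name="urn:oid:1.3.6.1.4.1.5923.1.1.1.1">
   <saml:AttributeValue>employee</saml:AttributeValue>
   <saml:AttributeValue>student</saml:AttributeValue>
  </saml:Attribute>
 </saml:AttributeStatement>
</saml:Assertion>"""


def parse_assertion(xml_text):
    """Return (loa, affiliations). The caller must already have verified the
    assertion's signature, issuer, audience and validity window; an assertion
    that fails those checks must never reach this point."""
    root = ET.fromstring(xml_text)
    ref = root.findtext("saml:AuthnStatement/saml:AuthnContext/saml:AuthnContextClassRef", namespaces=NS)
    loa = LOA_BY_CONTEXT.get((ref or "").strip(), 0)  # unknown context credits nothing
    affiliations = set()
    for attr in root.findall("saml:AttributeStatement/saml:Attribute", NS):
        if attr.get("Name") == EDUPERSON_AFFILIATION:
            affiliations.update(v.text.strip() for v in attr.findall("saml:AttributeValue", NS) if v.text)
    return loa, affiliations


def authorize(xml_text, required_loa, allowed_affiliations):
    """Authentication gate (LOA) first, then authorization on attributes."""
    loa, affiliations = parse_assertion(xml_text)
    if loa < required_loa:
        return False, f"LOA {loa} below required {required_loa}"
    matched = affiliations & set(allowed_affiliations)
    if not matched:
        return False, "no qualifying affiliation asserted"
    return True, "granted via " + ",".join(sorted(matched))
```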

Purpose:

The focus of this initiative is to facilitate the development and use of a federated identity management infrastructure that makes authentication and authorization, when required for trusted collaborative interchanges, virtually transparent and globally functional across multiple organizational domains. Such a well-defined, common infrastructure must be agreed upon by the research community and congruent with other academic and government efforts if seamless, integrative information exchanges are to occur among researchers and non-person entities.

Where We Started:

In 1998, the University of Texas System (UT System) recognized that a new milieu was emerging in which collaboration is no longer just among people, but also between people and increasingly capable digital assistants, as well as among the digital assistants themselves. These information interchanges often require defined trust relationships among relying parties such that certain aspects of identity must be known among participants. Subsequently, UT System developed a strategic identity management initiative which enabled UT institutions to acquire cryptographic authentication credentials supported by an internationally known, commercial certificate provider. This enabled individuals and systems to acquire digital IDs that could be used as authentication credentials and for digital signatures and encryption of email, documents and other digital objects.

The University of Texas Health Science Center at Houston has been a leading participant in this initiative and in other national and international efforts to establish a global identity management infrastructure. 3-tier web applications have been created and obtained that use digital IDs as authentication credentials for accessing restricted resources, and that support a variety of standard policy workflows requiring digital signatures and document encryption: validating the identity of document creators, document integrity, and the confidentiality of email, PDF files and other documents when required.

As part of this initiative, UTHSC-H developed and populated an institutional identity management infrastructure in which individuals having "active" entries in one or more of the primary "source of authority" (SOA) databases have "person" entries in the UTHSC-H Enterprise Directory. Each individual may have simultaneous, multiple affiliations within UTHSC-H if he or she has active entries in two or more SOA databases.

The physical identity attributes of employees, residents, students and guest affiliates are verified by official institutional hiring, vetting and registration procedures and policies. The issuance of digital authentication credentials to identified individuals is governed by explicit policies and procedures that define the level of assurance (LOA) that UTHSC-H can assert via authentication credentials to relying parties. Policies for identity proofing and credentialing are designed to meet the requirements of the U.T. System Identity Management Federation, the InCommon Federation, the United States Federal E-Authentication initiative and the Federal (FBCA) Certificate Policies.

UTHSC-H is responsible for assuring accurate, timely binding of personal attribute information to credentialed individuals for whom it is the Source of Authority. When privacy restrictions permit, the university functions as an attribute provider to both internal and external relying parties, allowing them to make authorization decisions regarding individuals whose authentication credentials they have accepted.

Where We Are:

In 2004, the University of Texas System established a core resource consortium of middleware-leveraged resource providers using Shibboleth technology to provide SAML (Security Assertion Markup Language) based authentication credentials and personal attributes to relying parties for purposes of authentication and authorization. This project evolved into the formation of the UT System Identity Management Federation. In 2010, the UT IdM Federation inter-federated with the InCommon Federation, such that UT authentication credentials can be trusted by all relying parties accepting InCommon participants, and UT applications can accept InCommon authentication credentials and attribute assertions.

All CTSA applications being developed at UTHSC-H are Shibboleth enabled, digital ID enabled, or both. Users at the university now use their authentication credentials to authenticate to multiple 3-tier web applications within the institution, at other UT System institutions, and globally with a variety of external restricted services. Digital signatures are used to sign emails and a variety of electronic documents that require integrity assurance, and in some cases to encrypt them so that only the intended recipients can view them.

Future Direction:

UTHealth will continue to work with all national and international initiatives to establish and utilize a global identity management (IdM) infrastructure. Particular focus areas are as follows:

  • Adoption of InCommon Certificate Services for digital IDs at assurance levels 3 and 4.
  • Creation of an online resource to help users and information technology staff understand the basics of identity management and its uses in scholarly activities.
  • Development of policies and procedures for certified exchanges of personal attributes to support authorization.
  • Development and implementation of attribute provider systems for the appropriate release of personal attributes to relying parties.

How to Participate:

Basic Supplemental Information:

1.  Challenges and Opportunities for New Collaborative Science Models - May 2010. Report of the American Association of Medical College (AAMC) Group on Information Resources (GIR) Task Force on Information Technology Infrastructure Requirements for Cross-Institutional Research; provides member institutions with an overview of IT requirements in several areas deemed critical for the development of effective cross-institutional research collaborations.

2.  National Strategy for Trusted Identities in Cyberspace - June 24, 2010 DRAFT, U.S. President's Cyberspace Policy Review, released by the President's Cyber Security Coordinator. See release notes.
