Scared Straight… if you want to go outside… Authenticate Locally, Act Globally

Page 1

Page 2

Topics

• Externalities who care about our IdM
• Content
• Services
• Government
• Virtual organizations
• Internal federations
• Security, usability and privacy
• And now, for the rest of the story…

Page 3

Externalities

• Relying Parties want to use campus authn
  • For economies
    • Not another SSO to incorporate into the app
    • Avoid much of the costs of account management
  • For scaling in users
• Interest is tempered by legal considerations, policy considerations, and unintended disruptive economic consequences

Page 4

Content

• To protect IPR (the JSTOR incident…)
• To open up markets
  • Popular content – Ruckus, CDigix, etc.
  • MS
  • Scholarly content – Google, OCLC WorldCat
• Scope of IdM may be an issue

Page 5

Services

• Student travel, charitable giving, web learning and testing, plagiarism testing service, etc.

• Allure for alumni services and other internal businesses

• Student loans, student testing, graduate school admissions, etc.

• The Teragrid

Page 6

Government

• NSF Fastlane Grant Submission
• Dept of Agriculture Permits
• Social Security
• NIH
• Dept of Ed

Page 7

Virtual Organizations

• The big team science efforts, and even smaller collaborations with real resources to be managed seriously
• Have their own IdM issues
  • Collaboration tools
  • Domain science identity management
• Today’s solutions are non-existent, insecure or widely despised…
• Could leverage federated identity for both ease of use and better security

Page 8

Page 9

Peering

Page 10

Possible peering parameters

• LOA
• Attribute mapping
• Economics
• Liability
• Privacy

Page 11

VOs plumbed to federations

Page 12

Inviting Attributes into your life…

• For privacy and secrecy
  • Albeit for a refined view of privacy
• For better security
  • Federated identity allows for stronger security where needed in a manner scalable for both RP and the user.
• For efficiency

Page 13

The impacts on cyberinfrastructure

“The event was a nice example of why you get on an airplane and travel to a workshop - to make progress about 50 times faster than exchanging email and position papers! Having made this investment, we are ready to take the next concrete steps to make this vision a reality.

Improving security and usability at the same time. How often do you get a chance to do that?”

Charlie Catlett, Teragrid Director

Page 14

And Now for the Rest of the Story

• The Simple Life and the Simple User
• The Full IdM Life
• Real IdM Life and the Attribute Economy

Page 15

[Diagram: User; Application access controls (including network devices); IdP; Shib; p2p]

Page 16

A Simple Life GUI

[Diagram: User; Application access controls (including network devices); IdP; Shib; p2p; three Sources of Authority; Authn; Autograph]

Page 17

A Full IdM Life

[Diagram: User; Application access controls (including network devices); IdP; Shib; p2p; three Sources of Authority; Local apps]

Page 18

Relative Roles of Signet & Grouper

[Diagram: Grouper; Signet]

• RBAC (role-based access control) model
  • Users are placed into groups (aka “roles”)
  • Privileges are assigned to groups
  • Groups can be arranged into hierarchies to effectively bestow privileges
• Grouper manages, well, groups
• Signet manages privileges
• Separates responsibilities for groups & privileges
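Added example (not code from the slides or from the Signet/Grouper projects): a small Python model of the RBAC arrangement this slide describes, with group membership kept separately from privilege assignment (the Grouper/Signet split), nested groups bestowing privileges transitively, and a reverse lookup an access reviewer would want. All group names, user ids and privilege names are constructed.

```python
from collections import deque

# Constructed sample data (not from the slides). Group membership is kept
# separately from privilege assignment, mirroring the Grouper/Signet split.
# A member is either a user id or another group id (nested groups).
GROUPS = {
    "faculty": {"alice", "bob"},
    "it:staff": {"carol"},
    "it:admins": {"dave", "it:staff"},          # it:staff nested in it:admins
    "researchers": {"faculty", "erin"},         # all faculty are researchers
    "grid:users": {"researchers", "it:admins"},
}
# Privileges attach to groups ("roles"), never directly to users.
PRIVILEGES = {
    "faculty": {"library:ejournals"},
    "it:staff": {"helpdesk:tickets"},
    "it:admins": {"net:configure"},
    "grid:users": {"teragrid:submit"},
}

def members_of(group, groups=GROUPS):
    """Flatten a group's transitive membership to user ids.
    Ids not defined as groups are users; membership cycles are tolerated."""
    users, seen, queue = set(), set(), deque([group])
    while queue:
        g = queue.popleft()
        if g in seen:
            continue
        seen.add(g)
        for m in groups.get(g, ()):
            if m in groups:
                queue.append(m)       # nested group: expand it
            else:
                users.add(m)          # leaf: a user id
    return users

def groups_of(user, groups=GROUPS):
    """Every group the user belongs to, directly or through nesting."""
    return {g for g in groups if user in members_of(g, groups)}

def effective_privileges(user, groups=GROUPS, privileges=PRIVILEGES):
    """Union of the privileges of all groups the user is (transitively) in."""
    return set().union(*(privileges.get(g, set()) for g in groups_of(user, groups)))

def holders_of(privilege, groups=GROUPS, privileges=PRIVILEGES):
    """Reverse lookup for access reviews: which users end up with a privilege."""
    return {u for g, ps in privileges.items() if privilege in ps
            for u in members_of(g, groups)}
```

Because privileges are only ever granted to groups, an access review reduces to `holders_of()` per privilege, and a user's entitlement question to `effective_privileges()`.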

Page 19

A Full Life GUI

[Diagram: User; Application access controls (including network devices); Shib; p2p; three Sources of Authority; Authn; Autograph; Signet/Grouper; IdP; Local apps]

Page 20

Real Life

[Diagram: User; Application access controls (including network devices); IdP; Shib; p2p; Portal; Gateway; Proxy; eight Sources of Authority]

Page 21

[Diagram: User; Application access controls (including network devices); IdP; Shib; p2p; three Sources of Authority; VO Service Center; Gateway; three further Sources of Authority; a second IdP]

Page 22

A VO Service Center Flow

[Diagram: User; Application access controls (including network devices); IdP; Shib; p2p; Autograph; Authn; three Sources of Authority; S/G (×3); VO Service Center]