VO and Internet2 Middleware

Page 1: VO and Internet2 Middleware. Presenter’s Name Topics Motivations for Internet2 Middleware work Federated identity and InCommon Other IdM Groups, privileges,

VO and Internet2 Middleware

Page 2

Presenter’s Name

Topics

• Motivations for Internet2 Middleware work

• Federated identity and InCommon

• Other IdM

• Groups, privileges, diagnostics

• COManage

• Next steps

Page 3

Motivations for Internet2 Middleware

• Create consistent campus middleware infrastructure

• Extend local identity into a federated community

• Improve use of collaboration tools

• Better couple research with education

• Allow a class to invoke some VO privileges

• Integrate research and administrative processes

• Deploy as infrastructure, not just develop

Page 4

Connecting SoAs, Integrating with Existing Infrastructure

Page 5

Federated identity

• Shibboleth and SAML created the concept of federated identity

• Local authentication and attributes leveraged globally

• Privacy preserving; scalable security

• Shibboleth 1.3 widely deployed; Shib 2.0 in beta; Shib embedded in products from Verisign, Sun, Oracle, MS, etc.

• In the corporate world, all “federations” are bilateral; in the public sector almost all are multilateral

Page 6

InCommon

• US R&E Federation, a 501(c)3

• Addresses legal, LOA, shared attributes, business proposition, etc. issues

• Members are universities, service providers, government agencies

• Over 70 organizations and growing steadily; 1.3 million user base now, crossing 2 million by the end of the year

• Uses range from popular and academic content access to wiki and list controls to access to NIH applications to …

• Almost all use is transparent to users (it's middleware) but that is about to change

• www.incommonfederation.org

Page 7

International R&E federations

• Substantial deployments in many countries, including UK, Norway, Switzerland, US, Australia, France, Denmark, Finland, Spain, Germany, Netherlands, etc.

• Most are Shib based; some use other SAML products.

• Scope of membership usually higher ed, but some are broader, e.g. UK, Spain, Netherlands

• Use cases range from content access to collaboration support to learning management systems to wireless roaming to…

• Peering federations give a global R&E trust fabric

Page 8

Managing authority: Signet and Grouper

• Tools to manage privileges and groups

• Taken together, they can provide tools for the “static” part of the authorization problem – management of roles and privileges assigned to individuals (and other things)

• Newly released 1.0+ versions of both, with a combined interface

• International development community beginning to happen…

• Analysts are discovering privilege management, much as they “discovered” federated identity. Giving no credit to higher education for seeing a different problem…

Page 9

Relative Roles of Signet & Grouper

Grouper / Signet

RBAC (role-based access control) model

• Users are placed into groups (aka “roles”)

• Privileges are assigned to groups

• Groups can be arranged into hierarchies to effectively bestow privileges

• Grouper manages, well, groups

• Signet manages privileges

• Separates responsibilities for groups & privileges

Page 10

Grouper Architecture

Page 11

Privilege Elements by Example

Grantor: by authority of the UPCI IRB

Grantee (group/role): UPCI Researchers

Prerequisite: who have an approved UPCI IRB protocol

Function: can access de-identified data and order tissue

Scope: from the network of caTIES participants

Resource: for Study HD7687

Limit: up to 100 patients

Conditions: until January 1, 2006, as long as approved for material transfer…
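The Grouper/Signet split (groups arranged in a hierarchy, privileges attached to groups) and the privilege elements above, as one added Python illustration. This is constructed example code, not Grouper or Signet; the users, the lab subgroup and the two approval sets are assumptions.

```python
from dataclasses import dataclass, field
from datetime import date
from typing import Callable, List, Set, Tuple
# Added illustration, not Grouper or Signet code: a Grouper-style group hierarchy
# plus a Signet-style privilege record carrying the slide's elements.

@dataclass
class Group:
    name: str
    members: Set[str] = field(default_factory=set)
    subgroups: List["Group"] = field(default_factory=list)
    def contains(self, user: str) -> bool:
        # Hierarchy: membership in a subgroup bestows the parent's privileges.
        return user in self.members or any(g.contains(user) for g in self.subgroups)
@dataclass
class Privilege:
    grantor: str                          # by authority of ...
    grantee: Group                        # group/role
    prerequisite: Callable[[str], bool]   # who have ...
    functions: frozenset                  # can ...
    scope: str                            # from ...
    resource: str                         # for ...
    limit: int                            # up to ...
    expires: date                         # until ...
    condition: Callable[[str], bool]      # as long as ...

def check(p: Privilege, user: str, function: str, scope: str, resource: str,
          used: int, today: date) -> Tuple[bool, str]:
    """Evaluate each element in turn; the first failing element names the reason."""
    if not p.grantee.contains(user): return False, "not in grantee group"
    if not p.prerequisite(user): return False, "prerequisite not met"
    if function not in p.functions: return False, "function not granted"
    if scope != p.scope or resource != p.resource: return False, "outside scope or resource"
    if used >= p.limit: return False, "limit exhausted"
    if today >= p.expires: return False, "expired"
    if not p.condition(user): return False, "condition not satisfied"
    return True, "granted by " + p.grantor

# Constructed sample data mirroring the slide; users and approvals are hypothetical.
approved_protocols = {"alice"}          # holders of an approved UPCI IRB protocol
transfer_approved = {"alice", "bob"}    # approved for material transfer
upci_lab = Group("UPCI Lab X", members={"alice"})
upci_researchers = Group("UPCI Researchers", members={"bob"}, subgroups=[upci_lab])
tissue_priv = Privilege(
    grantor="UPCI IRB", grantee=upci_researchers,
    prerequisite=lambda u: u in approved_protocols,
    functions=frozenset({"access de-identified data", "order tissue"}),
    scope="caTIES participants", resource="Study HD7687", limit=100,
    expires=date(2006, 1, 1), condition=lambda u: u in transfer_approved)
```

Because alice is only a member of the lab subgroup, her access comes through the hierarchy; bob is a direct member but lacks the protocol prerequisite, so the same request is refused for him.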

Privilege Lifecycle

Page 12

A Bloom of Collaboration Tools

• An over-abundance of new tools that provide rich and growing collaboration capabilities (aka Web 2.0)

• Do you

  • Wiki, blog, moodle, sakai, IM, Chat, videoconference, audioconference, calendar, Flickr, netmeeting, access grid, dimdim, listserv, webdav, etc

  • Share files among workgroups, access Elsevier, work with the IEEE, etc

• No uber-app – limits invention and community of users

• 3 - 4 is fine, but many per user is hard to manage

Page 13

Collaboration Tools and Identity Management

• Required for effective interactions

• Deeply enriches collaboration tools

• Fine-grain access control and wikis

  • spaces.internet2.edu, “member of the community” processes

• Transparently shared file stores

• Collaboratively visible calendaring

• Embedded VO IM channels in campus portals

Page 14

Collaboration Management Platforms

• Management of collaboration a real impediment to collaboration, particularly with the growing variety of tools

• Goal is to develop a “platform” for handling the identity management aspects of many different collaboration tools

• Platform includes a framework and model, specific running code that implements the model, and applications that take advantage of the model

• This space presents possibilities of improving the overall unified UI as well as UI for specific applications and components.

Page 15

Comanage

• Leverages federated identity and the attribute ecosystem heavily

• Uses Grouper to manage groups and Signet to manage privileges, Eddy for diagnostics

• Built completely on open protocols, using open source components

• Open and proprietary applications can be plumbed to work with it

Page 16

Comanageable applications

• Already done

  • Sympa, Federated wikis, Asterisk (open-source IP audioconferencing), Dim-Dim (open-source web meeting)

  • Bedework federated and public calendars

• Immediate targets

  • Rich access controlled wikis

  • Web-based file shares

Page 17

CMP dimensions of growth

• In the applications that can be driven by it

  • Collaboration and domain science prime areas

  • Largely a function of the application’s respect for middleware

• In the areas being managed

  • Diagnostics? Others?

• In the identities being managed

• In the coupling of autonomous and diverse instances

  • Deployment instances may be at many layers of organization and shift as it matures

  • Underlying stores may be db, directory, or other

Page 18

NSF Grant

• Two previous multi-year awards led to Shibboleth, Grouper, Signet, Eddy

• New SDCI grant (awarded 10/1/07) supports product improvements and development of collaboration management platforms

• Commits to working with two VOs to evaluate the software

• (Note: budget cuts and domain science…)

Page 19

Lots of COManage deployment options

• Platform at Stanford

• Deploy on LIGO servers

• Deploy on campus servers

• Instances can communicate with each other

Page 20

Two types of application enablement

• “Well-behaved” apps draw their entitlements, attributes and roles from a directory or db or… (something external)

• Other apps can have information from COManage pushed into them

  • Static or dynamic provisioning

  • Connectors could be X.509 certs, SAML assertions, etc.

Page 21

First questions

• Is there work to do together?

• Do time frames work?

• Co-reality check

• Relationship to VOMS

Page 22

Next steps