
Intro to Identity for Developers

Tom Barton, U Chicago

Scott Cantor, Ohio State

Patrick Michaud, U Washington

Plan for the afternoon

• [All] Why are we here?

• [Tom] Internet2 Middleware big picture

• [Scott] Identity-enabling web applications

• Break

• [Patrick] Catalyst case study

• [Tom] Collaboration management

• [All] IAM current issues

Internet2 Middleware Initiative (I2MI) big picture themes

Earlier

• Identity & Access Management plumbing

• Federations are rising

Later

• Identity Services

• Collaboration management

Access Management Realities

• Many Sources of Authority
  • Policy making bodies
  • Resource managers
  • Program/activity heads
  • Self
  • Identification vs. authorization

• Distributed management
  • Within an organization
  • Among organizations

• Common & articulating infrastructure
  • Departments/programs/activities should not have to build their own
  • Articulate between organizations

Early I2MI revelation

• To ease the management of inter-org collaborative activities, campus IAM practices must be good enough
  • Identification & identifiers
  • Authentication
  • Attributes
  • Common practices & standards

I2MI's notion of middleware

Pre-indoor plumbing

• Basic enterprise-wide services that are used by many applications

• Now being extended through federations to include inter-institutional and virtual organization needs

• Authentication, single sign on, directories, identifiers, authorization and privilege management

• Perhaps workflow, digital rights management, enterprise service bus and a few others

• As much policy, governance, and practice as technology

Keys to success in middleware

• Application integration
  • Administrative
  • Academic and collaborative

• Institutional and business process integration
  • Working with authoritative sources
  • Becoming an authoritative source

• People and process time - not software and hardware expense

• Making it reliable, flexible and invisible – true indoor plumbing

Identity & Access Management reflected in a campus LDAP entry

uid: tbarton
chicagoID: 01191359N
eduPersonAffiliation: staff
isMemberOf: uc:drdepts:nsit:integration
isMemberOf: uc:adhoc:fact
isMemberOf: uc:directors
isMemberOf: uc:nsit:srdirs
isMemberOf: uc:nsit:integration:iteco_wrapp:gems:44:251:staff

New tools

Relative Roles of Signet & Grouper

• Users are placed into groups

• Privileges are assigned to groups

• Groups can be arranged hierarchically to give privileges indirectly

• Grouper manages groups

• Signet manages privileges

• Aligns with diverse Sources of Authority

(diagram: Grouper, Signet)

Privilege Elements by Example

grantor: By authority of the Dean

grantee (group/role): principal investigators

prerequisite: who have completed training

function: can approve purchases

scope: in the School of Medicine

resource: for research projects

limit: up to $100,000

conditions: until January 1, 2009; as long as a faculty member at…
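The two slides above describe a division of labour (Grouper holds groups, which may nest; Signet holds privileges granted to groups, each with grantor, grantee, prerequisite, function, scope, resource, limit and conditions) and walk through one privilege. The following is an added example, not Internet2, Grouper or Signet code, that models both: nested groups resolve membership indirectly, and a privilege with the Dean's elements is evaluated against requests. Every group name, user, amount and date in it is constructed for illustration.

```python
"""Toy model of the Grouper/Signet split: Grouper-style groups (nestable)
plus Signet-style privileges whose elements follow the "Privilege Elements
by Example" slide. Added example with constructed data, not project code."""
from dataclasses import dataclass
from datetime import date


class GroupRegistry:
    """Minimal Grouper-like store: group name -> set of members, where a
    member is either a user id or the name of another registered group."""

    def __init__(self):
        self._members = {}

    def add_member(self, group, member):
        self._members.setdefault(group, set()).add(member)

    def effective_members(self, group, _seen=None):
        """Users reachable from `group`, flattening nested groups.
        The `_seen` set guards against membership cycles."""
        seen = set() if _seen is None else _seen
        if group in seen:
            return set()
        seen.add(group)
        users = set()
        for member in self._members.get(group, ()):
            if member in self._members:          # nested group: recurse
                users |= self.effective_members(member, seen)
            else:                                # plain user id
                users.add(member)
        return users

    def is_member(self, user, group):
        return user in self.effective_members(group)


@dataclass(frozen=True)
class Privilege:
    """One Signet-style privilege. Conditions are modelled as an expiry
    date plus a group the user must still belong to."""
    grantor: str
    grantee: str          # group/role that receives the privilege
    prerequisite: str     # group the user must also belong to
    function: str
    scope: str
    resource: str
    limit: float
    expires: date         # valid on days strictly before this date
    condition_group: str  # "as long as a member of ..." condition


@dataclass(frozen=True)
class Request:
    user: str
    function: str
    scope: str
    resource: str
    amount: float
    on: date


def evaluate(priv, req, groups):
    """Check each privilege element against a request; returns
    (allowed, reason) so the first failing element is visible."""
    if (req.function, req.scope, req.resource) != (priv.function, priv.scope, priv.resource):
        return False, "function, scope or resource does not match"
    if not groups.is_member(req.user, priv.grantee):
        return False, f"{req.user} is not in grantee group {priv.grantee}"
    if not groups.is_member(req.user, priv.prerequisite):
        return False, f"prerequisite {priv.prerequisite} not met"
    if req.amount > priv.limit:
        return False, f"amount {req.amount} exceeds limit {priv.limit}"
    if req.on >= priv.expires:
        return False, f"privilege expired on {priv.expires}"
    if not groups.is_member(req.user, priv.condition_group):
        return False, f"condition failed: not in {priv.condition_group}"
    return True, "allowed"


def build_demo():
    """Constructed data: the Dean's purchase-approval privilege from the slide."""
    g = GroupRegistry()
    for user in ("alice", "bob", "carol"):
        g.add_member("som:faculty", user)
    g.add_member("som:pis", "alice")
    g.add_member("som:pis", "bob")
    g.add_member("som:cardiology:pis", "carol")
    g.add_member("som:pis", "som:cardiology:pis")  # nested: carol is a PI indirectly
    g.add_member("training:purchasing", "alice")
    g.add_member("training:purchasing", "carol")   # bob has not completed training
    priv = Privilege(grantor="Dean", grantee="som:pis", prerequisite="training:purchasing",
                     function="approve purchases", scope="School of Medicine",
                     resource="research projects", limit=100_000,
                     expires=date(2009, 1, 1), condition_group="som:faculty")
    return g, priv


def decide(user, amount, on="2008-06-01"):
    """Can `user` approve a research-project purchase of `amount` on ISO date `on`?"""
    groups, priv = build_demo()
    req = Request(user=user, function="approve purchases", scope="School of Medicine",
                  resource="research projects", amount=amount, on=date.fromisoformat(on))
    return evaluate(priv, req, groups)
```

Running `decide("carol", 10_000)` shows the indirect path: carol is never placed in `som:pis` directly, but her departmental PI group is a member of it, so the Dean's grant reaches her; `decide("bob", 50_000)` is refused on the prerequisite even though he is a PI, which is the point of keeping the training requirement as a separate group rather than folding it into the role.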

Privilege Lifecycle

Multi-domain access scenarios

• Single domain
  • University (usually!)

• Single service domain, two user domains
  • Campus services & users, plus "guests"

• Single service domain, many user domains
  • Higher Ed service providers such as …
  • Library services, administrative ASPs, direct-to-student services

• Many service domains, many user domains
  • State & regional consortia
  • Some Virtual Orgs or Collaborative Orgs
  • Some grid infrastructures

• Sources of Authority & access management infrastructure are distributed across domains

Federated Identity (diagram, à la Shibboleth)

Authenticate @Home: the user's home organization acts as Identity Provider ("IdP")

Authorize @Resource: the resource's operator acts as Service Provider ("SP")

The rise of federations

• Federations are now occurring broadly, and internationally, to support inter-institutional and external partner collaborations

• Almost all in the corporate world are bi-lateral; almost all in the R&E world are multilateral

• They provide a powerful leverage of enterprise (campus, site) credentials

• Federations are learning to peer

• Internal federations are also proving useful

InCommon Federation: Essential Data

• US R&E Federation, a 501(c)3

• Addresses legal, LoA, shared attributes, business proposition

• Members are universities, service providers, government agencies, national labs

• Over 80 organizations and growing steadily

• 1.7 million user base now

• Uses range over popular and academic content, wiki and list controls, ASPs, NIH, MS DreamSpark, …

• www.incommonfederation.org

InCommon Federation: Essential Services

• Trust fabric: Metadata so that IdP's & SP's can mutually authenticate & interoperate

• Multilateral agreement among federation participants
  • Agree to actually operate as they claim to

• A “Where Are You From” Service available
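The Federated Identity slide (authenticate at home, authorize at the resource) and the "trust fabric" bullet above describe one exchange: the IdP vouches for the user in a signed assertion, and the SP accepts it only because federation metadata tells it which issuers to trust and how to check their signatures. The following added example, which is not Shibboleth, SAML or InCommon code, walks through that exchange end to end. Real SAML assertions carry XML signatures verified against certificates published in metadata; an HMAC shared key stands in for that here so the example runs with the standard library alone. The entity IDs, key, subject `jdoe`, attributes and timestamp are all constructed.

```python
"""Simplified federated login: IdP issues a signed attribute assertion,
SP verifies it against federation metadata, then authorizes on attributes.
Added example with constructed data; HMAC replaces SAML XML signatures."""
import hashlib
import hmac
import json

IDP_ENTITY_ID = "https://idp.example-campus.edu/idp"   # constructed
SP_ENTITY_ID = "https://wiki.example-vo.org/sp"        # constructed

# Constructed federation metadata: the SP's view of which issuers it trusts
# and what key material verifies their assertions. Real metadata would hold
# X.509 certificates; a shared HMAC key is a stand-in for this example.
METADATA = {IDP_ENTITY_ID: {"key": b"demo-idp-signing-key"}}


def _canonical(payload):
    """Deterministic serialization so issuer and verifier sign the same bytes."""
    return json.dumps(payload, sort_keys=True, separators=(",", ":")).encode()


def idp_issue_assertion(issuer, key, subject, attributes, audience, now, ttl=300):
    """Authenticate @Home: after the campus login, the IdP asserts who the
    user is and which attributes this SP may see, bound to that SP (audience)
    and a short validity window, and signs the whole statement."""
    payload = {"issuer": issuer, "subject": subject, "audience": audience,
               "attributes": attributes, "issued": now, "expires": now + ttl}
    signature = hmac.new(key, _canonical(payload), hashlib.sha256).hexdigest()
    return {"payload": payload, "signature": signature}


def sp_verify_assertion(assertion, metadata, my_entity_id, now):
    """Trust-fabric checks in order: known issuer, valid signature, correct
    audience, inside validity window. Returns (payload, reason); payload is
    None on any failure so the caller cannot accidentally use it."""
    payload = assertion.get("payload", {})
    entry = metadata.get(payload.get("issuer"))
    if entry is None:
        return None, "issuer not in federation metadata"
    expected = hmac.new(entry["key"], _canonical(payload), hashlib.sha256).hexdigest()
    if not hmac.compare_digest(expected, assertion.get("signature", "")):
        return None, "signature does not verify"
    if payload.get("audience") != my_entity_id:
        return None, "assertion addressed to a different SP"
    if not payload["issued"] <= now < payload["expires"]:
        return None, "assertion outside its validity window"
    return payload, "ok"


def sp_authorize(payload, required_affiliation):
    """Authorize @Resource: the SP decides on asserted attributes, not on
    having performed the login itself."""
    return required_affiliation in payload["attributes"].get("eduPersonAffiliation", [])


def run_flow(tamper=False, clock_offset=0, issuer=IDP_ENTITY_ID, key=None,
             affiliation="staff"):
    """End-to-end exchange for constructed user 'jdoe'. `tamper` edits the
    attributes after signing; `clock_offset` shifts the SP's clock; `issuer`
    and `key` let the caller simulate an IdP outside the federation."""
    now = 1_230_000_000                      # constructed timestamp (seconds)
    key = METADATA[IDP_ENTITY_ID]["key"] if key is None else key
    assertion = idp_issue_assertion(issuer, key, "jdoe",
                                    {"eduPersonAffiliation": ["staff"]},
                                    SP_ENTITY_ID, now)
    if tamper:
        assertion["payload"]["attributes"]["eduPersonAffiliation"].append("faculty")
    payload, reason = sp_verify_assertion(assertion, METADATA, SP_ENTITY_ID,
                                          now + clock_offset)
    if payload is None:
        return False, reason
    return sp_authorize(payload, affiliation), reason
```

The split between `sp_verify_assertion` and `sp_authorize` mirrors the slide: verification is about trust in the issuer and integrity of the statement, authorization is the SP's own policy over the attributes it received. Note that an issuer absent from `METADATA` is rejected before its signature is even examined, which is why keeping the metadata feed current matters as much as the signature check itself.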

Example: TeraGrid and multiple domains (diagram)

Labels: Campus (~125 sites) in the InCommon Federation; Science Gateway (~20 sites); TeraGrid Resources (~10 sites). Arrows: provision accounts; attributes; run/monitor at each domain.

Identity Services

• Decouple application design from implementation of identity services

(diagram labels: In the cloud; Many technologies)

Collaboration and Federated Identity

• Two powerful forces being leveraged
  • the rise of federated identity
  • the bloom in collaboration tools, most particularly in the Web 2.0 space but including file shares, email list procs, etc

• Collaboration management platforms provide identity services to “well-behaved collaboration applications”

• Results in user and collaboration centric identity, not tool-based identity

Collaboration Management Platforms

• Management of collaboration a real impediment to collaboration, particularly with the growing variety of tools

• Goal is to develop a “platform” for handling the identity management aspects of many different collaboration tools
  • Platform includes a framework and model, specific running code that implements the model, and applications that take advantage of the model

• This space presents possibilities of improving the overall unified UI as well as UI for specific applications and components.

COmanage

• A collaboration management platform, supported in part by a NSF OCI grant, being developed by the Internet2 community, with Stanford as a lead institution

• Open source, open protocol

• Uses Shibboleth, Grouper, and Signet

• Parallels activities in the UK and Australia

Comanageable applications

• Already done
  • Sympa, Federated wikis, Asterisk (open-source IP audioconferencing), Dim-Dim (open-source web meeting), Bedeworks (federated open-source calendar)

• Immediate targets
  • Rich access controlled wikis
  • Web-based file shares, IM, Google Apps for Education
  • Domain science resources
    • Instruments
    • Grids

Some general COmanage comments

• A limited number of consoles present the basic identity services; can move directly between services as a standard workflow

• Early in the development; the GUI is particularly primitive

• Underlying store is an LDAP directory; alternatives include MySQL db, RTF store, etc.

• COmanage can be deployed by a campus, a department, a VO, a VO service center; COmanage instances communicate with each other by the “attribute ecosystem” voodoo

Collaboration Management Platform (CMP) and the Attribute Ecosystem (diagram)

Labels: Home Org & Id Providers / Sources of Authority (University A, University B, Laboratory X); Attribute Ecosystem flows; Collaboration Management Platform (Attribute/Resource Info Data Store; Authentication; People Picker; Authorization: Group Info, Privilege Info; Other Functions; manage); Collaboration Tools / Resources (FederatedWiki, Domain Science Grid, Domain Science Instrument, File Sharing, Calendar, Phone/Video Conference, Email List Manager); Application Attributes.

Current issues in IAM

• Level of Assurance

• Campus Roles

• Shibboleth & Active Directory

• OpenID and (campus) attributes

• Privacy & consent

• Guest management