Intro to Identity for Developers
Tom Barton, U Chicago
Scott Cantor, Ohio State
Patrick Michaud, U Washington
Plan for the afternoon
• [All] Why are we here?
• [Tom] Internet2 Middleware big picture
• [Scott] Identity-enabling web applications
• Break
• [Patrick] Catalyst case study
• [Tom] Collaboration management
• [All] IAM current issues
Earlier
• Identity & Access Management plumbing
• Federations are rising
Later
• Identity Services
• Collaboration management
Internet2 Middleware Initiative (I2MI) big picture themes
Access Management Realities
• Many Sources of Authority
  • Policy making bodies
  • Resource managers
  • Program/activity heads
  • Self
  • Identification vs. authorization
• Distributed management
  • Within an organization
  • Among organizations
• Common & articulating infrastructure
  • Departments/programs/activities should not have to build their own
  • Articulate between organizations
Early I2MI revelation
• To ease the management of inter-org collaborative activities, campus IAM practices must be good enough
  • Identification & identifiers
  • Authentication
  • Attributes
  • Common practices & standards
I2MI's notion of middleware
• Basic enterprise-wide services that are used by many applications
• Now being extended through federations to include inter-institutional and virtual organization needs
• Authentication, single sign on, directories, identifiers, authorization and privilege management
• Perhaps workflow, digital rights management, enterprise service bus and a few others
• As much policy, governance, and practice as technology
Keys to success in middleware
• Application integration
  • Administrative
  • Academic and collaborative
• Institutional and business process integration
  • Working with authoritative sources
  • Becoming an authoritative source
• People and process time, not software and hardware expense
• Making it reliable, flexible and invisible – true indoor plumbing
Identity & Access Management reflected in a campus LDAP entry
uid: tbarton
chicagoID: 01191359N
eduPersonAffiliation: staff
isMemberOf: uc:drdepts:nsit:integration
isMemberOf: uc:adhoc:fact
isMemberOf: uc:directors
isMemberOf: uc:nsit:srdirs
isMemberOf: uc:nsit:integration:iteco_wrapp:gems:44:251:staff
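An added example (not code from the slides) of how a web application should consume an entry like the one above: parse the LDIF-style attribute/value lines into a multi-valued map, then decide access from eduPersonAffiliation and isMemberOf. The entry text is reconstructed from the slide; the group names in the access check and the rule that a user needs one of the listed groups plus a listed affiliation are assumptions made for illustration.

```python
# Added example, not from the slides. Parses an LDIF-style directory entry and
# makes an access decision from isMemberOf / eduPersonAffiliation. The sample
# entry is reconstructed from the slide; the ACL used in authorize() is assumed.
import base64
from collections import defaultdict

SAMPLE_ENTRY = """\
uid: tbarton
chicagoID: 01191359N
eduPersonAffiliation: staff
isMemberOf: uc:drdepts:nsit:integration
isMemberOf: uc:adhoc:fact
isMemberOf: uc:directors
isMemberOf: uc:nsit:srdirs
isMemberOf: uc:nsit:integration:iteco_wrapp:gems:44:251:staff
"""


def parse_entry(text):
    """Parse 'attr: value' (or 'attr:: base64') lines into {attr: [values]}.

    Every attribute is kept as a list because LDAP attributes are multi-valued;
    isMemberOf in particular is one value per group. Attribute names are
    lower-cased because LDAP attribute names are case-insensitive.
    """
    entry = defaultdict(list)
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line.startswith("#"):
            continue
        attr, sep, value = line.partition(":")
        if not sep:
            raise ValueError(f"malformed LDIF line: {raw!r}")
        if value.startswith(":"):  # 'attr:: <base64>' form
            value = base64.b64decode(value[1:].strip()).decode("utf-8")
        else:
            value = value.strip()
        entry[attr.strip().lower()].append(value)
    return dict(entry)


def is_member(entry, group):
    """True if the directory says the user is in `group` (exact match on the group name)."""
    return group in entry.get("ismemberof", [])


def authorize(entry, required_any_groups=(), required_affiliations=()):
    """Allow when the user is in at least one of required_any_groups (if given)
    AND holds at least one of required_affiliations (if given).

    The attributes must come from the directory or from the IdP's assertion,
    never from a request parameter the user controls; otherwise this check is
    decoration, not authorization.
    """
    groups_ok = (not required_any_groups) or any(
        is_member(entry, g) for g in required_any_groups
    )
    held = {a.lower() for a in entry.get("edupersonaffiliation", [])}
    wanted = {a.lower() for a in required_affiliations}
    aff_ok = (not required_affiliations) or bool(held & wanted)
    return groups_ok and aff_ok


if __name__ == "__main__":
    e = parse_entry(SAMPLE_ENTRY)
    print(e["ismemberof"])
    print(authorize(e, required_any_groups=["uc:directors"], required_affiliations=["staff"]))
```

The group string is compared exactly; an application that wants "anyone under uc:nsit:" must decide that explicitly rather than prefix-matching by accident.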
Relative Roles of Signet & Grouper
• Users are placed into groups
• Privileges are assigned to groups
• Groups can be arranged hierarchically to give privileges indirectly
• Grouper manages groups
• Signet manages privileges
• Aligns with diverse Sources of Authority
Privilege Elements by Example
grantor: By authority of the Dean
grantee (group/role): principal investigators
prerequisite: who have completed training
function: can approve purchases
scope: in the School of Medicine
resource: for research projects
limit: up to $100,000
conditions: until January 1, 2009; as long as a faculty member at…
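An added example (not Signet or Grouper code) that evaluates a privilege built from exactly the elements on this slide, with the grantee, prerequisite and condition expressed as groups that may nest, as the previous slide describes. Group names, user ids, the dollar amounts and the choice to treat "until January 1, 2009" as exclusive (the privilege is gone on that date) are assumptions for illustration.

```python
# Added example, not from the slides or from Signet/Grouper. Models a privilege
# as the slide's elements and checks every one of them before saying yes.
# Group names, user ids and the expiry convention are assumed.
from dataclasses import dataclass
from datetime import date
from typing import Optional

# Grouper-style groups: name -> members, where a member is a user id or
# another group name (nesting gives privileges indirectly).
GROUPS = {
    "som:faculty": {"alice", "bob"},
    "som:pi": {"alice", "som:junior_pi"},   # nested group
    "som:junior_pi": {"carol"},
    "training:purchasing": {"alice", "carol"},
}


def effective_members(groups, name, _seen=None):
    """Flatten nested group membership; cycle-safe."""
    seen = _seen if _seen is not None else set()
    if name in seen:
        return set()
    seen.add(name)
    members = set()
    for m in groups.get(name, ()):
        if m in groups:
            members |= effective_members(groups, m, seen)
        else:
            members.add(m)
    return members


@dataclass(frozen=True)
class Privilege:
    grantor: str
    grantee: str                    # group/role that holds the privilege
    prerequisite: Optional[str]     # group the user must also be in (e.g. trained)
    function: str
    scope: str
    resource: str
    limit: float
    expires: date                   # privilege is void on and after this date
    condition_group: Optional[str]  # "as long as a member of ..."


PURCHASE_APPROVAL = Privilege(
    grantor="Dean, School of Medicine",
    grantee="som:pi",
    prerequisite="training:purchasing",
    function="approve purchases",
    scope="som",
    resource="research projects",
    limit=100_000,
    expires=date(2009, 1, 1),
    condition_group="som:faculty",
)


def decide(priv, groups, user, function, scope, resource, amount, today):
    """Return (allowed, reason). The reason names the first failing element so a
    denial can be explained to the user and logged for the grantor."""
    if function != priv.function:
        return False, "function"
    if scope != priv.scope:
        return False, "scope"
    if resource != priv.resource:
        return False, "resource"
    if amount > priv.limit:
        return False, "limit"
    if today >= priv.expires:
        return False, "expired"
    if user not in effective_members(groups, priv.grantee):
        return False, "grantee"
    if priv.prerequisite and user not in effective_members(groups, priv.prerequisite):
        return False, "prerequisite"
    if priv.condition_group and user not in effective_members(groups, priv.condition_group):
        return False, "condition"
    return True, "ok"


if __name__ == "__main__":
    args = ("approve purchases", "som", "research projects")
    print(decide(PURCHASE_APPROVAL, GROUPS, "alice", *args, 50_000, date(2008, 6, 1)))
    print(decide(PURCHASE_APPROVAL, GROUPS, "carol", *args, 50_000, date(2008, 6, 1)))
```

Note that carol reaches the grantee group only through the nested som:junior_pi group, which is the "indirect" case from the previous slide, and is still denied because the "as long as a faculty member" condition is evaluated at decision time, not at grant time.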
Privilege Lifecycle
Multi-domain access scenarios
• Single domain
  • University (usually!)
• Single service domain, two user domains
  • Campus services & users, plus "guests"
• Single service domain, many user domains
  • Higher Ed service providers such as …
  • Library services, administrative ASPs, direct-to-student services
• Many service domains, many user domains
  • State & regional consortia
  • Some Virtual Orgs or Collaborative Orgs
  • Some grid infrastructures
• Sources of Authority & access management infrastructure are distributed across domains
The rise of federations
• Federations are now occurring broadly, and internationally, to support inter-institutional and external partner collaborations
• Almost all in the corporate world are bi-lateral; almost all in the R&E world are multilateral
• They provide a powerful leverage of enterprise (campus, site) credentials
• Federations are learning to peer
• Internal federations are also proving useful
InCommon Federation: Essential Data
• US R&E Federation, a 501(c)3
• Addresses legal, LoA, shared attributes, business proposition
• Members are universities, service providers, government agencies, national labs
• Over 80 organizations and growing steadily
• 1.7 million user base now
• Uses range over popular and academic content, wiki and list controls, ASPs, NIH, MS DreamSpark, …
• www.incommonfederation.org
InCommon Federation: Essential Services
• Trust fabric: Metadata so that IdPs & SPs can mutually authenticate & interoperate
• Multilateral agreement among federation participants
  • Agree to actually operate as they claim to
• A "Where Are You From" service available
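An added example (not InCommon or Shibboleth code) of what the "trust fabric" bullet means on the service-provider side: the SP loads a SAML 2.0 metadata aggregate of the kind a federation publishes, and takes two things from it rather than from anything on the wire: each IdP's SingleSignOnService endpoints, and the certificate the IdP signs with. The metadata document, its entityIDs, URLs and certificate text are constructed placeholders, not real federation entities.

```python
# Added example, not from the slides or from any federation's software.
# Loads a SAML 2.0 metadata aggregate and answers two SP questions from it:
# "where do I send this user for SSO?" and "is this signer one I trust?".
# The metadata below is constructed; nothing in it is a real entity.
import xml.etree.ElementTree as ET  # for real input prefer defusedxml (XXE, entity expansion)

MD = "urn:oasis:names:tc:SAML:2.0:metadata"
DS = "http://www.w3.org/2000/09/xmldsig#"
REDIRECT = "urn:oasis:names:tc:SAML:2.0:bindings:HTTP-Redirect"
POST = "urn:oasis:names:tc:SAML:2.0:bindings:HTTP-POST"

SAMPLE_METADATA = f"""<?xml version="1.0"?>
<EntitiesDescriptor xmlns="{MD}" xmlns:ds="{DS}" Name="urn:example:federation">
  <EntityDescriptor entityID="https://idp.example.edu/idp/shibboleth">
    <IDPSSODescriptor protocolSupportEnumeration="urn:oasis:names:tc:SAML:2.0:protocol">
      <KeyDescriptor use="signing">
        <ds:KeyInfo><ds:X509Data>
          <ds:X509Certificate>MIIC...placeholder...IDP</ds:X509Certificate>
        </ds:X509Data></ds:KeyInfo>
      </KeyDescriptor>
      <KeyDescriptor use="encryption">
        <ds:KeyInfo><ds:X509Data>
          <ds:X509Certificate>MIIC...placeholder...ENC</ds:X509Certificate>
        </ds:X509Data></ds:KeyInfo>
      </KeyDescriptor>
      <SingleSignOnService Binding="{REDIRECT}" Location="https://idp.example.edu/idp/profile/SAML2/Redirect/SSO"/>
      <SingleSignOnService Binding="{POST}" Location="https://idp.example.edu/idp/profile/SAML2/POST/SSO"/>
    </IDPSSODescriptor>
  </EntityDescriptor>
  <EntityDescriptor entityID="https://sp.example.org/shibboleth">
    <SPSSODescriptor protocolSupportEnumeration="urn:oasis:names:tc:SAML:2.0:protocol">
      <AssertionConsumerService Binding="{POST}" Location="https://sp.example.org/Shibboleth.sso/SAML2/POST" index="1"/>
    </SPSSODescriptor>
  </EntityDescriptor>
</EntitiesDescriptor>
"""


def load_idps(metadata_xml):
    """Map entityID -> {"sso": {binding: location}, "signing_certs": [b64, ...]} for each IdP."""
    root = ET.fromstring(metadata_xml)
    idps = {}
    for ed in root.iter(f"{{{MD}}}EntityDescriptor"):
        idp = ed.find(f"{{{MD}}}IDPSSODescriptor")
        if idp is None:
            continue  # SP-only entity; it has no SSO endpoint and we never redirect to it
        sso = {
            s.get("Binding"): s.get("Location")
            for s in idp.findall(f"{{{MD}}}SingleSignOnService")
        }
        certs = []
        for kd in idp.findall(f"{{{MD}}}KeyDescriptor"):
            # A KeyDescriptor without 'use' is valid for both signing and encryption.
            if kd.get("use", "signing") != "signing":
                continue
            for c in kd.iter(f"{{{DS}}}X509Certificate"):
                certs.append("".join(c.text.split()))
        idps[ed.get("entityID")] = {"sso": sso, "signing_certs": certs}
    return idps


def sso_url(idps, entity_id, binding=REDIRECT):
    """The SSO URL comes from metadata or the request is refused; it is never
    assembled from a parameter the browser supplied."""
    ent = idps.get(entity_id)
    if ent is None or binding not in ent["sso"]:
        raise LookupError(f"no {binding} SSO endpoint in metadata for {entity_id}")
    return ent["sso"][binding]


def signer_trusted(idps, entity_id, cert_b64):
    """Accept a response only if the certificate that signed it is one metadata
    lists for that issuer. Encryption-only keys do not count."""
    ent = idps.get(entity_id)
    return ent is not None and "".join(cert_b64.split()) in ent["signing_certs"]


if __name__ == "__main__":
    fabric = load_idps(SAMPLE_METADATA)
    print(sso_url(fabric, "https://idp.example.edu/idp/shibboleth"))
    print(signer_trusted(fabric, "https://idp.example.edu/idp/shibboleth", "MIIC...placeholder...IDP"))
```

In a real deployment the aggregate itself must be verified against the federation's signing key before any of this is believed, and re-fetched on the federation's published schedule; a stale or unsigned aggregate is exactly the weak point the "agree to actually operate as they claim to" bullet is about.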
Example: TeraGrid and multiple domains
[Diagram; only its labels survive extraction] Nodes: Campus, Science Gateway, InCommon Federation, TeraGrid Resources (~10 sites); other node counts shown: ~20 sites, ~125 sites. Labelled flows: provision accounts, attributes, run/monitor.
Collaboration and Federated Identity
• Two powerful forces being leveraged
  • the rise of federated identity
  • the bloom in collaboration tools, most particularly in the Web 2.0 space but including file shares, email list procs, etc.
• Collaboration management platforms provide identity services to "well-behaved collaboration applications"
• Results in user and collaboration centric identity, not tool-based identity
Collaboration Management Platforms
• Management of collaboration is a real impediment to collaboration, particularly with the growing variety of tools
• Goal is to develop a "platform" for handling the identity management aspects of many different collaboration tools
  • Platform includes a framework and model, specific running code that implements the model, and applications that take advantage of the model
• This space presents possibilities of improving the overall unified UI as well as UI for specific applications and components.
COmanage
• A collaboration management platform, supported in part by an NSF OCI grant, being developed by the Internet2 community, with Stanford as a lead institution
• Open source, open protocol
• Uses Shibboleth, Grouper, and Signet
• Parallels activities in the UK and Australia
COmanageable applications
• Already done
  • Sympa, federated wikis, Asterisk (open-source IP audioconferencing), Dim-Dim (open-source web meeting), Bedework (federated open-source calendar)
• Immediate targets
  • Rich access-controlled wikis
  • Web-based file shares, IM, Google Apps for Education
  • Domain science resources
    • Instruments
    • Grids
Some general COmanage comments
• A limited number of consoles present the basic identity services; can move directly between services as a standard workflow
• Early in the development; the GUI is particularly primitive
• Underlying store is an LDAP directory; alternatives include MySQL db, RTF store, etc.
• COmanage can be deployed by a campus, a department, a VO, a VO service center; COmanage instances communicate with each other by the “attribute ecosystem” voodoo
Collaboration Management Platform (CMP) and the Attribute Ecosystem
[Diagram; only its labels survive extraction] Home Org & Id Providers / Sources of Authority: University A, University B, Laboratory X. Attribute Ecosystem flows feed the Collaboration Management Platform, whose Attribute/Resource Info Data Store backs its functions: CoAuthorization (Group Info), Authorization (Privilege Info), Authentication, PeoplePicker, Other Functions, manage. Application Attributes flow out to the Collaboration Tools/Resources: FederatedWiki, Domain Science Grid, Domain Science Instrument, File Sharing, Calendar, Phone/Video Conference, Email List Manager.