![Page 1: Towards Common Identity Services](https://reader035.vdocuments.site/reader035/viewer/2022062817/56816922550346895de0548e/html5/thumbnails/1.jpg)
Towards Common Identity Services
Tom Barton, University of Chicago
![Page 2: Towards Common Identity Services](https://reader035.vdocuments.site/reader035/viewer/2022062817/56816922550346895de0548e/html5/thumbnails/2.jpg)
Matterhorn
• Consortium of universities building an enterprise-level, easy-to-install open source podcast and rich media capture, processing and delivery system.
• Typical security issues need to be handled
– User authentication
– Service authentication
– Proxy authentication
– Long-running processes
– Integration with enterprise services
– Out-of-the-box support for enterprises lacking those services
17-18 November 2009
![Page 3: Towards Common Identity Services](https://reader035.vdocuments.site/reader035/viewer/2022062817/56816922550346895de0548e/html5/thumbnails/3.jpg)
“Is this a problem that the Matterhorn software needs to solve?
… I hope we can come up with a cheap & easy solution in order to get on with our fundamental tasks involving the handling of media.”
Josh Holtzman, Matterhorn team member, opencast list, May 15, 2009
![Page 4: Towards Common Identity Services](https://reader035.vdocuments.site/reader035/viewer/2022062817/56816922550346895de0548e/html5/thumbnails/4.jpg)
![Page 5: Towards Common Identity Services](https://reader035.vdocuments.site/reader035/viewer/2022062817/56816922550346895de0548e/html5/thumbnails/5.jpg)
Identity services for applications
Diagram with three layers:
– Manage: Subjects, Groups, Roles, Privileges, Credentials
– Interface: Roles, Groups, Permissions, Attributes, Authentication
– Convey: Kerberos, SQL, SAML, LDAP, SOAP/REST
![Page 6: Towards Common Identity Services](https://reader035.vdocuments.site/reader035/viewer/2022062817/56816922550346895de0548e/html5/thumbnails/6.jpg)
WANTED: Domesticated applications
• Integrate collaboration tools into a common platform
• User- and collaboration-centric identity, not tool-based identity
• How much domestication is needed?
– COmanage
– SURFGroepen
– Sympa as VO group manager
– Duke’s OZ
– SWITCH VO platform
– U Malaga “identity bus”
– Bamboo?
![Page 7: Towards Common Identity Services](https://reader035.vdocuments.site/reader035/viewer/2022062817/56816922550346895de0548e/html5/thumbnails/7.jpg)
The identity services problem
Applications that integrate easily with external IAM services can't be developed until there is broadly held agreement on the interfaces between the two.
![Page 8: Towards Common Identity Services](https://reader035.vdocuments.site/reader035/viewer/2022062817/56816922550346895de0548e/html5/thumbnails/8.jpg)
It’s a tower of turtles
• Application developers
• Framework developers
• Platform developers
• Standards bodies
– Too many
– Not enough
• Communities of practice
– Education & Research
– Internet Identity
• Integrators
• Deployers
![Page 9: Towards Common Identity Services](https://reader035.vdocuments.site/reader035/viewer/2022062817/56816922550346895de0548e/html5/thumbnails/9.jpg)
Don’t try to solve the general problem!
Focus on a small set of related, constrained use cases and make progress on those
![Page 10: Towards Common Identity Services](https://reader035.vdocuments.site/reader035/viewer/2022062817/56816922550346895de0548e/html5/thumbnails/10.jpg)
June 2009 Advanced CAMP: Identity Services Summit
• Participation
– Open source project developers
• Jasig (uPortal, CAS, Bedework)
• SAKAI
• Kuali
– Campus developers & architects
– Internet2/MACE
– Kantara
• Project reviews (surveys & sessions)
• Lightning talks, break-outs
![Page 11: Towards Common Identity Services](https://reader035.vdocuments.site/reader035/viewer/2022062817/56816922550346895de0548e/html5/thumbnails/11.jpg)
Some action items from the Identity Services Summit
• Access management glossary and mapping between open source projects
• KIM – Grouper service implementation proof of concept
• uPortal – Grouper service implementation proof of concept
• Shibbolized & CASified .NET & SharePoint
• Bedework & COmanage discovery
• Enhance development frameworks with roles, etc.
– Spring, Django
![Page 12: Towards Common Identity Services](https://reader035.vdocuments.site/reader035/viewer/2022062817/56816922550346895de0548e/html5/thumbnails/12.jpg)
MACE-Paccman: some problems
• Access Management terminology is confusing, e.g. privilege, permission, entitlement, authorization
• Access Management is often embedded in applications and so is reinvented often
• Access Management often does not account for federations
• Provisioning is easier than de-provisioning
• Audit trails are often per application, if they exist at all
Paccman slides courtesy of Tom Dopirak
![Page 13: Towards Common Identity Services](https://reader035.vdocuments.site/reader035/viewer/2022062817/56816922550346895de0548e/html5/thumbnails/13.jpg)
MACE-Paccman Initial Deliverables
• Glossary and models for Access Management
– How to use groups
– How to use privileges
– How to provision embedded Access Management software
– Audit considerations
• Comparative glossary with major access management endeavors and Open Source Higher Ed projects, e.g. Sakai, uPortal, Kuali
• Use cases in Access Management
• Mapping use cases to existing efforts
– Kuali KIM
– MIT’s perMIT
– Grouper
![Page 14: Towards Common Identity Services](https://reader035.vdocuments.site/reader035/viewer/2022062817/56816922550346895de0548e/html5/thumbnails/14.jpg)
Kuali Foundation
“open source administrative software for higher education, by higher education”
• Kuali Financials
• Kuali Coeus (research administration)
• Kuali Student
• Kuali Rice (middleware framework)
• Incubation projects
– OLE (integrated library system)
– continuity planning
– payroll/HR
– materials management
![Page 15: Towards Common Identity Services](https://reader035.vdocuments.site/reader035/viewer/2022062817/56816922550346895de0548e/html5/thumbnails/15.jpg)
Kuali Identity Management (KIM)
• A new module of the Kuali Rice middleware framework (http://rice.kuali.org)
• Implemented as a set of services for identity and access management
• Designed with the needs of the other Kuali applications in mind (financials, research administration and student system)
• But also meant to be general enough to be used by other applications as well
KIM slides courtesy of Eric Westfall
![Page 16: Towards Common Identity Services](https://reader035.vdocuments.site/reader035/viewer/2022062817/56816922550346895de0548e/html5/thumbnails/16.jpg)
KIM Services
• IdentityService
– Principals and entities
• GroupService
– Group data, group membership checks
• PermissionService
– Authorization checks
• RoleService
– Role data
• ResponsibilityService
– Resolve responsibilities for certain actions (integration point with the workflow engine)
• AuthenticationService
– Establishes an authenticated user’s session
![Page 17: Towards Common Identity Services](https://reader035.vdocuments.site/reader035/viewer/2022062817/56816922550346895de0548e/html5/thumbnails/17.jpg)
![Page 18: Towards Common Identity Services](https://reader035.vdocuments.site/reader035/viewer/2022062817/56816922550346895de0548e/html5/thumbnails/18.jpg)
Where does it fit?
• Topic of discussion at Advanced CAMP on identity management in June
– Where does Kuali Identity Management fit into the broader identity and access management space in higher education?
• A few possibilities
– Can be used solely for implementation of specific Kuali applications
– Can be positioned as the primary identity and access management services at an institution
– Certain pieces of the reference implementation can be used, while others can be integrated with or replaced with other solutions (e.g. LDAP, Grouper, Active Directory)
• Working on some projects surrounding the last item, specifically working with the Grouper team on a proof of concept for integration with KIM
![Page 19: Towards Common Identity Services](https://reader035.vdocuments.site/reader035/viewer/2022062817/56816922550346895de0548e/html5/thumbnails/19.jpg)
![Page 20: Towards Common Identity Services](https://reader035.vdocuments.site/reader035/viewer/2022062817/56816922550346895de0548e/html5/thumbnails/20.jpg)
uPortal’s group-related services
• GAP: Groups And Permissions
– Gather groups from configured group stores
– UI to manage groups and permissions
– Desired to outsource to Grouper
• PAGS: Person-Attribute Group Service
– Present group memberships from attributes in user’s security context
• PD: Person Directory
– Gather Subjects from configured stores
![Page 21: Towards Common Identity Services](https://reader035.vdocuments.site/reader035/viewer/2022062817/56816922550346895de0548e/html5/thumbnails/21.jpg)
uPortal-Grouper integration needs
Diagram components: PD, GAP, PAGS, WS UI; stores: Portal DB, LDAP, DB-A; a Subject Source; an arrow labelled “pull groups (& Subjects)”.
• Add GAP interface
• Add group-pull
• Refactor PAGS
• New group admin UI
• Portal Subjects source adapter
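The “Identity services for applications” layers, the KIM service list and uPortal’s PD, GAP and PAGS all describe the same shape: one application-facing interface for subjects, groups and permissions that hides which store conveys the data and lets a store (Grouper, LDAP, the portal DB) be swapped in behind it. The following is an added example in Python, not code from uPortal, Kuali Rice, Grouper or this presentation, that sketches that shape: a Person Directory that merges a subject’s attributes from several sources, one explicit group store standing in for a pulled Grouper group, one PAGS-style store that derives memberships from attributes, and a GAP-style check that grants permissions only to groups. Every class name, attribute rule, group name and sample record is constructed for illustration.

```python
"""Illustrative identity-services layer (added example; not uPortal, KIM or Grouper code)."""
from dataclasses import dataclass
from typing import Callable, Dict, FrozenSet, Iterable, Mapping, Optional, Protocol


@dataclass(frozen=True)
class Subject:
    """A person-directory record: identifier plus multi-valued attributes."""
    id: str
    attributes: Mapping[str, FrozenSet[str]]

    def has(self, attr: str, value: str) -> bool:
        return value in self.attributes.get(attr, frozenset())


class SubjectSource(Protocol):
    """Conveyance adapter for subjects (in practice LDAP, SQL, SAML attributes ...)."""
    def find(self, subject_id: str) -> Optional[Subject]: ...


class GroupStore(Protocol):
    """Conveyance adapter for group memberships (Grouper WS, LDAP, portal DB ...)."""
    def groups_of(self, subject: Subject) -> FrozenSet[str]: ...


class DictSubjectSource:
    """Constructed stand-in for one subject store, e.g. an LDAP directory."""
    def __init__(self, records: Iterable[Subject]):
        self._records = {r.id: r for r in records}

    def find(self, subject_id: str) -> Optional[Subject]:
        return self._records.get(subject_id)


class ExplicitGroupStore:
    """Constructed stand-in for a store listing members per group (a pulled Grouper group)."""
    def __init__(self, members: Mapping[str, Iterable[str]]):
        self._members = {g: frozenset(ids) for g, ids in members.items()}

    def groups_of(self, subject: Subject) -> FrozenSet[str]:
        return frozenset(g for g, ids in self._members.items() if subject.id in ids)


class AttributeGroupStore:
    """PAGS-style store: membership is a predicate over the subject's attributes."""
    def __init__(self, rules: Mapping[str, Callable[[Subject], bool]]):
        self._rules = dict(rules)

    def groups_of(self, subject: Subject) -> FrozenSet[str]:
        return frozenset(g for g, rule in self._rules.items() if rule(subject))


class PersonDirectory:
    """PD: look a subject up across configured sources and merge their attributes."""
    def __init__(self, sources: Iterable[SubjectSource]):
        self._sources = list(sources)

    def find(self, subject_id: str) -> Optional[Subject]:
        merged: Dict[str, FrozenSet[str]] = {}
        found = False
        for source in self._sources:
            rec = source.find(subject_id)
            if rec is None:
                continue
            found = True
            for attr, values in rec.attributes.items():
                merged[attr] = merged.get(attr, frozenset()) | values
        return Subject(subject_id, merged) if found else None


class GroupsAndPermissions:
    """GAP: the application-facing interface. Groups are the union over every configured
    store; permissions are granted to groups, never to subjects, so the authorization
    check is 'is the subject in any group that holds this permission'."""
    def __init__(self, directory: PersonDirectory, stores: Iterable[GroupStore],
                 grants: Mapping[str, Iterable[str]]):
        self._pd = directory
        self._stores = list(stores)
        self._grants = {p: frozenset(gs) for p, gs in grants.items()}

    def groups_of(self, subject_id: str) -> FrozenSet[str]:
        subject = self._pd.find(subject_id)
        if subject is None:          # unknown subject: no memberships, fail closed
            return frozenset()
        return frozenset().union(*(s.groups_of(subject) for s in self._stores))

    def is_authorized(self, subject_id: str, permission: str) -> bool:
        # An unknown permission has no grants and is denied, as is an unknown subject.
        return bool(self._grants.get(permission, frozenset()) & self.groups_of(subject_id))


# Constructed sample data: two subject sources, one explicit and one attribute group store.
ldap = DictSubjectSource([
    Subject("alice", {"eduPersonAffiliation": frozenset({"faculty", "staff"})}),
    Subject("bob", {"eduPersonAffiliation": frozenset({"student"})}),
])
portal_db = DictSubjectSource([Subject("alice", {"portalTheme": frozenset({"dark"})})])
directory = PersonDirectory([ldap, portal_db])

grouper = ExplicitGroupStore({"app:media:admins": ["alice"]})   # hypothetical group name
pags = AttributeGroupStore({
    "pags:faculty": lambda s: s.has("eduPersonAffiliation", "faculty"),
    "pags:students": lambda s: s.has("eduPersonAffiliation", "student"),
})
gap = GroupsAndPermissions(directory, [grouper, pags], {
    "media:publish": ["app:media:admins", "pags:faculty"],
    "media:view": ["pags:faculty", "pags:students"],
})

if __name__ == "__main__":
    for who in ("alice", "bob", "nobody"):
        print(who, sorted(gap.groups_of(who)), gap.is_authorized(who, "media:publish"))
```

Two properties of this layout are the ones a practitioner should check in any real integration: an unknown subject or an unknown permission is denied rather than passed through, and because permissions attach to groups rather than to individuals, removing a person from the authoritative group store removes their access in every consuming application at once, which is exactly the de-provisioning gap Paccman lists.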
![Page 22: Towards Common Identity Services](https://reader035.vdocuments.site/reader035/viewer/2022062817/56816922550346895de0548e/html5/thumbnails/22.jpg)
End matter
• “The thing with integration is that it takes a lot of work, and especially in the early stages, and the work has to come from the real experts, so it's expensive.” -- RL “Bob” Morgan
• Is it enough to have ID Services interfaces, or do we also need to somehow unify management of privileges external to applications with application-specific privileges?
• Advanced CAMP 2010 will continue the identity services for OSS theme
![Page 23: Towards Common Identity Services](https://reader035.vdocuments.site/reader035/viewer/2022062817/56816922550346895de0548e/html5/thumbnails/23.jpg)
For more information, visit https://spaces.internet2.edu/display/IdSrvcsClearhouse