Widely Distributed Access Management, Tom Barton, University of Chicago
An Everyday Problem
• People would like to use the collaboration tools available to them to collaborate with whom they choose
– Can we do better than email attachments?
Email as Collaboration Platform
• Pros
– Connects arbitrary sets of collaborators
– Shares any type of file (ok, some limits)
– Self access management
• Cons
– Insecure
– Limited capabilities
– Reduces productivity more than pot-smoking
Campus Collaboration Scenario
• UC faculty/staff self-initialize collaboration space to work with others internal & external to UC on focused activities
– Email list; protected file share; private wiki or web space; specialized compute or data services
– Initiator-identified collaborators
– Both campus and external participants administer shared collaboration resources
Requirements for Campus Collaboration Scenario
• Authenticate campus and external participants
• Self-creation of collaboration group by authorized campus people
• Delegation of selective admin privileges to campus & non-campus people
• Integration of collaboration services with above (centrally operated & not)
Service Provider Scenario
• An organization provides collaboration services to a population of users
– Think Internet2 and its working groups
– Or a Science Gateway
• Additional requirement: an initial delegation step, since self-initialization may not be appropriate
Solution Elements
• Distributed access management tools (Grouper & Signet)
• A DB for housing identifiers, memberships & privileges for collaboration participants
• Single locus at which to configure federated SSO (support for internal + external authentication)
• Architecture that adds collaboration attributes (identifiers, memberships, privileges) to authentication context and passes along to collaboration services
Collaboration Connector
• An integration architecture with all solution elements
• Proxy IdP
– “IdP” = “Identity Provider” à la SAML and Shibboleth
– Provides SSO and attributes to integrated services
– “Proxy” because collaboration attributes must be added to externally-sourced ones
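The following is an added example, not code from the talk or from Grouper, Signet, MyVocs or Dorian. It models in Python the two slides above: the access-management requirements (self-creation of a group by an authorized campus person, delegation of a selective admin privilege to a campus or external participant, memberships and privileges housed in a DB) and the proxy-IdP step that takes the externally-sourced attributes from a participant's home IdP and adds the collaboration attributes before they reach a collaboration service. The external attribute names (eppn, affiliation), the DB layout, the privilege names ("admin", "add-member") and the collaboration attribute names are assumptions made for the illustration.

```python
# Added example (not code from the talk, Grouper, Signet, MyVocs or Dorian):
# a toy model of the Collaboration Connector's proxy-IdP step. The external
# IdP's attributes, the collaboration DB layout and the privilege names
# ("admin", "add-member") are all assumptions made for this illustration.
from dataclasses import dataclass, field


class PermissionDenied(Exception):
    """Raised when an actor lacks the privilege the operation requires."""


@dataclass
class CollaborationDB:
    """The DB that houses identifiers, memberships and privileges."""
    # group name -> set of participant identifiers (campus or external)
    members: dict = field(default_factory=dict)
    # group name -> {identifier -> set of privilege names}
    privileges: dict = field(default_factory=dict)
    # campus identifiers authorized to self-create collaboration groups
    creators: set = field(default_factory=set)

    def has_privilege(self, group, ident, privilege):
        return privilege in self.privileges.get(group, {}).get(ident, set())


def create_group(db, actor, group):
    """Self-creation of a collaboration group by an authorized campus person.
    The initiator becomes the group's first member and its admin."""
    if actor not in db.creators:
        raise PermissionDenied(f"{actor} may not create groups")
    if group in db.members:
        raise ValueError(f"group {group} already exists")
    db.members[group] = {actor}
    db.privileges[group] = {actor: {"admin"}}


def delegate(db, actor, group, grantee, privilege):
    """Delegation of a selective admin privilege to a campus or external
    participant. Only a group admin may delegate, and the grantee is
    enrolled as a member so the privilege is always tied to membership."""
    if not db.has_privilege(group, actor, "admin"):
        raise PermissionDenied(f"{actor} is not an admin of {group}")
    db.members[group].add(grantee)
    db.privileges[group].setdefault(grantee, set()).add(privilege)


def add_member(db, actor, group, member):
    """Membership changes need either the delegated 'add-member' privilege
    or full admin rights on that group (least privilege: nothing wider)."""
    if not (db.has_privilege(group, actor, "add-member")
            or db.has_privilege(group, actor, "admin")):
        raise PermissionDenied(f"{actor} may not add members to {group}")
    db.members[group].add(member)


def proxy_attributes(db, external_attrs):
    """The proxy-IdP step: keep the externally sourced attributes from the
    participant's home IdP and add the collaboration attributes
    (identifier, memberships, privileges) before releasing them to a
    collaboration service. The collaboration attribute names are invented."""
    ident = external_attrs["eppn"]  # assumed: the home IdP asserts an ePPN
    memberships = sorted(g for g, m in db.members.items() if ident in m)
    privs = sorted(f"{g}:{p}" for g in memberships
                   for p in db.privileges[g].get(ident, ()))
    return {**external_attrs,
            "collab-id": ident,
            "collab-memberships": memberships,
            "collab-privileges": privs}


def demo():
    """Constructed scenario: a campus initiator creates a group, delegates
    member administration to an external collaborator, who then adds a
    third participant; returns the attributes the proxy IdP would assert
    for the external admin and whether the third participant was refused."""
    db = CollaborationDB(creators={"alice@uchicago.example"})
    create_group(db, "alice@uchicago.example", "neutrino-wg")
    delegate(db, "alice@uchicago.example", "neutrino-wg",
             "bob@partner.example", "add-member")
    add_member(db, "bob@partner.example", "neutrino-wg", "carol@other.example")
    try:  # carol holds no privilege, so she cannot enrol anyone herself
        add_member(db, "carol@other.example", "neutrino-wg", "dave@other.example")
        denied = False
    except PermissionDenied:
        denied = True
    return {
        "bob": proxy_attributes(db, {"eppn": "bob@partner.example",
                                     "affiliation": "member"}),
        "carol_denied": denied,
    }


if __name__ == "__main__":
    from pprint import pprint
    pprint(demo())
```

The design point is that the home IdP's assertion is never rewritten, only extended: the proxy preserves whatever the external IdP said about the participant and appends memberships and privileges that are computed from the collaboration DB at release time, so a revoked delegation disappears from the next assertion without any change at the home institution.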
Examples
• MyVocs + GridShib
– My Virtual Organization Collaboration Service
– Improvement of user registration, access management, service registration needed
• Dorian + Grid Grouper
– caBIG’s caGrid security infrastructure
– Needs adaptation to be more generally deployable
• Almost all needed elements exist to be integrated into a “Collaboration Connector in-a-box”
Is it Better Than Email? Pros
Email
• Connects arbitrary sets of collaborators
• Shares any type of file (ok, some limits)
• Self access management
Collaboration Connector
• Yes, with federated authentication
• Yes, whatever the collaboration services provide
• Yes