Widely Distributed Access Management Tom Barton University of Chicago.

Widely Distributed Access Management

Tom Barton, University of Chicago

An Everyday Problem

• People would like to use the collaboration tools available to them to collaborate with whom they choose
  – Can we do better than email attachments?

Email as Collaboration Platform

• Pros
  – Connects arbitrary sets of collaborators
  – Shares any type of file (ok, some limits)
  – Self access management

• Cons
  – Insecure
  – Limited capabilities
  – Reduces productivity more than pot-smoking

Campus Collaboration Scenario

• UC faculty/staff self-initialize collaboration space to work with others internal & external to UC on focused activities
  – Email list; protected file share; private wiki or web space; specialized compute or data services
  – Initiator-identified collaborators
  – Both campus and external participants administer shared collaboration resources

Requirements for Campus Collaboration Scenario

• Authenticate campus and external participants

• Self-creation of collaboration group by authorized campus people

• Delegation of selective admin privileges to campus & non-campus people

• Integration of collaboration services with above (centrally operated & not)

Service Provider Scenario

• An organization provides collaboration services to a population of users
  – Think Internet2 and its working groups
  – Or a Science Gateway

• Additional requirement: an initial delegation step, since self-initialization may not be appropriate

Solution Elements

• Distributed access management tools (Grouper & Signet)

• A DB for housing identifiers, memberships & privileges for collaboration participants

• Single locus at which to configure federated SSO (support for internal + external authentication)

• Architecture that adds collaboration attributes (identifiers, memberships, privileges) to authentication context and passes along to collaboration services

Collaboration Connector

• An integration architecture with all solution elements

• Proxy IdP
  – “IdP” = “Identity Provider” à la SAML and Shibboleth
  – Provides SSO and attributes to integrated services
  – “Proxy” because collaboration attributes must be added to externally-sourced ones
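The attribute-augmentation step of the Proxy IdP, as an added example (not from the talk, nor Grouper/Signet code): the external IdP's attribute statement is merged with memberships and privileges from the connector's own DB, then filtered by a per-service release policy before being passed to the collaboration service. Every identifier, service name and policy entry below is constructed for illustration.

```python
# Constructed sample of the connector's DB: federated identifier ->
# memberships and privileges managed with Grouper/Signet-style tools.
COLLAB_DB = {
    "alice@uchicago.edu": {
        "memberships": ["proj-x:members", "proj-x:admins"],
        "privileges": ["proj-x:wiki:admin"],
    },
    "bob@partner.example": {"memberships": ["proj-x:members"], "privileges": []},
}

# Per-service release policy: which attributes each integrated
# collaboration service is entitled to receive (constructed).
RELEASE_POLICY = {
    "wiki.proj-x.example": {"eppn", "mail", "memberships", "privileges"},
    "list.proj-x.example": {"eppn", "mail", "memberships"},
}

# Attributes only the connector's own DB may assert. Copies arriving in
# the upstream assertion are discarded, so an external IdP cannot grant
# its users collaboration memberships or privileges.
LOCAL_ONLY = {"memberships", "privileges"}


def augment(upstream: dict, service: str) -> dict:
    """Return the attribute set the proxy IdP releases to `service`.

    `upstream` is the attribute statement from the external (or campus)
    IdP, keyed on a federated identifier in `eppn`.
    """
    eppn = upstream.get("eppn")
    if not eppn:
        raise ValueError("upstream assertion lacks a federated identifier")
    if service not in RELEASE_POLICY:
        # Fail closed: an unregistered service gets nothing.
        raise ValueError(f"no release policy for service {service!r}")

    # Externally sourced attributes, minus any that only the DB may assert.
    attrs = {k: v for k, v in upstream.items() if k not in LOCAL_ONLY}

    # Add the collaboration attributes keyed on the federated identifier.
    # An unknown user gets empty lists rather than an error, so the
    # service can apply its own default (normally: deny).
    record = COLLAB_DB.get(eppn, {"memberships": [], "privileges": []})
    attrs["memberships"] = sorted(record["memberships"])
    attrs["privileges"] = sorted(record["privileges"])

    # Release only what this service's policy allows.
    return {k: v for k, v in attrs.items() if k in RELEASE_POLICY[service]}
```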


Examples

• MyVocs + GridShib
  – My Virtual Organization Collaboration Service
  – Improvement of user registration, access management, service registration needed

• Dorian + Grid Grouper
  – caBIG’s caGrid security infrastructure
  – Needs adaptation to be more generally deployable

• Almost all needed elements exist to be integrated into a “Collaboration Connector in-a-box”

Is it Better Than Email? Pros

Email                                       | Collaboration Connector
Connects arbitrary sets of collaborators    | Yes, with federated authentication
Shares any type of file (ok, some limits)   | Yes, whatever the collaboration services provide
Self access management                      | Yes

Is it Better Than Email? Cons

Email                                       | Collaboration Connector
Insecure                                    | Secure
Limited capabilities                        | Specialized capabilities
Reduces productivity more than pot-smoking  | We’ll have to do a study!