
The Future of Indoor Plumbing


Presentation Transcript


  1. The Future of Indoor Plumbing Dr Ken Klingenstein, Director, Internet2 Middleware and Security

  2. Topics • The Work So far • Indoor, policy-based plumbing • IdM in the enterprise • Inter-realm and inter-institutional • The Next Several Years • Internet identity • Interfederation and confederation • In collaboration and virtual organizations • In the Internet of Things • In the attribute ecosystem and the Tao of Attributes

  3. Over the last ten years, we’ve built • Enterprise identity middleware plumbing • Directories, Authentication, Single Sign-on, Group managers, some authorization • Connected the applications to the plumbing • Extended the enterprise to work in a bigger world with federations • Created a foundation for collaboration

  4. Enterprise IdM middleware plumbing

  5. Indoor, policy-based plumbing • Before this, each application had to provide its own identity management: authentication, groups and privileges, etc. • After this, applications can use a set of pipes and services that provide basic identity • Applications can concentrate on what they are special at • The pipes have standard interfaces to help the applications use them • What flows through these pipes are identity, assurance and attributes

  6. Connecting applications to plumbing • Academic applications • E-learning, Grids, Access to Digital content • Administrative applications • The infrastructure apps • Legacies and the systems of records • The collaboration tools • email, web, calendaring, IM, etc… • (Collaboration management platforms) • The network layer needs plumbing too • (Firewall negotiation, Spam control, Network access)

  7. E-learning

  8. Grids

  9. The Legacy Administrative Apps

  10. Federation - Extending beyond the institution • The need to collaborate drove the R&E community to create SAML and Shibboleth • Federations have technical and policy sides • Aggregate, secure, and distribute members’ metadata • Coordinate policies, attributes, etc • Showed that privacy, secrecy and security could coexist • Now applies to clouds, national service providers

  11. Early federations without indoor plumbing

  12. Modern federation

  13. Looking back, some of the easier pieces… • The design of the technology – “we saw a different problem and solved it in the obvious way” • Getting attention – the need for Internet identity was growing • We are not so much different from the corporate world – we just have a more urgent need to collaborate beyond our organizational borders

  14. Looking back, some of the hard parts... • Implementing the technologies • Policies: getting the institution to understand what it does and document it • The many types of communities we serve • The embedded base of bad solutions • Having the legacy applications learn to rely on, and supply, the middleware layer • Dealing with a mess of privacy laws

  15. Middleware Architects

  16. Looking Forward • The future of Internet identity and privacy • Interfederation and confederation • Collaborations and Virtual Organizations • Non-web applications • The Internet of things • The Attribute Ecosystem and the Tao of Attributes

  17. Internet identity futures • Integration of social networking and federated identity technologies • OpenId within the Shibboleth platform • eduPersonOpenId? • Attribute management within OpenId • Focus on business processes, not on protocols • Privacy management by end-users • The attribute ecosystem becomes the real set of issues

  18. Interfederation • Connecting autonomous federations • Critical for global scaling, accommodating state and local federations, integration across sectors • Has technical, financial and policy dimensions • Elegant technical solution being developed in the eduGAIN project of Geant • Policy activities in Kalmar2 Union, Geant, Kantara, Terena

  19. MDX – metadata exchange protocol • Institutions and organizations will pick a registrar to give their metadata to • Institutions and organizations will pick an aggregator (or several) to get their partners' metadata from • Aggregators exchange metadata with each other and with registrars • If this sounds like DNS registration and routing, it is, one layer up • In the land of data, metadata is king; imagine many new kinds of metadata
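The registrar/aggregator split of slides 10 and 19 can be sketched in code. What follows is an added example written for this page, not eduGAIN or Internet2 software: an aggregator pulls the feeds of three constructed registrars, drops a whole feed whose validUntil has passed, refuses a second registrar's claim on an entityID that is already registered elsewhere (one entity, one registrar, as one domain has one registrar in DNS), drops entities that carry no role descriptor, and re-emits the rest as a single EntitiesDescriptor with a short validUntil of its own so consumers keep refreshing. Registrar names, entityIDs and feed contents are constructed. Verifying the XML signature on each registrar feed and signing the published aggregate are omitted, and they are what makes the "secure" in "aggregate, secure, and distribute" real.

```python
"""MDX-style metadata aggregation: added example, not eduGAIN/Internet2 code.
Registrar feeds below are constructed; signature checks are omitted."""
import xml.etree.ElementTree as ET
from datetime import datetime, timedelta, timezone

MD = "urn:oasis:names:tc:SAML:2.0:metadata"
ET.register_namespace("md", MD)
ROLE_TAGS = {f"{{{MD}}}{r}" for r in
             ("IDPSSODescriptor", "SPSSODescriptor", "AttributeAuthorityDescriptor")}
TS = "%Y-%m-%dT%H:%M:%SZ"


def parse_ts(value):
    return datetime.strptime(value, TS).replace(tzinfo=timezone.utc)


def feed(registrar, valid_until, entities):
    """Constructed registrar feed; entities is a list of (entityID, role element or None)."""
    parts = []
    for eid, role in entities:
        role_xml = (f'<md:{role} protocolSupportEnumeration='
                    '"urn:oasis:names:tc:SAML:2.0:protocol"/>' if role else "")
        parts.append(f'<md:EntityDescriptor entityID="{eid}">{role_xml}</md:EntityDescriptor>')
    body = "".join(parts)
    return (f'<md:EntitiesDescriptor xmlns:md="{MD}" Name="{registrar}" '
            f'validUntil="{valid_until}">{body}</md:EntitiesDescriptor>')


REGISTRAR_FEEDS = {
    "registrar-a.example": feed("registrar-a.example", "2099-01-01T00:00:00Z", [
        ("https://idp.univ-a.example/idp", "IDPSSODescriptor"),
        ("https://sp.wiki.example/shibboleth", "SPSSODescriptor"),
    ]),
    "registrar-b.example": feed("registrar-b.example", "2099-01-01T00:00:00Z", [
        ("https://idp.univ-b.example/idp", "IDPSSODescriptor"),
        # Already registered with A: a second registrar's claim on the same
        # entityID is a conflict (possible hijack) and is reported, not merged.
        ("https://idp.univ-a.example/idp", "IDPSSODescriptor"),
        ("https://junk.example/no-role", None),   # no role descriptor: useless
    ]),
    # Whole feed is past its validUntil: stale metadata is never aggregated.
    "registrar-c.example": feed("registrar-c.example", "2001-01-01T00:00:00Z", [
        ("https://idp.univ-c.example/idp", "IDPSSODescriptor"),
    ]),
}


def aggregate(feeds, now=None, ttl=timedelta(days=7)):
    """Return (aggregate XML, report) for a dict {registrar: feed XML}."""
    now = now or datetime.now(timezone.utc)
    owner = {}                     # entityID -> registrar of record
    kept = []
    report = {"kept": [], "conflicts": [], "stale_feeds": [], "no_role": []}
    for registrar, xml in feeds.items():
        root = ET.fromstring(xml)
        valid_until = root.get("validUntil")
        if valid_until is None or parse_ts(valid_until) <= now:
            report["stale_feeds"].append(registrar)
            continue
        for ed in root.findall(f"{{{MD}}}EntityDescriptor"):
            eid = ed.get("entityID")
            if not any(child.tag in ROLE_TAGS for child in ed):
                report["no_role"].append(eid)
                continue
            if eid in owner:
                if owner[eid] != registrar:
                    report["conflicts"].append((eid, owner[eid], registrar))
                continue               # duplicate within one feed: keep the first
            owner[eid] = registrar
            kept.append(ed)
            report["kept"].append(eid)
    out = ET.Element(f"{{{MD}}}EntitiesDescriptor",
                     {"Name": "aggregator.example", "validUntil": (now + ttl).strftime(TS)})
    out.extend(kept)
    return ET.tostring(out, encoding="unicode"), report


if __name__ == "__main__":
    xml, report = aggregate(REGISTRAR_FEEDS)
    print(report)
    print(xml)
```

The report, not just the aggregate, is the operationally important output: a conflict entry is the signal an aggregator operator needs to go back to both registrars, and a stale feed dropping out silently would be worse than a loud failure.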

  20. Confederation • The union of federations • Primary use case is Europe • Ultimately represents an alignment of policies (privacy, cookies, etc), attributes (semantics), and others more than a technology • Policy space looks very hard • Differences among national policies • Differences between national and EU policies • Differences between policies and courts

  21. Collaborations and Virtual Organizations • IdM is a critical dimension of collaboration, crossing many applications and user communities • Virtual organizations represent critical communities of researchers sharing domain resources and applications as well as general collaboration tools • Providing a unified identity management platform for collaboration is essential in a multi-domain, multi-tool world • Lots of activities in domesticating applications to work in a federated world, moving from tool-based identity to collaboration-centric identity

  22. Domestication of applications • The work of re-factoring applications to use the emergent identity services infrastructure • Begins with federated identity and authentication, use of directories; gains a lot from group management for access control, etc. • Needs a fine-grained set of authorization tools down the road • Domesticated apps can receive IdM attributes via LDAP, SAML, X.509, SQL, Kerberos PAC, and maybe all of the above
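On the receiving end of "domesticated apps can receive IdM attributes via SAML", the following added example (written for this page, not Shibboleth SP code) shows the two checks an application's SAML consumer needs before it trusts an AttributeStatement: the Conditions (validity window and AudienceRestriction), and an attribute mapping that keys on Name plus NameFormat, as Shibboleth's attribute-map.xml does, never on the IdP-supplied FriendlyName. An attribute arriving under the eduPersonEntitlement OID with FriendlyName "isMemberOf" is therefore left unmapped instead of becoming a group membership. The assertion, issuer, audience and values are constructed and the assertion is unsigned; a real SP verifies the XML signature against the IdP's metadata before any of this runs.

```python
"""SAML 2.0 AttributeStatement consumer for a domesticated app.
Added example, not Shibboleth SP code; ASSERTION is constructed and unsigned."""
import xml.etree.ElementTree as ET
from datetime import datetime, timezone

SAML = "urn:oasis:names:tc:SAML:2.0:assertion"
URI_FORMAT = "urn:oasis:names:tc:SAML:2.0:attrname-format:uri"
TS = "%Y-%m-%dT%H:%M:%SZ"

# Map on (Name, NameFormat) only. FriendlyName is an unverified hint from the
# IdP and must never decide what an application treats a value as.
OID_TO_NAME = {
    "urn:oid:1.3.6.1.4.1.5923.1.1.1.6": "eduPersonPrincipalName",
    "urn:oid:1.3.6.1.4.1.5923.1.1.1.1": "eduPersonAffiliation",
    "urn:oid:1.3.6.1.4.1.5923.1.5.1.1": "isMemberOf",
    "urn:oid:0.9.2342.19200300.100.1.3": "mail",
}

ASSERTION = f"""<saml:Assertion xmlns:saml="{SAML}" ID="_a1" Version="2.0"
    IssueInstant="2024-01-01T00:00:00Z">
  <saml:Issuer>https://idp.univ-a.example/idp</saml:Issuer>
  <saml:Conditions NotBefore="2023-12-31T23:59:00Z" NotOnOrAfter="2024-01-01T00:05:00Z">
    <saml:AudienceRestriction>
      <saml:Audience>https://wiki.example/shibboleth</saml:Audience>
    </saml:AudienceRestriction>
  </saml:Conditions>
  <saml:AttributeStatement>
    <saml:Attribute Name="urn:oid:1.3.6.1.4.1.5923.1.1.1.6" NameFormat="{URI_FORMAT}">
      <saml:AttributeValue>alice@univ-a.example</saml:AttributeValue>
    </saml:Attribute>
    <saml:Attribute Name="urn:oid:1.3.6.1.4.1.5923.1.1.1.1" NameFormat="{URI_FORMAT}">
      <saml:AttributeValue>member</saml:AttributeValue>
      <saml:AttributeValue>faculty</saml:AttributeValue>
    </saml:Attribute>
    <saml:Attribute Name="urn:oid:1.3.6.1.4.1.5923.1.1.1.7"
        NameFormat="{URI_FORMAT}" FriendlyName="isMemberOf">
      <saml:AttributeValue>cn=wiki-admins</saml:AttributeValue>
    </saml:Attribute>
  </saml:AttributeStatement>
</saml:Assertion>"""


def parse_ts(value):
    return datetime.strptime(value, TS).replace(tzinfo=timezone.utc)


def validate(assertion_xml, audience, now):
    """Return the list of Conditions problems; an empty list means acceptable.
    `now` may be a datetime or an xs:dateTime string (handy for replays)."""
    root = ET.fromstring(assertion_xml)
    now = parse_ts(now) if isinstance(now, str) else now
    cond = root.find(f"{{{SAML}}}Conditions")
    if cond is None:
        return ["no Conditions element"]
    problems = []
    not_before, not_on_or_after = cond.get("NotBefore"), cond.get("NotOnOrAfter")
    if not_before and now < parse_ts(not_before):
        problems.append("assertion not yet valid")
    if not_on_or_after and now >= parse_ts(not_on_or_after):
        problems.append("assertion expired")
    audiences = [a.text.strip() for a in cond.iter(f"{{{SAML}}}Audience") if a.text]
    if audiences and audience not in audiences:
        problems.append("audience mismatch")
    return problems


def attributes(assertion_xml):
    """Return ({friendly name: [values]}, [unmapped (Name, NameFormat, FriendlyName)])."""
    root = ET.fromstring(assertion_xml)
    mapped, unmapped = {}, []
    for attr in root.iter(f"{{{SAML}}}Attribute"):
        name, fmt = attr.get("Name"), attr.get("NameFormat")
        friendly = OID_TO_NAME.get(name) if fmt == URI_FORMAT else None
        if friendly is None:
            unmapped.append((name, fmt, attr.get("FriendlyName")))
            continue
        values = [(v.text or "").strip() for v in attr.findall(f"{{{SAML}}}AttributeValue")]
        mapped.setdefault(friendly, []).extend(values)
    return mapped, unmapped


def consume(assertion_xml, audience, now):
    """What the application gets: attributes only from an acceptable assertion."""
    problems = validate(assertion_xml, audience, now)
    if problems:
        raise ValueError("; ".join(problems))
    return attributes(assertion_xml)


if __name__ == "__main__":
    print(consume(ASSERTION, "https://wiki.example/shibboleth", "2024-01-01T00:01:00Z"))
```

Logging the unmapped list is worth keeping in production: it is how an SP operator notices an IdP that has started sending attributes under a name the map does not cover, and how a spoofed FriendlyName shows up.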

  23. COmanage can provide authentication and basic authorization services (group membership, privilege management, etc) to domesticated apps • “Domesticated” applications currently include Mediawiki, Confluence, Jira, Subversion, Sympa, Listserv, Drupal, Nagios, Wordpress, Git. Plan to add audioconferencing, IM and chat rooms, EC2, Fedora, web-based file share, etc. • Not “collaboration in a box”. More collaboration in an open-standard, integrated box. The “stand-alone” can be readily replumbed to be completely integrated into enterprise, federated or other attribute ecosystems as they develop • Implemented as a service or as a VM, perhaps in a cloud

  24. Collaboration Management Platform (CMP) and the Attribute Ecosystem [architecture diagram: collaboration tools and resources (file sharing, calendar, email list manager, phone/video conference, federated wiki) plus a domain science instrument and a domain science grid at Laboratory X; application attributes managed by the CMP, which provides authentication, authorization from group info and privilege info, a people picker and other functions over an attribute/resource info data store; attribute ecosystem flows from the home org and identity providers / sources of authority at University A and University B]

  25. End user accesses a service [diagram: the user goes to a service (drupal, Google Groups, sympa, SAKAI3, bedework, webFiles, OSG, confluence, apache/IIS, TeraGrid, uPortal, legacy apps), is redirected to the platform IdP and then to the user's home Org IdP, and platform attributes, groups and privs are added on the way back; platform components shown: IdP, LDAP, STS, ID services, provisioner, a local store of user attrs, user accounts, groups and privs, an access manager with policy engine, user invitation, account linking, user dashboard, service status notifications, service manager, monitoring/diagnostics, register and provisioning]

  26. End user accesses a service [the same diagram as slide 25 with the flow steps numbered 1 to 3]

  27. Collabmin adds a new CO to the platform [diagram: the collabmin creates the group, assigns Admin to a power user and allocates service resources, over the same platform components as slide 25]

  28. Non web applications • Many non-web apps want federated identity: wireless roaming, videoconferencing, soft phones, signed email, Grids, next-generation Internet, calendaring, etc. • Adding federated authentication and authorization to them is generally engineered on a per case basis • The embedded base of devices, systems, etc. that are part of the non-web applications space is huge and diverse • ISOC, GEANT and others are interested but the task is daunting

  29. Non-web Applications

  30. The Internet of things • We have built the Internet of computers and now the Internet of people and identity; next is things • Federation is a powerful model: it provides a degree of local freedom but a scalable infrastructure; with interfederation it can reach Internet scale • Devices need to have identity, attributes, access control privileges, etc. that tend to federate and also need to interact with identity federation • Next generation Internet work has many types of federated voodoo: federations of identities, of firewalls, of routers, etc.

  31. Trust, Identity and the Internet • Acknowledges the assumptions of the original protocols about the fine nature of our friends on the Internet and the subsequent realities • http://www.isoc.org/isoc/mission/initiative/trust.shtml • ISOC initiative to introduce trust and identity-leveraged capabilities to many RFCs and protocols • First target area is DKIM; subsequent targets include SIP and firewall traversal (trust-mediated transparency)

  32. The Attribute Ecosystem • Authentication is very important, but identity is just one of many attributes • And attributes provide scalable access control, privacy, customization, linked identities, federated roles and more • We now have our first transport mechanisms to move attributes around: SAML and federations • There will be many sources of attributes, many consumers of attributes, query languages and other transport mechanisms • Together, this attribute ecosystem is the “access control” layer of infrastructure

  33. Attribute use cases are rapidly emerging • Disaster “first responders”: attributes and qualifications dynamically • Access-ability use cases • Public input processes: anonymous but qualified respondents • Grid relying parties aggregating VO and campus attributes • The “IEEE” problem • The “over legal age” use case and the difference in legal ages • Self-asserted attributes: friend, interests, preferences, etc.

  34. Key Issues • Attribute aggregation • Metadata of attributes, LOA, etc • Sources of authority and delegation • Schema management, mapping, etc • User interface • Privacy and legal issues

  35. Attribute aggregation • From where - Gathering attributes from multiple sources • From one IdP or several IdPs • From other sources of authority • From intermediaries such as portals • When - static and dynamic acquisition • Some attributes are volatile (group memberships); others are static (Date of Birth) • Some should be acquired per assertion; some once in a boarding process • Will require a variety of standardized mechanisms • Bulk feeds, user activated links, triggers

  36. The Tao of Attributes workshop 属性之道 • Purpose of workshop was to start to explore the federal use case requirements for attributes, aggregation, sources of authority, delegation, query languages, etc. • Participants were the best and brightest: the folks who invented LDAP, SAML, OpenId, etc. • Webcast at http://videocast.nih.gov/PastEvents.asp • Twittered at TAOA • http://middleware.internet2.edu/tao-of-attributes/

  37. Principles of the Tao • Least privilege / minimal release • Using data “closest” to the source of authority • Late and dynamic bindings where possible • Dynamic identity data increases in value the shorter the exposure • How much meaning is encoded in the attribute versus context, metadata? • How much flat attribute proliferation can be managed through a structured data space?
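Slides 32, 33, 35 and 37 describe one mechanism from several angles: attributes gathered from more than one source, some volatile and some static, released under least privilege, with late binding. The following added example (written for this page, not COmanage or Shibboleth code) puts those principles into a small aggregator. A value is accepted only from a source authoritative for that attribute, so a campus IdP that also asserts a VO group membership has that claim dropped; the volatile group source is queried on every assertion while the static campus attributes are cached; the "over legal age" use case is handled by deriving a flag at release time with the threshold set per relying party and never releasing the birth date itself; and each SP receives only the attributes its release policy lists, with default deny for unknown SPs. The sources, subject, SP entityIDs and store contents are constructed.

```python
"""Attribute aggregation with source-of-authority checks, volatility-aware
caching, late-bound derived attributes and per-SP minimal release.
Added example, not COmanage/Shibboleth code; all stores below are constructed."""
from dataclasses import dataclass
from datetime import date, datetime, timedelta, timezone
from typing import Callable, Dict, FrozenSet, List

TS = "%Y-%m-%dT%H:%M:%SZ"


def ts(value: str) -> datetime:
    return datetime.strptime(value, TS).replace(tzinfo=timezone.utc)


# Constructed stores standing in for a campus IdP and a VO group manager.
CAMPUS_IDP = {"alice": {
    "eduPersonPrincipalName": ["alice@univ-a.example"],
    "eduPersonAffiliation": ["member", "faculty"],
    "dateOfBirth": ["1990-06-15"],
    # The campus is not the source of authority for VO membership, so this
    # claim must be dropped even though the campus IdP is otherwise trusted.
    "isMemberOf": ["vo:ligo:admins"],
}}
VO_GROUPS = {"alice": ["vo:ligo:members"]}   # volatile: may change between logins
FETCH_COUNTS = {"campus-idp": 0, "vo-groups": 0}   # shows what was cached


def fetch_campus(subject: str) -> Dict[str, List[str]]:
    FETCH_COUNTS["campus-idp"] += 1
    return CAMPUS_IDP.get(subject, {})


def fetch_vo(subject: str) -> Dict[str, List[str]]:
    FETCH_COUNTS["vo-groups"] += 1
    return {"isMemberOf": VO_GROUPS.get(subject, [])}


@dataclass(frozen=True)
class Source:
    name: str
    authoritative_for: FrozenSet[str]
    volatile: bool                                   # True: query per assertion
    fetch: Callable[[str], Dict[str, List[str]]]


SOURCES = [
    Source("campus-idp", frozenset({"eduPersonPrincipalName", "eduPersonAffiliation",
                                    "dateOfBirth"}), False, fetch_campus),
    Source("vo-groups", frozenset({"isMemberOf"}), True, fetch_vo),
]

# Default deny: an SP gets only the attributes listed for it.
RELEASE_POLICY = {
    "https://wiki.vo.example/shibboleth": {"eduPersonPrincipalName", "isMemberOf"},
    # "anonymous but qualified" respondent: a derived flag, never the birth date
    "https://consult.gov.example/shibboleth": {"isOverLegalAge"},
}
LEGAL_AGE = {"https://consult.gov.example/shibboleth": 18}   # differs by jurisdiction


def years_old(dob: date, today: date) -> int:
    years = today.year - dob.year
    if (today.month, today.day) < (dob.month, dob.day):
        years -= 1
    return years


class Aggregator:
    def __init__(self, sources, cache_ttl=timedelta(hours=1)):
        self.sources = sources
        self.cache_ttl = cache_ttl
        self._cache = {}          # (source name, subject) -> (expires_at, attrs)

    def _get(self, src: Source, subject: str, now: datetime):
        key = (src.name, subject)
        if not src.volatile:
            hit = self._cache.get(key)
            if hit and hit[0] > now:
                return hit[1]
        attrs = src.fetch(subject)
        if not src.volatile:
            self._cache[key] = (now + self.cache_ttl, attrs)
        return attrs

    def collect(self, subject: str, now: datetime):
        """Merge per source of authority; return (attrs, provenance, dropped)."""
        merged, provenance, dropped = {}, {}, []
        for src in self.sources:
            for name, values in self._get(src, subject, now).items():
                if name not in src.authoritative_for:
                    dropped.append((src.name, name))
                    continue
                bucket = merged.setdefault(name, [])
                for v in values:
                    if v not in bucket:
                        bucket.append(v)
                provenance[name] = src.name
        return merged, provenance, dropped

    def release(self, sp: str, subject: str, now: datetime) -> Dict[str, List[str]]:
        """Late binding: derive and filter at assertion time, for this SP only."""
        attrs, _, _ = self.collect(subject, now)
        if sp in LEGAL_AGE and attrs.get("dateOfBirth"):
            dob = date.fromisoformat(attrs["dateOfBirth"][0])
            over = years_old(dob, now.date()) >= LEGAL_AGE[sp]
            attrs["isOverLegalAge"] = ["true" if over else "false"]
        wanted = RELEASE_POLICY.get(sp, set())
        return {k: v for k, v in attrs.items() if k in wanted}


if __name__ == "__main__":
    agg = Aggregator(SOURCES)
    for sp in RELEASE_POLICY:
        print(sp, agg.release(sp, "alice", ts("2024-01-01T00:00:00Z")))
```

The provenance map returned by collect is what makes "closest to the source of authority" auditable: every released value can be traced to the source that was allowed to assert it, and the dropped list records which sources tried to assert something outside their authority.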

  38. Future applications
