190 likes | 240 Views
Collaborative Platforms. Collaborations and Virtual Organizations. IdM is a critical dimension of collaboration, crossing many applications and user communities
E N D
Collaborations and Virtual Organizations IdM is a critical dimension of collaboration, crossing many applications and user communities Virtual organizations represent critical communities of researchers sharing domain resources and applications as well as general collaboration tools. Providing a unified identity management platform for collaboration is essential in a multi-domain, multi-tool world. Lots of activities in domesticating applications to work in a federated world, moving from tool-based identity to collaboration-centric identity.
Collaboration Platform • Integrated set of collaboration apps (wikis, listprocs, CVS, file share, calendaring, etc) • Integration of at least identity and access control via group memberships • Integration of content and meta-data is harder • Repackages successful approaches for a collaborative/project/VO setting • Federated identity, group management, directories, and security token services (aka credential convertors)
Examples of Collaborative Platforms • COmanage • http://middleware.internet2.edu/co/ • http://www.surfnet.nl/Documents/indi-2009-07-020%20(Report%20Collaboration%20Infrastructure).pdf • Commercial offerings – Sharepoint, Adobe Connect, Google Sites, Google Wave, Google Apps • Repurposed LMS –Sakai, Croquet
Collaboration Infrastructure (COIN) Dutch National Collaboration Infrastructure Domesticated tools -Adobe Connect; Alfresco; Foodle; Filesender; Confluence; WSO2 mashup server; OpenFire; Drupal; KnowledgeTree, Sympa and Limesurvey Domesticated services -Google Apps; MyExperiment.org; Twitter; PubMed Integration across VO, institution and third-party domains Workflow Grid integration
Domestication of applications The work of re-factoring applications to use the emergent identity services infrastructure Begins with federated identity and authentication, use of directories; gains a lot from group management for access control, etc Needs a fine grain set of authorization tools down the road Domesticated apps can receive IdM attributes via LDAP, SAML, X.509, SQL, Kerberos PAC, and maybe all of the above
Typical activities in collaboration management Add or remove people from groups Create new subgroups, identify overlapping memberships, etc. Permit or deny access control to wiki pages, calendars, computing resources, version control systems, etc Add people to mailing lists, wikis, etc Create and delete/archive users, accounts, keys Identify group membership on a given date
COManage Elements Data Store Applications
Grouper A general purpose, extensible, open-source group management tool In production at many institutions in the US and overseas Core national infrastructure service in several countries Manages groups of things – people, devices, processes Has GUI, people picker, group math, inheritance, delegation, provisioning and deprovisioning, etc. Stores values in LDAP directory Aimed at spectrum from power user to collabmin, sysadmin and enterprise IdM.
Security Token Service Converts the form of an existing credential or packs a set of attributes into a new credential Presents external security information to an application or service in the lingua of the app/service Conversions – SAML into X.509, SAML into Kerberos, SAML to LDAP, etc. Mythical in a single comprehensive package; legion in individual instances
What forms does COmanage take? • Usually as an assembled set of services • A dashboard, directory product, Shibboleth IdP and SP, Grouper, and a set of applications provisioned on other servers • On an enterprise level to serve its collaborations and VO’s, within a large VO, or at a federation level to serve a national community • Can also be a VM, a VM in the cloud, or a service with the applications in the cloud. • Can be embedded in a science portal or gateway
Some key issues Extent of application domestication Waiting for other technologies to happen – interfederation, discovery, metadata tagging, etc. GUI approach Domain application/science portal integration
Roles, schema and attributes Research communities have their own cultures, vocabularies, needs Building community-wide consistency on roles, privileges, groups provides tremendous leverage for collaborations Keeping it simple is critical and difficult
Needs of Big Science Researchers Access to collaboration tools Basic group management and access control Command line tools Integration of web and command line IdM and access control No modifications to existing domain science apps International capabilities Multiple levels of assurance Roles, attributes, metadata and ontologies
Relying Party Flows of attributes - 1 Enterprise Project comanage Data Store Enterprise
Relying Party Flows of attributes – 2 – PDP extra pass Enterprise Project comanage Data Store Enterprise
Relying Party Flows of attributes – 3 – IdP to RP Enterprise Project comanage Data Store Enterprise