Federated Identity and the International Research Community
Dr Ken Klingenstein, Director, Internet2 Middleware and Security

Topics
• The needs of researchers
• Meeting those needs
• International issues and implications

IdM Needs of Researchers
• Access to collaboration tools
• No modifications to existing domain science apps
• Command line tools
• International capabilities
• Multiple levels of assurance
• Roles, schema and attributes
Meeting those needs
• Bridging federated identity to domain apps
  • GridShib: federated id in, X.509 PKI certificate out
  • OAuth: federated id in, delegation token out
  • SAML Enhanced Client or Proxy (ECP) profile for non-web apps
• Boarding process is a one-time task
  • Connecting federated identity to existing app identity

Multiple levels of assurance
• LOA 1 for wikis, outreach, etc.
• LOA 2 for grant administration
• LOA 3/4 for sensitive data and apps
• Step-up processes to integrate the user experience
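The step-up idea on the slide above, written out as an added example (not code from the talk): a session carries the SAML authentication context classes the user has satisfied, a local policy maps those to an LOA number, and each application area declares the LOA it needs. The class URIs are standard SAML 2.0 values; the LOA each one earns, and the resource table, are assumptions a deployment would set itself.

```python
"""Step-up authentication policy for an app with several levels of assurance.

Added example. AUTHN_CONTEXT_TO_LOA is an assumed local policy: the URIs are
real SAML 2.0 authentication context classes, but the LOA assigned to each is
a deployment choice, as is the per-resource table.
"""
from dataclasses import dataclass, field

AUTHN_CONTEXT_TO_LOA = {
    "urn:oasis:names:tc:SAML:2.0:ac:classes:PasswordProtectedTransport": 1,
    "urn:oasis:names:tc:SAML:2.0:ac:classes:MobileTwoFactorContract": 2,
    "urn:oasis:names:tc:SAML:2.0:ac:classes:TimeSyncToken": 3,
    "urn:oasis:names:tc:SAML:2.0:ac:classes:SmartcardPKI": 4,
}

# LOA each application area requires, following the slide.
RESOURCE_LOA = {"wiki": 1, "outreach": 1, "grant-admin": 2, "sensitive-data": 3}


@dataclass
class Session:
    principal: str
    # every authentication context class the IdP has asserted for this session
    authn_contexts: list = field(default_factory=list)

    @property
    def loa(self) -> int:
        # an unknown context class earns LOA 0, never a silent LOA 1
        return max((AUTHN_CONTEXT_TO_LOA.get(c, 0) for c in self.authn_contexts),
                   default=0)


def decide(session: Session, resource: str):
    """Return ("allow", None), ("step-up", <context class to request>) or ("deny", None)."""
    required = RESOURCE_LOA.get(resource)
    if required is None:
        return ("deny", None)          # unmapped resource: fail closed
    if session.loa >= required:
        return ("allow", None)
    # ask the IdP for the weakest context class that still satisfies the requirement
    candidates = sorted((loa, cls) for cls, loa in AUTHN_CONTEXT_TO_LOA.items()
                        if loa >= required)
    return ("step-up", candidates[0][1])


def record_step_up(session: Session, context_class: str) -> int:
    """Called once the IdP reports the additional authentication succeeded."""
    session.authn_contexts.append(context_class)
    return session.loa
```

The user experience the slide asks for comes from `decide` naming the exact context class to request, so the application sends a single targeted AuthnRequest instead of forcing a full re-login.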
Roles, schema and attributes
• Research communities have their own cultures, vocabularies and needs
• Building community-wide consistency on roles, privileges and groups provides tremendous leverage for collaborations
• Keeping it simple is critical, and difficult

Collaborations and Virtual Organizations
IdM is a critical dimension of collaboration, crossing many applications and user communities. Virtual organizations represent critical communities of researchers sharing domain resources and applications as well as general collaboration tools. Providing a unified identity management platform for collaboration is essential in a multi-domain, multi-tool world. There are lots of activities in domesticating applications to work in a federated world, moving from tool-based identity to collaboration-centric identity.

Domestication of applications
• The work of re-factoring applications to use the emergent identity services infrastructure
• Begins with federated identity and authentication and the use of directories; gains a lot from group management for access control, etc.
• Needs a fine-grained set of authorization tools down the road
• Domesticated apps can receive IdM attributes via LDAP, SAML, X.509, SQL, Kerberos PAC, and maybe all of the above
COmanage can provide authentication and basic authorization services (group membership, privilege management, etc.) to domesticated apps
• “Domesticated” applications currently include MediaWiki, Confluence, Jira, Subversion, Sympa, Listserv, Drupal, Nagios, WordPress and Git. Plan to add audioconferencing, IM and chat rooms, EC2, Fedora, web-based file share, etc.
• Not “collaboration in a box”; more collaboration in an open-standard, integrated box. The “stand-alone” can be readily replumbed to be completely integrated into enterprise, federated or other attribute ecosystems as they develop
• Implemented as a service or as a VM, perhaps in a cloud
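The two pieces a domesticated app needs from the slides above, the one-time boarding of a federated identity onto an existing app account and authorization from group membership, as an added example. This is not COmanage code: it assumes the app receives already-validated SAML attributes (eduPersonPrincipalName and isMemberOf are real eduPerson attributes), and the group-to-role policy, account store and sample assertions are constructed.

```python
"""Boarding a federated identity into a domesticated app and deriving app roles
from VO group membership.

Added example, not COmanage's or any listed application's code. The
GROUP_TO_ROLE table and the account store are constructed stand-ins.
"""

# Constructed policy: which federated groups grant which application role.
GROUP_TO_ROLE = {
    "cn=climate-vo:admins": "admin",
    "cn=climate-vo:members": "editor",
}


def roles_for(groups) -> set:
    """Map isMemberOf values to app roles; unknown groups grant nothing."""
    return {GROUP_TO_ROLE[g] for g in groups if g in GROUP_TO_ROLE}


class AppDirectory:
    """Minimal stand-in for an application's own account table."""

    def __init__(self):
        self.accounts = {}      # eduPersonPrincipalName -> account record
        self.next_uid = 1000    # the app's pre-existing numeric ids

    def board(self, attrs: dict) -> dict:
        """One-time boarding: create the local account on first federated login,
        reuse it afterwards, and refresh roles from the current assertion."""
        eppn = attrs.get("eduPersonPrincipalName")
        if not eppn or "@" not in eppn:
            raise ValueError("assertion lacks a usable eduPersonPrincipalName")
        acct = self.accounts.get(eppn)
        if acct is None:
            acct = {"uid": self.next_uid, "eppn": eppn, "roles": set()}
            self.next_uid += 1
            self.accounts[eppn] = acct
        # Roles are recomputed on every login, so someone removed from a VO group
        # loses the role at the next login instead of keeping it indefinitely.
        acct["roles"] = roles_for(attrs.get("isMemberOf", []))
        return acct
```

Keying the local account on eduPersonPrincipalName rather than on a display name or email keeps the link stable across the attribute changes a federation routinely sees; the boarding step runs once, while the role computation runs on every assertion.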
International issues
• Interoperability among federations
  • Technical issues are straightforward
  • Policy alignment is roughly okay
  • Formalizing it, however, will be hard
• Semantic differences in attributes

International privacy issues
• Privacy policies are quite different
  • Differences among national policies
  • Differences between national and EU policies
  • Differences between policies and courts
• PII differences
• Consent and necessity differences
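One concrete shape the "semantic differences in attributes" problem takes when federations interoperate, as an added example (not from the talk): affiliation arrives as eduPersonAffiliation from one IdP and as eduPersonScopedAffiliation, with a different vocabulary, from another, and a relying party has to fold both into one canonical set while checking that the scope on a scoped value is one the asserting IdP is entitled to. The scope registry, the alias table and the sample assertions are constructed; the attribute names are real eduPerson attributes.

```python
"""Normalize affiliation attributes from different federations and reject scoped
values an IdP is not entitled to assert.

Added example. IDP_SCOPES stands in for the scope list a federation publishes in
its metadata; the entityIDs, scopes and ALIASES table are constructed.
"""

IDP_SCOPES = {
    "https://idp.example.edu/idp": {"example.edu"},
    "https://idp.example.ac.uk/idp": {"example.ac.uk"},
}

# The vocabulary this relying party actually reasons about.
CANONICAL = {"faculty", "staff", "student", "member", "affiliate"}
# Constructed mapping of other federations' terms onto that vocabulary.
ALIASES = {"employee": "staff", "academic": "faculty", "postgrad": "student"}


def normalize_affiliations(idp_entity_id: str, attrs: dict) -> set:
    """Return the canonical affiliations asserted for this user.

    Raises ValueError when a scoped value carries a scope the IdP does not own,
    which is the check that keeps one IdP from speaking for another's domain.
    """
    allowed_scopes = IDP_SCOPES.get(idp_entity_id, set())
    raw = set()
    for value in attrs.get("eduPersonScopedAffiliation", []):
        affiliation, sep, scope = value.rpartition("@")
        if not sep:
            raise ValueError(f"unscoped value in scoped attribute: {value!r}")
        if scope.lower() not in allowed_scopes:
            raise ValueError(f"{idp_entity_id} may not assert scope {scope!r}")
        raw.add(affiliation)
    raw.update(attrs.get("eduPersonAffiliation", []))
    folded = {ALIASES.get(v.lower(), v.lower()) for v in raw}
    # values outside the canonical vocabulary are dropped rather than guessed at
    return folded & CANONICAL
```

Dropping unrecognized values instead of passing them through is the conservative choice for authorization: an affiliation the app cannot interpret should never accidentally grant access.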