Intro to Identity for Developers
Tom Barton, U Chicago
Scott Cantor, Ohio State
Patrick Michaud, U Washington
Plan for the afternoon
• [All] Why are we here?
• [Tom] Internet2 Middleware big picture
• [Scott] Identity-enabling web applications
• Break
• [Patrick] Catalyst case study
• [Tom] Collaboration management
• [All] IAM current issues
Internet2 Middleware Initiative (I2MI) big picture themes
Earlier
• Identity & Access Management plumbing
• Federations are rising
Later
• Identity Services
• Collaboration management
Access Management Realities
• Many Sources of Authority
  • Policy making bodies
  • Resource managers
  • Program/activity heads
  • Self
• Identification vs. authorization
• Distributed management
  • Within an organization
  • Among organizations
• Common & articulating infrastructure
  • Departments/programs/activities should not have to build their own
  • Articulate between organizations
Early I2MI revelation
• To ease the management of inter-org collaborative activities, campus IAM practices must be good enough
  • Identification & identifiers
  • Authentication
  • Attributes
  • Common practices & standards
I2MI's notion of middleware
• Basic enterprise-wide services that are used by many applications
• Now being extended through federations to include inter-institutional and virtual organization needs
• Authentication, single sign on, directories, identifiers, authorization and privilege management
• Perhaps workflow, digital rights management, enterprise service bus and a few others
• As much policy, governance, and practice as technology
Keys to success in middleware
• Application integration
  • Administrative
  • Academic and collaborative
• Institutional and business process integration
  • Working with authoritative sources
  • Becoming an authoritative source
• People and process time, not software and hardware expense
• Making it reliable, flexible and invisible: true indoor plumbing
Identity & Access Management reflected in a campus LDAP entry
uid: tbarton
chicagoID: 01191359N
eduPersonAffiliation: staff
isMemberOf: uc:drdepts:nsit:integration
isMemberOf: uc:adhoc:fact
isMemberOf: uc:directors
isMemberOf: uc:nsit:srdirs
isMemberOf: uc:nsit:integration:iteco_wr
isMemberOf: app:gems:44:251:staff
Relative Roles of Signet & Grouper
• Users are placed into groups
• Privileges are assigned to groups
• Groups can be arranged hierarchically to give privileges indirectly
• Grouper manages groups
• Signet manages privileges
• Aligns with diverse Sources of Authority
(diagram: Grouper, Signet)
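As an added example (not from the slides, and not Grouper or Signet code), a small Python model of the split described on this slide: the isMemberOf values from the sample LDAP entry above are resolved through a group hierarchy to Signet-style privileges assigned only to groups. The rule that a ':'-named group implies membership in its enclosing stems, the nested group uc:nsit:managers, the user alice and all privilege names are constructed for illustration.

```python
from collections import deque

# Constructed sample data, not a Grouper/Signet export.
# Grouper side: direct memberships, as the isMemberOf values of the sample
# LDAP entry would populate them (alice is a constructed second user).
DIRECT_MEMBERSHIPS = {
    "tbarton": {"uc:drdepts:nsit:integration", "uc:adhoc:fact", "uc:directors",
                "uc:nsit:srdirs", "uc:nsit:integration:iteco_wr",
                "app:gems:44:251:staff"},
    "alice": {"app:gems:44:251:staff"},
}
# Explicit nesting: a child group is itself a member of its parent groups.
NESTED_IN = {"uc:nsit:srdirs": {"uc:nsit:managers"}}
# Signet side: privileges are assigned to groups, never to individual users.
GROUP_PRIVILEGES = {
    "uc:nsit": {"edit:nsit-wiki"},
    "uc:nsit:managers": {"approve:timesheets"},
    "uc:directors": {"approve:budget"},
    "app:gems:44:251:staff": {"read:gems-project-44"},
}

def name_ancestors(group):
    """'a:b:c' -> ['a:b', 'a']. Assumption of this model: membership in a
    ':'-named group implies membership in every enclosing stem."""
    parts = group.split(":")
    return [":".join(parts[:i]) for i in range(len(parts) - 1, 0, -1)]

def effective_groups(uid):
    """Every group uid is in, directly or via the hierarchy. Breadth-first
    with a visited set, so a nesting cycle cannot loop forever."""
    seen, queue = set(), deque(DIRECT_MEMBERSHIPS.get(uid, ()))
    while queue:
        g = queue.popleft()
        if g in seen:
            continue
        seen.add(g)
        queue.extend(name_ancestors(g))
        queue.extend(NESTED_IN.get(g, ()))
    return seen

def grant_source(uid, privilege):
    """The group through which uid holds privilege, or None; sorted so the
    answer is stable when several groups grant the same privilege."""
    for g in sorted(effective_groups(uid)):
        if privilege in GROUP_PRIVILEGES.get(g, ()):
            return g
    return None

def has_privilege(uid, privilege):
    return grant_source(uid, privilege) is not None
```

Returning the granting group rather than a bare boolean is what makes an access decision auditable: it names which Source of Authority the privilege actually came from.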
Privilege Elements by Example
(diagram; labels: Lifecycle, Privilege)
Multi-domain access scenarios
• Single domain
  • University (usually!)
• Single service domain, two user domains
  • Campus services & users, plus "guests"
• Single service domain, many user domains
  • Higher Ed service providers such as …
    • Library services, administrative ASPs, direct-to-student services
• Many service domains, many user domains
  • State & regional consortia
  • Some Virtual Orgs or Collaborative Orgs
  • Some grid infrastructures
• Sources of Authority & access management infrastructure are distributed across domains
Federated Identity ala Shibboleth
(diagram: Authenticate @Home at the "IdP"; Authorize @Resource at the "SP")
The rise of federations
• Federations are now occurring broadly, and internationally, to support inter-institutional and external partner collaborations
• Almost all in the corporate world are bi-lateral; almost all in the R&E world are multilateral
• They provide a powerful leverage of enterprise (campus, site) credentials
• Federations are learning to peer
• Internal federations are also proving useful
InCommon Federation: Essential Data
• US R&E Federation, a 501(c)3
• Addresses legal, LoA, shared attributes, business proposition
• Members are universities, service providers, government agencies, national labs
• Over 80 organizations and growing steadily
• 1.7 million user base now
• Uses range over popular and academic content, wiki and list controls, ASPs, NIH, MS DreamSpark, …
• www.incommonfederation.org
InCommon Federation: Essential Services
• Trust fabric: Metadata so that IdP's & SP's can mutually authenticate & interoperate
• Multilateral agreement among federation participants
• Agree to actually operate as they claim to
• A “Where Are You From” Service available
Example: TeraGrid and multiple domains
(diagram; labels: TeraGrid Resources ~10 Sites, ~125 Sites, InCommon Federation, Campus attributes, Science Gateway ~20 Sites; arrows: provision accounts, run, monitor)
In the cloud
(diagram: Many technologies)
Identity Services
• Decouple application design from implementation of identity services
Collaboration and Federated Identity
• Two powerful forces being leveraged
  • the rise of federated identity
  • the bloom in collaboration tools, most particularly in the Web 2.0 space but including file shares, email list procs, etc
• Collaboration management platforms provide identity services to “well-behaved collaboration applications”
• Results in user and collaboration centric identity, not tool-based identity
Collaboration Management Platforms
• Management of collaboration is a real impediment to collaboration, particularly with the growing variety of tools
• Goal is to develop a “platform” for handling the identity management aspects of many different collaboration tools
• Platform includes a framework and model, specific running code that implements the model, and applications that take advantage of the model
• This space presents possibilities of improving the overall unified UI as well as the UI for specific applications and components
COmanage
• A collaboration management platform, supported in part by an NSF OCI grant, being developed by the Internet2 community, with Stanford as a lead institution
• Open source, open protocol
• Uses Shibboleth, Grouper, and Signet
• Parallels activities in the UK and Australia
Comanageable applications
• Already done
  • Sympa, Federated wikis, Asterisk (open-source IP audioconferencing), Dim-Dim (open-source web meeting), Bedework (federated open-source calendar)
• Immediate targets
  • Rich access controlled wikis
  • Web-based file shares, IM, Google Apps for Education
  • Domain science resources
    • Instruments
    • Grids
Some general COmanage comments
• A limited number of consoles present the basic identity services; can move directly between services as a standard workflow
• Early in the development; the GUI is particularly primitive
• Underlying store is an LDAP directory; alternatives include MySQL db, RTF store, etc.
• COmanage can be deployed by a campus, a department, a VO, a VO service center; COmanage instances communicate with each other by the “attribute ecosystem” voodoo
Collaboration Management Platform (CMP) and the Attribute Ecosystem
(diagram; Collaboration Tools/Resources: File Sharing, Calendar, Email List Manager, Phone/Video Conference, Federated Wiki, Domain Science Instrument, Domain Science Grid, Laboratory X, with Application Attributes; CMP functions: Authentication, Authorization – Group Info, Authorization – Privilege Info, People Picker, Other Functions, Attribute/Resource Info Data Store; Home Org & Id Providers / Sources of Authority: University A, University B; arrows: manage, Attribute Ecosystem Flows)
Current issues in IAM
• Level of Assurance
• Campus Roles
• Shibboleth & Active Directory
• OpenID and (campus) attributes
• Privacy & consent
• Guest management