Authorization: Just when you thought middleware was no fun anymore

Authorization: Just when you thought middleware was no fun anymore. Keith Hazelton, Senior IT Architect, Univ. of Wisconsin-Madison Member, Internet2 Middleware Architecture Comm. for Education (MACE) Internet2 Fall Member Meeting, Indianapolis, Oct. 15, 2003.


Presentation Transcript


  1. Authorization: Just when you thought middleware was no fun anymore Keith Hazelton, Senior IT Architect, Univ. of Wisconsin-Madison Member, Internet2 Middleware Architecture Comm. for Education (MACE) Internet2 Fall Member Meeting, Indianapolis, Oct. 15, 2003

  2. Authorization related services: A broad vision and selected details • UW-Madison as a concrete reference point for thinking Authorization thoughts

  3. Core middleware services suite

  4. Core middleware services suite: Identity Mgmt Services

  5. Core Middleware Services: Directory / Identity Mgmt. Source systems (a, b, c) feed the directory. AuthZ Info Mgmt.: Internet2 Grouper, Stanford Authority (PrivGroups), UW-Msn PASE

  6. Core middleware services suite: Security Services (AuthN / AuthZ…) layered on Identity Mgmt Services

  7. Core Middleware Services: Authentication, Authorization,… AuthZ Info Access: Shibboleth (intra and inter-inst.) AuthN: LDAP bind; PKI

  8. PASE: A system for managing authorization information. A secure, delegated service to maintain and provide information about: • Populations of interest to the university • Affiliations (or roles) that a person has • Services that members of a role get (i.e. what they are entitled to do)

  9. PASE and authorization • Typically, an authorization decision indicates whether a person or other principal is permitted to access a requested resource or invoke a requested service • PASE is an authorization information management tool; it helps us manage key information needed for authorization processes • PASE is the companion to our Identity Management System -- the University Directory Service (UDS)

  10. Current Limitations: • Handling all populations • Having clearly defined affiliation information • Applying and documenting rules about who gets what • Getting timely information with which to make access control decisions • Handling special populations

  11. Current limitations: handling special populations • No system support for defining new types of affiliations • Binary entitlement: Either a person gets all services or gets none • No delegated management: • For defining new groups of people • For granting group members access to services • Result: Difficult to add new groups

  12. What is needed: An authorization information system with: • Flexibility to handle new services and population types without reprogramming or other undue hassle • Logical “single source” AuthZ info repository • Secure, delegated administration • A framework on which to implement policy

  13. PASE relates the correct entities for greater flexibility and scalability: A sponsor (source) registers a person, who has an affiliation, which is mapped to a service bundle, which consists of services, each of which is owned by a service provider

  14. PASE, peer institutions and NMI/Internet2 • Draws from pioneer efforts • Stanford’s Authority system • MIT’s Roles DB • Internet2 Grouper WG • On the cutting edge • Similar efforts at some institutions • We are one of the {b}leaders

  15. The non-technical aspects of PASE • Interests of sponsors and service providers are often not fully aligned • Need for a business process to agree on mappings between affiliations and service bundles • New role for sponsors as a result of their greater control: advocate for populations in negotiations with service providers

  16. PASE Development: An Iterative Approach • We intend to deliver PASE services in several phases. • First cut: A Pilot • To create the underlying structure end-to-end • To provide many of the functions for managing entities and their relationships • To manage risks (e.g., service disruption) • To assess design choices and make adjustments with minimum impact

  17. PASE Pilot – Spec Auth Retirees • Sponsor: Office of Human Resources • Person (Population): Retiree bio/demo data • Affiliation: Retirees • Affiliation Types: UW-Madison, UW Extension, UW System Administration and UW Colleges • Service Bundle: “Bucky Bundle” • Services: UW Madison Libraries, My UW Madison Portal, UW Madison Photo Identification, UW Madison Recreational Sports, etc. • Service Provider: Service Representatives

  18. PASE Pilot - Out of Pilot Scope • General access to information, both to maintain the data and use the data for authorization decisions • Negotiation between Sponsors and Service Providers • Batch inputs

  19. What’s Next? • Report the results of the pilot • Capture current services’ authorization rules • Define roles and responsibilities of the various players • Refine the links to UDS • Develop interfaces to service providers

  20. More on PASE http://www.doit.wisc.edu/middleware/pase/index.asp • Scott Fullerton fullerton@doit.wisc.edu

  21. What’s off this frame? Target-side: Evaluating authZ info and policies (Security Services, AuthN / AuthZ…, layered on Identity Mgmt Services)

  22. What’s off this frame? Target-side: processing authZ info and policies

  23. Appendix: PASE Terms • Affiliation: A person’s relationship to the institution. A person can have zero, one or many affiliations. An affiliation is similar to a role. • Authorization: Typically, authorization indicates what a person, properly authenticated, is permitted to do with a networked object or resource. • Service: One or more activities represented in business terms. A service can either be totally automated (e.g., the mail system) or partially so (e.g., Rec Sports). Services of interest to this project are protected by an authorization process.

  24. PASE Terms (continued) • Service Bundle: A set of one or more services. An example of this might be the bundle of services that all current members of the community get. In PASE, access privileges are defined by mapping one or more affiliations to a service bundle. • Service Entitlement: The specific, more granular, actions within a service, e.g., Update student data. • Service Provider: The organizational entity responsible for a service. • Sponsor: The UW entity that proposes new affiliations, possibly registers new groups of people into the UDS, and possibly also defines a person’s affiliation(s).
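The entity chain from slide 13 and the terms in slides 23-24 can be exercised as a small model: affiliations are sponsored, people are enrolled only by their sponsor, an affiliation-to-bundle mapping records an agreement between sponsor and bundle owner, and a person's services are the union of the bundles mapped to every affiliation they hold. This is an added illustration, not code from the PASE project; the class and method names, the sponsor/owner checks, and the sample retiree data are assumptions modelled on the pilot slide.

```python
from dataclasses import dataclass

@dataclass(frozen=True)
class Service:
    name: str
    entitlements: frozenset = frozenset()  # granular actions within the service

class PASE:
    def __init__(self):
        self.sponsor_of = {}  # affiliation -> sponsoring unit
        self.members = {}     # affiliation -> set of person ids
        self.mapping = {}     # affiliation -> set of bundle names
        self.bundles = {}     # bundle name -> (owning provider, frozenset of Service)

    def register_affiliation(self, sponsor, affiliation):
        self.sponsor_of[affiliation] = sponsor
        self.members[affiliation], self.mapping[affiliation] = set(), set()

    def add_person(self, actor, affiliation, person):
        # delegated administration: only the sponsoring unit may enrol people
        if self.sponsor_of.get(affiliation) != actor:
            raise PermissionError(f"{actor} does not sponsor {affiliation}")
        self.members[affiliation].add(person)

    def map_bundle(self, sponsor, provider, affiliation, bundle):
        # a mapping records an agreement between the sponsor and the bundle owner
        if self.sponsor_of.get(affiliation) != sponsor or self.bundles[bundle][0] != provider:
            raise PermissionError("mapping must be agreed by sponsor and bundle owner")
        self.mapping[affiliation].add(bundle)

    def services_for(self, person):
        # union of every bundle mapped to each affiliation the person holds
        return {svc for aff, people in self.members.items() if person in people
                for b in self.mapping[aff] for svc in self.bundles[b][1]}

    def authorized(self, person, service, action=None):
        # service-level decision, optionally narrowed to one service entitlement
        return any(svc.name == service and (action is None or action in svc.entitlements)
                   for svc in self.services_for(person))

def build_pilot():
    # constructed sample data modelled on the retiree pilot slide (names assumed)
    p = PASE()
    p.bundles["Bucky Bundle"] = ("Service Representatives", frozenset({
        Service("UW Madison Libraries", frozenset({"borrow"})),
        Service("My UW Madison Portal")}))
    p.register_affiliation("Office of Human Resources", "Retirees")
    p.add_person("Office of Human Resources", "Retirees", "retiree-001")
    p.map_bundle("Office of Human Resources", "Service Representatives", "Retirees", "Bucky Bundle")
    return p
```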
