Building from bedrock tailoring technology to collaboration
This presentation is the property of its rightful owner.
Sponsored Links
1 / 29

Building from Bedrock: Tailoring Technology to Collaboration PowerPoint PPT Presentation


  • 113 Views
  • Uploaded on
  • Presentation posted in: General

Building from Bedrock: Tailoring Technology to Collaboration. Topics. Updates on the bedrock Internet identity InCommon today InCommon the next twelve months Collaboration Management Platforms Virtual Organizations and their IdM and access control needs Building from Bedrock

Download Presentation

Building from Bedrock: Tailoring Technology to Collaboration

An Image/Link below is provided (as is) to download presentation

Download Policy: Content on the Website is provided to you AS IS for your information and personal use and may not be sold / licensed / shared on other websites without getting consent from its author.While downloading, if for some reason you are not able to download a presentation, the publisher may have deleted the file from their server.


- - - - - - - - - - - - - - - - - - - - - - - - - - E N D - - - - - - - - - - - - - - - - - - - - - - - - - -

Presentation Transcript


Building from bedrock tailoring technology to collaboration

Building from Bedrock: Tailoring Technology to Collaboration


Topics

Topics

  • Updates on the bedrock

    • Internet identity

    • InCommon today

    • InCommon the next twelve months

  • Collaboration Management Platforms

  • Virtual Organizations and their IdM and access control needs

  • Building from Bedrock

    • The activities

    • The early lessons

    • Next steps


In the last few years

In the last few years…

  • Internet identity has become pervasive, in two flavors

    • A rapidly growing, but still maturing federated identity infrastructure, particularly in the R&E sector globally.

    • A set of theoretically interoperable social identity providers serving large masses of social and low-risk applications

  • Federated uses vary by country and sector

    • In some countries, 100% of citizens, using for government, research, educational and other uses

    • In the US, R&E and extensive federal/state government use

    • Verticals (medical, real estate, etc) building federated corporate identities


Saml federations worldwide scope

SAML federations worldwide - scope


Where we headed

Where We Headed

  • The trust infrastructure

    • An international peering of SAML R&E federations, with common attributes and LOA, with some careful integration of other identity approaches (e.g. Social2SAML).

    • Privacy preserving real time interrealm authentication and attribute exchange across all applications

  • The collaboration/VO IdM overlay

    • Services that provide integrated VO identity and access management to both domain and collaboration apps

    • Leverages trust infrastructure, enterprise and VO attributes,etc


It is a work in progress

It is a work in progress

  • Still immature

    • Not all institutions are in a federation

    • Not all institutions populate all base-level attributes

    • User-managed attribute release beginning

  • Still gaps being worked

    • Non-web apps just getting standardized by IETF (GSSAPI enhancements, enabling federated SSH)

    • Interfederation

    • Social2SAML


Incommon today

InCommon today

  • 200+universities, 350+total participants, growth still rapid

  • Traditional uses continue to grow:

    • Outsourced testing services, outsourced travel, access to software, access to licensed content, etc.

  • New uses bloom:

    • Access to wikis, shared services, cloud services, calendaring, command line apps, etc.

  • Certificate services:

    • You’ll come for the cheap SSL, you’ll stay for the personal certs – signing, encryptions, wireless


  • Incommon the next year

    InCommon – the next year

    • Growth and managing growth

    • Silver – higher levels of assurance

    • uApprove – end user attribute management

    • Personal certificates

      • Powerful old technology

      • Authentication, signed email, signed documents, encryption, etc.

    • Solidifying campus participation


    Collaboration management platforms

    Collaboration Management Platforms

    • An integrated “collaboration identity management system”

      • Provides basic group and role management for a group of federated users

      • Plugs into federated infrastructure to permit automatic data management

    • A growing set of applications that derive their authentication and authorization needs from such external systems

      • Collaboration apps – wikis, lists, calendaring, netmeeting

      • Domain apps – instruments, databases, computers, storage


    From the collaboration perspective

    From the collaboration perspective

    Scalable actions expected (or at least hoped for) in a CMP:

    • Create and delete/archive users, accounts, keys

    • Group management on an individual and CMP-wide scale

    • Permit or deny access control to wiki pages, calendars, computing resources, version control systems, domain apps, etc.

    • Domesticated applications to meet the needs of the VO

    • Usage reporting

    • Metering and throttling


    Cmp from the technical perspective

    CMP from the technical perspective

    • A combination of enterprise tools refactored for VO’s

      • Shib, Grouper, Directories, etc

    • A person registry with automated life-cycle maintenance

      • Includes provisioning and deprovisioning

    • A place to create, maintain local attributes

      • Using Groups and Roles

    • A place to combine local and institutional attributes for access to applications

    • A place to push/pull attributes to domesticated applications

      • Collaboration apps – wikis, lists, net meetings, calendars, etc

      • Domain apps – SSH, Clusters, Grids, iRods, etc.

      • Attributes delivered via SAML, LDAP, X.509, etc


    Deployment options for a cmp

    Deployment options for a CMP

    • Proprietary approaches – Google Apps, MS Live

    • Embedded in a portal or gateway

    • As a stand-alone platform, assembled from components, with application servers around it

    • In a cloud, with apps in the cloud

    • As a national service

      • Surfnet –

        • http://www.surfnet.nl/en/Thema/coin/Pages/Default.aspx


    Building from bedrock tailoring technology to collaboration

    http://www.internet2.edu/comanage/

    A set of replaceable modules: user console, person registry, Shibboleth IdP and SP, Grouper, provisioning and deprovisioning, etc.

    A set of domesticated apps

    A kit, not a VM or a service

    Funded by an NSF-SDCI grant and Internet2

    API developed for the platform now in use at LIGO


    Domesticated applications

    Domesticated Applications

    Wikis, Chats, Lists, Jabber, etc.

    Drupal, Moodle, Sakai, etc

    Audioconferencing and netmeeting

    Ad hoc and group event calendaring

    Sharepoint, Webex, Adobe Connect, etc

    File sharing, drop boxes, etc


    Building from bedrock tailoring technology to collaboration

    VO’s

    Multi-institutional, usually multi-national collaborations

    Frequently centered on unique instruments (e.g. CERN, Sloan), data repositories (e.g. medical records, economic data), etc

    Examples:

    • hard sciences – LIGO, NEON, OOI, iPlant, GENI

    • social sciences and humanities - Bamboo, CLARIN

      Use standard collaboration tools and domain tools, often in an integrated fashion

    • SSH to manage an instrument that populated a DB that a web browser accesses


    General vo characteristics

    General VO Characteristics

    Cluster around distinctive resources – instruments, databases, computational resources, historical records, etc.

    A VO is distinct from a general collaboration by formal roles, ownership of resources, real budgets, scholarly deliverables, accountability and audit requirements, etc.

    International by nature

    Less privilege crust than enterprises

    Some VO’s are deep in science and less wide in outreach

    Some are as much wide as deep


    Vo requirements for identity management

    VO Requirements for Identity Management

    Permit or deny access control to wiki pages, calendars, computing resources, version control systems, file sharing and drop boxes, etc

    Add or remove people from groups

    Create new subgroups, identify overlapping memberships, etc.

    Add people to mailing lists, wikis, etc

    Ad hoc calendaring

    Create and delete/archive users, accounts, keys

    Identify group membership on a given date

    Usage reporting


    More on the collaboration space

    More on the collaboration space

    • How VO and Enterprise IdM differ

      • VO often have greater federation needs

      • VO generally built around unique data sets, instruments

      • VO often multi-institutional, multi-national

      • Enterprise IdM (usually) has a stronger LoA

      • Enterprise IdM (usually) have a stronger infrastructure


    The bedrock grant

    The “Bedrock” Grant

    • Building from Bedrock: Infrastructure Improvements for Collaboration and Science – an NSF OCI grant (Fall, 2010)

    • Focus on further developing and integrating tools to allow collaborations to operate efficiently in the IdM space

      • COmanage

      • Grouper

      • Shibboleth

    • Beginning the art of tailoring technology to collaboration

      http://www.internet2.edu/bedrock/


    The art of tailoring

    The art of tailoring

    • Fitting identity and access management systems to collaborations

      • Serve both the collaboration and domain apps

      • Leverage and plumb into emergent federated identity infrastructure

    • Collaborations are like snowflakes – no two are alike. A big variety in the needs and styles of collaborations

    • Work with the collaboration to analyze their needs – for most, “gee, we never thought about things this way…”


    Engaged vo s

    Engaged VO’s

    LIGO – www.ligo.org - high profile international gravitional physics

    iPlant – www.iplantcollaborative.org - comprehensive cyberinfrastructure for Plant Biology

    Bamboo - http://projectbamboo.org/ - comprehensive cyberinfrastructure for Arts and Humanities

    GENI – www.geni.net - NSF next generation Internet research

    Earth Science Women’s Network http://www.sage.wisc.edu/eswn/ - international peer-mentoring for women in earth sciences


    Vo requirements distilled identity and access control

    VO Requirements distilled:Identity and Access Control

    • Leverage federated identity

    • Use groups for primary access control – understandable to most

    • Integrate with campus processes (identity management, course memberships, citizenship and other attributes)

    • Emphasis on some unusual functions

      • Historical views of group memberships

      • Usage reporting for funders consumption


    Integration of identity and access control

    Integration of identity and access control

    • Identity and access control (groups) need to integrate across three science environments

      • Command-line-managed instruments generate data feeds that populate data bases

      • Using web browsers, scientists access the database, mark events, set data feeds, etc.

      • Other communities come in through science gateways and portals

    • Federated identity and domestication of applications is needed

    • Automated provisioning and deprovisioning a big win


    Vo requirements applications

    VO Requirements: Applications

    • Collaborative

      • Federated, Access controlled wikis

      • File shares and Drop Boxes

      • Lists, Chats, Ad hoc calendaring,

      • Netmeetings, Audioconferences, etc.

    • Domain

      • VO Databases

      • TeraGrid, Open Science Grid

      • Command line apps


    Single profile

    Single Profile

    As VO’s get more data-centric in nature, profiles are the automated way to match users with new data sources, and a simple access control mechanism

    The controlled vocabulary/ontology aspects of profiles needs active management tools as well as storing the profiles and managing releases.

    Some of the new NSF data nets are using multiple profiles; single profile is the next single sign-on….

    VIVO is an important building block for answers here http://www.vivoweb.org/


    Tailoring dimensions 1

    Tailoring dimensions - 1

    • Breadth of outreach

    • Depth of science

    • Size of the collaboration and capabilities of IT staff

    • Locus of collaborators

      • Global scheduling, availability of identities, etc.


    Tailoring dimensions 2

    Tailoring dimensions - 2

    • Dataness of collaboration

    • Management style of collaboration

    • Nature of collaborators

      • Balance of tools, communicating styles, etc

    • Autonomy of collaborations

      • When to include vs federate


    Next steps

    Next Steps

    • Enhanced collaboration management – prerequisites, thresholds, cross-application quotas, etc.

    • Continued domestication of applications, including non-web apps

    • Improved user interfaces – OpenSocial, etc

    • Integration with other international collaboration platforms

    • Directly plumbing into infrastructure

      • Class lists dynamically into VO permissions

      • Higher assurance authentication of secure applications

    • VAMP (VO Camp)


  • Login