
Maturation & Convergence in Authentication & Authorization Services in US Higher Education:

Maturation & Convergence in Authentication & Authorization Services in US Higher Education:. Keith Hazelton, hazelton@doit.wisc.edu Sr. IT Architect, University of Wisconsin-Madison Internet2 MACE 20th APAN, Taipei, Taiwan August 24, 2005. Topics. Middleware service layer concepts & models


Presentation Transcript


  1. Maturation & Convergence in Authentication & Authorization Services in US Higher Education: Keith Hazelton, hazelton@doit.wisc.edu Sr. IT Architect, University of Wisconsin-Madison Internet2 MACE 20th APAN, Taipei, Taiwan August 24, 2005

  2. Topics • Middleware service layer concepts & models • Roots of the Internet2 middleware initiative • Growing relevance of middleware for network layer services and Grid services • Possible paths of convergence

  3. Identity and Access Management (IAM) defined • What is Identity Management? “Identity [and access] management is • the set of business processes, • and a supporting infrastructure, • for the • creation, • maintenance, • and use • of digital identities.” The Burton Group (a research firm specializing in IT infrastructure for the enterprise)

  4. The IAM Stone Age • List of functions: • AuthN: Authenticate principals (people, servers) seeking access to a service or resource • Log: Track access to services/resources

  5. The IAM Stone Age • Every application for itself in performing these functions • User list, credentials, if you’re on the list, you’re in (AuthN is authorization (AuthZ)) • As Hobbes might say: Stone age IAM “nasty, brutish & short on features”

  6. Vision of a better way to do IAM • IAM as a middleware layer at the service of any number of applications • Requires an expanded set of basic functions • Reflect: Track changes to institutional data from changes in Systems of Record (SoR) & other IdM components • Join: Establish & maintain person identity across multiple independent sources of person information • Human Resources and Student Info. Systems • …or Department X and Department Y IT systems

  7. Vision of a better way to do IAM • More in the expanded set of basic functions • Credential: issue digital credentials to people in the community • Mng. Affil.: Manage affiliation and group information • Mng. Priv.: Manage privileges and permissions at system and resource level • Provision: Push IAM info out to systems and services as required • Deliver: Make access control / authorization information available to services and resources at run time • AuthZ: Make the allow/deny decision independent of AuthN

  8. IAM functions

  9. Roots of the Internet2 Middleware Initiative • Stated goal is to support educational institution as a whole in its various missions • Requires focus on entire population of various service consumers (students, staff, researchers, lecturers, etc.) • Plus two critical requirements: • Scalability • Flexibility

  10. Basic IAM functions mapped to the Internet2 NMI / MACE components [Diagram; labels recovered from the slide: Systems of Record (Stdnt, HR, Other); Registry; Enterprise Directory (LDAP); functions Reflect, Join, Credential]

  11. Basic IAM functions mapped to the Internet2 NMI / MACE components [Diagram; labels recovered from the slide: Systems of Record; Enterprise Directory; Apps / Resources; functions AuthN, Log, Reflect, Provision, Join, Credential, AuthZ, Mng. Affil., Mng. Priv., Deliver; components WebISO, Grouper, Signet, Shibboleth]

  12. Middleware becoming crucial to network and Grid communities • QoS, Authenticated network access and network service all require IAM suite of functions • Grid services have that PLUS need to support multiple-institution virtual organizations (VOs) • Middleware becomes crucial in both for • Scalability • Flexibility

  13. The GridShib picture [Diagram; labels recovered from the slide: actors User, Campus, Shibboleth, Grid Service; steps (0) Attribute Release Policy, (1) Grid Authentication, (2) Shib Attribute Request, (3) Attributes, (4) Attribute-based authorization]

  14. Getting Attributes into a Site’s Attribute Authority [Diagram; labels recovered from the slide: On-site Authorities (SIS, HR, Core Business Systems) and Off-site Authorities; Loaders; Person Registry; Group Registry (Grouper UI); Privilege Registry (Signet UI using Shibboleth); LDAP; Attribute Authority (Shib/GridShib); sample attributes uid: jdoe, eduPersonAffiliation: …, isMemberOf: …, eduPersonEntitlement: …]
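The three slides above describe one flow: the campus Attribute Authority holds attributes such as eduPersonAffiliation, isMemberOf and eduPersonEntitlement (slide 14), an attribute release policy governs what each service provider may see, and the Grid Service makes its allow/deny decision from the released attributes rather than from the fact of authentication (slides 7 and 13). The Python below is an added toy model of that exchange; it is not Shibboleth or GridShib code, and every identifier, attribute value, SP URL, entitlement URN and policy in it is constructed for illustration.

```python
"""Toy model of the GridShib-style attribute-based authorization flow.
Added illustration only: not Shibboleth or GridShib code. All directory
entries, SP identifiers, entitlement URNs and policies are constructed."""

from typing import Dict, List, Set, Tuple

# --- Campus side: Attribute Authority backed by a directory (constructed data) ---
DIRECTORY: Dict[str, Dict[str, List[str]]] = {
    "jdoe": {
        "uid": ["jdoe"],
        "eduPersonAffiliation": ["member", "faculty"],
        "isMemberOf": ["cs-dept", "climate-vo"],               # group registry (Grouper) output
        "eduPersonEntitlement": ["urn:example:grid:compute"],   # privilege registry (Signet) output; placeholder URN
        "mail": ["jdoe@example.edu"],
    },
    "asmith": {
        "uid": ["asmith"],
        "eduPersonAffiliation": ["member", "student"],
        "isMemberOf": ["cs-dept"],
        "eduPersonEntitlement": [],
        "mail": ["asmith@example.edu"],
    },
}

# Step (0): attribute release policy, keyed by service provider (SP) identifier.
# Anything not listed for an SP is never released to it.
RELEASE_POLICY: Dict[str, Set[str]] = {
    "https://grid.example.org/sp": {"eduPersonAffiliation", "isMemberOf", "eduPersonEntitlement"},
    "https://library.example.org/sp": {"eduPersonAffiliation"},
}


def release_attributes(uid: str, sp_id: str) -> Dict[str, List[str]]:
    """Steps (2)-(3): answer an SP's attribute request, releasing only what the
    policy allows. An SP with no policy entry receives nothing (deny by default)."""
    allowed = RELEASE_POLICY.get(sp_id, set())
    person = DIRECTORY.get(uid, {})
    return {name: list(values) for name, values in person.items() if name in allowed}


# --- Grid service side: authorization rules expressed over attributes (constructed) ---
GRID_SP = "https://grid.example.org/sp"
ACTION_RULES: Dict[str, Dict[str, str]] = {
    "read-catalog": {"eduPersonAffiliation": "member"},
    "submit-job": {"isMemberOf": "climate-vo",
                   "eduPersonEntitlement": "urn:example:grid:compute"},
}


def authorize(attrs: Dict[str, List[str]], action: str) -> Tuple[bool, str]:
    """Step (4): allow/deny decided from released attributes alone. Every
    attribute/value pair the action requires must be present."""
    rule = ACTION_RULES.get(action)
    if rule is None:
        return False, f"unknown action {action!r}"
    for name, required in rule.items():
        if required not in attrs.get(name, []):
            return False, f"missing {name}={required}"
    return True, "all required attributes present"


def grid_request(uid: str, authenticated: bool, action: str) -> Tuple[bool, str]:
    """The whole exchange: (1) grid authentication, (2)-(3) attribute pull from
    the campus, (4) attribute-based decision. A successful AuthN never by itself
    grants access; the decision is made separately from the attributes."""
    if not authenticated:
        return False, "authentication failed"   # step (1) failed; no attributes are requested
    attrs = release_attributes(uid, GRID_SP)
    return authorize(attrs, action)


if __name__ == "__main__":
    for uid, action in [("jdoe", "submit-job"), ("asmith", "submit-job"), ("asmith", "read-catalog")]:
        print(uid, action, grid_request(uid, True, action))
    print("library SP sees:", release_attributes("jdoe", "https://library.example.org/sp"))
    print("unknown SP sees:", release_attributes("jdoe", "https://unknown.example.net/sp"))
```

Two points the slides make are visible in the output: asmith authenticates successfully yet is denied "submit-job" because the VO membership and entitlement are absent (AuthN is not AuthZ), and the library SP receives only the affiliation attribute while an SP with no policy entry receives nothing, which is the attribute release policy doing the minimization.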

  15. Do APAN attendees thus represent a new market for I2-style middleware? • If so, what are likely paths of collaboration and convergence? • SAML and WS* and PKI interoperability • to bring institutional IAM and Grid IAM into alignment: see Project GridShib & JISC news • IAM infrastructures at departmental in addition to institutional levels • Federations as organizational umbrellas for VOs • A quick glance at federation building initiatives

  16. Federation Value Proposition • Set of cooperating IdPs and SPs forms a community needing agreement on: • Trust Fabric • X.509 certs • IdP and SP identifiers & other metadata • Community standard for attribute semantics • Community standards for IdP and SP operational practices • Strength of authentication • Confidentiality • For N IdPs and M SPs, which is easier? • N*M agreements • N+M agreements

  17. The Research and Education Federation Space Today [Diagram; labels recovered from the slide: REF Cluster; InQueue (a starting point); InCommon; SWITCH; NSDL; The Shib Research Club; State of Penn Fin Aid Assoc; Indiana; Other clusters; Other potential US R+E feds; Other national nets; “Slippery slope - Med Centers, etc”]

  18. Specific possibilities • Participate in beta testing of middleware components to get your requirements into development stream • Participate in middleware-enhanced VO trials • Others???

  19. Q & A • hazelton@doit.wisc.edu • http://middleware.internet2.edu • http://shibboleth.internet2.edu • http://grid.ncsa.uiuc.edu/GridShib • http://middleware.internet2.edu/dir/groups/grouper • http://middleware.internet2.edu/signet • http://www.incommonfederation.org
