Intro to Identity for Developers

Presentation Transcript


  1. Intro to Identity for Developers
     Tom Barton, U Chicago
     Scott Cantor, Ohio State
     Patrick Michaud, U Washington

  2. Plan for the afternoon
     • [All] Why are we here?
     • [Tom] Internet2 Middleware big picture
     • [Scott] Identity-enabling web applications
     • Break
     • [Patrick] Catalyst case study
     • [Tom] Collaboration management
     • [All] IAM current issues

  3. Internet2 Middleware Initiative (I2MI) big picture themes
     Earlier
     • Identity & Access Management plumbing
     • Federations are rising
     Later
     • Identity Services
     • Collaboration management

  4. Access Management Realities
     • Many Sources of Authority
        • Policy making bodies
        • Resource managers
        • Program/activity heads
        • Self
     • Identification vs. authorization
     • Distributed management
        • Within an organization
        • Among organizations
     • Common & articulating infrastructure
        • Departments/programs/activities should not have to build their own
        • Articulate between organizations

  5. Early I2MI revelation
     • To ease the management of inter-org collaborative activities, campus IAM practices must be good enough
        • Identification & identifiers
        • Authentication
        • Attributes
        • Common practices & standards

  6. Pre-indoor plumbing

  7. I2MI's notion of middleware
     • Basic enterprise-wide services that are used by many applications
     • Now being extended through federations to include inter-institutional and virtual organization needs
     • Authentication, single sign on, directories, identifiers, authorization and privilege management
     • Perhaps workflow, digital rights management, enterprise service bus and a few others
     • As much policy, governance, and practice as technology

  8. Keys to success in middleware
     • Application integration
        • Administrative
        • Academic and collaborative
     • Institutional and business process integration
        • Working with authoritative sources
        • Becoming an authoritative source
     • People and process time - not software and hardware expense
     • Making it reliable, flexible and invisible – true indoor plumbing

  9. Identity & Access Management reflected in a campus LDAP entry
     uid: tbarton
     chicagoID: 01191359N
     eduPersonAffiliation: staff
     isMemberOf: uc:drdepts:nsit:integration
     isMemberOf: uc:adhoc:fact
     isMemberOf: uc:directors
     isMemberOf: uc:nsit:srdirs
     isMemberOf: uc:nsit:integration:iteco_wr
     isMemberOf: app:gems:44:251:staff

  10. New tools

  11. Relative Roles of Signet & Grouper
     • Users are placed into groups
     • Privileges are assigned to groups
     • Groups can be arranged hierarchically to give privileges indirectly
     • Grouper manages groups
     • Signet manages privileges
     • Aligns with diverse Sources of Authority
     [Diagram labels: Grouper, Signet]
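The group-then-privilege model of slides 9 and 11 is easy to get wrong in application code (checking a person directly instead of the groups they belong to, or forgetting that nested groups inherit). The following is an added example, not code from the presentation or from the Grouper or Signet projects: a Grouper-like group store in which groups can be members of other groups, a Signet-like privilege store that grants privileges only to groups, and a helper that yields the effective memberships a campus directory would publish as the multi-valued isMemberOf attribute. All user, group and privilege names are constructed.

```python
"""Group-based access management in the style of Grouper and Signet.

Added example; not code from the presentation or from the Grouper or Signet
projects.  Users are placed into groups, privileges are assigned to groups
rather than to people, and groups nest so that a privilege granted to a parent
group reaches members of its subgroups indirectly.  Every user, group and
privilege name below is constructed for illustration.
"""
from collections import defaultdict
from typing import Dict, List, Set, Tuple


class GroupRegistry:
    """Grouper-like store: direct user members and direct subgroup links."""

    def __init__(self) -> None:
        self.members: Dict[str, Set[str]] = defaultdict(set)   # group -> direct uids
        self.parents: Dict[str, Set[str]] = defaultdict(set)   # child group -> parent groups

    def add_member(self, group: str, uid: str) -> None:
        self.members[group].add(uid)

    def add_subgroup(self, parent: str, child: str) -> None:
        """Make `child` a member of `parent`: child members become effective members of parent."""
        self.parents[child].add(parent)

    def effective_groups(self, uid: str) -> Set[str]:
        """Groups the user belongs to directly or through any chain of nesting."""
        result = {g for g, uids in self.members.items() if uid in uids}
        frontier = list(result)
        while frontier:                          # walk up the parent links
            group = frontier.pop()
            for parent in self.parents.get(group, ()):
                if parent not in result:         # the visited set also stops cycles
                    result.add(parent)
                    frontier.append(parent)
        return result


class PrivilegeRegistry:
    """Signet-like store: a privilege is granted to groups, never to a person."""

    def __init__(self) -> None:
        self.grants: Dict[str, Set[str]] = defaultdict(set)    # privilege -> groups

    def grant(self, privilege: str, group: str) -> None:
        self.grants[privilege].add(group)

    def has_privilege(self, groups: GroupRegistry, uid: str, privilege: str) -> bool:
        """True when a group holding the privilege is among the user's effective groups."""
        return bool(self.grants.get(privilege, set()) & groups.effective_groups(uid))


def is_member_of(groups: GroupRegistry, uid: str) -> List[str]:
    """The values an LDAP isMemberOf attribute would carry for this user."""
    return sorted(groups.effective_groups(uid))


def build_demo() -> Tuple[GroupRegistry, PrivilegeRegistry]:
    """Constructed fixture: a two-level IT hierarchy plus a directors group."""
    groups = GroupRegistry()
    privs = PrivilegeRegistry()
    groups.add_subgroup("org:it", "org:it:integration")    # integration team sits under IT
    groups.add_member("org:it:integration", "alice")
    groups.add_member("org:directors", "bob")
    privs.grant("wiki:it:read", "org:it")                  # granted to the parent group only
    privs.grant("purchase:approve", "org:directors")
    return groups, privs


if __name__ == "__main__":
    groups, privs = build_demo()
    for uid in ("alice", "bob"):
        print(uid, "isMemberOf:", is_member_of(groups, uid),
              "wiki:it:read:", privs.has_privilege(groups, uid, "wiki:it:read"))
```

Note that alice never appears in the privilege store at all: she can read the IT wiki only because `org:it:integration` is nested in `org:it`, which is exactly the indirect grant the slide describes, and removing her from the one group revokes everything downstream without touching any privilege record.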

  12. Privilege Elements by Example
     [Diagram labels: Lifecycle, Privilege]

  13. Multi-domain access scenarios
     • Single domain
        • University (usually!)
     • Single service domain, two user domains
        • Campus services & users, plus "guests"
     • Single service domain, many user domains
        • Higher Ed service providers such as …
        • Library services, administrative ASPs, direct-to-student services
     • Many service domains, many user domains
        • State & regional consortia
        • Some Virtual Orgs or Collaborative Orgs
        • Some grid infrastructures
     • Sources of Authority & access management infrastructure are distributed across domains

  14. Federated Identity a la Shibboleth
     [Diagram: Authenticate @Home ("IdP") — Authorize @Resource ("SP")]

  15. The rise of federations
     • Federations are now occurring broadly, and internationally, to support inter-institutional and external partner collaborations
     • Almost all in the corporate world are bi-lateral; almost all in the R&E world are multilateral
     • They provide a powerful leverage of enterprise (campus, site) credentials
     • Federations are learning to peer
     • Internal federations are also proving useful

  16. InCommon Federation: Essential Data
     • US R&E Federation, a 501(c)3
     • Addresses legal, LoA, shared attributes, business proposition
     • Members are universities, service providers, government agencies, national labs
     • Over 80 organizations and growing steadily
     • 1.7 million user base now
     • Uses range over popular and academic content, wiki and list controls, ASPs, NIH, MS DreamSpark, …
     • www.incommonfederation.org

  17. InCommon Federation: Essential Services
     • Trust fabric: Metadata so that IdPs & SPs can mutually authenticate & interoperate
     • Multilateral agreement among federation participants
     • Agree to actually operate as they claim to
     • A “Where Are You From” service available
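Slide 14 splits the work between the home organization (authenticate) and the resource (authorize), and slide 17 says the federation's metadata is what lets an SP know which IdPs to believe. The following added example (not code from the presentation or the Shibboleth project) shows the SP-side checks that sit between those two: it assumes the Shibboleth SP has already verified the assertion's XML signature and decrypted it, and then checks that the issuer is an IdP in the loaded metadata, that the assertion is addressed to this SP, that it is inside its validity window, and finally makes a local access decision from the released eduPerson attributes. The entityIDs, timestamps, group names and the assertion text are all constructed; the attribute OIDs are the registered eduPerson ones.

```python
"""SP-side checks on a SAML 2.0 assertion: authenticate at home, authorize at the resource.

Added example; not code from the presentation or from the Shibboleth project.
In a Shibboleth deployment the SP verifies the assertion's XML signature (and
decrypts it) before an application sees attributes; this code assumes that
has already happened and shows the checks that remain: issuer present in
federation metadata, audience equals this SP, time window honoured, and an
access decision taken locally from the released attributes.  The entityIDs,
times, group names and the assertion text are constructed for illustration.
"""
import xml.etree.ElementTree as ET
from datetime import datetime, timezone
from typing import Dict, List, Optional, Set, Union

SAML = {"saml": "urn:oasis:names:tc:SAML:2.0:assertion"}

# Attribute names as carried in SAML: the OIDs of the eduPerson attributes.
EDU_PERSON_AFFILIATION = "urn:oid:1.3.6.1.4.1.5923.1.1.1.1"
IS_MEMBER_OF = "urn:oid:1.3.6.1.4.1.5923.1.5.1.1"

# Stand-in for federation metadata: the IdP entityIDs this SP trusts (constructed).
TRUSTED_IDPS: Set[str] = {"https://idp.example-university.edu/idp/shibboleth"}
OUR_ENTITY_ID = "https://wiki.example-service.org/shibboleth"

# Constructed assertion, assumed already signature-checked by the SP.
SAMPLE_ASSERTION = """\
<saml:Assertion xmlns:saml="urn:oasis:names:tc:SAML:2.0:assertion"
                ID="_constructed-1" Version="2.0" IssueInstant="2024-01-01T12:00:00Z">
  <saml:Issuer>https://idp.example-university.edu/idp/shibboleth</saml:Issuer>
  <saml:Subject>
    <saml:NameID Format="urn:oasis:names:tc:SAML:2.0:nameid-format:transient">_tx9</saml:NameID>
  </saml:Subject>
  <saml:Conditions NotBefore="2024-01-01T11:59:00Z" NotOnOrAfter="2024-01-01T12:05:00Z">
    <saml:AudienceRestriction>
      <saml:Audience>https://wiki.example-service.org/shibboleth</saml:Audience>
    </saml:AudienceRestriction>
  </saml:Conditions>
  <saml:AttributeStatement>
    <saml:Attribute Name="urn:oid:1.3.6.1.4.1.5923.1.1.1.1">
      <saml:AttributeValue>staff</saml:AttributeValue>
    </saml:Attribute>
    <saml:Attribute Name="urn:oid:1.3.6.1.4.1.5923.1.5.1.1">
      <saml:AttributeValue>org:it:integration</saml:AttributeValue>
      <saml:AttributeValue>org:directors</saml:AttributeValue>
    </saml:Attribute>
  </saml:AttributeStatement>
</saml:Assertion>
"""


def _parse_time(value: Optional[str]) -> datetime:
    """SAML dateTime values are UTC with a trailing Z; a missing value is a validation failure."""
    if value is None:
        raise ValueError("assertion lacks a required time condition")
    return datetime.strptime(value, "%Y-%m-%dT%H:%M:%SZ").replace(tzinfo=timezone.utc)


def validate_assertion(xml_text: str, now: Union[str, datetime],
                       trusted_idps: Set[str] = TRUSTED_IDPS,
                       our_entity_id: str = OUR_ENTITY_ID) -> Dict[str, List[str]]:
    """Apply issuer, audience and time checks; return the released attributes.

    Raises ValueError on any failure so the caller never acts on attributes
    from an assertion it should not trust.
    """
    if isinstance(now, str):
        now = _parse_time(now)
    root = ET.fromstring(xml_text)

    issuer = root.findtext("saml:Issuer", namespaces=SAML)
    if issuer not in trusted_idps:                       # unknown IdP: not in our metadata
        raise ValueError(f"issuer not in federation metadata: {issuer!r}")

    cond = root.find("saml:Conditions", SAML)
    if cond is None:
        raise ValueError("assertion carries no Conditions")
    audiences = [a.text for a in cond.findall("saml:AudienceRestriction/saml:Audience", SAML)]
    if our_entity_id not in audiences:                   # issued for a different SP
        raise ValueError("assertion is not addressed to this SP")
    not_before = _parse_time(cond.get("NotBefore"))
    not_on_or_after = _parse_time(cond.get("NotOnOrAfter"))
    if not (not_before <= now < not_on_or_after):
        raise ValueError("assertion is outside its validity window")

    attrs: Dict[str, List[str]] = {}
    for attr in root.findall("saml:AttributeStatement/saml:Attribute", SAML):
        values = [v.text or "" for v in attr.findall("saml:AttributeValue", SAML)]
        attrs.setdefault(attr.get("Name", ""), []).extend(values)
    return attrs


def authorize(attrs: Dict[str, List[str]], required_group: str) -> bool:
    """Local policy at the resource: staff affiliation plus membership in one group."""
    return ("staff" in attrs.get(EDU_PERSON_AFFILIATION, [])
            and required_group in attrs.get(IS_MEMBER_OF, []))


if __name__ == "__main__":
    released = validate_assertion(SAMPLE_ASSERTION, "2024-01-01T12:01:00Z")
    print("released attributes:", released)
    print("may edit IT wiki:", authorize(released, "org:it:integration"))
```

The point of the split is visible in `authorize`: the application never sees a password and never asks the home campus "may this person edit?"; it only decides what the attributes it was given are good for, which is why the quality of the campus attributes (slide 5) matters so much to the relying party.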

  18. Example: TeraGrid and multiple domains
     [Diagram labels: TeraGrid Resources (~10 Sites); Campus (~125 Sites); Science Gateway (~20 Sites); InCommon Federation; provision accounts; run; monitor; Campus attributes]

  19. In the cloud
     [Diagram label: Many technologies]

  20. Identity Services
     • Decouple application design from implementation of identity services

  21. Collaboration and Federated Identity
     • Two powerful forces being leveraged
        • the rise of federated identity
        • the bloom in collaboration tools, most particularly in the Web 2.0 space but including file shares, email list procs, etc.
     • Collaboration management platforms provide identity services to “well-behaved collaboration applications”
     • Results in user and collaboration centric identity, not tool-based identity

  22. Collaboration Management Platforms
     • Management of collaboration is a real impediment to collaboration, particularly with the growing variety of tools
     • Goal is to develop a “platform” for handling the identity management aspects of many different collaboration tools
     • Platform includes a framework and model, specific running code that implements the model, and applications that take advantage of the model
     • This space presents possibilities of improving the overall unified UI as well as the UI for specific applications and components

  23. COmanage
     • A collaboration management platform, supported in part by an NSF OCI grant, being developed by the Internet2 community, with Stanford as a lead institution
     • Open source, open protocol
     • Uses Shibboleth, Grouper, and Signet
     • Parallels activities in the UK and Australia

  24. COmanageable applications
     • Already done
        • Sympa, Federated wikis, Asterisk (open-source IP audioconferencing), Dim-Dim (open-source web meeting), Bedework (federated open-source calendar)
     • Immediate targets
        • Rich access controlled wikis
        • Web-based file shares, IM, Google Apps for Education
        • Domain science resources
           • Instruments
           • Grids

  25. Some general COmanage comments
     • A limited number of consoles present the basic identity services; can move directly between services as a standard workflow
     • Early in the development; the GUI is particularly primitive
     • Underlying store is an LDAP directory; alternatives include MySQL db, RTF store, etc.
     • COmanage can be deployed by a campus, a department, a VO, a VO service center; COmanage instances communicate with each other by the “attribute ecosystem” voodoo

  26. Collaboration Management Platform (CMP) and the Attribute Ecosystem
     [Diagram labels — Collaboration Tools / Resources: Domain Science Instrument, Domain Science Grid, Laboratory X, File Sharing, Calendar, Email List Manager, Phone/Video Conference, Federated Wiki, Application Attributes. Collaboration Management Platform: Authorization – Group Info, Authorization – Privilege Info, Authentication, People Picker, Other Functions, Attribute/Resource Info Data Store. Attribute Ecosystem Flows to Home Org & Id Providers / Sources of Authority: University A, University B]

  27. Current issues in IAM
     • Level of Assurance
     • Campus Roles
     • Shibboleth & Active Directory
     • OpenID and (campus) attributes
     • Privacy & consent
     • Guest management
