Dr Ken Klingenstein Director, Internet2 Middleware and Security Emerging Infrastructure for Collaboration: Next Generation Plumbing

Page 1:

Dr Ken Klingenstein

Director, Internet2 Middleware and Security

Emerging Infrastructure for Collaboration: Next Generation Plumbing

Page 2:

Topics

Frameworks
• Enterprise-based middleware
• Federated services and applications
• Virtual organizations and trust fabrics

Activities in Collaborative Middleware
• Deployments
• Development
• Related Activities – a bunch of “Mellons”, instant messaging, etc

Implications for the higher ed community

Implications for the marketplace and the public sector

Page 3:

Frameworks

Enterprise-based middleware
• Middleware that provides institutional core middleware needs (academic and administrative)
• Constructed in similar but locally adaptive fashions on campuses, with standard external service points (directory objectclasses, handle servers, etc.)

Federated services and applications
• Enterprises come together into federations, with formal trust structures that permit exchange of attributes, including identity
• User actions within the federation are generally moderated by their enterprise
• Resource discovery, security, privacy, authorizations managed by user and enterprise

Virtual organizations leverage the above in a cross-stitch
• Sparse mode collaborative communities with real resources and authorizations to share

Trust fabrics (global, federated, P2P) necessary for secure and private collaboration

Page 4:

A Map of Middleware Land

Page 5:

Core Middleware Scope

Identity and Identifiers – namespaces, identifier crosswalks, real world levels of assurance, etc.

Authentication – campus technologies and policies, interrealm interoperability via PKI, Kerberos, etc.

Directories – enterprise directory services architectures and tools, standard objectclasses, interrealm and registry services

Authorization – permissions and access controls, delegation, privacy management, etc.

Integration Activities – open management tools, application of P2P, federated and hierarchical trust, enabling common applications with core middleware

Page 6:

Campus Core Middleware Architecture: (Origin perspective)

Page 7:

Federated administration

Given the strong collaborations within the academic community, there is an urgent need to create inter-realm tools, so

Build consistent campus middleware infrastructure deployments, with outward facing objectclasses, service points, etc. and then

Federate (multilateral) those enterprise deployments with interrealm attribute transports, trust services, etc. and then

Leverage that federation to enable a variety of applications from network authentication to instant messaging, from video to web services, from p2p to virtual organizations, etc. while we

Be cautious about the limits of federations and look for alternative fabrics where appropriate.

Page 8:

Federated administration

[Diagram: Campus 1 and Campus 2, each with its own core middleware (CM), origins (O), targets (T) and an A component, joined through the Federation; virtual organizations (VO) span both campuses.]

Page 9:

Unified field theory of Trust

Bridged, global hierarchies of identification-oriented, often government based trust – laws, identity tokens, etc.
• Passports, driver's licenses
• Future is typically PKI oriented

Federated enterprise-based; leverages one’s security domain; often role-based
• Enterprise does authentication and attributes
• Federations of enterprises exchange assertions (identity and attributes)

Peer to peer trust; ad hoc, small locus personal trust
• A large part of our non-networked lives
• New technology approaches to bring this into the electronic world.
• Distinguishing P2P apps architecture from P2P trust

Page 10:

Virtual Organizations

Geographically distributed, enterprise distributed community that shares real resources as an organization.

Examples include team science (NEESGrid, BIRN, NEON), digital content managers (library cataloguers, curators, etc), life-long learning consortia, etc.

On a continuum from interrealm groups (no real resource management, few defined roles) to real organizations (primary identity/authentication providers)

Want to leverage enterprise middleware and external trust fabrics

Page 11:

Leveraging V.O.s Today

[Diagram: User, Enterprise, Federation, VO and Target Resource, showing how a VO is leveraged today.]

Page 12:

Leveraged V.O.s Tomorrow

[Diagram: the same User, Enterprise, Federation, VO and Target Resource, with Collaborative Tools, Authority System, etc. added.]

Page 13:

Middleware Activities

NMI-EDIT Management – MACE, Internet2, EDUCAUSE, SURA

In deployment
• Directories
• Security
• Federations

In development
• Virtual organizations - JISC
• Diagnostics
• Authorization and privilege management

Page 14:

MACE (Middleware Architecture Committee for Education)

Purpose - to provide advice, create experiments, foster standards, etc. on key technical issues for core middleware within higher education

Membership - Bob Morgan (UW) Chair, Tom Barton (Chicago), Scott Cantor (Ohio State), Steven Carmody (Brown), Michael Gettes (Duke), Keith Hazelton (Wisconsin), Paul Hill (MIT), Jim Jokl (Virginia), Mark Poepping (CMU), Bruce Vincent (Stanford), David Wasley (California), Von Welch (Grid)

European members - Brian Gilmore (Edinburgh), Ton Verschuren (Netherlands), Diego Lopez (Spain)

Creates working groups in major areas, including directories, interrealm access control, PKI, video, P2P, etc.

Works via conference calls, emails, occasional serendipitous in-person meetings...

Page 15:

In deployment - International

Page 16:

In deployment - US

Page 17:

Directories

Creation and deployment of consistent internal directory infrastructure within the higher-ed community.
• Includes metadirectory services
• Standard internal objectclasses
• Most applications have become directory enabled

Development and adoption of outward facing directory objectclasses – eduPerson and eduOrg
• eduPerson - Identity and associated attribute values, entitlements, etc.
• eduOrg – enterprise attribute values

Internationalization of eduPerson underway

H.350 – desktop video resource discovery, now an ITU standard

Page 18:

Security

Emergence of federating software and federations
• Rise of SAML (www.opensaml.org)
• Shibboleth

In PKI, deployments remain challenging
• Escrow, mobility, path construction and validation remain very hard
• Non-standards proliferate – little I in the PK that exists
• Some campuses have traction

First generation WebSSO’s proliferate and show limits

Credential converters (KCA and a Shibbed CA)

HEBCA (a bridge certificate authority for higher education) and USHER (US Higher Ed root CA) are under slooooow construction

Security as creating new capabilities as well as restricting use…

Page 19:

Shibboleth Status

Open source, privacy preserving federating software

Being very widely deployed in US and international universities

Target - works with Apache (1.3 and 2.0) and IIS targets; Java origins for a variety of Unix platforms.

V2.0 likely to include portal support, identity linking, non web services (plumbing to GSSAPI, P2P, IM, video) etc.

Work underway on intuitive graphical interfaces for the powerful underlying Attribute Authority and resource protection

Likely to coexist well with Liberty Alliance and may work within the WS framework from Microsoft.

Growing development interest in several countries, providing resource manager tools, digital rights management, listprocs, etc.

Used by several federations today – NSDL, InQueue, SWITCH and several more soon (JISC, Australia, etc.)

http://shibboleth.internet2.edu/

Page 20:

GUI’s to manage Shibboleth

Page 21:

Federations

Associations of enterprises that come together to exchange information about their users and resources in order to enable collaborations and transactions

Enroll and authenticate and attribute locally, act federally.

Uses federating software (e.g. Liberty Alliance, Shibboleth, WS-*), common attributes (e.g. eduPerson), and a shared set of security and privacy understandings

Enterprises (and users) retain control over what attributes are released to a resource; the resources retain control (though they may delegate) over the authorization decision.

Several federations now in construction or deployment

Page 22:

InCommon federation

Federation operations – Internet2

Federating software – Shibboleth 1.1 and above

Federation data schema - eduPerson200210 or later and eduOrg200210 or later

Federation privacy and security requirements – in discussion, could be
• Privacy requirements:
  – Initially, destroy received attributes immediately upon use
• Security requirements:
  – Initially, enterprises post local I/A and basic business rules for assignment of eduPersonAffiliation values
  – Likely to progress towards standardized levels of authn
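The division of responsibility on the Federations slide (the enterprise and the user decide what is released; the resource decides authorization) and the InCommon requirements above (published business rules for assigning eduPersonAffiliation, received attributes destroyed on use) can be traced end to end in code. The following is an added example written for this page; it is not code from Shibboleth, InCommon or Internet2. The registry records, the role-to-affiliation mapping, the target names and the release policy are constructed assumptions, and an HMAC over the assertion with a per-origin key looked up in a federation metadata table stands in for the SAML assertion signature and certificate-bearing metadata a real federation uses.

```python
"""Attribute release, federation trust and target-side authorization, end to end.

Added example for this page; names, keys and policies below are assumptions.
"""
import hashlib
import hmac
import json

# ---- Enterprise side (the Shibboleth "origin"): registry, business rules, release policy ----

ENTERPRISE = "campus1.example.edu"  # hypothetical origin name

# Constructed person-registry records standing in for a campus identity system.
REGISTRY = {
    "jdoe":   {"roles": {"student"}},
    "asmith": {"roles": {"faculty", "staff"},
               "licenses": {"urn:example:entitlement:library-db"}},
    "guest1": {"roles": {"guest"}},
}

# The enterprise's published business rule for assigning eduPersonAffiliation values
# from local roles. Values are the eduPerson vocabulary; the mapping is illustrative.
ROLE_TO_AFFILIATION = {
    "student": {"student", "member"},
    "faculty": {"faculty", "employee", "member"},
    "staff":   {"staff", "employee", "member"},
    "guest":   {"affiliate"},
}

# Per-target attribute release policy (hypothetical target names). An attribute not
# listed for a target is never sent to it; an unknown target gets nothing.
RELEASE_POLICY = {
    "urn:example:nsdl-target":    {"eduPersonAffiliation"},
    "urn:example:library-target": {"eduPersonAffiliation", "eduPersonEntitlement",
                                   "eduPersonPrincipalName"},
}


def build_attributes(uid):
    """Derive the outward-facing eduPerson attributes for one local user."""
    rec = REGISTRY[uid]
    affiliation = set()
    for role in rec["roles"]:
        affiliation |= ROLE_TO_AFFILIATION[role]
    attrs = {
        "eduPersonPrincipalName": f"{uid}@{ENTERPRISE}",
        "eduPersonAffiliation": sorted(affiliation),
    }
    if rec.get("licenses"):
        attrs["eduPersonEntitlement"] = sorted(rec["licenses"])
    return attrs


def release(uid, target, user_withheld=frozenset()):
    """Enterprise policy first, then the user's own opt-outs, applied to the full set."""
    allowed = RELEASE_POLICY.get(target, set()) - set(user_withheld)
    return {k: v for k, v in build_attributes(uid).items() if k in allowed}


# ---- Federation: the trust fabric a target consults ----

# Constructed metadata: origin name -> key. A real federation distributes signed
# metadata with X.509 certificates; a per-origin HMAC key is the stand-in here.
FEDERATION_METADATA = {ENTERPRISE: b"campus1-demo-key"}


def _canonical(payload):
    return json.dumps(payload, sort_keys=True, separators=(",", ":")).encode()


def issue_assertion(uid, target, user_withheld=frozenset()):
    """Origin builds an assertion addressed to one target and signs it."""
    payload = {"issuer": ENTERPRISE, "audience": target,
               "attributes": release(uid, target, user_withheld)}
    sig = hmac.new(FEDERATION_METADATA[ENTERPRISE], _canonical(payload),
                   hashlib.sha256).hexdigest()
    return {"payload": payload, "signature": sig}


def verify_assertion(assertion, expected_target):
    """Target-side checks: issuer in metadata, signature valid, audience matches.

    Returns the attributes, or None when the assertion must not be trusted.
    """
    payload = assertion["payload"]
    key = FEDERATION_METADATA.get(payload.get("issuer"))
    if key is None:
        return None  # origin is not a federation member
    expected = hmac.new(key, _canonical(payload), hashlib.sha256).hexdigest()
    if not hmac.compare_digest(expected, assertion["signature"]):
        return None  # tampered or forged
    if payload.get("audience") != expected_target:
        return None  # minted for another target; refuse the replay
    return payload["attributes"]


# ---- Target side: the resource owns the authorization decision ----

ACCESS_RULES = {
    "urn:example:nsdl-target":
        lambda a: "member" in a.get("eduPersonAffiliation", []),
    "urn:example:library-target":
        lambda a: "urn:example:entitlement:library-db" in a.get("eduPersonEntitlement", []),
}


def authorize(target, assertion):
    """Return (permitted, audit_record). Attributes are consulted for the decision and
    not retained: the audit record carries only issuer and outcome (the privacy rule)."""
    issuer = assertion["payload"].get("issuer")
    attrs = verify_assertion(assertion, target)
    if attrs is None:
        return False, {"issuer": issuer, "result": "assertion-rejected"}
    permitted = bool(ACCESS_RULES[target](attrs))
    return permitted, {"issuer": issuer, "result": "permit" if permitted else "deny"}
```

Two of the target-side checks matter most in practice: an assertion whose issuer is absent from the federation metadata is rejected before any attribute is read, and an assertion minted for one target cannot be replayed at another because the audience is under the signature. The audit record keeps the issuer and the outcome only, which is what "destroy received attributes immediately upon use" amounts to when written down.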

Page 23:

InQueue Origins 2.12.04

Rutgers University
University of Wisconsin
New York University
Georgia State University
University of Washington
University of California Shibboleth Pilot
University at Buffalo
Dartmouth College
Michigan State University
Georgetown
Duke
The Ohio State University
UCLA
Internet2
Carnegie Mellon University
National Research Council of Canada
Columbia University
University of Virginia
University of California, San Diego
Brown University
University of Minnesota
Penn State University
Cal Poly Pomona
London School of Economics
University of North Carolina at Chapel Hill
University of Colorado at Boulder
UT Arlington
UTHSC-Houston
University of Michigan
University of Rochester
University of Southern California

Page 24:

In development

Virtual organizations

Privilege management and authorization systems

Middleware diagnostics

Federated network-layer security services and capabilities

Page 25:

Stanford Authz Model

Page 26:

Authr Deliverables

The deliverables consist of
• A recipe, with accompanying case studies, of how to take a role-based organization and develop appropriate groups, policies, attributes etc to operate an authority service
• Templates and tools for registries and group management
• A Web interface and program APIs to provide distributed management (to the departments, to external programs) of access rights and privileges, and delivery of authority information through the infrastructure as directory data and authority events.

Page 27:

Home

Page 28:

Grant Authority Wizard

Page 29:

Related Activities in Collaboration Tools

Chandler

Instant Messaging

P2P filesharing – Lionshare

Page 30:

Chandler

Open source email and calendaring package

Being developed by Open Source Application Foundation (Mozilla et al, led by Mitch Kapor)

Both stand-alone and enterprise versions due out before the end of the year

Intended to be collaborative in nature
• Shared role-based views
• Federated views

Page 31:

Lionshare

P2P file sharing application that is:

Enterprise-based – uses authentication and campus directory and resource discovery

Federated – works between institutions, using local authentication and authorization

Learning object oriented – meta-data based; linked to digital repositories, courseware, etc.

Developed at Penn State University, now being extended with assistance from Mellon Foundation, Internet2, OKI, Edusource

URL is

Page 32:

Instant Messaging

Federated IM
• Authentication by enterprise
• Screen name authenticated; opaque or transparent by choice
• Access control to chat rooms

Across enterprises

Across IM technologies
• Payloads
• Signalling

Page 33:

Implications for the Higher Ed Community

A variety of collaborative apps are being middleware enabled

There is a growing federated trust infrastructure among the R&E community with potential international usefulness.

New architectures for passing attributes and identity; new tools to learn for managing privacy and security

Emergent tools for authority management; new tools to learn for managing authorization

A marketplace of “identity service providers” may emerge

Page 34:

Implications for the Marketplace and Public Sector

Inter-sector federation activities are not understood
• International issues
• Consistency of trust
• Interoperability of technologies

A marketplace of “identity service providers” may emerge

Collaborative tools will need to work across a variety of trust fabrics

Users will need to manage both privacy and trust; defaults will be important