Dr Ken Klingenstein
Director, Internet2 Middleware and Security
Emerging Infrastructure for Collaboration: Next Generation Plumbing
Topics
Frameworks
• Enterprise-based middleware
• Federated services and applications
• Virtual organizations and trust fabrics
Activities in Collaborative Middleware
• Deployments
• Development
• Related activities – a bunch of “Mellons”, instant messaging, etc.
Implications for the higher ed community
Implications for the marketplace and the public sector
Frameworks
Enterprise-based middleware
• Middleware that provides institutional core middleware needs (academic and administrative)
• Constructed in similar but locally adaptive fashions on campuses, with standard external service points (directory objectclasses, handle servers, etc.)
Federated services and applications
• Enterprises come together into federations, with formal trust structures that permit exchange of attributes, including identity
• User actions within the federation are generally moderated by their enterprise
• Resource discovery, security, privacy and authorizations are managed by user and enterprise
Virtual organizations leverage the above in a cross-stitch
• Sparse-mode collaborative communities with real resources and authorizations to share
Trust fabrics (global, federated, P2P) are necessary for secure and private collaboration
A Map of Middleware Land
Core Middleware Scope
Identity and Identifiers – namespaces, identifier crosswalks, real world levels of assurance, etc.
Authentication – campus technologies and policies, interrealm interoperability via PKI, Kerberos, etc.
Directories – enterprise directory services architectures and tools, standard objectclasses, interrealm and registry services
Authorization – permissions and access controls, delegation, privacy management, etc.
Integration Activities – open management tools, application of P2P, federated and hierarchical trust, enabling common applications with core middleware
Campus Core Middleware Architecture (Origin perspective)
Federated administration
Given the strong collaborations within the academic community, there is an urgent need to create inter-realm tools, so
Build consistent campus middleware infrastructure deployments, with outward facing objectclasses, service points, etc. and then
Federate (multilateral) those enterprise deployments with interrealm attribute transports, trust services, etc. and then
Leverage that federation to enable a variety of applications from network authentication to instant messaging, from video to web services, from p2p to virtual organizations, etc. while we
Be cautious about the limits of federations and look for alternative fabrics where appropriate.
Federated administration
[Diagram: Campus 1 and Campus 2, each with origins (O), targets (T) and components labelled A and CM, joined through a Federation; virtual organizations (VO) span both campuses]
Unified field theory of Trust
Bridged, global hierarchies of identification-oriented, often government-based trust – laws, identity tokens, etc.
• Passports, driver's licenses
• Future is typically PKI-oriented
Federated, enterprise-based; leverages one's security domain; often role-based
• Enterprise does authentication and attributes
• Federations of enterprises exchange assertions (identity and attributes)
Peer-to-peer trust; ad hoc, small-locus personal trust
• A large part of our non-networked lives
• New technology approaches to bring this into the electronic world
• Distinguishing P2P application architecture from P2P trust
Virtual Organizations
Geographically distributed, enterprise distributed community that shares real resources as an organization.
Examples include team science (NEESGrid, BIRN, NEON), digital content managers (library cataloguers, curators, etc), life-long learning consortia, etc.
On a continuum from interrealm groups (no real resource management, few defined roles) to real organizations (primary identity/authentication providers)
Want to leverage enterprise middleware and external trust fabrics
Leveraging V.O.s Today
[Diagram: VO, Target Resource, User, Enterprise, Federation]
Leveraged V.O.s Tomorrow
[Diagram: VO, Target Resource, User, Enterprise, Federation, plus collaborative tools, an authority system, etc.]
Middleware Activities
NMI-EDIT Management – MACE, Internet2, EDUCAUSE, SURA
In deployment
• Directories
• Security
• Federations
In development
• Virtual organizations – JISC
• Diagnostics
• Authorization and privilege management
MACE (Middleware Architecture Committee for Education)
Purpose - to provide advice, create experiments, foster standards, etc. on key technical issues for core middleware within higher education
Membership - Bob Morgan (UW) Chair, Tom Barton (Chicago), Scott Cantor (Ohio State), Steven Carmody (Brown), Michael Gettes (Duke), Keith Hazelton (Wisconsin), Paul Hill (MIT), Jim Jokl (Virginia), Mark Poepping (CMU), Bruce Vincent (Stanford), David Wasley (California), Von Welch (Grid)
European members - Brian Gilmore (Edinburgh), Ton Verschuren (Netherlands), Diego Lopez (Spain)
Creates working groups in major areas, including directories, interrealm access control, PKI, video, P2P, etc.
Works via conference calls, emails, occasional serendipitous in-person meetings...
In deployment - International
In deployment - US
Directories
Creation and deployment of consistent internal directory infrastructure within the higher-ed community
• Includes metadirectory services
• Standard internal objectclasses
• Most applications have become directory-enabled
Development and adoption of outward-facing directory objectclasses – eduPerson and eduOrg
• eduPerson – identity and associated attribute values, entitlements, etc.
• eduOrg – enterprise attribute values
Internationalization of eduPerson underway
H.350 – desktop video resource discovery, now an ITU standard
Security
Emergence of federating software and federations
• Rise of SAML (www.opensaml.org)
• Shibboleth
In PKI, deployments remain challenging
• Escrow, mobility, path construction and validation remain very hard
• Non-standards proliferate – little I in the PK that exists
• Some campuses have traction
First-generation WebSSOs proliferate and show limits
Credential converters (KCA and a Shibbed CA)
HEBCA (a bridge certificate authority for higher education) and USHER (US Higher Ed root CA) are under slooooow construction
Security as creating new capabilities as well as restricting use…
Shibboleth Status
Open source, privacy-preserving federating software
Being very widely deployed in US and international universities
Target works with Apache (1.3 and 2.0) and IIS; Java origins for a variety of Unix platforms
V2.0 likely to include portal support, identity linking, non-web services (plumbing to GSSAPI, P2P, IM, video), etc.
Work underway on intuitive graphical interfaces for the powerful underlying Attribute Authority and resource protection
Likely to coexist well with Liberty Alliance and may work within the WS-* framework from Microsoft
Growing development interest in several countries, providing resource manager tools, digital rights management, listprocs, etc.
Used by several federations today – NSDL, InQueue, SWITCH – and several more soon (JISC, Australia, etc.)
http://shibboleth.internet2.edu/
GUI’s to manage Shibboleth
Federations
Associations of enterprises that come together to exchange information about their users and resources in order to enable collaborations and transactions
Enroll, authenticate and attribute locally; act federally.
Uses federating software (e.g. Liberty Alliance, Shibboleth, WS-*), common attributes (e.g. eduPerson), and a shared set of security and privacy understandings
Enterprises (and users) retain control over what attributes are released to a resource; the resources retain control (though they may delegate) over the authorization decision.
Several federations now in construction or deployment
InCommon federation
Federation operations – Internet2
Federating software – Shibboleth 1.1 and above
Federation data schema – eduPerson200210 or later and eduOrg200210 or later
Federation privacy and security requirements – in discussion; could be:
• Privacy requirements:
– Initially, destroy received attributes immediately upon use
• Security requirements:
– Initially, enterprises post local I/A and basic business rules for assignment of eduPersonAffiliation values
– Likely to progress towards standardized levels of authentication
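The Federations slide and the InCommon draft rules above describe one exchange: the enterprise (origin) authenticates and chooses what to release per target, the federation says which origin may assert which scope, and the target makes the authorization decision and destroys the attributes on use. The following Python model is an added example and is not code from Internet2, Shibboleth, InCommon or InQueue. Attribute names follow eduPerson; the users, target URLs, scopes, origin secret and the release policy values are constructed for the example (the opaque per-target identifier is an HMAC over user and target, an assumption about how such a handle could be derived, not the Shibboleth mechanism).

```python
"""Toy model of Shibboleth-style federated attribute exchange (added example)."""
import hmac
import hashlib
from typing import Dict, List, Set, Tuple

ORIGIN_ID = "urn:mace:inqueue:campus1.example.edu"   # constructed origin
ORIGIN_SCOPE = "campus1.example.edu"                   # constructed scope
ORIGIN_SECRET = b"constructed-origin-secret"           # for opaque handles

JOURNAL = "https://journal.example.org/shibboleth"    # constructed targets
WIKI = "https://wiki.example.org/shibboleth"

# Federation metadata (constructed): member origins and the scope each owns.
FEDERATION_METADATA: Dict[str, str] = {
    ORIGIN_ID: ORIGIN_SCOPE,
    "urn:mace:inqueue:campus2.example.edu": "campus2.example.edu",
}

# Origin directory (constructed eduPerson-style entries).
DIRECTORY: Dict[str, Dict[str, List[str]]] = {
    "alice": {"eduPersonPrincipalName": ["alice@campus1.example.edu"],
              "eduPersonAffiliation": ["member", "faculty"],
              "eduPersonEntitlement": ["urn:mace:example.org:journal"],
              "mail": ["alice@campus1.example.edu"]},
    "bob":   {"eduPersonPrincipalName": ["bob@campus1.example.edu"],
              "eduPersonAffiliation": ["member", "student"],
              "eduPersonEntitlement": [],
              "mail": ["bob@campus1.example.edu"]},
}

# Attribute Release Policy (constructed): what each target may receive.
# Unlisted attributes and unknown targets get nothing; "mail" never leaves.
ARP: Dict[str, Set[str]] = {
    JOURNAL: {"eduPersonTargetedID", "eduPersonScopedAffiliation", "eduPersonEntitlement"},
    WIKI:    {"eduPersonPrincipalName", "eduPersonScopedAffiliation"},
}


def targeted_id(user: str, target: str) -> str:
    """Opaque, per-target, stable handle: the 'opaque screen name' choice."""
    mac = hmac.new(ORIGIN_SECRET, f"{user}|{target}".encode(), hashlib.sha256)
    return f"{mac.hexdigest()[:32]}@{ORIGIN_SCOPE}"


def release_attributes(user: str, target: str) -> Tuple[str, Dict[str, List[str]]]:
    """Origin Attribute Authority: build the assertion for one target."""
    entry = DIRECTORY[user]
    released: Dict[str, List[str]] = {}
    for attr in ARP.get(target, set()):
        if attr == "eduPersonScopedAffiliation":
            # Derived from the local affiliation and scoped to this origin.
            released[attr] = [f"{a}@{ORIGIN_SCOPE}" for a in entry["eduPersonAffiliation"]]
        elif attr == "eduPersonTargetedID":
            released[attr] = [targeted_id(user, target)]
        elif attr in entry:
            released[attr] = list(entry[attr])
    return ORIGIN_ID, released


def accepted_scoped_values(issuer: str, values: List[str]) -> List[str]:
    """Target check: keep only values whose scope the issuer owns in metadata."""
    owned = FEDERATION_METADATA.get(issuer)
    kept = []
    for v in values:
        _, sep, scope = v.rpartition("@")
        if sep and scope == owned:
            kept.append(v)
    return kept


def authorize(issuer: str, attrs: Dict[str, List[str]],
              required_affiliations: Set[str], required_entitlements: Set[str]) -> bool:
    """Target rule: issuer is a member AND (any required affiliation OR entitlement)."""
    if issuer not in FEDERATION_METADATA:
        return False
    affs = set(accepted_scoped_values(issuer, attrs.get("eduPersonScopedAffiliation", [])))
    ents = set(attrs.get("eduPersonEntitlement", []))
    return bool(affs & required_affiliations) or bool(ents & required_entitlements)


def decide_and_discard(issuer: str, attrs: Dict[str, List[str]],
                       required_affiliations: Set[str], required_entitlements: Set[str]) -> bool:
    """Decide, then destroy the received attributes immediately upon use."""
    try:
        return authorize(issuer, attrs, required_affiliations, required_entitlements)
    finally:
        attrs.clear()


def access(user: str, target: str, required_affiliations: Set[str],
           required_entitlements: Set[str]) -> bool:
    """Whole exchange: release at the origin, decide and discard at the target."""
    issuer, attrs = release_attributes(user, target)
    return decide_and_discard(issuer, attrs, required_affiliations, required_entitlements)


if __name__ == "__main__":
    faculty = {"faculty@campus1.example.edu"}
    print("alice -> journal:", access("alice", JOURNAL, faculty, set()))   # True
    print("bob   -> journal:", access("bob", JOURNAL, faculty, set()))     # False
```

The scope check in accepted_scoped_values is the part practitioners most often forget: a federation member that is allowed to assert campus2-scoped affiliations must not be able to claim faculty@campus1.example.edu, so the target compares the scope of every scoped value against the issuer's entry in the federation metadata rather than trusting the string as sent.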
InQueue Origins (2.12.04)
Rutgers University
University of Wisconsin
New York University
Georgia State University
University of Washington
University of California Shibboleth Pilot
University at Buffalo
Dartmouth College
Michigan State University
Georgetown
Duke
The Ohio State University
UCLA
Internet2
Carnegie Mellon University
National Research Council of Canada
Columbia University
University of Virginia
University of California, San Diego
Brown University
University of Minnesota
Penn State University
Cal Poly Pomona
London School of Economics
University of North Carolina at Chapel Hill
University of Colorado at Boulder
UT Arlington
UTHSC-Houston
University of Michigan
University of Rochester
University of Southern California
In development
Virtual organizations
Privilege management and authorization systems
Middleware diagnostics
Federated network-layer security services and capabilities
Stanford Authz Model
Authr Deliverables
The deliverables consist of:
• A recipe, with accompanying case studies, of how to take a role-based organization and develop appropriate groups, policies, attributes, etc. to operate an authority service
• Templates and tools for registries and group management
• A web interface and program APIs to provide distributed management (to the departments, to external programs) of access rights and privileges, and delivery of authority information through the infrastructure as directory data and authority events
[Screenshot: web interface – Home; Grant Authority Wizard]
Related Activities in Collaboration Tools
Chandler
Instant Messaging
P2P filesharing – Lionshare
Chandler
Open source email and calendaring package
Being developed by Open Source Application Foundation (Mozilla et al, led by Mitch Kapor)
Both stand-alone and enterprise versions due out before the end of the year
Intended to be collaborative in nature
• Shared role-based views
• Federated views
Lionshare
P2P file sharing application that is:
• Enterprise-based – uses authentication and campus directory and resource discovery
• Federated – works between institutions, using local authentication and authorization
• Learning-object oriented – metadata based; linked to digital repositories, courseware, etc.
Developed at Penn State University, now being extended with assistance from the Mellon Foundation, Internet2, OKI, Edusource
URL is
Instant Messaging
Federated IM
• Authentication by enterprise
• Screen name authenticated; opaque or transparent by choice
• Access control to chat rooms
Across enterprises
Across IM technologies
• Payloads
• Signalling
Implications for the Higher Ed Community
A variety of collaborative apps are being middleware enabled
There is a growing federated trust infrastructure among the R&E community with potential international usefulness.
New architectures for passing attributes and identity; new tools to learn for managing privacy and security
Emergent tools for authority management; new tools to learn for managing authorization
A marketplace of “identity service providers” may emerge
Implications for the Marketplace and Public Sector
Inter-sector federation activities are not understood
• International issues
• Consistency of trust
• Interoperability of technologies
A marketplace of “identity service providers” may emerge
Collaborative tools will need to work across a variety of trust fabrics
Users will need to manage both privacy and trust; defaults will be important