JA-SIG UK meeting 30 June 2003
On 30 June, representatives of 13 organisations gathered at the University of North London for JA-SIG UK’s second meeting.
The main foci for the meeting were a report on the recent JA-SIG Summer conference in Denver; discussion around authentication, authorisation and network identity; and an exploration of current progress in the UK, and possibilities for inter-institutional collaboration.
Denver JA-SIG meeting
Ian Dolphin reported on the Summer JA-SIG Conference, held just outside Denver in June 2003. Around 200 people attended, mainly from North America, but with a reasonable European presence from Sweden and the UK.
Participants fell into one of three main groupings; those implementing uPortal on live sites; those (like Hull) well into a pilot implementation; and quite a number who were evaluating uPortal alongside other portal products. Unlike previous years, where the participants were almost exclusively from Higher Education, both community colleges and service providers to the K-12 sector were represented.
Presentations are now available on the JA-SIG website [ http://web.princeton.edu/sites/isapps/jasig/2003summerWestminster/ ], two of which were from the UK.
It appears from the conference that the uPortal development model is becoming increasingly well established and of interest across the sector. A round-table meeting prior to the conference, for example, attracted representation from Internet2, OKI, Educause and others. Of these, OKI is apparently now considering depositing software in the uPortal repository, and the OKI-related CHEF project at Michigan is looking at the feasibility of using uPortal as the presentation layer to their learning services.
As well as uPortal itself, the community continues to work on a number of related products, including:
• Yale’s CAS Authentication system
• Columbia’s Content Management System, CuCMS
• Memorial University Newfoundland’s system for embedding legacy applications, CWebProxy
• Nagoya University’s ongoing work to internationalise uPortal
Columbia has submitted an application to the Mellon Foundation to extend CuCMS.
Much of the current work on the uPortal framework has been undertaken using a grant from the Mellon Foundation, which has enabled the involvement of various commercial companies and has resulted in significant progress from earlier versions of the portal. This Mellon grant, though, is due to end over the summer of 2003, and the subsequent lack of funding will inevitably require a shift in the manner that uPortal continues to develop. It appears likely that commercial companies such as IBS, IM&M, and SCT will remain involved to a degree.
The JA-SIG Board is keen to recognise and build upon the growing international dimension to uPortal, as well as to capitalise upon increasing interest from beyond JA-SIG’s traditional administrative computing roots. As part of this trend, Ian Dolphin from the University of Hull has been invited to join the JA-SIG Board.
Robert Sherratt from the University of Hull reported on current developments with uPortal, basing his comments upon a presentation [ http://web.princeton.edu/sites/isapps/jasig/2003summerWestminster/presentations/uPortal Roadmap.ppt] in Denver from Ken Weiner and Dan Ellentuck.
Version 2.1 of uPortal was released at the end of last year. Amongst a number of changes, three major enhancements were the introduction of the remote channel proxy, a combined groups and permissions manager, and a capability to gather usage statistics.
According to Ken and Dan, version 2.2 is due in October of 2003.
A key feature of this release will be support for Aggregated Layouts, a mechanism that allows ‘fragments’ of content (a channel, a group of channels, a tab and contents, etc) to be published to the portal.
Additionally, the mechanism by which user preferences for channel layout are currently specified will change quite radically, moving towards a WYSIWYG view of the portal layout which the user can modify.
The Groups and Permissions area is also due for an overhaul, with improved support for LDAP and the ability to specify multiple sources of permissions data rather than assuming that all portal users have all of their permissions data held in a single source.
Support for the Web Services for Remote Portals (WSRP) specification is also promised, building upon UNICON’s existing remote channel.
Work is ongoing, utilising the XLIFF specification, to improve uPortal’s internationalisation options. It is possible that these enhancements may not be completed in time for the 2.2 release.
Importantly, the database structure for version 2.2 will differ from that used in 2.1, requiring work by existing 2.1 sites who wish to upgrade. It is hoped that such drastic database changes will not be a regular occurrence!
Network Identity
Malcolm Murphy from Sun Microsystems gave a presentation on Network Identity, and the role of the Liberty Alliance. The presentation is available from http://www.ja-sig.org.uk/.
4 July 2003 2
In essence, Malcolm demonstrated, Network Identity can be seen as a set of attributes that describe profiles or roles of an individual;
• Who you are (authentication)
• What you can do (authorisation)
• Other attributes
These identities can be managed in one of two ways; either centrally as a single ‘big list’, or in a federated manner with different stakeholders taking responsibility for maintaining accurate and current information needed for their purposes. Malcolm suggested that each approach has its place, and pointed to the work that the Liberty Alliance is doing to ensure that the federated model is able to work, with various stakeholders able to exchange the pieces of information that they need to.
The presentation provoked wide-ranging discussion around such issues as the need for campus systems like the portal to reach and be accessible to support staff of various kinds, who are not traditionally registered with campus usernames. Universities with associated teaching hospitals also identified problems with registering and tracking NHS staff who might teach for short periods of time. It was suggested that a federated approach to their identification would go some way towards solving this problem, with the university simply accessing and trusting relevant personal information stored in NHS systems.
Currency and accuracy of central information emerged as a key issue if universities were to build effective federated (rather than merely duplicated) information flows. A number of attendees were able to point to a current situation where, because of excessive delays in obtaining comprehensive information on new users at the centre, individual departments felt it necessary to construct their own local databases, and to keep these current, often in addition to any information they were required to provide to the centre.
Paul Browning, from the University of Bristol, gave a presentation [ http://www.ja-sig.org.uk/] on their approach to authorisation. Bristol have issues about how to deal with “grey users”, particularly amongst staff, people who may only work for the University for a short length of time and are often not recognised as “official” staff. Another important issue is the mapping of local group membership, such as tutor group and supervisor groups, the devolution of the management of these groups, and the combining of the local group data with centralised University group membership details. As Paul points out, it is only when all of these memberships are successfully controlled that a truly personalised portal can be presented to users.
UK round-up
London Metropolitan University
London Met has been working for some years with various elements of portalisation, beginning with a Cold Fusion-based prototype around 2000.
There has been work done to integrate with the Talis library management system, including the use of SOAP-based calls into the library database.
At present, the institution is in the process of resolving differences between the systems of the two institutions that merged to form London Metropolitan. It is currently unclear in a number of cases as to which of the legacy systems will be deployed across the new institution.
A significant drive is towards the use of J2EE applications across the institution, integrated with Cold Fusion.
University of Hull
Hull developed a staff intranet in the late 90’s, using a series of Perl scripts to access data held in institutional corporate systems.
During 2000, work was done to scope a student intranet to accompany this, but it was quickly decided that the level of duplication would be high, and that a better approach would be to develop a single institutional portal to meet the needs of staff and students, integrated closely with a content management system to address the needs of the institutional web presence.
Since September 2002, around 800 students in two departments have been trialling an installation of uPortal. This portal is due to go live to all staff and students across the university from September 2003.
The current focus of work is in migrating the existing Perl scripts of the staff intranet into Java, XML and XSL for deployment through the portal.
Key interests are in content management (including discussion with Columbia over CuCMS) and in ensuring that the portal is accessible to all users.
University of Bristol
Further to Paul’s presentation, he reported that Bristol is working on integration of their uPortal development with the Enterprise edition of Blackboard. They have achieved single-sign on, but are exploring the most meaningful way in which to deliver real integration of content and services between portal and VLE.
Within the library, there is interest in exploring some of the ‘portal’ features of their Aleph product, and there will be a need to examine the best way for this to move forward in relation to the institutional portal.
University of Birmingham
At Birmingham, developments are moving forward in two broad areas; extending the reach of the institutional Web strategy, and exploring deployment of a portal.
In evaluating portals, the two front runners were uPortal and Oracle’s portal product.
The concept of a portal has been sold to the institution, and funding has been allocated to a new task force, which now has the job of deciding between the open source uPortal or one of its commercial instantiations from either SCT or UNICON.
The institution has decided not to deploy a content management system, but is instead relying upon its established institutional Web strategy, with use of a central filestore for all institutional web content, alongside standardised templates, and provision of training to designated web authors. The latest stage is the distribution of new copies of Macromedia’s Contribute product to 500 identified web authors across campus.
University of Oxford
The University Computing Service is undertaking a consultation process on the need for and best way to implement a portal for use by the institution. This has included a number of presentations from members of other institutions, and at the moment OUCS are proposing to build a pilot portal that will link with a number of institutional systems.
University of Edinburgh
Three years ago, Edinburgh and a number of other institutions were involved in a SHEFC-funded project to develop a student portal in Cold Fusion. Edinburgh subsequently took the product, rebadged it, and launched it to their students in 2002.
They are now looking at the need for an Enterprise Portal to serve current, past, and future members of the institution. As with several other institutions, the choice for them came down to layering Oracle’s portal on top of their existing Oracle databases or deploying uPortal.
uPortal was chosen, and a demonstrator is due to launch in September 2003, with a pilot staff portal ready by July 2004.
For now, the Cold Fusion-based student portal will continue to be developed, and CWebProxy is being examined as one way in which the existing investment might easily be redeployed within uPortal.
University of Nottingham
The University of Nottingham, which has had its uPortal-based COMPASS system for some time, has recently decided to switch to the commercial offering from SCT. This will allow them to build upon their existing investment, but additionally offers a Content Management Solution (Documentum) that they have a need for, as well as integrated search capability (from Verity) and a means of single sign on to Nottingham’s VLEs.
Training
Stan Smith from the University of Nottingham reported on current provision of uPortal training. At present, this comes from UNICON-IBS, who work with a host institution and send trainers across from the US.
Nottingham has worked with the trainers on a number of these events, with the last one in their current arrangement due to be held in July. Additionally, Edinburgh will be hosting an advanced course later in the year.
IBS are apparently interested in exploring means of establishing a body of knowledge in the UK, in order that training could be delivered by people from within the country, rather than them having to fly trainers across from the US for every event.
Future Activities and Collaboration
PEPC 2004
Following on from PEPC 2003 in Geneva, there is interest in the 2004 conference being hosted in the UK. Attendees were asked to consider whether or not they might be interested in hosting this conference, probably for around 200 participants.
Funding Opportunities
There are a number of areas in which implementers both here and in North America are tackling similar problems; for example the work that both Hull and Columbia are doing on content management. It was suggested that we remain alert to possible mechanisms for funding such trans-Atlantic collaboration, in order to feed UK developments back into the JA-SIG process more effectively.
Acknowledgements
JA-SIG UK wishes to thank the University of North London for their hospitality on the day. Refreshments were provided by the JISC-funded PORTAL project and by Access Computing.
Notes compiled by Paul Miller of UKOLN
4 July 2003
JA-SIG UK June 2003 Meeting Attendees
Name Institution
Laura Allison Dynix
Chris Awre JISC
Paul Browning University of Bristol
Ian Dolphin The University of Hull
Digby Entwisle Royal Holloway College, University of London
Mike Jones Cardiff University
Paul Miller UKOLN
Mike O'Reilly London Metropolitan University
Art Pasquinelli Sun Microsystems
Francisco Pinto Oxford University
Sebastian Rahtz Oxford University
Chris Richards University of Southampton
Anne-Marie Scott University of Edinburgh
Robert Sherratt University of Hull
Stan Smith University of Nottingham
David Supple The University of Birmingham
Paul Walk London Metropolitan University
Authorisation Issues
PORTAL (n). Lat. porta (door, gate); portalis (like a gate). A doorway, gate or other entrance, especially a large or elaborate one.
Right People, Right Stuff, Right Pain?
John Byrne (York), James Currall, Colin Farrow (Glasgow)
Institutional Web Management Workshop June 2002: The Pervasive Web
http://www.ukoln.ac.uk/web-focus/events/workshops/webmaster-2002/materials/currall/
Authentication
• Pretty much sorted ….
  – Yale’s Central Authentication Service (CAS)
  – Single sign on
  – Sneak preview
• …. except
  – “Grey Users”
  – “Trusting the Trust?” (NHS)
  – Need multiple authentication services – cascade through them
Personalisation
• So if you’ve got authentication sorted then personalisation (=“portal”) will be a doddle – right?
• Wrong!
• It goes like this …
“The Digital Library”
The challenge – Central vs. Local data
The Data Model
[Diagram of the data model: Staff (PIMS); Students (Dolphin); Curriculum (Dolphin & Unit Cat); Resources]
Is there a common local data model?
Central vs. Local Data – Why do departments maintain local systems?

Programme registration progress
Teaching Week 0    6000
Teaching Week 2    5000
Teaching Week 3    3000
Teaching Week 4    1000
Teaching Week 5     100

Unit registration progress (=120 credit points)
Teaching Week 6    50%
Teaching Week 7    58%
Teaching Week 11   83%
Teaching Week 13   86%
Teaching Week 14   92%
Teaching Week 15   93%
Teaching Week 16   94%
Teaching Week 17   95%

Driven by assessment & external compliance, not learning & teaching!
The challenge – central vs. local data
The risks
1. The portal may be partly empty
2. The portal may be wrong in parts
3. The portal will not contain local added value (like tutor groups …)
4. The portal will not be personalised
What problems are we trying to solve?
• Authorisation
  – Membership of some group determines role
  – Role determines level of access
  – Group information is often maintained at the local end of the Central-Local join (e.g. tutor groups, research groups)
• Preferences (= personalisation)
• Multiple authentication services
Authorisation & Central-Local data join
• We need a “Groups Manager” which allows:
  – Use of groups in an authorisation framework (i.e. permissions database)
  – Definition of numerous ad hoc groups (where group size >= 1)
  – Definition of groups of groups
  – Devolution of creation of some groups
  – Devolution of maintenance of some groups
Bodington does this …..
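The groups manager sketched in the list above, as an added illustration in Python; this is not Bodington’s or uPortal’s code. The central-admin role name, the department and tutor groups, the user names and the resources are all invented for the example. It shows the five requirements together: groups feed a permissions table, ad hoc groups of any size can be created, groups can contain groups, and both creation and maintenance can be devolved to a group’s owner while permission grants stay central.

```python
from collections import defaultdict


class GroupsManager:
    """Groups of users and of other groups, with maintenance devolved to
    per-group owners and a permissions table consulted at authorisation time."""

    CENTRAL = "central-admin"   # assumed name for the central registry role

    def __init__(self):
        self.members = defaultdict(set)    # group -> {users}
        self.subgroups = defaultdict(set)  # group -> {child groups}
        self.owners = defaultdict(set)     # group -> {users who may maintain it}
        self.grants = defaultdict(set)     # (action, resource) -> {groups}

    def _check_owner(self, actor, group):
        """Devolved maintenance: only central admin or the group's owners change it."""
        if actor != self.CENTRAL and actor not in self.owners[group]:
            raise PermissionError(f"{actor} does not maintain {group}")

    def create_group(self, actor, group, owner, parent=None):
        """Central admin creates top-level groups; an owner of `parent` may
        create ad hoc sub-groups beneath it (devolved creation)."""
        if parent is None:
            if actor != self.CENTRAL:
                raise PermissionError("only central admin creates top-level groups")
        else:
            self._check_owner(actor, parent)
            self.subgroups[parent].add(group)
        self.owners[group].add(owner)

    def add_member(self, actor, group, user):
        self._check_owner(actor, group)
        self.members[group].add(user)

    def remove_member(self, actor, group, user):
        self._check_owner(actor, group)
        self.members[group].discard(user)

    def nest(self, actor, parent, child):
        """Groups of groups: every member of `child` counts as a member of `parent`."""
        self._check_owner(actor, parent)
        self.subgroups[parent].add(child)

    def grant(self, actor, group, action, resource):
        """Permissions database: an (action, resource) pair is granted to groups."""
        if actor != self.CENTRAL:
            raise PermissionError("permissions are granted centrally")
        self.grants[(action, resource)].add(group)

    def effective_members(self, group):
        """Flatten nested groups; the `seen` set makes accidental cycles harmless."""
        seen, stack, users = set(), [group], set()
        while stack:
            g = stack.pop()
            if g in seen:
                continue
            seen.add(g)
            users |= self.members[g]
            stack.extend(self.subgroups[g])
        return users

    def authorised(self, user, action, resource):
        """Role is derived from group membership; membership decides access."""
        return any(user in self.effective_members(g)
                   for g in self.grants[(action, resource)])


def demo():
    """Constructed scenario: a department owns two tutor groups run by tutors."""
    gm = GroupsManager()
    central = GroupsManager.CENTRAL
    gm.create_group(central, "dept:history", owner="head.of.history")
    gm.create_group("head.of.history", "tutor:a", owner="tutor.a", parent="dept:history")
    gm.create_group("head.of.history", "tutor:b", owner="tutor.b", parent="dept:history")
    gm.add_member("tutor.a", "tutor:a", "student042")       # maintained locally
    gm.grant(central, "dept:history", "read", "history-handbook")
    gm.grant(central, "tutor:a", "read", "tutor-a-notes")
    return gm
```

In `demo()` the student is placed in a tutor group by the tutor, never touched centrally, yet is authorised for the department-wide handbook because the tutor group is nested in the department group. That is the Central-Local join: the centre grants permissions to groups it defines, and the local end populates the groups beneath them. The cycle guard in `effective_members` matters once group creation is devolved, since nobody at the centre is checking that a local group does not end up containing its own ancestor.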
Preferences
• We also want to be able to store personal attributes such as
  – Bookmarks
  – Portal layout
  – Calendars
  – Address books
Is LDAP the answer?
[Diagram: two directory hierarchies, Levels 1 to 6]
Central – database driven
Local – rampant ad hocery?
Practical realities
• Capturing local added value
• Incentivising maintenance of local added value
What else is bubbling under?
• Angel?
• Akenti?
• Permis?
Six MLEs - more similar than different
Network Identity Management
Malcolm Murphy, Technology Manager, Sun Microsystems
Agenda
● What is Network Identity?
● The problem we have today
● Centralised vs. Federated models – Which is better?
● The Liberty alliance
● Demo
● Conclusions
What is Network Identity?
● Network Identity is a set of attributes that describe profile(s) of an individual
  – Who you are (authentication)
  – What you can do (authorisation)
  – Other attributes
● Basic element of an enduring or high value relationship
Network Identity components

COMPONENT        DEFINITION                                          EXAMPLE
AUTHENTICATION   A level of security guaranteeing the validity       NUS card; staff/student ID; username/password; PIN
                 of an identity representation
AUTHORIZATION    The provisioning of services or activities          Services based on attributes; transaction consummation; gradient levels of service
                 based upon an authenticated identity
ATTRIBUTES       Traits, profiles, preferences of an identity,       Personal consumer preferences; identity specific histories; device capabilities information
                 device, or business partner
Foundation for Web services
[Diagram: Web Services layered on a Network Identity Infrastructure Platform (Authentication, Attributes, and Authorization), serving Staff, Students, Partners and Devices over the underlying Technology]
Phases of internet evolution
[Diagram: Communication, Marketing, Commerce, Personalized Commerce, Federated Commerce (Identity-based Trusted Services); examples shown: Web site; Website.com; myCustomer.com, mySupplier.com]
The “Identity Crisis”
[Illustration: a mock “Joe’s Fish Market.Com” web site offering Tropical, Fresh Water, Shell Fish, Lobster, Frogs, Whales, Seals, Clams]
The “Identity Crisis”
For End Users (students/staff/etc.)
- Privacy/Security concerns
- Hassle of Multiple logins and passwords
- Multiple disparate views of identity
For Institutions
- Cost to manage Users
- Security and administration of disparate systems
- No single view of the End User
- How to interoperate with other institutions?
For Suppliers/Content providers
- “User” profile control and ownership
- “User” affiliation and sharing
- Security and auditability
The “Identity Crisis”
● Poor Identity management is impeding the development of online services
  – Difficult for users to manage
  – Expensive for institutions
  – Issues for service providers
● Who is authorised to do what and how do we charge?
● Entry costs (e.g. Athens)
Models for Network Identity
[Diagram: Providers (JISC, University Dept, PORTAL, NUS, LEA, Univ A, Univ B) and Students]
● No single entity controls the Network
● Requires interoperability standards
● Creates “broker” between providers and users
“Passport is widely seen as Microsoft’s way to collect a % of every online sale” – WSJ 7/29/02
Centralised Management
● User and providers enroll with global identity operator
● Operator issues unique global identifier
● User can access all operator sites

Centralised Management
Pros
● Single source of control/audit
● Enables common service model
● Can be delivered now (e.g. Athens)
Cons
● Security/Privacy
  – tracking possible without permission
  – operator controls some profile data
● Does not mirror real world trust relationships
● Operator has control over access device
Federated Management
[Diagram: JISC, University Dept, PORTAL, NUS, LEA, Univ A, Univ B linked without a central operator]
● Based on account “chaining”
● No unique global identifier
● User and services need to be explicitly linked

Federated Management
Pros
● User has complete control over who/what to share
● Nodes have complete control over profile data
● Incremental profile sharing possible
● Opportunity for Identity service providers
Cons
● Profile data may be inconsistent
● Requires standards to interoperate
● Lack of centralised control, if required

Federated Management
● Digital relationships can mirror the way we behave in the real world
● Allows users and service providers to better manage their data on their own terms, not those of a third party
● Allows separation of authentication from authorisation
A bit like ATM networks...
[Diagram: Separate Cards with Each Bank (Bank A, Bank B and Bank C ATM cards) → Linked Cards within Bank Networks (Bank ATM Networks A, B and C) → Seamless Access Across all Networks]
[Diagram: Individual Accounts with Many Web Sites (.com sites) → Federated Accounts within Trust Domain → Linkage of Trust Domains]
Evolution of Federated Identity
[Diagram: Identity Silos (John Smith #555-534-3321 at a Bank; JSmith #ADF-7-RF-3 at an Airline; JPSmith #3295) → Federated Linked Accounts → Circle of Trust → Linkage of Multiple Circles of Trust]
A Business Alliance to establish an open standard for federated network identity. Over 100 members (8/02).
• Enable a broad range of platform neutral identity-based products and services. Deliverable is a set of specifications.
• Enable commercial and non-commercial organizations to realize new revenue and cost saving opportunities
• Enable businesses and consumers to better manage their data on their own business terms not somebody else’s
So what does it define?
• Permissions-based attribute sharing
• Schema/protocols for core identity profile service
• Trust Circle Interoperability
• Delegation of authority to federate identities/accounts
• Interoperability for Network Identity enabled services (e.g. calendar, presence, geo-location, alerts…)
• Federated Network Identity enabled Commerce Transactions
• Payment Services
Version 1.0 / Future Versions
• Federated network identity
• B2B, B2C, B2E application support
• Opt-in account linking
• Simplified sign-on
• Security built across all the features and specifications
• Interoperability between existing legacy ID systems
• Authentication context
• Global log out
• Fixed and Wireless device support
• Pseudonyms
Liberty 1.0 protocols
● Three participants: Principal, Service Provider, Identity Provider
● Four main functionalities: Authentication, Pseudonym, Identity Federation, Single Logout
● Four protocols: Single sign-on, Name registration, Federation Termination notification, Single Logout
Functionalities
Identity federation
● Principal is informed about Federation and Defederation
● SP and IP inform each other about defederation
● IP tells SP about account termination
Authentication
● support all methods of navigation
● IP and SP mutually authenticate each other
● support various types of auth mechanism
● IP and SP exchange minimal information about Principal
Pseudonym
● IP/SP support unique pseudonyms on a per Federation basis
● E.g. a Principal might be FredF to an IP and Flint001 to an SP
Single logout
● When a Principal logs out of an IP, all appropriate SPs will be notified
Protocols
● Each protocol may be implemented in more than one way – called a profile
● Four profiles defined
  – Liberty Browser Artifact
  – Liberty Browser POST
  – Liberty WML POST
  – Liberty Enabled Client/Proxy
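The four functionalities and the browser-artifact profile listed above, and the point made earlier in the centralised-versus-federated comparison that a federated model needs no unique global identifier, as an added walk-through in Python. This is not code from the slides, from Sun ONE Identity Server or from the Liberty interoperability prototype: the participants exchange Python calls rather than Liberty’s signed XML messages, the shared secret stands in for the mutual authentication that real deployments get from TLS and signatures, and the names (campus-idp, library, vle, fred, the FredF / Flint001 pair from the pseudonym slide) are invented. What it does show is why per-federation pseudonyms stop two service providers correlating a principal, why an artifact must be single-use and bound to one SP, and how federation termination and single logout propagate from the identity provider.

```python
import secrets
from dataclasses import dataclass, field


@dataclass(eq=False)          # eq=False keeps instances hashable for the IP's session set
class ServiceProvider:
    name: str
    idp_secret: str = ""                              # set by IdentityProvider.register_sp
    accounts: dict = field(default_factory=dict)      # pseudonym -> local account name
    logged_in: set = field(default_factory=set)

    def link_account(self, pseudonym, local_account):
        """Opt-in account linking: the SP stores only the IP's pseudonym, never
        the IP-side identity."""
        self.accounts[pseudonym] = local_account

    def consume_artifact(self, idp, artifact):
        """Browser-artifact profile: the user agent carries an opaque artifact to
        the SP, which dereferences it with the IP over a back channel."""
        pseudonym = idp.resolve_artifact(artifact, self.name, self.idp_secret)
        local = self.accounts[pseudonym]              # KeyError if never federated here
        self.logged_in.add(local)
        return local

    def logout_notice(self, pseudonym):
        self.logged_in.discard(self.accounts.get(pseudonym))

    def federation_terminated(self, pseudonym):
        self.accounts.pop(pseudonym, None)


@dataclass
class IdentityProvider:
    name: str
    sp_secrets: dict = field(default_factory=dict)    # sp name -> shared secret
    pseudonyms: dict = field(default_factory=dict)    # (principal, sp name) -> pseudonym
    artifacts: dict = field(default_factory=dict)     # artifact -> (sp name, pseudonym)
    sessions: dict = field(default_factory=dict)      # principal -> {ServiceProvider}

    def register_sp(self, sp):
        """Stand-in for IP/SP mutual authentication: a shared secret the SP must
        present on the back channel (real deployments use TLS and signatures)."""
        sp.idp_secret = self.sp_secrets[sp.name] = secrets.token_hex(16)

    def federate(self, principal, sp):
        """Name registration: a distinct random pseudonym per (principal, SP), so
        two SPs cannot correlate a principal by comparing identifiers."""
        key = (principal, sp.name)
        if key not in self.pseudonyms:
            self.pseudonyms[key] = secrets.token_hex(8)
        return self.pseudonyms[key]

    def single_sign_on(self, principal, sp):
        """After local authentication, issue a single-use artifact bound to one SP."""
        key = (principal, sp.name)
        if key not in self.pseudonyms:
            raise PermissionError("principal has not federated with this SP")
        artifact = secrets.token_urlsafe(12)
        self.artifacts[artifact] = (sp.name, self.pseudonyms[key])
        self.sessions.setdefault(principal, set()).add(sp)
        return artifact

    def resolve_artifact(self, artifact, sp_name, secret):
        stored = self.sp_secrets.get(sp_name)
        if stored is None or not secrets.compare_digest(secret, stored):
            raise PermissionError("SP failed to authenticate to the IP")
        issued_for, pseudonym = self.artifacts.pop(artifact)   # pop: single use
        if issued_for != sp_name:
            raise PermissionError("artifact was issued for a different SP")
        return pseudonym

    def defederate(self, principal, sp):
        """Federation termination notification: both sides drop the link."""
        pseudonym = self.pseudonyms.pop((principal, sp.name), None)
        if pseudonym is not None:
            sp.federation_terminated(pseudonym)

    def single_logout(self, principal):
        """Single logout: every SP holding a session for the principal is told."""
        for sp in self.sessions.pop(principal, set()):
            pseudonym = self.pseudonyms.get((principal, sp.name))
            if pseudonym is not None:
                sp.logout_notice(pseudonym)


def demo():
    """Constructed walk-through with invented names."""
    idp = IdentityProvider("campus-idp")
    library, vle = ServiceProvider("library"), ServiceProvider("vle")
    idp.register_sp(library)
    idp.register_sp(vle)
    p_lib, p_vle = idp.federate("fred", library), idp.federate("fred", vle)
    library.link_account(p_lib, "Flint001")   # the slide's FredF / Flint001 example
    vle.link_account(p_vle, "FredF")
    artifact = idp.single_sign_on("fred", library)
    who = library.consume_artifact(idp, artifact)
    vle.consume_artifact(idp, idp.single_sign_on("fred", vle))
    return idp, library, vle, p_lib, p_vle, artifact, who
```

The property to check is that the library and the VLE each hold a different random pseudonym for the same principal and neither ever sees the IP-side username, which is the federated model’s answer to the tracking concern listed under the centralised model’s cons. The artifact is popped on resolution and checked against the SP it was issued for, so a replayed or misdirected artifact fails rather than logging someone in.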
Implementing Liberty
● Interoperability Prototype: open source Java implementation of Liberty 1.0 available now
● Sun ONE Identity Server 6.0
  – 1st commercial Liberty enabled product
  – Builds on Sun ONE stack (directory, policy management, delegated admin)
  – Open standards support for Liberty, SAML, XML

Implementing Liberty
● Build basic infrastructure: start with an LDAP directory
● Consolidate Identity initiatives – Interoperability is key
● Define Identity mgmt strategy
  – Technologies and standards
  – Auto provision / Principal self service
  – Policy based entitlement; group definition and management
Conclusions
● Federated identity solves the problems of identity in a way that empowers the Principal and the Service Provider
● Different circles of trust need to interoperate; THIS IS WHAT PROJECT LIBERTY ENABLES
● A good first step is to deploy LDAP

Possible applications of Federated Identity
● Lifelong learning
● Ubiquitous access to content/services
  – Student: Halls, parents, nearest vacation uni
  – Staff: home, office, sabbatical
  – From whatever access device you have
● More power/flexibility to ACL
● Swifter take up of e-learning
Malcolm Murphy, Sun Microsystems