pptx - Common Solutions Group

STEVEN ZOPPI
AVP, NET+ Services Integration and Architecture
14 MAY 2014 / NOTRE DAME
[CSG]
TIER: Quick Preview
TIER Objective
• Build upon all of the great work the community has already done!
  – This is a systems integration problem first, then an invention problem thereafter …
  – Extend what works: e.g. NMI-EDIT
• Taking into consideration all of the landscape that Ken K presented earlier – but delivering iteratively, at a regular cadence
Begin With the End In-Mind
• Start With a Sandbox
• Show What Works
• Evolve Over Time
  – Thanks to Keith Hazelton, Jim Jokl, Michael Gettes, Nate Klingenstein, Bill Yock
• Reference Architecture
• Canonical Implementation
What’s the problem again?
• To Enable The Community to Consume and Integrate with Cloud Services Most Efficiently
• Mandate: Emergence of Viable and Varied Cloud Services + Increasing Geographic Diversity of Research and Education
  – It’s no longer just about who you are – it’s about the spheres of influence in which you operate combined with the means to find the resources necessary to do research, education, collaboration – and do these things in scalable, elastic, and manageable ways.
Balanced Scorecard of Control
Individual Identity is the sum of all MetaData known by all affiliates.
[Diagram: spheres of control – Individual, Community, Virtual Organization, Enterprise]
*By the way …
• Most service providers are not clueful about identity
• Most service providers do not understand groups
  – Within Enterprise
  – Across Enterprises
• Must be achieved at GLOBAL SCALE across Enterprises while maintaining MetaData/Attribute control at the Enterprise
• It will be a multi-year effort
• Must enable smooth migration or implementation over time
• Must support management of one’s own identity and have the ability for discretionary MetaData/Attribute Release
Encapsulate and Empower SPs
• Provide a series of service end-points to which the candidate SPs will connect.
• Provide services which augment or replace SP AuthN or AuthZ “machinery” with those provided by TIER.
• Enable
  – Faster Integration
  – Greater Flexibility
  – Greater Value to the Community and the SP
Challenges
• The core needs are for AuthN and AuthZ for Interrealm Use
• A wide assortment of open source software has been developed by the community to address parts of those needs.
  – Excellent, Inconsistent, Non-Interoperable, Hard to Sustain / Maintain, Still has significant gaps.
• Lacking a common approach has led to a proliferation of approaches.
Requirements
• Scalable, Multi-Enterprise, Resilient Solution
• Rationalized and Accessible API and Grammar
• Federation-Enabled
• Extensible
  – Plug-in Architecture
• Support for Matrices within/without Organizations
• Support for Institutional, Statutory and Regulatory Constraint in the Semantic Layers for AuthZ
The definitive source of Scholarly Identity and Affiliation across Virtual Organizations … In The Cloud
Generalized Design
• Terminology: “Façade” design pattern (Software Engineering)
“A Façade provides a unified interface to a set of interfaces in a subsystem. Façade defines a higher-level interface that makes the subsystem easier to use. Wrap a complicated subsystem with a simpler interface.”
The TIER Façade Acts Like A Broker
• Contained Within the Enterprise
Decision making for which subsystem receives the target request remains within the enterprise.
[Diagram: Cloud-Based Service → API Interface → Routing Decisions → Handler “A” / Handler “B” / Handler “C”]
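The broker behaviour sketched on this slide, as an added illustration that is not code from the slides or from the TIER project: a single façade exposes one lookup interface to a cloud-based service, routes each request to one of several enterprise-side handlers, and applies the enterprise's own attribute-release policy before anything leaves. The handler names, realms, attribute names and policy table are constructed for the example; nothing here is TIER's actual API.

```python
"""Façade/broker illustration (hypothetical; not TIER's API).

The SP talks only to EnterpriseFacade. Which handler answers, and which
attributes are released to which SP, is decided inside the enterprise.
"""
from dataclasses import dataclass


@dataclass(frozen=True)
class AuthRequest:
    sp_entity_id: str       # the service provider asking
    subject: str            # the principal being resolved
    realm: str              # where the subject is homed (picks a handler)
    requested: frozenset    # attributes the SP asks for


class Handler:
    """Stand-in for one subsystem behind the façade (a directory, a group
    service, a VO registry, ...). Constructed data, not a real backend."""

    def __init__(self, name, directory):
        self.name = name
        self._dir = directory

    def lookup(self, subject):
        return dict(self._dir.get(subject, {}))


class EnterpriseFacade:
    """The unified interface. Routing and release decisions stay here."""

    def __init__(self, handlers, routes, release_policy):
        self._handlers = handlers          # handler name -> Handler
        self._routes = routes              # realm -> handler name
        self._policy = release_policy      # sp_entity_id -> allowed attrs
        self.audit = []                    # one record per resolved request

    def route(self, request):
        """Routing decision: unknown realms are refused, never guessed."""
        try:
            return self._routes[request.realm]
        except KeyError:
            raise LookupError(f"no handler for realm {request.realm!r}")

    def resolve(self, request):
        """Look the subject up via the routed handler, then release only the
        intersection of what the SP asked for and what policy allows."""
        handler = self._handlers[self.route(request)]
        attrs = handler.lookup(request.subject)
        allowed = self._policy.get(request.sp_entity_id, frozenset())
        released = {k: v for k, v in attrs.items()
                    if k in allowed and k in request.requested}
        withheld = sorted((set(attrs) & request.requested) - set(released))
        self.audit.append({"sp": request.sp_entity_id, "handler": handler.name,
                           "released": sorted(released), "withheld": withheld})
        return released


def build_example_facade():
    """Constructed sample wiring: two handlers, two realms, one SP policy."""
    handler_a = Handler("A", {  # campus directory (constructed sample)
        "alice": {"eduPersonPrincipalName": "alice@campus.example",
                  "eduPersonAffiliation": "faculty",
                  "mail": "alice@campus.example",
                  "isMemberOf": "cn=physics-lab"},
    })
    handler_b = Handler("B", {  # virtual-organization registry (constructed)
        "bob": {"eduPersonPrincipalName": "bob@vo.example",
                "isMemberOf": "cn=vo-admins"},
    })
    routes = {"campus.example": "A", "vo.example": "B"}
    # Only these attributes may ever be released to this SP.
    policy = {"https://sp.example/shib": frozenset(
        {"eduPersonPrincipalName", "eduPersonAffiliation"})}
    return EnterpriseFacade({"A": handler_a, "B": handler_b}, routes, policy)


if __name__ == "__main__":
    facade = build_example_facade()
    req = AuthRequest("https://sp.example/shib", "alice", "campus.example",
                      frozenset({"eduPersonPrincipalName", "mail", "isMemberOf"}))
    print(facade.resolve(req))   # only eduPersonPrincipalName is released
    print(facade.audit[-1])      # shows mail and isMemberOf were withheld
```

The audit record is the part a defender cares about: every resolution states which handler answered and which requested attributes were withheld, so attribute-release control is both enforced and observable at the enterprise rather than delegated to the SP.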
Internet2 Middleware: Proposed Unified Model
[Diagram: Secure Directory, Identity and Metadata Services, comprising:]
• Single Signon and Identity Components
  – AuthN (Who), Multi Factor
  – Multi-Level (Groups)
• Lightweight Workflow Services
• Persistence and Replication
• Automated Provisioning / Deprovisioning and Rules Enforcement
• Federated Registry (Directory Search / Lookup)
• AuthZ (What)
  – Business Rules Engine / Grammar
• Metadata Registry Services
• Network Objects (Files, Datasets, etc.)
  – People
  – Files / Datasets
  – Nodes