STEVEN ZOPPI, AVP, NET+ Services Integration and Architecture
14 MAY 2014 / NOTRE DAME [CSG]

TIER: Quick Preview

TIER Objective
• Build upon all of the great work the community has already done!
– This is a systems integration problem first, then an invention problem thereafter …
– Extend what works: e.g. NMI-EDIT
• Take into consideration all of the landscape that Ken K presented earlier – but deliver iteratively, at a regular cadence

Begin With the End In Mind
• Start With a Sandbox → Show What Works → Evolve Over Time
– Thanks to Keith Hazelton, Jim Jokl, Michael Gettes, Nate Klingenstein, Bill Yock
• Reference Architecture
• Canonical Implementation

What’s the problem again?
• To Enable the Community to Consume and Integrate with Cloud Services Most Efficiently
• Mandate: Emergence of Viable and Varied Cloud Services + Increasing Geographic Diversity of Research and Education
– It’s no longer just about who you are – it’s about the spheres of influence in which you operate, combined with the means to find the resources necessary to do research, education and collaboration – and to do these things in scalable, elastic and manageable ways.

Balanced Scorecard of Control
Individual Identity is the sum of all MetaData known by all affiliates.
[Diagram: Individual – Community – Virtual Organization – Enterprise]

*By the way …
• Most service providers are not clueful about identity
• Most service providers do not understand groups
– Within Enterprise
– Across Enterprises
• Must be achieved at GLOBAL SCALE across Enterprises while maintaining MetaData/Attribute control at the Enterprise
• It will be a multi-year effort
• Must enable smooth migration or implementation over time
• Must support management of one’s own identity and have the ability for discretionary MetaData/Attribute Release

Encapsulate and Empower SPs
• Provide a series of service end-points to which the candidate SPs will connect.
• Provide services which augment or replace SP AuthN or AuthZ “machinery” with those provided by TIER.
• Enable
– Faster Integration
– Greater Flexibility
– Greater Value to the Community and the SP

Challenges
• The core needs are for AuthN and AuthZ for Inter-realm Use
• A wide assortment of open source software has been developed by the community to address parts of those needs.
– Excellent, Inconsistent, Non-Interoperable, Hard to Sustain / Maintain, Still has significant gaps.
• Lacking a common approach has led to a proliferation of approaches.

Requirements
• Scalable, Multi-Enterprise, Resilient Solution
• Rationalized and Accessible API and Grammar
• Federation-Enabled
• Extensible – Plug-in Architecture
• Support for Matrices within/without Organizations
• Support for Institutional, Statutory and Regulatory Constraint in the Semantic Layers for AuthZ
• The definitive source of Scholarly Identity and Affiliation across Virtual Organizations … In The Cloud

Generalized Design
• Terminology: “Façade” design pattern (Software Engineering)
“A Façade provides a unified interface to a set of interfaces in a subsystem. Façade defines a higher-level interface that makes the subsystem easier to use. Wrap a complicated subsystem with a simpler interface.”

The TIER Façade Acts Like A Broker Contained Within the Enterprise
Decision making for which subsystem receives the target request remains within the enterprise.
[Diagram: Cloud-Based Service → API Interface → Routing Decisions → Handler “A” / Handler “B” / Handler “C”]

Internet2 Middleware: Proposed Unified Model
[Diagram: Secure Directory, Identity and Metadata Services]
• Single Sign-on and Identity Components
• AuthN (Who): Multi-Factor, Multi-Level (Groups)
• Lightweight Workflow Services
• Persistence and Replication
• Automated Provisioning / Deprovisioning and Rules Enforcement
• Federated Registry (Directory Search / Lookup)
• AuthZ (What): Business Rules Engine / Grammar
• Metadata Registry Services
• Network Objects (Files, Datasets, etc.): People, Files / Datasets, Nodes
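The façade/broker described above, worked as an added example rather than TIER's own code: a single enterprise-side endpoint routes each SP request to an internal AuthN, AuthZ or attribute handler, and the attribute handler releases only what the enterprise policy permits for that SP and the user has consented to. Every directory entry, SP name and policy below is constructed sample data.

```python
"""Toy TIER-style facade (assumed design, not TIER code)."""
import hashlib
import hmac

# Constructed sample directory; a real deployment would front LDAP/IdM.
DIRECTORY = {
    "alice": {
        "pw_hash": hashlib.sha256(b"correct horse").hexdigest(),
        "groups": {"researchers", "staff"},
        "attrs": {"mail": "alice@example.edu",
                  "eduPersonAffiliation": "staff",
                  "orcid": "0000-0000-0000-0001"},
    }
}
# Enterprise-held release policy per registered SP (control stays in-house).
SP_POLICY = {"wiki.example.org": {"mail", "eduPersonAffiliation"},
             "journal.example.com": {"orcid", "eduPersonAffiliation"}}
# Discretionary per-user, per-SP consent (user-managed identity).
USER_CONSENT = {("alice", "wiki.example.org"): {"mail", "orcid"},
                ("alice", "journal.example.com"): {"orcid"}}

def handle_authn(req):
    user = DIRECTORY.get(req.get("user"))
    if user is None:
        return {"ok": False}
    given = hashlib.sha256(req.get("password", "").encode()).hexdigest()
    # constant-time compare so timing does not leak the stored hash
    return {"ok": hmac.compare_digest(given, user["pw_hash"])}

def handle_authz(req):
    groups = DIRECTORY.get(req.get("user"), {}).get("groups", set())
    return {"ok": req.get("group") in groups}

def handle_attrs(req):
    user = DIRECTORY.get(req.get("user"))
    if user is None:
        return {"ok": False, "attrs": {}}
    # release = enterprise policy for this SP  AND  the user's consent
    allowed = SP_POLICY[req["sp"]] & USER_CONSENT.get((req["user"], req["sp"]), set())
    return {"ok": True, "attrs": {k: v for k, v in user["attrs"].items() if k in allowed}}

HANDLERS = {"authn": handle_authn, "authz": handle_authz, "attrs": handle_attrs}

def facade(request):
    """Single SP-facing entry point; routing decision made inside the enterprise."""
    handler = HANDLERS.get(request.get("op"))
    if handler is None or request.get("sp") not in SP_POLICY:
        return {"ok": False, "error": "unknown operation or unregistered SP"}
    return handler(request)
```

Note that the SP never sees the directory or the handlers directly, and an unregistered SP gets nothing regardless of the operation requested.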