Activities in the US

Some Frontier Issues from the
Wild, Wild West
Ken Klingenstein
Topics
• Activities in the US
• R&E Sector
• Government sector
• Shib update
• The issues on the frontier
• At the infrastructure level
• At the user and application level
Activities in the US
• Government sector
• EAuthentication
• Law enforcement
• Health Care
• R&E Sector
• State based federations
• InCommon
Diego and RL “Bob”…
Or maybe this
Government Federations
• Internationally, several national governments
are developing federations of agencies and
offering services to external users
• Within the US, several federal agencies
are developing federations
• GSA EAuthentication
• NSF
• NIH
• http://www.publiccio.com/story.php?id=2007.02.02-103751
EAuthentication
• A set of federal agencies, working through a coordinating
agency (GSA) in conjunction with NIST for primarily
business (and some consumer) interactions
• Based on SAML, NIST 800-63, etc
• Applications range from booking campgrounds to checking
social security to filing administrative data from universities
to agencies to student loans to access to grant
management to…
• Not a very good soccer team yet but it is the US Gov
• Attempting to peer with InCommon
State University Federations
• State university federations - Texas, California,
Maryland, etc
• Leverage existing infrastructure in both policies
and shared applications
• Some, such as the California Digital
Marketplace, reach very broad populations
UTexas Federation Apps
• Project Tracking (CHA)
• Monthly Financial Reporting (BUD)
• TIXX (GOV)
• UT Plane (ADM)
• Compliance Training (ADM)
• Research Projects Tracking (ACA)
• Academic Affairs Jobs (ACA)
• Degree Programs (ACA)
• Grad Registration (ACA)
• System Administration Wireless (OTIS)
• Legal Tracking (OGC)
• Parking Management (APS)
• Signature Authority (APS)
• Bid Specification (OFPC)
• Project Time Reporting (OFPC)
• Student Couponing (UT Austin)
• Online Education via Blackboard (UTHSCH)
• Board of Regents Agenda (BOR) 12/06
• Budget Change Request (BUD) 12/06
• UTANOP (BUD) 12/06
InCommon
• US R&E Federation
• www.incommon.org
• Members join a 501(c)3
• Addresses legal, LOA, shared attribute, business
proposition and other issues
• Approximately 50 members and growing
• A low percentage of national Shib use…
InCommon Members 5/1/07
• Case Western Reserve University
• Clemson University
• Cornell University
• Dartmouth
• Duke University
• Florida State University
• Georgetown University
• Indiana University
• Miami University
• New York University
• Ohio University
• Penn State
• Stanford University
• Stony Brook University
• SUNY Buffalo
• Texas A&M
• The Ohio State University
• The Johns Hopkins University
• The University of Chicago
• University of Alabama at Birmingham
• University of California, Davis
• University of California, Irvine
• University of California, Los Angeles
• University of California, Merced
• University of California, Office of the President
• University of California, Riverside
• University of California, San Diego
• University of Maryland
• University of Maryland Baltimore County
• University of Maryland, Baltimore
• University of Rochester
• University of Southern California
• University of Virginia
• University of Washington
• University of Wisconsin - Madison
• Cdigix
• EBSCO Publishing
• Elsevier ScienceDirect
• Houston Academy of Medicine - Texas Medical Center Library
• Internet2
• JSTOR
• Napster, LLC
• OCLC
• OhioLink - The Ohio Library & Information Network
• ProtectNetwork
• Symplicity Corporation
• Thomson Learning, Inc.
• Turnitin
• WebAssign
Key aspects of InCommon
• Federating software
• Shib 1.2+ (other possibilities in the future)
• Shared attributes and schema
• eduPerson right now
• Levels of authentication
• POP (Participant Operational Practices) serves as the LOA statement today
• InCommon Bronze and Silver will map to LOA 1 and 2
• Management
• Steering committee of members IT executives
• Operations staffed by Internet2
InCommon Management/Governance
• Steering Committee of campus/vendor
CIOs and policy people – sets policies for
membership, business model, etc.
• Technical Advisory Committee – sets
common member standards for attributes
(eduPerson 2.0), identity management
good practices, etc.
InCommon Uses
• Access control to content
• Popular content – Ruckus, CDigix, etc
• Scholarly content – Google, OCLC WorldCat
• Downloads – Microsoft
• Access to external services
• Student travel, charitable giving, web learning and testing,
plagiarism testing service, etc.
• Allure for alumni services and other internal businesses
• Student loans, student testing, graduate school admissions,
etc.
• Access to national services
• The National Science Digital Library
• The TeraGrid pilot
Challenges in the US
• Addressing the risks in federated identity
• Too many lawyers
• Too few business drivers
• No bulk content licensing
• Few “national” applications
• No government access yet
• For many institutions, the focus is on state rather than national
applications
• Bi-lateral relationships exist more than national relationships.
• Not all institutions really have their identity management
technologies fully in place
• Very few have their identity management policies in place.
Shibboleth
• Shib 1.3 widely deployed; 1.2 still common
• Along the way, other capabilities added:
• ADFS compatibility for WS-Fed, (MS $)
• EAuthentication certification (with waiver form :) )
• Shib 2.0 completes the SAML+Shib integration
• More compatible with COTS SAML 2.0 products than they
are with each other
• A Shib/SAML to TCP/IP analogy isn’t bad; Shib adds
multi-party federation support through metadata, ARPs
(attribute release policies), etc.
• Also eases support for n-tier, non-web and other
capabilities
• Alpha in April, Beta soon
The Shibboleth 2.0 Sidebar
• Support for the attribute ecosystem
• attribute handling, including policy, in both SP and IdP
• designed to be reusable for other protocols (eg CardSpace)
• sets stage for further work on multiple attribute sources,
reputation management, etc.
• All Java SP (in addition to current Java/Apache), easing
integration for some applications
• Trust management
• PKI still seems too hard, even at the simpler enterprise level
• Supports a broad set of trust choices – CAs, certs, plain
keys, managing site metadata (naming, acquisition,
validating)
• A product of years of painful experience
Federated Applications
• Mostly access controls to content
• The first shibbed collaborative apps are
appearing…
• Several wikis
• Digital repositories such as DSpace and Fedora
• Learning Management Systems such as WebCT
• IM, p2p fileshare (Lionshare), CVS
• Grid-Shib integration in several ways
• SIP based tools (videoconferencing,
audioconferencing) within reach
• Bootstrapping from duct tape sometimes a problem
The Frontier
The issues on the frontier
• Peering, leveraging, confederating, etc
• Integration with p2p trust
• The user interface
• The applications
• Collaboration
• Domain-specific
Relationships among federations
• Peering
• Confederation
• Presumes peering, adds multifederation
support
• Leveraged
• Specialized federations that extend a
common base federation
Some inter-federation key issues
• Multi-protocols
• Sharing metadata
• Aligning policies
• WAYF functionality
• Dispute resolution
• Virtual organization support
REFeds
Peering
Parameters:
• LOA
• Attribute mapping
• Legal structures
• Liability
• Adjudication
• Metadata
• VO Support
• Economics
• Privacy
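A toy model of two of the peering parameters above, LOA and attribute handling, added here as an example and not code from the presentation or from Shibboleth itself: the IdP applies a per-SP attribute release policy (ARP), and the SP maps the IdP's assurance profile to a NIST 800-63 LOA (Bronze and Silver to 1 and 2, as the InCommon slide states) and checks scoped eduPerson values against the scopes the IdP's metadata allows. The entity IDs, scopes, ARP layout and function names are assumptions.

```python
from dataclasses import dataclass

# Assurance profile -> NIST 800-63 LOA, as stated on the InCommon slide.
PROFILE_TO_LOA = {"InCommon Bronze": 1, "InCommon Silver": 2}
# eduPerson attributes whose values carry an "@scope" suffix the SP must verify.
SCOPED_ATTRIBUTES = {"eduPersonScopedAffiliation", "eduPersonPrincipalName"}

@dataclass(frozen=True)
class IdPMetadata:
    entity_id: str
    scopes: frozenset    # scopes the federation metadata lets this IdP assert
    profiles: frozenset  # assurance profiles the IdP is certified for

@dataclass(frozen=True)
class SPMetadata:
    entity_id: str
    required_loa: int    # minimum LOA this SP accepts

def idp_release(arp: dict, sp_entity_id: str, attrs: dict) -> dict:
    """IdP side: apply the per-SP attribute release policy (ARP).
    arp maps an SP entityID (or "*" as the default) to the attribute names it may see."""
    allowed = arp.get(sp_entity_id, arp.get("*", set()))
    return {name: list(values) for name, values in attrs.items() if name in allowed}

def sp_accept(idp: IdPMetadata, sp: SPMetadata, attrs: dict):
    """SP side: reject if the IdP's best certified profile is below the SP's required
    LOA; otherwise drop scoped values whose scope the IdP may not assert.
    Returns (accepted, filtered_attributes)."""
    best_loa = max((PROFILE_TO_LOA.get(p, 0) for p in idp.profiles), default=0)
    if best_loa < sp.required_loa:
        return False, {}
    kept = {}
    for name, values in attrs.items():
        if name in SCOPED_ATTRIBUTES:
            values = [v for v in values if "@" in v and v.rsplit("@", 1)[1] in idp.scopes]
        if values:
            kept[name] = values
    return True, kept

# Constructed sample data (hypothetical entity IDs and scopes, not from the slides).
IDP = IdPMetadata("https://idp.example.edu/shibboleth", frozenset({"example.edu"}),
                  frozenset({"InCommon Bronze"}))
SP_LOA1 = SPMetadata("https://sp.example.org/shibboleth", 1)
SP_LOA2 = SPMetadata("https://loa2.example.org/shibboleth", 2)
ARP = {SP_LOA1.entity_id: {"eduPersonScopedAffiliation", "eduPersonPrincipalName"},
       "*": {"eduPersonScopedAffiliation"}}
ATTRS = {"eduPersonScopedAffiliation": ["member@example.edu", "faculty@other.example"],
         "eduPersonPrincipalName": ["alice@example.edu"], "mail": ["alice@example.edu"]}
```

With the sample data, the Bronze IdP is accepted by the LOA 1 SP but refused by the LOA 2 SP, and the affiliation asserted under a foreign scope is dropped by the SP even though the IdP released it.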
VOs plumbed to peered federations
Developing the Attribute Ecosystem
• Addressing not only the real time delivery of
attributes, but their creation, distribution and
maintenance
• Providing a consistent set of user experiences,
both in managing their own identity/privacy and in their
roles as managers of privileges for others
• Must function with the real world of existing
middlemen, uncertain user capabilities, laws and
regulations, and duct tape
[Diagram slides: A Simple Life GUI; An Integrated IdM Life; Integrated Interfaces; Real Life; and a VO Service Center view. Each shows the user, IdP, Shib and p2p identity alongside application access controls (including network devices); the later views add Authn, Autograph, Signet/Grouper, local apps, a portal, gateway, proxy and multiple Sources of Authority.]
Internet Identity – P2P
• Provides tokens for interpersonal trust
• Use cases include file and photo sharing, some
encrypted email, etc.
• Limited role but large personal contexts
• Subtle but critical layers
• Identity Selector, tokens, mobility, reputation
systems, others
• Active space – CardSpace in MS Vista, Higgins
and the Bandits, OpenID, etc.
Identity Integration goals
• Of federated and p2p identity
• Many levels of integration
• The tokens
• The GUI
• The privacy management paradigm
• Of identity and privilege management
• Assignment and management of permissions to users by
those with authority to grant such access
• Addresses the static aspects of the authorization space, with
audit, delegation, prerequisites, etc.
• Permissions can be enterprise or virtual organization
User Interface Frontier
• A consistent look and feel to the management of identity
activities across a set of collaboration applications
• The applications may be web services, video or
audioconferencing, calendaring, IM, wikis, file shares, etc
• The activities may include authentication, release of
attributes and management of privacy, creation of
attributes for others, group management, etc
• Defaults must hide most of the complexity
• Cards seem to be a common metaphor
• Variety of appliances an issue
Management of the Domain
• Lacking general infrastructure, identity and privilege
management within the domain is problematic
• Insecure, ineffective, ad hoc or often missing
• Building tools to integrate Id/Pr Management within the
domain with the approaches used on campuses.
• Allows more seamless interactions of research and
instructional roles.
• Permit students to sample and engage in research securely
and easily.
• Allow researchers to administer grants and integrate virtual
and physical realities.
Collaboration tools and services
• Addressing the collaborative side of research
• Adapting common open-source collaboration
tools for more effective use
• First in an institutional and inter-institutional use
• Then, leveraging that, for virtual organizations
• Addressing integration of authentication, authorizations,
privacy, etc.
• Wikis, IM, web-accessed file-shares,
videoconferencing, audio conferencing, etc.
• Use cases abound, from “open to members of a
community” to “just these few colleagues” and
others