AARNet Copyright 2005 AARNet Copyright 2005 AARNet Middleware Activities 2005 APAN 2005 James.Sankar@aarnet.edu.au Network Engineer – Middleware AARNet AARNet Copyright 2005 About this talk Background – – – – AARNet Why Middleware? Overview of AARNet current middleware activities IAM survey background Results – Key Findings – Barriers – Opportunities 3 AARNet Copyright 2005 AARNet – Core Activity Roll out of the AARNet 3 Dark Fibre “Dense WaveDivision Multiplexing” (DWDM) providing: – 32 wavelengths of 10Gbps capacity initially – Supports growth to 64 or more wavelengths of 40Gbps over life of the network 4 AARNet Copyright 2005 AARNET goals • To complete the AARNet 3 roll out and develop outreach programmes to extend access to rural areas. • To participate in national and regional activities – Engage with the community – e.g. Astronomers, Physicists etc – Engage with research and education stakeholders to develop a national middleware framework • To develop applications and services for AARNet customers • To develop international links and actively participate in international projects. 5 AARNet Copyright 2005 Why Middleware? On the Internet – nobody knows who you are! More content and access to scarce physical systems requires user authentication and authorisation in a secure, scalable way 6 AARNet Copyright 2005 Why Middleware? Identity and Access Management should support user requests to resources regardless of location, to do so requires integration, loosely coupled federations and clever, intuitive systems that are and able to support general requests or ask for authentication when required. 7 AARNet Copyright 2005 AARNet middleware In-house developments 8 – Develop a middleware architecture framework for development activities. – Roll out eduroam to AARNet offices and staff. – Gain practical experience of Shibboleth by • Creating an AARNet Identity Provider system for AARNet staff and join MAMS federation. • Assessing the feasibility of shibbolising AARNet applications and services. – Further development AARNet’s middleware website to generate awareness; AARNet Copyright 2005 AARNet middleware Joint activities – Involvement in national middleware initiatives involving education and research communities. – CAUDIT Identity and Access Management survey 2005. – Participation and assistance in eduroam Australia roll out, development and policy. – Participation in • global eduroam development and policy. • CAUDIT PKI Technical Working Group in developing a national PKI. • Global middleware policy. 9 AARNet Copyright 2005 What is a CAMPUS Identity & Access Management System? “…Identity and access management isn’t really a system that you go out and buy. It must become a pervasive, federated infrastructure that integrates companies internally while simultaneously allow them to interoperate with other companies. It must support both centralized and decentralized scenarios. It must accommodate integration where practical, and more loosely coupled federation models where necessary.” Burton Group (July 2002) 10 AARNet Copyright 2005 What is a CAMPUS Identity & Access Management System? “…an integrated system of business processes, policies and technologies that enable organizations to facilitate and control their users' access to critical online applications and resources — while protecting confidential personal and business information from unauthorized users. It represents a category of interrelated solutions that are employed to administer user authentication, access rights, access restrictions, account profiles, passwords, and other attributes supportive of users' roles/profiles on one or more applications or systems.” Wikipedia 2005 11 AARNet Copyright 2005 The Survey – why now? The Survey instrument was designed to assess progress of Identity and Access Management systems to act on – Any barriers to integration (same/single sign on) that need to be removed (resourcing, technical, political, etc.) – Any opportunities to • Promote campus infrastructure integration best practice • Assess the need for a federated authn infrastructure 12 • Identify authz components for services / resources. AARNet Copyright 2005 Survey Results Authentication – Username/Passwords & IP based authentication. Authorisation – Ezproxy, proxy caches in use. Differences exist in support to access local and remote resources. Directory services – LDAP preferred service System integration – in house developments (PERL, Visual Basic, JAVA, C++, SQL to process data from student, HR and other databases). 13 AARNet Copyright 2005 Resources / Application support 14 AARNet Copyright 2005 Survey Results - continued Current focus – Campus infrastructure integration • Unify Authentication, Authorisation, Access; – Automate the transfer of data to feed into Directories, meta data, and so forth. – Develop simplified user interfaces (e.g. Same/Single Sign on portals). • Visitor guest network access (http, https, VPN) via – Creating temporary accounts. – eduroam (802.1X/EAP-TTLS & RADIUS backend). 15 AARNet Copyright 2005 Identity and Access Management Today 16 AARNet Copyright 2005 Survey Results - continued Public Key Infrastructures Use – Limited use of digital certificates (due to No national PKI) – 30% claim their Directory Services support PKI Next Project developments – Web portal & Account self service = 14/25 – Same Sign On = 4/25 & Single Sign On = 13/25 – CAUDIT /Staff/Student/Web/Service certs = 7/25 17 AARNet Copyright 2005 Survey Results – Barriers identified • Limited resources / funds available. • Limited key stakeholders involvement to create integration and federation infrastructures. • High risks/impact to develop critical IAM systems. • Lack of coordinated middleware effort in IAM space • Minimal dissemination of standards, policies and technical guidelines. • Limited Training (eduperson, same/single sign on). 18 AARNet Copyright 2005 Survey Results – Recommendations 1 (1) Develop IAM content on – Gather and exchange recommended Authentication and Authorisation methods/products, guidelines for use, transmission, storage of credentials and IAM best practice – Identify / develop ways to can leverage from same/single sign on environments. – Track CAUDIT PKI developments and make use of PKI to develop secure access. (2) Engage with service providers 19 – Identify requirements to enable users to gain access to remote resources and agree on standards/rules to operate via a federation. AARNet Copyright 2005 Survey Results – Recommendations 2 (3) Develop a middleware framework – An inclusive process for stakeholders (identity providers and service providers) to align to in a cost effective, low risk, secure, user-friendly way within Australia. – Identify Australian strengths to contribute in partnership with the global middleware effort. – Identify international middleware activities that Australia can make learn and develop from. 20 AARNet Copyright 2005 Useful links • AARNet Middleware web pages http://www.aarnet.edu.au/engineering/middleware/ • Identity & Access Management Survey 2005 – http://www.aarnet.edu.au/engineering/middleware/id_access_m gt_survey.html • Eduroam - www.eduroam.org • Eduroam Australia – www.eduroam.edu.au • Shibboleth – http://shibboleth.internet2.edu/ • MAMS - http://www.melcoe.mq.edu.au/projects/MAMS/ 21 AARNet Copyright 2005 Thank You 22