Add to collection(s) Add to saved
  1. Business
  2. Management
  3. Project Management

Identity Services for Open Source Software

advertisement 
Tom Barton
University of Chicago
Towards Common Identity Services
Matterhorn
• Consortium of Universities building an enterpriselevel, easy-to-install open source podcast and rich
media capture, processing and delivery system.
• Typical security issues need to be handled
–
–
–
–
–
–
User authentication
Service authentication
Proxy authentication
Long-running processes
Integration with enterprise services
Out-of-the-box support for enterprises lacking those
services
17-18 November 2009
2
“Is this a problem that the Matterhorn software
needs to solve?
… I hope we can come up with a cheap & easy
solution in order to get on with our
fundamental tasks involving the handling of
media.”
Josh Holtzman, Matterhorn Team member
opencast list, May 15, 2009
17-18 November 2009
3
17-18 November 2009
4
Identity services for applications
Manage
Convey
Interface
Privileges
LDAP
Permissions
Roles
SAML
Roles
Groups
SQL
Groups
Credentials
SOAP/REST
Attributes
Subjects
Kerberos
Authentication
17-18 November 2009
5
WANTED:
Domesticated applications
• Integrate collaboration tools into a
common platform
• User and collaboration centric
identity, not tool-based identity
• How much domestication is
needed?
–
–
–
–
–
–
–
COmanage
SURFGroepen
Sympa as VO group manager
Duke’s OZ
SWITCH VO platform
U Malaga “identity bus”
Bamboo?
17-18 November 2009
6
The identity services problem
Applications can't be developed that easily
integrate with external IAM services until there's
broadly held agreement on the interfaces
between the two
17-18 November 2009
7
It’s a tower of turtles
•
•
•
•
Application developers
Framework developers
Platform developers
Standards bodies
– Too many
– Not enough
• Communities of practice
– Education & Research
– Internet Identity
• Integrators
• Deployers
17-18 November 2009
8
Don’t try to solve the
general problem!
17-18 November 2009
Focus on a small set of
related, constrained use
cases and make
progress on those
9
June 2009 Advanced CAMP:
Identity Services Summit
• Participation
– Open source project developers
• Jasig (uPortal, CAS, Bedework)
• SAKAI
• Kuali
– Campus developers & architects
– Internet2/MACE
– Kantara
• Project reviews (surveys & sessions)
• Lightning talks, break-outs
17-18 November 2009
Some action items from the Identity
Services Summit
• Access management glossary and mapping
between open source projects
• KIM – Grouper service implementation proof of
concept
• uPortal – Grouper service implementation proof of
concept
• Shibbolized & CASified .NET & sharepoint
• Bedework & COmanage discovery
• Enhance development frameworks with roles, etc.
– Spring, django
17-18 November 2009
11
MACE-Paccman: some problems
• Access Management terminology is confusing e.g.
privilege, permission, entitlement, authorization
• Access Management is often embedded in
applications and so is reinvented often
• Access Management often does not account for
federations
• Provisioning is easier than de-provisioning
• Audit trails are often per application if they exist at
all
17-18 November 2009
Paccman slides courtesy of Tom Dopirak
MACE-Paccman Initial Deliverables
• Glossary and models for Access Management
– How to use groups
– How to use privileges
– How to provision embedded Access Management
software
– Audit Considerations
• Comparative glossary with major access management
endeavors and Open Source Higher ED projects e.g. Sakai,
uPortal, Kuali
• Use Cases in Access Management
• Mapping use cases to existing efforts
– Kuali KIM
– MIT’s perMIT
– Grouper
17-18 November 2009
Kuali Foundation
“open source administrative software for higher education,
by higher education”
•
•
•
•
•
kuali financials
kuali coeus (research administration)
kuali student
kuali rice (middleware framework)
Incubation projects
– ole (integrated library system)
– continuity planning
– payroll/hr
– materials management
17-18 November 2009
Kuali Identity Management (KIM)
• A new module of the Kuali Rice middleware
framework (http://rice.kuali.org)
• Implemented as a set of services for identity
and access management
• Designed with the needs of the other Kuali
applications in mind (financials, research
administration and student system)
• But also meant to be general enough to be
used by other applications as well
17-18 November 2009
KIM slides courtesy of Eric Westfall
15
KIM Services
• IdentityService
– Principals and entities
• GroupService
– Group data, group membership checks
• PermissionService
– Authorization checks
• RoleService
– Role data
• ResponsibilityService
– Resolve responsibilities for certain actions (integration
point with the workflow engine)
• AuthenticationService
– Establishes an authenticated user’s session
17-18 November 2009
16
17-18 November 2009
Where does it fit?
• Topic of discussion at Advanced CAMP on identity
management in June
– Where does Kuali Identity Management fit into the broader
identity and access management space in higher education?
• A few possibilities
– Can be used solely for implementation of specific Kuali
applications
– Can be positioned as the primary identity and access
management services at an institution
– Certain pieces of the reference implementation can be used,
while others can be integrated with or replaced with other
solutions (i.e. LDAP, Grouper, Active Directory)
• Working on some projects surrounding the last item,
specifically working with Grouper team on a proof of
concept for integration with KIM
17-18 November 2009
18
17-18 November 2009
uPortal’s group-related services
• GAP: Groups And Permissions
– Gather groups from configured group stores
– UI to manage groups and permissions
– Desired to outsource to Grouper
• PAGS: Person-Attribute Group Service
– Present group memberships from attributes in
user’s security context
• PD: Person Directory
– Gather Subjects from configured stores
17-18 November 2009
20
uPortal-Grouper integration needs
• Refactor PAGS
• Add GAP interface
• New group admin UI
• Add group-pull
• Portal Subjects source adapter
PAGS
PD
UI
GAP
Subject Source
Portal
DB
17-18 November 2009
pull groups
(& Subjects)
LDAP
DB-A
End matter
•
“The thing with integration is that it takes a lot of
work, and especially in the early stages, and the work
has to come from the real experts, so it's expensive.”
-- RL “Bob” Morgan
•
Is it enough to have ID Services interfaces, or do we
also need to somehow unify management of
privileges external to applications with application
specific privileges?
•
Advanced CAMP 2010 will continue the identity
services for OSS theme
17-18 November 2009
For more information, visit https://spaces.internet2.edu/display/IdSrvcsClearhouse
17-18 November 2009
Related documents
Kuali Coeus Update Fall QRAM 2013
Kuali Coeus Update Fall QRAM 2013
Kuali Days - Indiana University
Kuali Days - Indiana University
Presentation Title
Presentation Title
February 2010 Summary
February 2010 Summary
Information Technology Services
Information Technology Services
Presentation
Presentation
Kuali Help Guide
Kuali Help Guide
34 Staff in attendance, plus all three officers Welcome Introductions
34 Staff in attendance, plus all three officers Welcome Introductions
Submittal for the Larry L. Sautter Award
Submittal for the Larry L. Sautter Award
Kuali_TIFCSI
Kuali_TIFCSI
Chart of Accounts
Chart of Accounts
Presentation Template
Presentation Template
Download
advertisement