Maturation & Convergence in Authentication & Authorization Services in US Higher Education:
Keith Hazelton, [email protected]
Sr. IT Architect, University of Wisconsin-Madison
Internet2 MACE
20th APAN, Taipei, Taiwan
August 24, 2005
2
Topics
• Middleware service layer concepts & models
• Roots of the Internet2 middleware initiative
• Growing relevance of middleware for network layer services and Grid services
• Possible paths of convergence
3
Identity and Access Management (IAM) defined
• What is Identity Management?
“Identity [and access] management is
 • the set of business processes,
 • and a supporting infrastructure,
 • for the creation, maintenance, and use of digital identities.”
The Burton Group (a research firm specializing in IT infrastructure for the enterprise)
4
The IAM Stone Age
• List of functions:
• AuthN: Authenticate principals (people, servers) seeking access to a service or resource
• Log: Track access to services/resources
5
The IAM Stone Age
• Every application for itself in performing these functions
• User list, credentials; if you’re on the list, you’re in (AuthN is authorization (AuthZ))
• As Hobbes might say: Stone age IAM “nasty, brutish & short on features”
6
Vision of a better way to do IAM
• IAM as a middleware layer at the service of any number of applications
• Requires an expanded set of basic functions
 • Reflect: Track changes to institutional data from changes in Systems of Record (SoR) & other IdM components
 • Join: Establish & maintain person identity across multiple independent sources of person information
  • Human Resources and Student Info. Systems
  • …or Department X and Department Y IT systems
7
Vision of a better way to do IAM
• More in the expanded set of basic functions
 • Credential: Issue digital credentials to people in the community
 • Mng. Affil.: Manage affiliation and group information
 • Mng. Priv.: Manage privileges and permissions at system and resource level
 • Provision: Push IAM info out to systems and services as required
 • Deliver: Make access control / authorization information available to services and resources at run time
 • AuthZ: Make the allow/deny decision independent of AuthN
8
IAM functions
• Reflect: Data of interest
• Join: Identity across SoR
• Credential: NetID, other
• Manage Affil/Groups: AuthZ info
• Manage Privileges: More AuthZ info
• Provision: For legacy applications
• Deliver: Get AuthZ info to app
• Authenticate: Check identity claim
• Authorize: Make allow/deny decision
• Log: Track usage for audit
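An added example, not from the presentation and not code from any Internet2 component: a toy person registry in Python that implements the Reflect and Join functions named in slides 6 and 8. Two constructed Systems of Record (HR and the Student Information System) publish records under their own identifiers; the registry joins them on a shared match key into one identity with one NetID and one affiliation set, and each Reflect run reports which joined identities changed. The feeds, the match key, the NetID format and the affiliation values are all assumptions made for the example.

```python
from dataclasses import dataclass, field

# Constructed sample feeds; a real deployment reads SoR extracts or change events.
HR_FEED = [
    {"emplid": "E100", "match_key": "ID-001", "name": "Jane Doe", "status": "active"},
    {"emplid": "E101", "match_key": "ID-002", "name": "Sam Roe", "status": "active"},
]
SIS_FEED = [
    {"student_id": "S900", "match_key": "ID-001", "name": "Jane Doe", "enrolled": True},
    {"student_id": "S901", "match_key": "ID-003", "name": "Kim Poe", "enrolled": True},
]


@dataclass
class Person:
    netid: str                                      # the single campus identifier ("Credential")
    name: str
    sources: dict = field(default_factory=dict)     # SoR name -> SoR-local identifier (the join)
    affiliations: set = field(default_factory=set)  # eduPersonAffiliation-style values


class PersonRegistry:
    """Joins independent SoR records into one identity and reflects SoR changes."""

    def __init__(self):
        self.by_key = {}   # match_key -> Person
        self._next = 1

    def _person_for(self, match_key, name):
        person = self.by_key.get(match_key)
        if person is None:
            person = Person(netid=f"u{self._next:04d}", name=name)  # assumed NetID scheme
            self._next += 1
            self.by_key[match_key] = person
        return person

    def _snapshot(self):
        return {k: (dict(p.sources), set(p.affiliations)) for k, p in self.by_key.items()}

    def reflect(self, hr_feed, sis_feed):
        """Re-read both feeds; return the set of NetIDs whose joined identity changed."""
        before = self._snapshot()
        hr_keys, sis_keys = set(), set()
        for rec in hr_feed:
            p = self._person_for(rec["match_key"], rec["name"])
            p.sources["HR"] = rec["emplid"]
            hr_keys.add(rec["match_key"])
            if rec["status"] == "active":
                p.affiliations.add("employee")
            else:
                p.affiliations.discard("employee")
        for rec in sis_feed:
            p = self._person_for(rec["match_key"], rec["name"])
            p.sources["SIS"] = rec["student_id"]
            sis_keys.add(rec["match_key"])
            if rec["enrolled"]:
                p.affiliations.add("student")
            else:
                p.affiliations.discard("student")
        # A record that vanished from a feed loses only that feed's contribution;
        # the person and NetID persist because another SoR may still know them.
        for key, p in self.by_key.items():
            if key not in hr_keys:
                p.sources.pop("HR", None)
                p.affiliations.discard("employee")
            if key not in sis_keys:
                p.sources.pop("SIS", None)
                p.affiliations.discard("student")
        after = self._snapshot()
        return {self.by_key[k].netid for k in after if before.get(k) != after[k]}

    def lookup(self, netid):
        """The 'Deliver' view: one joined record per NetID for downstream AuthZ."""
        for p in self.by_key.values():
            if p.netid == netid:
                return p
        return None
```

The changed set returned by `reflect` is what the Provision and Deliver functions would consume: only identities whose affiliations or source links moved need to be pushed to downstream systems, and an HR termination shows up as a lost `employee` affiliation rather than a deleted person.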
9
Roots of the Internet2 Middleware Initiative
• Stated goal is to support the educational institution as a whole in its various missions
 • Requires focus on the entire population of service consumers (students, staff, researchers, lecturers, etc.)
• Plus two critical requirements:
 • Scalability
 • Flexibility
10
Basic IAM functions mapped to the Internet2 NMI / MACE components
[Diagram: Systems of Record (Student, HR, Other) feeding the Enterprise Directory (Registry, LDAP)]
11
Basic IAM functions mapped to the Internet2 NMI / MACE components
[Diagram: Systems of Record → Enterprise Directory → Grouper, Signet, WebISO, Shibboleth → Apps / Resources]
12
Middleware becoming crucial to network and Grid communities
• QoS, authenticated network access and network services all require the IAM suite of functions
• Grid services have that PLUS the need to support multiple-institution virtual organizations (VOs)
• Middleware becomes crucial in both for
 • Scalability
 • Flexibility
13
The GridShib picture
[Diagram: Campus User, Shibboleth (campus side) and Grid Service, linked by the numbered steps below]
(0) Attribute Release Policy
(1) Grid Authentication
(2) Shib Attribute Request
(3) Attributes (returned by Shibboleth)
(4) Attribute-based authorization (at the Grid Service)
14
Getting Attributes into a Site’s Attribute Authority
[Diagram: Core Business Systems (SIS, HR) → Loaders → On-site Authorities (Person Registry; Group Registry with Grouper UI; Privilege Registry with Signet UI), plus Off-site Authorities → LDAP → Attribute Authority (Shib/GridShib, using Shibboleth)]
Sample LDAP entry shown in the diagram:
uid: jdoe
eduPersonAffiliation: …
isMemberOf: …
eduPersonEntitlement: …
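An added example, not from the presentation and not Shibboleth or GridShib code: a Python model of steps (0) to (4) of the GridShib picture on slide 13, using an attribute store shaped like the LDAP entry on slide 14. A campus attribute authority holds per-user entries, an attribute release policy (ARP) per requesting service decides which attributes leave campus, and the Grid service makes its allow/deny decision from the released attributes alone, independently of how authentication happened. The service URL, certificate subjects, group DNs, entitlement URN and the `mail` attribute are constructed assumptions; step (1) is stood in for by a lookup table rather than real X.509 processing.

```python
# Constructed campus attribute store keyed by uid. Attribute names follow the
# slide's LDAP entry (eduPerson schema names); all values are made up.
ATTRIBUTE_AUTHORITY = {
    "jdoe": {
        "eduPersonAffiliation": {"faculty", "member"},
        "isMemberOf": {"cn=grid-users,ou=groups,dc=example,dc=edu"},
        "eduPersonEntitlement": {"urn:mace:example.edu:entitlement:grid"},
        "mail": {"jdoe@example.edu"},   # known on campus, never needed by the grid service
    },
    "kpoe": {
        "eduPersonAffiliation": {"student", "member"},
        "isMemberOf": {"cn=all-students,ou=groups,dc=example,dc=edu"},
        "eduPersonEntitlement": set(),
        "mail": {"kpoe@example.edu"},
    },
}

# (0) Attribute Release Policy: for each requesting service, the attributes it may receive.
ATTRIBUTE_RELEASE_POLICY = {
    "https://grid.example.org/compute": {
        "eduPersonAffiliation", "isMemberOf", "eduPersonEntitlement",
    },
}

# (1) Grid authentication. GridShib uses an X.509 credential here; this constructed
# map from certificate subject to campus uid stands in for that step.
CERT_SUBJECT_TO_UID = {
    "/DC=edu/DC=example/CN=Jane Doe": "jdoe",
    "/DC=edu/DC=example/CN=Kim Poe": "kpoe",
}

# Assumed access rule of the grid service, evaluated in step (4).
GRID_POLICY = {
    "required_entitlement": "urn:mace:example.edu:entitlement:grid",
    "required_group": "cn=grid-users,ou=groups,dc=example,dc=edu",
}


def grid_authenticate(cert_subject):
    """Step (1): the uid behind a presented credential, or None if it is unknown."""
    return CERT_SUBJECT_TO_UID.get(cert_subject)


def release_attributes(requester, uid):
    """Steps (2)+(3): answer an attribute request, filtered through the ARP.
    An unknown requester or unknown uid gets an empty reply; nothing outside the
    ARP is ever copied into the response."""
    allowed = ATTRIBUTE_RELEASE_POLICY.get(requester, set())
    entry = ATTRIBUTE_AUTHORITY.get(uid, {})
    return {name: set(values) for name, values in entry.items() if name in allowed}


def authorize(released, policy=GRID_POLICY):
    """Step (4): allow/deny from the released attributes only. Returns (decision, reason)."""
    if policy["required_entitlement"] in released.get("eduPersonEntitlement", set()):
        return True, "entitlement"
    if policy["required_group"] in released.get("isMemberOf", set()):
        return True, "group"
    return False, "no matching entitlement or group"


def access_grid_service(cert_subject, requester="https://grid.example.org/compute"):
    """The whole flow (1)-(4) for one request.
    Returns (allowed, reason, names of the attributes that were released)."""
    uid = grid_authenticate(cert_subject)
    if uid is None:
        return False, "authentication failed", set()
    released = release_attributes(requester, uid)
    allowed, reason = authorize(released)
    return allowed, reason, set(released)
```

The split matters for the AuthZ-independent-of-AuthN point from slide 7: `authorize` never sees the credential or the uid, only the attribute values the campus chose to release, so changing the authentication method (or the ARP) does not require touching the access rule, and an attribute the ARP withholds cannot influence the decision.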
15
Do APAN attendees thus represent a new market for I2-style middleware?
• If so, what are likely paths of collaboration and convergence?
 • SAML and WS* and PKI interoperability, to bring institutional IAM and Grid IAM into alignment (see Project GridShib & JISC news)
 • IAM infrastructures at departmental in addition to institutional levels
 • Federations as organizational umbrellas for VOs
  • A quick glance at federation building initiatives
16
Federation Value Proposition
• Set of cooperating IdPs and SPs forms a community needing agreement on:
 • Trust Fabric
  • X.509 certs
  • IdP and SP identifiers & other metadata
 • Community standard for attribute semantics
 • Community standards for IdP and SP operational practices
  • Strength of authentication
  • Confidentiality
• For N IdPs and M SPs, which is easier?
 • N*M agreements
 • N+M agreements
17
The Research and Education Federation Space Today
[Diagram of the federation space, with these labelled nodes:]
• REF Cluster
• InQueue (a starting point)
• InCommon
• SWITCH
• The Shib Research Club
• Other national nets
• Other clusters
• Other potential US R+E feds
• State of Penn Fin Aid Assoc
• NSDL
• Slippery slope: Med Centers, etc.
• Indiana
18
Specific possibilities
• Participate in beta testing of middleware components to get your requirements into the development stream
• Participate in middleware-enhanced VO trials
• Others???
19
Q & A
• [email protected]
• http://middleware.internet2.edu
• http://shibboleth.internet2.edu
• http://grid.ncsa.uiuc.edu/GridShib
• http://middleware.internet2.edu/dir/groups/grouper
• http://middleware.internet2.edu/signet
• http://www.incommonfederation.org