TIER: Quick Preview
Steven Zoppi
AVP, NET+ Services Integration and Architecture
14 May 2014 / Notre Dame [CSG]
TIER Objective
• Build upon all of the great work the community has already done!
– This is a systems integration problem first, then an invention problem thereafter …
– Extend what works: e.g. NMI-EDIT
Taking into consideration all of the landscape that Ken K presented earlier, but delivering iteratively, at a regular cadence
Begin With the End In-Mind
• Start With a Sandbox • Show What Works • Evolve Over Time
– Thanks to Keith Hazelton, Jim Jokl, Michael Gettes, Nate Klingenstein, Bill Yock
• Reference Architecture
• Canonical Implementation
What’s the problem again?
• To Enable the Community to Consume and Integrate with Cloud Services Most Efficiently
• Mandate: Emergence of Viable and Varied Cloud Services + Increasing Geographic Diversity of Research and Education
– It’s no longer just about who you are; it’s about the spheres of influence in which you operate, combined with the means to find the resources necessary to do research, education and collaboration, and to do these things in scalable, elastic and manageable ways.
Balanced Scorecard of Control
[Diagram: Individual, Enterprise, Community, Virtual Organization]
*By the way …
Individual Identity is the sum of all MetaData known by all affiliates.
• Most service providers are not clueful about identity
• Most service providers do not understand groups
– Within Enterprise
– Across Enterprises
• Must be achieved at GLOBAL SCALE across Enterprises while maintaining MetaData/Attribute control at the Enterprise
• It will be a multi-year effort
• Must enable smooth migration or implementation over time
• Must support management of one’s own identity and have the ability for discretionary MetaData/Attribute Release
Encapsulate and Empower SPs
• Provide a series of service end-points to which the candidate SPs will connect.
• Provide services which augment or replace the SP’s AuthN or AuthZ “machinery” with those provided by TIER.
• Enable
– Faster Integration
– Greater Flexibility
– Greater Value to the Community and the SP
Challenges
Community software landscape: CAS, Shibboleth, Grouper, KIM, OpenReg, CPR, Identity Match, CoManage/CoCoA, InCert, uApprove, InCommon Assurance, CommIT, ORCID, OpenIDM, Syncope, iRODS, CILogon, U-Prove, FICAM, NSTIC, IDESG, InCommon Federation, SimpleSAMLphp, IRMA, PubCookie, InCommon Quilt, Kerberos, ConnID, OpenID Connect, OAuth, OpenICF, SCIM, XACML, Social2SAML, MDX, Metadata Aggregator, ABC4Trust, NSTIC Scalable Privacy, KOM, eduGAIN, Moonshot
• The core needs are for AuthN and AuthZ for inter-realm use
• A wide assortment of open source software has been developed by the community to address parts of those needs.
– Excellent, inconsistent, non-interoperable, hard to sustain / maintain, and still has significant gaps.
• Lacking a common approach has led to a proliferation of approaches.
Requirements
• Scalable, Multi-Enterprise, Resilient Solution
• Rationalized and Accessible API and Grammar
• Federation-Enabled
• Extensible
– Plug-in Architecture
• Support for Matrices within/without Organizations
• Support for Institutional, Statutory and Regulatory Constraint in the Semantic Layers for AuthZ
The definitive source of Scholarly Identity and Affiliation across Virtual Organizations … In The Cloud
Generalized Design
• Terminology: “Façade” design pattern (Software Engineering)
“A Façade provides a unified interface to a set of interfaces in a subsystem. Façade defines a higher-level interface that makes the subsystem easier to use. Wrap a complicated subsystem with a simpler interface.”
The TIER Façade Acts Like A Broker
[Diagram: a Cloud-Based Service calls a single API Interface; behind it, Handler “A”, Handler “B” and Handler “C” are Contained Within the Enterprise]
• Routing Decisions: decision making for which subsystem receives the target request remains within the enterprise.
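The broker role described above, together with the earlier requirement that attribute release stay discretionary and under enterprise control, is illustrated by the following Python sketch. It is an added example, not TIER's or Internet2's code: the `Facade` class, the three stand-in handlers (in place of components such as CAS/Shibboleth, Grouper and a directory), the request kinds `authn`/`authz`/`lookup`, and all SP names, groups, secrets and attribute values are constructed for the example.

```python
"""Hypothetical TIER-style facade (added example; not TIER's or Internet2's code).

One API endpoint faces the cloud-hosted service providers (SPs).  Which
subsystem handles a request, and which attributes an SP may see, are
decided inside the enterprise.  Every name and value below is constructed.
"""
from dataclasses import dataclass, field


@dataclass
class Request:
    sp_id: str                              # registered SP that issued the call
    kind: str                               # "authn", "authz" or "lookup"
    subject: str                            # principal the call is about
    params: dict = field(default_factory=dict)


# --- Enterprise-internal subsystems (stand-ins; they never face the SP) ---
class AuthnHandler:
    def __init__(self, credentials):
        self.credentials = credentials      # subject -> secret (constructed)

    def handle(self, req):
        ok = self.credentials.get(req.subject) == req.params.get("secret")
        return {"authenticated": ok}


class GroupsHandler:
    def __init__(self, groups):
        self.groups = groups                # group name -> set of subjects

    def handle(self, req):
        group = req.params.get("group", "")
        return {"member": req.subject in self.groups.get(group, set())}


class DirectoryHandler:
    def __init__(self, people):
        self.people = people                # subject -> attribute dict

    def handle(self, req):
        return dict(self.people.get(req.subject, {}))


class Facade:
    """Single entry point; routing table and release policy stay in-house."""

    def __init__(self, handlers, release_policy):
        self.handlers = handlers            # request kind -> handler
        self.release_policy = release_policy  # sp_id -> attribute names it may see

    def call(self, req):
        # Unknown SPs get nothing: the policy table doubles as the SP registry.
        if req.sp_id not in self.release_policy:
            return {"error": "unknown service provider"}
        handler = self.handlers.get(req.kind)
        if handler is None:
            return {"error": f"unsupported request kind {req.kind!r}"}
        result = handler.handle(req)
        # Discretionary attribute release: drop anything this SP is not
        # entitled to, regardless of what the subsystem returned.
        allowed = self.release_policy[req.sp_id]
        return {k: v for k, v in result.items() if k in allowed}


def build_demo_facade():
    """Wire the constructed data; returns a Facade ready to take calls."""
    handlers = {
        "authn": AuthnHandler({"alice": "s3cret"}),
        "authz": GroupsHandler({"researchers": {"alice"}}),
        "lookup": DirectoryHandler({
            "alice": {"displayName": "Alice", "mail": "alice@example.edu",
                      "employeeID": "E-1001"},
        }),
    }
    release_policy = {
        # employeeID is deliberately absent from every SP's allow-list
        "journal-sp": {"authenticated", "member", "displayName", "mail"},
        "survey-sp": {"authenticated", "displayName"},
    }
    return Facade(handlers, release_policy)


if __name__ == "__main__":
    f = build_demo_facade()
    print(f.call(Request("journal-sp", "lookup", "alice")))
    print(f.call(Request("survey-sp", "lookup", "alice")))
    print(f.call(Request("rogue-sp", "lookup", "alice")))
```

The point to notice is that the SP never addresses a handler by name and never learns which one answered; the routing table and the per-SP allow-list are the only two places an administrator has to touch to add a subsystem or change what an SP is entitled to, and both live inside the enterprise.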
Internet2 Middleware: Proposed Unified Model
[Diagram: Secure Directory, Identity and Metadata Services]
• Single Sign-on and Identity Components: AuthN (Who), Multi-Factor, Multi-Level (Groups), AuthZ (What), Business Rules Engine / Grammar
• Federated Registry (Directory Search / Lookup): Network Objects (Files, Datasets, etc.), People, Files / Datasets, Nodes
• Metadata Registry Services: Persistence and Replication
• Lightweight Workflow Services: Automated Provisioning / Deprovisioning and Rules Enforcement