Post on 21-Jan-2016
Internet2: building and using an advanced network environment for research, teaching and learning
APRU CIO Forum, 23 March 2007
Heather Boyles, heather@internet2.edu
Keith Hazelton, hazelton@doit.wisc.edu
Ann Doyle, adoyle@internet2.edu
Outline
• Internet2 Overview
– Brief introduction: Overview of developments, services, activities of the Internet2 community
– International R&E network connectivity overview - especially related to APRU institutions, Pacific Rim infrastructure and opportunities for collaboration
• Identity Management for Inter-institutional collaboration
– Campus identity management developments in the Internet2 community
– Identity management federations and their relationship to networked collaboration
– Federation developments in the APRU community and opportunities for international cooperation
An Asset for the Community
Universities
Researchers
Regional Networks
K-12
Industry
International
Internet2 Activities
Internet2 Network
• Hybrid optical and IP network
• Dynamic and static wavelength services
• Fiber, equipment dedicated to Internet2; Level 3 maintains network and service level
• Platform supports production services and experimental projects
Internet2 Network - Layer 1
Internet2 Network Optical Switching Node
Level3 Regen Site
Internet2 Redundant Drop/Add Site
ESnet Drop/Add Site
NREN organizations and networks serving APRU institutions
Australia AARNET
Canada CANARIE – CA*net
Chile REUNA
China CERNET, CSTNet
Taiwan TWAREN
Indonesia ITB*
Japan SINET, JGN2
Korea KOREN, KREONET2
Malaysia MYREN
Mexico CUDI
New Zealand REANNZ - KAREN
Philippines PREGINET
Russia RBnet, RUNNET
Singapore SingAREN
Thailand UNINET, ThaiSARN (ThaiREN)
USA Internet2, NLR
Pacific Rim R&E Networking
• Trends in global R&E networking
– Increasing interconnectedness
• Number of countries connected, including lesser-developed
• Number of connections, bandwidth
– Regionalization
• TEIN2 network in Southeast Asia
• CLARA in Latin America
– Hybrid network capabilities
• Beyond best-efforts shared IP
• Dedicated circuits to support major global science collaborations
Current AARNet3 Footprint
TransPAC2 Topology
Internet2 Activities
Internet2 Middleware Goals
• Much as at the network layer, create a ubiquitous common, persistent & robust core middleware infrastructure for the R&E community
• In support of inter-institutional & inter-realm collaborations, provide tools & services (e.g. registries, bridge PKI components, root directories) as required
Inter-institutional Collaboration is the Driver
• One institution hosting course-content for another
• Students at one college taking an on-line course from another college
• Libraries purchasing licenses for multiple vendors with specific access policies
• Researchers making resources available to project members at other schools (e.g. grid resources)
• Schools in state systems or articulation relationships that require mutual access to services
What questions are common to these scenarios?
• Are the people using these services who they claim to be?
• Are they a member of our campus community?
• Have they been given permission?
• Is their privacy being protected?
Identity Management (IdM)
• “Hi! I’m Lisa.” (Identity)
• “…and here’s my NetID / password to prove it.” (Authentication)
• “I want to do some E-Reserves reading.” (Authorization: Allowing Lisa to use the services for which she’s authorized)
• “And I want to change my grade in last semester’s Physics course.” (Authorization: Preventing her from doing things she’s not supposed to do)
Federated Approach to support inter-institutional collaboration
• Federated Identity & Access Management
– Rely on the Identity Management infrastructure of institutions
– To authenticate and pass authorization-related information to service providers or resource hosts
– Via institution-to-provider agreements
– Facilitated by common membership in a federation (like InCommon)
• Shibboleth is a way to move the authN/authZ (authentication and authorization) info between parties
What is Shibboleth? (federating software system)
• An initiative to develop an architecture and policy framework supporting the sharing - between domains - of secured web resources and services
• A framework built on a “Federated” model
• A project delivering an open source implementation of the architecture and framework
• Deliverables: open-source, standards-based, privacy-preserving federating software
– Software for identity providers = campuses (origins)
– Software for resource providers (targets)
– Operational Federations (scalable trust)
What are Federations?
• An association of organizations that come together to exchange information as appropriate about their users and resources in order to enable collaborations and transactions.
• Uses common policy, technology, and business practices to establish trust
• Access services from (or provide services to) other institutions, corporate partners, government organizations
• A contractual arrangement
Identity Federations
• Enroll locally
• Authenticate locally
• Assign attributes locally
• Act federally
Identity Federations
• Simplified usability for all collaborations
• Home organizations carefully manage the release of personal information
• On-line resource providers focus on the protection and authorization of use of their on-line resources
• A federation of higher education, by higher education, for higher education (in US)
InCommon Federation
• Created to support US Higher Education and its research and business partners
• Federation operator is an LLC operated by Internet2
• Builds on existing campus identity management and single sign-on systems
• Makes use of open industry standards (SAML) and open source federating software (Shibboleth)
InCommon Members 2/27/07
Case Western Reserve University, Clemson University, Cornell University, Dartmouth, Duke University, Florida State University, Georgetown University, Miami University, New York University, Ohio University, Penn State, Stanford University, Stony Brook University, SUNY Buffalo, The Ohio State University, The University of Chicago, University of Alabama at Birmingham, University of California, Irvine, University of California, Los Angeles, University of California, Merced, University of California, Office of the President, University of California, Riverside, University of California, San Diego, University of Maryland, University of Maryland Baltimore County, University of Maryland, Baltimore, University of Rochester, University of Southern California, University of Virginia, University of Washington, University of Wisconsin - Madison
Cdigix, EBSCO Publishing, Elsevier ScienceDirect, Houston Academy of Medicine - Texas Medical Center Library, Internet2, JSTOR, Napster, LLC, OCLC, OhioLink - The Ohio Library & Information Network, ProtectNetwork, Symplicity Corporation, Thomson Learning, Inc., Turnitin, WebAssign
InCommon Uses
• Access control to content
– Popular content - Napster, CDigix, etc
– Scholarly content - Google, OCLC WorldCat
– Downloads - Microsoft
• Access to external services
– Student travel, charitable giving, web learning and testing, plagiarism testing service, etc.
– Allure for alumni services and other internal businesses
– Student loans, student testing, graduate school admissions, etc.
• Access to national services
– The National Science Digital Library
– The Teragrid pilot: building on Shibboleth and GridShib
GridShib
• “Integrating federated authorization infrastructure (Shibboleth) with Grid technology (the Globus Toolkit) to provide attribute-based authorization for distributed scientific communities”
• http://gridshib.globus.org/
GridShib - from Von Welch
• Allow the Grid to scale by leveraging existing campus identity management (IdM)
– Consider Shibboleth as the interface to campus IdM systems
– Get out of the identity management game
• Make joining the Grid as easy as possible for users
– No separate long-term credential for Grid access to manage
– No new passwords, certificates, etc
• Allow campus attributes and VO attributes to be aggregated and used by the Grid for authorization
– Allow for scalability in user base through attribute-based authorization - i.e. know groups of users instead of individual users
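The federated approach from the earlier slides (enroll, authenticate and assign attributes locally; act federally on trust established through federation membership) and GridShib's attribute-based authorization, as an added Python illustration that is not Shibboleth or GridShib code: a constructed identity provider (IdP) authenticates a user locally, releases only the attributes its policy allows for a given service provider (SP), and the SP accepts the assertion because the issuer and its key appear in the federation metadata, then authorizes on group membership rather than on a per-user account. The hostnames, user record, release policy and the HMAC secret standing in for an X.509 signing certificate are all constructed assumptions (real SAML assertions carry XML signatures).

```python
import hashlib, hmac, json

# Constructed federation metadata: the federation operator tells each member which
# identity providers (IdPs) are trusted and what key verifies their assertions.
# Simplification: an HMAC secret stands in for the IdP's X.509 signing certificate.
FEDERATION_METADATA = {"idp.example-university.edu": b"constructed-idp-signing-key"}

# Constructed campus directory: enrolment and attributes are managed locally.
IDP_USERS = {"lisa": {"password": "correct horse", "affiliation": "student",
                      "groups": ["physics-201"]}}

# Attribute release policy: the home organization decides what each SP sees.
RELEASE_POLICY = {"ereserves.example-library.org": ["affiliation"],
                  "grid.example-vo.org": ["affiliation", "groups"]}


def idp_issue_assertion(idp, user, password, sp):
    """Authenticate locally; on success return a signed assertion carrying only
    the attributes released to this service provider (None on failure)."""
    record = IDP_USERS.get(user)
    if record is None or not hmac.compare_digest(record["password"], password):
        return None
    attrs = {name: record[name] for name in RELEASE_POLICY.get(sp, [])}
    payload = json.dumps({"issuer": idp, "audience": sp, "attributes": attrs},
                         sort_keys=True)
    sig = hmac.new(FEDERATION_METADATA[idp], payload.encode(), hashlib.sha256).hexdigest()
    return {"payload": payload, "sig": sig}


def sp_authorize(sp, assertion, required):
    """Accept the assertion only if it comes from a federation member, is
    addressed to this SP and is intact; then decide on attributes alone, so
    the SP never sees the user's password and needs no local account."""
    if assertion is None:
        return False
    claims = json.loads(assertion["payload"])
    key = FEDERATION_METADATA.get(claims.get("issuer"))
    if key is None or claims.get("audience") != sp:
        return False
    expected = hmac.new(key, assertion["payload"].encode(), hashlib.sha256).hexdigest()
    if not hmac.compare_digest(expected, assertion["sig"]):
        return False
    attrs = claims["attributes"]
    for name, wanted in required.items():
        value = attrs.get(name)
        # a multi-valued attribute (e.g. groups) matches if any value is the wanted one
        if value != wanted and not (isinstance(value, list) and wanted in value):
            return False
    return True
```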
Research and Education Federations around the world
• Growing national federations
– UK, France, Germany, Switzerland, Australia, Netherlands, Norway, Spain, Denmark, etc.
– Many (most) operated by National Research and Education Network (NREN) organizations
– Many are Shib-based; all speak Shib on the outside…
• US Federations
– InCommon (Internet2)
– State-based
• Texas, UCOP, Maryland, etc.
Federation activities in APRU countries
Australia Federation in formation
Canada Federating activity going on
Chile
China CERNET experimenting with Shibboleth
Taiwan
Indonesia
Japan UPKI initiative of 7 national universities
Korea
Malaysia
Mexico
New Zealand Pilot activity
Philippines
Russia
Singapore
Thailand
USA InCommon Federation up and running
Ways to engage in national identity federation work
• Internet2 working groups
• TERENA (Europe) EMC2 working group
• APAN middleware working group
• TestShib
– Open to non-US institutions
– An opportunity to try out a Shib implementation
Thanks!
• www.internet2.edu
• heather@internet2.edu