
Post on 27-Dec-2015


Stuff

Ken Klingenstein

kjk@internet2.edu

Stuff sack

• InCommon Stuff
• Infocard, OpenID, etc.
• Federation soup
• Cormack slides on EU (and US) privacy
• International federation & Liberty Alliance
• ISOC and Identity and trust
• COmanage and collaboration support
• Kumbaya for open source middleware?
• Rumors and gossip


About federating software…

• Shibboleth project formation - Feb 2000
• OASIS starts SAML work; linkages with Shib established Dec 2000
• Release dates: Shib alpha1 April 2002, OpenSAML July 2002, Shib v1.0 April 2003
• SAML TC evolved a fusion of Liberty, Shib and SAML into SAML 2.0 Nov 2005
• Microsoft-led business consortium develops WS-*, including WS-Fed, 2002-2008
• Closure likely next year around SAML 2.0 and Shib metadata as the first metadata profile in OASIS


InCommon

• Approximately 90 members and growing steadily
• More than two million “users”
• Most of the major research institutions
• New types of members
  • Non usual suspects – Lafayette, NITLE, Univ of Mary Washington, etc.
  • National Institutes of Health, soon NSF and research.gov
  • Energy Labs, ESnet, TeraGrid
  • MS, Apple, soon Google
  • Student service providers
• Steering Committee chaired by Clair Goldsmith of Univ of Texas; Technical Committee chaired by Renee Shuey of Penn State


Uses

• Access controlled wikis
• Access to academic content, such as Elsevier
• Access to popular content, such as Cdigix
• Access to Microsoft, iTunes U
• Access to services, such as student travel agencies, testing services, etc.
• Access to Grid computational resources, portal providers, recruitment services, etc.
• Access to external apps (e.g. Google Apps for Education) and clouds


InCommon

• Impacts of federation are real
  • Dreamspark - Microsoft delivery of developer kits, source code, etc. to students (https://downloads.channel8.msdn.com/); over 50% of all download traffic from Microsoft was federation-enabled one week after announcement.
  • {Federation + persistent, opaque identifier + attributes with consent} addresses international privacy requirements.
• InCommon Silver, a new profile, is now being deployed to serve higher-assurance applications
• Federated SharePoint and federated wikis are proving to be killer apps…
• www.incommonfederation.org


A brief history of federations

• Federations at national levels in several countries, beginning with a variety of protocols and converging on SAML

• Federations form along natural relationships – state university systems, state educational agencies, regional optical networks,…

• Federations in the business context begin as 1-1 (outsourced services, like accounting) and sometimes grow into hub and spoke (e.g. automobile industry)

• Other types of identity federations exist in pockets (e.g. federated PKI roots for IGTF)


Federation Soup

• Workshop held early June
• Brought together all manner of federations to figure out federation relationships
  • InCommon, JISC, state federations, library federations, university system federations, grid federations, etc.
• Topics include alignment of policies, technologies, attributes, metadata, etc.
• Approaches include peering, nested, leveraged, and a whole lot of ad hoc
• Web site at https://spaces.internet2.edu/display/FederationSoup/Home


Why we are here: Interfederation Interactions

• Peering and soup
• Service providers often belong to multiple federations; some identity providers are being asked to join several federations
• Federal government interactions happening, but not as first anticipated
• Virtual organizations (e.g. OOI and LIGO) are now presenting real use cases that require international federation interactions
• Other sectors keenly watching us


Workshop Goals and Outcomes

• Inform specific efforts
  • fostering of local federations
  • blending of local federations with national ones
  • minimizing challenges down the road through some up-front consensus and coordination (à la federation best practices)
  • international peering/soup
• Exchange governance and organizational approaches
• Understand businesses and business models
• Establish ongoing mechanisms for communication and coordination
• Grow community


Some soup dimensions

• Alignments – LOA, attributes, user experience
• Legal models – dispute resolution, indemnification, etc.
• Business models – operator, source of funds, services offered, communities served
• Privacy management and international issues
• User experience – large multiplier…


Federations.org

• Interfederation of national R&E federations
• More peering than soup
• Possible activities
  • Reference point for new national federations
  • Aggregation of common materials
  • Triage for SPs that want to learn how to deal with multiple federations
  • Assist in taking the federation template doc to RFC status
  • IDABC and EU Article 29 coordination
• Successor to REFEDS (http://www.terena.org/activities/refeds/)


International Activities

• http://www.terena.org/activities/refeds/
  • A summary of discussions among R&E networks, including a survey of national efforts
• http://www.jisclegal.ac.uk/access/
  • Excellent policy analytics, especially around international issues of privacy, peering, and attributes
• http://ec.europa.eu/idabc/
  • Trans-European activities in IdM for use among citizens, governments, and businesses


Peering Parameters

Parameters:

• LOA
• Attribute mapping
• Legal structures
  • Liability
  • Adjudication
• Metadata
• VO Support
• Economics
• Privacy


Peering frameworks

• JISC Member-Federated Operator analysis
  • Feasibility of cross-federation

• EAuth-InCommon peering corpse

• Kalmar Union

• JISC template for inter-federation


Next soup steps

• Affinity group in system federations
• State feds – not yet
• PII normalization
• Ask NACUA
• Coping with EU privacy compliance
• Interfederation template agreement
• InCommon as a focus point for interfederation in the US


Trust, Identity and the Internet

• ISOC initiative to introduce trust and identity-leveraged capabilities to many RFCs and protocols

• Acknowledges the assumptions of the original protocols about the fine nature of our friends on the Internet and the subsequent realities

• Will leverage both federated and p2p trust (for those instances where there is no trusted IdP)

• http://www.isoc.org/isoc/mission/initiative/trust.shtml
• Dublin IETF at the end of July kick-off…


ISOC Key Objectives

• Architecture and Trust: implementing open trust mechanisms throughout the full cycle of Internet research, standardization, development and deployment

• Current Problems/Solutions and Trust: mitigating the social, policy, and economic factors that may hinder development and deployment of trust-enabling technologies

• Identity and Trust: elevating "Identity" to a core issue in network research and standards development


Infocard, OpenID, etc.

• OpenID: widespread inter-site authn
  • lightweight technically and legally
  • you get what you pay for…
  • Warrants intelligent integration with federated identity
• User control of identity selection and attribute release becoming critical
  • One model is the ARPviewer approach
  • Another attractive model is InfoCard
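The pattern the InCommon slide states as {federation + persistent, opaque identifier + attributes with consent}, and the user-controlled attribute release this slide raises, as an added example (not code from the slides, nor from InCommon, Shibboleth or the ARPviewer): an IdP derives a pairwise identifier from an IdP-only salt so service providers cannot correlate a user across sites, and releases attributes only where both the per-SP release policy and the user's consent allow. The salt, entity IDs, attribute names and policy are constructed for the example.

```python
import hashlib
import hmac

# Constructed sample values (hypothetical, not from the slides): an IdP-side secret
# salt that is never shared with SPs, and a per-SP attribute release policy (ARP)
# listing which attributes may be sent and which the SP has declared as required.
IDP_SALT = b"constructed-idp-secret-salt-keep-private"

ARP = {
    "https://sp.example.org/shibboleth": {
        "allowed": {"eduPersonScopedAffiliation", "mail", "displayName"},
        "required": {"eduPersonScopedAffiliation"},
    },
    "https://wiki.example.edu/shibboleth": {
        "allowed": {"eduPersonScopedAffiliation"},
        "required": {"eduPersonScopedAffiliation"},
    },
}


def persistent_opaque_id(user_id: str, sp_entity_id: str, salt: bytes = IDP_SALT) -> str:
    """Pairwise pseudonymous identifier: stable for one user at one SP, different at
    every other SP, and not reversible to the local user id without the IdP salt."""
    mac = hmac.new(salt, f"{sp_entity_id}!{user_id}".encode("utf-8"), hashlib.sha256)
    return mac.hexdigest()


def release_attributes(user_attrs: dict, sp_entity_id: str, consented: set):
    """Release only attributes the ARP allows for this SP AND the user consented to.
    Unknown SP -> nothing. A withheld required attribute -> None, so the IdP can
    refuse to assert instead of sending an assertion the SP cannot use."""
    policy = ARP.get(sp_entity_id)
    if policy is None:
        return {}
    released = {name: value for name, value in user_attrs.items()
                if name in policy["allowed"] and name in consented}
    if not policy["required"].issubset(released):
        return None
    return released


def build_assertion(user_id: str, user_attrs: dict, sp_entity_id: str, consented: set):
    """Assertion payload in the shape the slide describes: opaque subject plus
    consented attributes; None when consent leaves a required attribute out."""
    attrs = release_attributes(user_attrs, sp_entity_id, consented)
    if attrs is None:
        return None
    return {"subject": persistent_opaque_id(user_id, sp_entity_id), "attributes": attrs}
```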


Collaboration and Federated Identity

• Two powerful forces being leveraged
  • the rise of federated identity
  • the bloom in collaboration tools, most particularly in the Web 2.0 space but including file shares, email list processors, etc.

• Collaboration management platforms provide identity services to “domesticated” collaboration applications

• Results in user- and collaboration-centric identity, not tool-based identity


A Bloom of Collaboration Tools

• An over-abundance of new tools that provide rich and growing collaboration capabilities (aka Web 2.0)

• Do you
  • Wiki, blog, Moodle, Sakai, IM, chat, videoconference, audioconference, calendar, Flickr, NetMeeting, Access Grid, DimDim, listserv, WebDAV, etc.
  • Share files among workgroups, access Elsevier, work with the IEEE, etc.
• No uber-app – limits invention and community of users
• 3 - 4 is fine, but many per user is hard to manage
• Leads to the need to manage the collaborations and their tools


COmanage

• A collaboration management platform, supported in part by an NSF OCI grant, being developed by the Internet2 community, with Stanford as a lead institution

• “Domesticated” applications externalize their identity management dimensions to a general identity/group/privilege/etc. repository (LDAP, MySQL, etc.)

• Users manage IdM in a collaboration-centric way, not in a tool-centric way

• Uses Shibboleth, Grouper, and Signet
• Open source, open protocol


COmanage

• A “stand-alone” platform to manage IdM for many different applications.

• User accounts to access COmanage can be based in COmanage or, preferably, federated.

• COmanage can provide authentication and authorization services (group membership, privilege management, etc) to apps

• The “stand-alone” can be readily replumbed to be fully integrated into enterprise, federated or other attribute ecosystems as they develop


Two types of application enablement

• “Domesticated” apps know to draw their entitlements, attributes and roles from the CMP directory or db or… (something external to the app)

• Other apps can have information from COmanage pushed into them
  • Static or dynamic provisioning
  • Connectors could be X.509 certs, SAML assertions, etc.


Domesticated applications

• Applications that externalize their identity management dimensions

• Domestication typically goes in stages – first identity, then group and privilege management, perhaps then provisioning

• Domestication relative to the external access protocols used (SAML, LDAP, MySQL, web services, etc.)

• Applications domesticated or being targeted
  • Sympa, Confluence, Asterisk (open-source IP audioconferencing), DimDim (open-source web meeting), Bedework (federated open-source calendar), Subversion, JIRA, Alfresco, Foodle

• Finally domain science resources – instruments, Grids, etc.

[Diagram: Collaboration Management Platform (CMP) and the Attribute Ecosystem. Home Org & Id Providers / Sources of Authority (University A, University B, Laboratory X) feed attribute ecosystem flows into the CMP, whose functions are Authentication, PeoplePicker, CoAuthorization (Group Info), Authorization (Privilege Info), an Attribute/Resource Info Data Store and other functions; the CMP manages Collaboration Tools/Resources and their application attributes: Federated Wiki, Domain Science Grid, Domain Science Instrument, File Sharing, Calendar, Phone/Video Conference, Email List Manager.]


COmanage specifics

• Wiki, dev and users being set up
• Beta release in July, 1.0 in August, OpenLDAP as the data store
• Debian VMware
• Domesticated apps in bundle where licenses permit
• Testing in several venues and VOs
• GUI issues, modularity of components issues under discussion


Kumbaya for open source?

• Now that people believe there is a middleware layer, they want only one of them…

• Most open source apps started well before plumbing and middleware

• Some left open APIs, etc.; some didn’t

• Alignment between JA-SIG, Kuali Student, Kuali Financials, OKI, Fedora, Dspace, Sakai, etc. happening, slowly, intermittently, but happening…


Rumors and Gossip

• Nuclear winter at summer solstice
• Internet2, strategic planning and tactical
• NLR and Darkstrand

• NSF and OCI

• Teragrid, OGF, Condor, Genesis II, etc.