~60 staff

1. Collaborators around the world2. Supports communities of collaborators

external to Internet23. Community uses wiki, mailing lists, instant

messaging, voice conferencing services4. Doesn’t want to be in the identity issuance

business for external collaborators5. Need to allow external + internal

collaborators to use same service instances

A Short description of Internet2

A MiddlewareUnified Field Theory

Identity Management / Directories Privileges / Groups

Single Sign-On / FederationDiagnostics

Enterprise Integration

from network to application Michael R GettesInternet2

October 2007An interpretation of the original MACE mission

What do we want?

Inter-EnterpriseWorkgroup

Collaborations

not sexy

or

Collaborative

Organizations

CO

Identity

Groups

Privileges

Federated Access

and …

Applications

“It’s the App stupid!”

Give

COntrol

To

COmmunity Members

Integrate withExisting

COmmonIT Infrastructures

in

Higher Education

FlexibleScalableModular

COmponents

S H I B B O L E T H

LDAP-PC

Signet Grouper

LDAPDirectory

IdentityMgr

Applications & Network

CO

stop talkingstart walking

demo

COmanage.internet2.edu

COmponents

S H I B B O L E T HS H I B B O L E T H

LDAP-PC

Signet Grouper

LDAPDirectory

IdentityMgr

Applications & Network

CO

Comanage …

is only a demonstration ofthe CO model

a CO fits within a service

delivery strategy

Application Management

App Access to data ismanaged by LDAP (initially)

Identity data can be distributed by any desired mechanism in the future. SQL databases, feeds, message bus technologies.

Many COson a single server

(if you wanna do that)

Grouper/Signet/LDAP-PC

Identity Mgr

Grouper/Signet/LDAP-PCGrouper/Signet/LDAP-PCGrouper/Signet/LDAP-PCGrouper/Signet/LDAP-PCGrouper/Signet/LDAP-PCGrouper/Signet/LDAP-PCGrouper/Signet/LDAP-PCGrouper/Signet/LDAP-PC

LDAP

Application setApplication setApplication setApplication setApplication setApplication set

No local identity issued for external users to access

CO servicesbig win!

O=University,c=USou=People (this is where 50K fac/staff/stu might reside)ou=CO (external identities for CO go here)ou=Groups (a place to store groups for all)

Example directory tree for CO environment

Applications pointed here for identitiesyields the union of internal and external

Future…Begin addressing issues of “attribute

eCOnomy”Protect CO by Identity Provider…

can solve “IEEE problem”?

Web site wants to

know:Are you a

member of IEEE?

MyUniversity

IEEE-COThis org hasmembershipdata but doesnot manageidentity - a COwith onlyexternal users.

User

HomeIdentity Provider

Diagnostics

Lifting up shib log filesand making EDDY deposits

Creating a unified and federated view of diag data•Network data: flows, snort, snmp•System stats: cpu, i/o, mem, etc…•Infrastructure: shib, ldap, authN, etc…•Application: http, confluence, sympa, calendar

etc, etc, etc…

http://web.cmu.edu/eddy

Network Layer?Why not?

Integrate with Grids?Why not?

Addresses VO scenarios?Why not?

VOVO?CO

Make your opinion known…

Should Internet2 use COmanage for service delivery?

Rick Summerhill rrsum@internet2.eduCheryl Fremon cmfremon@internet2.edu

and kjk@internet2.eduand gettes@internet2.edu