Date posted: 24-Dec-2015
New CyberInfrastructure for Collaboration between Higher Ed and NIH
Presenter’s Name
Topics
• Drivers in the R&E community
• A very brief history of federated identity
• Shibboleth and InCommon today
• How robust is the cyberinfrastructure
• Collaboration and federated identity
Drivers in the R&E community
• Strong, urgent needs to collaborate inter-institutionally
  • First TCP/IP, now federated identity
  • Importance of Virtual Organizations
• A common infrastructure to serve research, educational, and administrative needs
• Need to preserve privacy and provide rich attribute exchange mechanisms
A brief history of federated identity
• Shibboleth discussions begin in Feb 2000 at a meeting of higher ed’s best/brightest IT architects
• OASIS SAML effort forms December 2000 and engages higher ed to align work
  • SAML would handle basic formats for attribute packets and simple push/pull protocols for exchanging them
  • Shibboleth would build on SAML mechanisms for multilateral federation support, user control of privacy, metadata, etc.
  • Shibboleth::SAML ~ TCP::IP
• Three of the seven authors of the SAML 1 spec are Shib folks; the technical editor of SAML 2.0, Scott Cantor of OSU, is the lead Shib architect
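The "user control of privacy" that Shibboleth layered on top of SAML attribute exchange comes down to deciding, per service provider, which attributes are allowed to leave the identity provider at all. The following is an added example, not code from this deck or from the Shibboleth project: a simplified Python model of an IdP attribute-release policy, plus a pairwise pseudonymous identifier in the style of eduPersonTargetedID. The SP entityIDs, the user record and the salt are constructed for the example; the eduPerson attribute names are the standard ones, but their use here is illustrative.

```python
import hashlib
import hmac

# Constructed per-SP release policy, keyed by the SP's SAML entityID (made-up values).
# This mirrors the idea behind the Shibboleth IdP attribute filter: an SP receives
# only the attributes it has a documented need for, nothing else.
RELEASE_POLICY = {
    "https://journals.example.org/shibboleth": {
        "eduPersonScopedAffiliation",  # enough to prove "member of a subscribing campus"
        "eduPersonTargetedID",         # pairwise pseudonym, so the publisher cannot build a cross-site profile
    },
    "https://wiki.nih.example/shibboleth": {
        "eduPersonPrincipalName", "mail", "displayName", "eduPersonEntitlement",
    },
}

# Long-lived secret held only by the IdP (constructed value for the example).
IDP_SALT = b"constructed-idp-salt-for-the-example"


def targeted_id(user_id: str, sp_entity_id: str, salt: bytes = IDP_SALT) -> str:
    """Pairwise pseudonymous identifier: stable for one (user, SP) pair, different
    for every other SP, and not reversible without the IdP's salt."""
    mac = hmac.new(salt, f"{user_id}!{sp_entity_id}".encode("utf-8"), hashlib.sha256)
    return mac.hexdigest()


def release(user_record: dict, sp_entity_id: str, policy: dict = RELEASE_POLICY) -> dict:
    """Return only the attributes the policy allows for this SP. An SP that is not
    in the policy gets nothing, so the privacy side fails closed."""
    allowed = policy.get(sp_entity_id, set())
    released = {}
    for name in allowed:
        if name == "eduPersonTargetedID":
            released[name] = targeted_id(user_record["uid"], sp_entity_id)
        elif name in user_record:
            released[name] = user_record[name]
    return released


# Constructed directory record for one user.
ALICE = {
    "uid": "alice",
    "eduPersonPrincipalName": "alice@uw-m.example",
    "mail": "alice@uw-m.example",
    "displayName": "Alice Example",
    "eduPersonScopedAffiliation": ["faculty@uw-m.example", "member@uw-m.example"],
    "eduPersonEntitlement": ["urn:mace:dir:entitlement:common-lib-terms"],
}

if __name__ == "__main__":
    for sp in RELEASE_POLICY:
        print(sp, "->", release(ALICE, sp))
    print("unknown SP ->", release(ALICE, "https://unknown.example/shibboleth"))
```

The HMAC keeps the pseudonym stable for one SP, so that SP can hold a session or a per-user profile, while two SPs comparing their identifiers cannot tell they are looking at the same person. That is the property a journal publisher needs, whereas a research wiki at NIH legitimately needs the real principal name and mail address, and the policy expresses exactly that difference.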
Shibboleth use
• ~ 12 M in Europe/Asia and ~6 M in the US; growing exponentially in many countries; almost all Shib 1.3
• Almost all users do not know they are using it (some may see a redirect…) but that is to change
• OpenSAML used by Google, Verisign, etc.
Federations
• Federations are now occurring broadly, and internationally, to support inter-institutional and external partner collaborations
• Almost all in the corporate world are bi-lateral; almost all in the R&E world are multilateral
• Federations are learning to peer
• Internal federations are also proving quite useful
R&E Federations
• Substantial deployments in many countries, including UK, Norway, Switzerland, Sweden, Australia, France, Denmark, Finland, Spain, Germany, Netherlands, etc. Coverage in a number of countries is now 100%.
• InCommon, Texas (three federations), UCTrust, CalState Trust, CCLA of Florida, CC of Washington State
• DHS + DOJ
InCommon
• US R&E Federation, a 501(c)3
• Addresses legal, LOA, shared attributes, business proposition, etc
• Members are universities, service providers, government agencies, national labs
• Over 70 organizations and growing steadily; 1.3 million user base now, crossing 2 million by the end of the year
• Almost all use is transparent to users (it's middleware) but that is about to change
• www.incommonfederation.org
Uses
• Access controlled wikis
• Access to academic content, such as Elsevier
• Access to popular content, such as Cdigix
• Access to services, such as student travel agencies, testing services, Grid computational resources, portal providers, recruitment services, etc
• (Trust base for dynamic circuit authorization/accounting)
• (Access to parts of MS)
• (Google Apps for Education)
The Higher Ed interests in federated NIH
• Researchers using their campus credentials to access major NIH data and computational resources such as BIRN and caBIG
• Researchers using local credentials to submit grant proposals, compliance certificates
• Administrators using local credentials, or roles, to submit regular statistical reporting
• Students using enrollment in appropriate campus courses to access federal research materials
Benefits for the campus
• Improve the overall security environment
  • Reduce accounts, improve identity vetting, etc
• Provide enhanced services for their researchers
  • Privacy management, integrated workflows, manage firewalls etc.
  • Ability to integrate research with instruction in a more sustainable fashion
• Reduce exposure of internal passwords to off-campus sites
• Motivate the campus business processes to improve local identity management
It works both ways – NIH as an identity provider
• Researchers at NIH wanting to participate in academic processes
  • Using your NIH credential to access Elsevier journals, with privacy-protection enabled
  • Accessing a controlled campus research wiki using NIH credentials
• Staff at NIH wanting to access inter-realm resources
  • Using the NIH login to access professional development society materials
  • Soon, access to MS
• NIH interns using their NIH credentials for medical school applications
• Students-only services, portal providers, etc…
For application owners
• Scalable growth in communities of users
• Relief from much of the pain of identity management
• Compliance with privacy directives
• The potential to offer higher risk applications in a secure and scalable fashion
The Transition Barriers
• The duct tape and the yellow sticky
  • Either run dual systems for a while or ask some of the existing user base to do a one-time change
• Not all the pieces for scale are in place yet
  • Getting to the network externality level in use
Robustness of infrastructure
• Coverage
• Reliability
• How good is the credential
Coverage and Reliability
• Shibboleth deployment widespread but often in local or state federations
• InCommon is growing steadily, and has a more significant research institution percentage
• Peering is not yet in place
• The enterprise directory and federation platform are usually redundant/load-balanced and secured systems.
How good is the credential
• As good as it needs to be…
  • Broadly, credentialing in higher ed is good; it is the scope of who is granted an identity that is unusual
  • Campuses can do strong identity proofing, two factor authentication and extended audits for key subsets of their users that need such strength
• At most campuses, assertions within minutes can reflect account compromise, loss of credentials by the user, suspension of privileges by the campus, etc.
• DOJ and DHS
Collaboration and Federated Identity
• Two powerful forces being leveraged
  • the rise of federated identity
  • the bloom in collaboration tools, most particularly in the Web 2.0 space but including file shares, email list procs, etc
• Collaboration management platforms provide identity services to “well-behaved collaboration applications”
• Results in user and collaboration centric identity, not tool-based identity
Such interesting use cases
• UW-M wants to put their strategic planning process on a wiki and solicit inputs. They would like the inputs to be restricted to campus members but also be anonymous
• A class wiki has write access restricted to enrolled students, and another section available only to TA’s
• Permitting specific external users to view parts of some users' calendars (e.g. allowing certain collaborators to search a local user's calendar for open space)
• Scientific and administrative integrated workflow
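The first two use cases above are attribute-based authorization decisions that the service provider makes after it has accepted a SAML assertion from the campus IdP. The following is an added example, not code from this deck, from the Shibboleth project, or from UW-M: a Python sketch of the SP side that checks the assertion's validity window and audience (the short window is what lets the "within minutes" revocation on the robustness slide take effect at the next login), extracts the eduPerson attributes, and applies policy for an anonymous-but-campus-only planning wiki and a class wiki with student write access and a TA-only section. The assertion, entityIDs and group names are constructed; XML signature verification is assumed to have been done by the SP software before this logic runs.

```python
import xml.etree.ElementTree as ET
from datetime import datetime, timezone

SAML_NS = {"saml": "urn:oasis:names:tc:SAML:2.0:assertion"}

# Constructed SAML 2.0 assertion as a campus IdP might send it to a campus wiki SP.
# Attribute Names are the eduPerson OIDs; the policy below keys on FriendlyName.
# The Signature element is omitted: the SP software verifies XML-DSig against the
# IdP's federation metadata before any of this code is reached (assumption).
SAMPLE_ASSERTION = """<saml:Assertion xmlns:saml="urn:oasis:names:tc:SAML:2.0:assertion"
    ID="_constructed1" Version="2.0" IssueInstant="2015-12-24T10:00:00Z">
  <saml:Issuer>https://idp.uw-m.example/idp/shibboleth</saml:Issuer>
  <saml:Conditions NotBefore="2015-12-24T10:00:00Z" NotOnOrAfter="2015-12-24T10:05:00Z">
    <saml:AudienceRestriction>
      <saml:Audience>https://wiki.uw-m.example/shibboleth</saml:Audience>
    </saml:AudienceRestriction>
  </saml:Conditions>
  <saml:AttributeStatement>
    <saml:Attribute Name="urn:oid:1.3.6.1.4.1.5923.1.1.1.9" FriendlyName="eduPersonScopedAffiliation">
      <saml:AttributeValue>student@uw-m.example</saml:AttributeValue>
      <saml:AttributeValue>member@uw-m.example</saml:AttributeValue>
    </saml:Attribute>
    <saml:Attribute Name="urn:oid:1.3.6.1.4.1.5923.1.5.1.1" FriendlyName="isMemberOf">
      <saml:AttributeValue>cs101-students</saml:AttributeValue>
    </saml:Attribute>
    <saml:Attribute Name="urn:oid:1.3.6.1.4.1.5923.1.1.1.10" FriendlyName="eduPersonTargetedID">
      <saml:AttributeValue><saml:NameID Format="urn:oasis:names:tc:SAML:2.0:nameid-format:persistent">constructed-pairwise-id-0123</saml:NameID></saml:AttributeValue>
    </saml:Attribute>
  </saml:AttributeStatement>
</saml:Assertion>"""


def _parse_time(value: str) -> datetime:
    """SAML timestamps are UTC with a trailing Z."""
    return datetime.strptime(value, "%Y-%m-%dT%H:%M:%SZ").replace(tzinfo=timezone.utc)


def validate_conditions(root, expected_audience: str, now: datetime) -> bool:
    """Reject assertions that are expired, not yet valid, or meant for another SP.
    A five-minute NotOnOrAfter window means a suspended or compromised account is
    cut off at its next login rather than living on in a long-lived token."""
    cond = root.find("saml:Conditions", SAML_NS)
    if cond is None:
        return False
    if now < _parse_time(cond.get("NotBefore")) or now >= _parse_time(cond.get("NotOnOrAfter")):
        return False
    audiences = {a.text for a in cond.findall("saml:AudienceRestriction/saml:Audience", SAML_NS)}
    return expected_audience in audiences


def parse_attributes(root) -> dict:
    """Map FriendlyName -> list of values; a persistent NameID nested inside an
    AttributeValue (the eduPersonTargetedID encoding) is unwrapped to its text."""
    attrs = {}
    for attr in root.findall("saml:AttributeStatement/saml:Attribute", SAML_NS):
        key = attr.get("FriendlyName") or attr.get("Name")
        values = []
        for v in attr.findall("saml:AttributeValue", SAML_NS):
            name_id = v.find("saml:NameID", SAML_NS)
            values.append((name_id.text if name_id is not None else (v.text or "")).strip())
        attrs[key] = values
    return attrs


def authorize(attrs: dict, resource: str, action: str) -> bool:
    """Policy for the two wiki use cases; resource and group names are constructed."""
    affiliations = set(attrs.get("eduPersonScopedAffiliation", []))
    groups = set(attrs.get("isMemberOf", []))
    if resource == "strategic-plan-wiki":
        # Any campus member may contribute. The SP only holds the pairwise targeted ID,
        # so input is tied to a session but not to a named person: campus-only and anonymous.
        return action in {"read", "comment"} and "member@uw-m.example" in affiliations
    if resource == "class-wiki":
        if action == "read":
            return bool(groups & {"cs101-students", "cs101-tas"})
        if action == "write":
            return "cs101-students" in groups   # write access restricted to enrolled students
        if action == "read-ta-section":
            return "cs101-tas" in groups         # section available only to TAs
    return False


def process_login(assertion_xml: str, expected_audience: str, now_iso: str):
    """Return the attribute map if the assertion is acceptable for this SP, else None."""
    root = ET.fromstring(assertion_xml)
    if not validate_conditions(root, expected_audience, _parse_time(now_iso)):
        return None
    return parse_attributes(root)


if __name__ == "__main__":
    attrs = process_login(SAMPLE_ASSERTION, "https://wiki.uw-m.example/shibboleth", "2015-12-24T10:02:00Z")
    print(attrs)
    print("planning wiki comment:", authorize(attrs, "strategic-plan-wiki", "comment"))
    print("class wiki write:", authorize(attrs, "class-wiki", "write"))
    print("TA section:", authorize(attrs, "class-wiki", "read-ta-section"))
```

The authorization logic never looks at a name or email: affiliation and group membership are all the wiki needs, which is why the release policy on the IdP side can withhold everything else. Feeding the same assertion to a different audience or a few minutes later returns None, so a misrouted or replayed assertion is rejected before any policy is evaluated.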
Collaboration management platforms
• Addresses the pain of collaboration management, not the joy of collaboration tools
• Built on federated identity, they permit collaborators to organize around their shared activities, not the tools they might use to collaborate in their activities
• Manage the groups that have access to a wiki, are an email list, are in your video application phone book, have their own IM channel and audioconference, share files, etc. The applications make external calls for their identity services
• Communicate with each other via an attribute ecosystem
[Figure: Collaboration Management Platform (CMP) and the Attribute Ecosystem. Home organizations and identity providers / sources of authority: University A, University B, Laboratory X. CMP functions: authorization (group info, privilege info), authentication, people picker, other functions, backed by an attribute/resource info data store. Collaboration tools and resources managed by the CMP: federated wiki, domain science grid, domain science instrument, file sharing, calendar, phone/video conference, email list manager. Attribute ecosystem flows carry application attributes between the home org identity providers, the CMP, and the tools.]
What we’re on the edge of…
• A brave new world of operational interrealm trust
  • Visible to the user as privacy managers, info-cards, etc
  • Creating a richness of services and applications that build on the security and privacy
• On top of that trust layer, an operational collaboration mesh
  • Supporting sciences, R&D and social collaboration
  • Many of the web 2.0 genre, real time communications, file shares, etc
  • Likely leveraging both federated and p2p trust
• A lot of unanticipated consequences…