Maturation - PowerPoint PPT Presentation

About This Presentation
Title:

Maturation

Description:

Internet2 MACE. 20th APAN, Taipei, Taiwan. August 24, 2005. 2. Topics ... Internet2 NMI / MACE components. Systems of Record. Enterprise Directory. Reflect. Join ... – PowerPoint PPT presentation


Transcript and Presenter's Notes

Title: Maturation


1
Maturation and Convergence in Authentication and
Authorization Services in US Higher Education
  • Keith Hazelton, hazelton_at_doit.wisc.edu
  • Sr. IT Architect, University of Wisconsin-Madison
  • Internet2 MACE
  • 20th APAN, Taipei, Taiwan
  • August 24, 2005

2
Topics
  • Middleware service layer concepts and models
  • Roots of the Internet2 middleware initiative
  • Growing relevance of middleware for network layer
    services and Grid services
  • Possible paths of convergence

3

Identity and Access Management (IAM) defined
  • What is Identity Management?
  • "Identity and access management is the set of
    business processes, and a supporting
    infrastructure, for the creation, maintenance,
    and use of digital identities."
  • The Burton Group (a research firm specializing in
    IT infrastructure for the enterprise)

4
The IAM Stone Age
  • List of functions
  • AuthN: Authenticate principals (people, servers)
    seeking access to a service or resource
  • Log: Track access to services/resources

5
The IAM Stone Age
  • Every application for itself in performing these
    functions
  • User list, credentials; if you're on the list,
    you're in (AuthN is authorization (AuthZ))
  • As Hobbes might say: Stone age IAM is nasty,
    brutish and short on features

6
Vision of a better way to do IAM
  • IAM as a middleware layer at the service of any
    number of applications
  • Requires an expanded set of basic functions
  • Reflect: Track changes to institutional data from
    changes in Systems of Record (SoR) and other IdM
    components
  • Join: Establish and maintain person identity
    across multiple independent sources of person
    information
  • Human Resources and Student Info. Systems
  • or Department X and Department Y IT systems

7
Vision of a better way to do IAM
  • More in the expanded set of basic functions
  • Credential: issue digital credentials to people
    in the community
  • Mng. Affil.: Manage affiliation and group
    information
  • Mng. Priv.: Manage privileges and permissions at
    system and resource level
  • Provision: Push IAM info out to systems and
    services as required
  • Deliver: Make access control / authorization
    information available to services and resources
    at run time
  • AuthZ: Make the allow/deny decision independent
    of AuthN

8
IAM functions
  • Reflect: Data of interest
  • Join: Identity across SoR
  • Credential: NetID, other
  • Manage Affil/Groups: AuthZ info
  • Manage Privileges: More AuthZ info
  • Provision: For legacy applications
  • Deliver: Get AuthZ info to app
  • Authenticate: Check identity claim
  • Authorize: Make allow/deny decision
  • Log: Track usage for audit

9
Roots of the Internet2 Middleware Initiative
  • Stated goal is to support educational institution
    as a whole in its various missions
  • Requires focus on entire population of various
    service consumers (students, staff, researchers,
    lecturers, etc.)
  • Plus two critical requirements
  • Scalability
  • Flexibility

10
Basic IAM functions mapped to the Internet2 NMI /
MACE components
[Diagram: Systems of Record (Student, HR, Other)
feed the Enterprise Directory (Registry, LDAP)
through the Reflect, Join and Credential functions.]
11
Basic IAM functions mapped to the Internet2 NMI /
MACE components
[Diagram: the same pipeline extended to Apps /
Resources, adding AuthN, AuthZ, Mng. Affil., Mng.
Priv., Provision, Deliver and Log; component labels
shown: WebISO, Grouper, Signet, Shibboleth.]
12
Middleware becoming crucial to network and Grid
communities
  • QoS, Authenticated network access and network
    service all require IAM suite of functions
  • Grid services have that PLUS need to support
    multiple-institution virtual organizations (VOs)
  • Middleware becomes crucial in both for
  • Scalability
  • Flexibility

13
The GridShib picture
  • Actors: User, Grid Service, Campus (Shibboleth)
  • (0) Attribute Release Policy (set at the Campus)
  • (1) Grid Authentication (User to Grid Service)
  • (2) Shib Attribute Request (Grid Service to Campus)
  • (3) Attributes (Campus to Grid Service)
  • (4) Attribute-based authorization (at the Grid
    Service)
14
Getting Attributes into a Site's Attribute
Authority
[Diagram: Core Business Systems (SIS, HR) are fed
by Loaders into the Person Registry; on-site
authorities are the Group Registry (Grouper UI)
and the Privilege Registry (Signet UI); off-site
authorities contribute using Shibboleth; all feed
the LDAP-backed Attribute Authority consumed by
Shib/GridShib. Sample attributes: uid=jdoe,
eduPersonAffiliation, isMemberOf,
eduPersonEntitlement.]
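The flow on slide 13, fed by the attribute sources on slide 14, as an added illustration (not code from the presentation or from GridShib itself): the attribute release policy in step (0) filters what the campus hands to the grid service, and the allow/deny decision in step (4) is made from released attributes, independent of authentication. All identifiers, the certificate subject, the SP identifier and the entitlement URN are constructed.

```python
# Added example, not part of the presentation. Toy model of the GridShib
# flow (slide 13) using the attribute names from slide 14. All data below
# is constructed for illustration.

# (1) Grid authentication: the grid service verifies the user's X.509
# credential and maps the certificate subject to a campus uid (constructed).
GRID_IDENTITY_MAP = {
    "/DC=org/DC=example/O=Grid/CN=Jane Doe": "jdoe",
}

# Campus Attribute Authority contents (constructed sample person).
ATTRIBUTE_AUTHORITY = {
    "jdoe": {
        "uid": "jdoe",
        "eduPersonAffiliation": ["member", "staff"],
        "isMemberOf": ["cn=grid-users,ou=groups,dc=example,dc=edu"],
        "eduPersonEntitlement": ["urn:mace:example.edu:grid:compute"],
        "mail": "jdoe@example.edu",  # held by the AA, never released below
    },
}

# (0) Attribute Release Policy: per relying party, which attributes may
# leave the campus. A grid service not listed here receives nothing.
ATTRIBUTE_RELEASE_POLICY = {
    "https://grid.example.org/compute": {
        "eduPersonAffiliation", "isMemberOf", "eduPersonEntitlement",
    },
}


def grid_authenticate(cert_subject):
    """Step (1): campus uid for a verified certificate subject, or None."""
    return GRID_IDENTITY_MAP.get(cert_subject)


def shib_attribute_request(uid, sp_id):
    """Steps (2)-(3): answer an attribute request, filtered by the ARP."""
    allowed = ATTRIBUTE_RELEASE_POLICY.get(sp_id, set())
    person = ATTRIBUTE_AUTHORITY.get(uid, {})
    return {name: value for name, value in person.items() if name in allowed}


def authorize(attributes, required_entitlement):
    """Step (4): decide from released attributes, not from AuthN alone."""
    return required_entitlement in attributes.get("eduPersonEntitlement", [])


def gridshib_flow(cert_subject, sp_id, required_entitlement):
    """Run steps (1)-(4); return (decision, attributes the service saw)."""
    uid = grid_authenticate(cert_subject)
    if uid is None:
        return "deny", {}
    attributes = shib_attribute_request(uid, sp_id)
    return ("allow" if authorize(attributes, required_entitlement) else "deny",
            attributes)
```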
15
Do APAN attendees thus represent a new market for
I2-style middleware?
  • If so, what are likely paths of collaboration and
    convergence?
  • SAML, WS and PKI interoperability
  • to bring institutional IAM and Grid IAM into
    alignment. See Project GridShib and JISC news
  • IAM infrastructures at departmental in addition
    to institutional levels
  • Federations as organizational umbrellas for VOs
  • A quick glance at federation building initiatives

16
Federation Value Proposition
  • Set of cooperating IdPs and SPs forms a community
    needing agreement on
  • Trust Fabric
  • X.509 certs
  • IdP and SP identifiers and other metadata
  • Community standard for attribute semantics
  • Community standards for IdP and SP operational
    practices
  • Strength of authentication
  • Confidentiality
  • For N IdPs and M SPs, which is easier?
  • N × M agreements
  • N + M agreements

17
The Research and Education Federation Space Today
[Map of federation-building initiatives; labels
visible: Indiana; "Slippery slope - Med Centers,
etc."]
18
Specific possibilities
  • Participate in beta testing of middleware
    components to get your requirements into
    development stream
  • Participate in middleware-enhanced VO trials
  • Others???

19
Q & A
  • hazelton@doit.wisc.edu
  • http://middleware.internet2.edu
  • http://shibboleth.internet2.edu
  • http://grid.ncsa.uiuc.edu/GridShib
  • http://middleware.internet2.edu/dir/groups/grouper
  • http://middleware.internet2.edu/signet
  • http://www.incommonfederation.org