Emerging Infrastructure for Collaboration: Next Generation Plumbing - PowerPoint PPT Presentation

1
Emerging Infrastructure for Collaboration: Next Generation Plumbing
2
Topics
  • Frameworks
  • Enterprise-based middleware
  • Federated services and applications
  • Virtual organizations and trust fabrics
  • Activities in Collaborative Middleware
  • Deployments
  • Development
  • Related Activities: a bunch of Mellons,
    instant messaging, etc.
  • Implications for the higher ed community
  • Implications for the marketplace and the public
    sector

3
Frameworks
  • Enterprise-based middleware
  • Middleware that provides institutional core
    middleware needs (academic and administrative)
  • Constructed in similar but locally adaptive
    fashions on campuses, with standard external
    service points (directory objectclasses, handle
    servers, etc.)
  • Federated services and applications
  • Enterprises come together into federations, with
    formal trust structures that permit exchange of
    attributes, including identity
  • User actions within the federation are generally
    moderated by their enterprise
  • Resource discovery, security, privacy,
    authorizations managed by user and enterprise
  • Virtual organizations leverage the above in a
    cross-stitch
  • Sparse mode collaborative communities with real
    resources and authorizations to share
  • Trust fabrics (global, federated, P2P) necessary
    for secure and private collaboration

4
A Map of Middleware Land
5
Core Middleware Scope
  • Identity and Identifiers: namespaces, identifier
    crosswalks, real-world levels of assurance, etc.
  • Authentication: campus technologies and
    policies, interrealm interoperability via PKI,
    Kerberos, etc.
  • Directories: enterprise directory services
    architectures and tools, standard objectclasses,
    interrealm and registry services
  • Authorization: permissions and access controls,
    delegation, privacy management, etc.
  • Integration Activities: open management tools,
    application of P2P, federated and hierarchical
    trust, enabling common applications with core
    middleware

6
Campus Core Middleware Architecture (Origin perspective)
7
Federated administration
  • Given the strong collaborations within the
    academic community, there is an urgent need to
    create inter-realm tools, so
  • Build consistent campus middleware infrastructure
    deployments, with outward facing objectclasses,
    service points, etc. and then
  • Federate (multilateral) those enterprise
    deployments with interrealm attribute transports,
    trust services, etc. and then
  • Leverage that federation to enable a variety of
    applications from network authentication to
    instant messaging, from video to web services,
    from p2p to virtual organizations, etc. while we
  • Be cautious about the limits of federations and
    look for alternative fabrics where appropriate.

8
Federated administration
  (Diagram: Campus 1 and Campus 2 joined through a
  Federation, with VOs above it; component labels on the
  slide are O, T, A and CM.)
9
Unified field theory of Trust
  • Bridged, global hierarchies of
    identification-oriented, often government-based
    trust: laws, identity tokens, etc.
  • Passports, driver's licenses
  • Future is typically PKI oriented
  • Federated: enterprise-based, leverages one's
    security domain, often role-based
  • Enterprise does authentication and attributes
  • Federations of enterprises exchange assertions
    (identity and attributes)
  • Peer to peer trust: ad hoc, small-locus personal
    trust
  • A large part of our non-networked lives
  • New technology approaches to bring this into the
    electronic world.
  • Distinguishing P2P application architecture from
    P2P trust

10
Virtual Organizations
  • Geographically distributed, enterprise
    distributed community that shares real resources
    as an organization.
  • Examples include team science (NEESGrid, BIRN,
    NEON), digital content managers (library
    cataloguers, curators, etc), life-long learning
    consortia, etc.
  • On a continuum from interrealm groups (no real
    resource management, few defined roles) to real
    organizations (primary identity/authentication
    providers)
  • Want to leverage enterprise middleware and
    external trust fabrics

11
Leveraging V.O.s Today
  (Diagram: User, VO, Federation, Enterprise and Target
  Resource.)
12
Leveraged V.O.s Tomorrow
  (Diagram: User, VO, Federation, Enterprise and Target
  Resource, with the VO now backed by collaborative tools,
  an authority system, etc.)
13
Middleware Activities
  • NMI-EDIT Management MACE, Internet2, EDUCAUSE,
    SURA
  • In deployment
  • Directories
  • Security
  • Federations
  • In development
  • Virtual organizations - JISC
  • Diagnostics
  • Authorization and privilege management

14
MACE (Middleware Architecture Committee for Education)
  • Purpose - to provide advice, create experiments,
    foster standards, etc. on key technical issues
    for core middleware within higher education
  • Membership - Bob Morgan (UW) Chair, Tom Barton
    (Chicago), Scott Cantor (Ohio State), Steven
    Carmody (Brown), Michael Gettes (Duke), Keith
    Hazelton (Wisconsin), Paul Hill (MIT), Jim Jokl
    (Virginia), Mark Poepping (CMU), Bruce Vincent
    (Stanford), David Wasley (California), Von Welch
    (Grid)
  • European members - Brian Gilmore (Edinburgh), Ton
    Verschuren (Netherlands), Diego Lopez (Spain)
  • Creates working groups in major areas, including
    directories, interrealm access control, PKI,
    video, P2P, etc.
  • Works via conference calls, emails, occasional
    serendipitous in-person meetings...

15
In deployment - International
16
In deployment - US
17
Directories
  • Creation and deployment of consistent internal
    directory infrastructure within the higher-ed
    community.
  • Includes metadirectory services
  • Standard internal objectclasses
  • Most applications have become directory enabled
  • Development and adoption of outward-facing
    directory objectclasses eduPerson and eduOrg
  • eduPerson - identity and associated attribute
    values, entitlements, etc.
  • eduOrg - enterprise attribute values
  • Internationalization of eduPerson underway
  • H.350 - desktop video resource discovery, now an
    ITU standard
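The outward-facing objectclasses above only help federation partners if every campus populates them consistently. The following added example (not code from the presentation or from the eduPerson project) parses a small LDIF entry and checks it against the eduPerson conventions: the objectClass is present, eduPersonPrincipalName is a single user@scope value, eduPersonAffiliation uses the controlled vocabulary the eduPerson specification defines, entitlements are URIs, and (an assumed local policy) scoped affiliations carry only the enterprise's own scope. The two LDIF entries are constructed.

```python
"""Validate an LDIF entry against eduPerson conventions.

Added example, not presentation or eduPerson project code. GOOD_LDIF and
BAD_LDIF are constructed; the attribute names are real eduPerson attributes
and EDUPERSON_AFFILIATIONS is the vocabulary eduPerson 200210 defines. The
"own scope only" rule for eduPersonScopedAffiliation is an assumed local policy.
"""
from collections import defaultdict

# Controlled vocabulary for eduPersonAffiliation (eduPerson 200210).
EDUPERSON_AFFILIATIONS = frozenset(
    {"faculty", "student", "staff", "alum", "member", "affiliate", "employee"}
)

# Constructed entry; the last attribute is folded across two lines as LDIF allows.
GOOD_LDIF = """\
dn: uid=jdoe,ou=People,dc=example,dc=edu
objectClass: person
objectClass: inetOrgPerson
objectClass: eduPerson
uid: jdoe
cn: Jane Doe
mail: jdoe@example.edu
eduPersonPrincipalName: jdoe@example.edu
eduPersonAffiliation: student
eduPersonAffiliation: member
eduPersonScopedAffiliation: student@example.edu
eduPersonEntitlement: urn:mace:example.edu:library:offcampu
 s
"""

# Constructed entry carrying the defects the checks are meant to catch.
BAD_LDIF = """\
dn: uid=bob,ou=People,dc=example,dc=edu
objectClass: person
objectClass: inetOrgPerson
uid: bob
eduPersonPrincipalName: bob@example.edu
eduPersonAffiliation: visitor
eduPersonScopedAffiliation: student@other.edu
eduPersonEntitlement: library-offcampus
"""


def parse_ldif(text):
    """Return {attribute name lowercased: [values]} for one LDIF entry.
    Folded lines (leading space) are joined to the previous line, comment
    lines are skipped, and names are lowercased because LDAP compares
    attribute names case-insensitively."""
    logical = []
    for raw in text.splitlines():
        if raw.startswith(" ") and logical:
            logical[-1] += raw[1:]
        elif raw and not raw.startswith("#"):
            logical.append(raw)
    entry = defaultdict(list)
    for line in logical:
        name, _, value = line.partition(":")
        entry[name.strip().lower()].append(value.strip())
    return dict(entry)


def check_eduperson(entry):
    """Return the list of problems found; empty means the entry is consistent."""
    problems = []
    classes = {c.lower() for c in entry.get("objectclass", [])}
    if "eduperson" not in classes:
        problems.append("objectClass eduPerson is missing")

    eppn = entry.get("edupersonprincipalname", [])
    scope = None
    if len(eppn) == 1 and eppn[0].count("@") == 1:
        scope = eppn[0].split("@")[1]
    else:
        problems.append("eduPersonPrincipalName must be a single user@scope value")

    for affil in entry.get("edupersonaffiliation", []):
        if affil not in EDUPERSON_AFFILIATIONS:
            problems.append(f"eduPersonAffiliation {affil!r} not in controlled vocabulary")

    for scoped in entry.get("edupersonscopedaffiliation", []):
        affil, _, affil_scope = scoped.partition("@")
        if affil not in EDUPERSON_AFFILIATIONS:
            problems.append(f"eduPersonScopedAffiliation {scoped!r} uses unknown affiliation")
        # Assumed local policy: the enterprise asserts affiliations only for its own scope.
        if scope and affil_scope != scope:
            problems.append(f"eduPersonScopedAffiliation {scoped!r} is not in scope {scope}")

    for ent in entry.get("edupersonentitlement", []):
        if ":" not in ent:
            problems.append(f"eduPersonEntitlement {ent!r} is not a URI")
    return problems


if __name__ == "__main__":
    for label, text in (("good", GOOD_LDIF), ("bad", BAD_LDIF)):
        print(label, check_eduperson(parse_ldif(text)) or "ok")
```

Run as a script it reports the good entry as ok and lists four problems for the bad one. A check like this belongs in the metadirectory feed that builds the outward-facing directory, so that a bad value is caught before a federation partner ever sees it.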

18
Security
  • Emergence of federating software and federations
  • Rise of SAML (www.opensaml.org)
  • Shibboleth
  • In PKI, deployments remain challenging
  • Escrow, mobility, path construction and
    validation remain very hard
  • Non-standards proliferate; little "I" in the PKI
    that exists
  • Some campuses have traction
  • First generation WebSSOs proliferate and show
    limits
  • Credential converters (KCA and a Shibbed CA)
  • HEBCA (a bridge certificate authority for higher
    education) and USHER (US Higher Ed root CA) are
    under slooooow construction
  • Security as creating new capabilities as well as
    restricting use

19
Shibboleth Status
  • Open source, privacy preserving federating
    software
  • Being very widely deployed in US and
    international universities
  • Target works with Apache (1.3 and 2.0) and IIS;
    Java origins for a variety of Unix platforms.
  • V2.0 likely to include portal support, identity
    linking, non web services (plumbing to
    GSSAPI,P2P, IM, video) etc.
  • Work underway on intuitive graphical interfaces
    for the powerful underlying Attribute Authority
    and resource protection
  • Likely to coexist well with Liberty Alliance and
    may work within the WS framework from Microsoft.
  • Growing development interest in several
    countries, providing resource manager tools,
    digital rights management, listprocs, etc.
  • Used by several federations today NSDL,
    InQueue, SWITCH and several more soon (JISC,
    Australia, etc.)
  • http://shibboleth.internet2.edu/

20
GUIs to manage Shibboleth
21
Federations
  • Associations of enterprises that come together to
    exchange information about their users and
    resources in order to enable collaborations and
    transactions
  • Enroll, authenticate and attribute locally;
    act federally.
  • Uses federating software (e.g. Liberty Alliance,
    Shibboleth, WS-), common attributes (e.g.
    eduPerson), and a shared set of security and
    privacy understandings
  • Enterprises (and users) retain control over what
    attributes are released to a resource; the
    resources retain control (though they may
    delegate) over the authorization decision.
  • Several federations now in construction or
    deployment

22
InCommon federation
  • Federation operations: Internet2
  • Federating software: Shibboleth 1.1 and above
  • Federation data schema - eduPerson200210 or later
    and eduOrg200210 or later
  • Federation privacy and security requirements in
    discussion, could be
  • Privacy requirements
  • Initially, destroy received attributes
    immediately upon use
  • Security requirements
  • Initially, enterprises post local I/A and basic
    business rules for assignment of
    eduPersonAffiliation values
  • Likely to progress towards standardized levels of
    authn
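The two slides above split the work the same way: the enterprise decides what attributes leave, the resource decides access from what arrives, and (the InCommon privacy rule) the resource destroys the received attributes as soon as it has used them. The following added example, which is not Shibboleth code, models that exchange in plain Python. The user store, release policy, target rules and target URLs are all constructed; the attribute names are eduPerson's.

```python
"""Federated attribute release and authorization, as the Federations and
InCommon slides describe it. Added example, not Shibboleth code: USERS,
RELEASE_POLICY, TARGET_RULES and the target URLs are constructed.

Three properties are exercised:
  * the enterprise releases only what its policy allows for that target
    (default deny for an unknown target),
  * the target decides authorization from the released attributes alone,
  * the target destroys the received attributes immediately after use.
"""

# Constructed enterprise attribute store (what the origin knows locally).
USERS = {
    "jdoe": {
        "cn": ["Jane Doe"],
        "mail": ["jdoe@example.edu"],
        "eduPersonPrincipalName": ["jdoe@example.edu"],
        "eduPersonScopedAffiliation": ["student@example.edu", "member@example.edu"],
        "eduPersonEntitlement": ["urn:mace:example.edu:library:offcampus"],
    },
}

# Constructed attribute release policy, keyed by target: which attributes may
# be released and which of their values. "*" releases every value.
RELEASE_POLICY = {
    "https://journals.example.org/shib": {
        "eduPersonScopedAffiliation": {"member@example.edu"},
    },
    "https://wiki.example.edu/shib": {
        "eduPersonPrincipalName": "*",
        "eduPersonEntitlement": "*",
    },
}

# Constructed authorization rules, keyed by target: (attribute, accepted values).
TARGET_RULES = {
    "https://journals.example.org/shib": (
        "eduPersonScopedAffiliation", {"member@example.edu", "member@partner.edu"}),
    "https://wiki.example.edu/shib": (
        "eduPersonEntitlement", {"urn:mace:example.edu:wiki:editor"}),
}


def release_attributes(uid, target):
    """Enterprise side: filter the user's attributes through the release
    policy for this target. A target with no policy entry gets nothing."""
    user = USERS.get(uid, {})
    released = {}
    for attr, rule in RELEASE_POLICY.get(target, {}).items():
        values = user.get(attr, [])
        kept = list(values) if rule == "*" else [v for v in values if v in rule]
        if kept:
            released[attr] = kept
    return released


def authorize(target, received):
    """Resource side: decide from the received attributes only, then clear
    them so nothing persists past the decision (the InCommon privacy rule)."""
    rule = TARGET_RULES.get(target)
    try:
        if rule is None:
            return False                      # unknown resource: default deny
        attr, accepted = rule
        return any(v in accepted for v in received.get(attr, []))
    finally:
        received.clear()                      # destroy received attributes on use


def federated_access(uid, target):
    """Full exchange; returns (decision, names of attributes that crossed the wire).
    Names, not values, are what a target should log."""
    assertion = release_attributes(uid, target)
    crossed = sorted(assertion)
    decision = authorize(target, assertion)
    assert not assertion, "received attributes must not survive the decision"
    return decision, crossed


if __name__ == "__main__":
    for target in list(RELEASE_POLICY) + ["https://unknown.example.net/shib"]:
        print(target, federated_access("jdoe", target))
```

Note that the journals target never sees the student affiliation, mail or name, only the one value the policy allows, and that the wiki target is refused because the released entitlement is not the one its rule accepts. Both decisions are made with nothing but the assertion contents, which is what lets the enterprise keep the rest private.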

23
InQueue Origins (2.12.04)
  • National Research Council of Canada
  • Columbia University
  • University of Virginia
  • University of California, San Diego
  • Brown University
  • University of Minnesota
  • Penn State University
  • Cal Poly Pomona
  • London School of Economics
  • University of North Carolina at Chapel Hill
  • University of Colorado at Boulder
  • UT Arlington
  • UTHSC-Houston
  • University of Michigan
  • University of Rochester
  • University of Southern California
  • Rutgers University
  • University of Wisconsin
  • New York University
  • Georgia State University
  • University of Washington
  • University of California Shibboleth Pilot
  • University at Buffalo
  • Dartmouth College
  • Michigan State University
  • Georgetown
  • Duke
  • The Ohio State University
  • UCLA
  • Internet2
  • Carnegie Mellon University

24
In development
  • Virtual organizations
  • Privilege management and authorization systems
  • Middleware diagnostics
  • Federated network-layer security services and
    capabilities

25
Stanford Authz Model
26
Authr Deliverables
  • The deliverables consist of
  • A recipe, with accompanying case studies, of how
    to take a role-based organization and develop
    appropriate groups, policies, attributes, etc. to
    operate an authority service
  • Templates and tools for registries and group
    management
  • a Web interface and program APIs to provide
    distributed management (to the departments, to
    external programs) of access rights and
    privileges, and
  • delivery of authority information through the
    infrastructure as directory data and authority
    events.

27
Home
28
Grant Authority Wizard
29
Related Activities in Collaboration Tools
  • Chandler
  • Instant Messaging
  • P2P filesharing Lionshare

30
Chandler
  • Open source email and calendaring package
  • Being developed by Open Source Application
    Foundation (Mozilla et al, led by Mitch Kapor)
  • Both stand-alone and enterprise versions due out
    before the end of the year
  • Intended to be collaborative in nature
  • Shared role-based views
  • Federated views

31
Lionshare
  • P2P file sharing application that is
  • Enterprise-based: uses authentication and campus
    directory and resource discovery
  • Federated: works between institutions, using
    local authentication and authorization
  • Learning-object oriented: meta-data based,
    linked to digital repositories, courseware, etc.
  • Developed at Penn State University, now being
    extended with assistance from Mellon Foundation,
    Internet2, OKI, Edusource
  • URL is

32
Instant Messaging
  • Federated IM
  • authentication by enterprise
  • Screen name authenticated; opaque or transparent
    by choice
  • Access control to chat rooms
  • Across enterprises
  • Across IM technologies
  • Payloads
  • Signalling

33
Implications for the Higher Ed Community
  • A variety of collaborative apps are being
    middleware enabled
  • There is a growing federated trust infrastructure
    among the RE community with potential
    international usefulness.
  • New architectures for passing attributes and
    identity: new tools to learn for managing privacy
    and security
  • Emergent tools for authority management: new
    tools to learn for managing authorization
  • A marketplace of identity service providers may
    emerge

34
Implications for the Marketplace and Public Sector
  • Inter-sector federation activities are not
    understood
  • International issues
  • Consistency of trust
  • Interoperability of technologies
  • A marketplace of identity service providers may
    emerge
  • Collaborative tools will need to work across a
    variety of trust fabrics
  • Users will need to manage both privacy and trust;
    defaults will be important