Intro to Identity for Developers - PowerPoint PPT Presentation

Provided by: tomb163

Transcript and Presenter's Notes

1
Intro to Identity for Developers
  • Tom Barton, U Chicago
  • Scott Cantor, Ohio State
  • Patrick Michaud, U Washington

2
Plan for the afternoon
  • All Why are we here?
  • Tom Internet2 Middleware big picture
  • Scott Identity-enabling web applications
  • Break
  • Patrick Catalyst case study
  • Tom Collaboration management
  • All IAM current issues

3
Internet2 Middleware Initiative (I2MI) big picture themes
  • Earlier
    • Identity & Access Management plumbing
    • Federations are rising
  • Later
    • Identity Services
    • Collaboration management

4
Access Management Realities
  • Many Sources of Authority
    • Policy making bodies
    • Resource managers
    • Program/activity heads
    • Self
  • Identification vs. authorization
  • Distributed management
    • Within an organization
    • Among organizations
  • Common articulating infrastructure
    • Departments/programs/activities should not have
      to build their own
    • Articulate between organizations

5
Early I2MI revelation
  • To ease the management of inter-org collaborative
    activities, campus IAM practices must be good
    enough in:
    • Identification & identifiers
    • Authentication
    • Attributes
    • Common practices & standards

6
Pre-indoor plumbing
7
I2MI's notion of middleware
  • Basic enterprise-wide services that are used by
    many applications
  • Now being extended through federations to include
    inter-institutional and virtual organization
    needs
  • Authentication, single sign on, directories,
    identifiers, authorization and privilege
    management
  • Perhaps workflow, digital rights management,
    enterprise service bus and a few others
  • As much policy, governance, and practice as
    technology

8
Keys to success in middleware
  • Application integration
    • Administrative
    • Academic and collaborative
  • Institutional and business process integration
    • Working with authoritative sources
    • Becoming an authoritative source
  • People and process time, not software and
    hardware expense
  • Making it reliable, flexible and invisible: true
    indoor plumbing

9
(No Transcript)
10
Identity & Access Management reflected in a
campus LDAP entry
  uid: tbarton
  chicagoID: 01191359N
  eduPersonAffiliation: staff
  isMemberOf: ucdrdeptsnsitintegration
  isMemberOf: ucadhocfact
  isMemberOf: ucdirectors
  isMemberOf: ucnsitsrdirs
  isMemberOf: ucnsitintegrationiteco_wr
  isMemberOf: appgems44251staff
11
New tools
12
Relative Roles of Signet & Grouper
  • Users are placed into groups
  • Privileges are assigned to groups
  • Groups can be arranged hierarchically to give
    privileges indirectly
  • Grouper manages groups
  • Signet manages privileges
  • Aligns with diverse Sources of Authority
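As an added example (not code from the presentation, from Grouper or from Signet), here is how an application would consume the campus LDAP entry shown on slide 10 and apply the slide-12 model: users sit in groups, privileges are attached to groups, and nested groups pass privileges down indirectly. The LDIF copy of the entry is constructed from the slide; the parent/child group links and the privilege names are hypothetical, chosen only to show the resolution.

```python
"""Added example (not code from the presentation, Grouper or Signet): how an
application consumes the slide-10 campus LDAP entry and resolves
Grouper-style nested groups into Signet-style privileges. The parent/child
group links and the privilege names below are hypothetical."""
from collections import defaultdict

# Constructed LDIF copy of the slide-10 entry. isMemberOf is multi-valued.
LDIF_ENTRY = """\
uid: tbarton
chicagoID: 01191359N
eduPersonAffiliation: staff
isMemberOf: ucdrdeptsnsitintegration
isMemberOf: ucadhocfact
isMemberOf: ucdirectors
isMemberOf: ucnsitsrdirs
isMemberOf: ucnsitintegrationiteco_wr
isMemberOf: appgems44251staff
"""


def parse_ldif_entry(text):
    """Parse one LDIF entry into {attribute: [values]}. Every attribute is a
    list: LDAP attributes are multi-valued, and reading isMemberOf as a scalar
    silently drops all but one group."""
    entry = defaultdict(list)
    for line in text.splitlines():
        if not line.strip() or line.startswith("#"):
            continue
        attr, sep, value = line.partition(":")
        if not sep:
            raise ValueError("malformed LDIF line: %r" % line)
        entry[attr.strip()].append(value.strip())
    return dict(entry)


# Hypothetical Grouper-style hierarchy: child group -> parent groups. A member
# of a child is indirectly a member of every ancestor, so privileges assigned
# to the ancestor reach the user without any direct assignment.
GROUP_PARENTS = {
    "ucnsitintegrationiteco_wr": ["ucdrdeptsnsitintegration"],
    "ucnsitsrdirs": ["ucdirectors"],
}

# Hypothetical Signet-style privileges: assigned to groups, never to people.
GROUP_PRIVILEGES = {
    "ucdirectors": {"budget:approve"},
    "ucnsitsrdirs": {"nsit:manage"},
    "appgems44251staff": {"gems:edit"},
}


def effective_groups(direct_groups):
    """Transitive closure over GROUP_PARENTS. The seen-set makes a cyclic
    hierarchy terminate instead of looping forever."""
    seen, stack = set(), list(direct_groups)
    while stack:
        group = stack.pop()
        if group in seen:
            continue
        seen.add(group)
        stack.extend(GROUP_PARENTS.get(group, ()))
    return seen


def effective_privileges(entry):
    """Union of the privileges of every direct and indirect group."""
    privs = set()
    for group in effective_groups(entry.get("isMemberOf", [])):
        privs |= GROUP_PRIVILEGES.get(group, set())
    return privs


def is_authorized(entry, privilege, affiliation="staff"):
    """Deny by default. Identification (uid, chicagoID) proves who the user is;
    only affiliation plus a resolved privilege grants access."""
    return (affiliation in entry.get("eduPersonAffiliation", [])
            and privilege in effective_privileges(entry))
```

The point to notice is that the application never stores a per-person privilege: it reads the attributes the campus publishes, walks the group hierarchy, and decides locally. Changing who may approve budgets is then a group edit in Grouper, not a code change.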
13
Privilege Elements by Example
(diagram; labels: Lifecycle, Privilege)
14
Multi-domain access scenarios
  • Single domain
    • University (usually!)
  • Single service domain, two user domains
    • Campus services users, plus "guests"
  • Single service domain, many user domains
    • Higher Ed service providers such as library
      services, administrative ASPs, direct-to-student
      services
  • Many service domains, many user domains
    • State regional consortia
    • Some Virtual Orgs or Collaborative Orgs
    • Some grid infrastructures
  • Sources of Authority & access management
    infrastructure are distributed across domains

15
Federated Identity à la Shibboleth
(diagram: Authenticate @Home at the "IdP"; Authorize @Resource at the "SP")
16
The rise of federations
  • Federations are now occurring broadly, and
    internationally, to support inter-institutional
    and external partner collaborations
  • Almost all in the corporate world are bi-lateral;
    almost all in the R&E world are multilateral
  • They provide a powerful leverage of enterprise
    (campus, site) credentials
  • Federations are learning to peer
  • Internal federations are also proving useful

17
InCommon Federation: Essential Data
  • US R&E Federation, a 501(c)3
  • Addresses legal, LoA, shared attributes, business
    proposition
  • Members are universities, service providers,
    government agencies, national labs
  • Over 80 organizations and growing steadily
  • 1.7 million user base now
  • Uses range over popular and academic content,
    wiki and list controls, ASPs, NIH, MS DreamSpark
  • www.incommonfederation.org

18
InCommon Federation: Essential Services
  • Trust fabric: metadata so that IdPs & SPs can
    mutually authenticate & interoperate
  • Multilateral agreement among federation
    participants
    • Agree to actually operate as they claim to
  • A Where Are You From service available
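An added example, not code from the presentation or from Shibboleth, of what slide 15 ("authenticate @Home, authorize @Resource") and slide 18 (metadata as the trust fabric) mean on the SP side. The IdP and SP entityIDs, the metadata allow-list and the SAML assertion are constructed. XML-Signature verification against the IdP key published in federation metadata is assumed to have been done already by the SP software and is not shown; everything after that point, which is where application developers usually get it wrong, is.

```python
"""Added example (not from the presentation or from Shibboleth): the SP side
of "authenticate @Home, authorize @Resource". The entityIDs, the metadata
allow-list and the assertion below are constructed. XML-Signature
verification against the IdP key from federation metadata is assumed to have
been done already by the SP software and is not shown."""
import xml.etree.ElementTree as ET
from datetime import datetime, timezone

SAML = "{urn:oasis:names:tc:SAML:2.0:assertion}"

# Constructed stand-in for the federation trust fabric: metadata tells the SP
# which IdP entityIDs it may accept assertions from (and which keys sign them).
TRUSTED_IDPS = {"https://idp.example.edu/idp/shibboleth"}
SP_ENTITY_ID = "https://sp.example.org/shibboleth"

# Match attributes on their OID Name, never on FriendlyName: FriendlyName is
# informational and a misconfigured IdP could label anything "isMemberOf".
OID_AFFILIATION = "urn:oid:1.3.6.1.4.1.5923.1.1.1.1"   # eduPersonAffiliation
OID_IS_MEMBER_OF = "urn:oid:1.3.6.1.4.1.5923.1.5.1.1"  # isMemberOf

# Constructed assertion, already signature-checked by assumption.
SAMPLE_ASSERTION = """<saml:Assertion xmlns:saml="urn:oasis:names:tc:SAML:2.0:assertion"
    ID="_c0ffee01" Version="2.0" IssueInstant="2024-01-01T00:00:00Z">
  <saml:Issuer>https://idp.example.edu/idp/shibboleth</saml:Issuer>
  <saml:Subject>
    <saml:NameID Format="urn:oasis:names:tc:SAML:2.0:nameid-format:transient">_7a1</saml:NameID>
  </saml:Subject>
  <saml:Conditions NotBefore="2024-01-01T00:00:00Z" NotOnOrAfter="2024-01-01T00:05:00Z">
    <saml:AudienceRestriction>
      <saml:Audience>https://sp.example.org/shibboleth</saml:Audience>
    </saml:AudienceRestriction>
  </saml:Conditions>
  <saml:AttributeStatement>
    <saml:Attribute Name="urn:oid:1.3.6.1.4.1.5923.1.1.1.1" FriendlyName="eduPersonAffiliation">
      <saml:AttributeValue>staff</saml:AttributeValue>
    </saml:Attribute>
    <saml:Attribute Name="urn:oid:1.3.6.1.4.1.5923.1.5.1.1" FriendlyName="isMemberOf">
      <saml:AttributeValue>ucdirectors</saml:AttributeValue>
      <saml:AttributeValue>ucnsitsrdirs</saml:AttributeValue>
    </saml:Attribute>
  </saml:AttributeStatement>
</saml:Assertion>"""


class AssertionRejected(Exception):
    pass


def _ts(s):
    """SAML timestamps are UTC; compare as aware datetimes."""
    return datetime.strptime(s, "%Y-%m-%dT%H:%M:%SZ").replace(tzinfo=timezone.utc)


def consume_assertion(xml_text, now, seen_ids):
    """Validate an (already signature-checked) assertion and return
    {oid: [values]}. Every check fails closed."""
    root = ET.fromstring(xml_text)
    if root.tag != SAML + "Assertion":
        raise AssertionRejected("not a SAML 2.0 Assertion")
    issuer = root.findtext(SAML + "Issuer", "").strip()
    if issuer not in TRUSTED_IDPS:           # the trust fabric decides who may assert
        raise AssertionRejected("issuer not in federation metadata: %r" % issuer)
    cond = root.find(SAML + "Conditions")
    if cond is None:
        raise AssertionRejected("missing Conditions")
    nb, noa = cond.get("NotBefore"), cond.get("NotOnOrAfter")
    if nb is None or noa is None or not (_ts(nb) <= now < _ts(noa)):
        raise AssertionRejected("assertion outside its validity window")
    audiences = [a.text.strip() for a in cond.iter(SAML + "Audience") if a.text]
    if SP_ENTITY_ID not in audiences:        # an assertion for another SP is not ours
        raise AssertionRejected("assertion not addressed to this SP")
    aid = root.get("ID")
    if not aid or aid in seen_ids:           # one-time use within the window
        raise AssertionRejected("missing or replayed assertion ID")
    seen_ids.add(aid)
    attrs = {}
    for attr in root.iter(SAML + "Attribute"):
        vals = [v.text.strip() for v in attr.findall(SAML + "AttributeValue") if v.text]
        attrs.setdefault(attr.get("Name"), []).extend(vals)
    return attrs


def authorize(attrs, required_group):
    """Authorization happens here, at the resource: the home IdP asserted the
    attributes, but the SP decides what they entitle the user to."""
    return ("staff" in attrs.get(OID_AFFILIATION, [])
            and required_group in attrs.get(OID_IS_MEMBER_OF, []))


def is_rejected(xml_text, now, seen=None):
    """True if consume_assertion fails closed on this input."""
    try:
        consume_assertion(xml_text, now, set() if seen is None else seen)
        return False
    except AssertionRejected:
        return True
```

The checks are ordered so that the cheapest rejections (untrusted issuer, expired window, wrong audience) happen before the assertion ID is recorded, and the replay cache only ever fills with assertions that were otherwise valid. In a real deployment the Shibboleth SP performs these steps and hands the application only the resulting attributes, but an application that reads them from request headers should still know that they went through exactly this gate.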

19
Example: TeraGrid and multiple domains
(diagram; labels in order: provision accounts; TeraGrid Resources, 10 Sites; 125 Sites; run & monitor; run & monitor; Campus; attributes; run & monitor; Science Gateway; 20 Sites)
20
In the cloud
Many technologies
21
Identity Services
  • Decouple application design from implementation
    of identity services

22
Collaboration and Federated Identity
  • Two powerful forces being leveraged
    • the rise of federated identity
    • the bloom in collaboration tools, most
      particularly in the Web 2.0 space but including
      file shares, email list procs, etc.
  • Collaboration management platforms provide
    identity services to well-behaved collaboration
    applications
  • Results in user and collaboration centric
    identity, not tool-based identity

23
Collaboration Management Platforms
  • Management of collaboration is a real impediment
    to collaboration, particularly with the growing
    variety of tools
  • Goal is to develop a platform for handling the
    identity management aspects of many different
    collaboration tools
  • Platform includes a framework and model, specific
    running code that implements the model, and
    applications that take advantage of the model
  • This space presents possibilities of improving
    the overall unified UI as well as UI for
    specific applications and components.

24
COmanage
  • A collaboration management platform, supported in
    part by an NSF OCI grant, being developed by the
    Internet2 community, with Stanford as a lead
    institution
  • Open source, open protocol
  • Uses Shibboleth, Grouper, and Signet
  • Parallels activities in the UK and Australia

25
Comanageable applications
  • Already done
    • Sympa, federated wikis, Asterisk (open-source IP
      audioconferencing), Dimdim (open-source web
      meeting), Bedework (federated open-source
      calendar)
  • Immediate targets
    • Rich access controlled wikis
    • Web-based file shares, IM, Google Apps for
      Education
    • Domain science resources
    • Instruments
    • Grids

26
Some general COmanage comments
  • A limited number of consoles present the basic
    identity services; users can move directly between
    services as a standard workflow
  • Early in the development; the GUI is particularly
    primitive
  • Underlying store is an LDAP directory;
    alternatives include MySQL db, RTF store, etc.
  • COmanage can be deployed by a campus, a
    department, a VO, a VO service center; COmanage
    instances communicate with each other by the
    attribute ecosystem voodoo

27
Collaboration Management Platform (CMP) and the
Attribute Ecosystem
(diagram; labels: Collaboration Tools/Resources: Federated Wiki, File Sharing, Calendar, Phone/Video Conference, Email List Manager; Application Attributes; manage; Collaboration Management Platform: Authorization/Group Info, Authorization/Privilege Info, Authentication, People Picker, Other Functions; Attribute/Resource Info Data Store; Attribute Ecosystem Flows; Home Org Id Providers / Sources of Authority: University A, University B)
28
Current issues in IAM
  • Level of Assurance
  • Campus Roles
  • Shibboleth & Active Directory
  • OpenID and (campus) attributes
  • Privacy & consent
  • Guest management