The JISC Core Middleware Call


The JISC Core Middleware Call
Brian Gilmore, The University of Edinburgh and JISC Committee for Support of Research

Purpose
- To develop new and extend existing technologies in access management (AAA), which are:
  - Standards-based
  - Aligned with other national and international developments
  - Aimed at future service deployment, in national and/or institutional contexts
  - Designed to address certain scenarios which are currently difficult to handle

Present position
- Two very different services with national scope exist today
- Athens: username/password based service for unifying access to electronic library-type resources
  - Mainly though not exclusively licensed via JISC consortium deals
- UK e-Science CA: service for issuing digital certificates for access to Grid-type resources

Scope of Athens
- Over 2 million current usernames
- Username/password database; maintenance devolved to institutions
- Around 500 HigherEd and FurtherEd institutions use the Athens service
- Around 200 licensed resources are controlled via Athens

So why change?
- Athens today still uses its own, proprietary protocols
- Little international take-up
- Athens design lacks the flexibility of more recent approaches
- Not well adapted to inter-institutional scenarios, e.g. virtual organisations

The e-Science CA
- Part of the Grid Support Centre
- Based on OpenCA software (with local modifications)
- Verification of user identities carried out by trusted RAs around the community
- Current scale of operation: a few hundred certificates per year

So why change?
- The vision is to extend e-Science technologies to larger communities, e.g. social sciences, bioinformatics
- A general view is that the existing CA will be difficult to scale up
- In practice larger-scale AAA regimes are almost always based around institutions, who are best placed to administer their own members

Key scenarios
A next-generation AAA infrastructure must support the following scenarios:
- Internal (intra-institutional) applications as well as use between organisations
- Management of access to third-party digital library-type resources (as now)
- Inter-institutional use – stable, long-term resource sharing between defined groups (e.g. shared e-learning scenarios)
- Inter-institutional use – ad hoc collaborations, potentially dynamic in nature (virtual organisations or VOs)

VO characteristics
- A VO's members typically belong to more than one real organisation
- Wishing to share resources across real-world organisational boundaries (often problematic in security terms)
- VO membership – which may be more or less formal – could be based on numerous criteria (discipline, project, course enrolment, personal interests ...)
- The authority regulating VO membership could equally take many forms
- And timescales may be very varied also

Shibboleth
Options for moving forward:
- PAPI from RedIRIS (Spain)
- Shibboleth (Internet2)
- The decision was to significantly spend on introducing Shibboleth, with the aim of a national implementation by 2006
- First tranche (Call 01/04) for $5m over 3 years

Shibboleth cons
- Software still lacks user-friendly management tools
- In its present state, still quite demanding to install and run
  - Might require outsourced or packaged services for smaller institutions?
- Relatively unsophisticated authorisation model
  - Single attribute authority
  - No generalised decision engine

Coping with VOs
- Problem: typically a VO involves at least two sources of authority
  - User's identity derives from home institution
  - User's VO membership and privileges derive from the VO's own authority
- Solution: add more intelligence to the Shibboleth resource manager
  - Policy-driven decision engine
  - Multiple sources of authority

Permis
What is Permis?
- A policy-based decision engine
- Policy expressed in XML (compliance with the OASIS XACML standard planned)
- Supports multiple sources of authority
- Decisions based on roles or discrete attributes of users
- User attributes stored in X.509 standard attribute certificates
- Stable, portable implementation now included in NMI release

Shibboleth + Permis
- Extend Shibboleth resource manager by incorporating the Permis decision engine
- Resource owners can then set much more complex policies, embodying their conditions of access
- Attributes can be gathered from more than one location (and be supplied by more than one authority)
- Thus meeting the needs of VOs and providing much more fine-grained control
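The three slides above (Coping with VOs, Permis, Shibboleth + Permis) describe the same mechanism from different angles: a policy-driven decision engine that accepts attributes from more than one source of authority, maps them to roles, and checks the roles against a resource owner's access policy. The following is an added illustration written for this page; it is not PERMIS, Shibboleth or any JISC project code. The issuer names, attribute names, roles, resource names and the policy layout are all constructed assumptions. Real PERMIS policies are XML and user attributes arrive as X.509 attribute certificates; here both are plain Python data so the decision logic, in particular the source-of-authority check that makes a home IdP's claim about VO membership worthless, can be read on its own.

```python
"""Toy policy decision engine combining attributes from several authorities.

Added example for this page, not PERMIS/Shibboleth code. All names below
(issuers, attributes, roles, resources) are constructed for illustration.
"""
from __future__ import annotations

from dataclasses import dataclass, field


@dataclass(frozen=True)
class Assertion:
    """One attribute statement about a subject and the authority that made it."""
    subject: str
    attribute: str
    value: str
    issuer: str


@dataclass
class Policy:
    # Source-of-authority policy: which issuer may assert which attribute.
    # A statement from any other issuer is discarded outright.
    trusted_sources: dict[str, set[str]]
    # Role assignment: (attribute, value) pairs that confer a role.
    role_assignment: dict[tuple[str, str], str]
    # Target access: (resource, action) -> roles allowed to perform it.
    target_access: dict[tuple[str, str], set[str]] = field(default_factory=dict)


def valid_attributes(policy: Policy, assertions: list[Assertion],
                     subject: str) -> set[tuple[str, str]]:
    """Keep only attributes asserted by an issuer trusted for that attribute."""
    valid: set[tuple[str, str]] = set()
    for a in assertions:
        if a.subject != subject:
            continue
        if a.issuer in policy.trusted_sources.get(a.attribute, set()):
            valid.add((a.attribute, a.value))
    return valid


def roles_for(policy: Policy, assertions: list[Assertion], subject: str) -> set[str]:
    """Roles the subject holds, derived only from validly sourced attributes."""
    attrs = valid_attributes(policy, assertions, subject)
    return {policy.role_assignment[av] for av in attrs if av in policy.role_assignment}


def decide(policy: Policy, assertions: list[Assertion], subject: str,
           resource: str, action: str) -> bool:
    """Grant if any role the subject holds is permitted the action on the resource."""
    allowed = policy.target_access.get((resource, action), set())
    return bool(roles_for(policy, assertions, subject) & allowed)


# Constructed policy: the home institution is authoritative for affiliation,
# the VO's own authority for VO roles. Hostnames use the reserved .invalid TLD.
POLICY = Policy(
    trusted_sources={
        "affiliation": {"idp.example-university.invalid"},
        "vo-role": {"vo.bioinformatics-example.invalid"},
    },
    role_assignment={
        ("affiliation", "staff"): "staff",
        ("vo-role", "analyst"): "vo-analyst",
        ("vo-role", "curator"): "vo-curator",
    },
    target_access={
        ("shared-dataset", "read"): {"vo-analyst", "vo-curator"},
        ("shared-dataset", "write"): {"vo-curator"},
    },
)

# Constructed assertions. bob's home IdP claims a VO role it has no authority
# over; the source-of-authority check drops that claim, so bob gets no VO role.
SAMPLE = [
    Assertion("alice", "affiliation", "staff", "idp.example-university.invalid"),
    Assertion("alice", "vo-role", "analyst", "vo.bioinformatics-example.invalid"),
    Assertion("bob", "affiliation", "staff", "idp.example-university.invalid"),
    Assertion("bob", "vo-role", "analyst", "idp.example-university.invalid"),
]


if __name__ == "__main__":
    for who in ("alice", "bob"):
        for act in ("read", "write"):
            print(who, act, decide(POLICY, SAMPLE, who, "shared-dataset", act))
```

The point to notice is that the "two sources of authority" problem is solved at the policy level, not by trusting whichever authority speaks last: a role is conferred only when the attribute behind it was issued by the authority the resource owner has named for it, which is why alice can read but not write, and bob, whose VO role came from the wrong issuer, can do neither.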

Linking to e-Science
- Many Grid authorisation models ...
- GGF Authorisation Working Group developing requirements summary + conceptual framework
- Work in progress on authorisation API (Welch, Chadwick et al.)
  - Incidentally expressed in SAML
  - Though may need to be revisited in the light of recent developments

The Outcome
- 34 proposals, grouped into 5 areas:
  - Technology Development (5 ‘accepted’)
  - Grid-orientated proposals (3 accepted)
  - Portal integration (2 accepted)
  - Inter-institutional collaboration (4 accepted)
  - Miscellaneous (2 accepted)
- Formally, the proposals are in the process of getting acceptance from committee members

Parallel activities
- Building a national Shibboleth service infrastructure will take place in parallel
- Existing JISC services are likely to be asked to carry out much of the work
- On a 2-year timescale, 2004/5 & 2005/6
- Will provide a critical mass of Shibboleth-accessible resources
- This work is separately funded, with an additional budget of some $5m over 3 years

Questions?