Intro to Identity for Developers Tom Barton, U Chicago Scott Cantor, Ohio State Patrick Michaud, U Washington.

Presentation transcript:

Intro to Identity for Developers
Tom Barton, U Chicago; Scott Cantor, Ohio State; Patrick Michaud, U Washington

Plan for the afternoon
- [All] Why are we here?
- [Tom] Internet2 Middleware big picture
- [Scott] Identity-enabling web applications
- Break
- [Patrick] Catalyst case study
- [Tom] Collaboration management
- [All] IAM current issues

Internet2 Middleware Initiative (I2MI) big picture themes
- Earlier
  - Identity & Access Management plumbing
  - Federations are rising
- Later
  - Identity services
  - Collaboration management

Access Management Realities
- Many Sources of Authority
  - Policy making bodies
  - Resource managers
  - Program/activity heads
  - Self
- Identification vs. authorization
- Distributed management
  - Within an organization
  - Among organizations
- Common & articulating infrastructure
  - Departments/programs/activities should not have to build their own
  - Articulate between organizations

Early I2MI revelation
- To ease the management of inter-org collaborative activities, campus IAM practices must be good enough:
  - Identification & identifiers
  - Authentication
  - Attributes
  - Common practices & standards

Pre-indoor plumbing

I2MI's notion of middleware
- Basic enterprise-wide services that are used by many applications
- Now being extended through federations to include inter-institutional and virtual organization needs
- Authentication, single sign on, directories, identifiers, authorization and privilege management
- Perhaps workflow, digital rights management, enterprise service bus and a few others
- As much policy, governance, and practice as technology

Keys to success in middleware
- Application integration
  - Administrative
  - Academic and collaborative
- Institutional and business process integration
  - Working with authoritative sources
  - Becoming an authoritative source
- People and process time, not software and hardware expense
- Making it reliable, flexible and invisible – true indoor plumbing


Identity & Access Management reflected in a campus LDAP entry
  uid: tbarton
  chicagoID: N
  eduPersonAffiliation: staff
  isMemberOf: uc:drdepts:nsit:integration
  isMemberOf: uc:adhoc:fact
  isMemberOf: uc:directors
  isMemberOf: uc:nsit:srdirs
  isMemberOf: uc:nsit:integration:iteco_wr
  isMemberOf: app:gems:44:251:staff

New tools
- Management capabilities: distributed management, namespace management, delegation, roles, privileges
- Infrastructure & application integration: externalize access management

Relative Roles of Signet & Grouper
- Users are placed into groups
- Privileges are assigned to groups
- Groups can be arranged hierarchically to give privileges indirectly
- Grouper manages groups
- Signet manages privileges
- Aligns with diverse Sources of Authority

Privilege Elements by Example
- grantor: "By authority of the Dean"
- grantee (group/role): "principal investigators"
- prerequisite: "who have completed training"
- function: "can approve purchases"
- scope: "in the School of Medicine"
- resource: "for research projects"
- limit: "up to $100,000"
- conditions (privilege lifecycle): "until January 1, 2009", "as long as a faculty member at …"
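As an added example, not code from the deck or from Grouper or Signet, the model of the last three slides in a few lines of Python: nested groups are flattened into the kind of isMemberOf values the campus LDAP entry carries, and a Dean-granted privilege is evaluated element by element. The group names, user ids and the "dean" grantor are constructed for the illustration.

```python
# Constructed illustration of the slide's Grouper/Signet model (not their own code):
# nested groups flatten to isMemberOf values; a group-assigned privilege is checked.
from dataclasses import dataclass
from datetime import date

# Grouper side: members are user ids or other group names. The uc:... names are
# hypothetical, in the style of the slide's LDAP entry.
GROUPS = {
    "uc:som:faculty": {"tbarton", "uc:som:pi"},  # nested: every PI is faculty
    "uc:som:pi": {"alice", "bob"},                # principal investigators
    "uc:som:pi:trained": {"alice"},               # completed training
    "uc:directors": {"tbarton"},
}
def effective_groups(subject, groups=GROUPS):
    """Direct plus indirect memberships, i.e. the isMemberOf values an LDAP
    entry would carry; the `name not in result` test stops cyclic nesting."""
    result, todo = set(), [subject]
    while todo:
        member = todo.pop()
        for name, members in groups.items():
            if member in members and name not in result:
                result.add(name)
                todo.append(name)  # groups containing this group also count
    return result

@dataclass(frozen=True)
class Privilege:          # the elements from the "Privilege Elements" slide
    grantor: str
    grantee: str          # group/role
    prerequisite: str     # group the grantee must also belong to
    function: str
    scope: str
    resource: str
    limit: int
    until: date           # conditions: lifecycle end ...
    as_long_as: str       # ... and a membership the privilege depends on

# "By authority of the Dean, principal investigators who have completed training
# can approve purchases in the School of Medicine for research projects up to
# $100,000 until January 1, 2009, as long as a faculty member."
DEAN_GRANT = Privilege("dean", "uc:som:pi", "uc:som:pi:trained", "approve purchases",
                       "School of Medicine", "research projects", 100_000,
                       date(2009, 1, 1), "uc:som:faculty")
def may(subject, function, scope, resource, amount, today, priv=DEAN_GRANT):
    """Deny unless every element matches; `today` is an ISO date string."""
    g = effective_groups(subject)
    return (priv.grantee in g and priv.prerequisite in g and priv.as_long_as in g
            and (function, scope, resource) == (priv.function, priv.scope, priv.resource)
            and amount <= priv.limit and date.fromisoformat(today) < priv.until)
```

Note that bob, a PI who has not completed training, and tbarton, faculty but not a PI, are both denied even though each holds some of the required memberships.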

Multi-domain access scenarios
- Single domain: University (usually!)
- Single service domain, two user domains: campus services & users, plus "guests"
- Single service domain, many user domains: Higher Ed service providers such as … library services, administrative ASPs, direct-to-student services
- Many service domains, many user domains: state & regional consortia; some Virtual Orgs or Collaborative Orgs; some grid infrastructures
- Sources of Authority & access management infrastructure are distributed across domains

Federated Identity, à la Shibboleth (diagram labelled "IdP" and "SP")

The rise of federations
- Federations are now occurring broadly, and internationally, to support inter-institutional and external partner collaborations
- Almost all in the corporate world are bilateral; almost all in the R&E world are multilateral
- They provide a powerful leverage of enterprise (campus, site) credentials
- Federations are learning to peer
- Internal federations are also proving useful

InCommon Federation: Essential Data
- US R&E Federation, a 501(c)3
- Addresses legal, LoA, shared attributes, business proposition
- Members are universities, service providers, government agencies, national labs
- Over 80 organizations and growing steadily
- 1.7 million user base now
- Uses range over popular and academic content, wiki and list controls, ASPs, NIH, MS DreamSpark, …

InCommon Federation: Essential Services
- Trust fabric: metadata so that IdPs & SPs can mutually authenticate & interoperate
- Multilateral agreement among federation participants: agree to actually operate as they claim to
- A "Where Are You From" service available

Example: TeraGrid and multiple domains (diagram: Campus, Science Gateway, InCommon Federation and TeraGrid Resources, with ~10, ~20 and ~125 sites; flows labelled "provision accounts", "attributes", "run" and "monitor")

Many technologies (diagram: "In the cloud"; Service; Self Identity and Attributes; Org Identity and Attributes)

Identity Services
- Decouple application design from implementation of identity services
(diagram: Application using identity services for Attributes, Privs, Groups, Identity Introduction and Authentication)

Collaboration and Federated Identity
- Two powerful forces being leveraged
  - the rise of federated identity
  - the bloom in collaboration tools, most particularly in the Web 2.0 space but including file shares, list procs, etc.
- Collaboration management platforms provide identity services to "well-behaved collaboration applications"
- Results in user- and collaboration-centric identity, not tool-based identity

Collaboration Management Platforms
- Management of collaboration is a real impediment to collaboration, particularly with the growing variety of tools
- Goal is to develop a "platform" for handling the identity management aspects of many different collaboration tools
- Platform includes a framework and model, specific running code that implements the model, and applications that take advantage of the model
- This space presents possibilities of improving the overall unified UI as well as the UI for specific applications and components

COmanage
- A collaboration management platform, supported in part by an NSF OCI grant, being developed by the Internet2 community, with Stanford as a lead institution
- Open source, open protocol
- Uses Shibboleth, Grouper, and Signet
- Parallels activities in the UK and Australia

COmanageable applications
- Already done: Sympa, federated wikis, Asterisk (open-source IP audioconferencing), Dim-Dim (open-source web meeting), Bedework (federated open-source calendar)
- Immediate targets: rich access-controlled wikis; web-based file shares, IM, Google Apps for Education
- Domain science resources: instruments, grids

Some general COmanage comments
- A limited number of consoles present the basic identity services; can move directly between services as a standard workflow
- Early in the development; the GUI is particularly primitive
- Underlying store is an LDAP directory; alternatives include a MySQL db, RTF store, etc.
- COmanage can be deployed by a campus, a department, a VO, a VO service center; COmanage instances communicate with each other by the "attribute ecosystem" voodoo

Collaboration Management Platform (CMP) and the Attribute Ecosystem (diagram: Home Org & Id Providers / Sources of Authority: University A, University B, Laboratory X; Collaboration Management Platform: Authentication, Authorization – Group Info, Authorization – Privilege Info, People Picker, Other Functions, Attribute/Resource Info Data Store; Collaboration Tools/Resources: Federated Wiki, Domain Science Grid, Domain Science Instrument, File Sharing, Calendar, Phone/Video Conference, List Manager; Attribute Ecosystem Flows carry application attributes between them)

Current issues in IAM
- Level of Assurance
- Campus roles
- Shibboleth & Active Directory
- OpenID and (campus) attributes
- Privacy & consent
- Guest management