Maturation & Convergence in Authentication & Authorization Services in US Higher Education: Keith Hazelton, Sr. IT Architect, University of Wisconsin-Madison.

Maturation & Convergence in Authentication & Authorization Services in US Higher Education
Keith Hazelton, Sr. IT Architect, University of Wisconsin-Madison; Internet2 MACE
20th APAN, Taipei, Taiwan, August 24, 2005

2 Topics
- Middleware service layer concepts & models
- Roots of the Internet2 middleware initiative
- Growing relevance of middleware for network layer services and Grid services
- Possible paths of convergence

3 What is Identity Management?
Identity and Access Management (IAM) defined:
“Identity [and access] management is the set of business processes, and a supporting infrastructure, for the creation, maintenance, and use of digital identities.”
The Burton Group (a research firm specializing in IT infrastructure for the enterprise)

4 The IAM Stone Age
List of functions:
- AuthN: Authenticate principals (people, servers) seeking access to a service or resource
- Log: Track access to services/resources

5 The IAM Stone Age
- Every application for itself in performing these functions
- A user list plus credentials: if you’re on the list, you’re in (AuthN doubles as authorization, AuthZ)
- As Hobbes might say: Stone Age IAM is “nasty, brutish & short on features”

6 Vision of a better way to do IAM
- IAM as a middleware layer at the service of any number of applications
- Requires an expanded set of basic functions:
  - Reflect: Track changes to institutional data from changes in Systems of Record (SoR) & other IdM components
  - Join: Establish & maintain person identity across multiple independent sources of person information
    - Human Resources and Student Info. Systems
    - …or Department X and Department Y IT systems

7 Vision of a better way to do IAM
More in the expanded set of basic functions:
- Credential: Issue digital credentials to people in the community
- Manage Affiliations: Manage affiliation and group information
- Manage Privileges: Manage privileges and permissions at the system and resource level
- Provision: Push IAM info out to systems and services as required
- Deliver: Make access control / authorization information available to services and resources at run time
- AuthZ: Make the allow/deny decision independently of AuthN

8 IAM functions

Function              Role
Reflect               Data of interest
Join                  Identity across SoR
Credential            NetID, other
Manage Affil/Groups   AuthZ info
Manage Privileges     More AuthZ info
Provision             For legacy applications
Deliver               Get AuthZ info to app
Authenticate          Check identity claim
Authorize             Make allow/deny decision
Log                   Track usage for audit

9 Roots of the Internet2 Middleware Initiative
- Stated goal is to support the educational institution as a whole in its various missions
- Requires focus on the entire population of service consumers (students, staff, researchers, lecturers, etc.)
- Plus two critical requirements:
  - Scalability
  - Flexibility

10 Basic IAM functions mapped to the Internet2 NMI / MACE components
[Diagram: Systems of Record (Student, HR, Other) feed a Registry, which populates the Enterprise Directory (LDAP)]

11 Basic IAM functions mapped to the Internet2 NMI / MACE components
[Diagram: Systems of Record feed the Enterprise Directory; Grouper (groups) and Signet (privileges) contribute to it; WebISO and Shibboleth sit between the directory and Apps / Resources]

12 Middleware becoming crucial to network and Grid communities
- QoS, authenticated network access and network services all require the IAM suite of functions
- Grid services need that PLUS support for multiple-institution virtual organizations (VOs)
- Middleware becomes crucial in both for
  - Scalability
  - Flexibility

13 The GridShib picture
[Diagram: Campus User, campus Shibboleth (attribute authority), Grid Service]
(0) Attribute Release Policy: held at the campus Shibboleth side, governs what may be disclosed about the user
(1) Grid Authentication: the campus user authenticates to the Grid Service
(2) Shib Attribute Request: the Grid Service asks Shibboleth for the user's attributes
(3) Attributes: Shibboleth returns the attributes the release policy permits
(4) Attribute-based authorization: the Grid Service makes the allow/deny decision from those attributes
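The release and authorization steps of this picture, written out as an added example (not code from GridShib or Shibboleth): step (0) is a per-service release policy at the campus side, steps (2)-(3) answer an attribute request under that policy, and step (4) is the Grid service's allow/deny decision made from attributes alone. The policy shapes are simplified (a Shibboleth IdP states release policy in its attribute-filter configuration, and GridShib carried the attributes in SAML); the service entityIDs, URN values and the directory entry are constructed assumptions.

```python
"""Attribute release at the campus and attribute-based authorization at
the Grid service, following steps (0) and (2)-(4) of the GridShib
picture. Added illustration; not GridShib or Shibboleth code. The
entityIDs, URNs, directory entry and policy formats are constructed.
"""

# (0) Attribute release policy (ARP), keyed by the requesting service's
# entityID: attribute -> predicate deciding whether a value may go out.
# An SP with no entry receives nothing: release fails closed.
ARP = {
    "https://grid.example.org/shibboleth": {
        "eduPersonAffiliation": lambda v: True,
        # Only grid-related groups leave campus; other memberships stay private.
        "isMemberOf": lambda v: v.startswith("urn:mace:example.edu:groups:grid-"),
        "eduPersonEntitlement": lambda v: v.startswith("urn:mace:example.edu:entitlement:grid"),
    },
}

# (4) Grid service policy: a resource is granted if any listed
# (attribute, value) pair appears in the released attributes.
GRID_POLICY = {
    "/compute": [
        ("eduPersonEntitlement", "urn:mace:example.edu:entitlement:grid"),
        ("isMemberOf", "urn:mace:example.edu:groups:grid-users"),
    ],
    "/admin": [("isMemberOf", "urn:mace:example.edu:groups:grid-admins")],
}

# Constructed directory entry behind the campus attribute authority.
DIRECTORY = {
    "jdoe": {
        "eduPersonAffiliation": ["employee", "member", "student"],
        "isMemberOf": [
            "urn:mace:example.edu:groups:grid-users",
            "urn:mace:example.edu:groups:physics-faculty",
        ],
        "eduPersonEntitlement": ["urn:mace:example.edu:entitlement:grid"],
    }
}


def release_attributes(sp_entity_id, uid, directory=DIRECTORY, arp=ARP):
    """(2)-(3): answer an attribute request from sp_entity_id about uid,
    releasing only attribute values the ARP allows for that SP."""
    policy = arp.get(sp_entity_id, {})
    released = {}
    for attr, values in directory.get(uid, {}).items():
        rule = policy.get(attr)
        if rule is None:
            continue  # attribute not releasable to this SP at all
        kept = [v for v in values if rule(v)]
        if kept:
            released[attr] = kept
    return released


def authorize(resource, attributes, policy=GRID_POLICY):
    """(4): allow/deny from attributes alone, independent of AuthN.

    A principal who authenticated in step (1) but whose campus released
    nothing useful is denied; an unknown resource is denied as well.
    """
    return any(
        value in attributes.get(attr, [])
        for attr, value in policy.get(resource, [])
    )


if __name__ == "__main__":
    attrs = release_attributes("https://grid.example.org/shibboleth", "jdoe")
    print("released:", attrs)
    for res in ("/compute", "/admin"):
        print(res, "allow" if authorize(res, attrs) else "deny")
```

The point worth noticing is the two independent fail-closed defaults: an unknown SP gets no attributes at all, and a resource with no matching rule is denied even for a fully authenticated user, which is what "make the allow/deny decision independently of AuthN" on slide 7 means in practice.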

14 Getting Attributes into a Site’s Attribute Authority
[Diagram: Core Business Systems (SIS, HR) and other on-site authorities feed Loaders into a Person Registry; the Grouper UI maintains a Group Registry and the Signet UI a Privilege Registry, with off-site authorities also contributing; these populate the LDAP directory that Shibboleth / GridShib uses as the Attribute Authority]
Example LDAP entry:
uid: jdoe
eduPersonAffiliation: …
isMemberOf: …
eduPersonEntitlement: …
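The loader-to-directory path of this slide, and the Join, Manage Affiliation and Provision functions of slides 6-8, as an added example (not code from the talk or from any Internet2 component): two constructed system-of-record extracts are joined into a person registry, then each record is shaped into the eduPerson attributes the attribute authority serves. The extract layouts, the institutional ID used as the join key, the group registry, the entitlement mapping and the NetID rule are all assumptions made for the example.

```python
"""Join two systems of record into a person registry and provision the
result as eduPerson attributes. Added illustration of slides 6-8 and 14;
not code from the talk or any Internet2 component. Record layouts, the
inst_id join key, group registry and URN values are constructed.
"""
from dataclasses import dataclass, field

# Constructed extracts from two systems of record (SoR). Assumption:
# the campus issues one institutional ID (inst_id) to a person before
# either HR or the student system creates a record for them.
HR_EXTRACT = [
    {"inst_id": "10001", "sn": "Doe", "givenName": "Jane", "status": "active"},
    {"inst_id": "10002", "sn": "Roe", "givenName": "Rex", "status": "terminated"},
]
SIS_EXTRACT = [
    {"inst_id": "10001", "sn": "Doe", "givenName": "Jane", "enrolled": True},
    {"inst_id": "10003", "sn": "Poe", "givenName": "Pat", "enrolled": True},
]

# Constructed group registry (the kind of data Grouper holds): group -> inst_ids.
GROUP_REGISTRY = {
    "urn:mace:example.edu:groups:grid-users": {"10001"},
    "urn:mace:example.edu:groups:library-staff": {"10002"},
}
# Constructed privilege mapping (the kind of data Signet holds): group -> entitlement.
ENTITLEMENTS_BY_GROUP = {
    "urn:mace:example.edu:groups:grid-users": "urn:mace:example.edu:entitlement:grid",
}


@dataclass
class Person:
    inst_id: str
    sn: str
    given_name: str
    affiliations: set = field(default_factory=set)
    sources: set = field(default_factory=set)


def join_registry(hr_rows, sis_rows):
    """Build the person registry by joining on the issued inst_id only.

    The dangerous failure of a registry is a false join: merging two
    people hands one of them the other's affiliations and groups. So
    this join never matches on names, and a record that shares an
    inst_id but disagrees on the name is raised as a conflict to be
    resolved by hand rather than silently merged.
    """
    registry = {}

    def upsert(row, source, affiliation):
        p = registry.setdefault(
            row["inst_id"], Person(row["inst_id"], row["sn"], row["givenName"])
        )
        if (p.sn, p.given_name) != (row["sn"], row["givenName"]):
            raise ValueError(f"identity conflict for {row['inst_id']} from {source}")
        p.sources.add(source)
        if affiliation:
            p.affiliations.add(affiliation)

    for row in hr_rows:
        upsert(row, "HR", "employee" if row["status"] == "active" else None)
    for row in sis_rows:
        upsert(row, "SIS", "student" if row["enrolled"] else None)
    return registry


def to_ldap_entry(person, groups=GROUP_REGISTRY, entitlements=ENTITLEMENTS_BY_GROUP):
    """Provision one registry record as the LDAP attributes of slide 14.

    eduPersonAffiliation gets 'member' when any active affiliation
    exists and 'affiliate' otherwise, so a terminated employee loses
    institutional privileges but stays resolvable. The NetID (uid)
    scheme is a constructed first-initial-plus-surname rule.
    """
    affiliations = set(person.affiliations)
    affiliations.add("member" if affiliations else "affiliate")
    member_of = sorted(g for g, ids in groups.items() if person.inst_id in ids)
    return {
        "uid": f"{person.given_name[0]}{person.sn}".lower(),
        "eduPersonAffiliation": sorted(affiliations),
        "isMemberOf": member_of,
        "eduPersonEntitlement": sorted({entitlements[g] for g in member_of if g in entitlements}),
    }


if __name__ == "__main__":
    for person in join_registry(HR_EXTRACT, SIS_EXTRACT).values():
        print(to_ldap_entry(person))
```

Entitlements are derived from group membership rather than stored per person, so revoking a group membership in the group registry removes the entitlement on the next provisioning pass; that is the "Reflect" function of slide 6 doing its job.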

15 Do APAN attendees thus represent a new market for I2-style middleware?
If so, what are likely paths of collaboration and convergence?
- SAML, WS-* and PKI interoperability to bring institutional IAM and Grid IAM into alignment (see Project GridShib & JISC news)
- IAM infrastructures at departmental as well as institutional levels
- Federations as organizational umbrellas for VOs
- A quick glance at federation-building initiatives

16 Federation Value Proposition
A set of cooperating IdPs and SPs forms a community needing agreement on:
- Trust fabric
  - X.509 certs
  - IdP and SP identifiers & other metadata
- Community standard for attribute semantics
- Community standards for IdP and SP operational practices
  - Strength of authentication
  - Confidentiality
For N IdPs and M SPs, which is easier: N*M bilateral agreements, or N+M agreements with the federation?
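What the "trust fabric" items amount to in code, as an added example (not code from InCommon, Shibboleth or any federation operator): federation metadata names each member by entityID, its role, and the X.509 certificates it signs with, and a service checks an assertion's issuer and signing key against that metadata rather than against whatever key the message carries. The metadata document, entityIDs and certificate bytes are constructed (the base64 is a placeholder, not a real DER certificate); full XML-Signature verification of the assertion is out of scope and needs a library such as python-xmlsec, so this shows only the pinning decision.

```python
"""Federation trust fabric: pin an IdP's signing key from federation
metadata and refuse assertions whose issuer or key the metadata does
not vouch for. Added illustration, not federation or Shibboleth code.
The metadata, entityIDs and certificate bytes are constructed.
"""
import base64
import hashlib
import xml.etree.ElementTree as ET

NS = {
    "md": "urn:oasis:names:tc:SAML:2.0:metadata",
    "ds": "http://www.w3.org/2000/09/xmldsig#",
}

# Placeholders standing in for DER certificates; not real certificates.
PLACEHOLDER_CERT = base64.b64encode(b"constructed placeholder, not a real certificate").decode()
ROGUE_CERT = base64.b64encode(b"key presented in a message but absent from metadata").decode()

# Constructed federation metadata: one IdP with a signing key, one SP.
FEDERATION_METADATA = f"""<md:EntitiesDescriptor xmlns:md="{NS['md']}" xmlns:ds="{NS['ds']}"
    Name="urn:mace:example-federation">
  <md:EntityDescriptor entityID="https://idp.example.edu/shibboleth">
    <md:IDPSSODescriptor protocolSupportEnumeration="urn:oasis:names:tc:SAML:2.0:protocol">
      <md:KeyDescriptor use="signing">
        <ds:KeyInfo><ds:X509Data><ds:X509Certificate>{PLACEHOLDER_CERT}</ds:X509Certificate></ds:X509Data></ds:KeyInfo>
      </md:KeyDescriptor>
    </md:IDPSSODescriptor>
  </md:EntityDescriptor>
  <md:EntityDescriptor entityID="https://grid.example.org/shibboleth">
    <md:SPSSODescriptor protocolSupportEnumeration="urn:oasis:names:tc:SAML:2.0:protocol"/>
  </md:EntityDescriptor>
</md:EntitiesDescriptor>"""


def fingerprint(cert_b64):
    """SHA-256 over the decoded certificate bytes; tolerant of the
    line wrapping metadata files usually apply to base64."""
    return hashlib.sha256(base64.b64decode("".join(cert_b64.split()))).hexdigest()


def load_trust_fabric(metadata_xml):
    """Index metadata by entityID: roles plus pinned signing-key fingerprints.

    A KeyDescriptor without a 'use' attribute applies to both signing
    and encryption, so it is pinned as a signing key as well.
    """
    fabric = {}
    root = ET.fromstring(metadata_xml)
    for ed in root.findall("md:EntityDescriptor", NS):
        roles = set()
        if ed.find("md:IDPSSODescriptor", NS) is not None:
            roles.add("IdP")
        if ed.find("md:SPSSODescriptor", NS) is not None:
            roles.add("SP")
        fps = set()
        for kd in ed.findall(".//md:KeyDescriptor", NS):
            if kd.get("use", "signing") != "signing":
                continue
            cert = kd.findtext(".//ds:X509Certificate", namespaces=NS)
            if cert:
                fps.add(fingerprint(cert))
        fabric[ed.get("entityID")] = {"roles": roles, "signing_fingerprints": fps}
    return fabric


def trusted_issuer(issuer, presented_cert_b64, fabric):
    """Accept only if issuer is a federation IdP and the key that signed
    the message is one the federation pinned for it. A certificate
    carried inside the message (ds:KeyInfo) proves nothing by itself."""
    entry = fabric.get(issuer)
    if entry is None or "IdP" not in entry["roles"]:
        return False
    return fingerprint(presented_cert_b64) in entry["signing_fingerprints"]


if __name__ == "__main__":
    fabric = load_trust_fabric(FEDERATION_METADATA)
    print(trusted_issuer("https://idp.example.edu/shibboleth", PLACEHOLDER_CERT, fabric))
```

This is where N+M beats N*M: each member agrees once with the federation operator on its entityID and keys, the operator publishes (and signs) the aggregate, and every SP pins keys from that one document instead of exchanging certificates with each IdP separately. The corresponding operational duty is to fetch the metadata over a trusted channel, verify the operator's signature on it, and refresh it so revoked or rotated keys drop out.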

17 The Research and Education Federation Space Today
[Diagram of the R&E federation (REF) cluster: InQueue (a starting point), InCommon, SWITCH, The Shib Research Club, other national nets, other clusters; other potential US R+E federations: State of Penn Fin Aid Assoc, NSDL, Indiana; “slippery slope”: Med Centers, etc.]

18 Specific possibilities
- Participate in beta testing of middleware components to get your requirements into the development stream
- Participate in middleware-enhanced VO trials
- Others???

19 Q & A
Grouper: http://middleware.internet2.edu/dir/groups/grouper