Middleware Planning and Deployment 101: Setting the Stage Keith Hazelton, University of Wisconsin-Madison/Internet2 Renee Woodten Frost, Internet2/University of Michigan

March 24, 2003Middleware Planning and Deployment Agenda Introductions Middleware: What and Why? Concepts and Architectures Discussion Break Building a Business Case Discussion Research and Resources

March 24, 2003Middleware Planning and Deployment MW 101 Outcomes 1.Understand what middleware is 2.Recognize the value of a common middleware architecture 3.Begin planning for your own business case

March 24, 2003Middleware Planning and Deployment Middleware in Action

March 24, 2003Middleware Planning and Deployment Dr. Alice Agnew has just been hired to Chair the Dept. of Physiology and is very anxious to get access to campus IT resources such as e- mail, calendar, web services and the mainframe and cannot wait for the requisite 3-5 business days it takes to get the accounts setup. Since IT already knows of her through the HR system, she can use a self-service interface to accomplish this goal. And because her new institution has her new credentials, she does not need to give her research consortium new credentials.

March 24, 2003Middleware Planning and Deployment Dr. Alice Agnew Self-registration Minimal time delay for enabling services Administrative data flows to research applications Administrative and security services integration Privacy trust Inter-organizational impact University vouches for and acts on behalf of Alice

March 24, 2003Middleware Planning and Deployment Mary has been reported to the Dean of Students for plagiarism. Through the campus portal, the Dean with authorization, accesses the Student Information System, where he searches for Mary’s record. He places an electronic “hold” on it and sends an to Mary requesting her presence at a preliminary discipline hearing. Minutes later, Mary cannot check out library books, enter restricted labs, use the student health facilities, or access her computer files. After reviewing Mary’s case, the Dean finds the accusation in error and removes the “hold,” restoring Mary’s access within minutes.

March 24, 2003Middleware Planning and Deployment Mary Decision maker performs action Integration of services Increased security Status change affects service offerings Short-time to disable and enable services Suite of services

March 24, 2003Middleware Planning and Deployment Sam is taking a class in genetics at Alpha U and needs to do some research for a paper. At lunch, he goes online to access a restricted EBSCO database AU shares with Beta U. A window pops up in the browser asking if it’s okay for AU to give EBSCO information about his status --- only students from subscribing institutions can access the database. He clicks ok, knowing that only his status is passed, not his name or contact information. The browser then loads the restricted website.

March 24, 2003Middleware Planning and Deployment Sam Privacy trust Sam controls personal information flow Administrative and security services integration Inter-campus access University vouches for and acts on behalf of Sam

March 24, 2003Middleware Planning and Deployment What is IT being asked to do? One stop for university services (portal) integrated with course management systems -for-life Automatic creation and deletion of computer accounts Submission and/or maintenance of information online Privacy protection

March 24, 2003Middleware Planning and Deployment More on the “to do” list Multi-campus scanning electron microscopes Integrated voic , , and faxmail for Advancement staff Secure PDA and wireless support All-campus announcements (spam) Expensive library databases shared with other schools by joint agreement Browser or desktop preferences follow you

March 24, 2003Middleware Planning and Deployment What questions are common to these scenarios? Are the people using these services who they claim to be? Are they a member of our campus community? Have they been given permission? Is their privacy being protected? What is the answer…?

March 24, 2003Middleware Planning and Deployment Enterprise Middleware Definitions

March 24, 2003Middleware Planning and Deployment Middleware Specialized networked services that are shared by applications and users A set of core software components that permit scaling of applications and networks Tools that take complexity out of application integration A second layer of the IT infrastructure, sitting above the network A land where technology meets policy The intersection of what networks designers and applications developers each do not want to do

March 24, 2003Middleware Planning and Deployment Map of Middleware Land

March 24, 2003Middleware Planning and Deployment What is middleware? Suite of campus-wide security, access, and information services –Integrates data sources and manages information about people and their contact locations –Establishes electronic identity of users –Uses administrative data to assign affiliation and gives permission to use services based on that role

March 24, 2003Middleware Planning and Deployment Definitions: Identifiers Identifiers– your electronic identification –Multiple names and corresponding information in multiple places –Single unique identifier for each authorized user –Names and information in other systems can be cross-linked to it Admin systems, library systems, building systems

March 24, 2003Middleware Planning and Deployment Definitions: Authentication Authentication – maps the physical you to an electronic identifier –Password authentication most common –Security need should drive authentication method –Distance learning and inter-campus applications

March 24, 2003Middleware Planning and Deployment Definitions: Authorization Authorization services – allowing you access to data and services –Affiliated with the school (role) –Permitted to use the services based on that role

March 24, 2003Middleware Planning and Deployment Definitions: Enterprise Directory Services Enterprise Directory services - where your electronic identifiers are reconciled and basic characteristics are kept –Very quick lookup function –Machine address, voice mail box, box location, address, campus identifiers

Underlying Concepts & Architecture

March 24, 2003Middleware Planning and Deployment What IT needs to do Determine who you are Determine what resources you can use

March 24, 2003Middleware Planning and Deployment What IT needs to do Possible ways it might do that –Ask you to login and look up info in its own database. –Ask you to login in and look up info in a common database. –Trust some other source to assert needed info (and other source might ask you to login). Examples –Videoconference: current network address –Video for course: enrolled in the course – or calendar: University username –Library resource: current member of the set of licensees

March 24, 2003Middleware Planning and Deployment Pause for some terminology Identity: set of attributes. Attributes: specific information stored about you. Authentication: process used to prove your identity. Often a login process. Authorization: process of determining if policy permits an intended action to proceed. Customization: presentation of user interface (UI) tailored to user’s identity.

March 24, 2003Middleware Planning and Deployment Three service architectures: #1 Stovepipe (or Silo) Service performs its own authentication. Consults own database for authorization and customization attributes. service authNattrs

March 24, 2003Middleware Planning and Deployment #1 Stovepipe (or Silo) Architecture Characteristics Stovepipes authentication and attribute services are run by separate offices. –Environment is more challenging to users, who may need to contact each office to arrange for service. –No automated life cycle management of resources. –Per-service identifiers and security practices make it more difficult to achieve a given level of security across the enterprise.

March 24, 2003Middleware Planning and Deployment Three service architectures: #2 Integrated Service refers authentication to and obtains attributes for authorization and customization from enterprise infrastructure services. service1 authentication service attribute service service2 An Organization

March 24, 2003Middleware Planning and Deployment #2 Integrated Architecture Characteristics Enterprise authentication and attribute services are run by a central office. –All attributes known by the organization about a member can be integrated and made available to services. –Automated life cycle resource management is possible across the enterprise. –Common identifiers across integrated services make an easier and more secure user environment.

March 24, 2003Middleware Planning and Deployment Three service architectures: #3 Federated Service refers authentication to and obtains attributes for authorization and customization from possibly external infrastructure services. service authentication service attribute service Organization 1Organization 2

March 24, 2003Middleware Planning and Deployment #3 Federated Architecture Characteristics Federated authentication and attribute services rely on participating organization’s enterprise services. Inter-organizational applications such as Grids and digital-library content provision are integrated with and facilitated by enterprise services.

March 24, 2003Middleware Planning and Deployment Middleware Initiative Objective Help prepare campuses to implement core middleware for an integrated and ultimately a federated architecture. service1 authentication service attribute service service2 An Organization

March 24, 2003Middleware Planning and Deployment Core middleware for an integrated architecture

March 24, 2003Middleware Planning and Deployment Vignettes Revisited

March 24, 2003Middleware Planning and Deployment Vignette analysis Set of vignettes portray: –Seamlessness of transitions between services –Independence of location of service or user –Suites of services designed to support activities of different constituencies –Absence of need to make prior arrangement for resources required to enable services –Services rendered in airport waiting areas remotely

March 24, 2003Middleware Planning and Deployment Provisioning Vignette Provisioning Vignette: Dr. Alice Agnew begins as department chair to model HRS Metadirectory Acct Init Service authN attrs

March 24, 2003Middleware Planning and Deployment Integrated Services Vignette Integrated Services Vignette: Mary accused of plagiarism to model Mailbox Building access Lib Proxy Files authN attrs Health Facilities

March 24, 2003Middleware Planning and Deployment Federated/Restricted Resources Vignette Federated/Restricted Resources Vignette: Sam using remote, online database  University  University Federation Database1 Database 2 Content Provider

March 24, 2003Middleware Planning and Deployment Refreshment Break

Building the Business Case

March 24, 2003Middleware Planning and Deployment Business Case Components By definition, middleware cannot be effective unless it maps closely to an institution’s business policies and practices. In this context, a strong business case will… Outline the Institution-specific Drivers Articulate the Opportunities & Challenges Define the Benefits Enumerate the Costs

March 24, 2003Middleware Planning and Deployment Groups to Consider Business case audience –Select stakeholders and possible champions Stakeholders –Executive Leadership –Business and Finance VPs –HR Directors and Registrars –CIOs –IT staff –Program Directors and Data Stewards –Auditors and Risk Managers –Faculty –Staff –Students

March 24, 2003Middleware Planning and Deployment Institution-specific Drivers Internal Drivers –Specific application(s) –Financial –User expectations External Drivers –Federal/state legislation –E-enterprise functions –Inter-institutional collaboration

March 24, 2003Middleware Planning and Deployment Opportunities Legislative pressure to reduce paperwork, secure information, and deploy electronic services (grants, financial aid, HIPAA, etc.) Interdisciplinary and inter-institutional research and collaboration Changing needs of teaching and learning User expectations of access to technology Budgetary pressures

March 24, 2003Middleware Planning and Deployment Benefits to the Institution Economies for central IT - reduced account management, tighter network security… Economies for distributed IT - reduced administration, access to better information, easier integration of depart. applications... Improved services for students and faculty - access to scholarly information, control of personal data, reduced legal exposures... Participation in future shared environments - Grids, videoconferencing, digital libraries, etc. Participation in new collaborative initiatives - Shibboleth, Inter-institutional resource sharing…

March 24, 2003Middleware Planning and Deployment Benefits: Specifically.. Achieves Economies for Central and Distributed IT organizations –Access to primary user identity sources such as HR, Payroll, SIS, and secondary sources such as library, parking, alumni assoc., etc. can be more effectively managed by fewer people saving time and money –Access to any one of these services can be enabled or disabled more readily –Access to a range of services can be accomplished more quickly and in a more coordinated manner –Deployment time for new applications is reduced

March 24, 2003Middleware Planning and Deployment Benefits: Specifically.. Enhanced Security –A secure enterprise directory can: Be used to manage access to multiple apps/services (web, remote access, etc.) to the entire institutional community Facilitate differential access to wireless ports, restricted content, restricted listservs, etc. Allow identity management to be administered by fewer staff Simplified Network and on-line service access –A common middleware infrastructure can enable single sign-on access to a larger range of customized and personalized services

March 24, 2003Middleware Planning and Deployment Challenges Investing the time and effort for planning, review and negotiation Surviving the politics of reviewing/revising data stewardship policies and procedures Resource reallocation – People and $$! Covering up-front costs Finding $$ to build/maintain data feeds from authoritative data sources to central directory Potential legal risk WRT publishing personal data in white pages

March 24, 2003Middleware Planning and Deployment Expected Costs to the Institution Modest increases in capital equipment and staffing requirements for central IT Considerable time and effort to conduct campus wide planning and vetting processes One-time costs to retrofit some applications to new central infrastructure One-time costs to build feeds from legacy source systems to central directory services The political wounds from the reduction of duchies in data and policies

March 24, 2003Middleware Planning and Deployment Enterprise Directory Costs Phase 1: Building the Enterprise Directory –Hire new staff vs. Repurpose current staff –New equipment/software vs. Use of existing resources Phase 2: Deploying Applications –Application dependent, but ROI is high considering: Cost Savings Lost Productivity Increased Opportunity Increased Security

March 24, 2003Middleware Planning and Deployment Where are you in your business case process?

Research and Resources

March 24, 2003Middleware Planning and Deployment Research Community Expert, diverse leadership and collaborators Broad participation and review –MACE and related working groups –NSF catalytic grants –Early Adopters –Higher Education Partners campuses, CNI, CREN, GRIDS, NACUBO, NACUA… –Government Partners NSF, NIH, NIST, fPKI TWG… –Corporate Partners Liberty Alliance, IBM, Sun, WebCt, Radvision, … –International communities –Standards bodies IETF, ITU, OASIS

March 24, 2003Middleware Planning and Deployment NSF Middleware Initiative NSF award for middleware integrators to –GRIDS Center Globus (NCSA, UCSD, University of Chicago, USC/ ISI, and University of Wisconsin) –NMI-EDIT Consortium Internet2, EDUCAUSE, and SURA Separate awards to academic pure research components Build on the successes of the Globus project and Internet2/MACE initiative Multi-year effort A practical (deployment) activity that necessitates some research Releases occur every six months, roughly May and October

March 24, 2003Middleware Planning and Deployment Research Working Groups/Projects Directories –Group Utilities –Directory Management Utilities –Practice Papers and Implementation Roadmap –Directory Schema Shibbolet: Inter-institution web access PKI: HEPKI-TAG & PAG, S/MIME, PKI Labs Middleware for Video – VC, Video on Demand Medical Middleware

March 24, 2003Middleware Planning and Deployment Enterprise Middleware Resources Available NMI-EDIT Release Components Software Directory Object Classes Conventions and Practices Recommended Practices White Papers Policies Services

March 24, 2003Middleware Planning and Deployment Enterprise Middleware Educational Opportunities Workshops –Pre-conference Seminars at EDUCAUSE Regional Meetings (Like this one) –Campus Architectural Middleware Planning Workshops CAMP – June 4-6, 2003 –Management and Technical staff –Campuses beginning implementations Advanced CAMP– July 9-11, 2003 –Highly technical –Research topics –Campuses with mature directory and authentication infrastructures

March 24, 2003Middleware Planning and Deployment On-line Resources Available Introductory Documents –Sample Middleware Business Case and corresponding Writer’s Guide –Identifiers, Authentication, and Directories: Best Practices for Higher Education –Identifier Mapping Template and Campus Examples See resource list

March 24, 2003Middleware Planning and Deployment Websites Look for the Enterprise Implementation Directory Roadmap Coming in April! Middleware information and discussion lists NMI lists (see websites) EDUCAUSE Constituency Group on Middleware Coming Soon! Websites and Discussion Lists

March 24, 2003Middleware Planning and Deployment Contacts Keith Hazelton University of Wisconsin-Madison/Internet2 Renee Woodten Frost Internet2/University of Michigan