Integrated Identity and Access Management with I2MI Tools Integ-tb-kh-01.ppt Tom Barton, U Chicago Keith Hazelton,

Slides:



Advertisements
Similar presentations
EduPerson and Federated K-12 Activities InCommon/Quilts Pilot Group February 27, 2014 Keith Hazelton UW-Madison, InCommon/I2.
Advertisements

 Troy Hopwood Program Manager Microsoft Corporation BB53.
EuroCAMP: Porto An Introduction to Identity and Access Management Borrowed from Keith Hazelton Sr. IT Architect, University of.
Managing Authorization with Signet and Grouper Tom Barton, University of Chicago Lynn McRae, Stanford University Tom Barton, University of Chicago Lynn.
Integration Technologies for Grouper & Signet Tom Barton, U Chicago Joy Veronneau, Cornell Gary Brown, U Bristol Lynn McRae, Stanford.
CAMP: Building a Distributed Access Management Infrastructure Lynn McRae, Stanford University Denver, Nov 7-9, 2006.
Internet2 MACE Identity and Access Management (IAM) Projects integ-tb-kh-02.ppt Keith Hazelton, U Wisconsin With help.
Information Technology Current Work in System Architecture November 2003 Tom Board Director, NUIT Information Systems Architecture.
CPR Overview 28-April Agenda Introduction Requirements Data Model Services Model Service Providers Implementation Contact Information.
Identity and Access Management IAM. 2 Definition Identity and Access Management provide the following: – Mechanisms for identifying, creating, updating.
Identity and Access Management IAM A Preview. 2 Goal To design and implement an identity and access management (IAM) middleware infrastructure that –
Access and Identity Management for Enterprise Portals Rohit Gupta Director, Identity Management Product Management Oracle Corporation.
CAMP Med Mapping HIPAA to the Middleware Layer Sandra Senti Biological Sciences Division University of Chicago C opyright Sandra Senti,
EDUCAUSE April 25, 2006Enforcing Compliance with Security Policies … Enforcing Compliance of Campus Security Policies Through a Secure Identity Management.
#CONVERGE2014 Session 1304 Managing Telecom Directories in a Distributed or Multi-Vendor Environment David Raanan Starfish Associates.
1 Data Strategy Overview Keith Wilson Session 15.
System Design/Implementation and Support for Build 2 PDS Management Council Face-to-Face Mountain View, CA Nov 30 - Dec 1, 2011 Sean Hardman.
Introduction to Group Management Tom Barton, Blair Christensen University of Chicago.
A Model for Enterprise Group and Affiliation Management RL “Bob” Morgan University of Washington CAMP, June 2005.
Signet and Grouper for Distributed Attribute Administration
Creating Business Workflow Using SharePoint Designer 2007 Presented by Tarek Ghazali IT Technical Specialist Microsoft SQL Server MVP Microsoft SQL Server.
Intro to Identity for Developers Tom Barton, U Chicago Scott Cantor, Ohio State Patrick Michaud, U Washington.
Authorization Scenarios with Signet RL “Bob” Morgan University of Washington Internet2 Member Meeting, September 2004.
Introduction to Grouper Part 1: Access Management & Grouper Tom Barton University of Chicago and Internet2 Manager – Grouper Project.
The University of Wisconsin University Directory Service UDS A repository of people information Has been in production for about a year. Serves White pages,
I2/NMI Update: Signet, Grouper, & GridShib Tom Barton University of Chicago.
Maturation & Convergence in Authentication & Authorization Services in US Higher Education: Keith Hazelton, Sr. IT Architect, University.
RECALL THE MAIN COMPONENTS OF KIM Functional User Interfaces We just looked at these Reference Implementation We will talk about these later Service Interface.
Penn Groups PennGroups Central Authorization System June 2009.
KUALI IDENTITY MANAGEMENT Provides services for Identity and Access Management in Kuali Integrated Reference Implementations User Interfaces An “integration.
UCLA Enterprise Directory Identity Management Infrastructure UC Enrollment Service Technical Conference October 16, 2007 Ying Ma
Directories Keith Hazelton, University of Wisconsin Brendan Bellina, University of Notre Dame Tom Barton, University of Chicago.
MEDIU Learning for HE Ahmad Nimer | Project Manager.
An Integrated Framework for Identity and Access Management (IAM) RL”Bob” Morgan, U Wash., MACE Keith Hazelton, U Wisc., MACE Internet2 Spring Member Meeting.
Using Signet and Grouper for Access Management Using Signet and Grouper for Access Management Tom Barton, University of Chicago Lynn McRae, Stanford University.
Directory Workshop Parallel Sessions Rob Banz, Univ. of Maryland, Baltimore County Tom Barton, University of Memphis Keith Hazelton, University of Wisconsin,
Internet2 Middleware Initiative Shibboleth Ren é e Shuey Systems Engineer I Academic Services & Emerging Technologies The Pennsylvania State University.
NA-MIC National Alliance for Medical Image Computing UCSD: Engineering Core 2 Portal and Grid Infrastructure.
GridShib: Campus/Grid RBAC Integration Penn State Grid Computing Workshop August 5th, 2005 Von Welch
Information Technology Current Work in System Architecture January 2004 Tom Board Director, NUIT Information Systems Architecture.
Shibboleth What is it and what is it good for? Chad La Joie, Georgetown University.
MEMBERSHIP AND IDENTITY Active server pages (ASP.NET) 1 Chapter-4.
© 2006 The University of Chicago Grouper Backgrounder for Authorization WG Tom Barton, U Chicago.
Grouper Tom Barton University of Chicago. I2MM Spring Outline  Grouper’s place in the world  Some Grouper guts  Deployment scenarios.
Implementing a Role Management System Mair é ad Martin Carrie Regenstein Internet2 Fall Meeting September 20, 2005.
KIM: Kuali Abstraction Layer for Identities, Groups, Roles, and Permissions.
Module 9 User Profiles and Social Networking. Module Overview Configuring User Profiles Implementing SharePoint 2010 Social Networking Features.
05 October 2001 Directories: The Next Stage Keith Hazelton, Senior IT Architect University of Wisconsin-Madison Keith Hazelton, Senior IT Architect University.
Shibboleth & Federated Identity A Change of Mindset University of Texas Health Science Center at Houston Barry Ribbeck
Oracle HFM Implementation Boot Camp
ISC-ASTT PennGroups Central Authorization System (Grouper) June 2009.
University of Washington Collaboration: Identity and Access Management Lori Stevens University of Washington October 2007.
Current Middleware Picture Tom Barton University of Chicago Tom Barton University of Chicago.
Attribute Delivery - Level of Assurance Jack Suess, VP of IT
Moving Forward in Stages Tom Barton, University of Chicago.
Authorization: Just when you thought middleware was no fun anymore Keith Hazelton, Senior IT Architect, Univ. of Wisconsin-Madison Member, Internet2 Middleware.
2-Oct-0101 October 2001 Directories as Middleware Keith Hazelton, Senior IT Architect University of Wisconsin-Madison Keith Hazelton, Senior IT Architect.
The overview How the open market works. Players and Bodies  The main players are –The component supplier  Document  Binary –The authorized supplier.
Building Preservation Environments with Data Grid Technology Reagan W. Moore Presenter: Praveen Namburi.
Introduction to Terra Dotta Applications Integration with Campus Data Systems for institutions beginning their software implementation.
Windows Active Directory – What is it? Definition - Active Directory is a centralized and standardized system that automates network management of user.
I2/NMI Update: Signet, Grouper, & GridShib
Identity and Access Management Services
Matthew Levy Azure AD B2B vs B2C Matthew Levy
Shibboleth Deployment Overview
2/24/2019 6:15 AM © Microsoft Corporation. All rights reserved. MICROSOFT MAKES NO WARRANTIES, EXPRESS, IMPLIED OR STATUTORY, AS TO THE INFORMATION IN.
Grouper: A Toolkit for Managing Groups
Signet & Privilege Management
NSF Middleware Initiative: GridShib
Presentation transcript:

Integrated Identity and Access Management with I2MI Tools Integ-tb-kh-01.ppt Tom Barton, U Chicago Keith Hazelton, U Wisconsin Internet2 Fall Member Meeting Sept. 21, 2005, Philadelphia Integ-tb-kh-01.ppt Tom Barton, U Chicago Keith Hazelton, U Wisconsin Internet2 Fall Member Meeting Sept. 21, 2005, Philadelphia

2 Session overview Identity and Access Management (IAM) service-based model & I2MI tools Service integration across I2MI and with I2MI: illustrative examples I2MI suite and integration techniques Gaps in the tools and in the model Harmonization objectives for I2MI tools

3 From Construction to Integration Construction Raw materials into systems Integration Subsystems into whole systems Multiple systems into ecosystems We’re all moving from construction to integration The integration story across IAM services and with IAM services

4 IAM: Generic Services VerbObjects ReflectData of interest from systems of record into registry, directory JoinIdentity information across systems ManageCredentials, group memberships, affiliations, privileges, services, policies ProvideIAM info via - relay thru run-time request/response - provisioning into App/Service stores Authenticate (AuthN)Claimed identities Authorize (AuthZ)Access or denial of access LogUsage for audit

5 Reflect, Join, and Manage Credentials: One mapping to I2MI Systems of Record Stdnt HR Other Enterprise Directory Registry LDAP

6 Collect bits of identity information in all the relevant IT systems Use business logic to Establish which records correspond to the same person Maintain that identity join in the face of changes to data in collected systems Assign a unique identifier for cross- system link Reflect, Join, and Manage Credentials

7 Manage Credentials When to assign, activate credentials (as early as possible) Who gets them? Applicants? Prospects? “Guest” NetIDs (temporary, identity-less) Reassignment (never; except…) Please send me a feed… Argument for WebISO

8 Manage IAM Info and Provide it via run-time calls or provisioning Systems of Record Apps / Resources Enterprise Directory

9 IAM Services mapped to I2MI Tools Systems of Record Central AuthN/ WebISO Apps / Resources Enterprise Directory GrouperSignet Shibboleth

10 Other I2MI artifacts Object classes (info models, data structures, protocol bindings) Documentation of practices Implementation roadmaps

11 New services: integration issues "New hires should get into system as soon as they accept the offer of employment instead of after they show up for work.” They should get NetIDs, , calendar, portal, but not Health Services or Rec. Sports facility access."

12 New services: integration issues “Undergrad applicants should get into the system once they've accepted offer of admittance and not when they show up to register for classes.” They should get NetIDs, , calendar, portal, but not Health Services or Rec. Sports facility access."

13 Weaving in the new service Reflect Employee/Applicant lifecycle events (accepted offer, start date,...) Join Many new employees are students; Some employees apply to become students. Credential / AuthN Give them NetIDs with lower level of assurance because Identity proofing is weak until they show up in person.

14 Weaving in the new service Manage affiliations Define lifecycle of employee/applicant role, automate state changes based on events in Systems of Record / Authoritative Systems (HR, SIS) Manage privileges Map employee/applicant-lifecycle affiliations to appropriate set of privileges

15 Weaving in the new service Provide/Provision Push new hire info out to systems that need to create accounts/user records Provide/Relay Make Affil/Priv info available at App/Service run time when user requests it AuthZ Make sure target apps act in line with the person/affil/privilege info

16 LDAP Attribute Management & Delivery: Affiliation, Privilege, & Privacy uid: jdoe eduPersonAffiliation: … isMemberOf: … eduCourseMember: … eduPersonEntitlement: … SIS HR Distributed Authorities Loaders Person Registry Group Registry Grouper Privilege Registry Signet Core Business Systems Shibboleth/ GridShib Attribute Authority Attribute Release Policies ShARPe Library ERMs/ Self Subject API

17 ShARPe – Shibboleth Attribute Release Policy Editor Manages claims expressed about organization’s managed identities Under development by the Meta-Access Management System (MAMS) project in Australia Initially targeted at Library Enterprise Resource Managers Possibly expand to all users for self-management of per-user ARPs Enables ARP assignment to groups too Organizational counterpart to MS’s “Identity Metasystem” concept?

18 Grouper & Signet: Site IAM Integration Requirements Subject - a person, group, application, or other type of object whose identity is managed by your IAM system Abstract the underlying technology and data model from a relying application Enable identifier namespaces to be selected to match application needs Username vs. opaque registryID vs. … Scenarios Map authenticated user to internal security principal Search for or select subjects within application

19 Subject API: Integration with Site’s IAM

20 More Subject API Info Subject and Source interface specs are at v0.1 – they may yet change Searching Some per-subjectType methods? Grouper includes a GroupSourceAdapter that is a provider of ‘group’ subjectTypes from the Group Registry Subject API will not support the Join function JDBC source adapter is included now, JNDI source adapter will be provided in a subsequent release

21 IAM Services mapped to I2MI Tools Systems of Record Central AuthN/ WebISO Apps / Resources Enterprise Directory GrouperSignet Shibboleth

22 Empty spaces in the I2MI toolbox Those pesky lines between the boxes-- left to the reader The lines are where service integration happens Metadirectory functions Provisioning (in the general sense) ?? Should I2MI try to help with integration tasks?

23 Modeling the lines: Initial thoughts Data flows? Event publication on a service bus Content-based routing (a la OM) Service invocations? SAML request/responses WS-* wide world of web services Is it a particle or a wave? Document-oriented transformation services

24 Revive MOM & SIS? Keith’s early, prescient ideas MOM = Message Oriented Middleware SIS = Smart Information Switch Roland’s deep design (mantra: OM) Content based information routing Governed by embedded policy engine (SPOCP’s brain) Walter’s Nth generation provisioner Nexus: consumer-specific mappings & transforms configured transparently

25 Identity Information Integration Specifications Standard interfaces and constructs are needed to develop, evaluate, or integrate off-the-shelf “identity information integration tools” into the IAM picture Interface between SIS and provisioner Structure of a stateful lifecycle policy Presentation, management & persistence of policy configuration

26 Role of Grouper, Signet (& ShARPe?) Are they source systems? Are they registries? Until we’ve got a SIS, need to provision directly from each, treated as registries Probably should ultimately be treated as source systems Avoid duplicating lifecycle management logic in multiple provisioners

27 Refine Model of Stateful Lifecycle Management? Service-oriented epicylces on some state(s)? Standard means of specifying it to SIS?

28 Clarify Policy Management ShARPe manages Attribute Release Policy Currently siloed with the Shibboleth Attribute Authority Should it somehow expand to constrain the Delivery service more generally? Signet is also a policy execution tool We lack a unifying framework and an understanding of the requirements it should serve

29 Harmonizing I2MI Tools: Objectives Deployment of second and subsequent I2MI tools should be harmonious with the first Common UI look and feel Common 3rd party libraries Common customization & configuration technique Common & complementary build layout & build process

30 Harmonizing I2MI Tools: Objectives We should eat our own dogfood Common technique for integration with site IAM infrastructure Capable of integration with external privilege and/or group management Common or coordinated web presence, documentation, product placement info Just starting to address this Steering group formed & documentation resource assigned

31 Further I2MI Integration Needs Cookbook of ways to deploy I2MI tools to address various attribute and access management scenarios Mechanism for sustained viability of I2MI tools On-going support Post-working-group model for continued development & QA

32 Alternative boxes & lines The service model could be implemented with any number of toolsets I2MI Home-grown (perl scripts, SQL tables & procedures, OpenLdap directories,…) Vendor offerings Novell, Sun, Oracle, Microsoft, IBM,… The latter is how many of the non-I2 institutions will proceed. Are their needs out of scope for us?

Feedback: Privacy Policy Feedback
Do Not Sell My Personal Information
About project: SlidePlayer Terms of Service

© 2025 SlidePlayer.com. Inc. All rights reserved.