Directories Keith Hazelton, University of Wisconsin Brendan Bellina, University of Notre Dame Tom Barton, University of Chicago.

Presentation transcript:


Spring 2004 I2MM

Outline
- localDomainPerson
- International collaboration on person schema
- Grouper
- Selection of other threads

Directories: The Local Domain Person Survey

The Local Attribute Problem
- Ongoing development of inter-institutional standards: eduPerson, eduOrg
- Application requirements for local attributes/information
- Lack of standards/guidelines for local attributes

The Local Domain Person Survey
- Intentions:
  - Use of the eduPerson object class (oc) and attributes
  - Use of local object classes and attributes for people
  - Local attributes common to multiple applications
- Distribute survey
- Analyze responses
- Publish analysis and responses
- Publish recommendations white paper

Local Domain Person Object Class Study
- Initial draft to be included with the Spring 2004 NMI release
- A MACE-Dir effort (Middleware Architecture Committee for Education, Directories subgroup)
- Analysis of results from 22 survey respondents

Study Document Structure
- Attribute creation and institutional policy
- Use of eduPerson and deviations from it
- Use of local attributes and object classes

Local Attribute Categories
- Personal characteristics
- Contact information
- Student-specific information
- Employee-specific information
- Multi-campus information
- Linkage identifiers

Local Attribute Categories (cont.)
- Entry metadata
- Security attributes
- Privacy attributes
- Authorization information
- Other miscellaneous attributes

Study Document Structure (cont.)
- Local object class characteristics
- Future plans
- Multiple-use local attributes
- Links to survey responses and other materials

Next Steps
- Release of survey study draft: Spring 2004
- Release of final survey study and website: Summer 2004 (projected)
- MACE-Dir recommendations white paper: Winter 2004 (projected)

Directories: International Person Schema Coordination

Int’l Collaboration on Schema (Ingrid Melve)

Int’l Collaboration on Schema: Work Goals
- Agreement on a list of interesting attributes
- Common syntax and semantics across schemas for some subset of attribute types
- Proposed inclusion of some attributes in a standard schema: eduPerson? Next release of X.520? Other candidates?
- Processes for ongoing schema coordination
- Even common syntax and semantics alone would boost interoperability in attribute mapping

Int’l Collaboration on Schema: Affiliations, statuses, roles
- Virtual organizations (as origin)
  - swissEduPersonHomeOrganizationType: vlo
  - RedIRIS: irisgridVoCode: bioinformatics
- Entitlements (asserted by origin for target)
  - eduPersonEntitlement: urn:mace:whatever

Int’l Collaboration on Schema: Affiliations, statuses, roles (cont.)
- Attributes (asserted by federation rules, either local or global)
  - norEduPersonLIN: HIO
  - RedIRIS: attributes linking to a classification schema
  - RedIRIS: catreCode: a01b02c03
- Ticket mechanisms (federation, origin or target)

Int’l Collaboration on Schema: Affiliations, statuses, roles (cont.)
- eduPersonAffiliation
- eduPersonPrimaryAffiliation
- manager
- auEduPersonSubType
- auEduPersonType
- swissEduPersonHomeOrganizationType
- swissEduPersonStudyLevel
- RedIRIS: irisgridRole

Int’l Collaboration on Schema: Affiliations, statuses, roles (cont.)
- funetEduPersonDegreeUniversity
- funetEduPersonDegreePolytech
- pleduPersonDegree
- pleduPersonPosition
- swissEduPersonHomeOrganizationType
- swissEduPersonStudyLevel
- RedIRIS: irisgridRole

Int’l Collaboration on Schema: Persons as individuals
- X.521 person: sn
- RedIRIS: sn1, sn2
- auEduPersonPreferredGivenName
- auEduPersonPreferredSurname
- auEduPersonSalutation

Int’l Collaboration on Schema: Persons as individuals (cont.)
- funetEduPersonDateOfBirth
- norEduPersonBirthDate
- swissEduPersonDateOfBirth
- swissEduPersonGender
- nlEduPerson: gender

Int’l Collaboration on Schema: Identifiers, foreign keys
- Cultural variations in acceptability and scope of use
- eduPersonPrincipalName
- auEduPersonID
- funetEduPersonStudentID
- nl: employeeNumber
- norEduPersonLIN
- norEduPersonNIN
- pleduPersonGId
- pleduPersonLId
- swissEduPersonUniqueID
- RedIRIS: irisDnComp

This is part of what federation implementation looks like
- Agreements on information schema for:
  - Applications that need persistent identifiers (for personalization, transcripts, training records)
  - Applications that base access control on attributes (affiliation, role, group within organizations and VOs)
  - Other information to support resource sharing across boundaries

Directories: Grouper

Some high-level identity management requirements
- ¡ authorization != authentication !
- Muster information supporting:
  - Per-application or per-resource access control policies
  - Exceptions to those policies
  - Identification of groups of collaborating peers
- Common infrastructure to manage and provision the requisite information
  - Information resides in both databases and brains
  - Many authoritative sources
  - Group management is one aspect of this picture

Grouper in Context

Features in Grouper v1
- Basic group management
- Subgroups and compound groups
- Aging of groups and memberships
- Abstracted interfaces for: privileges, member lookup, last activity
- Signet integration

Privileges
- CREATE: create a group with the specified name
- VIEW: see the group’s name in lists and refer to the group
- READ: read basic information about a group
- UPDATE: update membership and administer membership-related privileges
- ADMIN: modify everything, including group name, description and privileges; can delete the group
- OPTIN: add self to the members list
- OPTOUT: remove self from the members list

Default Privilege Interface
- CREATE a group named stem:aString
  - Granted by effective membership in a set of grouperCreator:… groups
  - Hierarchical stems, hierarchical creation authority
  - Managed through the API or UI
- Other privileges are each granted by effective membership in a list associated with each group
  - viewers, readers, updaters, admins, optins, optouts
  - Also managed through the API or UI

Examples
- Personal
  - personal-tbarton:myFriends
    - admins: tbarton
  - personal-tbarton:myTrueFriends
    - admins: tbarton
    - optouts: personal-tbarton:myTrueFriends
- Administrative
  - uofc-bsd:xyz-project-team
    - updaters: uofc-bsd-bsdis:enterpriseAdmins

Examples (cont.)
- Administrative
  - uofc-bsd-obgyn:staff
    - updaters: uofc-bsd-obgyn:techsupport
    - viewers: uofc-bsd:staff, uofc-hospital:staff
  - student:owesUsTooMuchMoney
    - readers: uofc-nsit:services
  - uofc-nsit:netsec-sig
    - optins: uofc:uofc
    - optouts: uofc-nsit:netsec-sig
    - readers: uofc-nsit:netsec-sig
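The privilege model of the preceding four slides (CREATE aside), as an added example that is not part of the original presentation or of Grouper's own Java API: a small Python model in which each group's privilege lists hold subjects or other groups, membership is resolved transitively, ADMIN implies everything, and OPTIN/OPTOUT are checked against those lists. The groups and lists are the slides' own; the member names alice and eve are constructed.

```python
# Toy model of the Grouper v1 privilege scheme on the slides (constructed example, not
# Grouper's Java API). Member lists and each group's privilege lists (viewers, readers,
# updaters, admins, optins, optouts) hold subjects or group names; a privilege is held
# by the *effective* members of its list, and ADMIN implies everything, per the slide.
from typing import Dict, List, Optional, Set

class Registry:
    def __init__(self) -> None:
        self.members: Dict[str, List[str]] = {}           # group -> member entries
        self.privs: Dict[str, Dict[str, List[str]]] = {}  # group -> priv list -> entries

    def add_group(self, name: str, members=(), **privs) -> None:
        self.members[name] = list(members)
        self.privs[name] = {k: list(v) for k, v in privs.items()}

    def effective(self, entries: List[str], seen: Optional[Set[str]] = None) -> Set[str]:
        """Flatten a list through nested groups; `seen` stops membership cycles."""
        seen, out = (set() if seen is None else seen), set()
        for e in entries:
            if e not in self.members:        # plain subject
                out.add(e)
            elif e not in seen:              # subgroup not yet expanded
                seen.add(e)
                out |= self.effective(self.members[e], seen)
        return out

    def has_priv(self, subject: str, group: str, priv: str) -> bool:
        return any(subject in self.effective(self.privs[group].get(k, [])) for k in (priv, "admins"))

    def optin(self, subject: str, group: str) -> bool:   # OPTIN: add self to members
        ok = self.has_priv(subject, group, "optins")
        if ok and subject not in self.members[group]:
            self.members[group].append(subject)
        return ok

    def optout(self, subject: str, group: str) -> bool:  # OPTOUT: remove self from members
        ok = self.has_priv(subject, group, "optouts") and subject in self.members[group]
        if ok:
            self.members[group].remove(subject)
        return ok

def build_example() -> Registry:
    """Groups and lists from the slides; the members alice and eve are constructed."""
    r = Registry()
    r.add_group("uofc:uofc", ["alice", "eve"])
    r.add_group("personal-tbarton:myTrueFriends", ["alice"], admins=["tbarton"],
                optouts=["personal-tbarton:myTrueFriends"])
    r.add_group("uofc-nsit:netsec-sig", optins=["uofc:uofc"],
                optouts=["uofc-nsit:netsec-sig"], readers=["uofc-nsit:netsec-sig"])
    return r
```

Because netsec-sig lists itself as its own readers and optouts, a uofc member gains READ only after opting in and loses it again on opting out, which is exactly the self-service pattern the example slides sketch.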

Grouper roadmap
- Three phases of Grouper v1 development:
  1. Basic management and export functions
  2. Compound groups
  3. Aging of groups and memberships
- Deliverables
  - Java API, UI, sample batch import/export scripts, documentation
  - Some type of prototype demo at AuthZ CAMP
- Contributed elements sought
  - Provisioning connectors (especially LDAP and AD)
  - LDAP member lookup interface

Other Threads
- eduPerson and eduOrg
  - Added eduPersonScopedAffiliation
  - Associated LDIF tweaks and fixes
  - Registered eduPersonTargetedID
  - “Everything eduPerson”: it’s not just an object class anymore
- Attribute registries
  - eduPerson* on Peter Gietz’s at

Other Threads (cont.)
- address as identifier
- Character set issues and policies
- Top-level entity types in directories
- Representing organizational structures in directories
- What is “LDAP compliance”?
