New Developments in Access Management: Setting the Scene Alan Robiette JISC Development Group JISC-CNI Conference, June 2002.


27 June 2002 JISC-CNI Conference, Edinburgh

Outline
- Overview and terminology
- Authentication – problems and progress
- Authorisation – problems and progress
- Summary and conclusions

The High-Level Problem
- We need national-scale services for
  - Authentication (linking people to electronic IDs)
  - Authorisation (linking IDs to privileges)
  - Profiling (linking IDs to personal preferences)
  - Accounting (in the sense of tracking and recording usage, whether or not for actual billing)
- All in an interoperable framework which can be realistically implemented by our institutions
- Not to mention all our third-party suppliers …

Authentication
- On a local scale, largely a solved problem
  - Various solutions exist, some with single sign-on (Internet2 promoting WebISO for web resources)
  - Digital certificates are on the increase
    - All serious Grid middleware requires them
    - But the management problems get no easier
- Public-key technology will itself evolve
  - XML-based schemes may become a real factor, e.g. XKMS, Web Services Security

Authentication Issues on a National Scale
- Naming and name-space management
  - How is uniqueness assured nationally?
  - What happens in the case of multiple affiliations?
- Should real IDs be generally visible to off-campus providers?
  - Trade-offs between privacy, convenience and accountability

Authorisation Issues
- Determining an individual's privileges
  - What attributes (roles) is it useful to consider?
  - Which are generic and which application-specific?
  - How many could be defined sector-wide?
- Location of the access control decision
  - At the resource itself (greatest provider control)?
  - At the institution (i.e. devolution of trust)?
  - At some intermediate point (e.g. as in the present case in the UK, at the Athens server)?

Where Should Control Be Applied?
- Logically at the resource itself
  - The resource owner should determine who gets access and who does not; but this may require more user information to be disclosed
- For electronic information, this is often delegated (e.g. on the basis of a contract)
  - A better model for a bibliographic database than for a supercomputer? Or even a telescope?

Where is the Complexity Felt?
- Do we best achieve interoperability by having the same software interface at
  - All service providers' servers?
  - All campuses?
  - All users' local environments (wherever they are)?
  - More than one of these?
- And where the complexity ends up, so do most of the costs …

Other Concerns
- The single sign-on question
  - How important is "seamlessness"?
- The portal problem
  - To address this properly is quite hard
- Standards and interoperability
  - There aren't many, especially for authorisation
- The international scene
  - A system for JISC services is all very well, but what about integrating resources from the wider world?

Current UK Developments
- EduServ's development plan for Athens
  - Single sign-on introduced Spring 2002
  - White paper and proposed trial of distributed authentication, Summer 2002
- JISC call for projects issued Summer 2002
  - With the objective of exploring a range of emerging technologies, particularly for authorisation
- JISC is actively working with Internet2-MACE in the US and TERENA in Europe

Developments Elsewhere (1)
- Shibboleth (Internet2)
  - Devolves authentication and attribute assertion to campuses
  - Resource owner requests attributes from the campus and makes decisions based on the response
  - Model allows both campus and user control over attribute release (strong emphasis on privacy)
  - Open source reference implementation due to be released Autumn 2002
  - Publishers getting involved in trial programme
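The devolved model on the Shibboleth slide (campus asserts attributes, resource owner decides), the pseudonymity question from the national-scale authentication slide (should real IDs be visible off campus?) and the disclosure cost of deciding at the resource from the "Where Should Control Be Applied?" slide, worked through as an added Python example. This is not code from the talk or from the Shibboleth project; the campus name, user records, attribute vocabulary, release policies, the HMAC-based per-provider pseudonym and the two access rules are all assumptions made for the example.

```python
import hashlib
import hmac
from dataclasses import dataclass, field
from typing import Callable

# Constructed campus directory; attribute names and values are invented.
USER_DB = {
    "jsmith": {"affiliation": "student", "department": "physics",
               "entitlement": {"urn:example:licence:bibdb"}, "name": "J. Smith"},
    "aprof": {"affiliation": "staff", "department": "chemistry",
              "entitlement": set(), "name": "A. Prof"},
}


@dataclass
class Campus:
    """Identity provider: authenticates locally, answers attribute requests."""
    name: str
    pseudonym_key: bytes                       # secret, never leaves campus
    # campus policy: provider -> attributes that may be released to it
    release_policy: dict = field(default_factory=dict)
    # user control: (user, provider) -> attributes the user withholds
    user_withhold: dict = field(default_factory=dict)

    def pseudonym(self, user_id: str, provider: str) -> str:
        # Stable per (user, provider), unlinkable across providers without the
        # campus key, so the real campus ID is never disclosed off campus.
        msg = f"{user_id}|{provider}".encode()
        return hmac.new(self.pseudonym_key, msg, hashlib.sha256).hexdigest()[:16]

    def attribute_query(self, user_id: str, provider: str, requested):
        """Release an attribute only if campus policy AND the user allow it."""
        allowed = self.release_policy.get(provider, set())
        withheld = self.user_withhold.get((user_id, provider), set())
        record = USER_DB[user_id]
        released = {a: record[a] for a in requested
                    if a in allowed and a not in withheld and a in record}
        return self.pseudonym(user_id, provider), released


@dataclass
class ResourceOwner:
    """Service provider: asks the campus for attributes, decides itself."""
    name: str
    required: tuple                             # attributes its rule needs
    trusted_campuses: frozenset
    rule: Callable[[dict], bool]

    def decide(self, campus: Campus, user_id: str):
        if campus.name not in self.trusted_campuses:
            return False, "campus not trusted"
        pseud, attrs = campus.attribute_query(user_id, self.name, self.required)
        missing = sorted(a for a in self.required if a not in attrs)
        if missing:
            # Deciding at the resource needs more disclosure than the campus
            # (or the user) was prepared to give: fail closed.
            return False, f"campus withheld {missing}"
        return self.rule(attrs), f"decided from {sorted(attrs)} for {pseud}"


def run_scenarios() -> dict:
    campus = Campus(
        name="example.ac.uk",
        pseudonym_key=b"campus-secret-for-example-only",
        release_policy={
            "bibdb.example.com": {"affiliation", "entitlement"},
            "telescope.example.org": {"affiliation"},   # department stays home
        },
    )
    bibdb = ResourceOwner(   # licensed bibliographic database (contract model)
        name="bibdb.example.com",
        required=("affiliation", "entitlement"),
        trusted_campuses=frozenset({"example.ac.uk"}),
        rule=lambda a: a["affiliation"] in {"student", "staff"}
        and "urn:example:licence:bibdb" in a["entitlement"],
    )
    telescope = ResourceOwner(   # scarce instrument: owner wants department too
        name="telescope.example.org",
        required=("affiliation", "department"),
        trusted_campuses=frozenset({"example.ac.uk"}),
        rule=lambda a: a["affiliation"] == "staff" and a["department"] == "physics",
    )
    results = {
        "student_bibdb": bibdb.decide(campus, "jsmith"),
        "staff_bibdb_no_licence": bibdb.decide(campus, "aprof"),
        "staff_telescope": telescope.decide(campus, "aprof"),
        # the real name is in no release policy, so it is never released
        "released_to_bibdb": set(
            campus.attribute_query("jsmith", "bibdb.example.com",
                                   ("affiliation", "entitlement", "name"))[1]),
        "pseudonyms_differ": campus.pseudonym("jsmith", "bibdb.example.com")
        != campus.pseudonym("jsmith", "telescope.example.org"),
    }
    # user control: jsmith now withholds affiliation from the database
    campus.user_withhold[("jsmith", "bibdb.example.com")] = {"affiliation"}
    results["student_bibdb_withheld"] = bibdb.decide(campus, "jsmith")
    return results


if __name__ == "__main__":
    for scenario, outcome in run_scenarios().items():
        print(scenario, outcome)
```

The telescope case is the point of the "Where Should Control Be Applied?" slide in miniature: the resource owner insists on deciding itself, its rule needs an attribute the campus will not release, and the only safe outcome is denial. The pseudonym shows one answer to the "should real IDs be visible?" question: the provider gets a stable handle for accountability and profiling, but two providers cannot join their records on it without the campus.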

Developments Elsewhere (2)
- PAPI (Spanish national network)
  - Distributed architecture: authentication and authorisation both carried out at the campus (i.e. campuses have to be trusted by resource owners)
  - Multi-tier architecture, easy to interface to existing publishers' services
  - Open source and in use at a number of sites/consortia in Spain, including some publisher involvement

Is a Common View Emerging?
- What is clearly needed is a single, widely accepted, vendor-independent scheme
- At first sight the different projects (PAPI, Shibboleth, Athens+) look very distinct
- However they share many components, and a common architecture appears feasible

And What About the Grid?
- Currently the Grid community's problems appear more complex
  - Grid middleware relies heavily on X.509 identity certificates, which are far from universal otherwise
- Even in the longer term, it may not be possible to standardise on one single Grid authorisation solution
- But there may be analogies with other relatively complex problems, e.g. medical middleware

Conclusions
- Authorisation in particular remains a tough problem
- But some of the emerging solutions look promising, for quite large sets of commonly encountered applications
- International co-operation in this area is looking very promising