Advanced CAMP Emerging from the mists: Requirements for supporting VOs voReqs-050701-01.ppt Keith Hazelton
Advanced CAMP 1 Emerging from the mists: Requirements for supporting VOs (voReqs-050701-01.ppt)
Keith Hazelton, Sr. IT Architect, University of Wisconsin-Madison; Internet2 MACE
Advanced CAMP, Denver, July 1, 2005

Advanced CAMP 2 Federated Identity & Access Management (FIAM)
FIAM: a self-predicting term in Latin, "I will be made":
– root meaning: to make
– passive voice
– indicative mood
– future tense
God bless the VO known as Wikipedia.

Advanced CAMP 3 VO challenges I heard at CAMP
VO support utilities must be as easy to use as:
– managing a local collaboration team
– sharing applications on a single host
...or else? Or else the latter is exactly how it will be done.

Advanced CAMP 4 VO challenges I heard at CAMP
For both ScienceGateway and Vivarium: IdPs and SPs in a given VO will need mechanisms by which they
– come to agreements on,
– manage,
– and use information.
What information?

Advanced CAMP 5 VO challenges I heard at CAMP
Well, MINIMALLY, information regarding:
– what user affiliations/groups there are (IdP)
– what resource/host-level privileges members of those affiliations should have (SP)
– what (SAML) attribute and values will express those affiliations/groups (IdP/SP agreement)

Advanced CAMP 6 Managing Roles & Privileges: The Internet2 way (Grouper, Signet)
Role-Based Access Control (RBAC) model:
– Users are placed into groups
– Privileges are assigned to groups
– Groups can be arranged into hierarchies to effectively bestow privileges
Signet manages privileges; Grouper manages, well, groups.

Advanced CAMP 7 MAXIMAL case: Model from Signet (Business View)
[Figure: a four-column diagram. Which category belongs to which subsystem, and which limits attach to which function, is not recoverable from the extracted text; the column contents are listed in the order they appear.]
– Subsystems: Clinical Trial Protocol A; Student Admin; Financial Aid
– Categories (organizing): Patient Records; Materials Control; Administration; Course Support
– Functions (actions): Manage Grant; Lab Access; Add/Drop Students; Schedule Classes; Process Applicants; Award Scholarships; Manage Accounts
– Limits: Which term; From fund…; Read/Write; Hours; For school…; For fund…; Which campus; Qty/day; $ constraints

Advanced CAMP 8 VO challenges I heard at CAMP
MAXIMALLY, information regarding:
– what subsystems there are
– what functions, in what organizing categories, there are
– what affiliations/groups have those categories/functions on those subsystems
– what resource/host-level privileges are required to perform those functions

Advanced CAMP 9 VO challenges I heard at CAMP
And information regarding:
– what attributes will express those groups and privileges
– which party will maintain the registries and delivery services for which bits of this information
Signet suggested these categories of information.

Advanced CAMP 10 Bold Conclusion (for debate)
– IdP site should manage users and groups/affiliations
– SP site should manage system-level permissions and which groups/affiliations get which ones
That's it! (for the MINIMAL, entry-level case)

Advanced CAMP 11 Bold Conclusion, MAXIMAL case (for debate)
– IdP site should manage users and groups/affiliations
– SP site should manage system-level permissions
– Both must agree on subsystems and categories of functions, down to the syntax and semantics of attributes/expressions
– IdP should maintain the map from user/group to function
– SP should maintain the map from function to permissions
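The split on slides 6 and 11 (nested groups at the IdP, an agreed attribute carrying VO functions across the federation, and a function-to-permission map with limits at the SP) is small enough to model end to end. The following is an added example written for this page; it is not code from the slides, from Grouper or from Signet. The attribute name urn:example:vo:function, the group names, the functions, the resources and the limit values are all constructed for illustration, and limits are checked by exact string match, which is a simplification of the "Hours" and "Qty/day" style limits on slide 7.

```python
"""Toy IdP/SP split for a VO: group hierarchy at the IdP, an agreed attribute
on the wire, function-to-permission mapping with limits at the SP.
Constructed example; names and values are assumptions, not real identifiers."""
from __future__ import annotations
from typing import Iterable, NamedTuple

# The one attribute both sides agreed on (slide 11). Assumed name, not a real
# SAML attribute; values are VO function identifiers.
VO_FUNCTION_ATTRIBUTE = "urn:example:vo:function"


class GroupRegistry:
    """IdP-side groups (the Grouper-like half of slide 6). A group holds users
    directly and may itself be a member of other groups; a user in a child
    group counts as a member of every ancestor, so a privilege bestowed on the
    parent reaches the child's members."""

    def __init__(self) -> None:
        self._members: dict[str, set[str]] = {}   # group -> direct user members
        self._parents: dict[str, set[str]] = {}   # group -> groups it belongs to

    def add_member(self, group: str, user: str) -> None:
        self._members.setdefault(group, set()).add(user)

    def add_subgroup(self, parent: str, child: str) -> None:
        """Make `child` a member of `parent`."""
        self._parents.setdefault(child, set()).add(parent)

    def groups_of(self, user: str) -> set[str]:
        """Every group the user is in, directly or through nesting. The
        `found` set stops a cycle (A contains B contains A) from looping."""
        found: set[str] = set()
        stack = [g for g, users in self._members.items() if user in users]
        while stack:
            g = stack.pop()
            if g in found:
                continue
            found.add(g)
            stack.extend(self._parents.get(g, ()))
        return found


def idp_assertion(registry: GroupRegistry,
                  group_to_function: dict[str, Iterable[str]],
                  user: str) -> dict[str, list[str]]:
    """IdP side of slide 11: map the user's groups to VO functions and release
    them as values of the agreed attribute (a dict stands in for the SAML
    attribute statement)."""
    values: set[str] = set()
    for group in registry.groups_of(user):
        values.update(group_to_function.get(group, ()))
    return {VO_FUNCTION_ATTRIBUTE: sorted(values)}


class Permission(NamedTuple):
    action: str
    resource: str
    limits: tuple[tuple[str, str], ...] = ()   # (limit name, required value)


def sp_permissions(assertion: dict[str, list[str]],
                   function_to_permissions: dict[str, Iterable[Permission]]) -> set[Permission]:
    """SP side of slide 11: asserted functions become host-level permissions.
    Values under any other attribute, or functions the SP has no entry for,
    grant nothing."""
    perms: set[Permission] = set()
    for function in assertion.get(VO_FUNCTION_ATTRIBUTE, ()):
        perms.update(function_to_permissions.get(function, ()))
    return perms


def sp_allows(assertion, function_to_permissions, action: str, resource: str,
              context: dict[str, str]) -> bool:
    """Allow when some granted permission matches action and resource and every
    limit on it is satisfied by the request context (exact match here)."""
    for perm in sp_permissions(assertion, function_to_permissions):
        if perm.action != action or perm.resource != resource:
            continue
        if all(context.get(name) == value for name, value in perm.limits):
            return True
    return False


def build_example():
    """Constructed sample data: a VO staff group that contains a PI group."""
    reg = GroupRegistry()
    reg.add_member("vo:protocolA:pi", "alice")
    reg.add_member("vo:protocolA:staff", "bob")
    reg.add_subgroup("vo:protocolA:staff", "vo:protocolA:pi")  # pi is inside staff
    group_to_function = {                      # maintained by the IdP
        "vo:protocolA:staff": ["clinicaltrial:labAccess"],
        "vo:protocolA:pi": ["clinicaltrial:manageGrant"],
    }
    function_to_permissions = {                # maintained by the SP
        "clinicaltrial:labAccess": [Permission("enter", "lab-4b", (("hours", "08:00-18:00"),))],
        "clinicaltrial:manageGrant": [Permission("write", "grants-db", (("fund", "NIH-R01"),))],
    }
    return reg, group_to_function, function_to_permissions


if __name__ == "__main__":
    reg, g2f, f2p = build_example()
    for user in ("alice", "bob"):
        a = idp_assertion(reg, g2f, user)
        print(user, a, sp_allows(a, f2p, "write", "grants-db", {"fund": "NIH-R01"}))
```

Two things to notice when running it: alice, who is only in the PI group, also receives the staff group's function because the PI group is nested inside staff, and a request that names a fund other than the one in the permission's limit is refused even though the function itself was asserted. Neither side needs to know the other's internal names; only the attribute and its values are shared, which is the agreement slide 11 asks for.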

Advanced CAMP 12 VO challenges I heard at CAMP
MUST have: delegable IAM admin services with absolutely no dependencies on the specific institutional home base of
– the users
– the administrator(s)
– the service(s)

Advanced CAMP 13 VO challenges I heard at CAMP
Users make requests that service providers approve or deny. The decision will sometimes depend on amalgamated bits of identity info... for which a variety of IdPs are the authoritative source.
Whose job is it to overcome identity fragmentation at the federation level?

Advanced CAMP 14 Q & A