Towards Common Identity Services
Tom Barton, University of Chicago
Matterhorn
Consortium of Universities building an enterprise-level, easy-to-install open source podcast and rich media capture, processing and delivery system. Typical security issues need to be handled:
– User authentication
– Service authentication
– Proxy authentication
– Long-running processes
– Integration with enterprise services
– Out-of-the-box support for enterprises lacking those services
17-18 November 2009
"Is this a problem that the Matterhorn software needs to solve? … I hope we can come up with a cheap & easy solution in order to get on with our fundamental tasks involving the handling of media."
– Josh Holtzman, Matterhorn Team member, opencast list, May 15, 2009
Identity services for applications
Manage: Subjects, Groups, Roles, Privileges, Credentials
Interface: Roles, Groups, Permissions, Attributes, Authentication
Convey: Kerberos, SQL, SAML, LDAP, SOAP/REST
WANTED: Domesticated applications
Integrate collaboration tools into a common platform. User- and collaboration-centric identity, not tool-based identity. How much domestication is needed?
– COmanage
– SURFGroepen
– Sympa as VO group manager
– Duke's OZ
– SWITCH VO platform
– U Malaga identity bus
– Bamboo?
The identity services problem
Applications can't be developed that easily integrate with external IAM services until there's broadly held agreement on the interfaces between the two.
It's a tower of turtles
– Application developers
– Framework developers
– Platform developers
– Standards bodies: too many, and not enough
– Communities of practice: Education & Research, Internet Identity
– Integrators
– Deployers
Don't try to solve the general problem! Focus on a small set of related, constrained use cases and make progress on those.
June 2009 Advanced CAMP: Identity Services Summit
Participation:
– Open source project developers: Jasig (uPortal, CAS, Bedework), SAKAI, Kuali
– Campus developers & architects
– Internet2/MACE
– Kantara
Project reviews (surveys & sessions), lightning talks, break-outs
Some action items from the Identity Services Summit
– Access management glossary and mapping between open source projects
– KIM: Grouper service implementation proof of concept
– uPortal: Grouper service implementation proof of concept
– Shibbolized & CASified .NET & SharePoint
– Bedework & COmanage discovery
– Enhance development frameworks with roles, etc. (Spring, django)
MACE-Paccman: some problems
– Access Management terminology is confusing, e.g. privilege, permission, entitlement, authorization
– Access Management is often embedded in applications and so is reinvented often
– Access Management often does not account for federations
– Provisioning is easier than de-provisioning
– Audit trails are often per application, if they exist at all
Paccman slides courtesy of Tom Dopirak
MACE-Paccman Initial Deliverables
Glossary and models for Access Management:
– How to use groups
– How to use privileges
– How to provision embedded Access Management software
– Audit considerations
Comparative glossary with major access management endeavors and Open Source Higher Ed projects, e.g. Sakai, uPortal, Kuali
Use cases in Access Management
Mapping use cases to existing efforts:
– Kuali KIM
– MIT's perMIT
– Grouper
Kuali Foundation
Open source administrative software for higher education, by higher education:
– kuali financials
– kuali coeus (research administration)
– kuali student
– kuali rice (middleware framework)
Incubation projects:
– ole (integrated library system)
– continuity planning
– payroll/hr
– materials management
Kuali Identity Management (KIM)
– A new module of the Kuali Rice middleware framework (http://rice.kuali.org)
– Implemented as a set of services for identity and access management
– Designed with the needs of the other Kuali applications in mind (financials, research administration and student system)
– But also meant to be general enough to be used by other applications as well
KIM slides courtesy of Eric Westfall
KIM Services
– IdentityService: principals and entities
– GroupService: group data, group membership checks
– PermissionService: authorization checks
– RoleService: role data
– ResponsibilityService: resolves responsibilities for certain actions (integration point with the workflow engine)
– AuthenticationService: establishes an authenticated user's session
Where does it fit?
Topic of discussion at Advanced CAMP on identity management in June: where does Kuali Identity Management fit into the broader identity and access management space in higher education? A few possibilities:
– Can be used solely for implementation of specific Kuali applications
– Can be positioned as the primary identity and access management services at an institution
– Certain pieces of the reference implementation can be used, while others can be integrated with or replaced with other solutions (i.e. LDAP, Grouper, Active Directory)
Working on some projects surrounding the last item, specifically working with the Grouper team on a proof of concept for integration with KIM.
uPortal's group-related services
GAP: Groups And Permissions
– Gather groups from configured group stores
– UI to manage groups and permissions
– Desired to outsource to Grouper
PAGS: Person-Attribute Group Service
– Present group memberships from attributes in the user's security context
PD: Person Directory
– Gather Subjects from configured stores
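To make the GAP/PAGS/PD split concrete, here is an added illustrative model (not uPortal, Grouper or KIM code): a Person Directory subject, one store fed by an external group source, one PAGS-style store that derives memberships from the subject's attributes, and a GAP-style layer that unions the configured stores and grants permissions to groups. All class names, group names and the sample subjects are constructed for this example.

```python
from dataclasses import dataclass, field

@dataclass
class Subject:
    """A Person Directory (PD) entry: an id plus attributes gathered from stores."""
    id: str
    attributes: dict = field(default_factory=dict)

class StaticGroupStore:
    """A configured group store holding explicit memberships (the kind an external
    Grouper-style source would supply). Constructed shape: {group_name: {subject_id}}."""
    def __init__(self, groups):
        self.groups = groups
    def groups_of(self, subject):
        return {g for g, members in self.groups.items() if subject.id in members}

class AttributeGroupStore:
    """PAGS-style store: membership is computed from attributes in the user's
    security context, never stored. Rules: {group_name: (attribute, required_value)}."""
    def __init__(self, rules):
        self.rules = rules
    def groups_of(self, subject):
        return {g for g, (attr, value) in self.rules.items()
                if value in subject.attributes.get(attr, ())}

class GroupsAndPermissions:
    """GAP-style layer: gathers groups from every configured store and answers
    permission checks against grants made to groups, not to individual users."""
    def __init__(self, stores, grants):      # grants: {permission: {group_name}}
        self.stores, self.grants = stores, grants
    def groups_of(self, subject):
        return set().union(*(s.groups_of(subject) for s in self.stores))
    def has_permission(self, subject, permission):
        # Deny by default: an unknown permission has no granted groups.
        return bool(self.groups_of(subject) & self.grants.get(permission, set()))

# Constructed sample data (hypothetical group names and subjects)
GROUPER = StaticGroupStore({"app:media:editors": {"alice"}})
PAGS = AttributeGroupStore({"pags:faculty": ("eduPersonAffiliation", "faculty")})
GAP = GroupsAndPermissions(
    [GROUPER, PAGS],
    {"publish": {"app:media:editors"},
     "view": {"pags:faculty", "app:media:editors"}})
ALICE = Subject("alice", {"eduPersonAffiliation": ["staff"]})
BOB = Subject("bob", {"eduPersonAffiliation": ["faculty"]})

def check(subject, permission):
    """Application-side authorization check delegated to the GAP layer."""
    return GAP.has_permission(subject, permission)
```

Swapping GROUPER for a real external store changes only the list passed to GroupsAndPermissions; the application's check() call and the grants stay the same, which is the interface agreement the talk argues for.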
uPortal-Grouper integration needs (diagram; components shown: PD, GAP, PAGS, Portal DB, LDAP, DB-A, WS, UI, Subject Source)
– Add GAP interface
– Add group-pull (pull groups & Subjects from the Subject Source)
– Refactor PAGS
– New group admin UI
– Portal Subjects source adapter
End matter
"The thing with integration is that it takes a lot of work, and especially in the early stages, and the work has to come from the real experts, so it's expensive." -- RL Bob Morgan
Is it enough to have ID Services interfaces, or do we also need to somehow unify management of privileges external to applications with application-specific privileges?
Advanced CAMP 2010 will continue the identity services for OSS theme.
For more information, visit https://spaces.internet2.edu/display/IdSrvcsClearhouse