1 Virtual organization support services:
Virtual organization support services: leveraging the common aspects of collaboration (the rise of indoor plumbing)

2 Virtual Organizations (VO’s)
- Examples, differentiators, current challenges
- The common requirements
- Background on recent middleware work
- The virtual organization support space
  - Role of enterprise and of federation
  - Role of virtual organization support center
  - Role of virtual organization
  - The business case for/against the model
- How do we know if it is viable…
11/28/2018


4 Virtual Organizations
- Geographically distributed, enterprise-distributed community that shares real resources as an organization.
- Examples include team science (NEESGrid, HEP, BIRN, NEON), digital content managers (library cataloguers, curators, etc.), a state-based life-long learning consortium, a group of researchers coordinating a launch vehicle payload, etc.
- On a continuum from interrealm groups (no real resource management, few defined roles) to real organizations (primary identity/authentication providers)
- Want to leverage enterprise middleware and external trust fabrics, as well as support centers

5 Virtual Organizations have…
- Real resources that they share and manage
  - May be computational resources
  - May be scientific instruments
  - May be bandwidth
  - May be shared data and content: economic data, museum materials, cultural and artistic works
- A relatively small set of users who tend to travel in common circles
- Often the need to have some accounting and regulatory compliance

6 Not Virtual Organizations
- University of Colorado, Boulder; LBL; Fred Hutchinson Cancer Center; etc. – these are enterprises, doing primary identity management services for faculty, students and staff
- The Beverly PTA wiki, alt.gerbils-in-leather – these are groups, a set of people with a common interest but not managing real resources
- AOL, MSN, IdentityCommons, etc. – these are commercial identity service providers

7 Looking at V.O.s from a plumber’s view

8 National Science Digital Library Content Managers

9 The TeraGrid

10 The Hadron Collider cluster of experiments

11 Virtual organizations vary…
- By lifetime of VO
  - Some are relatively short-term, perhaps 1-2 years
  - Some may persist for extended periods
- By size
- By cluster – at any one time, experiments (virtual orgs) are active at Fermi Lab, CERN. A shuttle launch may need coordination among several VOs that have equipment aboard.
- By type of domain-specific tools
  - A number are using Grids
  - A number subscribe to major scientific data streams
  - Some have no domain-specific tools

12 Being a VO is hard…
- There are new requirements for security
- There is the need for development of operational models that integrate requirements from sites with requirements from science
- Simplified end-user tools that are consistent with the rest of a user’s experience would be very helpful.
- Diagnostics across so many systems is difficult and getting significantly worse

13 Being a VO is hard…
- Many resources use geographically-oriented access controls
- Regulatory requirements might span countries
- The local IT infrastructure of members of a VO may vary widely
- Tools are not designed to work together, present a common management infrastructure, etc.

14 The Common Requirements
- Communications support
  - Multiple options for real-time and asynchronous intra-VO work
  - Integrated into the rest of one’s “presence”
- Collaboration support
  - Transparent web content access control
  - Workflow
  - Diagnostics
- Plumbing the control plane into the domain science systems and virtual organization software
- Plumbing the VO technologies into the local environment

15 Support services
(Layer diagram; labels, top to bottom:)
- VO Service Center
- Collaboration services
- Plumbing into domain applications
- Communication services
- Enterprise-based virtual organization shims
- Core middleware federation

16 Communication support
- Add this address book to my desktop video client as a VO setup
- Shared calendar access: grant the following roles in my VO permission to read my calendar at a campus-equivalent level
- A “transparently manageable” mail list for the VO
- Provide and maintain an IM buddy list for the VO
- Diagnostics

17 Collaboration support
- A transparent and managed wiki
- A transparent and managed set of web access controls
  - Role-based authorization
  - Workflow
- A P2P trust fabric for VO use
- Data models
  - Of the data
  - Of the metadata – what are the privileges, rights, etc.
- Management of international issues in privacy, copyright, etc.

18 Plumbing the control plane
- Management of the management aspects of the domain tools
  - Domain tools include Globus for Grids, Chemistry workbench, a historical data archive manager, etc.
  - Management aspects deal largely with managing users and uses, but can have initial configuration components
  - “2% of the science, 50% of the pain …”
- Providing a common user experience for both enterprise and VO systems
  - Today, each app believes it is the only one in your life…
  - Common models, terminology, controls, etc.
  - Distinct privileges being managed
- Integration of VO and enterprise
  - Students in class X can run VO experiment Y
  - VO and enterprise requirements can be joined
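As an added example (not code from the presentation or from any of the projects it names), the Python below shows one way the “students in class X can run VO experiment Y” rule can be evaluated by joining enterprise and VO attributes, with each attribute accepted only from the authority that owns it. The attribute names, the hypothetical "vo:" vocabulary, the source labels and the policy are all constructed for illustration.

```python
"""Added example: joining enterprise and VO attributes for one access
decision, with each attribute trusted only from its authoritative source.
All names, vocabularies and the policy are constructed for illustration."""
from dataclasses import dataclass, field

# Which authority may assert which attribute. Enterprise (campus) attributes
# use eduPerson-style names; VO attributes use a hypothetical "vo:" prefix.
ATTRIBUTE_AUTHORITY = {
    "eduPersonAffiliation": "enterprise",
    "isMemberOf": "enterprise",
    "vo:role": "vo",
    "vo:experiment": "vo",
}


@dataclass
class Assertion:
    source: str       # "enterprise" or "vo" (constructed source labels)
    attributes: dict  # attribute name -> set of values


def merge_assertions(assertions):
    """Merge attributes from several authorities, dropping any attribute
    asserted by a source that is not authoritative for it. A VO may not
    claim a user is a campus student; a campus may not grant VO roles."""
    merged, rejected = {}, []
    for a in assertions:
        for name, values in a.attributes.items():
            if ATTRIBUTE_AUTHORITY.get(name) != a.source:
                rejected.append((a.source, name))
                continue
            merged.setdefault(name, set()).update(values)
    return merged, rejected


@dataclass
class Rule:
    action: str
    resource: str
    required: dict = field(default_factory=dict)  # attribute -> required value

    def matches(self, attrs):
        return all(v in attrs.get(k, set()) for k, v in self.required.items())


# Constructed policy: the campus side says who is a student in class X,
# the VO side says who holds the experimenter role for experiment Y.
POLICY = [
    Rule("run", "experiment-Y",
         {"eduPersonAffiliation": "student",
          "isMemberOf": "class-X",
          "vo:role": "experimenter",
          "vo:experiment": "experiment-Y"}),
]


def decide(action, resource, assertions):
    """Deny by default; permit only when every requirement of some rule is
    met by attributes that came from their authoritative sources."""
    attrs, _rejected = merge_assertions(assertions)
    return any(r.action == action and r.resource == resource and r.matches(attrs)
               for r in POLICY)


if __name__ == "__main__":
    campus = Assertion("enterprise", {"eduPersonAffiliation": {"student"},
                                      "isMemberOf": {"class-X"}})
    vo = Assertion("vo", {"vo:role": {"experimenter"},
                          "vo:experiment": {"experiment-Y"}})
    print(decide("run", "experiment-Y", [campus, vo]))  # True
    # A VO cannot manufacture the campus-side attributes on its own.
    forged = Assertion("vo", {"eduPersonAffiliation": {"student"},
                              "isMemberOf": {"class-X"},
                              "vo:role": {"experimenter"},
                              "vo:experiment": {"experiment-Y"}})
    print(decide("run", "experiment-Y", [forged]))  # False
```

The scoping step is what makes “joining” safe: the decision needs both authorities, and neither can substitute for the other.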

19 Example University financials 1

20 Example University financials 2

21 Example University financials 3

22 VO authorization 1

23 VO authorization 2

24 VO authorization 3

25 The Middleware Work… The Basic Approach
- Focus and manner of work
  - The role of MACE
- The work at the enterprise level
  - Directories
  - Web SSO, namespace and basic authentication
  - Signet
- The work at the federation level
  - Shibboleth
- The work at the virtual organization level
  - Bits and pieces

26 The Model: Enterprises, Federations, VO’s
Given the strong collaborations within the academic community, there is an urgent need to create inter-realm tools, so:
- Build consistent campus and enterprise middleware infrastructure deployments, with outward-facing objectclasses, service points, etc., and then
- Federate those enterprise deployments, using the outward-facing campus infrastructure, with interrealm attribute transports, trust services, etc., and then
- Leverage that federation to enable a variety of applications, from network authentication to instant messaging, from video to web services, and then, going forward,
- Create tools and templates that support the management and collaboration of virtual organizations by building on the federated campus infrastructures.

27 Middleware Axioms
- Work the core areas
- Focus on interrealm and collaborative needs
- Use federated administration as the lever; have the enterprise broker most services (authentication, authorization, resource discovery, etc.) in inter-realm interactions
- Develop a consistent directory infrastructure within R&E
- Provide security while not degrading privacy.
- Foster interrealm trust fabrics: federations and virtual organizations
- Leverage campus expertise and build rough consensus
- Support for heterogeneity and open standards
- Influence the marketplace; develop where necessary


29 Core Middleware Scope
- Identity and Identifiers – namespaces, identifier crosswalks, real-world levels of assurance, etc.
- Authentication – campus technologies and policies, interrealm interoperability via SAML, PKI, Shibboleth, etc.
- Directories – enterprise directory services architectures and tools, standard objectclasses, interrealm and registry services
- Authorization – permissions and access controls, delegation, privacy management, etc.
- Integration Activities – open management tools, use of virtual, federated and hierarchical organizations, enabling common applications with core middleware

30 MACE (Middleware Architecture Committee for Education)
- Purpose - to provide advice, create experiments, foster standards, etc. on key technical issues for core middleware within higher education
- Membership - Bob Morgan (UW) Chair, Tom Barton (Chicago), Scott Cantor (Ohio State), Steven Carmody (Brown), Michael Gettes (Duke), Keith Hazelton (Wisconsin), Paul Hill (MIT), Jim Jokl (Virginia), Mark Poepping (CMU), Lynn McRae (Stanford), David Wasley (California), Von Welch (Grid)
- European members - Brian Gilmore (Edinburgh), Ton Verschuren (Netherlands), Diego Lopez (Spain)
- Creates working groups in major areas, including directories, interrealm access control, PKI, video, P2P, etc.
- Works via conference calls, e-mails, occasional serendipitous in-person meetings...
Speaker notes: I suspect that some audiences will need varying amounts of motivation with respect to the “why should I care about middleware” question.
- Why should I care about middleware?
- Why does it need a HE/I2 initiative?
- Related initiatives… globus/grid, …
- Relation to the NMI...

31 RL “Bob” and Keith

32 Indoor Plumbing for Application Communities
(Diagram: Virtual Organization 1, VO 2, VO 3 and VO 4, with a VO Service Center, each drawing on some of Enterprise 1 through Enterprise 6)

33 Fitting the plumbing together
(Diagram: same virtual organizations, VO Service Center and Enterprises 1-6 as slide 32, now connected)

34 Fitting the plumbing together
(Diagram: same virtual organizations, VO Service Center and Enterprises 1-6 as slide 32, further connected)

35 This is harder than it appears…
- A place where technology meets policy. Constantly…
- Many apps need to be reengineered to use the plumbing
- Owning data is having power
- Scaling is a constant concern
- What policies there are are often ill-informed
- This all has to be real and rock solid

36 Into some specifics…
- R&E has needs that are not distinctive from the corporate sector, but more urgent
- R&E has distinctive clue, singularly and in aggregate
- Result is corporate and public sector attention and investment

37 Enterprise plumbing
- Identity Management Services
  - Authentication
  - Directories
  - Authorization
  - Connecting legacy data
- Running the water in
  - Managing the complex policy issues
- Enabling applications
  - Reengineering legacy apps
  - Infrastructure apps – e-mail, web, calendaring, netauth, etc.
  - “Specialty apps” – streaming video servers, repositories, grids, etc.

38 Campus Core Middleware Architecture: (Origin perspective)

39 Identity Management, the Big, Scary Picture

40 What’s Happening - enterprise
- Directory standards
  - eduPerson, eduOrg, CourseId, localperson, etc.
  - Metadirectory operational guidance
  - Recipes and business cases
  - H.350
- Authentication
  - Open source WebSSO
  - Roadmaps and reference models
  - PKI certificate profiles
- Authorization
  - Signet
  - SPOCP, Permis

41 Early federations without plumbing

42 Business drivers for federations
- Corporate
  - Need to link consumer identities among disparate service providers
  - Link corporate employees through a company portal to outsourced employee services transparently
  - Allow supply chain partners to access each other’s internal web sites with role-based controls
- Research and education
  - Access to and sharing of digital content
  - The visiting scientist and eduRoam
  - Inter-institutional courseware
  - Grids and collaborative tools

43 Unified field theory of Trust
- Bridged, global hierarchies of identification-oriented, often government-based trust – laws, identity tokens, etc.
  - Passports, driver’s licenses
  - Future is typically PKI-oriented
- Federated enterprise-based; leverages one’s security domain; often role-based
  - Enterprise does authentication and attributes
  - Federations of enterprises exchange assertions (identity and attributes)
- Peer-to-peer trust; ad hoc, small-locus personal trust
  - A large part of our non-networked lives
  - New technology approaches to bring this into the electronic world
  - Distinguishing P2P application architecture from P2P trust
- Virtual organizations cross-stitch across one of the above

44 Federations and PKI
- The rough differences are payload format (SAML vs X.509) and typical length of validity of assertion (real-time vs long-term)
- Federations use enterprise-oriented PKI heavily and make end-user PKI both more attractive and more tractable.
- The analytic framework (evaluation methodologies for risk in applications and strength of credentials) developed for PKI is useful for federations.
- The same entity can offer both federation and PKI services
- PKI-oriented infrastructure (e.g. FBCA) can be leveraged in support of federations
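The “real-time” side of that contrast shows up in the checks a relying party applies before it trusts an assertion: a trusted issuer from federation metadata, a validity window of minutes rather than years, an audience restriction, and a replay cache. The Python below is an added example, not code from the presentation or from Shibboleth; the issuer, audience, assertion and the list of trusted issuers are constructed, and XML signature verification is assumed to have been done beforehand by a signature library and is not shown.

```python
"""Added example: relying-party checks on a SAML 2.0 assertion. The
assertion, issuer, audience and trusted-issuer list are constructed.
Signature verification is assumed done elsewhere and is not shown."""
import xml.etree.ElementTree as ET
from datetime import datetime, timedelta, timezone

NS = {"saml": "urn:oasis:names:tc:SAML:2.0:assertion"}

# Constructed stand-in for federation metadata: issuers this relying party trusts.
TRUSTED_ISSUERS = {"https://idp.example-campus.edu/idp"}

# Constructed minimal assertion (Signature element omitted).
SAMPLE_ASSERTION = """<saml:Assertion xmlns:saml="urn:oasis:names:tc:SAML:2.0:assertion"
    ID="_a1b2c3" IssueInstant="2004-11-01T12:00:00Z" Version="2.0">
  <saml:Issuer>https://idp.example-campus.edu/idp</saml:Issuer>
  <saml:Conditions NotBefore="2004-11-01T12:00:00Z" NotOnOrAfter="2004-11-01T12:05:00Z">
    <saml:AudienceRestriction>
      <saml:Audience>https://sp.example-vo.org/shibboleth</saml:Audience>
    </saml:AudienceRestriction>
  </saml:Conditions>
  <saml:AttributeStatement>
    <saml:Attribute Name="eduPersonAffiliation">
      <saml:AttributeValue>student</saml:AttributeValue>
    </saml:Attribute>
    <saml:Attribute Name="eduPersonEntitlement">
      <saml:AttributeValue>urn:mace:example-vo.org:experiment-Y</saml:AttributeValue>
    </saml:Attribute>
  </saml:AttributeStatement>
</saml:Assertion>"""


class AssertionRejected(Exception):
    pass


def _parse_time(s):
    # SAML timestamps are UTC with a trailing "Z".
    return datetime.strptime(s, "%Y-%m-%dT%H:%M:%SZ").replace(tzinfo=timezone.utc)


def validate_assertion(xml_text, audience, now, seen_ids, skew=timedelta(seconds=60)):
    """Return the asserted attributes if the assertion is acceptable;
    otherwise raise AssertionRejected. seen_ids is the replay cache."""
    root = ET.fromstring(xml_text)
    if root.tag != "{%s}Assertion" % NS["saml"]:
        raise AssertionRejected("not a SAML assertion")
    issuer = root.findtext("saml:Issuer", namespaces=NS)
    if issuer not in TRUSTED_ISSUERS:
        raise AssertionRejected("issuer not in federation metadata: %r" % issuer)
    cond = root.find("saml:Conditions", namespaces=NS)
    if cond is None:
        raise AssertionRejected("no Conditions element")
    # Validity window of minutes (vs. years for a certificate); allow small clock skew.
    if now + skew < _parse_time(cond.get("NotBefore")):
        raise AssertionRejected("assertion not yet valid")
    if now - skew >= _parse_time(cond.get("NotOnOrAfter")):
        raise AssertionRejected("assertion expired")
    audiences = {a.text for a in cond.findall("saml:AudienceRestriction/saml:Audience", NS)}
    if audience not in audiences:
        raise AssertionRejected("assertion was issued for a different audience")
    # Each assertion ID is accepted once; a second presentation is a replay.
    aid = root.get("ID")
    if aid in seen_ids:
        raise AssertionRejected("replayed assertion %s" % aid)
    seen_ids.add(aid)
    attrs = {}
    for attr in root.findall("saml:AttributeStatement/saml:Attribute", NS):
        attrs[attr.get("Name")] = [v.text for v in attr.findall("saml:AttributeValue", NS)]
    return attrs


def check_sample(now_iso, audience="https://sp.example-vo.org/shibboleth", cache=None):
    """Validate SAMPLE_ASSERTION at the given UTC time; report 'ok:' plus the
    affiliation, or 'rejected:' plus the reason."""
    try:
        attrs = validate_assertion(SAMPLE_ASSERTION, audience, _parse_time(now_iso),
                                   cache if cache is not None else set())
        return "ok:" + ",".join(attrs["eduPersonAffiliation"])
    except AssertionRejected as e:
        return "rejected:" + str(e)


if __name__ == "__main__":
    print(check_sample("2004-11-01T12:01:00Z"))  # ok:student
    print(check_sample("2004-11-01T12:10:00Z"))  # rejected:assertion expired
```

The five-minute window is what lets a federation get by without the revocation machinery a long-lived X.509 credential needs; the replay cache closes the gap the window leaves open.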

45 Federation Plumbing
- Shared technologies
  - To transport data between enterprises
  - To provide meaning to the transported data
- Shared policies
  - To provide security
  - To preserve privacy
- Federation operations
  - To operate the coordination services
  - To drive the process
  - To bridge to other federations

46 What’s happening - federations
- Shibboleth, SAML, Liberty and WS-Fed
- InCommon, InQueue, etc.
- Linkage with US Government e-Authentication
- Federations in varying stages of development in UK, Australia, Finland, Switzerland, Netherlands, France, Spain, etc.
- International peering meeting

47 Federal government
- Federal E-Authentication has a number of pilots under way. One of them is now Shib.
- Phase 1 and Phase 2 efforts funded, with deliverables due over the next six months
  - Policy framework comparison submitted Oct 7
  - Technical interop demonstrated October 14
  - Policy discussions and applications meetings now occurring
- Potential phase 3 and 4 would include working on a federal federation and peering with Higher Ed and other federations.

48 Peering with federal government
- Coordination of levels of assurance
  - OMB for identity proofing
  - Interim Credential Assessment Framework documents, the SAML authn context field, and the dangers of complexity
- Coordination of federation operator principles
- Coordination of attributes being passed
  - Mapping of attributes between federations
  - A persistent opaque unique identifier
- Use of the FBCA and HEBCA as a vehicle for analysis and mapping
- 37 applications by the end of the year… Level 1 and 2
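The “persistent opaque unique identifier” above is, in the style of eduPersonTargetedID and SAML persistent name identifiers, normally derived so that it is stable for one user at one relying party and unlinkable across relying parties. The Python below is an added example, not code from the presentation or from any project it names; the identity provider secret, the user identifiers and the entity IDs are constructed.

```python
"""Added example: a pairwise, persistent, opaque identifier derived by the
identity provider. The secret, user IDs and entity IDs are constructed."""
import base64
import hashlib
import hmac

# Long-lived secret known only to the identity provider. Constructed here;
# in a deployment it is generated randomly and kept out of source control.
IDP_SALT = b"constructed-idp-secret-do-not-reuse"


def opaque_id(local_user_id, relying_party_entity_id, salt=IDP_SALT):
    """HMAC-SHA256 over the local identifier and the relying party's entity ID.
    Persistent: the same inputs give the same value on every login.
    Opaque: the relying party cannot recover the local user ID from it.
    Pairwise: two relying parties receive unlinkable values for one user."""
    # A separator byte keeps (user, rp) pairs from colliding by concatenation.
    msg = local_user_id.encode() + b"\x00" + relying_party_entity_id.encode()
    digest = hmac.new(salt, msg, hashlib.sha256).digest()
    return base64.urlsafe_b64encode(digest).rstrip(b"=").decode()


def is_pairwise(local_user_id, rp_a, rp_b):
    """True when the two relying parties see different values for this user."""
    return opaque_id(local_user_id, rp_a) != opaque_id(local_user_id, rp_b)


def rp_key(issuer_entity_id, oid):
    """Record key on the relying-party side. The opaque value is unique only
    within the issuing IdP, so it is always stored with the issuer's entity ID;
    when federations peer, that pairing keeps identifiers from colliding."""
    return (issuer_entity_id, oid)


if __name__ == "__main__":
    user, rp_a, rp_b = "jdoe", "https://sp-a.example.org", "https://sp-b.example.org"
    print(opaque_id(user, rp_a) == opaque_id(user, rp_a))  # True: persistent
    print(is_pairwise(user, rp_a, rp_b))                    # True: unlinkable
    print(rp_key("https://idp.example.edu", opaque_id(user, rp_a)))
```

Rotating the secret changes every derived identifier at once, so it must be treated as an identity-provider key with the same lifecycle controls as a signing key.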

49 International federation peering
- Shibboleth-based federations in the UK, Netherlands, Finland, Switzerland, Australia, Spain, and others
- International peering meeting October in Upper Slaughter, England
- Issues include agreeing on policy framework, comparing policies, correlating app usage to trust level, aligning privacy needs, working with multinational service providers, scaling the WAYF function
- Leading trust to Slaughter…

50 Lower Slaughter

51 Upper Slaughter

52 Leading trust to Slaughter

53 League of federations issues
- Brand, logo, presence
- Handling international resource providers
- Qualifying new members
- Relationship to other sector activities, particularly government (and health services)
- Support for virtual organizations
- Promoting its use for applications: eduRoam, GLIF, Grids
- EU privacy issues
- International WAYF and user experience
- Universal InQueue

54 Leading trust from Slaughter

55 The Virtual Organization Support Space
- Role of enterprise and of federation
- Role of virtual organization support center
- Role of virtual organization
- The business case for/against the model

56 Enterprise and federation
- Enterprise
  - Collaboration and communications infrastructure
  - Common plumbing interface
  - Storage of VO attributes in enterprise object classes
  - Hosting VO services for some VOs
- Federation
  - Trust fabric for enterprise assertions
  - Dissemination of VO objectclasses
  - International trust fabric

57 VO Service Centers
- To provide infrastructure services for users whose enterprises can’t play
- To coordinate the dissemination of enterprise shims relative to the VOs supported in the area
- To coordinate international efforts for multi-national VOs
- To help train VOs in the use of the tools and the organizational issues

58 Virtual organization
- Data and metadata models
- Attribute and role definition
- Domain-specific infrastructure

59 Business model
- For
  - Integrated environment for the users
  - Costs are relatively modest
  - Large economies of scale
- Against
  - A tricky bootstrap process
  - Requires modest campus participation
  - Greatest leverage is from widely based adoption

60 Interesting issues for the medical community
- How does this apply to the clusters of organizations that gather into medical communities? University, hospital, community clinics, research facilities, parking services
- What are the enterprise, federation and virtual organization structural equivalents?
- Where to store the attributes?
- Regulatory issues abound
- Proprietary systems abound
- Is NIH a federation?
- Can this model be adapted to work with patients accessing institutional medical records?
