Presentation is loading. Please wait.

Presentation is loading. Please wait.

Internet2 Middleware Activities Progress

Published byConstance Shepherd Modified over 5 years ago

Similar presentations

Presentation on theme: "Internet2 Middleware Activities Progress"— Presentation transcript:

1 Internet2 Middleware Activities Progress
Renee Woodten Frost Project Manager, Internet2 Middleware Initiative I2 Middleware Liaison, University of Michigan ………………. And an ensemble of hundreds _______________________________________________________________

2 Activities Mace - RL “Bob” Morgan (Washington)
Early Harvest / Early Adopters - Renee Frost (Michigan) LDAP Recipe - Michael Gettes (Georgetown) EduPerson - Keith Hazelton (Wisconsin) Directory of Directories - Michael Gettes (Georgetown) Metadirectories - Keith Hazelton (Wisconsin) Shibboleth - Steven Carmody (Brown) PKI Labs - Dartmouth and Wisconsin HEPKI-TAG and PAG - Jim Jokl (Virginia) and Ken Klingenstein (Colorado) HEBCA - Mark Luker (EDUCAUSE) Medical Middleware - Rob Carter (Duke), Jack Buchanan (UT, Memphis) Opportunities - video, the GRID, K-12 CIC AIS Directors Spring 2001

3 MACE (Middleware Architecture Committee for Education)
Purpose: to provide advice, create experiments, foster standards, etc. on key technical issues for core middleware within higher ed Membership: Bob Morgan (UW) Chair Steven Carmody (Brown) Michael Gettes (Georgetown) Keith Hazelton (Wisconsin) Paul Hill (MIT) Jim Jokl (Virginia) Mark Poepping (CMU) David Wasley (U California) Von Welch (NCSA) CIC AIS Directors Spring 2001

4 Early Harvest and Early Adopters
Early harvest in the barn… Early adopters aggressively doing deployments Michigan Tech, U Maryland BC, Johns Hopkins, etc CIC AIS Directors Spring 2001

5 LDAP Recipe How to build and operate a directory in higher ed
1 Tsp. DIT planning 1 Tbsp Schema design 3 oz. configuration lbs of data Good details, such as tradeoffs/recommendations on indexing, how and when to replicate, etc. CIC AIS Directors Spring 2001

6 LDAP Recipe Contents Directory Information Tree Schema Design Directory of Directories for Higher Education (DoDHE) expectations Schema Design (continued) Schema: How to upgrade it? Password Management Bindings eduPerson attribute discussions Access Control Replication Name Population LDAP filter config file for white pages telephoneNumber formatting CHANGELOG CIC AIS Directors Spring 2001

7 eduPerson A directory objectclass intended to support inter-institutional applications Fills gaps in traditional directory schema For existing attributes, states good practices where known Specifies several new attributes and controlled vocabulary to use as values. Provides suggestions on how to assign values, but it is up to the institution to choose. Version 1.0 now done; one or two revisions anticipated CIC AIS Directors Spring 2001

8 Issues about Upper Class Attributes
eduPerson inherits attributes from person, iNetOrgPerson Some of those attributes need conventions about controlled vocabulary (e.g. telephones) Some of those attributes need ambiguity resolved via a consistent interpretation (e.g. address) Some of the attributes need standards around indexing and search (e.g. compound surnames) Many of those attributes need access control and privacy decisions (e.g jpeg photo, address, etc.) CIC AIS Directors Spring 2001

9 New eduPerson Attributes
eduPersonAffiliation eduPersonPrimaryAffiliation eduPersonOrgDN eduPersonOrgUnitDN eduPersonPrincipalName eduPersonNickname CIC AIS Directors Spring 2001

10 eduPersonAffiliation
Multi-valued list of relationships an individual has with institution Controlled vocabulary includes: faculty, staff, student, alum, member, affiliate, employee Applications that use: DoD, white pages CIC AIS Directors Spring 2001

11 eduPersonPrimaryAffiliation
Single-valued attribute that would be the status put on a name badge at a conference Controlled vocabulary includes: faculty, staff, student, alum, member, affiliate, employee Applications that use: DoD, white pages CIC AIS Directors Spring 2001

12 eduPersonPrincipalName
EPPN may look like an address but it is used by different systems. One must be able to authenticate against the EPPN used in inter-realm authentication such as Shibboleth In some situations, it can be used for access control lists; if used, a site should understand the reassignment policy. CIC AIS Directors Spring 2001

13 Next Steps eduPerson 1.0 done, along with FAQ and letter to implementers Ties closely to LDAP recipe Version 2.0 to include attributes for videoconferencing, additional collaboration factors, links to Grids, portals, etc. Check with web site for additional changes Participate: CIC AIS Directors Spring 2001

14 A Campus Directory Architecture
Border directory Metadirectory Enterprise directory OS directories (MS, Novell, etc) Departmental directories Dir DB Registries Source systems CIC AIS Directors Spring 2001

15 A Directory of Directories
An experiment to build a combined directory search service To show the power of coordination Will highlight the inconsistencies between institutions Technical investigation of load and scaling issues, centralized and decentralized approaches Human interfaces issues - searching large name spaces with limits by substring, location, affiliation, etc... Two different experimental regimes to be tested centralized indexing and repository with referrals large-scale parallel searches with heuristics to constrain search space SUN donation of server and iPlanet license (6,000,000 dn’s) Michael Gettes, Georgetown, is the project manager CIC AIS Directors Spring 2001

16 DoD Architecture Inputs to DoDHE Inputs: Local Site View
Central Deposit Service DoD Config Directory Operation Search Operations Search Drill Down from a list CIC AIS Directors Spring 2001

17 Inputs Remote Site Directories Remote Data Sources LDAP Oracle Etc…
Search Data Filtering & Submit to CDS DoD Config Central Deposit Systems (CDS) CIC AIS Directors Spring 2001

18 Inputs: Local Site View
Submit final LDIF to CDS using authenticated POST via HTTPS. Local Data Source LDAP Filter LDIF according to local policy. Generate new LDIF for submission. DODHE CDS Generate LDIF Data CIC AIS Directors Spring 2001

19 Inputs: Why this way? Standardized input is LDIF
Could be XML but few products generate XML now (01/2001) Could use Metamerge Integrator as filter and submission mechanism Site always submits full dataset. No worry of reconciling. Easier site participation in the DoDHE service. CDS handles reconciliation and controls data processing. Can provide feedback. CIC AIS Directors Spring 2001

20 Metadirectories: Metamerge
is now Metamerge Higher Education Contact for USA Keith Hazelton, University of Wisconsin – Madison This product is available free of charge to Higher Ed in USA Source code will be in escrow. See Keith for further details. CIC AIS Directors Spring 2001

21 Metamerge Features GUI development environment
NOT a Meta-Directory, but a tool to build same functionality Various Languages: JavaScript, Java, Perl, Rexx, etc… Various Parsers: XML, LDIF, CSV, Script Interface, etc … for input and output Various Connectors: COMport, Files, HTTP, HTTPserver, FTP, LDAP, JDBC, Oracle and more … The product is ALL Java CIC AIS Directors Spring 2001

22 This begs the following …
If you were given both this Metamerge LDIFTransformer and a Perl script that is the basis for the same functionality – each need to be customized for local purposes – which appears more attractive to you? Answer: from querying various institutions on this question the common response, nearly 100%, is that use of Metamerge is good, interesting and yields other possibilities not likely with just a Perl script. So, the DoDHE will progress assuming Metamerge. If your institution would like to do something different, then you are welcome to do so. Hopefully a common solution will have benefits beyond a custom solution. CIC AIS Directors Spring 2001

23 Shibboleth A word which was made the criterion by which to distinguish the Ephraimites from the Gileadites. The Ephraimites, not being able to pronounce sh, called the word sibboleth. See --Judges xii. Hence, the criterion, test, or watchword of a party; a party cry or pet phrase. - Webster's Revised Unabridged Dictionary (1913): CIC AIS Directors Spring 2001

24 Shibboleth An initiative to analyze and develop mechanisms(architectures, frameworks, protocols and implementations) for inter-institutional web access control Facilitated by Mace (a committee of leading higher ed IT architects) and Internet2 “Authenticate locally, act globally” the Shibboleth shibboleth Oriented towards privacy and complements corporate standards efforts Open solution Vendor participation - IBM et al CIC AIS Directors Spring 2001

25 Isn’t This What PKI Does?
PKI does this and a whole lot more; as a consequence, PKI does very little right now End-to-end PKI fits the Shibboleth model, but other forms of authentication do as well Uses a lightweight certificate approach for inter-institutional communications - uses the parts of PKI that work today (server side certs) and avoids the parts of PKI that don’t work today (eg client certs). Allows campuses to use other forms of authentication locally May actually have benefits over the end-user to target-site direct interactions... CIC AIS Directors Spring 2001

26 Related Work Previous DLF work
OASIS Technical Committee (vendor activity, kicked off 1/2001) UK - Athens and Sparta projects Spain - rediris project CIC AIS Directors Spring 2001

27 Assumptions “authenticate locally, act globally” the Shibboleth shibboleth Leverage vendor and standards activity wherever possible Disturb as little of the existing campus infrastructure as possible Work with common, minimal authorization systems (eg htaccess) Encourage good campus behaviors Learn through doing Create a marketplace and reference implementations We will not be another dead guppy Protect Personal Privacy! CIC AIS Directors Spring 2001

28 Development Process Scenarios leading to requirements
Establish model architectures for common services and scenario-specific services Develop service and protocol requirements Identify service options/begin protocol development Produce open implementations of missing service components; provide external services as needed CIC AIS Directors Spring 2001

29 Stage 1 - Addressing Three Scenario’s
Member of campus community accessing licensed resource Anonymity required Member of a course accessing remotely controlled resource Member of a workgroup accessing controlled resources Controlled by unique identifiers (e.g. name) Taken individually, each of these situations can be solved in a variety of straightforward ways. Taken together, they present the challenge of meeting the user's reasonable expectations for protection of their personal privacy. CIC AIS Directors Spring 2001

30 Architectural Model Local Authentication
Local Entity Willing to Create and Sign Entitlement Set of assertions about the user (Attribute/value pairs) User has control over disclosure Identity optional “active member of community”, “Associated with Course XYZ” Target responsible for Authorization Rules engine Matches contents of entitlements against ruleset associated with target object Cross Domain Trust Previously created between origin and target Perhaps there is a contract (information providers..) CIC AIS Directors Spring 2001

31 Shibboleth Architecture Concepts - High Level
Browser Pass content if user is allowed Target Web Server Authorization Phase Authentication Phase First Access - Unauthenticated Origin Site Target Site CIC AIS Directors Spring 2001

32 Shibboleth Architecture Concepts (detail)
Browser Target Web Server Authentication Phase Authorization Phase Success! Attribute Server Entitlements Ent Prompt Req Ent Second Access - Authenticated Auth OK Web Login Server Pass entitlements for authz decision Redirect User to Local Web Login Pass content if user is allowed Authentication Ask to Obtain Entitlements First Access - Unauthenticated Target Site Origin Site CIC AIS Directors Spring 2001

33 Shibboleth Architecture Concepts #1 (managing trust)
Club Shib Server (holds certs and contracts) Attribute Server Shib htaccess plugin Target Web Server Browser Origin Site Target Site CIC AIS Directors Spring 2001

34 Campus and Resource Requirements
To Participate in Shibboleth, a site must have: Campus-wide authentication service Campus-wide identifier space (EPPN) Implementation of EduPerson objectclass Ability to generate attributes (eg “active member of the community”) CIC AIS Directors Spring 2001

35 Issues Personal Privacy (reasonable expectation, laws)
Relation to local weblogin (Single Signon) Portals Use of Shibboleth framework by services beyond the web Grid resources and users CIC AIS Directors Spring 2001

36 Internals of the Shibboleth Model: Functions and Standards
There are component services that are assumed to exist already on campuses There are new functional services that must be implemented There are new protocols that must be developed There are data and metadata definitions that must be standardized. CIC AIS Directors Spring 2001

37 Internals of the Shibboleth Model: Services, standards, protocols
Identifier privacy engine Institutional shib key distribution service Where from service Web access control service Inter-realm information exchange protocols for authentication and authorization OASIS XML Standard Credential Factory Local authentication service Web SSO service Local Shibboleth control point Local attribute server CIC AIS Directors Spring 2001

38 Shibboleth Components
CIC AIS Directors Spring 2001

39 Descriptions of services
local authentication server - assumed part of the campus environment web sso server - typically works with local authn service to provide web single sign-on resource manager proxy, resource manager - may serve as control points for actual web page access attribute authority - assembles/disassembles/validates signed XML objects using attribute repository and policy tables attribute repository - an LDAP directory, or roles database or…. Where are you from service - one possible way to direct external users to their own local authn service attribute mapper - converts user entitlements into local authorization values PDP - policy decision points - decide if user attributes meet authorization requirements SHAR - Shibboleth Attribute Requestor - used by target to request user attributes CIC AIS Directors Spring 2001

40 Component Relationship Model
ORIGIN TARGET CIC AIS Directors Spring 2001

41 Authorization Attributes
Typical Assertions in the Higher Ed Community “active member of the community” “active in course X” member of group “georgetown.giia ? Signed by the institution! (optional in OASIS, required in Shib) CIC AIS Directors Spring 2001

42 Isn’t This What LDAP Does?
Since this doesn’t exist yet, it can do a lot more than LDAP! (-: XML is so extensible that this is the last protocol that we’ll ever need! (-: OK, tell me really….. The key here is the CONTROLLED dissemination of attribute information, based on multiple factors. CIC AIS Directors Spring 2001

43 Charge -- OASIS Security Services Technical Committee
Standardize: an XML format for "assertions” (authentication, authorization, authorization decision, access yes/no) (maybe) a (stateless ?) request/response protocol for obtaining assertions transport bindings for this protocol to HTTP, S/MIME, RMI, etc. This will be accompanied by requirements/scenarios, compliance info, security considerations, etc Out of Scope… How authentication is done Defining specific attributes (eg “member of community”) Establishing trust between origin and target Note.. Inter-product, not explicitly inter-domain CIC AIS Directors Spring 2001

44 Project Status/Next Steps
Requirements and Scenarios document nearly finished IBM and Mace-Shibboleth are refining architecture and evaluating issues IBM intends to develop an Apache web module Internet2 intends to develop supporting materials (documentation, installation, etc) and web tools (for htaccess construction, filter and access control, remote resource attribute discovery). Technical design complete - May, 2001 Coding of a prototype begins June 1 Pilot sites start-up - Aug, 2001 Public demo of the prototype by the pilots - Internet2 Fall Member Meeting 2001 CIC AIS Directors Spring 2001

45 Shibboleth, eduPerson, and everything else
Middleware Inputs & Outputs Licensed Resources Embedded App Security Grids OKI JA-SIG & uPortal Inter-realm calendaring futures Shibboleth, eduPerson, Affiliated Dirs, etc. Enterprise AuthZ Campus web sso Enterprise Directory Enterprise Authentication Legacy Systems CIC AIS Directors Spring 2001

46 Internet2 PKI Labs At Dartmouth and Wisconsin in computer science departments and IT organizations Doing the deep research - two to five years out Policy languages, path construction, attribute certificates, etc. National Advisory Board of leading academic and corporate PKI experts provides direction Catalyzed by startup funding from ATT CIC AIS Directors Spring 2001

47 HEPKI-TAG Chaired by Jim Jokl, Virginia Certificate profiles
survey of existing uses development of standard presentation identity cert standard recommendation Mobility options – IETF SACRED scenarios Public domain software alternatives CIC AIS Directors Spring 2001

48 HEPKI-PAG David Wasley, UCOP, prime mover
Draft certificate policy for a campus HEBCA certificate policy FERPA State Legislatures Gartner Group Decision Maker software CIC AIS Directors Spring 2001

49 Medical Middleware Unique requirements - HIPAA, disparate relationships, extended community, etc. Unique demands - 7x24, visibility PKI seen as a key tool Mace-med recently formed to explore the issues CIC AIS Directors Spring 2001

50 The complex challenges of academic medical middleware
Intra-realm issues - multiple vendors, proprietary systems, evolving regulations Enterprise issues - security, directories, authorization; balance of institutional and medical enterprises Inter-realm issues - standards, gateways, common operational processes and policies, performance Multiple communities of interest - institutional, medical center, affiliated hospitals, state and federal regulatory and certification organizations, insurance companies, medical researchers, etc. CIC AIS Directors Spring 2001

51 The applications view of medical upperware
Client (in this scenario) VA Clinical System Server (in this scenario) DoD Clinical System Request lab data, This Soldier, this time frame Request observation Who’s asking? What role? What is need to know? Who is this person? Who knows this person? Where is lab info on this person? Convert to server’s terms Resource Access Decision (RAD) Person Identification Service (PIDS) Health Information Locator Service (HILS) Terminology Query Service (TQS) outbound Clinical Observation Access Service (COAS) CIC AIS Directors Spring 2001

52 The enterprise architect view of medical middleware
Internet Research Systems Hospital Administrative Systems Medical Administrative Systems App dir LAN dir Border Directory Peer institutions Institutional Student Financial Personnel Systems Enterprise directory Corporate collaborators PKI Federal State Gov’ts Person registry Authentication Services Authorization Services CIC AIS Directors Spring 2001

53 Video A variety of tools - vic/vat, H.323, MPEG 2, HDTV
Point-to-point and MCU options H.323 desktop video within reach at physical layer Lacks identifiers and authentication EPPN and Shibboleth-type flow could address CIC AIS Directors Spring 2001

54 K-12 The killer app may be a spreadsheet and resource discovery
Directories to locate information Directories to store experiments Technology isn’t enough CIC AIS Directors Spring 2001

55 More information Early Harvest / Early Adopters: Mace: middleware.internet2.edu LDAP Recipe: recipe/ EduPerson: Directory of Directories: middleware.internet2.edu/dodhe Shibboleth: middleware.internet2.edu/shibboleth HEPKI-TAG: HEPKI-PAG: Medical Middleware: web site to follow Opportunities: video, the GRID, K-12 CIC AIS Directors Spring 2001

Download ppt "Internet2 Middleware Activities Progress"

Similar presentations

Welcome to Middleware Joseph Amrithraj

Welcome to Middleware Joseph Amrithraj
Directory of Directories for Higher Education (DoDHE) October 5, 2001 Michael R. Gettes Principal Technologist Georgetown University Project Leader, DoDHE.

Directory of Directories for Higher Education (DoDHE) October 5, 2001 Michael R. Gettes Principal Technologist Georgetown University Project Leader, DoDHE.
EduPerson and Federated K-12 Activities InCommon/Quilts Pilot Group February 27, 2014 Keith Hazelton UW-Madison, InCommon/I2.

EduPerson and Federated K-12 Activities InCommon/Quilts Pilot Group February 27, 2014 Keith Hazelton UW-Madison, InCommon/I2.
Shibboleth: How It Relates to SAML Marlena Erdos Aug 27, 2001.

Shibboleth: How It Relates to SAML Marlena Erdos Aug 27, 2001.
David L. Wasley Information Resources & Communications Office of the President University of California Directories and PKI Basic Components of Middleware.

David L. Wasley Information Resources & Communications Office of the President University of California Directories and PKI Basic Components of Middleware.
ICDL 2004, New Delhi1 Access Management for Digital Libraries in a well-connected World John Paschoud SECURe Project London School of Economics Library.

ICDL 2004, New Delhi1 Access Management for Digital Libraries in a well-connected World John Paschoud SECURe Project London School of Economics Library.
Attributes, Anonymity, and Access: Shibboleth and Globus Integration to Facilitate Grid Collaboration 4th Annual PKI R&D Workshop Tom Barton, Kate Keahey,

Attributes, Anonymity, and Access: Shibboleth and Globus Integration to Facilitate Grid Collaboration 4th Annual PKI R&D Workshop Tom Barton, Kate Keahey,
Beispielbild Shibboleth, a potential security framework for EDIT Lutz Suhrbier AG Netzbasierte Informationssysteme (http://www.ag-nbi.de)http://www.ag-nbi.de.

Beispielbild Shibboleth, a potential security framework for EDIT Lutz Suhrbier AG Netzbasierte Informationssysteme (
Copyright JNT Association 20051OptionalCopyright JNT Association 2007 Overview of the UK Access Management Federation Josh Howlett.

Copyright JNT Association 20051OptionalCopyright JNT Association 2007 Overview of the UK Access Management Federation Josh Howlett.
Shibboleth Update a.k.a. “shibble-ware”

Shibboleth Update a.k.a. “shibble-ware”
InCommon Policy Conference April 2005. 2 Uses  In order to encourage and facilitate legal music programs, a number of universities have contracted with.

InCommon Policy Conference April Uses  In order to encourage and facilitate legal music programs, a number of universities have contracted with.
Welcome to CAMP Identity Management Integration Workshop Ann West NMI-EDIT EDUCAUSE/Internet2.

Welcome to CAMP Identity Management Integration Workshop Ann West NMI-EDIT EDUCAUSE/Internet2.
Shibboleth: New Functionality in Version 1 Steve Carmody July 9, 2003 Steve Carmody July 9, 2003.

Shibboleth: New Functionality in Version 1 Steve Carmody July 9, 2003 Steve Carmody July 9, 2003.
Project Shibboleth Update, Demonstration and Discussion Michael R Gettes Duke University (on behalf of the entire shib team!!!) June.

Project Shibboleth Update, Demonstration and Discussion Michael R Gettes Duke University (on behalf of the entire shib team!!!) June.
Shibboleth-intro-dec051 Shibboleth A Technical Overview Tom Scavo NCSA.

Shibboleth-intro-dec051 Shibboleth A Technical Overview Tom Scavo NCSA.
Copyright © The OWASP Foundation Permission is granted to copy, distribute and/or modify this document under the terms of the OWASP License. The OWASP.

Copyright © The OWASP Foundation Permission is granted to copy, distribute and/or modify this document under the terms of the OWASP License. The OWASP.
● Problem statement ● Proposed solution ● Proposed product ● Product Features ● Web Service ● Delegation ● Revocation ● Report Generation ● XACML 3.0.

● Problem statement ● Proposed solution ● Proposed product ● Product Features ● Web Service ● Delegation ● Revocation ● Report Generation ● XACML 3.0.
Middleware Activities Update Internet2 Membership, with coordination provided by Internet2 et al presentation by Renee Woodten Frost Internet2 and the.

Middleware Activities Update Internet2 Membership, with coordination provided by Internet2 et al presentation by Renee Woodten Frost Internet2 and the.
Authorization Scenarios with Signet RL “Bob” Morgan University of Washington Internet2 Member Meeting, September 2004.

Authorization Scenarios with Signet RL “Bob” Morgan University of Washington Internet2 Member Meeting, September 2004.
Middleware Tutorial and Use Renee Woodten Frost Project Manager, Internet2 Middleware Initiative Internet2 Middleware Liaison, University of Michigan ARKNet.

Middleware Tutorial and Use Renee Woodten Frost Project Manager, Internet2 Middleware Initiative Internet2 Middleware Liaison, University of Michigan ARKNet.

Similar presentations

Ads by Google