
The JISC Core Middleware Call


1 The JISC Core Middleware Call
Brian Gilmore The University of Edinburgh and JISC Committee for Support of Research

2 Purpose
To develop new and extend existing technologies in access management (AAA), which are:
Standards-based
Aligned with other national and international developments
Aimed at future service deployment, in national and/or institutional contexts
Designed to address certain scenarios which are currently difficult to handle

3 Present position
Two very different services with national scope exist today:
Athens: username/password based service for unifying access to electronic library-type resources
Mainly, though not exclusively, licensed via JISC consortium deals
UK e-Science CA: service for issuing digital certificates for access to Grid-type resources

4 Scope of Athens
Over 2 million current usernames
Username/password database; maintenance devolved to institutions
Around 500 HigherEd and FurtherEd institutions use the Athens service
Around 200 licensed resources are controlled via Athens

5 So why change?
Athens today still uses its own, proprietary protocols
Little international take-up
Athens design lacks the flexibility of more recent approaches
Not well adapted to inter-institutional scenarios, e.g. virtual organisations

6 The e-Science CA
Part of the Grid Support Centre
Based on OpenCA software (with local modifications)
Verification of user identities carried out by trusted RAs around the community
Current scale of operation: a few hundred certificates per year

7 So why change?
The vision is to extend e-Science technologies to larger communities, e.g. social sciences, bioinformatics
A general view is that the existing CA will be difficult to scale up
In practice, larger-scale AAA regimes are almost always based around institutions, which are best placed to administer their own members

8 Key scenarios
A next-generation AAA infrastructure must support the following scenarios:
Internal (intra-institutional) applications as well as use between organisations
Management of access to third-party digital library-type resources (as now)
Inter-institutional use: stable, long-term resource sharing between defined groups (e.g. shared e-learning scenarios)
Inter-institutional use: ad hoc collaborations, potentially dynamic in nature (virtual organisations or VOs)

9 VO characteristics
A VO's members typically belong to more than one real organisation
Wishing to share resources across real-world organisational boundaries (often problematic in security terms)
VO membership, which may be more or less formal, could be based on numerous criteria (discipline, project, course enrolment, personal interests ...)
The authority regulating VO membership could equally take many forms
And timescales may be very varied also

10 Shibboleth
Options for moving forward:
PAPI from RedIRIS (Spain)
Shibboleth (Internet2)
The decision was to invest significantly in introducing Shibboleth, with the aim of a national implementation by 2006
First tranche (Call 01/04) for $5m over 3 years

11 Shibboleth cons
Software still lacks user-friendly management tools
In its present state, still quite demanding to install and run
Might require outsourced or packaged services for smaller institutions?
Relatively unsophisticated authorisation model:
Single attribute authority
No generalised decision engine

12 Coping with VOs
Problem: typically a VO involves at least two sources of authority
User's identity derives from home institution
User's VO membership and privileges derive from the VO's own authority
Solution: add more intelligence to the Shibboleth resource manager
Policy-driven decision engine
Multiple sources of authority

13 Permis
What is Permis? A policy-based decision engine
Policy expressed in XML (compliance with the OASIS XACML standard planned)
Supports multiple sources of authority
Decisions based on roles or discrete attributes of users
User attributes stored in X.509 standard attribute certificates
Stable, portable implementation now included in NMI release

14 Shibboleth + Permis
Extend the Shibboleth resource manager by incorporating the Permis decision engine
Resource owners can then set much more complex policies, embodying their conditions of access
Attributes can be gathered from more than one location (and be supplied by more than one authority)
Thus meeting the needs of VOs and providing much more fine-grained control
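The "two sources of authority" problem of slides 12 to 14, as an added illustration (not PERMIS or Shibboleth code): a toy policy-driven decision engine in which the home institution asserts affiliation, the VO's own attribute authority asserts VO roles, and the resource policy names which issuer is trusted for which attribute. Issuer names, attribute names and the policy itself are constructed for the example.

```python
"""Toy policy decision engine: identity attributes from the home institution,
VO attributes from the VO's own authority, one policy combining both.
Hypothetical illustration only, not the PERMIS engine or its XML policy format."""
from dataclasses import dataclass


@dataclass(frozen=True)
class Attribute:
    name: str    # e.g. "affiliation" or "vo-role"
    value: str
    issuer: str  # source of authority that asserted this attribute


# Constructed policy. trusted_issuers says who may assert which attribute;
# rules lists, per resource, alternative sets of requirements (any one suffices,
# every attribute named inside a rule must be satisfied).
POLICY = {
    "trusted_issuers": {
        "affiliation": {"idp.example.ac.uk"},   # home institution (constructed)
        "vo-role": {"aa.example-vo.org"},       # VO attribute authority (constructed)
    },
    "rules": {
        "vo-dataset": [{"vo-role": {"member", "admin"},
                        "affiliation": {"staff", "student"}}],
        "vo-admin-console": [{"vo-role": {"admin"}}],
    },
}


def valid_attributes(attrs, policy):
    """Drop any attribute whose issuer is not trusted for that attribute name.
    This is what stops a home IdP from asserting VO roles (or vice versa)."""
    trusted = policy["trusted_issuers"]
    return [a for a in attrs if a.issuer in trusted.get(a.name, set())]


def decide(resource, attrs, policy=POLICY):
    """Return True if some rule for the resource is met by validly issued attributes."""
    held = {}
    for a in valid_attributes(attrs, policy):
        held.setdefault(a.name, set()).add(a.value)
    for rule in policy["rules"].get(resource, []):
        if all(held.get(name, set()) & allowed for name, allowed in rule.items()):
            return True
    return False  # default deny
```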

15 Linking to e-Science
Many Grid authorisation models ...
GGF Authorisation Working Group developing requirements summary and conceptual framework
Work in progress on authorisation API (Welch, Chadwick et al.)
Incidentally expressed in SAML
Though may need to be revisited in the light of recent developments

16 The Outcome
34 proposals, grouped into 5 areas:
Technology Development (5 'accepted')
Grid-orientated proposals (3 accepted)
Portal integration (2 accepted)
Inter-institutional collaboration (4 accepted)
Miscellaneous (2 accepted)
Formally, the proposals are still in the process of being accepted by committee members

17 Parallel activities
Building a national Shibboleth service infrastructure will take place in parallel
Existing JISC services are likely to be asked to carry out much of the work
On a 2-year timescale, 2004/5 and 2005/6
Will provide a critical mass of Shibboleth-accessible resources
This work is separately funded, with an additional budget of some $5m over 3 years

18 Questions?
