The Rest of the World, in 75 minutes… Ken Klingenstein Director, Internet2 Middleware and Security.



2 Topics
- Directory activities: eduPerson, CourseID, entitlements, others
- Shibboleth update: core code, federations, GUIs, project management
- Grids: GGF and EGA, campus grids, integration with enterprises
- PKI: HEBCA, USHER, TACAR and EuroPMA
- Diagnostics: middleware diagnostics, performance and security diagnostics, the SURFnet Detective

3 Directory activities
- eduPerson: entitlements and TargetID; affiliate vs. member
- localPerson
- CourseID

4 Shibboleth today
- V1.2 on the streets, v1.3 in development
- Software is still "simple" but getting increasingly complex. Software is still early.
- Identified as the national R&E federation technology in the US, the UK, Australia, Switzerland, Finland, and perhaps others
- Increasingly "at" Burton, Catalyst and Digital ID conferences
- Interoperability discussions and commitments being made among federating software developers

5 Core software development
- V1.0 April 2003, v1.2 May 2004
- V1.3 targeted for fall; priorities include portal support, perhaps the SAML artifact profile
- SAML 2.0, OpenSAML 2.0 and the meaning of Shibboleth
- WS-Fed interoperability
- Shib as WebISO
- SOAP and SAML: interim and long-term
- Whole-grain Shib
- Refactoring into core and modules for long-term management
- Integrated documentation and install guides

6 SAML 2.0
- Historic relationship of SAML and Shib
- Contributions from both Liberty and Shibboleth to the spec
- TC under OASIS, with contributing editor S. Cantor, Individual
- Largely done, perhaps final committee work by end of August, then approval by Nov or IBM…
- Refactors a lot, in Shib and vendor products: how quickly will vendors adopt?
- OpenSAML 2.0 will happen…

7 Coordination of Shib development
- Development now taking place in several countries, with significant investments outside the original development crew
- A reasonable re-layering of architecture and code might be helpful
- Management role models: likely OpenLDAP, Apache; less likely GGF
- Alignment of licensing and copyright could be challenging

8 Federations
- Seem to be happening. InQueue has > 50 members. InCommon is nearing completion of policies, pricing and membership decisions, with ten phase 1 participants doing the lifting
- Shib R&E federations in the UK, Australia, Switzerland, Finland and others; non-Shib FEIDE in Norway
- Federations in business are still bilateral and non-persistent
- International federation peering in the UK in October
- Some activity in the US federal government
- Other efforts, such as Salsa-NetAuth, plan to leverage federations

9 Coupled systems
- The major GUIs: SysAdmin, Autograph, PRM
- Other AA backend plug-ins
- Alternative WAYF approaches: interim and long-term
- Other trust fabrics

10 GUIs to manage Shibboleth

11 SysPriv ARP GUI
- A tool to help administrators (librarians, central IT sysadmins, etc.) set attribute release policies enterprise-wide, for access to licensed content and for linking to outsourced service providers
- Has implications for the end-user attribute release manager (Autograph)
- GUI design now actively underway, led by Stanford
- Plumbing to follow shortly

12 End-user attribute release manager (Autograph)
- Intended to allow end-users to manage release policies themselves and, perhaps, understand the consequences of their decisions
- Needs to be designed for everyone even though only 3% will use it beyond the defaults
- To scale, must ultimately include extrapolation on settings, exportable formats, etc.
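The two slides above describe a layered model: an enterprise-wide attribute release policy authored by administrators, and a per-user policy that most users never change. The code below is an added example, not Shibboleth's own ARP format or code, showing one way the layering can be evaluated so that a user policy can withhold attributes but never widen what the enterprise policy permits. The rule structure, attribute names, relying-party URIs and user data are constructed for this example.

```python
"""Added example: layered attribute release policy evaluation.

Illustrative model only. The enterprise rules stand in for what an
administrator's ARP tool would author; the user withholds stand in for what an
end-user release manager would author. Not Shibboleth's ARP XML.
"""
from fnmatch import fnmatchcase

ANY = "*"  # permit every value of the attribute the user actually has


def release_from_rules(rules, requester, attributes):
    """Subset of `attributes` ({name: set(values)}) permitted for `requester`.

    Rules whose requester pattern matches are unioned; a rule may permit all
    values (ANY) or only an explicit allow-list. Anything not permitted by some
    matching rule is not released (deny by default).
    """
    released = {}
    for rule in rules:
        if not fnmatchcase(requester, rule["requester"]):
            continue
        for name, allowed in rule["attributes"].items():
            have = attributes.get(name)
            if not have:
                continue
            vals = set(have) if allowed == ANY else set(have) & set(allowed)
            if vals:
                released.setdefault(name, set()).update(vals)
    return released


def effective_release(enterprise_rules, user_withholds, requester, attributes):
    """Enterprise policy bounds what may leave; the user can only narrow it."""
    site = release_from_rules(enterprise_rules, requester, attributes)
    for w in user_withholds:  # the default user (no withholds) gets `site` as is
        if not fnmatchcase(requester, w["requester"]):
            continue
        for name, blocked in w["attributes"].items():
            if name not in site:
                continue
            if blocked == ANY:
                del site[name]
            else:
                site[name] -= set(blocked)
                if not site[name]:
                    del site[name]
    return site


# Constructed sample data: hypothetical relying parties and a hypothetical user.
ENTERPRISE_RULES = [
    {"requester": "https://*.licensed-content.example/shibboleth",
     "attributes": {"eduPersonScopedAffiliation": ANY,
                    "eduPersonEntitlement": {"urn:mace:example.edu:contract:journals"}}},
    {"requester": "https://hr-outsourced.example/shibboleth",
     "attributes": {"eduPersonPrincipalName": ANY, "mail": ANY}},
]
USER_ATTRIBUTES = {
    "eduPersonPrincipalName": {"kjones@example.edu"},
    "mail": {"kjones@example.edu"},
    "eduPersonScopedAffiliation": {"member@example.edu", "staff@example.edu"},
    "eduPersonEntitlement": {"urn:mace:example.edu:contract:journals",
                             "urn:mace:example.edu:contract:archive"},
}
# This user chose to hide the staff affiliation from content providers.
USER_WITHHOLDS = [
    {"requester": "https://*.licensed-content.example/*",
     "attributes": {"eduPersonScopedAffiliation": {"staff@example.edu"}}},
]

if __name__ == "__main__":
    for rp in ("https://journals.licensed-content.example/shibboleth",
               "https://hr-outsourced.example/shibboleth",
               "https://unknown.example/shibboleth"):
        print(rp, effective_release(ENTERPRISE_RULES, USER_WITHHOLDS, rp, USER_ATTRIBUTES))
```

Two properties worth checking in any real implementation of this layering: an unknown relying party gets nothing (the enterprise layer is deny-by-default), and a user withhold for one provider has no effect on another, so the "only 3% change the defaults" case degrades to the enterprise policy exactly.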

13 Privacy Management Systems

14 Personal Resource Manager

15 Grids
- GGF and EGA: two standards organizations, no standards…
- Enterprise grids: a developing approach
- The Terrorgrid: of integration and security
- Integration with enterprises: leveraging enterprise infrastructure and R&E federations

16 PKI
- HEBCA
- USHER
- TACAR and EuroGrid PMA
- Buy a global higher-ed root

17 Virtual Organizations
- A geographically distributed, enterprise-distributed community that shares real resources as an organization
- Examples include team science (NEESGrid, HEP, BIRN, NEON), digital content managers (library cataloguers, curators, etc.), life-long learning consortia, etc.
- On a continuum from interrealm groups (no real resource management, few defined roles) to real organizations (primary identity/authentication providers)
- Want to leverage enterprise middleware and external trust fabrics

18 Virtual Organizations
- Some things seem consistent across almost all VOs:
  - The need to manage and delegate VO authorizations
  - Unique naming, and managed resource discovery
  - A set of collaboration tools, including a list manager, calendar, shared web content management, etc., that are seamlessly integrated into users' everyday environment
  - A need to factor in, and leverage, local domain requirements and capabilities
- Some things are specific to each VO:
  - The members and the resources being managed
  - Requirements for advanced services, such as grids and instrument management

19 Virtual organizations
- Need a model to support a wide variety of use cases: native VO infrastructure capabilities, differences in enterprise readiness, variations in collaboration modalities, VO requirements for authorization, range of disciplines, etc.
- JISC in the UK has the lead; builds on NSF NMI
- Tool set likely to include seamless listproc, web sharing, shared calendaring, real-time video, a privilege management system, etc.

20 Leveraging VOs today (diagram: VO, Target Resource, User, Enterprise, Federation)

21 Leveraged VOs tomorrow (diagram: VO, Target Resource, User, Enterprise, Federation, Collaborative Tools, Authority System, etc.)

22 Middleware diagnostics: problem statement
- The number and complexity of distributed application initiatives and products has exploded within the last 5 years
- Each must create its own framework for providing diagnostic tools and performance metrics
- Distributed applications have become increasingly dependent not only on the system and network infrastructure they are built upon, but also on each other
- Middleware diagnostics need to integrate with network performance diagnostics and security diagnostics

23 Goals
- Create an event collection and dissemination infrastructure that uses existing system, network and application data (Unix/Windows logs, SNMP, NetFlow, etc.)
- Establish a standardized event record that normalizes all system, network and application events into a common data format
- Build a rich tool platform to collect, distribute, access, filter, aggregate, tag, trace, probe, anonymize, query, archive, report, notify, and perform forensic and performance analysis

24 Event record standard (diagram)
- Normalization of each diagnostic data feed type (Shib, HTTP, syslog, RMON, NetFlow, DB access log, grid application log, etc.) into a common event record
- The tagging of specific events to help downstream correlation processes
- Example normalized records shown in the diagram: NETFLOW:TIME:SRC:DST:…, RMON:HOST:TIME:DSTPORT…, DB:TIME:HOST:REQ:ASTRON, SHIB:TIME:HOST:UID…, HTTP:TIME:HOST:URL…, GRIDAPP:TIME:HOST:UID:…
- Example application feeding the pipeline: a variable star catalog DB application

25 Diagnostic data pipelining (diagram)
- Data flows can be constructed to provide the desired function and policy within an enterprise or federation
- Network events and host or security events enter through collection module hosts (C-1 … C-4, C-*)
- Processing module hosts (P-1 … P-5, P-*) apply the stages: normalization, aggregation, tagging, anonymization, filtering, database and archive

26 Event record
- Event descriptor meta field
- Event descriptor version number
- Observation description pointer
- ID: unique event identifier
- Time: start/stop
- IP address(es): source/(destination)
- Source class: application, network, system, compound, bulk, management
- Event name tag: native language ID, user defined
- Status: normal, informational, warning, measurement, critical, error, etc.
- Major source name: filename, NetFlow, syslogd, SNMP, shell program, etc.
- Minor source name: logging process name (named), SNMP variable name, etc.
- Raw data encoding mechanism: binary, ASN.1, ASCII, XML, etc.
- Raw event data description pointer
- Raw event data
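Slides 23 through 26 describe a pipeline: heterogeneous feeds normalized into one event record, tagged for downstream correlation, and anonymized before they leave the enterprise. The block below is an added example, not code from the Internet2 diagnostics effort, that runs that pipeline over three constructed log lines (a syslog line, an HTTP access log line, and a flow summary in a made-up CSV layout, not a real NetFlow export format). The record field names follow slide 26; the regexes, feed names, status mapping, site key and sample lines are assumptions made for the example.

```python
"""Added example (not from the slides): normalize -> tag -> anonymize -> aggregate
over constructed log lines, using the event record fields from slide 26."""
import hashlib
import hmac
import re
from datetime import datetime, timezone

RECORD_VERSION = 1
LOG_YEAR = 2004  # syslog lines carry no year; assumed for the sample below
SITE_KEY = b"constructed-site-key-not-a-real-secret"  # per-enterprise pseudonym key

SYSLOG_RE = re.compile(r"^(?P<ts>\w{3} +\d+ \d\d:\d\d:\d\d) (?P<host>\S+) "
                       r"(?P<proc>[\w./-]+)(?:\[\d+\])?: (?P<msg>.*)$")
HTTP_RE = re.compile(r'^(?P<ip>\S+) \S+ (?P<user>\S+) \[(?P<ts>[^\]]+)\] '
                     r'"(?P<req>[^"]*)" (?P<code>\d{3}) \S+')
IPV4_RE = re.compile(r"\b(?:\d{1,3}\.){3}\d{1,3}\b")


def _record(major, minor, raw, **fields):
    """Common event record; the id is derived from the raw line so replays dedupe."""
    rec = {"version": RECORD_VERSION,
           "id": hashlib.sha256(f"{major}|{raw}".encode()).hexdigest()[:16],
           "time_start": None, "time_stop": None, "ip_src": None, "ip_dst": None,
           "source_class": "system", "event_name": None, "tags": [], "status": "normal",
           "major_source": major, "minor_source": minor, "encoding": "ASCII",
           "raw": raw, "uid": None}
    rec.update(fields)
    return rec


def normalize(feed, line):
    """Map one line of a known feed type onto the common record."""
    if feed == "syslog":
        m = SYSLOG_RE.match(line)
        ts = datetime.strptime(m["ts"], "%b %d %H:%M:%S").replace(year=LOG_YEAR, tzinfo=timezone.utc)
        ips = IPV4_RE.findall(m["msg"])
        return _record("syslogd", m["proc"], line, time_start=ts, ip_src=ips[0] if ips else None,
                       source_class="system", event_name=m["proc"],
                       status="warning" if "Failed" in m["msg"] else "normal")
    if feed == "http":
        m = HTTP_RE.match(line)
        code = int(m["code"])
        return _record("httpd", "access_log", line,
                       time_start=datetime.strptime(m["ts"], "%d/%b/%Y:%H:%M:%S %z"),
                       ip_src=m["ip"], source_class="application", event_name=m["req"].split(" ")[0],
                       status="error" if code >= 500 else "warning" if code >= 400 else "normal",
                       uid=None if m["user"] == "-" else m["user"])
    if feed == "flow":  # constructed CSV: start,end,src,dst,dstport,proto,packets
        start, end, src, dst, dport, proto, _pkts = line.split(",")
        return _record("netflow", f"proto{proto}/{dport}", line,
                       time_start=datetime.fromtimestamp(int(start), timezone.utc),
                       time_stop=datetime.fromtimestamp(int(end), timezone.utc),
                       ip_src=src, ip_dst=dst, source_class="network", event_name="flow")
    raise ValueError(f"unknown feed {feed}")


def tag_stage(records):
    """Tag auth failures once so correlation stages never re-parse raw data."""
    for r in records:
        if (r["major_source"] == "syslogd" and "Failed password" in r["raw"]) or \
           (r["major_source"] == "httpd" and re.search(r'" (401|403) ', r["raw"])):
            r["tags"].append("auth-failure")
    return records


def pseudonym(value):
    """Keyed, consistent pseudonym: joins across feeds survive, raw identity does not."""
    return hmac.new(SITE_KEY, value.encode(), hashlib.sha256).hexdigest()[:12]


def anonymize_stage(records):
    """Replace IPs and user ids in structured fields and in the raw line."""
    for r in records:
        for f in ("ip_src", "ip_dst", "uid"):
            if r[f]:
                r[f] = pseudonym(r[f])
        r["raw"] = IPV4_RE.sub(lambda m: pseudonym(m.group(0)), r["raw"])
    return records


def aggregate_by_source_ip(records):
    """Which source classes observed each (pseudonymous) source address."""
    seen = {}
    for r in records:
        if r["ip_src"]:
            seen.setdefault(r["ip_src"], set()).add(r["source_class"])
    return seen


def run_pipeline(feed_lines, stages):
    records = [normalize(feed, line) for feed, line in feed_lines]
    for stage in stages:
        records = stage(records)
    return records


SAMPLE = [  # constructed lines; addresses are from documentation ranges
    ("syslog", "Aug 12 14:03:07 idp1 sshd[2211]: Failed password for invalid user admin from 203.0.113.9 port 51122 ssh2"),
    ("http", '198.51.100.23 - kjones [12/Aug/2004:14:03:09 +0000] "GET /secure/ HTTP/1.1" 403 512'),
    ("flow", "1092319387,1092319389,203.0.113.9,192.0.2.10,22,6,14"),
]

if __name__ == "__main__":
    out = run_pipeline(SAMPLE, [tag_stage, anonymize_stage])
    for r in out:
        print(r["source_class"], r["status"], r["tags"], r["ip_src"])
    print(aggregate_by_source_ip(out))
```

The ordering matters for the federation case on slide 25: tagging runs before anonymization because it needs the raw text, and the keyed pseudonym means a partner receiving the archived records can still see that the same source address produced both the ssh failures and the flow to port 22 without learning the address itself. A filter stage that drops records outside the partner's policy would sit between those two.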

27 A context for diagnostics
- SURFnet Detective
- Integrated I2 diagnostic efforts
