Presentation is loading. Please wait.

Presentation is loading. Please wait.

Dr Ken Klingenstein Shibboleth and InCommon: An Update and Next Steps.

Published byChloe Gregory Modified over 9 years ago

Similar presentations

Presentation on theme: "Dr Ken Klingenstein Shibboleth and InCommon: An Update and Next Steps."— Presentation transcript:

1 Dr Ken Klingenstein Shibboleth and InCommon: An Update and Next Steps

2 Topics  Background on Shibboleth  Trust fabrics  Federations and Federating Software  InCommon  Of particular interest  Next Steps

3 Shibboleth AA Process Resource WAYF Users Home OrgResource Owner 1 SHIRE I don’t know you. Not even which home org you are from. I redirect your request to the WAYF 3 2 Please tell me where are you from? HS 5 6 I don’t know you. Please authenticate Using WEBLOGIN 7 User DB Credentials OK, I know you now. I redirect your request to the target, together with a handle 4 OK, I redirect your request now to the Handle Service of your home org. SHAR Handle 8 I don’t know the attributes of this user. Let’s ask the Attribute Authority Handle 9 AA Let’s pass over the attributes the user has allowed me to release Attributes 10 Resource Manager Attributes OK, based on the attributes, I grant access to the resource

4 Shibboleth Architecture

5 Target Web Server Origin Site Target Site Browser Shibboleth Architecture -- Managing Trust Federation Attribute Server Shib engine

6 Milestones  Project formation - Feb 2000 Stone Soup  Process - began late summer 2000 with bi-weekly calls to develop scenario, requirements and architecture.  Linkages to SAML established Dec 2000  Architecture and protocol completion - Aug 2001  Design - Oct 2001  Coding began - Nov 2001  Alpha-1 release – April 24, 2002  OpenSAML release – July 15, 2002  v1.0 April 2003  v1.1 July 2003  V1.2 April 2004  V2.0 likely end of the major evolution

7 Shibboleth Status  Open source, privacy preserving federating software  Being very widely deployed in US and international universities  Target - works with Apache(1.3 and 2.0) and IIS targets; Java origins for a variety of Unix platforms.  V2.0 likely to include portal support, identity linking, non web services (plumbing to GSSAPI,P2P, IM, video) etc.  Work underway on intuitive graphical interfaces for the powerful underlying Attribute Authority and resource protection  Likely to coexist well with Liberty Alliance and may work within the WS framework from Microsoft.  Growing development interest in several countries, providing resource manager tools, digital rights management, listprocs, etc.  http://shibboleth.internet2.edu/

8 Adoption  Over 40 + universities using it for access to OCLC, JSTOR, Elsevier, WebAccess, Napster, etc.  Common status is “moving into production”  The hard part is not installing Shibboleth but running “plumbing” to it: directories, attributes, authentication  Deployments in Europe and the UK  Development efforts broadening to the UK and Australia  Likely to be the interrealm aspect to Sakai, Lionshare, video

9 Federated administration  Given the strong collaborations within the academic community, there is an urgent need to create inter-realm tools, so  Build consistent campus middleware infrastructure deployments, with outward facing objectclasses, service points, etc. and then  Federate (multilateral) those enterprise deployments with interrealm attribute transports, trust services, etc. and then  Leverage that federation to enable a variety of applications from network authentication to instant messaging, from video to web services, from p2p to virtual organizations, etc. while we  Be cautious about the limits of federations and look for alternative fabrics where appropriate.

10 Federations  Associations of enterprises that come together to exchange information about their users and resources in order to enable collaborations and transactions  Enroll and authenticate and attribute locally, act federally.  Uses federating software (e.g. Liberty Alliance, Shibboleth, WS-*) common attributes (e.g. eduPerson), and a security and privacy set of understandings  Enterprises (and users) retain control over what attributes are released to a resource; the resources retain control (though they may delegate) over the authorization decision.  Several federations now in construction or deployment

11 Federated administration OTOT OTOT TT A CM CM A VO T Campus 1 Campus 2 Federation

12 InCommon federation  Federation operations – Internet2  Federating software – Shibboleth 1.1 and above  Federation data schema - eduPerson200210 or later and eduOrg200210 or later  Becomes operational April 5, with several early entrants to help shape the policy and membership issues.  Precursor federation, InQueue, has been in operation for about six months and will feed into InCommon  http://www.incommonfederation.org http://w

13 InQueue Origins 2.12.04  Rutgers University  University of Wisconsin  New York University  Georgia State University  University of Washington  University of California Shibboleth Pilot  University at Buffalo  Dartmouth College  Michigan State University  Georgetown  Duke  The Ohio State University  UCLA  Internet2  Carnegie Mellon University  National Research Council of Canada  Columbia University  University of Virginia  University of California, San Diego  Brown University  University of Minnesota  Penn State University  Cal Poly Pomona  London School of Economics  University of North Carolina at Chapel Hill  University of Colorado at Boulder  UT Arlington  UTHSC-Houston  University of Michigan  University of Rochester  University of Southern California

14 InCommon Management  Operational services by I2 Member services Backroom (CA, WAYF service, etc.)  Governance Executive Committee - Carrie Regenstein - chair (Wisconsin), Jerry Campbell, (USC), Lev Gonick (CWRU), Clair Goldsmith (Texas System), Mark Luker (EDUCAUSE),Tracy Mitrano (Cornell), Susan Perry (Mellon), Mike Teetz, (OCLC), David Yakimischak (JSTOR). Project manager – Renee Frost (Internet2)  Membership open to.edu and affiliated business partners (Elsevier, OCLC, Napster, Diebold, etc…)  Contractual and policy issues being defined now…  Likely to take 501(c)3 status

15 Trust in InCommon - initial  Members trust the federated operations to perform its activities well The operator (Internet2) posts its procedures, attempts to execute them faithfully, and makes no warranties Enterprises read the procedures and decide if they want to become members  Origins and targets trust each other bilaterally in out-of- band or no-band arrangements Origins trust targets dispose of attributes properly Targets trust origins to provide attributes accurately Risks and liabilities managed by end enterprises, in separate ways

16 InCommon Trust - ongoing  Use trust  Build trust cycle  Clearly need consensus levels of I/A  Multiple levels of I/A for different needs Two factor for high-risk Distinctive requirements (campus in Bejing or France, distance ed, mobility)  Standardized data definitions unclear  Audits unclear  International issues

17 The potential for InCommon  The federation as a networked trust facilitator  Needs to scale in two fundamental ways Policy underpinnings need to move to normative levels among the members; “post and read” is a starting place… Inter-federation issues need to be engineered; we are trying to align structurally with emerging federal recommendations  Needs to link with PKI and with federal and international activities  If it does scale and grow, it could become a most significant component of cyberinfrastructure…

18 Beyond web services…  Federated security services Collaborative incident correlation and analysis Trust-mediated transparency and other security-aware capabilities  Federated extensions to other architectures Lionshare project for P2P file sharing IM Federated Grids

19 Next Steps  Shibboleth The GUI’s – SysPriv, Autograph, MySpace Linked identities New development model – international participation  InCommon Policy development Membership  Distnguishing buyers clubs from federations

20 GUI’s to manage Shibboleth

21 SysPriv ARP GUI  A tool to help administrators (librarians, central IT sysadmins, etc) set attribute release policies enterprise- wide For access to licensed content For linking to outsourced service providers Has implications for end-user attribute release manager (Autograph)  GUI design now actively underway, lead by Stanford  Plumbing to follow shortly

22 End-user attribute release manager (Autograph)  Intended to allow end-users to manage release policies themselves and, perhaps, understand the consequences of their decisions  Needs to be designed for everyone even though only 3% will use it beyond the defaults.  To scale, must ultimately include extrapolation on settings, exportable formats, etc.

23 Privacy Management Systems

24 Personal Resource Manager

25 Virtual Organizations  Geographically distributed, enterprise distributed community that shares real resources as an organization.  Examples include team science (NEESGrid, HEP, BIRN, NEON), digital content managers (library cataloguers, curators, etc), life-long learning consortia, etc.  On a continuum from interrealm groups (no real resource management, few defined roles) to real organizations (primary identity/authentication providers)  Want to leverage enterprise middleware and external trust fabrics

26 Virtual organizations  Need a model to support a wide variety of use cases Native v.o. infrastructure capabilities, differences in enterprise readiness, etc. Variations in collaboration modalities Requirements of v.o.’s for authz, range of disciplines, etc  JISC in the UK has lead; solicitation is on the streets (see (http://www.jisc.ac.uk/c01_04.html); builds on NSF NMIhttp://www.jisc.ac.uk/c01_04.html  Tool set likely to include seamless listproc, web sharing, shared calendaring, real-time video, privilege management system, etc.

27 Leveraging V.O.s Today VO Target Resource User Enterprise Federation

28 Leveraged V.O.s Tomorrow VO Target Resource User Enterprise Federation Collaborative Tools Authority System etc

29 Stanford Authz Model

30 Authr Deliverables The deliverables consist of  A recipe, with accompanying case studies, of how to take a role-based organization and develop apprpriate groups, policies, attributes etc to operate an authority service  Templates and tools for registries and group management  a Web interface and program APIs to provide distributed management (to the departments, to external programs) of access rights and privileges, and  delivery of authority information through the infrastructure as directory data and authority events.

31 Home

32 Grant Authority Wizard

33 Person

Download ppt "Dr Ken Klingenstein Shibboleth and InCommon: An Update and Next Steps."

Similar presentations

Dr Ken Klingenstein Director, Internet2 Middleware and Security Emerging Infrastructure for Collaboration: Next Generation Plumbing.

Dr Ken Klingenstein Director, Internet2 Middleware and Security Emerging Infrastructure for Collaboration: Next Generation Plumbing.
The Rest of the World, in 75 minutes… Ken Klingenstein Director, Internet2 Middleware and Security.

The Rest of the World, in 75 minutes… Ken Klingenstein Director, Internet2 Middleware and Security.
Federated Digital Rights Management Mairéad Martin The University of Tennessee TERENA General Assembly Meeting Prague, CZ October 24, 2002.

Federated Digital Rights Management Mairéad Martin The University of Tennessee TERENA General Assembly Meeting Prague, CZ October 24, 2002.
Drive-By Dialogues. Presenter’s Name Topics The Long Strange Trip of I2 – NLR Merger A Brief Comment on Optical Networking Middleware Developments Security.

Drive-By Dialogues. Presenter’s Name Topics The Long Strange Trip of I2 – NLR Merger A Brief Comment on Optical Networking Middleware Developments Security.
ICDL 2004, New Delhi1 Access Management for Digital Libraries in a well-connected World John Paschoud SECURe Project London School of Economics Library.

ICDL 2004, New Delhi1 Access Management for Digital Libraries in a well-connected World John Paschoud SECURe Project London School of Economics Library.
Information Resources and Communications University of California, Office of the President UCTrust Implementation Experiences David Walker, UCOP Albert.

Information Resources and Communications University of California, Office of the President UCTrust Implementation Experiences David Walker, UCOP Albert.
Presenter’s Name InCommon Approximately 80 members and growing steadily More than two million “users” Most of the major research institutions (MIT joining.

Presenter’s Name InCommon Approximately 80 members and growing steadily More than two million “users” Most of the major research institutions (MIT joining.
Shibboleth Update a.k.a. “shibble-ware”

Shibboleth Update a.k.a. “shibble-ware”
InCommon Policy Conference April 2005. 2 Uses  In order to encourage and facilitate legal music programs, a number of universities have contracted with.

InCommon Policy Conference April Uses  In order to encourage and facilitate legal music programs, a number of universities have contracted with.
1 Update on the InCommon Federation, Higher Education’s Community of Trust EDUCAUSE 2005 October 19 10:30am-11:20am.

1 Update on the InCommon Federation, Higher Education’s Community of Trust EDUCAUSE 2005 October 19 10:30am-11:20am.
Project Shibboleth Update, Demonstration and Discussion Michael R Gettes Duke University (on behalf of the entire shib team!!!) June.

Project Shibboleth Update, Demonstration and Discussion Michael R Gettes Duke University (on behalf of the entire shib team!!!) June.
Ken Klingenstein Director, Internet2 Middleware and Security Middleware and Security Update.

Ken Klingenstein Director, Internet2 Middleware and Security Middleware and Security Update.
Authority, Virtual Organizations and Diagnostics: Building and Managing Complexity Ken Klingenstein Director, Internet2 Middleware and Security.

Authority, Virtual Organizations and Diagnostics: Building and Managing Complexity Ken Klingenstein Director, Internet2 Middleware and Security.
Federated Administration: The Cutting Edge. Topics  Federations: The Basics Business drivers and the basic model Technical Considerations and the marketplace.

Federated Administration: The Cutting Edge. Topics  Federations: The Basics Business drivers and the basic model Technical Considerations and the marketplace.
Dr Ken Klingenstein Shibboleth and InCommon: An Update and Next Steps.

Dr Ken Klingenstein Shibboleth and InCommon: An Update and Next Steps.
Shib in the present and the future Ken Klingenstein Director, Internet2 Middleware and Security.

Shib in the present and the future Ken Klingenstein Director, Internet2 Middleware and Security.
1 The Partnership Challenge Higher education’s missions are realized in increasingly global, collaborative, online relationships –Higher educations’ digital.

1 The Partnership Challenge Higher education’s missions are realized in increasingly global, collaborative, online relationships –Higher educations’ digital.
1 The InCommon Federation John Krienke Internet2 Spring Member Meeting Tuesday, April 25, 2006.

1 The InCommon Federation John Krienke Internet2 Spring Member Meeting Tuesday, April 25, 2006.
Internet2 – InCommon and Box Marla Meehl Colorado CIO 11/1/11.

Internet2 – InCommon and Box Marla Meehl Colorado CIO 11/1/11.
1 The InCommon Federation, Higher Education’s Community of Trust: Why join and how to do it EDUCAUSE 2005 Pre-Conference Seminar October 18 8:30am-Noon.

1 The InCommon Federation, Higher Education’s Community of Trust: Why join and how to do it EDUCAUSE 2005 Pre-Conference Seminar October 18 8:30am-Noon.

Similar presentations

Ads by Google