Presentation is loading. Please wait.

Presentation is loading. Please wait.

Identity Ecosystem for Scientific Collaboration and some related thoughts Michael Helm on behalf of Jim Basney, Greg Bell, Irwin Gaines, Dhiva Muruganantham,

Published byEdith Foster Modified over 9 years ago

Similar presentations

Presentation on theme: "Identity Ecosystem for Scientific Collaboration and some related thoughts Michael Helm on behalf of Jim Basney, Greg Bell, Irwin Gaines, Dhiva Muruganantham,"— Presentation transcript:

1 Identity Ecosystem for Scientific Collaboration and some related thoughts Michael Helm on behalf of Jim Basney, Greg Bell, Irwin Gaines, Dhiva Muruganantham, Ruth Pordes

2 3 - 5 year outlook What should OSG, ESnet (and other partners) do to make identity and related protocols work in scientific research partnerships? Where is research "culture" going? Where is technology and commercial IT headed? What about PKI? Let’s talk about some 01 Aug 2011Identity Ecosystem OSG-ESnet

3 Scope OSG – ESnet document o Looking for feedback/critical review of this preview Some other things o Science Identity Federation (SIF) o SAML-Social gateways o Mobile o The Luddite Position! 01 Aug 2011Identity Ecosystem OSG-ESnet

4 Grids: Combined OSG & ESnet process 01 Aug 2011Identity Ecosystem OSG-ESnet

5 The Sociology of Scientific Collaborations 01 Aug 2011Identity Ecosystem OSG-ESnet

6 What do we learn from this? Our identity process is a mess o Evolved (only partly designed) o Nobody is satisfied o Inefficient Different collaborations have different strengths/weaknesses, requirements, desires o Resource constraints o Ability to absorb change 01 Aug 2011Identity Ecosystem OSG-ESnet

7 OSG-ESnet vision NSTIC: use a standard identity proofing framework Use authenticators (tokens) from standard ID proofing (where possible) Eliminate multiple registrations Credential store in the cloud (where PKI goes) DNSSEC/DANE for PKI certificates Focus on SAML groupware OAuth/OpenID Connect for cloud 01 Aug 2011Identity Ecosystem OSG-ESnet

8 NSTIC Use standard, accredited ID providers We must have something that is understood outside US borders Lower the high cost of federation 01 Aug 2011Identity Ecosystem OSG-ESnet

9 Tokens Use high quality authenticators (tokens) from standardized ID process o Eliminates duplicate services o Eliminates user confusion Not always possible 01 Aug 2011Identity Ecosystem OSG-ESnet

10 Duplicate Registrations This is really “project identity” under cover We have no choice but to support this pattern as best we can Integrate the project “provisioning” process with standardized identity proofing 01 Aug 2011Identity Ecosystem OSG-ESnet

11 Keys in the Cloud Where are my credentials/tokens !!?!?!? We need “follow-me” credentials PKI OAuth tokens Other derived credentials 01 Aug 2011Identity Ecosystem OSG-ESnet

12 DNSSEC - DANE PKI re-generation Disruptive development o End of 3 rd party PKI business o Federation metadata o Significant change in DNS operation Other offshoots likely o CAA – what CAs are authorized for this domain (PKIX) 01 Aug 2011Identity Ecosystem OSG-ESnet

13 SAML Extensive use of SAML assertions/payloads inside OSG authorization services SAML IDPs in use in US Universities … and some national labs (see SIF, below) Support from I2/NSF for continued development of groupware tools Deepen this investment! 01 Aug 2011Identity Ecosystem OSG-ESnet

14 OpenID Connect Industry-supported rework of OAuth 2 & OpenID 2 OAuth 2 – “quantized authorization” o OAuth: breakthrough in authZ/delegation without entanglement in identity OpenID 2 – “quantized identity” Depends on TLS for integrity & confidentiality (see DNSSEC above) Like Facebook Connect, but … more open 01 Aug 2011Identity Ecosystem OSG-ESnet

15 OpenID Connect (2) Basic OAuth flow: App #1 calls App #2 – needs authorization– redirect to OAuth authorization server o Gets authorization token for App #2 o How? User did it directly; pre-authorized; other But that’s not enough! Who/what are you? o Add User’s OpenID server (OP) as scope o Authorized to connect to OP  This step “introduces” OP – connect o Fetch user attributes This scenario models our Grid system … maybe Cloud providers... definitely RESTful, no SOAP 01 Aug 2011Identity Ecosystem OSG-ESnet

16 What will this look like? 01 Aug 2011Identity Ecosystem OSG-ESnet

17 Science Identity Federation DOE Labs collaborate heavily with Higher Ed SAML authentication is the best choice o For internal, security-related reasons o For collaboration with major research universities o For international collaborations (inter-federation) SIF began at NLIT in 2009 o We have about ½ of the SC Labs in InCommon o We have about ½ of the SC labs with production IDPs o The overlap is exactly 2 sites! 01 Aug 2011Identity Ecosystem OSG-ESnet

18 SAML – Social Gateways Doppelgänger of OpenID Connect Gateway between SAML & public resources o Facebook, Twitter, Google, &al o Map an OpenID attribute into a SAML assertion for local consumption In the long run, the co-evolution of OpenID Connect and SAML federation 01 Aug 2011Identity Ecosystem OSG-ESnet

19 Mobility/Mobile computing Can the disruptive effect of mobile computing be overestimated? I don’t think so. We can expect o Different authentication techniques o Need for application access on mobile device or o Applications executing directly on mobile device o Further erosion of heavy-weight web protocols o Network effects 01 Aug 2011Identity Ecosystem OSG-ESnet

20 Not everybody is eager! 01 Aug 2011Identity Ecosystem OSG-ESnet

21 The Conservative Position Some things I hear…. We’re doing real work here We mix command line & web tools We don’t collaborate at the major institute level We collaborate at o The individual level o The department/small lab/company level o Our “collaborators” are “competitors” 01 Aug 2011Identity Ecosystem OSG-ESnet

22 One position in particular…. We are happy, & think it’s appropriate, to be the gatekeeper to the ID token issuance process We do want the processes & roles around it to improve We want to delegate the group membership and manage this process We want to be part of the policy process, & participate in the technical infrastructure that manages it We’re happy to use technology to support this (eg SAML, OpenID) but replace it 01 Aug 2011Identity Ecosystem OSG-ESnet

23 This is not a Luddite position! We can develop and improve our identity infrastructure … As long as we listen to, respect, and adapt to requirements and patterns we find, including this one 01 Aug 2011Identity Ecosystem OSG-ESnet

24 Outlook Don’t be confused! We can get value from all of these technologies now. Opportunity: more local control, decentralization (= federation, but more evolved) Opportunity: increased efficiency & reduced friction – need small R&D effort to move forward Lesson from Google - where is our market research? 01 Aug 2011Identity Ecosystem OSG-ESnet

Download ppt "Identity Ecosystem for Scientific Collaboration and some related thoughts Michael Helm on behalf of Jim Basney, Greg Bell, Irwin Gaines, Dhiva Muruganantham,"

Similar presentations

Contrail and Federated Identity Management

Contrail and Federated Identity Management
Case Studies in Identity Management for Scientific Collaboration 2014 Technology Exchange Jim Basney CILogon This material is.

Case Studies in Identity Management for Scientific Collaboration 2014 Technology Exchange Jim Basney CILogon This material is.
Implementing and Administering AD FS

Implementing and Administering AD FS
Lecture 23 Internet Authentication Applications

Lecture 23 Internet Authentication Applications
WSO2 Identity Server Road Map

WSO2 Identity Server Road Map
Www.incommon.org A View into the Mi$t 1 RL Bob Morgan University of Washington Co-chair, InCommon Technical Advisory Committee.

A View into the Mi$t 1 RL "Bob" Morgan University of Washington Co-chair, InCommon Technical Advisory Committee.
Access Control Patterns & Practices with WSO2 Middleware Prabath Siriwardena.

Access Control Patterns & Practices with WSO2 Middleware Prabath Siriwardena.
1 Issues in federated identity management Sandy Shaw EDINA IASSIST 24-27 May 2005, Edinburgh.

1 Issues in federated identity management Sandy Shaw EDINA IASSIST May 2005, Edinburgh.
December 19, 2006 Solving Web Single Sign-on with Standards and Open Source Solutions Trey Drake AssetWorld 2007 Albuquerque, New Mexico November 2007.

December 19, 2006 Solving Web Single Sign-on with Standards and Open Source Solutions Trey Drake AssetWorld 2007 Albuquerque, New Mexico November 2007.
Federated Identity for Scientific Collaborations: Policy Issues Jim Basney 2 nd Workshop on Federated Identity Systems for Scientific.

Federated Identity for Scientific Collaborations: Policy Issues Jim Basney 2 nd Workshop on Federated Identity Systems for Scientific.
WebFTS as a first WLCG/HEP FIM pilot

WebFTS as a first WLCG/HEP FIM pilot
Widely Distributed Access Management Tom Barton University of Chicago.

Widely Distributed Access Management Tom Barton University of Chicago.
SIM205. (On-Premises) Storage Servers Networking O/S Middleware Virtualization Data Applications Runtime You manage Infrastructure (as a Service)

SIM205. (On-Premises) Storage Servers Networking O/S Middleware Virtualization Data Applications Runtime You manage Infrastructure (as a Service)
Prabath Siriwardena Senior Software Architect. An open source Identity & Entitlement management server.

Prabath Siriwardena Senior Software Architect. An open source Identity & Entitlement management server.
IDENTITY MANAGEMENT Hoang Huu Hanh (PhD), OST – Hue University hanh-at-hueuni.edu.vn.

IDENTITY MANAGEMENT Hoang Huu Hanh (PhD), OST – Hue University hanh-at-hueuni.edu.vn.
Copyright © The OWASP Foundation Permission is granted to copy, distribute and/or modify this document under the terms of the OWASP License. The OWASP.

Copyright © The OWASP Foundation Permission is granted to copy, distribute and/or modify this document under the terms of the OWASP License. The OWASP.
Distributed Web Security for Science Gateways Jim Basney In collaboration with: Rion Dooley Jeff Gaynor

Distributed Web Security for Science Gateways Jim Basney In collaboration with: Rion Dooley Jeff Gaynor
Distributed Web Security for Science Gateways Jim Basney In collaboration with: Rion Dooley Jeff Gaynor

Distributed Web Security for Science Gateways Jim Basney In collaboration with: Rion Dooley Jeff Gaynor
Survey of Identity Repository Security Models JSR 351, Sep 2012.

Survey of Identity Repository Security Models JSR 351, Sep 2012.
1 Multi Cloud Navid Pustchi April 25, 2014 World-Leading Research with Real-World Impact!

1 Multi Cloud Navid Pustchi April 25, 2014 World-Leading Research with Real-World Impact!

Similar presentations

Ads by Google