Development and deployment of integrated attribute based access control for collaboration
Collaborations and Virtual Organizations
• IdM is a critical dimension of collaboration, crossing many applications and user communities
• Virtual organizations represent critical communities of researchers sharing domain resources and applications as well as general collaboration tools. Providing a unified identity management platform for collaboration is essential in a multi-domain, multi-tool world.
• Much activity goes into domesticating applications to work in a federated world, moving from tool-based identity to collaboration-centric identity.
kjk@internet2.edu
Collaboration Platform
• Integrated set of collaboration apps (wikis, listprocs, CVS, file share, calendaring, etc.)
• Integration of at least identity and access control via group memberships
• Integration with domain science apps
• Integration of content and metadata is harder
• Repackages successful approaches for a collaborative/project/VO setting
• Federated identity, group management, directories, and security token services (aka credential converters)
Collaboration Infrastructure (COIN)
• Dutch National Collaboration Infrastructure
• Domesticated tools: Adobe Connect; Alfresco; Foodle; Filesender; Confluence; WSO2 mashup server; OpenFire; Drupal; KnowledgeTree; Sympa; Limesurvey
• Domesticated services: Google Apps; MyExperiment.org; Twitter; PubMed
• Integration across VO, institution and third-party domains
• Workflow
• Grid integration
Domestication of applications
• The work of re-factoring applications to use the emergent identity services infrastructure
• Begins with federated identity and authentication and the use of directories; gains a lot from group management for access control, etc.
• Needs a fine-grained set of authorization tools down the road
• Domesticated apps can receive IdM attributes via LDAP, SAML, X.509, SQL, Kerberos PAC, and maybe all of the above
Typical activities in collaboration management
• Add or remove people from groups
• Create new subgroups, identify overlapping memberships, etc.
• Permit or deny access to wiki pages, calendars, computing resources, version control systems, etc.
• Add people to mailing lists, wikis, etc.
• Create and delete/archive users, accounts, keys
• Identify group membership on a given date
COmanage Elements (architecture diagram; recoverable component labels): Dashboard; Shib SP; Shib IdP; Data Store; LdapPC; Grouper; STS (including provisioning); Applications
What's in a COmanage data store
Enterprise attributes:
• Federated Id
• Enrolled classes
• Display name
• Citizenship
• Enterprise affiliation
• …
Project/VO attributes:
• PI groups
• Wiki editing permissions
• Instrument permissions
• VO certificates
• …
Grouper
• A general-purpose, extensible, open-source group management tool
• In production at many institutions in the US and overseas
• Core national infrastructure service in several countries
• Manages groups of things: people, devices, processes
• Has a GUI, people picker, group math, inheritance, delegation, provisioning and deprovisioning, etc.
• Provisions group values into an LDAP directory (the LdapPC connector)
• Aimed at the spectrum from power user to collabmin, sysadmin and enterprise IdM
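The collaboration-management tasks listed two slides up (add/remove people, subgroups, overlapping memberships, membership on a given date) and the Grouper features named here (group math, inheritance) come down to one data model: memberships with effective dates, groups nested in groups, and set operations over effective membership. The registry below is an added example written for this page, not Grouper's code or API; group names such as vo:members and the people in build_demo are constructed sample data.

```python
"""Toy group registry: dated memberships, nested subgroups, group math.
Added example for this page; not Grouper code. Names and dates are constructed."""
from __future__ import annotations

from dataclasses import dataclass, field
from datetime import date


@dataclass
class Membership:
    subject: str             # a person, device or process identifier
    start: date              # first day the membership is effective
    end: date | None = None  # day it was removed (exclusive); None = still current


@dataclass
class Group:
    name: str
    memberships: list[Membership] = field(default_factory=list)
    subgroups: set[str] = field(default_factory=set)  # groups whose members roll up into this one


class Registry:
    """Minimal group registry with history, nesting and group math."""

    def __init__(self) -> None:
        self.groups: dict[str, Group] = {}

    def create(self, name: str, parent: str | None = None) -> Group:
        group = self.groups.setdefault(name, Group(name))
        if parent is not None:
            self.create(parent).subgroups.add(name)  # membership inherits upward
        return group

    def add(self, group: str, subject: str, on: date) -> None:
        self.groups[group].memberships.append(Membership(subject, on))

    def remove(self, group: str, subject: str, on: date) -> None:
        # Close the open membership rather than deleting it, so history stays queryable.
        for m in self.groups[group].memberships:
            if m.subject == subject and m.end is None:
                m.end = on

    def direct_members(self, group: str, on: date) -> set[str]:
        return {m.subject for m in self.groups[group].memberships
                if m.start <= on and (m.end is None or on < m.end)}

    def members(self, group: str, on: date, _seen: frozenset[str] = frozenset()) -> set[str]:
        """Effective membership on a date: direct members plus nested subgroups (cycle-safe)."""
        if group in _seen:
            return set()
        seen = _seen | {group}
        result = self.direct_members(group, on)
        for sub in self.groups[group].subgroups:
            result |= self.members(sub, on, seen)
        return result

    # Group math over effective membership (union / intersection / complement).
    def union(self, a: str, b: str, on: date) -> set[str]:
        return self.members(a, on) | self.members(b, on)

    def intersection(self, a: str, b: str, on: date) -> set[str]:
        return self.members(a, on) & self.members(b, on)

    def complement(self, a: str, b: str, on: date) -> set[str]:
        return self.members(a, on) - self.members(b, on)

    def overlapping(self, on: date) -> dict[tuple[str, str], set[str]]:
        """Every pair of groups sharing at least one effective member on the given date."""
        names = sorted(self.groups)
        return {(a, b): shared
                for i, a in enumerate(names) for b in names[i + 1:]
                if (shared := self.intersection(a, b, on))}


def build_demo() -> Registry:
    """Constructed sample data (not real VO data): a student adds and later drops a class."""
    r = Registry()
    r.create("vo:students", parent="vo:members")
    r.create("vo:pis", parent="vo:members")
    r.create("vo:instrument-ops")
    r.add("vo:pis", "bob", date(2010, 1, 1))
    r.add("vo:students", "alice", date(2010, 1, 10))    # alice adds the class
    r.add("vo:instrument-ops", "alice", date(2010, 1, 10))
    r.remove("vo:students", "alice", date(2010, 3, 1))  # alice drops the class
    return r
```

Because removals close a dated interval instead of deleting the row, "who was in vo:members on 2010-02-01" and "on 2010-03-01" give different, auditable answers, which is what deprovisioning reviews and the "immediately disabled" use case need.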
Security Token Service
• Converts the form of an existing credential or packs a set of attributes into a new credential
• Presents external security information to an application or service in the language that app/service understands
• Conversions: SAML into X.509, SAML into Kerberos, SAML to LDAP, etc.
• Mythical as a single comprehensive package; legion as individual instances
What forms does COmanage take?
• Usually as an assembled set of services
• A dashboard, directory product, Shibboleth IdP and SP, Grouper, and a set of applications provisioned on other servers
• On an enterprise level to serve its collaborations and VOs, within a large VO, or at a federation level to serve a national community
• Can also be a VM, a VM in the cloud, or a service with the applications in the cloud
• Can be embedded in a science portal or gateway
Flows of attributes - 1 (diagram; recoverable labels: Enterprise, Project, COmanage Data Store, Relying Party)
Use cases it enables
• A student adds a class and is immediately enabled to use the VO wiki; a student drops the class and is immediately disabled from using the VO instruments
• A resource prohibited from use by foreign nationals is protected
• International privacy laws are adhered to
• Anonymous access is enabled but limited to those authorized to participate
• Security is commensurate with the risks
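Tying the slides together: a domesticated app receives attributes over SAML (the "SAML to LDAP/X.509" job of the STS is the same normalisation step), and the use cases above are then policy over those attributes: VO group membership gates the wiki and the instruments, a citizenship attribute gates the export-controlled resource, and each relying party only ever sees the attributes its rule needs, so a wiki user can stay pseudonymous. The code below is an added example, not COmanage or Shibboleth code. The AttributeStatement is constructed sample data; the two eduPerson OIDs (isMemberOf, eduPersonScopedAffiliation) are the real registered names, while urn:example:vo:citizenship is a hypothetical VO attribute and the citizenship allow-list is illustrative only, not a statement of export-control law.

```python
"""Parse a SAML AttributeStatement into attributes and evaluate ABAC rules over them.
Added example for this page; not COmanage/Shibboleth code. Sample data is constructed."""
import xml.etree.ElementTree as ET

SAML_NS = {"saml": "urn:oasis:names:tc:SAML:2.0:assertion"}

# Wire names: the two OIDs are the registered eduPerson attributes;
# the citizenship attribute name is a hypothetical VO-specific one.
OID_IS_MEMBER_OF = "urn:oid:1.3.6.1.4.1.5923.1.5.1.1"       # isMemberOf
OID_SCOPED_AFFILIATION = "urn:oid:1.3.6.1.4.1.5923.1.1.1.9"  # eduPersonScopedAffiliation
VO_CITIZENSHIP = "urn:example:vo:citizenship"                 # hypothetical
FRIENDLY = {OID_IS_MEMBER_OF: "isMemberOf",
            OID_SCOPED_AFFILIATION: "affiliation",
            VO_CITIZENSHIP: "citizenship"}

# Constructed sample statement (unsigned; assume the SP already validated the assertion).
SAMPLE_STATEMENT = """<saml:AttributeStatement xmlns:saml="urn:oasis:names:tc:SAML:2.0:assertion">
  <saml:Attribute Name="urn:oid:1.3.6.1.4.1.5923.1.5.1.1">
    <saml:AttributeValue>vo:members</saml:AttributeValue>
    <saml:AttributeValue>vo:students</saml:AttributeValue>
  </saml:Attribute>
  <saml:Attribute Name="urn:oid:1.3.6.1.4.1.5923.1.1.1.9">
    <saml:AttributeValue>student@example.edu</saml:AttributeValue>
  </saml:Attribute>
  <saml:Attribute Name="urn:example:vo:citizenship">
    <saml:AttributeValue>DE</saml:AttributeValue>
  </saml:Attribute>
</saml:AttributeStatement>"""


def parse_attributes(xml_text: str) -> dict[str, set[str]]:
    """Map each SAML Attribute to a friendly name and the set of its non-empty values."""
    root = ET.fromstring(xml_text)
    attrs: dict[str, set[str]] = {}
    for attr in root.iterfind("saml:Attribute", SAML_NS):
        name = FRIENDLY.get(attr.get("Name"), attr.get("Name"))
        values = {(v.text or "").strip() for v in attr.iterfind("saml:AttributeValue", SAML_NS)}
        attrs.setdefault(name, set()).update(v for v in values if v)
    return attrs


# Per-resource policy: 'needs' is the attribute release set (data minimisation),
# 'rule' the predicate evaluated over ONLY those released attributes.
POLICY = {
    "vo:wiki": {          # any VO member; no name or mail needed, so access stays pseudonymous
        "needs": {"isMemberOf"},
        "rule": lambda a: "vo:members" in a.get("isMemberOf", set()),
    },
    "vo:instrument": {    # instrument operators only
        "needs": {"isMemberOf"},
        "rule": lambda a: "vo:instrument-ops" in a.get("isMemberOf", set()),
    },
    "vo:controlled-cluster": {  # illustrative allow-list, not real export-control logic
        "needs": {"isMemberOf", "citizenship"},
        "rule": lambda a: "vo:members" in a.get("isMemberOf", set())
                          and a.get("citizenship") == {"US"},  # dual/missing citizenship denied
    },
}


def released(attrs: dict[str, set[str]], resource: str) -> dict[str, set[str]]:
    """Attributes the relying party for `resource` may receive."""
    return {k: v for k, v in attrs.items() if k in POLICY[resource]["needs"]}


def decide(attrs: dict[str, set[str]], resource: str) -> bool:
    """Deny by default; otherwise apply the resource rule to the released subset."""
    if resource not in POLICY:
        return False
    return bool(POLICY[resource]["rule"](released(attrs, resource)))
```

Feeding the rule only the released subset makes it impossible for a policy to silently depend on an attribute the privacy agreement never allowed out, and an unknown resource is denied rather than defaulting open. Dropping the class is modelled by the group attribute disappearing from the next assertion; with Grouper provisioning the directory, that is the only thing that has to change.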