The Collaboration Game, Niels van Dijk, Technical Product Manager



  1. The Collaboration Game, Niels van Dijk, Technical Product Manager, SURFnet

  2. Topics
     - Identity federations 2010
     - The Collaboration Game
     - A distributed landscape
     - Enter Domestication
     - The future of Domestication

  3. Identity federations 101 Source: David Simonsen, WAYF

  4. Identity federations Source: David Simonsen, WAYF

  5. Identity federations Source: David Simonsen, WAYF

  6. Identity federations Source: David Simonsen, WAYF

  7. Federations 2010
     By now Identity Federations in edu have become mature:
     - 27 federations (EU, US, Asia)
     - Interfederation (Kalmar, eduGAIN, REFEDs)
     - Interdomain (US, Denmark)
     - SAML 2 (Shibboleth, SimpleSAMLphp)
     - Vendor supported (Microsoft, Google, Cisco, Atlassian) and many OpenSource products

  8. Stuff federations provide
     Or they will, shortly ;)
     - Is that your “staff” attribute?
     - Level of assurance (LOA)
     - Get interfederation working!
     - WAYF
     - Getting the GUI sorted out
     Core building block for trusted relations

  9. Mature? Source: http://xkcd.com/806/

  10. The Collaboration game
     Modern universities are developing towards loose conglomerates of (inter)discipline expertise
     → Collaboration is therefore core business
     Collaboration involves people in multiple institutions in multiple countries
     Collaboration is about using shared resources
     People + resources = Virtual Organization

  11. Collab usecases - 1
     “Student Thesis”
     - Group of students
     - University staff
     - Employee at Commercial Company
     Tools
     - Generic collaboration tools
     Example
     - Every university campus

  12. Collab usecases - 2
     Sharing 'data'
     - Groups of (inter)discipline scientists in several countries
     - Staff at multiple universities
     - Employees at multiple commercial companies
     Tools
     - (Webbased) generic collaboration tools
     - (Webbased) shared data resources
     Examples
     - Lifewatch, Clarin, Knowledge Exchange, Terena

  13. Collab usecases - 3
     Sharing (expensive) eScience infrastructures
     - VERY Large groups of international scientists
     - Staff at multiple universities
     Tools
     - generic collaboration tools
     - Shared infrastructure & data resources
     Examples
     - LHC, LIGO, LOFAR, eVLBI

  14. LOFAR: distributed low frequency array
     A distributed multibeam array for radioastronomy
     - Large number of very simple antennas, with very high bandwidth connections

  15. E-VLBI: a global radiotelescope

  16. LHC Computing Grid and LHCOPN

  17. A distributed landscape
     Modern science combines eScience resources from multiple sources with generic collaboration
     - The core resources are within the R&E domain
     - Some activities already moving off campus (MyExperiment, Mendeley)
     → Collaboration is already in 'the cloud': Twitter, Facebook, Linkedin, Wikis, Blogs

  18. (C) 2009 SURFnet B.V.

  19. COIN vision

  20. Dealing with a distributed landscape
     NRENs can play a vital role as trusted third parties:
     - Provide collaboration services → SURFgroepen
     - Provide 'putty' → the COIN Project
     What is our putty made of?
     - Trust framework
     - Attributes
     - Externalized Groups
     - Roles and Rights
     - Coherence

  21. Applying putty
     - Trust framework → Identity Federations
     - Attributes → Identity Federations + aggregation
     - Groups → Group management tools
     - Roles and Rights → ?
     - Coherence → VO Platforms
     Domestication is the process of applying putty to applications and services

  22. Domestication
     • Domestication can be described as the process of externalizing authentication, authorization and group management from services
     • Domestication fits nicely in the Service Oriented Architecture paradigm where a platform is created for reusable services and service components
     • It becomes easier to share (generic) information among services and to replace similar services
     • It is only useful in multi-domain collaboration or enterprise environments, hence (delegation of) trust is a point of concern

  23. Domestication (2)
     - Domesticated applications enable single sign-on features for users, as well as the ability to share group context between multiple applications
     Main Candidates
     - Identity and access control
     - Group management
     - Events like presence and activities
     - Perhaps Monitoring and Reporting and messaging?

  24. End User Perspective
     Pro
     - Single Sign On
     - One password (and identity) for multiple services
     Cons
     - WAYF – where are you from
     - Service might ask for your profile information etc. again and again

  25. Organizational Perspective
     Pros
     - In control – one set of credentials for all services
     - Happy and secure users
     Cons
     - None?
     Prerequisites
     - Get your Identity Management on track
     - Get organized – convince service providers to become domesticated

  26. Service Provider Perspective
     Pros
     - Validated and up-to-date (user) information
     - Focus on core business
     - Reduction of administrative overhead – no more “I lost my password”
     - Economy of scale (after the initial investment, adding new organizations is easy)
     Cons
     - Most services already provide a solution for the generic functionality (needs to be combined with legacy generic functionality)
     - Invest in APIs in an unknown technology territory

  27. NREN Strategy
     - Create economy of scale to create a valid business case for Service Providers
     - Do it yourself (maintainable?!)
     - Need for standardized interfaces, APIs and availability of libraries
     - Need to deal with trust

  28. Doing it yourself

  29. Doing it yourself -2

  30. External systems - AuthN
     Authentication → SAML
     - Use an already SAML enabled application
     - Modify an application to handle SAML based authentication (Shibboleth, SimpleSAMLphp, OIOsaml, etc)
     - Use a 'proxy' if the application has an API

  31. External systems - Attributes
     Getting Attributes
     - SAML assertion → Often a SAML assertion contains attributes, which are mostly standardized (eduPerson, SCHAC)
     - SAML Attribute Query → not widely implemented
     - Attribute Query via other means, e.g. LDAP, Webservice API
     - Let user fill in missing attributes

  32. External systems - Groups
     Getting Groups – Nothing here yet....
     - SAML assertion → Only at login, cumbersome at IdP
     - SAML Attribute Query → not widely implemented
     - Attribute Query → LDAP, SPML, Webservice API
     What if an application needs group membership before login?

  33. External systems - Roles
     Getting Roles – Again, nothing here yet....
     - SAML assertion → Only at login, cumbersome at IdP
     - SAML Attribute Query → not widely implemented
     - Attribute Query → LDAP, SPML, Webservice API
     (Ab)using groups as roles?
     What if an application needs to set roles before login?
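Slides 31 to 33 describe the practical path a domesticated application takes: read the attributes the IdP put in the SAML assertion at login, notice which ones are missing, and, lacking anything better, treat group membership as roles. The Python below is an added example and not code from Niels van Dijk's deck or from SURFnet: it parses a constructed SAML 2.0 assertion, normalises urn:oid attribute names to their eduPerson and SCHAC friendly names, lists the required attributes the IdP did not release (the "let user fill in missing attributes" case), and maps isMemberOf values onto application roles through an explicit allow-list. The group URNs, the role table and the required-attribute list are assumptions for illustration. It also assumes the SP software (Shibboleth, SimpleSAMLphp) has already verified the assertion's signature, audience and validity window before handing it over; nothing here checks those.

```python
"""Added example (not from the slides): consume attributes from a SAML 2.0
assertion the way a 'domesticated' application would.

Assumes the SP library (Shibboleth, SimpleSAMLphp, ...) has already verified
the assertion's XML signature, audience and validity window; this code only
reads the AttributeStatement it was handed."""
from typing import Dict, List, Sequence
import xml.etree.ElementTree as ET

SAML_NS = {"saml": "urn:oasis:names:tc:SAML:2.0:assertion"}

# Federations usually send attributes under urn:oid names; map the common
# eduPerson / SCHAC ones back to friendly names the application can use.
OID_TO_FRIENDLY = {
    "urn:oid:1.3.6.1.4.1.5923.1.1.1.1": "eduPersonAffiliation",
    "urn:oid:1.3.6.1.4.1.5923.1.1.1.6": "eduPersonPrincipalName",
    "urn:oid:1.3.6.1.4.1.5923.1.5.1.1": "isMemberOf",
    "urn:oid:1.3.6.1.4.1.25178.1.2.9": "schacHomeOrganization",
    "urn:oid:0.9.2342.19200300.100.1.3": "mail",
    "urn:oid:2.16.840.1.113730.3.1.241": "displayName",
}

# Constructed sample assertion: ePPN, affiliation and two group memberships,
# but no mail and no schacHomeOrganization.
SAMPLE_ASSERTION = """<saml:Assertion xmlns:saml="urn:oasis:names:tc:SAML:2.0:assertion"
    ID="_constructed-example" Version="2.0" IssueInstant="2010-09-01T10:00:00Z">
  <saml:Issuer>https://idp.example.edu/idp/shibboleth</saml:Issuer>
  <saml:Subject>
    <saml:NameID Format="urn:oasis:names:tc:SAML:2.0:nameid-format:transient">_8f2d</saml:NameID>
  </saml:Subject>
  <saml:AttributeStatement>
    <saml:Attribute Name="urn:oid:1.3.6.1.4.1.5923.1.1.1.6"
        NameFormat="urn:oasis:names:tc:SAML:2.0:attrname-format:uri">
      <saml:AttributeValue>jdoe@example.edu</saml:AttributeValue>
    </saml:Attribute>
    <saml:Attribute Name="urn:oid:1.3.6.1.4.1.5923.1.1.1.1">
      <saml:AttributeValue>staff</saml:AttributeValue>
      <saml:AttributeValue>member</saml:AttributeValue>
    </saml:Attribute>
    <saml:Attribute Name="urn:oid:1.3.6.1.4.1.5923.1.5.1.1">
      <saml:AttributeValue>urn:example:group:thesis-2010</saml:AttributeValue>
      <saml:AttributeValue>urn:example:group:admins</saml:AttributeValue>
    </saml:Attribute>
  </saml:AttributeStatement>
</saml:Assertion>"""

# Hypothetical application policy: attributes it cannot work without, and
# the federation groups it is willing to treat as roles (an allow-list).
REQUIRED_ATTRIBUTES = ("eduPersonPrincipalName", "mail", "schacHomeOrganization")
GROUP_TO_ROLE = {
    "urn:example:group:admins": "admin",
    "urn:example:group:thesis-2010": "editor",
}


def extract_attributes(assertion_xml: str) -> Dict[str, List[str]]:
    """Return {friendlyName: [values]} from the assertion's AttributeStatements.

    OID names are normalised to friendly names; an unknown Name is kept as-is
    rather than dropped, so nothing the IdP sent silently disappears."""
    root = ET.fromstring(assertion_xml)
    attrs: Dict[str, List[str]] = {}
    for attr in root.iterfind(".//saml:AttributeStatement/saml:Attribute", SAML_NS):
        name = attr.get("Name", "")
        friendly = OID_TO_FRIENDLY.get(name) or attr.get("FriendlyName") or name
        values = [v.text.strip() for v in attr.iterfind("saml:AttributeValue", SAML_NS)
                  if v.text and v.text.strip()]
        attrs.setdefault(friendly, []).extend(values)
    return attrs


def missing_attributes(attrs: Dict[str, List[str]],
                       required: Sequence[str] = REQUIRED_ATTRIBUTES) -> List[str]:
    """Required attributes the IdP did not release. The slides' fallbacks are
    an out-of-band query (LDAP, web-service API) or asking the user."""
    return [name for name in required if not attrs.get(name)]


def roles_from_groups(attrs: Dict[str, List[str]]) -> List[str]:
    """'(Ab)use' isMemberOf as roles: only groups listed in GROUP_TO_ROLE grant
    anything; every authenticated user gets the baseline 'viewer' role."""
    roles = {"viewer"}
    for group in attrs.get("isMemberOf", []):
        role = GROUP_TO_ROLE.get(group)
        if role is not None:
            roles.add(role)
    return sorted(roles)


if __name__ == "__main__":
    attrs = extract_attributes(SAMPLE_ASSERTION)
    print("attributes:", attrs)
    print("missing:   ", missing_attributes(attrs))
    print("roles:     ", roles_from_groups(attrs))
```

Run stand-alone, the block prints the parsed attributes, the two attributes the sample IdP did not send (mail, schacHomeOrganization) and the roles admin, editor and viewer. Keeping GROUP_TO_ROLE as an explicit allow-list is the answer to the slide's "(Ab)using groups as roles?" question: a group the application has never heard of must not turn into a privilege just because an IdP asserted it.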

  34. Provisioning
     Provisioning is application specific
     - Preferably done by the vendor
     - Else, use APIs
     - Or hack the app...
     The amount of effort, and the best way of provisioning, depend on the functional requirements of the application.
     See: Provisioning scenarios in identity federations

  35. Deprovisioning - This page was intentionally left blank -

  36. The Future of Domestication
     Standardize
     - Settle on standards
     - Reduce and standardize the number of implementations
     What other stuff would we like externalized
     - Events
     - Messaging
     - Monitoring and Reporting
     How will domestication work beyond the web?

  37. Domestication Wiki https://wiki.surfnetlabs.nl/display/domestication

  38. Questions? Niels.vanDijk@SURFnet.nl
