The Collaboration Game
Niels van Dijk, Technical Product Manager, SURFnet

Topics
- Identity federations 2010
- The Collaboration Game
- A distributed landscape
- Enter Domestication
- The future of Domestication
Identity federations 101 Source: David Simonsen, WAYF
Identity federations Source: David Simonsen, WAYF
Federations 2010
By now Identity Federations in edu have become mature:
- 27 federations (EU, US, Asia)
- Interfederation (Kalmar, eduGAIN, REFEDs)
- Interdomain (US, Denmark)
- SAML 2 (Shibboleth, SimpleSAMLphp)
- Vendor supported (Microsoft, Google, Cisco, Atlassian) and many OpenSource products

Stuff federations provide
Or they will, shortly ;)
- Is that your “staff” attribute?
- Level of assurance (LOA)
- Get interfederation working!
- WAYF
- Getting the GUI sorted out
Core building block for trusted relations
Mature? Source: http://xkcd.com/806/
The Collaboration game
Modern universities are developing towards loose conglomerates of (inter)discipline expertise → collaboration is therefore core business
- Collaboration involves people in multiple institutions in multiple countries
- Collaboration is about using shared resources
- People + resources = Virtual Organization

Collab usecases - 1
“Student Thesis”
- Group of students
- University staff
- Employee at Commercial Company
Tools
- Generic collaboration tools
Example
- Every university campus

Collab usecases - 2
Sharing 'data'
- Groups of (inter)discipline scientists in several countries
- Staff at multiple universities
- Employees at multiple commercial companies
Tools
- (Web-based) generic collaboration tools
- (Web-based) shared data resources
Examples
- Lifewatch, Clarin, Knowledge Exchange, Terena

Collab usecases - 3
Sharing (expensive) eScience infrastructures
- VERY large groups of international scientists
- Staff at multiple universities
Tools
- Generic collaboration tools
- Shared infrastructure & data resources
Examples
- LHC, LIGO, LOFAR, eVLBI
LOFAR: distributed low frequency array
A distributed multibeam array for radioastronomy
- Large number of very simple antennas, with very high-bandwidth connections
E-VLBI: a global radiotelescope
LHC Computing Grid and LHCOPN
A distributed landscape
Modern science combines eScience resources from multiple sources with generic collaboration
- The core resources are within the R&E domain
- Some activities already moving off campus (MyExperiment, Mendeley)
Collaboration is already in 'the cloud' → Twitter, Facebook, Linkedin, Wikis, Blogs
(C) 2009 SURFnet B.V.
COIN vision
Dealing with a distributed landscape
NRENs can play a vital role as trusted third parties:
- Provide collaboration services → SURFgroepen
- Provide 'putty' → the COIN Project
What is our putty made of?
- Trust framework
- Attributes
- Externalized Groups
- Roles and Rights
- Coherence

Applying putty
- Trust framework → Identity Federations
- Attributes → Identity Federations + aggregation
- Groups → Group management tools
- Roles and Rights → ?
- Coherence → VO Platforms
Domestication is the process of applying putty to applications and services
Domestication
Domestication can be described as the process of
- externalizing authentication, authorization and group management from services
- Domestication fits nicely in the Service Oriented Architecture paradigm, where a platform is created for reusable services and service components
- It becomes easier to share (generic) information among services and to replace similar services
- It is only useful in multi-domain collaboration or enterprise environments, hence (delegation of) trust is a point of concern

Domestication (2)
- Domesticated applications enable single sign-on features for users, as well as the ability to share group context between multiple applications
Main Candidates
- Identity and access control
- Group management
- Events like presence and activities
- Perhaps Monitoring and Reporting, and messaging?

End User Perspective
Pros
- Single Sign On
- One password (and identity) for multiple services
Cons
- WAYF – where are you from
- Service might ask again and again for your profile information etc.

Organizational Perspective
Pros
- In control – one set of credentials for all services
- Happy and secure users
Cons
- None?
Prerequisites
- Get your Identity Management on track
- Get organized – convince service providers to become domesticated

Service Provider Perspective
Pros
- Validated and up-to-date (user) information
- Focus on core business
- Reduction of administrative overhead – no more “I lost my password”
- Economy of scale (after initial investment) – adding new organizations is easy
Cons
- Most services already provide a solution for the generic functionality (needs to be combined with legacy generic functionality)
- Invest in APIs in an unknown technology territory

NREN Strategy
- Create economy of scale to create a valid business case for Service Providers
- Do it yourself (maintainable?!)
- Need for standardized interfaces, APIs and availability of libraries
- Need to deal with trust
Doing it yourself
Doing it yourself (2)
External systems - AuthN
Authentication → SAML
- Use an already SAML enabled application
- Modify an application to handle SAML based authentication (Shibboleth, SimpleSAMLphp, OIOsaml, etc)
- Use a 'proxy' if the application has an API

External systems - Attributes
Getting Attributes
- SAML assertion → often a SAML assertion contains attributes, which are mostly standardized (eduPerson, SCHAC)
- SAML Attribute Query → not widely implemented
- Attribute Query via other means, e.g. LDAP, → Web service API
- Let user fill in missing attributes

External systems - Groups
Getting Groups – Nothing here yet....
- SAML assertion → only at login, cumbersome at IdP
- SAML Attribute Query → not widely implemented
- Attribute Query → LDAP, SPML, Web service API
What if an application needs group membership before login?

External systems - Roles
Getting Roles – Again, nothing here yet....
- SAML assertion → only at login, cumbersome at IdP
- SAML Attribute Query → not widely implemented
- Attribute Query → LDAP, SPML, Web service API
(Ab)using groups as roles?
What if an application needs to set roles before login?
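Added example (not code from the slides or from SURFnet): a Python helper for the service-provider side of the three slides above. It pulls eduPerson attributes out of a SAML 2 assertion, reports which required attributes the IdP did not release (so the application can fall back to asking the user), and derives VO roles from isMemberOf group values, the "groups as roles" shortcut the slides ask about. The OID-to-name table uses the real eduPerson and mail OIDs; the assertion, the REQUIRED list, and the group naming convention are constructed for the example.

```python
import xml.etree.ElementTree as ET

NS = {"saml": "urn:oasis:names:tc:SAML:2.0:assertion"}

# eduPerson/SCHAC attributes in the urn:oid form most R&E federations release.
ATTR_NAMES = {
    "urn:oid:1.3.6.1.4.1.5923.1.1.1.6": "eduPersonPrincipalName",
    "urn:oid:1.3.6.1.4.1.5923.1.1.1.1": "eduPersonAffiliation",
    "urn:oid:1.3.6.1.4.1.5923.1.5.1.1": "isMemberOf",
    "urn:oid:0.9.2342.19200300.100.1.3": "mail",
}
# Attributes this (hypothetical) SP needs; the slide's fallback is to ask the user.
REQUIRED = ("eduPersonPrincipalName", "mail")

# Constructed, unsigned sample assertion; a real SP validates the signature and
# conditions in its SAML library before any attribute is read from it.
SAMPLE_ASSERTION = """<saml:Assertion xmlns:saml="urn:oasis:names:tc:SAML:2.0:assertion">
 <saml:AttributeStatement>
  <saml:Attribute Name="urn:oid:1.3.6.1.4.1.5923.1.1.1.6">
   <saml:AttributeValue>jdoe@example.edu</saml:AttributeValue></saml:Attribute>
  <saml:Attribute Name="urn:oid:1.3.6.1.4.1.5923.1.1.1.1">
   <saml:AttributeValue>member</saml:AttributeValue>
   <saml:AttributeValue>staff</saml:AttributeValue></saml:Attribute>
  <saml:Attribute Name="urn:oid:1.3.6.1.4.1.5923.1.5.1.1">
   <saml:AttributeValue>urn:example:vo:thesis:admin</saml:AttributeValue></saml:Attribute>
 </saml:AttributeStatement>
</saml:Assertion>"""

def extract_attributes(xml_text):
    """Map known attribute OIDs to friendly names; unknown attributes are dropped, not trusted."""
    attrs = {}
    for attr in ET.fromstring(xml_text).iterfind(".//saml:Attribute", NS):
        friendly = ATTR_NAMES.get(attr.get("Name"))
        if friendly:
            attrs[friendly] = [v.text.strip() for v in attr.iterfind("saml:AttributeValue", NS) if v.text]
    return attrs

def missing_attributes(attrs):
    """Required attributes the IdP did not release (candidates for a user-completion form)."""
    return [name for name in REQUIRED if not attrs.get(name)]

def roles_from_groups(attrs, vo_prefix):
    """Derive roles for one VO from isMemberOf values shaped <vo_prefix>:<role> (constructed convention)."""
    roles = {g[len(vo_prefix) + 1:] for g in attrs.get("isMemberOf", []) if g.startswith(vo_prefix + ":")}
    return sorted(roles)
```

Because the roles exist only for the duration of the assertion, this only covers the "at login" case; an application that needs roles before the user has logged in still needs one of the query mechanisms listed on the slides.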
Provisioning
Provisioning is application specific
- Preferably done by the vendor
- Else, use APIs
- Or hack the app...
The amount of effort, and the optimal way of provisioning, depends on the functional requirements of the application.
See: Provisioning scenarios in identity federations
Deprovisioning - This page was intentionally left blank -
The Future of Domestication
Standardize
- Settle on standards
- Reduce and standardize the number of implementations
What other stuff would we like externalized
- Events
- Messaging
- Monitoring and Reporting
How will domestication work beyond the web?
Domestication Wiki https://wiki.surfnetlabs.nl/display/domestication
Questions? Niels.vanDijk@SURFnet.nl