
Maturation & Convergence in Authentication & Authorization Services in US Higher Education:

Keith Hazelton, hazelton@doit.wisc.edu

Sr. IT Architect, University of Wisconsin-Madison

Internet2 MACE

20th APAN, Taipei, Taiwan

August 24, 2005


Topics

• Middleware service layer concepts & models

• Roots of the Internet2 middleware initiative

• Growing relevance of middleware for network layer services and Grid services

• Possible paths of convergence

Identity and Access Management (IAM) defined

• What is Identity Management?

“Identity [and access] management is the set of business processes, and a supporting infrastructure, for the creation, maintenance, and use of digital identities.”

The Burton Group (a research firm specializing in IT infrastructure for the enterprise)

The IAM Stone Age

• List of functions:

• AuthN: Authenticate principals (people, servers) seeking access to a service or resource

• Log: Track access to services/resources

The IAM Stone Age

• Every application for itself in performing these functions

• A user list plus credentials: if you’re on the list, you’re in (AuthN doubles as authorization, AuthZ)

• As Hobbes might say: Stone-age IAM is “nasty, brutish & short on features”

Vision of a better way to do IAM

• IAM as a middleware layer at the service of any number of applications

• Requires an expanded set of basic functions:
  • Reflect: Track changes to institutional data arising from changes in Systems of Record (SoR) & other IdM components
  • Join: Establish & maintain person identity across multiple independent sources of person information
    • Human Resources and Student Information Systems
    • …or Department X and Department Y IT systems

Vision of a better way to do IAM

• More in the expanded set of basic functions:
  • Credential: Issue digital credentials to people in the community
  • Mng. Affil.: Manage affiliation and group information
  • Mng. Priv.: Manage privileges and permissions at system and resource level
  • Provision: Push IAM info out to systems and services as required
  • Deliver: Make access control / authorization information available to services and resources at run time
  • AuthZ: Make the allow/deny decision independently of AuthN

IAM functions

Function              Purpose
Reflect               Data of interest
Join                  Identity across SoR
Credential            NetID, other
Manage Affil/Groups   AuthZ info
Manage Privileges     More AuthZ info
Provision             For legacy applications
Deliver               Get AuthZ info to app
Authenticate          Check identity claim
Authorize             Make allow/deny decision
Log                   Track usage for audit
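As an added illustration of the Reflect, Join, Credential and Provision functions above (this is example code written for this transcript, not code from the talk or from any Internet2 component): a toy person registry folds two constructed Systems of Record feeds (HR and SIS) into one person record per human, mints a NetID once per person, and emits an LDIF entry for provisioning. The feed fields, the join rule (surname + given name + date of birth), the NetID format and the base DN are all assumptions made for the example.

```python
from dataclasses import dataclass, field
from typing import Dict, List, Tuple

# Constructed sample feeds from two Systems of Record (SoR). Each SoR keys its
# rows by its own local identifier; the registry has to decide which rows
# describe the same person before it can issue one NetID.
HR_FEED = [
    {"emplid": "E1001", "sn": "Doe", "givenName": "Jane", "dob": "1980-04-02", "affiliation": "staff"},
    {"emplid": "E1002", "sn": "Roe", "givenName": "Richard", "dob": "1975-11-30", "affiliation": "faculty"},
]
SIS_FEED = [
    {"studentid": "S5001", "sn": "Doe", "givenName": "Jane", "dob": "1980-04-02", "affiliation": "student"},
    # Same name as the HR Jane Doe but a different date of birth: must NOT be joined.
    {"studentid": "S5002", "sn": "Doe", "givenName": "Jane", "dob": "2001-07-15", "affiliation": "student"},
]


@dataclass
class Person:
    netid: str
    sor_ids: Dict[str, str]                       # e.g. {"hr": "E1001", "sis": "S5001"}
    affiliations: List[str] = field(default_factory=list)
    sn: str = ""
    given_name: str = ""


class PersonRegistry:
    """Toy registry implementing Reflect (fold SoR changes in), Join (one person
    across SoRs), Credential (issue a NetID) and Provision (emit LDIF)."""

    def __init__(self) -> None:
        self.people: Dict[str, Person] = {}
        self._by_match_key: Dict[Tuple[str, str, str], str] = {}
        self._seq = 0

    @staticmethod
    def _match_key(row: dict) -> Tuple[str, str, str]:
        # Join rule (assumption): surname + given name + date of birth.
        # A production registry uses more evidence and routes ambiguous
        # matches to a human review queue instead of auto-merging.
        return (row["sn"].lower(), row["givenName"].lower(), row["dob"])

    def _issue_netid(self, row: dict) -> str:
        # Credential step: the NetID format is an assumption for illustration.
        self._seq += 1
        return f"{row['givenName'][0].lower()}{row['sn'].lower()}{self._seq:03d}"

    def load(self, sor: str, id_field: str, rows: List[dict]) -> List[Tuple[str, str]]:
        """Reflect step: fold one SoR feed into the registry and return the
        (change, netid) events so downstream provisioning can react to them."""
        changes: List[Tuple[str, str]] = []
        for row in rows:
            key = self._match_key(row)
            netid = self._by_match_key.get(key)
            if netid is None:
                netid = self._issue_netid(row)
                self.people[netid] = Person(netid, {sor: row[id_field]}, [row["affiliation"]],
                                            row["sn"], row["givenName"])
                self._by_match_key[key] = netid
                changes.append(("add", netid))
                continue
            person = self.people[netid]
            if person.sor_ids.get(sor) != row[id_field]:
                person.sor_ids[sor] = row[id_field]        # Join: link another SoR identity
                changes.append(("join", netid))
            if row["affiliation"] not in person.affiliations:
                person.affiliations.append(row["affiliation"])
                changes.append(("affiliation", netid))
        return changes

    def ldif(self, netid: str) -> str:
        """Provision step: render one person as an LDIF entry carrying
        eduPerson attributes (the base DN is an assumption)."""
        p = self.people[netid]
        lines = [f"dn: uid={p.netid},ou=People,dc=example,dc=edu",
                 "objectClass: inetOrgPerson", "objectClass: eduPerson",
                 f"uid: {p.netid}", f"sn: {p.sn}", f"givenName: {p.given_name}"]
        lines += [f"eduPersonAffiliation: {a}" for a in p.affiliations]
        return "\n".join(lines) + "\n"


def build_registry() -> PersonRegistry:
    """Load both constructed feeds in the order a nightly job would."""
    reg = PersonRegistry()
    reg.load("hr", "emplid", HR_FEED)
    reg.load("sis", "studentid", SIS_FEED)
    return reg


if __name__ == "__main__":
    registry = build_registry()
    for nid in registry.people:
        print(registry.ldif(nid))
```

Running it yields three people from four SoR rows: the HR and SIS rows for the 1980 Jane Doe are joined under one NetID with both affiliations, while the 2001 Jane Doe stays a separate person. A second load of an unchanged feed reports no changes, which is the Reflect step doing its job.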

Roots of the Internet2 Middleware Initiative

• Stated goal is to support the educational institution as a whole in its various missions
  • Requires a focus on the entire population of service consumers (students, staff, researchers, lecturers, etc.)

• Plus two critical requirements:
  • Scalability
  • Flexibility

Basic IAM functions mapped to the Internet2 NMI / MACE components

[Figure: Systems of Record (Student, HR, Other) feeding an Enterprise Directory through a Registry and LDAP]

Basic IAM functions mapped to the Internet2 NMI / MACE components

[Figure: Systems of Record feed the Enterprise Directory; Grouper, Signet, WebISO and Shibboleth sit between the directory and the Apps / Resources]

Middleware becoming crucial to network and Grid communities

• QoS, authenticated network access and network services all require the IAM suite of functions

• Grid services need all of that PLUS support for multiple-institution virtual organizations (VOs)

• Middleware becomes crucial in both for:
  • Scalability
  • Flexibility

The GridShib picture

[Figure: numbered flow between the User, the Campus (running Shibboleth) and the Grid Service]

(0) Attribute Release Policy
(1) Grid Authentication
(2) Shib Attribute Request
(3) Attributes
(4) Attribute-based authorization

Getting Attributes into a Site’s Attribute Authority

[Figure: Core Business Systems (SIS, HR) feed Loaders that populate the Person Registry, the Group Registry (Grouper UI) and the Privilege Registry (Signet UI), drawing on On-site and Off-site Authorities; the registries are provisioned into LDAP, which backs the Attribute Authority used by Shib/GridShib (using Shibboleth)]

Example LDAP attributes:
uid: jdoe
eduPersonAffiliation: …
isMemberOf: …
eduPersonEntitlement: …
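The GridShib flow and the Attribute Authority slide above are simulated below as an added example (written for this transcript; it is not code from the GridShib project, Shibboleth, or the talk). A campus Attribute Authority holds LDAP-style entries of the kind the loaders produce, applies a per-requester Attribute Release Policy (step 0), answers an attribute request from a Grid service (steps 2 and 3), and the Grid service makes an attribute-based allow/deny decision (step 4). Step 1, the Grid authentication, is represented only by a constructed table mapping certificate subject DNs to campus principals. The directory entries, the policy, the service identifier, the group names and the entitlement URN are all assumptions.

```python
from typing import Dict, List, Optional, Set

# Constructed LDIF-like entries, standing in for what the loaders put into the
# Attribute Authority's LDAP directory.
DIRECTORY_LDIF = """\
dn: uid=jdoe,ou=People,dc=example,dc=edu
uid: jdoe
eduPersonAffiliation: staff
eduPersonAffiliation: member
isMemberOf: cn=grid-users,ou=Groups,dc=example,dc=edu
isMemberOf: cn=payroll-admins,ou=Groups,dc=example,dc=edu
eduPersonEntitlement: urn:mace:example.edu:grid:compute

dn: uid=rroe,ou=People,dc=example,dc=edu
uid: rroe
eduPersonAffiliation: faculty
eduPersonAffiliation: member
isMemberOf: cn=physics-dept,ou=Groups,dc=example,dc=edu
"""


def parse_ldif(text: str) -> Dict[str, Dict[str, List[str]]]:
    """Minimal LDIF reader: one entry per blank-line-separated block, keyed by
    uid. Multi-valued attributes (isMemberOf, eduPersonAffiliation) become lists."""
    entries: Dict[str, Dict[str, List[str]]] = {}
    for block in text.strip().split("\n\n"):
        attrs: Dict[str, List[str]] = {}
        for line in block.splitlines():
            name, _, value = line.partition(": ")
            attrs.setdefault(name, []).append(value)
        entries[attrs["uid"][0]] = attrs
    return entries


# Step 0: Attribute Release Policy, keyed by the requesting service's identifier
# (assumed value). A value of None releases every value of that attribute; a set
# releases only the listed values, so group memberships unrelated to the Grid
# (payroll-admins) never leave campus.
RELEASE_POLICY: Dict[str, Dict[str, Optional[Set[str]]]] = {
    "https://grid.example.org/compute": {
        "eduPersonAffiliation": None,
        "isMemberOf": {"cn=grid-users,ou=Groups,dc=example,dc=edu"},
        "eduPersonEntitlement": None,
    },
}


class AttributeAuthority:
    def __init__(self, ldif_text: str, policy: Dict[str, Dict[str, Optional[Set[str]]]]):
        self.entries = parse_ldif(ldif_text)
        self.policy = policy

    def query(self, requester: str, principal: str) -> Dict[str, List[str]]:
        """Steps 2 and 3: answer an attribute request, filtered by the release
        policy. An unknown requester or principal gets an empty response, so the
        AA leaks nothing about who exists or what the policy covers."""
        rules = self.policy.get(requester)
        entry = self.entries.get(principal)
        if rules is None or entry is None:
            return {}
        released: Dict[str, List[str]] = {}
        for attr, allowed in rules.items():
            values = entry.get(attr, [])
            if allowed is not None:
                values = [v for v in values if v in allowed]
            if values:
                released[attr] = values
        return released


# Step 1 stand-in: the Grid service authenticated the user with an X.509
# credential; the certificate subject is then mapped to a campus principal.
# This mapping table is constructed for the example.
DN_TO_PRINCIPAL = {
    "/DC=edu/DC=example/O=Campus/CN=Jane Doe": "jdoe",
    "/DC=edu/DC=example/O=Campus/CN=Richard Roe": "rroe",
}


class GridService:
    ENTITY_ID = "https://grid.example.org/compute"
    REQUIRED_GROUP = "cn=grid-users,ou=Groups,dc=example,dc=edu"

    def __init__(self, aa: AttributeAuthority):
        self.aa = aa

    def authorize(self, subject_dn: str) -> bool:
        """Step 4: attribute-based authorization. Allow only if the campus AA
        vouches that the principal is a current member AND in the Grid group."""
        principal = DN_TO_PRINCIPAL.get(subject_dn)
        if principal is None:
            return False
        attrs = self.aa.query(self.ENTITY_ID, principal)
        return ("member" in attrs.get("eduPersonAffiliation", [])
                and self.REQUIRED_GROUP in attrs.get("isMemberOf", []))


if __name__ == "__main__":
    svc = GridService(AttributeAuthority(DIRECTORY_LDIF, RELEASE_POLICY))
    for dn in DN_TO_PRINCIPAL:
        print(dn, "->", "allow" if svc.authorize(dn) else "deny")
```

The point the flow makes is that the allow/deny decision lives at the Grid service, but it is computed from attributes the campus chose to release; the AA is the place to limit what a given SP can see, and the SP's policy should never need attributes the release policy does not grant it.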

Do APAN attendees thus represent a new market for I2-style middleware?

• If so, what are likely paths of collaboration and convergence?
  • SAML, WS-* and PKI interoperability, to bring institutional IAM and Grid IAM into alignment (see Project GridShib & JISC news)
  • IAM infrastructures at departmental in addition to institutional levels
  • Federations as organizational umbrellas for VOs
    • A quick glance at federation-building initiatives

Federation Value Proposition

• A set of cooperating IdPs and SPs forms a community needing agreement on:
  • Trust fabric
    • X.509 certs
    • IdP and SP identifiers & other metadata
  • Community standard for attribute semantics
  • Community standards for IdP and SP operational practices
    • Strength of authentication
    • Confidentiality

• For N IdPs and M SPs, which is easier?
  • N*M bilateral agreements
  • N+M agreements (each party with the federation)
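To make the trust-fabric bullet concrete, here is an added example (written for this transcript, not code from any federation or from the Shibboleth project) of how a member consumes the federation's published metadata. The federation distributes one aggregate listing every IdP and SP with its entityID, role, signing certificate and endpoints; an SP that receives an assertion checks the signing certificate against what the aggregate publishes for that entityID, which is what lets N+M registrations stand in for N*M bilateral agreements. The metadata is constructed in SAML 2.0 metadata syntax (an assumption; the 2005 deployments used SAML 1.1 metadata), the entityIDs and endpoints are made up, and the "certificates" are placeholder base64 strings rather than real X.509 certificates.

```python
import base64
import hashlib
import xml.etree.ElementTree as ET
from dataclasses import dataclass
from typing import Dict, List, Tuple

NS = {"md": "urn:oasis:names:tc:SAML:2.0:metadata",
      "ds": "http://www.w3.org/2000/09/xmldsig#"}


def fake_cert(label: str) -> str:
    """Placeholder for the base64-encoded DER certificate a real aggregate carries."""
    return base64.b64encode(f"FAKE-CERT-{label}".encode()).decode()


# Constructed federation aggregate: two IdPs and one SP, each registered once.
FEDERATION_METADATA = f"""<md:EntitiesDescriptor xmlns:md="{NS['md']}" xmlns:ds="{NS['ds']}"
    Name="urn:mace:example-federation">
  <md:EntityDescriptor entityID="https://idp.campus-a.edu/idp/shibboleth">
    <md:IDPSSODescriptor protocolSupportEnumeration="urn:oasis:names:tc:SAML:2.0:protocol">
      <md:KeyDescriptor use="signing"><ds:KeyInfo><ds:X509Data><ds:X509Certificate>
        {fake_cert('campus-a')}
      </ds:X509Certificate></ds:X509Data></ds:KeyInfo></md:KeyDescriptor>
      <md:SingleSignOnService Binding="urn:oasis:names:tc:SAML:2.0:bindings:HTTP-Redirect"
        Location="https://idp.campus-a.edu/idp/profile/SAML2/Redirect/SSO"/>
    </md:IDPSSODescriptor>
  </md:EntityDescriptor>
  <md:EntityDescriptor entityID="https://idp.campus-b.edu/idp/shibboleth">
    <md:IDPSSODescriptor protocolSupportEnumeration="urn:oasis:names:tc:SAML:2.0:protocol">
      <md:KeyDescriptor><ds:KeyInfo><ds:X509Data><ds:X509Certificate>{fake_cert('campus-b')}</ds:X509Certificate></ds:X509Data></ds:KeyInfo></md:KeyDescriptor>
      <md:SingleSignOnService Binding="urn:oasis:names:tc:SAML:2.0:bindings:HTTP-Redirect"
        Location="https://idp.campus-b.edu/idp/profile/SAML2/Redirect/SSO"/>
    </md:IDPSSODescriptor>
  </md:EntityDescriptor>
  <md:EntityDescriptor entityID="https://grid.example.org/shibboleth">
    <md:SPSSODescriptor protocolSupportEnumeration="urn:oasis:names:tc:SAML:2.0:protocol">
      <md:KeyDescriptor use="signing"><ds:KeyInfo><ds:X509Data><ds:X509Certificate>{fake_cert('grid-sp')}</ds:X509Certificate></ds:X509Data></ds:KeyInfo></md:KeyDescriptor>
      <md:AssertionConsumerService Binding="urn:oasis:names:tc:SAML:2.0:bindings:HTTP-POST"
        Location="https://grid.example.org/Shibboleth.sso/SAML2/POST" index="0"/>
    </md:SPSSODescriptor>
  </md:EntityDescriptor>
</md:EntitiesDescriptor>
"""


@dataclass
class Entity:
    entity_id: str
    role: str                        # "IdP" or "SP" (dual-role entities not modelled here)
    signing_fingerprints: List[str]  # sha256 of the DER bytes, hex
    endpoint: str


def cert_fingerprint(b64_cert: str) -> str:
    """Fingerprint on the decoded DER bytes after stripping the line wrapping
    metadata usually carries, so formatting differences cannot break the match."""
    der = base64.b64decode("".join(b64_cert.split()))
    return hashlib.sha256(der).hexdigest()


def load_metadata(xml_text: str) -> Dict[str, Entity]:
    """Index the aggregate by entityID. Only KeyDescriptors usable for signing
    (use="signing" or no use attribute) count as trusted signing keys."""
    root = ET.fromstring(xml_text)
    entities: Dict[str, Entity] = {}
    roles = (("md:IDPSSODescriptor", "IdP", "md:SingleSignOnService"),
             ("md:SPSSODescriptor", "SP", "md:AssertionConsumerService"))
    for ed in root.findall("md:EntityDescriptor", NS):
        eid = ed.get("entityID")
        for role_tag, role, ep_tag in roles:
            desc = ed.find(role_tag, NS)
            if desc is None:
                continue
            fps = []
            for kd in desc.findall("md:KeyDescriptor", NS):
                cert = kd.find("ds:KeyInfo/ds:X509Data/ds:X509Certificate", NS)
                if kd.get("use") in (None, "signing") and cert is not None and cert.text:
                    fps.append(cert_fingerprint(cert.text))
            ep = desc.find(ep_tag, NS)
            entities[eid] = Entity(eid, role, fps, ep.get("Location") if ep is not None else "")
    return entities


def trusted_signer(entities: Dict[str, Entity], entity_id: str, presented_b64_cert: str) -> bool:
    """SP-side check: is the certificate that signed an incoming assertion one the
    federation published for that IdP entityID? Unknown entities and SPs posing
    as IdPs fail closed."""
    ent = entities.get(entity_id)
    return (ent is not None and ent.role == "IdP"
            and cert_fingerprint(presented_b64_cert) in ent.signing_fingerprints)


def agreement_counts(entities: Dict[str, Entity]) -> Tuple[int, int]:
    """(N*M bilateral agreements, N+M federation registrations) for this aggregate."""
    n = sum(1 for e in entities.values() if e.role == "IdP")
    m = sum(1 for e in entities.values() if e.role == "SP")
    return n * m, n + m
```

The check is deliberately keyed on entityID plus certificate, not on the certificate alone: a valid certificate from campus B must not be accepted as campus A's signer, and the SP's own key must never be accepted as an IdP key. In a real deployment the aggregate itself is signed by the federation and that signature is verified before any of this is trusted.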

The Research and Education Federation Space Today

[Figure: map of the R&E federation space]

• REFCluster
• InQueue (a starting point)
• InCommon
• SWITCH
• The Shib Research Club
• Other national nets
• Other clusters
• Other potential US R+E feds
• State of Penn Fin Aid Assoc
• NSDL
• Slippery slope: Med Centers, etc.
• Indiana

Specific possibilities

• Participate in beta testing of middleware components to get your requirements into development stream

• Participate in middleware-enhanced VO trials

• Others???

Q & A

• hazelton@doit.wisc.edu
• http://middleware.internet2.edu
• http://shibboleth.internet2.edu
• http://grid.ncsa.uiuc.edu/GridShib
• http://middleware.internet2.edu/dir/groups/grouper
• http://middleware.internet2.edu/signet
• http://www.incommonfederation.org
