Emerging Infrastructure for Collaboration: Next Generation Plumbing

1
Emerging Infrastructure for Collaboration Next
Generation Plumbing
2
Topics

• Frameworks
• Enterprise-based middleware
• Federated services and applications
• Virtual organizations and trust fabrics
• Activities in Collaborative Middleware
• Deployments
• Development
• Related Activities a bunch of Mellons,
  instant messaging, etc
• Implications for the higher ed community
• Implications for the marketplace and the public
  sector

3
Frameworks

• Enterprise-based middleware
• Middleware that provides institutional core
  middleware needs (academic and administrative)
• Constructed in similar but locally adaptive
  fashions on campuses, with standard external
  service points (directory objectclasses, handle
  servers, etc.)
• Federated services and applications
• Enterprises come together into federations, with
  formal trust structures that permit exchange of
  attributes, including identity
• User actions within the federation are generally
  moderated by their enterprise
• Resource discovery, security, privacy,
  authorizations managed by user and enterprise
• Virtual organizations leverage the above in a
  cross-stitch
• Sparse mode collaborative communities with real
  resources and authorizations to share
• Trust fabrics (global, federated, P2P) necessary
  for secure and private collaboration

4
A Map of Middleware Land
5
Core Middleware Scope

• Identity and Identifiers namespaces, identifier
  crosswalks, real world levels of assurance, etc.
• Authentication campus technologies and
  policies, interrealm interoperability via PKI,
  Kerberos, etc.
• Directories enterprise directory services
  architectures and tools, standard objectclasses,
  interrealm and registry services
• Authorization permissions and access controls,
  delegation, privacy management, etc.
• Integration Activities open management tools,
  application of P2P, federated and hierarchical
  trust, enabling common applications with core
  middleware

6
Campus Core Middleware Architecture(Origin
perspective)
7
Federated administration

• Given the strong collaborations within the
  academic community, there is an urgent need to
  create inter-realm tools, so
• Build consistent campus middleware infrastructure
  deployments, with outward facing objectclasses,
  service points, etc. and then
• Federate (multilateral) those enterprise
  deployments with interrealm attribute transports,
  trust services, etc. and then
• Leverage that federation to enable a variety of
  applications from network authentication to
  instant messaging, from video to web services,
  from p2p to virtual organizations, etc. while we
• Be cautious about the limits of federations and
  look for alternative fabrics where appropriate.

8
Federated administration
VO
VO
O T
A CM
O T
CM A
Campus 1
Campus 2
T
T
T
Federation
9
Unified field theory of Trust

• Bridged, global hierarchies of identification-orie
  nted, often government based trust laws,
  identity tokens, etc.
• Passports, drivers licenses
• Future is typically PKI oriented
• Federated enterprise-based leverages ones
  security domain often role-based
• Enterprise does authentication and attributes
• Federations of enterprises exchange assertions
  (identity and attributes
• Peer to peer trust ad hoc, small locus personal
  trust
• A large part of our non-networked lives
• New technology approaches to bring this into the
  electronic world.
• Distinguishing P2P apps arch from P2P trust

10
Virtual Organizations

• Geographically distributed, enterprise
  distributed community that shares real resources
  as an organization.
• Examples include team science (NEESGrid, BIRN,
  NEON), digital content managers (library
  cataloguers, curators, etc), life-long learning
  consortia, etc.
• On a continuum from interrealm groups (no real
  resource management, few defined roles) to real
  organizations (primary identity/authentication
  providers)
• Want to leverage enterprise middleware and
  external trust fabrics

11
Leveraging V.O.s Today
VO
User
Federation
Enterprise
Target Resource
12
Leveraged V.O.s Tomorrow
VO
User
Collaborative Tools Authority System etc
Federation
Enterprise
Target Resource
13
Middleware Activities

• NMI-EDIT Management MACE, Internet2, EDUCAUSE,
  SURA
• In deployment
• Directories
• Security
• Federations
• In development
• Virtual organizations - JISC
• Diagnostics
• Authorization and privilege management

14
MACE (Middleware Architecture Committee for
Education)

• Purpose - to provide advice, create experiments,
  foster standards, etc. on key technical issues
  for core middleware within higher education
• Membership - Bob Morgan (UW) Chair, Tom Barton
  (Chicago), Scott Cantor (Ohio State), Steven
  Carmody (Brown), Michael Gettes (Duke), Keith
  Hazelton (Wisconsin), Paul Hill (MIT), Jim Jokl
  (Virginia), Mark Poepping (CMU), Bruce Vincent
  (Stanford), David Wasley (California), Von Welch
  (Grid)
• European members - Brian Gilmore (Edinburgh), Ton
  Verschuren (Netherlands), Diego Lopez (Spain)
• Creates working groups in major areas, including
  directories, interrealm access control, PKI,
  video, P2P, etc.
• Works via conference calls, emails, occasional
  serendipitous in-person meetings...

15
In deployment - International
16
In deployment - US
17
Directories

• Creation and deployment of consistent internal
  directory infrastructure within the higher-ed
  community.
• Includes metadirectory services
• Standard internal objectclasses
• Most applications have become directory enabled
• Development and adoption of outward facing
  directory objectclasses eduPerson and eduOrg
• eduPerson - Identity and associated attribute
  values, entitlements, etc.
• eduOrg enterprise attribute values
• Internationalization of eduPerson underway
• H.350 desktop video resource discovery, now an
  ITU standard

18
Security

• Emergence of federating software and federations
• Rise of SAML (www.opensaml.org)
• Shibboleth
• In PKI, deployments remain challenging
• Escrow, mobility, path construction and
  validation remain very hard
• Non-standards proliferate little I in the PK
  that exists
• Some campuses have traction
• First generation WebSSOs proliferate and show
  limits
• Credential converters (KCA and a Shibbed CA)
• HEBCA (a bridge certificate authority for higher
  education) and USHER (US Higher Ed root CA) are
  under slooooow construction
• Security as creating new capabilities as well as
  restricting use

19
Shibboleth Status

• Open source, privacy preserving federating
  software
• Being very widely deployed in US and
  international universities
• Target - works with Apache(1.3 and 2.0) and IIS
  targets Java origins for a variety of Unix
  platforms.
• V2.0 likely to include portal support, identity
  linking, non web services (plumbing to
  GSSAPI,P2P, IM, video) etc.
• Work underway on intuitive graphical interfaces
  for the powerful underlying Attribute Authority
  and resource protection
• Likely to coexist well with Liberty Alliance and
  may work within the WS framework from Microsoft.
• Growing development interest in several
  countries, providing resource manager tools,
  digital rights management, listprocs, etc.
• Used by several federations today NSDL,
  InQueue, SWITCH and several more soon (JISC,
  Australia, etc.)
• http//shibboleth.internet2.edu/

20
GUIs to manage Shibboleth
21
Federations

• Associations of enterprises that come together to
  exchange information about their users and
  resources in order to enable collaborations and
  transactions
• Enroll and authenticate and attribute locally,
  act federally.
• Uses federating software (e.g. Liberty Alliance,
  Shibboleth, WS-) common attributes (e.g.
  eduPerson), and a security and privacy set of
  understandings
• Enterprises (and users) retain control over what
  attributes are released to a resource the
  resources retain control (though they may
  delegate) over the authorization decision.
• Several federations now in construction or
  deployment

22
InCommon federation

• Federation operations Internet2
• Federating software Shibboleth 1.1 and above
• Federation data schema - eduPerson200210 or later
  and eduOrg200210 or later
• Federation privacy and security requirements in
  discussion, could be
• Privacy requirements
• Initially, destroy received attributes
  immediately upon use
• Security requirements
• Initially, enterprises post local I/A and basic
  business rules for assignment of
  eduPersonAffiliation values
• Likely to progress towards standardized levels of
  authn

23
InQueue Origins2.12.04

• National Research Council of Canada
• Columbia University
• University of Virginia
• University of California, San Diego
• Brown University
• University of Minnesota
• Penn State University
• Cal Poly Pomona
• London School of Economics
• University of North Carolina at Chapel Hill
• University of Colorado at Boulder
• UT Arlington
• UTHSC-Houston
• University of Michigan
• University of Rochester
• University of Southern California

• Rutgers University
• University of Wisconsin
• New York University
• Georgia State University
• University of Washington
• University of California Shibboleth Pilot
• University at Buffalo
• Dartmouth College
• Michigan State University
• Georgetown
• Duke
• The Ohio State University
• UCLA
• Internet2
• Carnegie Mellon University

24
In development

• Virtual organizations
• Privilege management and authorization systems
• Middleware diagnostics
• Federated network-layer security services and
  capabilities

25
Stanford Authz Model
26
Authr Deliverables

• The deliverables consist of
• A recipe, with accompanying case studies, of how
  to take a role-based organization and develop
  apprpriate groups, policies, attributes etc to
  operate an authority service
• Templates and tools for registries and group
  management
• a Web interface and program APIs to provide
  distributed management (to the departments, to
  external programs) of access rights and
  privileges, and
• delivery of authority information through the
  infrastructure as directory data and authority
  events.

27
Home
28
Grant Authority Wizard
29
Related Activities in Collaboration Tools

• Chandler
• Instant Messaging
• P2P filesharing Lionshare

30
Chandler

• Open source email and calendaring package
• Being developed by Open Source Application
  Foundation (Mozilla et al, led by Mitch Kapor)
• Both stand-alone and enterprise versions due out
  before the end of the year
• Intended to be collaborative in nature
• Shared role-based views
• Federated views

31
Lionshare

• P2P file sharing application that is
• Enterprise-based uses authentication and campus
  directory and resource discovery
• Federated works between institutions, using
  local authentication and authorization
• Learning object oriented meta-data based
  linked to digital repositories, courseware, etc.
• Developed at Penn State University, now being
  extended with assistance from Mellon Foundation,
  Internet2, OKI, Edusource
• URL is

32
Instant Messaging

• Federated IM
• authentication by enterprise
• Screen name authenticated opaque or transparent
  by choice
• Access control to chat rooms
• Across enterprises
• Across IM technologies
• Payloads
• Signalling

33
Implications for the Higher Ed Community

• A variety of collaborative apps are being
  middleware enabled
• There is a growing federated trust infrastructure
  among the RE community with potential
  international usefulness.
• New architectures for passing attributes and
  identity new tools to learn for managing privacy
  and security
• Emergent tools for authority management new
  tools to learn for managing authorization
• A marketplace of identity service providers may
  emerge

34
Implications for the Marketplace and Public Sector

• Inter-sector federation activities are not
  understood
• International issues
• Consistency of trust
• Interoperability of technologies
• A marketplace of identity service providers may
  emerge
• Collaborative tools will need to work across a
  variety of trust fabrics
• Users will need to manage both privacy and trust
  defaults will be important