1 / 23

Towards Common Identity Services

Tom Barton University of Chicago. Towards Common Identity Services. Matterhorn. Consortium of Universities building an enterprise-level, easy-to-install open source podcast and rich media capture, processing and delivery system. Typical security issues need to be handled User authentication

miguelk
Download Presentation

Towards Common Identity Services

An Image/Link below is provided (as is) to download presentation Download Policy: Content on the Website is provided to you AS IS for your information and personal use and may not be sold / licensed / shared on other websites without getting consent from its author. Content is provided to you AS IS for your information and personal use only. Download presentation by click this link. While downloading, if for some reason you are not able to download a presentation, the publisher may have deleted the file from their server. During download, if you can't get a presentation, the file might be deleted by the publisher.

E N D

Presentation Transcript

  1. Tom Barton University of Chicago Towards Common Identity Services

  2. Matterhorn • Consortium of Universities building an enterprise-level, easy-to-install open source podcast and rich media capture, processing and delivery system. • Typical security issues need to be handled • User authentication • Service authentication • Proxy authentication • Long-running processes • Integration with enterprise services • Out-of-the-box support for enterprises lacking those services

  3. “Is this a problem that the Matterhorn software needs to solve? … I hope we can come up with a cheap & easy solution in order to get on with our fundamental tasks involving the handling of media.” Josh Holtzman, Matterhorn Team member opencast list, May 15, 2009

  4. Identity services for applications Manage Convey Interface Privileges LDAP Permissions Roles SAML Roles Groups SQL Groups Credentials SOAP/REST Attributes Subjects Kerberos Authentication

  5. WANTED: Domesticated applications • Integrate collaboration tools into a common platform • User and collaboration centric identity, not tool-based identity • How much domestication is needed? • COmanage • SURFGroepen • Sympa as VO group manager • Duke’s OZ • SWITCH VO platform • U Malaga “identity bus” • Bamboo?

  6. The identity services problem Applications can't be developed that easily integrate with external IAM services until there's broadly held agreement on the interfaces between the two

  7. It’s a tower of turtles • Application developers • Framework developers • Platform developers • Standards bodies • Too many • Not enough • Communities of practice • Education & Research • Internet Identity • Integrators • Deployers

  8. Don’t try to solve the general problem! Focus on a small set of related, constrained use cases and make progress on those

  9. June 2009 Advanced CAMP: Identity Services Summit • Participation • Open source project developers • Jasig (uPortal, CAS, Bedework) • SAKAI • Kuali • Campus developers & architects • Internet2/MACE • Kantara • Project reviews (surveys & sessions) • Lightning talks, break-outs

  10. Some action items from the Identity Services Summit • Access management glossary and mapping between open source projects • KIM – Grouper service implementation proof of concept • uPortal – Grouper service implementation proof of concept • Shibbolized & CASified .NET & sharepoint • Bedework & COmanage discovery • Enhance development frameworks with roles, etc. • Spring, django

  11. MACE-Paccman: some problems • Access Management terminology is confusing e.g. privilege, permission, entitlement, authorization • Access Management is often embedded in applications and so is reinvented often • Access Management often does not account for federations • Provisioning is easier than de-provisioning • Audit trails are often per application if they exist at all Paccman slides courtesy of Tom Dopirak

  12. MACE-Paccman Initial Deliverables • Glossary and models for Access Management • How to use groups • How to use privileges • How to provision embedded Access Management software • Audit Considerations • Comparative glossary with major access management endeavors and Open Source Higher ED projects e.g. Sakai, uPortal, Kuali • Use Cases in Access Management • Mapping use cases to existing efforts • Kuali KIM • MIT’s perMIT • Grouper

  13. Kuali Foundation “open source administrative software for higher education, by higher education” • kuali financials • kualicoeus (research administration) • kuali student • kuali rice (middleware framework) • Incubation projects • ole (integrated library system) • continuity planning • payroll/hr • materials management

  14. Kuali Identity Management (KIM) • A new module of the Kuali Rice middleware framework (http://rice.kuali.org) • Implemented as a set of services for identity and access management • Designed with the needs of the other Kuali applications in mind (financials, research administration and student system) • But also meant to be general enough to be used by other applications as well KIM slides courtesy of Eric Westfall

  15. KIM Services • IdentityService • Principals and entities • GroupService • Group data, group membership checks • PermissionService • Authorization checks • RoleService • Role data • ResponsibilityService • Resolve responsibilities for certain actions (integration point with the workflow engine) • AuthenticationService • Establishes an authenticated user’s session

  16. Where does it fit? • Topic of discussion at Advanced CAMP on identity management in June • Where does Kuali Identity Management fit into the broader identity and access management space in higher education? • A few possibilities • Can be used solely for implementation of specific Kuali applications • Can be positioned as the primary identity and access management services at an institution • Certain pieces of the reference implementation can be used, while others can be integrated with or replaced with other solutions (i.e. LDAP, Grouper, Active Directory) • Working on some projects surrounding the last item, specifically working with Grouper team on a proof of concept for integration with KIM

  17. uPortal’s group-related services • GAP: Groups And Permissions • Gather groups from configured group stores • UI to manage groups and permissions • Desired to outsource to Grouper • PAGS: Person-Attribute Group Service • Present group memberships from attributes in user’s security context • PD: Person Directory • Gather Subjects from configured stores

  18. uPortal-Grouper integration needs • Refactor PAGS • New group admin UI • Portal Subjects source adapter • Add GAP interface • Add group-pull WS PAGS UI PD GAP pull groups (& Subjects) Subject Source Portal DB LDAP DB-A

  19. End matter • “The thing with integration is that it takes a lot of work, and especially in the early stages, and the work has to come from the real experts, so it's expensive.” -- RL “Bob” Morgan • Is it enough to have ID Services interfaces, or do we also need to somehow unify management of privileges external to applications with application specific privileges? • Advanced CAMP 2010 will continue the identity services for OSS theme

  20. For more information, visit https://spaces.internet2.edu/display/IdSrvcsClearhouse

More Related