Access management: challenges and approaches
James Dalziel, Adjunct Professor and Director, Macquarie E-learning Centre of Excellence
james@melcoe.mq.edu.au
www.melcoe.mq.edu.au
Overview
• COLIS and access management
• Access management challenges
• MAMS
• MAMS and other projects
• Access management framework
COLIS and access management
• Demonstrator project based on open standards
  • IMS CP, IMS DRI, IMS LRM, ODRL
• Five universities and five vendors
• Many different conceptions of the problem
• Language difficulties
• The COLIS Demonstrator is not “the solution”
  • Work in progress to help uncover practical issues
  • Functioning Demonstrator for discussion
[Diagram: Systems Chunks in COLIS. Components shown: Learning Space, Application Integration, Learning Content Management, Learning Management, Content Management, Integration Services, Library E-Services, E-Reserve, E-Journals, Digital Rights Management, Directory Services.]
COLIS and access management
• Access management requirements
  • No modification to target systems
  • SSO
  • “Deep linking”
  • Support multiple windows
• Different approaches to solving access management
  • Large scale “corporate” solution
  • Small scale pragmatic approach, legacy systems
[Diagram: COLIS SSO Model. Components: User Browser, SSO Proxy + Scripting, Login Form, LDAP Authentication, Authorisation DBase, Application Web Server. Flow: while the user hasn’t logged in, a request for an Application URL meets an Authentication Challenge and the Login Form, which checks LDAP Authentication and the Authorisation DBase and returns an Authentication Token; once the user has logged in, the proxy fetches Web Page 1 from the Application Web Server.]
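The SSO proxy model above can be made concrete. The following is an added example written for this page, not code from the COLIS Demonstrator: a proxy that fronts unmodified target applications, checks for its own HMAC-signed token, redirects to a login form while preserving the deep link, and forwards authenticated requests to the application web server. The secret key, the directory (a dict standing in for LDAP), the routing table and the cookie name `colis_sso` are all constructed assumptions.

```python
"""COLIS-style SSO proxy logic, modelled in plain Python (added example).

The proxy sits between the browser and an unmodified target application.
It checks for its own SSO token, otherwise bounces the browser to a login
form while remembering the deep link, authenticates against a directory
(a constructed dict stands in for LDAP here) and issues an HMAC-signed token."""
import base64
import hashlib
import hmac
import time
from urllib.parse import urlencode

SECRET = b"constructed-demo-key-replace-in-deployment"  # assumption: key shared by proxy nodes
TOKEN_TTL = 3600  # seconds

# Constructed stand-in for the LDAP directory: uid -> password.
DIRECTORY = {
    "jdalziel": "correct horse battery staple",
    "student1": "hunter2",
}

# Constructed routing table: URL prefix seen by the browser -> application web server.
UPSTREAMS = {
    "/lms": "http://lms.internal",
    "/ereserve": "http://ereserve.internal",
}


def issue_token(uid, secret=SECRET, now=None):
    """Token = uid|expiry|HMAC-SHA256(uid|expiry), urlsafe base64 encoded."""
    exp = int(now if now is not None else time.time()) + TOKEN_TTL
    payload = f"{uid}|{exp}"
    sig = hmac.new(secret, payload.encode(), hashlib.sha256).hexdigest()
    return base64.urlsafe_b64encode(f"{payload}|{sig}".encode()).decode()


def verify_token(token, secret=SECRET, now=None):
    """Return the uid if the token is authentic and unexpired, else None."""
    try:
        uid, exp, sig = base64.urlsafe_b64decode(token.encode()).decode().rsplit("|", 2)
        exp = int(exp)
    except ValueError:  # bad base64, bad UTF-8, wrong field count or non-numeric expiry
        return None
    expected = hmac.new(secret, f"{uid}|{exp}".encode(), hashlib.sha256).hexdigest()
    if not hmac.compare_digest(expected, sig):
        return None
    now = int(now if now is not None else time.time())
    return uid if exp > now else None


def safe_return_to(return_to):
    """Only relative paths are honoured as deep links, so the login form
    cannot be turned into an open redirect to another host."""
    if return_to.startswith("/") and not return_to.startswith("//"):
        return return_to
    return "/"


def handle_request(path, cookies, now=None):
    """Proxy entry point: either forward to the target or redirect to login."""
    uid = verify_token(cookies.get("colis_sso", ""), now=now)
    if uid is None:
        # Deep linking: the requested URL travels with the login redirect.
        return {"action": "redirect", "location": "/login?" + urlencode({"return_to": path})}
    for prefix, origin in UPSTREAMS.items():
        if path == prefix or path.startswith(prefix + "/"):
            return {"action": "proxy", "uid": uid, "upstream": origin + (path[len(prefix):] or "/")}
    return {"action": "not_found"}


def handle_login(form, now=None):
    """Login form handler: check the directory, mint a token, honour the deep link."""
    password = DIRECTORY.get(form.get("uid", ""))
    if password is None or not hmac.compare_digest(password.encode(), form.get("password", "").encode()):
        return {"action": "deny"}
    return {
        "action": "login_ok",
        "token": issue_token(form["uid"], now=now),
        "location": safe_return_to(form.get("return_to", "/")),
    }
```

The target application never sees the token: the proxy validates it and then speaks to the application web server itself, which is what lets the model satisfy the “no modification to target systems” requirement. The `safe_return_to` check matters because a deep-link parameter that accepts arbitrary URLs turns the institution’s login page into an open redirect for phishing.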
Access management challenges
• Need for practical, incremental solutions
• Recognition of education systems environment
  • Many legacy systems, impractical to change/remove
• No single solution will be sufficient
  • Need more than one way of accessing targets
  • “Multi-modal Single Sign On”
• Intra-institutional and inter-institutional needs
• Role of identity management
  • Directories, unique identifiers, extensible attributes
MAMS
• MAMS: “Meta Access Management System”
• An umbrella system with numerous modules for access to different systems as required
• Inter-institutional communication between MAMS instances
• Originally a proposal to DEST SII in 2002
• Now a consortium bid for ARIIC 2003 common technical services Demonstrator
[Diagram: Current University Access Management Challenge. An Access System (eg, Portal), backed by Directories, offers one type of SSO mechanism (eg, Kerberos). It reaches Application D (requires Kerberos), but Application A (requires scripting), Application B (requires reverse proxy) and Application C (requires IP address restriction) are marked “x”: unreachable with that single mechanism.]
[Diagram: Meta Access Management System (MAMS) Architecture. The Access System (eg, Portal) and Directories connect to a Local MAMS, which also communicates with an Other Institution MAMS. Local MAMS modules and their targets: Scripting module → Application A (requires scripting); Reverse proxy module → Application B (requires reverse proxy); IP address restriction module → Application C (requires IP address restriction); Kerberos module → Application D (requires Kerberos).]
[Diagram: Example MAMS Implementation (Type 4). University A MAMS and University B MAMS, each with its own Access System, directories reached via X.500/LDAP, Kerberos and a Certificate system. Target systems: Learning Management System (scripting enabled), Learning Object Management System (reverse proxy enabled), Library Premium Databases (IP restrictions enabled), Library Premium Databases (Kerberos enabled), Digital Rights Management System (Kerberos enabled).]
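The umbrella idea in the three diagrams above, as an added example written for this page rather than MAMS project code: the access system looks up which mechanism a target requires and hands the request to the matching module, denying by default when no module fits. Two modules are worked through, IP address restriction (a CIDR check that an IP-licensed library database cannot do for remote users itself) and reverse proxy (rewriting the target’s own links so follow-up clicks stay inside the proxy). The scripting and Kerberos modules from the slides are registered but not implemented here. The target registry, the proxy host name and the sample page are constructed.

```python
"""MAMS-style umbrella, modelled in plain Python (added example): one access
system in front, one module per access mechanism behind it, chosen from the
target's registration. Two modules are implemented (IP address restriction and
reverse proxy); scripting and Kerberos are registered but have no module here,
so dispatch falls through to deny for them."""
import ipaddress
import re

PROXY_HOST = "https://mams.example.edu"  # assumption: public host of the reverse-proxy module

# Constructed registry: target application -> the access mechanism it requires.
TARGETS = {
    "lms":       {"mechanism": "scripting"},
    "lom":       {"mechanism": "reverse_proxy", "origin": "http://lom.internal"},
    "premiumdb": {"mechanism": "ip_restriction", "allowed": ["10.0.0.0/8", "2001:db8::/32"]},
}

# Constructed page as the LOM server would return it, with absolute links back to itself.
SAMPLE_LOM_PAGE = ('<a href="http://lom.internal/item/7">Item 7</a>\n'
                   '<img src="http://lom.internal/logo.png">\n'
                   '<a href="http://other.example/x">external</a>\n'
                   '<a href="http://lom.internal">home</a>')


def module_ip_restriction(target, client_ip):
    """The vendor only checks source address; MAMS decides whether the client is
    inside a licensed range (IPv4 or IPv6) before letting the request through."""
    try:
        addr = ipaddress.ip_address(client_ip)
    except ValueError:
        return {"decision": "deny", "module": "ip_restriction", "reason": "unparseable client address"}
    for cidr in target["allowed"]:
        # ip_network membership is False across address families, so mixed lists are safe.
        if addr in ipaddress.ip_network(cidr):
            return {"decision": "allow", "module": "ip_restriction", "matched": cidr}
    return {"decision": "deny", "module": "ip_restriction", "reason": "client outside licensed ranges"}


def rewrite_links(html, origin, proxy_prefix):
    """Rewrite absolute href/src attributes pointing at the origin so that every
    follow-up click stays inside the proxy; links to other hosts are untouched."""
    pattern = re.compile(r'(href|src)="%s(/[^"]*)?"' % re.escape(origin))
    return pattern.sub(lambda m: '%s="%s%s"' % (m.group(1), proxy_prefix, m.group(2) or "/"), html)


def module_reverse_proxy(target, target_name, path, page):
    """Fetch from the origin (not done here) and rewrite the body before returning it."""
    upstream = target["origin"] + path
    body = rewrite_links(page, target["origin"], f"{PROXY_HOST}/{target_name}") if page is not None else None
    return {"decision": "allow", "module": "reverse_proxy", "upstream": upstream, "body": body}


def dispatch(target_name, client_ip="0.0.0.0", path="/", page=None, registry=TARGETS):
    """Access system entry point: pick the module from the registration; deny by default."""
    target = registry.get(target_name)
    if target is None:
        return {"decision": "deny", "reason": "unregistered target"}
    mechanism = target["mechanism"]
    if mechanism == "ip_restriction":
        return module_ip_restriction(target, client_ip)
    if mechanism == "reverse_proxy":
        return module_reverse_proxy(target, target_name, path, page)
    return {"decision": "deny", "reason": f"no module available for {mechanism}"}
```

Adding a mechanism means adding a module and a registry entry, not touching the access system or the target, which is the point of the umbrella. The default-deny branch is deliberate: a target registered with a mechanism nobody has implemented must not silently fall back to an open pass-through.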
MAMS and other projects
• MAMS has liaisons with:
  • COLIS partners (MQ, UNE, USQ, Tas, Newcastle)
  • Indirect liaison to OTEN and WestOne from IIS&R project
  • WALAP partners (UWA, Curtin, EC, Murdoch, ND)
  • Telstra Research Labs, National Library of Australia, education.au
  • Vendors: Sun, Microsoft, Novell
  • Internet2/MACE Shibboleth project (US)
  • Open Knowledge Initiative (OKI) (US)
  • Various JISC/CETIS projects (UK)
  • University of Ulster/Athens (UK)
  • National Library of New Zealand (NZ)
MAMS and other projects
• MAMS open standards research covers:
  • Security Assertion Markup Language (SAML)
  • eXtensible Access Control Markup Language (XACML)
  • Directory Assertion Markup Language (DAML)
  • Service Provisioning Markup Language (SPML)
  • Various components of the Web Services family of standards (WS-*)
  • EduPerson Directory Schema
  • Open Archives Initiative Protocol for Metadata Harvesting (OAI-PMH)
  • Dublin Core (DCMI)
  • Australian Government Locator Service (AGLS)
  • IMS Learning Resource Metadata (IMS LRM)
  • IEEE Learning Object Metadata (IEEE LOM)
  • Metadata Encoding and Transmission Standard (METS)
  • Open Digital Rights Language (ODRL)
  • MPEG Rights Expression Language (MPEG REL)
  • Open Grid Services Architecture (OGSA)
  • Open Knowledge Initiative Open Service Interface Definitions (OSID)
  • ISO 2146 Collection Agencies Directory Standard
  • Z39.50 (ISO 23950) Search protocol
  • IMS Digital Repository Interoperability (IMS DRI)
MAMS and Shibboleth
• Shibboleth is an Internet2/MACE project
  • Best practice at cross-authentication for education
  • Standards basis to Shibboleth, especially SAML
• Common elements
  • MAMS umbrella and Shibboleth
  • Shibboleth “resource handlers” and MAMS modules
  • Shibboleth inter-institutional federation
• Crucial importance of anonymity and privacy within foundation architectural model
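The last bullet is the part of the Shibboleth model most easily lost in a diagram, so here is an added example written for this page (not Shibboleth or MAMS code) of what “anonymity and privacy within the architectural model” means in practice: the identity provider filters the user’s directory record through a per-service attribute release policy, and identifies the user to each service provider with an opaque pseudonym that is stable for that SP but different at every other SP, so two services cannot join their records. The directory record, the release policy, the SP entity IDs and the IdP salt are constructed; the pseudonym is built in the spirit of eduPersonTargetedID, not by any normative algorithm.

```python
"""Privacy model of a Shibboleth-style federation, in plain Python (added example):
the identity provider releases to each service provider only the attributes its
policy allows, and identifies the user with an opaque per-SP pseudonym rather than
a name or login."""
import base64
import hashlib
import hmac

IDP_SALT = b"constructed-idp-salt-keep-secret"  # assumption: long-lived IdP secret

# Constructed directory record using eduPerson attribute names.
USER = {
    "uid": "jdalziel",
    "displayName": "James Dalziel",
    "mail": "james@melcoe.mq.edu.au",
    "eduPersonScopedAffiliation": ["staff@mq.edu.au", "member@mq.edu.au"],
    "eduPersonEntitlement": ["urn:mace:dir:entitlement:common-lib-terms"],
}

# Constructed attribute release policy: SP entityID -> attributes the IdP may release.
# Anything not listed is withheld; an SP not listed at all gets no attributes.
RELEASE_POLICY = {
    "https://ereserve.example.edu/shibboleth": {"eduPersonScopedAffiliation", "eduPersonEntitlement"},
    "https://lms.example.edu/shibboleth": {"displayName", "mail", "eduPersonScopedAffiliation"},
}


def targeted_id(uid, sp_entity_id, salt=IDP_SALT):
    """Opaque identifier in the spirit of eduPersonTargetedID: stable for one user
    at one SP, so the SP can keep per-user state, but keyed on the SP so two SPs
    cannot join their records, and not reversible to the uid without the salt."""
    mac = hmac.new(salt, f"{uid}\x00{sp_entity_id}".encode(), hashlib.sha256).digest()
    return base64.urlsafe_b64encode(mac).decode().rstrip("=")


def release_attributes(user, sp_entity_id, policy=RELEASE_POLICY):
    """IdP side: filter the directory record through the release policy for this SP."""
    allowed = policy.get(sp_entity_id, set())
    released = {name: value for name, value in user.items() if name in allowed}
    released["eduPersonTargetedID"] = targeted_id(user["uid"], sp_entity_id)
    return released


def authorise(released, scope="mq.edu.au", roles=("faculty", "staff", "student", "member")):
    """SP side: an e-reserve decides on scoped affiliation alone and never learns who the user is."""
    for affiliation in released.get("eduPersonScopedAffiliation", []):
        role, _, aff_scope = affiliation.partition("@")
        if role in roles and aff_scope == scope:
            return True
    return False
```

The e-reserve in this policy receives affiliation and entitlement only: enough to grant access under a library licence, nothing that names the reader. The LMS, which has to show a name in a gradebook, is released more, and that difference is a policy decision made once at the IdP rather than something each target application negotiates.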
[Diagram: Example MAMS Implementation (Type 4) + Recent Projects overlay. The Type 4 implementation as before (University A MAMS and University B MAMS, each with an Access System; X.500/LDAP directories; Kerberos; Certificate system; the same target systems: Learning Management System (scripting enabled), Learning Object Management System (reverse proxy enabled), Library Premium Databases (IP restrictions enabled), Library Premium Databases (Kerberos enabled), Digital Rights Management System (Kerberos enabled)), overlaid with WALAP at each university’s Access System, Shibboleth for the inter-institutional link, PKI or other Digital Certificates at the Certificate system, and MAMS (Resource Handlers) in front of the targets.]
A Framework for Access Management
• The following slides provide a high level, (very) crude framework for thinking about different components of access management
[Chart, repeated over four slides: horizontal axis “Breadth of access management solution”, vertical axis “Sophistication of component”. Components placed along the breadth axis: Authentication, Authorisation, Single Sign On, Federated Trust, Identity & Attributes (Directories).]
• Sample PKI approach: covers Authentication and Identity & Attributes
• COLIS approach: covers Authentication, Single Sign On and Identity & Attributes
• MAMS goals: an integrated, federated access and identity management infrastructure covering Authentication, Authorisation, Single Sign On, Federated Trust and Identity & Attributes
Conclusion
• Access management as a key element of research and education infrastructure
• Need for Demonstrator, incremental development, recognition of current education sector realities
• No one SSO method will be sufficient
• Importance of open standards
• Architectural challenge of privacy and anonymity
• Common ground between MAMS and VET