Presentation is loading. Please wait.

Presentation is loading. Please wait.

The Rest of the World, in 75 minutes… Ken Klingenstein Director, Internet2 Middleware and Security.

Similar presentations

Presentation on theme: "The Rest of the World, in 75 minutes… Ken Klingenstein Director, Internet2 Middleware and Security."— Presentation transcript:

1 The Rest of the World, in 75 minutes… Ken Klingenstein Director, Internet2 Middleware and Security

2 Topics Directory Activities: Eduperson, CourseID, Entitlements, others… Shibboleth Update: Core Code, Federations, GUI’s, Project Management Grids: GGF and EGA, Campus Grids, Integration with enterprises PKI: HEBCA, USHER, TACAR and EuroPMA Diagnostics: Middleware diagnostics, performance and security diagnostics, the SURFnet Detective

3 Directory activities  Eduperson Entitlements and TargetID Affiliate vs Member  Localperson  CourseID

4 Shibboleth Today  V1.2 on the streets, v1.3 in development  Software still is “simple” but getting increasingly complex. Software is still early.  Identified as the national R&E federation technology in the US, the UK, Australia, Switzerland, Finland, and perhaps others…  Increasingly “at” Burton, Catalyst, DigitalID Conferences  Interoperability discussions and commitments being made among federating software developers

5 Core software development  V1.0 April 2003, v 1.2 May 2004  V1.3 targeted for fall; priorities include portal support, perhaps artifact SAML profile  SAML 2.0, OpenSAML 2.0 and the meaning of Shibboleth  WS-Fed interoperability  Shib as WebISO  SOAP and SAML –interim and long-term  Whole-grain Shib  Refactoring into core and module for long-term management  Integrated documentation and install guides

6 SAML 2.0  Historic relationship of SAML and Shib  Contributions from both Liberty and Shibboleth to spec.  TC under OASIS, with contributing editor S. Cantor, Individual  Largely done, perhaps final committee work by end of August, then approval by Nov or IBM…  Refactors a lot, in Shib and vendor products – how quickly will vendors adopt?  OpenSAML 2.0 will happen…

7 Coordination of Shib development  Development now taking place in several countries, with significant investments outside the original development crew.  A reasonable re-layering of architecture and code might be helpful  Management role models: Likely: OpenLDAP, Apache Less likely: GGF  Alignment of licensing and copyright could be challenging

8 Federations  Seem to be happening. InQueue has > 50. InCommon is nearing completion of policies, pricing, membership decisions. Ten phase 1 participants doing the lifting  Shib R&E feds in UK, Australia, Switzerland, Finland, others; non-Shib FEIDE in Norway  Federations in business still bilateral, nonpersistent  International federation peering in UK in October  Some activity in US federal gov  Other efforts, such as Salsa-NetAuth, plan to leverage federations

9 Coupled systems  The major GUI’s – SysAdmin, Autograph, PRM  Other AA backend plug-ins  Alternative WAYF approaches Interim Long-term  Other trust fabrics

10 GUI’s to manage Shibboleth

11 SysPriv ARP GUI  A tool to help administrators (librarians, central IT sysadmins, etc) set attribute release policies enterprise- wide For access to licensed content For linking to outsourced service providers Has implications for end-user attribute release manager (Autograph)  GUI design now actively underway, lead by Stanford  Plumbing to follow shortly

12 End-user attribute release manager (Autograph)  Intended to allow end-users to manage release policies themselves and, perhaps, understand the consequences of their decisions  Needs to be designed for everyone even though only 3% will use it beyond the defaults.  To scale, must ultimately include extrapolation on settings, exportable formats, etc.

13 Privacy Management Systems

14 Personal Resource Manager

15 Grids  GGF and EGA – two standards organizations, no standards…  Enterprise Grids – a developing approach  The Terrorgrid – of integration and security  Integration with enterprises – leveraging enterprise infrastructure and R&E federations

16 PKI  HEBCA  USHER  TACAR and EuroGrid PMA  Buy a global higher ed root

17 Virtual Organizations  Geographically distributed, enterprise distributed community that shares real resources as an organization.  Examples include team science (NEESGrid, HEP, BIRN, NEON), digital content managers (library cataloguers, curators, etc), life-long learning consortia, etc.  On a continuum from interrealm groups (no real resource management, few defined roles) to real organizations (primary identity/authentication providers)  Want to leverage enterprise middleware and external trust fabrics

18 Virtual Organizations  Some things seem consistent across almost all VO’s The need to manage and delegate VO authorizations Unique naming, and managed resource discovery A set of collaboration tools, including a list manager, calendar, shared web content management, etc that are seamlessly integrated into users’ everyday environment A need to factor in, and leverage, local domain requirements and capabilities  Some things are specific to each VO The members and the resources being managed Requirements for advanced services, such as Grids and instrument management

19 Virtual organizations  Need a model to support a wide variety of use cases Native v.o. infrastructure capabilities, differences in enterprise readiness, etc. Variations in collaboration modalities Requirements of v.o.’s for authz, range of disciplines, etc  JISC in the UK has lead; builds on NSF NMI  Tool set likely to include seamless listproc, web sharing, shared calendaring, real-time video, privilege management system, etc.

20 Leveraging V.O.s Today VO Target Resource User Enterprise Federation

21 Leveraged V.O.s Tomorrow VO Target Resource User Enterprise Federation Collaborative Tools Authority System etc

22 Middleware Diagnostics Problem Statement The number and complexity of distributed application initiatives and products has exploded within the last 5 years Each must create its own framework for providing diagnostic tools and performance metrics Distributed applications have become increasingly dependent not only on the system and network infrastructure that they are built upon, but also each other Middleware diagnostics need to integrate with network performance diagnostics and security diagnostics

23 Goals Create an event collection and dissemination infrastructure that uses existing system, network and application data (Unix/WIN logs, SNMP, Netflow ©, etc.) Establish a standardized event record that normalizes all system, network and application events into a common data format Build a rich tool platform to collect, distribute, access, filter, aggregate, tag, trace, probe, anonymize, query, archive, report, notify, perform forensic and performance analysis

24 Cisco NetFlow Events RMON Events Event Record Standard Normalization of each diagnostic data feed type (SHIB, HTTP, Syslog, RMON, etc.) into a common event record The tagging of specific events to help downstream correlation processes DB Access Log SHIB log HTTP Access log GRID Application Log Normalization And Event Tagging NETFLOW:TIME:SRC:DST:… RMON:HOST:TIME:DSTPORT.. DB:TIME:HOST:REQ:ASTRON SHIB:TIME:HOST:UID… HTTP:TIME:HOST:URL… GRIDAPP:TIME:HOST:UID:… Variable Star Catalog DB Application

25 Diagnostic Data Pipelining Data flows can be constructed to provide the desired function and policy within a enterprise or federation Filter C-4 Network Events ArchiveDBAnonimizationTaggingAggregationNormalization C-3 C-1 P-1 C-2 P-2 P-3 P-4 P-5 C-* Collection Module Host P-* Processing Module Host Host or Security Events

26 Event Record Event Descriptor Meta Field Event Descriptor Version Number Observation Description Pointer ID – unique event identifier Time - start/stop IP Address(es) – source/(destination) Source Class – application, network, system, compound, bulk, management Event Name Tag – Native language ID, user defined Status – normal, informational, warning, measurement, critical, error, etc. Major Source Name – filename, Netflow, Syslogd, SNMP, shell program, etc. Minor Source Name – logging process name (named), SNMP variable name, etc. Raw Data Encoding Mechanism – Binary, ASN1, ASCII, XML, etc. Raw Event Data Description Pointer Raw Event Data

27 A context for diagnostics  SURFnet detective  Integrated I2 diagnostic efforts

Download ppt "The Rest of the World, in 75 minutes… Ken Klingenstein Director, Internet2 Middleware and Security."

Similar presentations

Ads by Google