New CyberInfrastructure for Collaboration between Higher Ed and NIH

Presentation transcript:

New CyberInfrastructure for Collaboration between Higher Ed and NIH

Topics
- Drivers in the R&E community
- A very brief history of federated identity
- Shibboleth and InCommon today
- How robust is the cyberinfrastructure
- Collaboration and federated identity

Drivers in the R&E community
- Strong, urgent needs to collaborate inter-institutionally
- First TCP/IP, now federated identity
- Importance of Virtual Organizations
- A common infrastructure to serve research, educational, and administrative needs
- Need to preserve privacy and provide rich attribute exchange mechanisms

A brief history of federated identity
- Shibboleth discussions begin in Feb 2000 at a meeting of higher ed’s best/brightest IT architects
- OASIS SAML effort forms December 2000 and engages higher ed to align work
  - SAML would handle basic formats for attribute packets and simple push/pull protocols for exchanging them
  - Shibboleth would build on SAML mechanisms for multilateral federation support, user control of privacy, metadata, etc.
- Shibboleth::SAML ~ TCP::IP
- Three of the seven authors of the SAML 1 spec are Shib folks; the technical editor of SAML 2.0, Scott Cantor of OSU, is the lead Shib architect

Shibboleth use
- ~12 M in Europe/Asia and ~6 M in the US; growing exponentially in many countries; almost all Shib 1.3
- Almost all users do not know they are using it (some may see a redirect…) but that is to change
- OpenSAML used by Google, Verisign, etc.

Federations
- Federations are now occurring broadly, and internationally, to support inter-institutional and external partner collaborations
- Almost all in the corporate world are bilateral; almost all in the R&E world are multilateral
- Federations are learning to peer
- Internal federations are also proving quite useful

R&E Federations
- Substantial deployments in many countries, including UK, Norway, Switzerland, Sweden, Australia, France, Denmark, Finland, Spain, Germany, Netherlands, etc. Coverage in a number of countries is now 100%.
- InCommon, Texas (three federations), UCTrust, CalState Trust, CCLA of Florida, CC of Washington State
- DHS + DOJ

InCommon
- US R&E Federation, a 501(c)3
- Addresses legal, LOA, shared attributes, business proposition, etc.
- Members are universities, service providers, government agencies, national labs
- Over 70 organizations and growing steadily; 1.3 million user base now, crossing 2 million by the end of the year
- Almost all use is transparent to users (it’s middleware) but that is about to change
- www.incommonfederation.org

Uses
- Access-controlled wikis
- Access to academic content, such as Elsevier
- Access to popular content, such as Cdigix
- Access to services, such as student travel agencies, testing services, Grid computational resources, portal providers, recruitment services, etc.
- (Trust base for dynamic circuit authorization/accounting)
- (Access to parts of MS)
- (Google Apps for Education)

The Higher Ed interests in federated NIH
- Researchers using their campus credentials to access major NIH data and computational resources such as BIRN and caBIG
- Researchers using local credentials to submit grant proposals, compliance certificates
- Administrators using local credentials, or roles, to submit regular statistical reporting
- Students using enrollment in appropriate campus courses to access federal research materials

Benefits for the campus
- Improve the overall security environment
  - Reduce accounts, improve identity vetting, etc.
- Provide enhanced services for their researchers
  - Privacy management, integrated workflows, manage firewalls, etc.
- Ability to integrate research with instruction in a more sustainable fashion
- Reduce exposure of internal passwords to off-campus sites
- Motivate the campus business processes to improve local identity management

It works both ways – NIH as an identity provider
- Researchers at NIH wanting to participate in academic processes
  - Using your NIH credential to access Elsevier journals, with privacy protection enabled
  - Accessing a controlled campus research wiki using NIH credentials
- Staff at NIH wanting to access inter-realm resources
  - Using the NIH login to access professional development society materials
  - Soon, access to MS
- NIH interns using their NIH credentials for medical school applications
  - Students-only services, portal providers, etc…

For application owners
- Scalable growth in communities of users
- Relief from much of the pain of identity management
- Compliance with privacy directives
- The potential to offer higher-risk applications in a secure and scalable fashion

The Transition Barriers
- The duct tape and the yellow sticky
- Either run dual systems for a while or ask some of the existing user base to do a one-time change
- Not all the pieces for scale are in place yet
- Getting to the network externality level in use

Robustness of infrastructure
- Coverage
- Reliability
- How good is the credential

Coverage and Reliability
- Shibboleth deployment widespread but often in local or state federations
- InCommon is growing steadily, and has a more significant research institution percentage
- Peering is not yet in place
- The enterprise directory and federation platform are usually redundant/load-balanced and secured systems.

How good is the credential
- As good as it needs to be…
- Broadly, credentialing in higher ed is good; it is the scope of who are granted identities that is unusual
- Campuses can do strong identity proofing, two-factor authentication and extended audits for key subsets of their users that need such strength
- At most campuses, assertions within minutes can reflect account compromise, loss of credentials by the user, suspension of privileges by the campus, etc.
- DOJ and DHS
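The SAML attribute exchange described in the history slide and the short-lived assertions the credential slide relies on, as an added example (not code from the presentation, Shibboleth or InCommon): a minimal Python check of a constructed SAML 2.0 attribute assertion, the way a Shibboleth-style SP would accept it. The trusted IdP entityID, the SP entityID and the attribute release policy are all assumed values, and XML signature verification against the federation metadata keys is assumed to have happened before this step.

```python
import xml.etree.ElementTree as ET
from datetime import datetime, timezone
NS = {"saml": "urn:oasis:names:tc:SAML:2.0:assertion"}
# Assumed stand-in for federation metadata: IdP entityIDs this SP trusts.
TRUSTED_IDPS = {"https://idp.university-a.example/idp/shibboleth"}
SP_ENTITY_ID = "https://wiki.lab-x.example/shibboleth"  # assumed SP entityID
# Attribute release policy: the SP consumes only these; nothing else is kept.
ALLOWED_ATTRS = {"eduPersonScopedAffiliation", "eduPersonEntitlement"}

# Constructed sample assertion with a five-minute validity window (signature omitted).
SAMPLE_ASSERTION = """<saml:Assertion xmlns:saml="urn:oasis:names:tc:SAML:2.0:assertion"
  ID="_constructed1" Version="2.0" IssueInstant="2007-10-01T12:00:00Z">
  <saml:Issuer>https://idp.university-a.example/idp/shibboleth</saml:Issuer>
  <saml:Conditions NotBefore="2007-10-01T12:00:00Z" NotOnOrAfter="2007-10-01T12:05:00Z">
    <saml:AudienceRestriction>
      <saml:Audience>https://wiki.lab-x.example/shibboleth</saml:Audience>
    </saml:AudienceRestriction>
  </saml:Conditions>
  <saml:AttributeStatement>
    <saml:Attribute Name="eduPersonScopedAffiliation">
      <saml:AttributeValue>member@university-a.example</saml:AttributeValue>
    </saml:Attribute>
    <saml:Attribute Name="mail">
      <saml:AttributeValue>someone@university-a.example</saml:AttributeValue>
    </saml:Attribute>
  </saml:AttributeStatement>
</saml:Assertion>"""

def _ts(value):  # SAML UTC timestamps look like 2007-10-01T12:00:00Z
    return datetime.strptime(value, "%Y-%m-%dT%H:%M:%SZ").replace(tzinfo=timezone.utc)

def validate_assertion(xml_text, now):
    """Return (accepted, reason, released_attrs); `now` is a SAML-format timestamp."""
    root = ET.fromstring(xml_text)
    if root.findtext("saml:Issuer", namespaces=NS) not in TRUSTED_IDPS:
        return False, "issuer not in federation metadata", {}
    cond = root.find("saml:Conditions", NS)
    if cond is None:
        return False, "no Conditions element", {}
    # NotBefore inclusive, NotOnOrAfter exclusive; a short window limits replay and lets IdP revocation bite within minutes.
    if not (_ts(cond.get("NotBefore")) <= _ts(now) < _ts(cond.get("NotOnOrAfter"))):
        return False, "outside validity window", {}
    audiences = {a.text for a in cond.iterfind("saml:AudienceRestriction/saml:Audience", NS)}
    if SP_ENTITY_ID not in audiences:
        return False, "assertion not addressed to this SP", {}
    released = {}
    for attr in root.iterfind("saml:AttributeStatement/saml:Attribute", NS):
        if attr.get("Name") in ALLOWED_ATTRS:  # drop attributes outside the policy
            released[attr.get("Name")] = [v.text for v in attr.iterfind("saml:AttributeValue", NS)]
    return True, "ok", released
```

The `mail` attribute in the sample is deliberately not in the release policy, so it never reaches the application even though the IdP sent it.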

Collaboration and Federated Identity
- Two powerful forces being leveraged
  - the rise of federated identity
  - the bloom in collaboration tools, most particularly in the Web 2.0 space but including file shares, email list procs, etc.
- Collaboration management platforms provide identity services to “well-behaved collaboration applications”
- Results in user- and collaboration-centric identity, not tool-based identity

Such interesting use cases
- UW-M wants to put their strategic planning process on a wiki and solicit inputs. They would like the inputs to be restricted to campus members but also be anonymous
- A class wiki has write access restricted to enrolled students, and another section available only to TAs
- Permitting specific external users to view parts of some users’ calendars (e.g. allowing certain collaborators to search a local user’s calendar for open space)
- Scientific and administrative integrated workflow

Collaboration management platforms
- Addresses the pain of collaboration management, not the joy of collaboration tools
- Built on federated identity, they permit collaborators to organize around their shared activities, not the tools they might use to collaborate in their activities
- Manage the groups that have access to a wiki, are an email list, are in your video application phone book, have their own IM channel and audioconference, share files, etc.
- The applications make external calls for their identity services
- Communicate with each other via an attribute ecosystem

Collaboration Management Platform (CMP) and the Attribute Ecosystem
[Diagram: Collaboration Tools/Resources (File Sharing, Calendar, Email List Manager, Phone/Video Conference, Federated Wiki, Domain Science Grid, Domain Science Instrument, Application Attributes) call into the COmanage Collaboration Management Platform (Authorization – Group Info, Authorization – Privilege Info, Authentication, People Picker, Other Functions, Attribute/Resource Info Data Store); Attribute Ecosystem Flows connect it to the Sources of Authority: Laboratory X, and the Home Org & Id Providers University A and University B.]

What we’re on the edge of…
- A brave new world of operational interrealm trust
  - Visible to the user as privacy managers, info-cards, etc.
  - Creating a richness of services and applications that build on the security and privacy
- On top of that trust layer, an operational collaboration mesh
  - Supporting sciences, R&D and social collaboration
  - Many of the web 2.0 genre, real time communications, file shares, etc.
  - Likely leveraging both federated and p2p trust
- A lot of unanticipated consequences…