Dr Ken Klingenstein Director, Internet2 Middleware and Security Emerging Infrastructure for Collaboration: Next Generation Plumbing.

Topics
- Frameworks
  - Enterprise-based middleware
  - Federated services and applications
  - Virtual organizations and trust fabrics
- Activities in Collaborative Middleware
  - Deployments
  - Development
  - Related Activities – a bunch of Mellons, instant messaging, etc.
- Implications for the higher ed community
- Implications for the marketplace and the public sector

Frameworks
- Enterprise-based middleware
  - Middleware that provides institutional core middleware needs (academic and administrative)
  - Constructed in similar but locally adaptive fashions on campuses, with standard external service points (directory objectclasses, handle servers, etc.)
- Federated services and applications
  - Enterprises come together into federations, with formal trust structures that permit exchange of attributes, including identity
  - User actions within the federation are generally moderated by their enterprise
  - Resource discovery, security, privacy, authorizations managed by user and enterprise
- Virtual organizations leverage the above in a cross-stitch
  - Sparse mode collaborative communities with real resources and authorizations to share
  - Trust fabrics (global, federated, P2P) necessary for secure and private collaboration

A Map of Middleware Land

Core Middleware Scope
- Identity and Identifiers – namespaces, identifier crosswalks, real world levels of assurance, etc.
- Authentication – campus technologies and policies, interrealm interoperability via PKI, Kerberos, etc.
- Directories – enterprise directory services architectures and tools, standard objectclasses, interrealm and registry services
- Authorization – permissions and access controls, delegation, privacy management, etc.
- Integration Activities – open management tools, application of P2P, federated and hierarchical trust, enabling common applications with core middleware

Campus Core Middleware Architecture: (Origin perspective)

Federated administration
Given the strong collaborations within the academic community, there is an urgent need to create inter-realm tools, so:
- Build consistent campus middleware infrastructure deployments, with outward facing objectclasses, service points, etc., and then
- Federate (multilateral) those enterprise deployments with interrealm attribute transports, trust services, etc., and then
- Leverage that federation to enable a variety of applications, from network authentication to instant messaging, from video to web services, from p2p to virtual organizations, etc., while we
- Be cautious about the limits of federations and look for alternative fabrics where appropriate.

Federated administration (diagram slide: Campus 1, Campus 2, Federation and VO, with nodes labelled O, T, A and CM)

Unified field theory of Trust
- Bridged, global hierarchies of identification-oriented, often government based trust – laws, identity tokens, etc.
  - Passports, drivers licenses
  - Future is typically PKI oriented
- Federated, enterprise-based; leverages one's security domain; often role-based
  - Enterprise does authentication and attributes
  - Federations of enterprises exchange assertions (identity and attributes)
- Peer to peer trust; ad hoc, small locus personal trust
  - A large part of our non-networked lives
  - New technology approaches to bring this into the electronic world
  - Distinguishing P2P application architecture from P2P trust

Virtual Organizations
- Geographically distributed, enterprise distributed community that shares real resources as an organization.
- Examples include team science (NEESGrid, BIRN, NEON), digital content managers (library cataloguers, curators, etc.), life-long learning consortia, etc.
- On a continuum from interrealm groups (no real resource management, few defined roles) to real organizations (primary identity/authentication providers)
- Want to leverage enterprise middleware and external trust fabrics

Leveraging V.O.s Today (diagram slide: VO, Target Resource, User, Enterprise, Federation)

Leveraged V.O.s Tomorrow (diagram slide: VO, Target Resource, User, Enterprise, Federation, Collaborative Tools, Authority System, etc.)

Middleware Activities
- NMI-EDIT
- Management – MACE, Internet2, EDUCAUSE, SURA
- In deployment
  - Directories
  - Security
  - Federations
- In development
  - Virtual organizations - JISC
  - Diagnostics
  - Authorization and privilege management

MACE (Middleware Architecture Committee for Education)
- Purpose - to provide advice, create experiments, foster standards, etc. on key technical issues for core middleware within higher education
- Membership - Bob Morgan (UW) Chair, Tom Barton (Chicago), Scott Cantor (Ohio State), Steven Carmody (Brown), Michael Gettes (Duke), Keith Hazelton (Wisconsin), Paul Hill (MIT), Jim Jokl (Virginia), Mark Poepping (CMU), Bruce Vincent (Stanford), David Wasley (California), Von Welch (Grid)
- European members - Brian Gilmore (Edinburgh), Ton Verschuren (Netherlands), Diego Lopez (Spain)
- Creates working groups in major areas, including directories, interrealm access control, PKI, video, P2P, etc.
- Works via conference calls, email, occasional serendipitous in-person meetings...

In deployment - International

In deployment - US

Directories
- Creation and deployment of consistent internal directory infrastructure within the higher-ed community.
  - Includes metadirectory services
  - Standard internal objectclasses
  - Most applications have become directory enabled
- Development and adoption of outward facing directory objectclasses – eduPerson and eduOrg
  - eduPerson - identity and associated attribute values, entitlements, etc.
  - eduOrg – enterprise attribute values
  - Internationalization of eduPerson underway
- H.350 – desktop video resource discovery, now an ITU standard

Security
- Emergence of federating software and federations
  - Rise of SAML (Shibboleth)
- In PKI, deployments remain challenging
  - Escrow, mobility, path construction and validation remain very hard
  - Non-standards proliferate – little I in the PK that exists
  - Some campuses have traction
- First generation WebSSOs proliferate and show limits
- Credential converters (KCA and a Shibbed CA)
- HEBCA (a bridge certificate authority for higher education) and USHER (US Higher Ed root CA) are under slooooow construction
- Security as creating new capabilities as well as restricting use…

Shibboleth Status
- Open source, privacy preserving federating software
- Being very widely deployed in US and international universities
- Target - works with Apache (1.3 and 2.0) and IIS targets; Java origins for a variety of Unix platforms.
- V2.0 likely to include portal support, identity linking, non-web services (plumbing to GSSAPI, P2P, IM, video), etc.
- Work underway on intuitive graphical interfaces for the powerful underlying Attribute Authority and resource protection
- Likely to coexist well with Liberty Alliance and may work within the WS framework from Microsoft.
- Growing development interest in several countries, providing resource manager tools, digital rights management, listprocs, etc.
- Used by several federations today – NSDL, InQueue, SWITCH, and several more soon (JISC, Australia, etc.)

GUIs to manage Shibboleth

Federations
- Associations of enterprises that come together to exchange information about their users and resources in order to enable collaborations and transactions
- Enroll, authenticate and attribute locally; act federally.
- Uses federating software (e.g. Liberty Alliance, Shibboleth, WS-*), common attributes (e.g. eduPerson), and a security and privacy set of understandings
- Enterprises (and users) retain control over what attributes are released to a resource; the resources retain control (though they may delegate) over the authorization decision.
- Several federations now in construction or deployment

InCommon federation
- Federation operations – Internet2
- Federating software – Shibboleth 1.1 and above
- Federation data schema - eduPerson and eduOrg (a specified version or later of each)
- Federation privacy and security requirements – in discussion; could be:
  - Privacy requirements: initially, destroy received attributes immediately upon use
  - Security requirements: initially, enterprises post local I/A and basic business rules for assignment of eduPersonAffiliation values; likely to progress towards standardized levels of authn
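The model on the Federations and InCommon slides above (the enterprise authenticates and releases attributes under its own policy, the federation's metadata says whose assertions to trust, the resource decides and then discards what it received) worked through as an added example in Python. This is not Shibboleth or InCommon code: the HMAC-SHA256 signature stands in for the XML Signature and X.509 keys a real deployment uses, and the hostnames, user record, release policy and lifetime are constructed for the example. Only the attribute names (eduPersonAffiliation, eduPersonPrincipalName) come from eduPerson.

```python
"""Toy federated attribute exchange in the style described on the slides.

Added example, not Shibboleth/InCommon code. Assumptions:
- Signature: HMAC-SHA256 over canonical JSON with a per-origin key listed in
  the federation metadata. Real deployments use XML Signature and X.509 keys.
- Hostnames, the user record, the release policy and the lifetime are constructed.
- Attribute names (eduPersonAffiliation, eduPersonPrincipalName) are eduPerson's.
"""
import hashlib
import hmac
import json
import time

# Federation metadata: member origins and the key each signs with (constructed).
FEDERATION_METADATA = {
    "idp.example-u.edu": {"key": b"example-u-signing-secret"},
}

# Origin-side identity store (constructed sample user).
USERS = {
    "jdoe": {
        "eduPersonPrincipalName": "jdoe@example-u.edu",
        "eduPersonAffiliation": ["member", "student"],
        "mail": "jdoe@example-u.edu",
    }
}

# Attribute release policy: the enterprise decides, per target, what leaves.
# A target not listed here receives no attributes at all.
RELEASE_POLICY = {
    "library.example-publisher.com": ["eduPersonAffiliation"],
    "wiki.example-vo.org": ["eduPersonPrincipalName", "eduPersonAffiliation"],
}

ASSERTION_LIFETIME = 300  # seconds; short, so a captured assertion is soon useless


def _canonical(payload):
    return json.dumps(payload, sort_keys=True, separators=(",", ":")).encode()


def _sign(key, payload):
    return hmac.new(key, _canonical(payload), hashlib.sha256).hexdigest()


def issue_assertion(origin, uid, target, now=None):
    """Origin side. `uid` has already authenticated locally; release to `target`
    only the attributes the policy allows, bound to that target and a lifetime."""
    now = int(time.time()) if now is None else now
    allowed = RELEASE_POLICY.get(target, [])
    payload = {
        "issuer": origin,
        "audience": target,
        "issued_at": now,
        "expires_at": now + ASSERTION_LIFETIME,
        "attributes": {k: v for k, v in USERS[uid].items() if k in allowed},
    }
    key = FEDERATION_METADATA[origin]["key"]
    return {"payload": payload, "signature": _sign(key, payload)}


def verify_assertion(assertion, target, now=None):
    """Target side. Accept only assertions from a federation member, intact,
    addressed to this target and within their lifetime. Returns a copy of the
    attributes; raises ValueError otherwise."""
    now = int(time.time()) if now is None else now
    payload = assertion["payload"]
    member = FEDERATION_METADATA.get(payload["issuer"])
    if member is None:
        raise ValueError("issuer is not in the federation metadata")
    if not hmac.compare_digest(_sign(member["key"], payload), assertion["signature"]):
        raise ValueError("signature does not verify")
    if payload["audience"] != target:
        raise ValueError("assertion was issued for a different target")
    if not payload["issued_at"] <= now < payload["expires_at"]:
        raise ValueError("assertion expired or not yet valid")
    return dict(payload["attributes"])


def authorize(assertion, target, required_affiliations, now=None):
    """The resource's own decision: grant if any required affiliation was asserted.
    The received attributes are used once and then cleared, the 'destroy upon use'
    rule from the InCommon slide."""
    attrs = verify_assertion(assertion, target, now)
    try:
        held = set(attrs.get("eduPersonAffiliation", []))
        return bool(held & set(required_affiliations))
    finally:
        attrs.clear()
```

Two points worth noticing. The release policy runs at the origin, so a target never sees attributes it was not granted, which is what lets the enterprise keep control of privacy. On the target, the audience and lifetime checks are what stop an assertion minted for one resource from being replayed at another; the metadata lookup is the trust fabric, and an issuer that is not a federation member is rejected before its signature is even examined.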

InQueue Origins
- Rutgers University
- University of Wisconsin
- New York University
- Georgia State University
- University of Washington
- University of California Shibboleth Pilot
- University at Buffalo
- Dartmouth College
- Michigan State University
- Georgetown
- Duke
- The Ohio State University
- UCLA
- Internet2
- Carnegie Mellon University
- National Research Council of Canada
- Columbia University
- University of Virginia
- University of California, San Diego
- Brown University
- University of Minnesota
- Penn State University
- Cal Poly Pomona
- London School of Economics
- University of North Carolina at Chapel Hill
- University of Colorado at Boulder
- UT Arlington
- UTHSC-Houston
- University of Michigan
- University of Rochester
- University of Southern California

In development
- Virtual organizations
- Privilege management and authorization systems
- Middleware diagnostics
- Federated network-layer security services and capabilities

Stanford Authz Model

Authority Deliverables
The deliverables consist of:
- A recipe, with accompanying case studies, of how to take a role-based organization and develop appropriate groups, policies, attributes, etc. to operate an authority service
- Templates and tools for registries and group management
- A Web interface and program APIs to provide distributed management (to the departments, to external programs) of access rights and privileges, and delivery of authority information through the infrastructure as directory data and authority events.
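To make the third deliverable concrete, here is an added example (mine, not a Stanford or Internet2 deliverable) of a delegated authority registry: the central administrator grants a dean a privilege over a school with the right to delegate, the dean passes a narrower grant to a department chair, and so on down. Every grant is checked against what the grantor actually holds (scope and limit), revocation cascades down the delegation chain, each change is logged as an authority event, and the current state exports as directory-style values. The org tree, the privilege name, the approval-limit condition and the urn:example: entitlement form are all invented for illustration; eduPersonEntitlement is the eduPerson attribute in which such values would be published.

```python
"""Toy delegated authority registry.

Added example, not a Stanford/Internet2 deliverable. Constructed for illustration:
the org tree, the privilege name, the approval-limit condition and the
urn:example: entitlement form. eduPersonEntitlement is the eduPerson attribute
in which such values would be published.
"""
from dataclasses import dataclass


@dataclass(frozen=True)
class Grant:
    privilege: str      # what may be done, e.g. "purchasing:approve"
    scope: str          # org unit the privilege covers, e.g. "ou=chem"
    limit: int          # hypothetical condition on the grant (approval ceiling)
    can_delegate: bool  # may the holder pass on (a subset of) this grant?
    grantor: str        # who issued it; "root" is the central administrator


# Constructed org tree, child -> parent. A deployment would read it from the directory.
ORG_TREE = {"ou=chem": "ou=science", "ou=physics": "ou=science", "ou=science": "o=example-u"}


def scope_within(scope, parent):
    """True if `scope` is `parent` or lies beneath it in ORG_TREE."""
    while scope is not None:
        if scope == parent:
            return True
        scope = ORG_TREE.get(scope)
    return False


class AuthorityRegistry:
    def __init__(self):
        self.grants = {}  # subject -> list of Grant
        self.events = []  # append-only authority event log: (action, grantor, subject, grant)

    def _holdings(self, subject, privilege):
        return [g for g in self.grants.get(subject, []) if g.privilege == privilege]

    def grant(self, grantor, subject, privilege, scope, limit, can_delegate=False):
        """Distributed management: a non-root grantor may only pass on what it
        holds, within its own scope and not above its own limit."""
        if grantor != "root":
            covered = any(h.can_delegate and scope_within(scope, h.scope) and limit <= h.limit
                          for h in self._holdings(grantor, privilege))
            if not covered:
                self.events.append(("denied", grantor, subject, None))
                raise PermissionError(f"{grantor} cannot delegate {privilege} at {scope} up to {limit}")
        g = Grant(privilege, scope, limit, can_delegate, grantor)
        self.grants.setdefault(subject, []).append(g)
        self.events.append(("grant", grantor, subject, g))
        return g

    def revoke(self, grantor, subject, privilege):
        """Revoke what `grantor` gave `subject` for `privilege`. If `subject` is
        left with no delegable grant, everything it delegated falls with it.
        Returns the number of grants removed."""
        mine = [g for g in self._holdings(subject, privilege) if g.grantor == grantor]
        if not mine:
            return 0
        self.grants[subject] = [g for g in self.grants[subject] if g not in mine]
        for g in mine:
            self.events.append(("revoke", grantor, subject, g))
        removed = len(mine)
        if not any(h.can_delegate for h in self._holdings(subject, privilege)):
            for downstream in list(self.grants):
                removed += self.revoke(subject, downstream, privilege)
        return removed

    def check(self, subject, privilege, scope, amount):
        """Policy decision point: does `subject` hold `privilege` covering `scope`
        with a limit of at least `amount`?"""
        return any(scope_within(scope, h.scope) and amount <= h.limit
                   for h in self._holdings(subject, privilege))

    def entitlements(self, subject):
        """Directory-data view of the current grants, one value per grant."""
        return sorted(f"urn:example:authority:{g.privilege}:{g.scope}:{g.limit}"
                      for g in self.grants.get(subject, []))
```

The property to check in a design like this is that no delegate can end up with more than its grantor had: the `grant` check enforces that on the way down, and the cascade in `revoke` keeps it true after the grantor's own authority is withdrawn, which simple per-grant revocation would not.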

Home

Grant Authority Wizard

Related Activities in Collaboration Tools
- Chandler
- Instant Messaging
- P2P filesharing – Lionshare

Chandler
- Open source email and calendaring package
- Being developed by the Open Source Applications Foundation (Mozilla et al., led by Mitch Kapor)
- Both stand-alone and enterprise versions due out before the end of the year
- Intended to be collaborative in nature
  - Shared role-based views
  - Federated views

Lionshare
P2P file sharing application that is:
- Enterprise-based – uses authentication and campus directory and resource discovery
- Federated – works between institutions, using local authentication and authorization
- Learning object oriented – meta-data based; linked to digital repositories, courseware, etc.
- Developed at Penn State University, now being extended with assistance from Mellon Foundation, Internet2, OKI, Edusource
- URL is

Instant Messaging
- Federated IM authentication by enterprise
  - Screen name authenticated; opaque or transparent by choice
- Access control to chat rooms
  - Across enterprises
  - Across IM technologies
- Payloads
- Signalling

Implications for the Higher Ed Community
- A variety of collaborative apps are being middleware enabled
- There is a growing federated trust infrastructure among the R&E community with potential international usefulness.
- New architectures for passing attributes and identity; new tools to learn for managing privacy and security
- Emergent tools for authority management; new tools to learn for managing authorization
- A marketplace of identity service providers may emerge

Implications for the Marketplace and Public Sector
- Inter-sector federation activities are not understood
- International issues
  - Consistency of trust
  - Interoperability of technologies
- A marketplace of identity service providers may emerge
- Collaborative tools will need to work across a variety of trust fabrics
- Users will need to manage both privacy and trust; defaults will be important