Taking Care of Our Core Business: Managing Collaborations
Dr. Ken Klingenstein, Senior Director, Internet2 Middleware and Security

Presentation transcript:

Topics
- Internet identity
- The bloom of collaboration tools
- Collaboration management platforms
- Domesticated applications
- Use by virtual organizations
- Next step issues

Types of Internet identity
- Federated
  - Leveraging enterprise identity for inter-realm purposes
  - Authentication, entitlements and attributes are the common payloads
  - Privacy, security and trust are the critical issues
- P2P
  - Originally PGP, now Infocard, OpenID, etc.
  - Need trust fabrics (may be coupled with reputation systems for trust) and privacy mechanisms
- Both are growing at exponential rates

Federated Identity
- Enterprises exchanging assertions about users
- Real-time exchanges of standardized attribute/value pairs
- Often identity-based, but can preserve privacy through the use of attributes
- Basis for trusting the exchanged assertions via common policies, legal agreements, contracts, laws, etc.
- Federations offer a flexible and largely scalable privacy-preserving identity management infrastructure

Another Internet identity: P2P identities
- Provides tokens for interpersonal trust, but not trust itself (needs reputation systems, etc.)
- Easy for application developers to incorporate
- Use cases include blogs and wikis, file and photo sharing, some encrypted , etc.
- Layered space: CardSpace by MS, Higgins and the Bandits, OpenID, etc.
- Rapidly growing, but starting to hit the hard issues:
  - Revocation
  - Delegation and transitive trust
  - Privacy

Collaboration and Federated Identity
- Two powerful forces being leveraged:
  - the rise of federated identity
  - the bloom in collaboration tools, most particularly in the Web 2.0 space but including file shares, listprocs, etc.
- Collaboration management platforms provide identity services to "well-behaved" collaboration applications
- Results in user- and collaboration-centric identity, not tool-based identity

A Bloom of Collaboration Tools
- An over-abundance of new tools that provide rich and growing collaboration capabilities (aka Web 2.0)
- Do you wiki, blog, Moodle, Sakai, IM, chat, videoconference, audioconference, calendar, Flickr, NetMeeting, Access Grid, DimDim, listserv, WebDAV, etc.?
- Share files among workgroups, access Elsevier, work with the IEEE, etc.
- No uber-app (one would limit invention and the community of users) is fine, but many tools per user is hard to manage
- Leads to the need to manage the collaborations and their tools

Collaboration management examples
- Wiki access control; list, IM, etc. synchronization
- Adding a graduate student hired by a VO subgroup to a set of services
  - Can manage the lists, manage access controls for the lab doors, manage the VO wiki, have course management privileges, join the VO chat room, schedule audioconferences…
  - Goal is for the end user or their collabmin to manage these authorizations in an easy and sustainable way
- Providing access to scholarly material for a class
  - The content lifecycle from research to instruction, for both external content and locally generated content

Collaboration Management Platforms
- Goal is to develop a "platform" for handling the identity management aspects of many different collaboration tools
- Platform includes a framework and model, specific running code that implements the model, and applications that take advantage of the model
- This space presents possibilities of improving the overall unified UI as well as the UI for specific applications and components

COmanage
- A collaboration management platform, supported in part by an NSF OCI grant, being developed by the Internet2 community, with Stanford as a lead institution
- Well-behaved applications externalize their identity management dimensions to a general identity/group/privilege/etc. repository (LDAP, MySQL, etc.)
- Users manage IdM in a collaboration-centric way, not in a tool-centric way
- Uses Shibboleth, Grouper, and Signet
- Open source, open protocol

Domesticated applications
- Applications that externalize their identity management dimensions
- Domestication typically goes in stages: first identity, then group and privilege management, perhaps then provisioning
- Domestication is relative to the external access protocols used (SAML, LDAP, MySQL, web services, etc.)
- Applications done or being targeted: Sympa, Confluence, Asterisk (open-source IP audioconferencing), DimDim (open-source web meeting), Bedework (federated open-source calendar), Subversion, JIRA, Alfresco
- Finally, domain science resources: instruments, grids

[Diagram: Collaboration Management Platform (CMP) and the Attribute Ecosystem. Sources of authority / home org and identity providers: University A, University B, Laboratory X. CMP: attribute/resource info data store, authentication, authorization (group info), authorization (privilege info), people picker, other functions, manage. Collaboration tools/resources receiving application attributes through attribute ecosystem flows: federated wiki, file sharing, calendar, phone/video conference, list manager, domain science grid, domain science instrument.]

Some general COmanage comments
- A limited number of consoles present the basic identity services; one can move directly between services as a standard workflow
- Early in the development; the GUI is particularly primitive
- Underlying store is an LDAP directory; alternatives include a MySQL db, RTF store, etc.
- COmanage can be deployed by a campus, a department, a VO, or a VO service center; COmanage instances communicate with each other by the "attribute ecosystem" voodoo
- It is plumbed; hence it is sustainable, secure, flexible

The major COmanage consoles
- Applications: a growing list
- Identity: view basic locally stored data; privacy management, using Shib
- My Groups: manages collaboration groups across the full variety of applications, using Grouper
- My Privileges: manages permissions that you have and that you assign to others and groups, currently using Signet
- Once set up, COmanage automatically maintains and updates the applications, reflecting group changes from source feeds, aging privileges, etc.

Relative Roles of Signet & Grouper
- RBAC (role-based access control) model:
  - Users are placed into groups (aka "roles")
  - Privileges are assigned to groups
  - Groups can be arranged into hierarchies to effectively bestow privileges
- Grouper manages, well, groups
- Signet manages privileges
- Separates responsibilities for groups & privileges
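The split just described (groups held in a Grouper-like store, privileges assigned to groups by a Signet-like store, nested groups bestowing privileges), together with the "aging privileges" from the consoles slide and the fan-out when a graduate student is added to a VO subgroup from the examples slide, worked through as an added Python example. It is not code from COmanage, Grouper or Signet; the group names, applications and expiry dates are constructed.

```python
# Constructed sample data (not COmanage, Grouper or Signet data): Grouper-style
# groups whose members may be users or other groups, and Signet-style
# privilege assignments that are made to groups, never to users directly.
GROUPS = {
    "vo:ligo":                  {"vo:ligo:detchar", "vo:ligo:admin"},
    "vo:ligo:detchar":          {"alice", "vo:ligo:detchar:students"},
    "vo:ligo:detchar:students": set(),
    "vo:ligo:admin":            {"carol"},
}

# (group, application, privilege, expiry as ISO-8601 date or None);
# the expiry models the "aging privileges" the consoles slide mentions.
PRIVILEGES = [
    ("vo:ligo",                  "wiki",     "read",  None),
    ("vo:ligo:detchar",          "wiki",     "edit",  None),
    ("vo:ligo:detchar",          "listserv", "post",  None),
    ("vo:ligo:detchar",          "labdoor",  "enter", "2024-12-31"),
    ("vo:ligo:detchar:students", "chat",     "join",  None),
    ("vo:ligo:admin",            "wiki",     "admin", None),
]

def groups_of(user, groups):
    """All groups containing `user`, directly or through nested groups.
    Walks containment upward; the `found` set also stops on cyclic nesting."""
    parents = {}
    for group, members in groups.items():
        for member in members:
            parents.setdefault(member, set()).add(group)
    found, stack = set(), [user]
    while stack:
        for group in parents.get(stack.pop(), ()):
            if group not in found:
                found.add(group)
                stack.append(group)
    return found

def effective_privileges(user, groups, today, privs=PRIVILEGES):
    """(application, privilege) pairs held through any group membership,
    dropping assignments whose expiry has passed. ISO-8601 dates compare
    correctly as strings, so `today` is also an ISO-8601 string."""
    mine = groups_of(user, groups)
    return {(app, priv) for group, app, priv, expiry in privs
            if group in mine and (expiry is None or expiry >= today)}

def membership_change(user, group, groups, today):
    """Provisioning fan-out for one group change: the (application,
    privilege) grants the applications must be updated with after `user`
    joins `group`. `groups` itself is left unmodified."""
    before = effective_privileges(user, groups, today)
    after_groups = {g: set(m) for g, m in groups.items()}
    after_groups[group].add(user)
    return effective_privileges(user, after_groups, today) - before
```

Adding the constructed student "bob" to the subgroup yields grants in four applications at once, while the expired lab-door assignment is withheld until the expiry is renewed.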

Two types of application enablement
- "Domesticated" apps draw their entitlements, attributes and roles from the CMP directory or db or… (something external to the app)
- Other apps can have information from COmanage pushed into them
  - Static or dynamic provisioning
  - Connectors could be X.509 certs, SAML assertions, etc.

COmanage specifics
- Wiki, dev and users being set up
- Beta release in June, 1.0 in August, OpenLDAP as the data store
- Debian VMware
- Domesticated apps in bundle where licenses permit
- Testing in several venues and VOs
- GUI issues, modularity of components issues

COmanage next steps
- Growing the community
  - Of apps and developers
  - Of users
- Web services, APIs for tools within COmanage
- Leveraging federations
- Interactions with other CMPs: Myworks, IAMSuites, G5PO, etc.

[Diagram: How Collaboration Management Platforms (CMP) Communicate. Nodes: Campus, Virtual Organization, Virtual Organization Service Center, Federation. Links labelled: Linked Identities, SAML, Batch, Attribute Ecosystem. Key: COmanage CMP, Other CMP.]

Virtual Organizations
- An increasing artifact of the landscape of scientific research, largely from the costly and complex nature of the new instruments and growing data sets
- Always inter-institutional, frequently international
- Having a "mission" in teaching and a need for administration
- Tend to cluster around unique global-scale facilities and instruments
- Heavily reflected in agency solicitations and peer review processes
- Being seen now in the arts and humanities

Virtual Organization Characteristics
- Distributed across space
- Distributed across time
- Dynamic management structures
- Collaboratively enabled
- Computationally enhanced

Building Effective Virtual Organizations
- A workshop run by NSF in January 2008 to give many newly minted VOs the wisdom of the ages
- Cross-directorate, with OCI catalytic
- A few very insightful talks
- Was intended to cover the complex social and economic issues as well as some common technical issues, but veered towards collaboration chaos…

Collaboration and Virtual Organizations
- VOs are first collaborative organizations
- General collaboration tools: listservs, wikis, audioconferencing, videoconferencing, shared calendars, etc.
- Academic collaboration tools: grant proposal and administration management, paper development and publication
- Many support components for such activities can also meet needs in the domain science management

Two specimen VOs
- LIGO-GEO-VIRGO
- Ocean Observing Initiative
- Interests include federated identity, COmanage, and domain science use
- Both have international characteristics

Next Steps and Issues
- Feedback from virtual organizations
- Enterprise and VO deployments
- Leverage federations
- Inter-federation peering
- Virtual organization support centers
- The attribute ecosystem

Lessons Learned
- Collaborate externally; compete internally
- Time zones are hell
- Big turf issue of the local VO sysadmin
- Many of the instruments are black boxes
- Physical access controls matter
- Scientific accomplishments and egos