Internet2: building and using an advanced network environment for research, teaching and learning APRU CIO Forum, 23 March 2007 Heather Boyles,

Presentation transcript:

Internet2: building and using an advanced network environment for research, teaching and learning APRU CIO Forum, 23 March 2007 Heather Boyles, Keith Hazelton, Ann Doyle,

Outline Internet2 Overview –Brief introduction: Overview of developments, services, activities of the Internet2 community –International R&E network connectivity overview - especially related to APRU institutions, Pacific Rim infrastructure and opportunities for collaboration Identity Management for Inter-institutional collaboration –Campus identity management developments in the Internet2 community –Identity management federations and their relationship to networked collaboration –Federation developments in the APRU community and opportunities for international cooperation

An Asset for the Community Universities Researchers Regional Networks K-12 Industry International

Internet2 Activities

Internet2 Network Hybrid optical and IP network Dynamic and static wavelength services Fiber, equipment dedicated to Internet2; Level 3 maintains network and service level Platform supports production services and experimental projects

Internet2 Network - Layer 1 Internet2 Network Optical Switching Node Level3 Regen Site Internet2 Redundant Drop/Add Site ESnet Drop/Add Site

NREN organizations and networks serving APRU institutions
Australia: AARNET
Canada: CANARIE – CA*net
Chile: REUNA
China: CERNET, CSTNet
Taiwan: TWAREN
Indonesia: ITB*
Japan: SINET, JGN2
Korea: KOREN, KREONET2
Malaysia: MYREN
Mexico: CUDI
New Zealand: REANNZ - KAREN
Philippines: PREGINET
Russia: RBnet, RUNNET
Singapore: SingAREN
Thailand: UNINET, ThaiSARN (ThaiREN)
USA: Internet2, NLR

Pacific Rim R&E Networking Trends in global R&E networking –Increasing interconnectedness Number of countries connected, including lesser-developed Number of connections, bandwidth –Regionalization TEIN2 network in Southeast Asia CLARA in Latin America –Hybrid network capabilities Beyond best-efforts shared IP Dedicated circuits to support major global science collaborations

Current AARNet3 Footprint

TRANSPAC2

Topology

Internet2 Activities

Internet2 Middleware Goals Much as at the network layer, create a ubiquitous common, persistent & robust core middleware infrastructure for the R&E community In support of inter-institutional & inter-realm collaborations, provide tools & services (e.g. registries, bridge PKI components, root directories) as required

Inter-institutional Collaboration is the Driver One institution hosting course-content for another Students at one college taking an on-line course from another college Libraries purchasing licenses for multiple vendors with specific access policies Researchers making resources available to project members at other schools (e.g. grid resources) Schools in state systems or articulation relationships that require mutual access to services

What questions are common to these scenarios? Are the people using these services who they claim to be? Are they a member of our campus community? Have they been given permission? Is their privacy being protected?

Identity Management (IdM) “Hi! I’m Lisa.” (Identity) “…and here’s my NetID / password to prove it.” (Authentication) “I want to do some E-Reserves reading.” (Authorization: Allowing Lisa to use the services for which she’s authorized) “And I want to change my grade in last semester’s Physics course.” (Authorization: Preventing her from doing things she’s not supposed to do)

Federated Approach to support inter-institutional collaboration Federated Identity & Access Management –Rely on the Identity Management infrastructure of institutions –To authenticate and pass authorization-related information to service providers or resource hosts –Via institution-to-provider agreements –Facilitated by common membership in a federation (like InCommon) Shibboleth is a way to move the authNZ info between parties

What is Shibboleth? (federating software system) An initiative to develop an architecture and policy framework supporting the sharing – between domains – of secured web resources and services A framework built on a “Federated” model A project delivering an open source implementation of the architecture and framework Deliverables: open-source, standards-based, privacy-preserving federating software –Software for identity providers = campuses (origins) –Software for resource providers (targets) –Operational Federations (scalable trust)

What are Federations? An association of organizations that come together to exchange information as appropriate about their users and resources in order to enable collaborations and transactions. Uses common policy, technology, and business practices to establish trust Access services from (or provide services to) other institutions, corporate partners, government organizations A contractual arrangement

Identity Federations Enroll locally Authenticate locally Assign attributes locally Act federally

Identity Federations Simplified usability for all collaborations Home organizations carefully manage the release of personal information On-line resource providers focus on the protection and authorization of use of their on-line resources

A federation of higher education, by higher education, for higher education (in US)

InCommon Federation Created to support US Higher Education and its research and business partners Federation operator is an LLC operated by Internet2 Builds on existing campus identity management and single sign-on systems Makes use of open industry standards (SAML) and open source federating software (Shibboleth)

InCommon Members 2/27/07 Case Western Reserve University Clemson University Cornell University Dartmouth Duke University Florida State University Georgetown University Miami University New York University Ohio University Penn State Stanford University Stony Brook University SUNY Buffalo The Ohio State University The University of Chicago University of Alabama at Birmingham University of California, Irvine University of California, Los Angeles University of California, Merced University of California, Office of the President University of California, Riverside University of California, San Diego University of Maryland University of Maryland Baltimore County University of Maryland, Baltimore University of Rochester University of Southern California University of Virginia University of Washington University of Wisconsin - Madison Cdigix EBSCO Publishing Elsevier ScienceDirect Houston Academy of Medicine - Texas Medical Center Library Internet2 JSTOR Napster, LLC OCLC OhioLink - The Ohio Library & Information Network ProtectNetwork Symplicity Corporation Thomson Learning, Inc. Turnitin WebAssign

InCommon Uses Access control to content –Popular content – Napster, CDigix, etc –Scholarly content – Google, OCLC WorldCat –Downloads – Microsoft Access to external services –Student travel, charitable giving, web learning and testing, plagiarism testing service, etc. –Allure for alumni services and other internal businesses –Student loans, student testing, graduate school admissions, etc. Access to national services –The National Science Digital Library –The Teragrid pilot: building on Shibboleth and GridShib

GridShib “Integrating federated authorization infrastructure (Shibboleth) with Grid technology (the Globus Toolkit) to provide attribute-based authorization for distributed scientific communities”

GridShib - from Von Welch Allow the Grid to scale by leveraging existing campus identity management (IdM) –Consider Shibboleth as the interface to campus IdM systems –Get out of identity management game Making joining the Grid as easy as possible for users –No separate long-term credential for Grid access to manage –No new passwords, certificates, etc. Allow campus attributes and VO attributes to be aggregated and used by the Grid for authorization –Allow for scalability in user base through attribute-based authorization, i.e. know groups of users instead of individual users
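
The attribute-based model on the slides above (the home campus releases only the attributes a provider needs, and the resource provider authorizes on campus and VO attributes asserted by federation members), as an added Python example that is not from the presentation, Shibboleth or GridShib. The entity IDs, attribute names, scope check and policy format are assumptions made for illustration.

```python
# Added illustration: entity IDs, attribute names and values are constructed.
FEDERATION_MEMBERS = {  # identity provider -> the scope it may assert
    "https://idp.campus-a.example.edu": "campus-a.example.edu",
    "https://idp.campus-b.example.edu": "campus-b.example.edu",
}
GRID_SP = "https://grid.example.org/sp"
RELEASE_POLICY = {GRID_SP: {"affiliation"}}  # campus side: attributes per provider
LISA = {  # campus directory entry (constructed)
    "netid": "lisa",
    "mail": "lisa@campus-a.example.edu",
    "affiliation": ["student@campus-a.example.edu"],
}
RULE = {"affiliations": {"student", "faculty"}, "vo_group": "physics-vo"}


def release_attributes(entry, sp_id):
    """Home organization: release only what its policy allows for this provider."""
    allowed = RELEASE_POLICY.get(sp_id, set())
    return {k: v for k, v in entry.items() if k in allowed}


def authorize(issuer, campus_attrs, vo_attrs, rule):
    """Resource provider: decide from attributes, not from a list of users."""
    scope = FEDERATION_MEMBERS.get(issuer)
    if scope is None:
        return False, "issuer is not a federation member"
    accepted = set()
    for value in campus_attrs.get("affiliation", []):
        role, _, asserted_scope = value.rpartition("@")
        if asserted_scope == scope:  # a campus speaks only for its own scope
            accepted.add(role)
    if not accepted & rule["affiliations"]:
        return False, "no acceptable campus affiliation"
    if rule["vo_group"] not in vo_attrs.get("groups", []):
        return False, "not in the required VO group"
    return True, "ok"


if __name__ == "__main__":
    released = release_attributes(LISA, GRID_SP)
    print(released)  # netid and mail stay on campus
    vo = {"groups": ["physics-vo"]}  # asserted by the virtual organization
    print(authorize("https://idp.campus-a.example.edu", released, vo, RULE))
    print(authorize("https://idp.campus-b.example.edu", released, vo, RULE))
    print(authorize("https://idp.unknown.example.net", released, vo, RULE))
```

The resource provider never sees Lisa's NetID or mail address, and an identity provider that asserts an affiliation outside its own scope is refused even though it is a federation member.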

Research and Education Federations around the world Growing national federations –UK, France, Germany, Switzerland, Australia, Netherlands, Norway, Spain, Denmark, etc. –Many (most) operated by National Research and Education Network (NREN) organizations –Many are Shib-based; all speak Shib on the outside… US Federations –InCommon (Internet2) –State-based Texas, UCOP, Maryland, etc.

Federation activities in APRU countries
Australia: Federation in formation
Canada: Federating activity going on
Chile
China: CERNET experimenting with Shibboleth
Taiwan
Indonesia
Japan: UPKI initiative of 7 national universities
Korea
Malaysia
Mexico
New Zealand: Pilot activity
Philippines
Russia
Singapore
Thailand
USA: InCommon Federation up and running

Ways to engage in national identity federation work Internet2 working groups TERENA (Europe) EMC2 working group APAN middleware working group TestShib –Open to non-US institutions –An opportunity to try out Shib implementation

Thanks!