~60 staff 1.Collaborators around the world 2.Supports communities of collaborators external to Internet2 3.Community uses wiki, mailing lists, instant messaging, voice conferencing services 4.Doesn’t want to be in the identity issuance business for external collaborators 5.Need to allow external + internal collaborators to use same service instances A Short description of Internet2
A Middleware Unified Field Theory Identity Management / Directories Privileges / Groups Single Sign-On / Federation Diagnostics Enterprise Integration from network to application Michael R Gettes Internet2 October 2007 An interpretation of the original MACE mission
What do we want? Inter-Enterprise Workgroup Collaborations not sexy
or C ollaborative O rganizations CO
Identity Groups Privileges Federated Access
and … Applications “It’s the App stupid!”
Give COntrol To COmmunity Members
Integrate with Existing COmmon IT Infrastructures in Higher Education
Flexible Scalable Modular
COmponents S H I B B O L E T H LDAP-PC Signet Grouper LDAP Directory Identity Mgr Applications & Network COCO
stop talking start walking demo COmanage.internet2.edu
COmponents S H I B B O L E T H LDAP-PC Signet Grouper LDAP Directory Identity Mgr Applications & Network COCO
Comanage … is only a demonstration of the CO model a CO fits within a service delivery strategy
Application Management App Access to data is managed by LDAP (initially) Identity data can be distributed by any desired mechanism in the future. SQL databases, feeds, message bus technologies.
Truth be told… LDAP-PC Large-Scale Performance and namespaces SIGNET Minor UI and Deployment GROUPER Some UI and Large-scale Performance SIGNET only immediate concern
Many COs on a single server (if you wanna do that) Grouper/Signet/LDAP-PC Identity Mgr Grouper/Signet/LDAP-PC LDAP Application set
No local identity issued for external users to access CO services big win! O=University,c=US ou=People(this is where 50K fac/staff/stu might reside) ou=CO(external identities for CO go here) ou=Groups(a place to store groups for all) Example directory tree for CO environment Applications pointed here for identities yields the union of internal and external
Future… Begin addressing issues of “attribute eCOnomy” Protect CO by Identity Provider… can solve “IEEE problem”? Web site wants to know: Are you a member of IEEE? My University IEEE-CO This org has membership data but does not manage identity - a CO with only external users. User Home Identity Provider
Diagnostics Lifting up shib log files and making EDDY deposits Creating a unified and federated view of diag data Network data: flows, snort, snmp System stats: cpu, i/o, mem, etc… Infrastructure: shib, ldap, authN, etc… Application: http, confluence, sympa, calendar etc, etc, etc…
Network Layer? Why not? Integrate with Grids? Why not? Addresses VO scenarios? Why not?
V O VO? CO
Make your opinion known… Should Internet2 use COmanage for service delivery? Rick Summerhill Cheryl Fremon and and
it’s all about /me done Talk amongst yourselves