Authorization: Just when you thought middleware was no fun anymore Keith Hazelton, Senior IT Architect, Univ. of Wisconsin-Madison Member, Internet2 Middleware.
Authorization: Just when you thought middleware was no fun anymore
Keith Hazelton, Senior IT Architect, Univ. of Wisconsin-Madison
Member, Internet2 Middleware Architecture Comm. for Education (MACE)
Internet2 Fall Member Meeting, Indianapolis, Oct. 15, 2003

15-Oct-03 1 Authorization-related services: A broad vision and selected details
UW-Madison as a concrete reference point for thinking Authorization thoughts

2 Core middleware services suite

3 Core middleware services suite
Identity Mgmt Services

4 Core Middleware Services: Directory / Identity Mgmt.
AuthZ Info Mgmt.: Internet2 Grouper, Stanford Authority (PrivGroups), UW-Msn PASE
Source system a, Source system b, Source system c

5 Core middleware services suite
Identity Mgmt Services
Security Services: AuthN / AuthZ…

6 Core Middleware Services: Authentication, Authorization, …
AuthZ Info Access: Shibboleth (intra- and inter-institutional)
AuthN: LDAP bind; PKI

7 PASE: A system for managing authorization information
A secure, delegated service to maintain and provide information about:
- Populations of interest to the university
- Affiliations (or roles) that a person has
- Services that members of a role get (i.e. what they are entitled to do)

8 PASE and authorization
Typically, an authorization decision indicates whether a person or other principal is permitted to access a requested resource or invoke a requested service
PASE is an authorization information management tool; it helps us manage key information needed for authorization processes
PASE is the companion to our Identity Management System, the University Directory Service (UDS)

9 Current Limitations:
- Handling all populations
- Having clearly defined affiliation information
- Applying and documenting rules about who gets what
- Getting timely information with which to make access control decisions
- Handling special populations

Current limitations: handling special populations
- No system support for defining new types of affiliations
- Binary entitlement: either a person gets all services or gets none
- No delegated management:
  - for defining new groups of people
  - for granting group members access to services
- Result: difficult to add new groups

What is needed: an authorization information system with:
- Flexibility to handle new services and population types without reprogramming or other undue hassle
- A logical “single source” AuthZ info repository
- Secure, delegated administration
- A framework on which to implement policy

PASE relates the correct entities for greater flexibility and scalability
A sponsor (source) registers a person, who has an affiliation, which is mapped to a service bundle, which consists of services, each of which is owned by a service provider.

PASE, peer institutions and NMI/Internet2
Draws from pioneer efforts:
- Stanford’s Authority system
- MIT’s Roles DB
- Internet2 Grouper WG
On the cutting edge:
- Similar efforts at some institutions
- We are one of the {b}leaders

The non-technical aspects of PASE
- Interests of sponsors and service providers are often not fully aligned
- Need for a business process to agree on mappings between affiliations and service bundles
- New role for sponsors as a result of their greater control: advocate for populations in negotiations with service providers

PASE Development: An Iterative Approach
We intend to deliver PASE services in several phases.
First cut: a pilot
- To create the underlying structure end-to-end
- To provide many of the functions for managing entities and their relationships
- To manage risks (e.g., service disruption)
- To assess design choices and make adjustments with minimum impact

PASE Pilot – Spec Auth Retirees
- Sponsor: Office of Human Resources
- Person (Population): Retiree bio/demo data
- Affiliation: Retirees
- Affiliation Types: UW-Madison, UW Extension, UW System Administration and UW Colleges
- Service Bundle: “Bucky Bundle”
- Services: UW Madison Libraries, My UW Madison Portal, UW Madison Photo Identification, UW Madison Recreational Sports, etc.
- Service Provider: Service Representatives

PASE Pilot - Out of Pilot Scope
- General access to information, both to maintain the data and to use the data for authorization decisions
- Negotiation between Sponsors and Service Providers
- Batch inputs

What’s Next?
- Report the results of the pilot
- Capture current services’ authorization rules
- Define roles and responsibilities of the various players
- Refine the links to UDS
- Develop interfaces to service providers

More on PASE
/index.asp
Scott Fullerton

Identity Mgmt Services
Security Services: AuthN / AuthZ…
What’s off this frame? Target-side: evaluating authZ info and policies

What’s off this frame? Target-side: processing authZ info and policies

Appendix: PASE Terms
Affiliation: A person’s relationship to the institution. A person can have zero, one or many affiliations. An affiliation is similar to a role.
Authorization: Typically, authorization indicates what a person, properly authenticated, is permitted to do with a networked object or resource.
Service: One or more activities represented in business terms. A service can either be totally automated (e.g., the mail system) or partially so (e.g., Rec Sports). Services of interest to this project are protected by an authorization process.

PASE Terms (continued)
Service Bundle: A set of one or more services. An example of this might be the bundle of services that all current members of the community get. In PASE, access privileges are defined by mapping one or more affiliations to a service bundle.
Service Entitlement: The specific, more granular, actions within a service, e.g., Update student data.
Service Provider: The organizational entity responsible for a service.
Sponsor: The UW entity that proposes new affiliations, possibly registers new groups of people into the UDS, and possibly also defines a person’s affiliation(s).
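To make the entity model from the relationship slide and the term definitions concrete, here is a small Python model (an added illustration, not UW-Madison's PASE code): sponsors assign affiliations to people, affiliations map to service bundles, bundles consist of services owned by a service provider, and the two "delegated management" checks enforce who may change what. The sample data is constructed from the Retirees pilot slide; the class and method names are assumptions.

```python
from dataclasses import dataclass, field

@dataclass
class Affiliation:
    name: str
    sponsor: str                               # sponsor that proposed/administers it
    bundles: set = field(default_factory=set)  # service bundles it is mapped to

class PaseRegistry:
    def __init__(self):
        self.services = {}      # service name -> service provider (owner)
        self.bundles = {}       # bundle name -> set of service names
        self.affiliations = {}  # affiliation name -> Affiliation
        self.people = {}        # person id -> set of affiliation names

    def add_bundle(self, actor, name, services):
        # Only the provider that owns a service may place it in a bundle
        for s in services:
            if self.services.get(s) != actor:
                raise PermissionError(f"{actor} does not own service {s!r}")
        self.bundles[name] = set(services)

    def assign(self, actor, person, affiliation):
        # Delegated management: only the affiliation's sponsor adds members
        aff = self.affiliations[affiliation]
        if actor != aff.sponsor:
            raise PermissionError(f"{actor} is not the sponsor of {affiliation!r}")
        self.people.setdefault(person, set()).add(affiliation)

    def entitled_services(self, person):
        # affiliations -> mapped bundles -> services; no affiliation, no service
        names = set()
        for a in self.people.get(person, ()):
            for b in self.affiliations[a].bundles:
                names |= self.bundles[b]
        return names

    def is_authorized(self, person, service):
        return service in self.entitled_services(person)

def build_pilot():
    # Constructed sample data modelled on the Retirees pilot slide
    reg = PaseRegistry()
    svcs = ["UW Madison Libraries", "My UW Madison Portal",
            "UW Madison Photo Identification", "UW Madison Recreational Sports"]
    reg.services = {s: "Service Representatives" for s in svcs}
    reg.add_bundle("Service Representatives", "Bucky Bundle", svcs)
    reg.affiliations["Retirees"] = Affiliation("Retirees", "Office of Human Resources", {"Bucky Bundle"})
    reg.assign("Office of Human Resources", "retiree-0001", "Retirees")
    return reg
```

Because entitlement is derived from the affiliation-to-bundle mapping rather than stored per person, adding a new population or a new service bundle changes data, not code.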