Presentation is loading. Please wait.

Presentation is loading. Please wait.

SMXL: Tailoring Technology to Collaboration. SMXL FAQ Is SMXL a new web scripting language? No, it is the art of tailoring IdM and access.

Published byJune Carmel Lynch Modified over 8 years ago

Similar presentations

Presentation on theme: "SMXL: Tailoring Technology to Collaboration. SMXL FAQ Is SMXL a new web scripting language? No, it is the art of tailoring IdM and access."— Presentation transcript:

1 SMXL: Tailoring Technology to Collaboration

2 kjk@internet2.edu SMXL FAQ Is SMXL a new web scripting language? No, it is the art of tailoring IdM and access control technology to collaborations Why is there only Small, Medium, and XL (extra large)? Why is there no Large ? VO’s don’t come in Large – as soon as they grow to L, they think of themselves as XL

3 kjk@internet2.edu Topics VO’s and their IdM needs Nature of VO’s Identity and Access Controls Collaboration and Domain Apps The Bedrock Grant The cloth we have SAML and federated identity Growing ability to integrate social identity Group management with some privilege add-ons Collaboration management platforms Domesticated applications Making the suit fit

4 kjk@internet2.edu The art of tailoring Fitting identity and access management systems to collaborations Serve both the collaboration and domain apps Leverage and plumb into emergent federated identity infrastructure Collaborations are like snowflakes – no two are alike. A big variety in the needs and styles of collaborations Work with the collaboration to analyze their needs – for most, “gee, we never thought about things this way…”

5 kjk@internet2.edu General VO Characteristics Multi-institutional, usually multi-national collaborations Frequently centered on unique instruments (e.g. CERN, Sloan), data repositories (e.g. medical records, economic data), etc A VO is distinct from a general collaboration by formal roles, ownership of resources, real budgets, scholarly deliverables, accountability and audit requirements, etc. Use standard collaboration tools and domain tools, often in an integrated fashion VO’s have business processes but they don’t know them…

6 kjk@internet2.edu VO Requirements for Identity Management Permit or deny access control to wiki pages, calendars, computing resources, version control systems, file sharing and drop boxes, etc Add or remove people from groups Create new subgroups, identify overlapping memberships, etc. Add/delete people to mailing lists, wikis, etc Ad hoc calendaring; VO activity calendaring Create and delete/archive users, accounts, keys Identify group membership on a given date Usage reporting, metering and throttling VO generally focus more heavily on distributed management or self- service than most brick-and-mortar institutions do

7 kjk@internet2.edu Integration of identity and access control Identity and access control (groups) need to integrate across three science environments Command-line-managed instruments generate data feeds that populate data bases Using web browsers, scientists access the database, mark events, set data feeds, etc. Other communities come in through science gateways and portals Federated identity and domestication of applications is needed Automated provisioning and deprovisioning a big win

8 kjk@internet2.edu More on the VO IdM How VO and Enterprise IdM differ Enterprise IdM (usually) has a stronger LoA Enterprise IdM (usually) have a stronger infrastructure VO’s have less privilege crust than enterprises VO’s never think about deprovisioning VO’s don’t think much about privacy, except sometimes very deeply Some VO’s are deep in science and less wide in outreach Some are as much wide as deep

9 kjk@internet2.edu VO Requirements: Applications Collaborative Federated, Access controlled wikis File shares and Drop Boxes Lists, Chats, Ad hoc calendaring, Netmeetings, Audioconferences, etc. Domain SSH iRods, databases Globus, Open Science Grid, etc. NSF, NIH, DoE, etc. Biotorrent

10 kjk@internet2.edu Meeting the VO Identity /Access Control needs Leverage federated identity Integrate institutional and VO attributes Use groups for primary access control – understandable to most Integrate with campus processes (identity management, course memberships, citizenship and other attributes) Address security and privacy in ways that are appropriate, yet invisible to the user and the collaboration

11 kjk@internet2.edu Single Profile As VO’s get more data-centric in nature, profiles are the automated way to match users with new data sources, and a simple access control mechanism Attributes with profile determine wiki permissions, db privileges The controlled vocabulary/ontology aspects of profiles needs active management tools as well as storing the profiles and managing releases. Some of the new NSF data nets are using multiple profiles; single profile is the next single sign-on…. VIVO is an important building block for answers here http://www.vivoweb.org/

12 kjk@internet2.edu The “Bedrock” Grant Building from Bedrock: Infrastructure Improvements for Collaboration and Science – an NSF OCI grant (Fall, 2010) Focus on further developing and integrating tools to allow collaborations to operate efficiently in the IdM space COmanage Grouper Shibboleth Beginning the art of tailoring technology to collaboration http://www.internet2.edu/bedrock/

13 kjk@internet2.edu Engaged VO’s LIGO – www.ligo.org - high profile international gravitional physicswww.ligo.org iPlant – www.iplantcollaborative.org - comprehensive cyberinfrastructure for Plant Biologywww.iplantcollaborative.org Bamboo - http://projectbamboo.org/ - comprehensive cyberinfrastructure for Arts and Humanitieshttp://projectbamboo.org/ GENI – www.geni.net - NSF next generation Internet researchwww.geni.net Earth Science Women’s Network http://www.sage.wisc.edu/eswn/ - international peer-mentoring for women in earth sciences http://www.sage.wisc.edu/eswn/

14 kjk@internet2.edu

15 How collaborative is LIGO? Blindly (secretly) injected simulated signal into data stream Much activity ensued! 7000 emails exchanged 3 TB of data analysis output 150 (long and detailed) wiki pages constructed 50 people actively writing paper All of this for one astrophysical (non) event…

16 kjk@internet2.edu Observations from LIGO Efficient collaboration begins with scalable and robust identity management infrastructure that can easily be leveraged and integrated with the wide spectrum of tools LIGO scientists use to collaborate and analyze the LIGO data. Middleware, including Shibboleth and Grouper, is enabling more LIGO science through easier collaboration and access to resources. Science VOs have little IdM experience and need consulting to prevent repeating old mistakes IdM is the bedrock foundation but alone is not enough Collaboration management platforms (CMP) needed Efficiency for researchers is key Need to spin up collaboration spaces quickly and easily

17 kjk@internet2.edu The Cloth we work with SAML and federated identity A set of powerful attribute and authorization tools, connectable to Bedrock Person registries and VO business processes Group management with add-ons for permissions Domesticated applications and back-ends

18 kjk@internet2.edu The Importance of Groups As federated identity blooms, so does federated access control needs, especially in R&E 100’s of wikis with 100’s of users, dynamic adds (not sigh, deletes) File shares, calendar coordination, gated chat rooms, etc… Scholarly authorship, management of the collaboration 80% of authorization needs can be addressed through groups 15% more can be addressed badly through groups…

19 kjk@internet2.edu Collaboration Management Platforms An integrated “collaboration identity management system” Provides basic group and role management for a group of federated users Plugs into federated infrastructure to permit automatic data management A growing set of applications that derive their authentication and authorization needs from such external systems Collaboration apps – wikis, lists, calendaring, netmeeting Domain apps – instruments, databases, computers, storage

20 kjk@internet2.edu CMP from the technical perspective A combination of enterprise tools refactored for VO’s Shib, Grouper, Directories, etc A person registry with automated life-cycle maintenance Includes provisioning and deprovisioning A place to create, maintain local attributes Using Groups and Roles A place to combine local and institutional attributes for access to applications A place to push/pull attributes to domesticated applications Attributes delivered via SAML, LDAP, X.509, etc

21 kjk@internet2.edu Deployment options for a CMP Proprietary approaches – Google Apps, MS Live Embedded in a portal or gateway As a stand-alone platform, assembled from components, with application servers around it In a cloud, with apps in the cloud As a national service Surfnet – http://www.surfnet.nl/en/Thema/coin/Pages/Default. aspx

22 kjk@internet2.edu Domesticated Applications Wikis, Chats, Lists, Jabber, etc. Drupal, Moodle, Sakai, etc Audioconferencing and netmeeting Ad hoc and group event calendaring Sharepoint, Webex, Adobe Connect, etc File sharing, drop boxes, etc Administrative SaaS, including Salesforce, Workday, etc. A steadily growing list at https://wiki.surfnetlabs.nl/display/domestication/Overview

23 http://www.internet2.edu/comanage/ A set of replaceable modules: user console, person registry, Shibboleth IdP and SP, Grouper, provisioning and deprovisioning, etc. A set of domesticated apps A kit, not a VM or a service Funded by an NSF-SDCI grant and Internet2 API developed for the platform now in use at LIGO 23 – 6/18/2016, © 2011 Internet2

24 kjk@internet2.edu The art of tailoring Bringing powerful tools that can be used in VO and institutional contexts Federated identity Group and privilege management Registries Bringing in a different way of thinking Of systemic business and collaborative processes Of leveraging an attribute ecosystem And listening and learning the organizational mission and culture To make the VO look marvelous…

25 kjk@internet2.edu IdM geeks think differently… A rich understanding of Internet identity Bringing in an IdM perspective Separating roles and groups from identity Life-cycle of privilege, triggers, thresholds, etc Provisioning and deprovisioning Starting with fresh new VO’s is good to avoid legacy bad code

26 kjk@internet2.edu VO Assessment Tool Culture and management Community – users, outreach, admin, etc Application Requirements Access Control and Profiles Existing Middleware infrastructure https://spaces.internet2.edu/display/COmanage/CO+Requi rements+Assessment

27 kjk@internet2.edu Helping with basic VO IdM infrastructure Name space Local schema Multiple federation issues Use of social identity Attribute aggregation

28 kjk@internet2.edu Tailoring dimensions - 1 Breadth of outreach – influences identity approaches Depth of science – impacts security and LOA Size of the collaboration and capabilities of IT staff Assemble piece parts or use an outsourced platform Locus of collaborators Global scheduling, availability of identities, etc. Affects privacy and ARP issues

29 kjk@internet2.edu Tailoring dimensions - 2 Dataness of collaboration – affects needs for taxonomies, profiles, etc. Management style of collaboration Role of PI’s, collabmins, sources of authority Separate instruments lead to more complex authorization Nature of collaborators Balance of tools, communicating styles, etc Autonomy of collaborations When to include vs. to do VO-federation

30 kjk@internet2.edu Intake and Enrollment Process The automatic enrollment of individuals into a CMP as a result of input from the participating institutions' central IdM systems via federated tools such as Shibboleth or protocols such as OAuth. Multi-stage process Invitation or self-registration tool Provisioning on the CMP Identity intake – static or dynamic Enrollment - The process of inviting, adding to groups, establishing authorizations in the CO

31 kjk@internet2.edu Identity Flows

32 kjk@internet2.edu Typical Tailoring Issue: Where to Put the Access Control At the IdP or at the SP At the portal or in the back-end db E.g. domesticating iRods Teach its internal policy engines to do attributes Convert attributes to iRods policy at the portal Use cases are diverse May depend on meter and throttle needs Use personal allocations or group allocations

33 kjk@internet2.edu Looking Ahead Integrating international CMP standards if LOFAR is using COIN and LIGO is using COmanage... The metadata of a CMP (identifiers supported and indexed, name spaces, etc) Managing attribute release better Tagging apps and attribute bundles Putting the informed into “informed consent” Campuses bridging the gap to VO’s, rather than ignoring them VO’s spreading the gospel…

Download ppt "SMXL: Tailoring Technology to Collaboration. SMXL FAQ Is SMXL a new web scripting language? No, it is the art of tailoring IdM and access."

Similar presentations

Implementing Tableau Server in an Enterprise Environment

Implementing Tableau Server in an Enterprise Environment
Managing User, Computer and Group Accounts

Managing User, Computer and Group Accounts
From Authentication to Privilege Management to the Attribute Economy: Marketing runs amok…

From Authentication to Privilege Management to the Attribute Economy: Marketing runs amok…
Chapter Five Users, Groups, Profiles, and Policies.

Chapter Five Users, Groups, Profiles, and Policies.
Which server is right for you? Get in Contact with us 021- 671 2170

Which server is right for you? Get in Contact with us
Drive-By Dialogues. Presenter’s Name Topics The Long Strange Trip of I2 – NLR Merger A Brief Comment on Optical Networking Middleware Developments Security.

Drive-By Dialogues. Presenter’s Name Topics The Long Strange Trip of I2 – NLR Merger A Brief Comment on Optical Networking Middleware Developments Security.
© 2006 IBM Corporation IBM Software Group Relevance of Service Orientated Architecture to an Academic Infrastructure Gareth Greenwood, e-learning Evangelist,

© 2006 IBM Corporation IBM Software Group Relevance of Service Orientated Architecture to an Academic Infrastructure Gareth Greenwood, e-learning Evangelist,
70-290: MCSE Guide to Managing a Microsoft Windows Server 2003 Environment Chapter 1: Introduction to Windows Server 2003.

70-290: MCSE Guide to Managing a Microsoft Windows Server 2003 Environment Chapter 1: Introduction to Windows Server 2003.
Asper School of Business University of Manitoba Systems Analysis & Design Instructor: Bob Travica System architectures Updated: November 2014.

Asper School of Business University of Manitoba Systems Analysis & Design Instructor: Bob Travica System architectures Updated: November 2014.
Peter Deutsch Director, I&IT Systems July 12, 2005

Peter Deutsch Director, I&IT Systems July 12, 2005
Identity and Access Management IAM A Preview. 2 Goal To design and implement an identity and access management (IAM) middleware infrastructure that –

Identity and Access Management IAM A Preview. 2 Goal To design and implement an identity and access management (IAM) middleware infrastructure that –
Widely Distributed Access Management Tom Barton University of Chicago.

Widely Distributed Access Management Tom Barton University of Chicago.
SaaS, PaaS & TaaS By: Raza Usmani

SaaS, PaaS & TaaS By: Raza Usmani
Presenter’s Name InCommon Approximately 80 members and growing steadily More than two million “users” Most of the major research institutions (MIT joining.

Presenter’s Name InCommon Approximately 80 members and growing steadily More than two million “users” Most of the major research institutions (MIT joining.
© 2008 Hewlett-Packard Development Company, L.P. The information contained herein is subject to change without notice. HP Automates Infrastructure Outsourcing.

© 2008 Hewlett-Packard Development Company, L.P. The information contained herein is subject to change without notice. HP Automates Infrastructure Outsourcing.
Copyright © The OWASP Foundation Permission is granted to copy, distribute and/or modify this document under the terms of the OWASP License. The OWASP.

Copyright © The OWASP Foundation Permission is granted to copy, distribute and/or modify this document under the terms of the OWASP License. The OWASP.
Intro to Identity for Developers Tom Barton, U Chicago Scott Cantor, Ohio State Patrick Michaud, U Washington.

Intro to Identity for Developers Tom Barton, U Chicago Scott Cantor, Ohio State Patrick Michaud, U Washington.
Cloud computing is the use of computing resources (hardware and software) that are delivered as a service over the Internet. Cloud is the metaphor for.

Cloud computing is the use of computing resources (hardware and software) that are delivered as a service over the Internet. Cloud is the metaphor for.
Introduction to Grouper Part 1: Access Management & Grouper Tom Barton University of Chicago and Internet2 Manager – Grouper Project.

Introduction to Grouper Part 1: Access Management & Grouper Tom Barton University of Chicago and Internet2 Manager – Grouper Project.
Updates on Internet Identity. Topics Consumer marketplace update The big consumer players – OIX - and the other big consumer players.

Updates on Internet Identity. Topics Consumer marketplace update The big consumer players – OIX - and the other big consumer players.

Similar presentations

Ads by Google