1 The Future of Indoor Plumbing
Dr Ken Klingenstein Director, Internet2 Middleware and Security

2 Topics
The work so far
  Indoor, policy-based plumbing
  IdM in the enterprise
  Inter-realm and inter-institutional
The next several years
  Internet identity
  Interfederation and confederation
  In collaboration and virtual organizations
  In the Internet of Things
  In the attribute ecosystem and the Tao of Attributes

4 Over the last ten years, we’ve built
Enterprise identity middleware plumbing: directories, authentication, single sign-on, group managers, some authorization
Connected the applications to the plumbing
Extended the enterprise to work in a bigger world with federations
Created a foundation for collaboration

5 Enterprise IdM middleware plumbing

6 Indoor, policy-based plumbing
Before this, each application had to provide its own identity management – authentication, groups and privileges, etc
After this, applications can use a set of pipes and services that provide basic identity
Applications can concentrate on what they are special at
The pipes have standard interfaces to help the applications use them
What flows through these pipes are identity, assurance and attributes

11 Connecting applications to plumbing
Academic applications: e-learning, Grids, access to digital content
Administrative applications: the infrastructure apps, legacies and the systems of record
The collaboration tools: web, calendaring, IM, etc… (collaboration management platforms)
The network layer needs plumbing too (firewall negotiation, spam control, network access)

12 E-learning

13 Grids

14 The Legacy Administrative Apps

15 Federation - Extending beyond the institution
The need to collaborate drove the R&E community to create SAML and Shibboleth
Federations have technical and policy sides
  Aggregate, secure, and distribute members’ metadata
  Coordinate policies, attributes, etc
Showed that privacy, secrecy and security could coexist
Now applies to clouds, national service providers

16 Early federations without indoor plumbing

17 Modern federation

18 Looking back, some of the easier pieces…
The design of the technology – “we saw a different problem and solved it in the obvious way”
Getting attention – the need for Internet identity was growing
We are not so much different from the corporate world – we just have a more urgent need to collaborate beyond our organizational borders

19 Looking back, some of the hard parts...
Implementing the technologies
Policies - getting the institution to understand what it does and document it
The many types of communities we serve
The embedded base of bad solutions
Having the legacy applications learn to rely on, and supply, the middleware layer
Dealing with a mess of privacy laws

20 Middleware Architects

22 Looking Forward: The future of Internet identity and privacy
Interfederation and confederation
Collaborations and virtual organizations
Non-web applications
The Internet of things
The Attribute Ecosystem and the Tao of Attributes

23 Internet identity futures
Integration of social networking and federated identity technologies
  OpenId within the Shibboleth platform
  eduPersonOpenId?
  Attribute management within OpenId
Focus on business processes, not on protocols
Privacy management by end-users
The attribute ecosystem becomes the real set of issues

25 Interfederation: Connecting autonomous federations
Critical for global scaling, accommodating state and local federations, integration across sectors
Has technical, financial and policy dimensions
Elegant technical solution being developed in the eduGAIN project of Geant
Policy activities in Kalmar2 Union, Geant, Kantara, Terena

26 MDX – metadata exchange protocol
Institutions and organizations will pick a registrar to give their metadata to
Institutions and organizations will pick an aggregator (or several) to get their partners’ metadata from
Aggregators exchange metadata with each other and registrars
If this sounds like DNS registration and routing, it is, one layer up
In the land of data, metadata is king; imagine many new kinds of metadata

27 Confederation: The union of federations
Primary use case is Europe
Ultimately represents an alignment of policies (privacy, cookies, etc), attributes (semantics), and others more than a technology
Policy space looks very hard
  Differences among national policies
  Differences between national and EU policies
  Differences between policies and courts

28 Collaborations and Virtual Organizations
IdM is a critical dimension of collaboration, crossing many applications and user communities
Virtual organizations represent critical communities of researchers sharing domain resources and applications as well as general collaboration tools.
Providing a unified identity management platform for collaboration is essential in a multi-domain, multi-tool world.
Lots of activities in domesticating applications to work in a federated world, moving from tool-based identity to collaboration-centric identity.

29 Domestication of applications
The work of re-factoring applications to use the emergent identity services infrastructure
Begins with federated identity and authentication, use of directories; gains a lot from group management for access control, etc
Needs a fine-grained set of authorization tools down the road
Domesticated apps can receive IdM attributes via LDAP, SAML, X.509, SQL, Kerberos PAC, and maybe all of the above

30 COmanage can provide authentication and basic authorization services (group membership, privilege management, etc) to domesticated apps
“Domesticated” applications currently include Mediawiki, Confluence, Jira, Subversion, Sympa, Listserv, Drupal, Nagios, Wordpress, Git. Plan to add audioconferencing, IM and chat rooms, EC2, Fedora, web-based file share, etc.
Not “collaboration in a box”. More collaboration in an open-standard, integrated box.
The “stand-alone” can be readily replumbed to be completely integrated into enterprise, federated or other attribute ecosystems as they develop
Implemented as a service or as a VM, perhaps in a cloud

31 Collaboration Management Platform (CMP) and the Attribute Ecosystem
[Diagram: collaboration tools/resources (file sharing, calendar, list manager, phone/video conference, federated wiki, domain science grid, domain science instrument) receive application attributes from the COmanage Collaboration Management Platform (authorization – group info, authorization – privilege info, authentication, people picker, other functions, attribute/resource info data store). Attribute ecosystem flows connect the platform to the home orgs and identity providers that act as sources of authority (Laboratory X, University A, University B).]

32 End user accesses a service
[Diagram: platform services (confluence, drupal, sympa, apache/IIS, bedework, SAKAI3, TeraGrid, uPortal, webFiles, Google Groups, legacy, OSG) sit behind an SP with a local store of user attrs; platform components include user accounts, groups & privs, platform use, provisioner, policy engine, monitoring, diagnostics, user invitation, account linking, service manager, register, provisioning, user dashboard, service status, notifications, access manager, groups, privileges, IdP, STS, LDAP and ID services; the user’s Org IdP sits outside the platform.]
Flow: user goes to service; redirected to platform IdP, then back to user’s home; platform attributes, groups, and privs added
Variants: service gets attributes etc from LDAP or from ID services. Variant: service (or container it’s in) uses STS to obtain usable user token.

34 Collabmin adds a new CO to the platform
[Diagram: the same platform services and components as in the end-user flow, with the collabmin acting through the Org IdP.]
Flow: create group, assign Admin to power user; allocate service resources
Until services expose service management WS interfaces, allocating service resources might be done by encapsulating service management UIs in portlets, so that they all have collabmin sessions established and waiting for the collabmin to use them.

36 Non-web applications
Many non-web apps want federated identity – wireless roaming, videoconferencing, soft phones, signed , Grids, next-generation Internet, calendaring, etc.
Adding federated authentication and authorization to them is generally engineered on a per-case basis.
The embedded base of devices, systems, etc that are part of the non-web applications space is huge and diverse.
ISOC, GEANT and others are interested but the task is daunting.

37 Non-web Applications

39 The Internet of things
We have built the Internet of computers and now the Internet of people and identity; next is things.
Federation is a powerful model – it provides a degree of local freedom but a scalable infrastructure; with interfederation it can reach Internet scale.
Devices need to have identity, attributes, access control privileges, etc that tend to federate and also need to interact with identity federation.
Next-generation Internet work has many types of federated voodoo – federations of identities, of firewalls, of routers, etc.

41 Trust, Identity and the Internet
Acknowledges the assumptions of the original protocols about the fine nature of our friends on the Internet, and the subsequent realities
ISOC initiative to introduce trust and identity-leveraged capabilities to many RFCs and protocols
First target area is DKIM; subsequent targets include SIP and firewall traversal (trust-mediated transparency)

42 The Attribute Ecosystem
Authentication is very important, but identity is just one of many attributes
And attributes provide scalable access control, privacy, customization, linked identities, federated roles and more
We now have our first transport mechanisms to move attributes around – SAML and federations
There will be many sources of attributes, many consumers of attributes, query languages and other transport mechanisms
Together, this attribute ecosystem is the “access control” layer of infrastructure

43 Attribute use cases are rapidly emerging
Disaster “first responders” – attributes and qualifications dynamically
Access-ability use cases
Public input processes – anonymous but qualified respondents
Grid relying parties aggregating VO and campus attributes
The “IEEE” problem
The “over legal age” and the difference in legal ages use cases
Self-asserted attributes – friend, interests, preferences, etc

44 Key issues
Attribute aggregation
Metadata of attributes, LOA, etc
Sources of authority and delegation
Schema management, mapping, etc
User interface
Privacy and legal issues

45 Attribute aggregation
From where - gathering attributes from multiple sources
  From IdP or several IdPs
  From other sources of authority
  From intermediaries such as portals
When - static and dynamic acquisition
  Some attributes are volatile (group memberships); others are static (date of birth)
  Some should be acquired per assertion; some once in a boarding process
Will require a variety of standardized mechanisms – bulk feeds, user-activated links, triggers

46 The Tao of Attributes workshop 属性之道
Purpose of workshop was to start to explore the federal use case requirements for attributes, aggregation, sources of authority, delegation, query languages, etc.
Participants were the best and brightest – the folks who invented LDAP, SAML, OpenId, etc.
Webcast at
Twittered at TAOA

47 Principles of the Tao
Least privilege/minimal release
Using data “closest” to source of authority
Late and dynamic bindings where possible
Dynamic identity data increases in value the shorter the exposure.
How much meaning is encoded in the attribute versus context, metadata?
How much flat attribute proliferation can be managed through a structured data space?
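The aggregation model of slide 45 and the release principles above (least privilege, late binding, meaning encoded in the attribute rather than raw data), with the “over legal age” case from slide 43, as an added example that is not part of the presentation or of COmanage: a constructed IdP-side attribute release step. Store contents, entityIDs and attribute names other than the eduPerson ones are assumptions.

```python
"""Attribute aggregation with per-SP minimal release (constructed example)."""
from datetime import date

# Constructed sources of authority. The onboarding store holds static data
# acquired once; the group service holds volatile data read on every assertion.
ONBOARDING_STORE = {
    "alice": {"eduPersonPrincipalName": "alice@univ-a.example",
              "dateOfBirth": "1990-04-02"},
}
GROUP_SERVICE = {"alice": {"isMemberOf": ["cn=vo-physics", "cn=staff"]}}

def set_groups(user, groups):
    """Group changes take effect on the next assertion (late, dynamic binding)."""
    GROUP_SERVICE[user] = {"isMemberOf": list(groups)}

def aggregate(user):
    """Merge static and dynamic attributes from every source of authority."""
    attrs = dict(ONBOARDING_STORE.get(user, {}))
    attrs.update(GROUP_SERVICE.get(user, {}))
    return attrs

def is_over_age(dob_iso, min_age, today):
    dob = date.fromisoformat(dob_iso)
    had_birthday = (today.month, today.day) >= (dob.month, dob.day)
    return today.year - dob.year - (0 if had_birthday else 1) >= min_age

# Derived attributes encode the decision the SP needs, not the data behind it:
# an age-gated site learns "over 18", never the date of birth.
DERIVED = {"isOver18": lambda a, today: is_over_age(a["dateOfBirth"], 18, today)}

# Release policy keyed by relying-party entityID (constructed values):
# each SP gets only the attributes it needs, unknown SPs get nothing.
RELEASE_POLICY = {
    "https://wiki.vo-physics.example/sp": {"eduPersonPrincipalName", "isMemberOf"},
    "https://age-check.example/sp": {"isOver18"},
}

def release(user, sp_entity_id, today_iso):
    """Attributes the IdP will assert about user to sp_entity_id."""
    allowed = RELEASE_POLICY.get(sp_entity_id)
    if not allowed:
        return {}
    today = date.fromisoformat(today_iso)
    attrs = aggregate(user)          # fresh aggregation per assertion
    out = {}
    for name in sorted(allowed):
        if name in DERIVED:
            try:
                out[name] = DERIVED[name](attrs, today)
            except KeyError:
                pass                 # source data missing: omit, never guess
        elif name in attrs:
            out[name] = attrs[name]
    return out
```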

48 Future applications

51 But without the indoor plumbing...

52 Noel
