1 / 47

Internet2 Middleware Activities Progress

Explore various activities and initiatives related to Internet2 Middleware, including Mace, Early Harvest/Early Adopters, LDAP Recipe, EduPerson, Directory of Directories, Shibboleth, PKI Labs, and more.

jsheila
Télécharger la présentation

Internet2 Middleware Activities Progress

An Image/Link below is provided (as is) to download presentation Download Policy: Content on the Website is provided to you AS IS for your information and personal use and may not be sold / licensed / shared on other websites without getting consent from its author. Content is provided to you AS IS for your information and personal use only. Download presentation by click this link. While downloading, if for some reason you are not able to download a presentation, the publisher may have deleted the file from their server. During download, if you can't get a presentation, the file might be deleted by the publisher.

E N D

Presentation Transcript

  1. Internet2 Middleware Activities Progress Renee Wqodten Frost, Project Manager, Internet2 Middleware Initiative I2 Middleware Liaison, University of Michigan ………………. And an ensemble of hundreds

  2. Activities • Mace - RL “Bob” Morgan (Washington) • Early Harvest / Early Adopters - Renee Frost (Michigan) • LDAP Recipe - Michael Gettes (Georgetown) • EduPerson - Keith Hazelton (Wisconsin) • Directory of Directories - Michael Gettes (Georgetown) • Metadirectories - Keith Hazelton (Wisconsin) • Shibboleth - Steven Carmody (Brown) • PKI Labs - Dartmouth and Wisconsin • HEPKI-TAG and PAG - Jim Jokl (Virginia) and Ken Klingenstein (Colorado) • HEBCA - Mark Luker (EDUCAUSE) • Medical Middleware - Rob Carter (Duke), Jack Buchanan (UT, Memphis) • Opportunities - video, the GRID, K-12 CNI Spring 2001 Task Force Meeting

  3. MACE (Middleware Architecture Committee for Education) • Purpose: to provide advice, create experiments, foster standards, etc. on key technical issues for core middleware within higher ed • Membership: Bob Morgan (UW) Chair • Steven Carmody (Brown) • Michael Gettes (Georgetown) • Keith Hazelton (Wisconsin) • Paul Hill (MIT) • Jim Jokl (Virginia) • Mark Poepping (CMU) • David Wasley (U California) • Von Welch (NCSA) CNI Spring 2001 Task Force Meeting

  4. Early Harvest and Early Adopters • Early harvest in the barn… • http://middleware.internet2.edu/best-practices.html • Early adopters aggressively doing deployments • http://middleware.internet2.edu/earlyadopters • Michigan Tech, U Maryland BC, Johns Hopkins, etc • http://www.colorado.edu/committees/DirectoryServices/ CNI Spring 2001 Task Force Meeting

  5. LDAP Recipe • How to build and operate a directory in higher ed • 1 Tsp. DIT planning 1 Tbsp Schema design 3 oz. configuration 1000 lbs of data • Good details, such as tradeoffs/recommendations on indexing, how and when to replicate, etc. • http://www.georgetown.edu/giia/internet2/ldap-recipe/ CNI Spring 2001 Task Force Meeting

  6. LDAP Recipe Contents • Directory Information TreeSchema DesignDirectory of Directories for Higher Education (DoDHE) expectationsSchema Design (continued)Schema: How to upgrade it?Password ManagementBindingseduPerson attribute discussionsAccess ControlReplicationName PopulationLDAP filter config file for white pagestelephoneNumber formattingCHANGELOG CNI Spring 2001 Task Force Meeting

  7. A directory objectclass intended to support inter-institutional applications Fills gaps in traditional directory schema For existing attributes, states good practices where known Specifies several new attributes and controlled vocabulary to use as values. Provides suggestions on how to assign values, but it is up to the institution to choose. Version 1.0 now done; one or two revisions anticipated eduPerson CNI Spring 2001 Task Force Meeting

  8. eduPerson inherits attributes from person, iNetOrgPerson Some of those attributes need conventions about controlled vocabulary (e.g. telephones) Some of those attributes need ambiguity resolved via a consistent interpretation (e.g. email address) Some of the attributes need standards around indexing and search (e.g. compound surnames) Many of those attributes need access control and privacy decisions (e.g jpeg photo, email address, etc.) Issues about Upper Class Attributes CNI Spring 2001 Task Force Meeting

  9. eduPersonAffiliation eduPersonPrimaryAffiliation eduPersonOrgDN eduPersonOrgUnitDN eduPersonPrincipalName eduPersonNickname New eduPerson Attributes CNI Spring 2001 Task Force Meeting

  10. Multi-valued list of relationships an individual has with institution Controlled vocabulary includes: faculty, staff, student, alum, member, affiliate, employee Applications that use: DoD, white pages eduPersonAffiliation CNI Spring 2001 Task Force Meeting

  11. Single-valued attribute that would be the status put on a name badge at a conference Controlled vocabulary includes: faculty, staff, student, alum, member, affiliate, employee Applications that use: DoD, white pages eduPersonPrimaryAffiliation CNI Spring 2001 Task Force Meeting

  12. userid@securitydomain EPPN may look like an email address but it is used by different systems. One must be able to authenticate against the EPPN used in inter-realm authentication such as Shibboleth In some situations, it can be used for access control lists; if used, a site should understand the reassignment policy. eduPersonPrincipalName CNI Spring 2001 Task Force Meeting

  13. eduPerson 1.0 done, along with FAQ and letter to implementers Ties closely to LDAP recipe Version 2.0 to include attributes for videoconferencing, additional collaboration factors, links to Grids, portals, etc. Check with web site for additional changes Participate: mace-dir@internet2.edu Next Steps CNI Spring 2001 Task Force Meeting

  14. A Campus Directory Architecture Border directory Metadirectory Enterprise directory OS directories (MS, Novell, etc) Departmental directories Dir DB Registries Source systems CNI Spring 2001 Task Force Meeting

  15. A Directory of Directories • An experiment to build a combined directory search service • To show the power of coordination • Will highlight the inconsistencies between institutions • Technical investigation of load and scaling issues, centralized and decentralized approaches • Human interfaces issues - searching large name spaces with limits by substring, location, affiliation, etc... • Two different experimental regimes to be tested • centralized indexing and repository with referrals • large-scale parallel searches with heuristics to constrain search space • SUN donation of server and iPlanet license (6,000,000 dn’s) • Michael Gettes, Georgetown, is the project manager CNI Spring 2001 Task Force Meeting

  16. DoD Architecture • Inputs to DoDHE • Inputs: Local Site View • Central Deposit Service • DoD Config Directory • Operation • Search Operations • Search Drill Down from a list CNI Spring 2001 Task Force Meeting

  17. Inputs Remote Site Directories Remote Data Sources LDAP Oracle Etc… Search Data Filtering & Submit to CDS DoD Config Central Deposit Systems (CDS) CNI Spring 2001 Task Force Meeting

  18. CDS Inputs: Local Site View Submit final LDIF to CDS using authenticated POST via HTTPS. Local Data Source LDAP Filter LDIF according to local policy. Generate new LDIF for submission. DODHE Generate LDIF Data CNI Spring 2001 Task Force Meeting

  19. Inputs: Why this way? • Standardized input is LDIF • Could be XML but few products generate XML now (01/2001) • Could use Metamerge Integrator as filter and submission mechanism • Site always submits full dataset. No worry of reconciling. Easier site participation in the DoDHE service. • CDS handles reconciliation and controls data processing. Can provide feedback. CNI Spring 2001 Task Force Meeting

  20. Metadirectories: Metamerge • www.architech.no is now Metamerge • Higher Education Contact for USA • Keith Hazelton, University of Wisconsin – Madison • hazelton@doit.wisc.edu • This product is available free of charge to Higher Ed in USA • Source code will be in escrow. See Keith for further details. CNI Spring 2001 Task Force Meeting

  21. Metamerge Features • GUI development environment • NOT a Meta-Directory, but a tool to build same functionality • Various Languages: JavaScript, Java, Perl, Rexx, etc… • Various Parsers: XML, LDIF, CSV, Script Interface, etc … • for input and output • Various Connectors: COMport, Files, HTTP, HTTPserver, FTP, LDAP, JDBC, Oracle and more … • The product is ALL Java CNI Spring 2001 Task Force Meeting

  22. This begs the following … • If you were given both this Metamerge LDIFTransformer and a Perl script that is the basis for the same functionality – each need to be customized for local purposes – which appears more attractive to you? • Answer: from querying various institutions on this question the common response, nearly 100%, is that use of Metamerge is good, interesting and yields other possibilities not likely with just a Perl script. So, the DoDHE will progress assuming Metamerge. If your institution would like to do something different, then you are welcome to do so. Hopefully a common solution will have benefits beyond a custom solution. CNI Spring 2001 Task Force Meeting

  23. Shibboleth • A word which was made the criterion by which to distinguish the Ephraimites from the Gileadites. The Ephraimites, not being able to pronounce sh, called the word sibboleth. See --Judges xii. • Hence, the criterion, test, or watchword of a party; a party cry or pet phrase. • - Webster's Revised Unabridged Dictionary (1913): CNI Spring 2001 Task Force Meeting

  24. Shibboleth • An initiative to analyze and develop mechanisms(architectures, frameworks, protocols and implementations) for inter-institutional web access control • Facilitated by Mace (a committee of leading higher ed IT architects) and Internet2 • “Authenticate locally, act globally” the Shibboleth shibboleth • Oriented towards privacy and complements corporate standards efforts • Open solution • http://middleware.internet2.edu/shibboleth • Vendor participation - IBM et al CNI Spring 2001 Task Force Meeting

  25. Isn’t This What PKI Does? • PKI does this and a whole lot more; as a consequence, PKI does very little right now • End-to-end PKI fits the Shibboleth model, but other forms of authentication do as well • Uses a lightweight certificate approach for inter-institutional communications - uses the parts of PKI that work today (server side certs) and avoids the parts of PKI that don’t work today (eg client certs). • Allows campuses to use other forms of authentication locally • May actually have benefits over the end-user to target-site direct interactions... CNI Spring 2001 Task Force Meeting

  26. Related Work • Previous DLF work • http://www.clir.org/diglib/presentations/cnis99/sld001.htm • OASIS Technical Committee (vendor activity, kicked off 1/2001) • http://www.oasis-open.org/committees/security/index.shtml • http://lists.oasis-open.org/archives/security-services/ • UK - Athens and Sparta projects • http://www.jisc.ac.uk/pub00/sparta_disc.html • Spain - rediris project • http://www.rediris.es/app/papi/index.en.html CNI Spring 2001 Task Force Meeting

  27. Assumptions • “authenticate locally, act globally” the Shibboleth shibboleth • Leverage vendor and standards activity wherever possible • Disturb as little of the existing campus infrastructure as possible • Work with common, minimal authorization systems (eg htaccess) • Encourage good campus behaviors • Learn through doing • Create a marketplace and reference implementations • We will not be another dead guppy • Protect Personal Privacy! CNI Spring 2001 Task Force Meeting

  28. Scenarios leading to requirements Establish model architectures for common services and scenario-specific services Develop service and protocol requirements Identify service options/begin protocol development Produce open implementations of missing service components; provide external services as needed Development Process CNI Spring 2001 Task Force Meeting

  29. Model • Local Authentication • Local Entity Willing to Create and Sign Entitlement • Set of assertions about the user (Attribute/value pairs) • User has control over disclosure • Identity optional • “active member of community”, “Associated with Course XYZ” • Target responsible for Authorization • Rules engine • Matches contents of entitlements against ruleset associated with target object • Cross Domain Trust • Previously created between origin and target • Perhaps there is a contract (information providers..) CNI Spring 2001 Task Force Meeting

  30. Shibboleth ArchitectureConcepts - High Level Browser Pass content if user is allowed Target Web Server Authorization Phase Authentication Phase First Access - Unauthenticated Origin Site Target Site CNI Spring 2001 Task Force Meeting

  31. Shibboleth ArchitectureConcepts #1 (managing trust) Club Shib Server (holds certs and contracts) Attribute Server Shib htaccess plugin Target Web Server Browser Origin Site Target Site CNI Spring 2001 Task Force Meeting

  32. Campus and Resource Requirements • To Participate in Shibboleth, a site must have: • Campus-wide authentication service • Campus-wide identifier space (EPPN) • Implementation of EduPerson objectclass • Ability to generate attributes (eg “active member of the community”) CNI Spring 2001 Task Force Meeting

  33. Issues • Personal Privacy (reasonable expectation, laws) • Relation to local weblogin (Single Signon) • Portals • Use of Shibboleth framework by services beyond the web • Grid resources and users CNI Spring 2001 Task Force Meeting

  34. There are component services that are assumed to exist already on campuses There are new functional services that must be implemented There are new protocols that must be developed There are data and metadata definitions that must be standardized. Internals of the Shibboleth Model:Functions and Standards CNI Spring 2001 Task Force Meeting

  35. Internals of the Shibboleth Model:Services, standards, protocols Identifier privacy engine Institutional shib key distribution service Where from service Web access control service Inter-realm information exchange protocols for authentication and authorization OASIS XML Standard Credential Factory Local authentication service Web SSO service Local Shibboleth control point Local attribute server CNI Spring 2001 Task Force Meeting

  36. Project Status/Next Steps • Requirements and Scenarios document nearly finished • IBM and Mace-Shibboleth are refining architecture and evaluating issues • IBM intends to develop an Apache web module • Internet2 intends to develop supporting materials (installation, documentation, etc) and web tools (for htaccess construction, filter and access control, remote resource attribute discovery). • Technical design complete - April, 2001 • Coding... • Pilot site start-up - Aug, 2001 • Public demo- Internet2 Fall Member Meeting 2001 CNI Spring 2001 Task Force Meeting

  37. Shibboleth, eduPerson, and everything else Middleware Inputs & Outputs Licensed Resources Embedded App Security Grids OKI JA-SIG & uPortal Inter-realm calendaring futures Shibboleth, eduPerson, Affiliated Dirs, etc. Enterprise AuthZ Campus web sso Enterprise Directory Enterprise Authentication Legacy Systems CNI Spring 2001 Task Force Meeting

  38. Internet2 PKI Labs • At Dartmouth and Wisconsin in computer science departments and IT organizations • Doing the deep research - two to five years out • Policy languages, path construction, attribute certificates, etc. • National Advisory Board of leading academic and corporate PKI experts provides direction • Catalyzed by startup funding from ATT CNI Spring 2001 Task Force Meeting

  39. HEPKI-TAG • Chaired by Jim Jokl, Virginia • Certificate profiles • survey of existing uses • development of standard presentation • identity cert standard recommendation • Mobility options – IETF SACRED scenarios • Public domain software alternatives CNI Spring 2001 Task Force Meeting

  40. HEPKI-PAG • David Wasley, UCOP, prime mover • Draft certificate policy for a campus • HEBCA certificate policy • FERPA • State Legislatures • Gartner Group Decision Maker software CNI Spring 2001 Task Force Meeting

  41. Medical Middleware • Unique requirements - HIPAA, disparate relationships, extended community, etc. • Unique demands - 7x24, visibility • PKI seen as a key tool • Mace-med recently formed to explore the issues CNI Spring 2001 Task Force Meeting

  42. The complex challenges of academic medical middleware • Intra-realm issues - multiple vendors, proprietary systems, evolving regulations • Enterprise issues - security, directories, authorization; balance of institutional and medical enterprises • Inter-realm issues - standards, gateways, common operational processes and policies, performance • Multiple communities of interest - institutional, medical center, affiliated hospitals, state and federal regulatory and certification organizations, insurance companies, medical researchers, etc. CNI Spring 2001 Task Force Meeting

  43. Client (in this scenario) Server (in this scenario) Request lab data, This Soldier, this time frame VA Clinical System DoD Clinical System Who’s asking? What role? What is need to know? Convert to server’s terms Where is lab info on this person? Who is this person? Who knows this person? Request observation Health Information Locator Service (HILS) Terminology Query Service (TQS) outbound Clinical Observation Access Service (COAS) Person Identification Service (PIDS) Resource Access Decision (RAD) The applications view of medical upperware CNI Spring 2001 Task Force Meeting

  44. The enterprise architect view of medical middleware Internet Research Systems Hospital Administrative Systems Medical Administrative Systems App dir LAN dir Border Directory Peer institutions Institutional Student Financial Personnel Systems Enterprise directory Corporate collaborators PKI Federal State Gov’ts Person registry Authorization Services Authentication Services CNI Spring 2001 Task Force Meeting

  45. Video • A variety of tools - vic/vat, H.323, MPEG 2, HDTV • Point-to-point and MCU options • H.323 desktop video within reach at physical layer • Lacks identifiers and authentication • EPPN and Shibboleth-type flow could address CNI Spring 2001 Task Force Meeting

  46. K-12 • The killer app may be a spreadsheet and resource discovery • Directories to locate information • Directories to store experiments • Technology isn’t enough CNI Spring 2001 Task Force Meeting

  47. More information • Early Harvest / Early Adopters: http://middleware.internet2.edu/earlyadopters/ • Mace: middleware.internet2.edu • LDAP Recipe: http://www.georgetown.edu/giia/internet2/ldap- recipe/ • EduPerson: www.educause.edu/eduperson • Directory of Directories: middleware.internet2.edu/dodhe • Shibboleth: middleware.internet2.edu/shibboleth • HEPKI-TAG: www.educause.edu/hepki • HEPKI-PAG: www.educause.edu/hepki • Medical Middleware: web site to follow • Opportunities: video, the GRID, K-12 CNI Spring 2001 Task Force Meeting

More Related