The Future of Indoor Plumbing. Dr Ken Klingenstein Director, Internet2 Middleware and Security

Transcription

1 The Future of Indoor Plumbing Dr Ken Klingenstein Director, Internet2 Middleware and Security

2 Topics The Work So far Indoor, policy-based plumbing IdM in the enterprise Inter-realm and inter-institutional The Next Several Years Internet identity Interfederation and confederation In collaboration and virtual organizations In the Internet of Things In the attribute ecosystem and the Tao of Attributes

3

4 Over the last ten years, we ve built Enterprise identity middleware plumbing Directories, Authentication, Single Sign-on, Group managers, some authorization Connected the applications to the plumbing Extended the enterprise to work in a bigger world with federations Created a foundation for collaboration

5 Enterprise IdM middleware plumbing 4

6 Indoor, policy-based plumbing Before this, each application had to provide its own identity management authentication, groups and privileges, etc After this, applications can use an set of pipes and services that provide basic identity Applications can concentrate on what they are special at The pipes have standard interfaces to help the applications use them What flows through these pipes are identity, assurance and attributes

7

8

9

10

11 Connecting applications to plumbing Academic applications E-learning, Grids, Access to Digital content Administrative applications The infrastructure apps Legacies and the systems of records The collaboration tools , web, calendaring, IM, etc (Collaboration management platforms) The network layer needs plumbing too (Firewall negotiation, Spam control, Network access)

12 E-learning

13 Grids

14 The Legacy Administrative Apps

15 Federation - Extending beyond the institution The need to collaborate drove the R&E community to create SAML and Shibboleth Federations have technical and policy sides Aggregate, secure, and distribute members metadata Coordinate policies, attributes, etc Showed that privacy, secrecy and security could coexist Now applies to clouds, national service providers

16 Early federations without indoor plumbing

17 Modern federation

18 Looking back, some of the easier pieces The design of the technology we saw a different problem and solved it in the obvious way Getting attention the need for Internet identity was growing We are not so much different from the corporate world we just have a more urgent need to collaborate beyond our organizational borders

19 Looking back, some of the hard parts... Implementing the technologies Policies - Getting the institution to understand what it does and document it The many types of communities we serve The embedded base of bad solutions Having the legacy applications learn to rely on, and supply, the middleware layer Dealing with a mess of privacy laws

20 Middleware Architects

21

22 Looking Forward The future of Internet identity and privacy Interfederation and confederation Collaborations and Virtual Organizations Non-web applications The Internet of things The Attribute Ecosystem and the Tao of Attributes

23 Internet identity futures Integration of social networking and federated identity technologies OpenId within the Shibboleth platform edupersonopenid? Attribute management within OpenId Focus on business processes, not on protocols Privacy management by end-users The attribute ecosystem becomes the real set of issues

24

25 Interfederation Connecting autonomous federations Critical for global scaling, accommodating state and local federations, integration across sectors Has technical, financial and policy dimensions Elegant technical solution being developed in the edugain project of Geant Policy activities in Kalmar2 Union, Geant, Kantara, Terena

26 MDX metadata exchange protocol Institutions and organizations will pick a registrar to give their metadata to Institutions and organizations will pick an aggregator (or several) to get their partners metadata from Aggregators exchange metadata with each other and registrars If this sounds like DNS registration and routing, it is, one layer up In the land of data, metadata is king; imagine many new kinds of metadata

27 Confederation The union of federations Primary use case is Europe Ultimately represents an alignment of policies (privacy, cookies, etc), attributes (semantics), and others more than a technology Policy space looks very hard Differences among national policies Differences between national and EU policies Differences between policies and courts

28 Collaborations and Virtual Organizations IdM is a critical dimension of collaboration, crossing many applications and user communities Virtual organizations represent critical communities of researchers sharing domain resources and applications as well as general collaboration tools. Providing a unified identity management platform for collaboration is essential in a multi-domain, multi-tool world. Lots of activities in domesticating applications to work in a federated world, moving from tool-based identity to collaboration-centric identity.

29 Domestication of applications The work of re-factoring applications to use the emergent identity services infrastructure Begins with federated identity and authentication, use of directories; gains a lot from group management for access control, etc Needs a fine grain set of authorization tools down the road Domesticated apps can receive IdM attributes via LDAP, SAML, X.509, SQL, Kerberos PAC, and maybe all of the above

30 COmanage can provide authentication and basic authorization services (group membership, privilege management, etc) to domesticated apps Domesticated applications currently include Mediawiki, Confluence, Jira, Subversion, Sympa, Listserv, Drupal, Nagios, Wordpress, Git. Plan to add audioconferencing, IM and chat rooms, EC2, Fedora, web-based file share, etc. Not collaboration in a box. More collaboration in an open-standard, integrated box. The stand-alone can be readily replumbed to be completely integrated into enterprise, federated or other attribute ecosystems as they develop Implemented as a service or as a VM, perhaps in a cloud

31 Collaboration Management Platform (CMP) and the Attribute Ecosystem Collaboration Tools/ Resources File Sharing Calendar List Manager Phone/ Video Conference Federated Wiki Domain Science Instrument Domain Science Grid Application Attributes Collaboration Management Platform Co Authorization Group Info Authorization Privilege Info manage Authentication People Picker Other Functions Attribute/Resource Info Data Store Attribute Ecosystem Flows Home Org & Id Providers/ Sources of Authority University A University B Laboratory X Sources of Authority

32 drupal legacy webfiles Google Groups OSG apache/iis TeraGrid uportal sympa SAKAI3 bedework confluence IdP End user accesses a service 1. User goes to service 2. Redirected to platform IdP, then back to user s home 3. Platform attributes, groups, and privs added legacy LDAP ST S ID services provisioner 3 2 end user SP access manager user invitation account linking user dashboard service manager groups privilege s policy engine Local local store store service status notifications register provisioning user attrs user accounts groups & privs platform use monitoring diagnostics 32

33 drupal legacy webfiles Google Groups OSG apache/iis TeraGrid uportal sympa SAKAI3 bedework confluence End user accesses a service 1. User goes to service 2. Redirected to platform IdP, then back to user s home 3. Platform attributes, groups, and privs added legacy 2 3 IdP 1 LDAP ST S ID services provisioner 3 2 end user SP 2 access manager user invitation account linking user dashboard service manager groups privilege s policy engine Local local store store service status notifications register provisioning user attrs user accounts groups & privs platform use monitoring diagnostics 33

34 drupal legacy webfiles Google Groups OSG apache/iis TeraGrid uportal sympa SAKAI3 bedework confluence Collabmin adds a new CO to the platform 1. Create group, assign Admin to power user 2. Allocate service resources legacy 2 IdP 1 collabmi n 2 SP LDAP access manager user invitation account linking user dashboard service manager ST S ID services groups privilege s provisioner policy engine Local local store store service status notifications register provisioning user attrs user accounts groups & privs platform use monitoring diagnostics 34

35

36 Non web applications Many non-web apps want federated identity wireless roaming, videoconferencing, soft phones, signed , Grids, next-generation Internet, calendaring, etc. Adding federated authentication and authorization to them is generally engineered on a per case basis. The embedded base of devices, systems, etc that are part of the non-web applications space is huge and diverse. ISOC, GEANT and others are interested but the task is daunting.

37 Non-web Applications

38

39 The Internet of things We have built the Internet of computers and now the Internet of people and identity; next is things. Federation is a powerful model it provides a degree of local freedom but a scalable infrastructure; with interfederation it can reach Internet scale. Devices need to have identity, attributes, access control privileges, etc that tend to federate and also need to interact with identity federation. Next generation Internet work has many types of federated voodoo federations of identities, of firewalls, of routers, etc.

40

41 Trust, Identity and the Internet Acknowledges the assumptions of the original protocols about the fine nature of our friends on the Internet and the subsequent realities ISOC initiative to introduce trust and identity-leveraged capabilities to many RFC s and protocols First target area is DKIM; subsequent targets include SIP and firewall traversal (trust-mediated transparency)

42 The Attribute Ecosystem Authentication is very important, but identity is just one of many attributes And attributes provide scalable access control, privacy, customization, linked identities, federated roles and more We now have our first transport mechanisms to move attributes around SAML and federations There will be many sources of attributes, many consumers of attributes, query languages and other transport mechanisms Together, this attribute ecosystem is the access control layer of infrastructure

43 Attribute use cases are rapidly emerging Disaster first responders attributes and qualifications dynamically Access-ability use cases Public input processes anonymous but qualified respondents Grid relying parties aggregating VO and campus attributes The IEEE problem The over legal age and the difference in legal ages use cases Self-asserted attributes friend, interests, preferences, etc

44 Key Issues Attribute aggregation Metadata of attributes, LOA, etc Sources of authority and delegation Schema management, mapping, etc User interface Privacy and legal issues

45 Attribute aggregation From where - Gathering attributes from multiple sources From IdP or several IdP From other sources of authority From intermediaries such as portals When - static and dynamic acquisition Some attributes are volatile (group memberships); others are static (Date of Birth) Some should be acquired per assertion; some once in a boarding process Will require a variety of standardized mechanisms Bulk feeds, user activated links, triggers

46 The Tao of Attributes workshop 属性之道 Purpose of workshop was to start to explore the federal use case requirements for attributes, aggregation, sources of authority, delegation, query languages, etc. Participants were the best and brightest the folks who invented LDAP, SAML, OpenId, etc. Webcast at Twittered at TAOA

47 Principles of the Tao Least privilege/minimal release Using data closest to source of authority Late and dynamic bindings where possible Dynamic identity data increases in value the shorter the exposure. How much meaning is encoded in the attribute versus context, metadata? How much flat attribute proliferation can be managed through a structured data space? 47

48 Future applications

49

50

51 But without the indoor plumbing...

52 Noel