Current Middleware Picture
Tom Barton, University of Chicago
MACE: Objective & Modus Operandi
• Promote deployment of common middleware infrastructure across higher ed
• Practices, standards, models, tools, documentation to facilitate campus design & implementation
• Community-based, community-driven
• Early adopters, working groups
• Liaison, collaboration with other middleware communities
• Demonstrate viable models to vendor community
Current activities span …
• … typical dimensions of middleware for management of security
  • Directories, identifiers, schema
  • Authentication
  • Authorization
  • Messaging
  • Diagnostics
  • Operational practices
• but …
… take account of realities that are particularly higher ed
• Students
• Courses
• Multiple affiliations
• Multiple authorities and authority structures
• Self-identified activities
• Loosely affiliated populations
• Activities that span many organizations
Selected Harvest
• Recent releases
  • eduPerson (200604)
  • Enterprise Authentication Implementation Roadmap
  • Higher Education Person Survey
  • Use Cases: AAMC Identifier in Identity Management Systems
  • Shibboleth 1.3d
  • Signet 1.0
  • Grouper 0.9
  • Nexus pre-release 3
• And a few integrative moments
Identity & Access Management: Functional Vocabulary

Verb                   Objects
Reflect                Data of interest from systems of record into registry, directory
Join                   Identity information across systems
Manage                 Credentials, group memberships, affiliations, privileges, services, policies
Provide                IAM info via
                         - relay thru run-time request/response
                         - provisioning into App/Service stores
Authenticate (AuthN)   Claimed identities
Authorize (AuthZ)      Access or denial of access
Log                    Usage for audit
Connecting Sources of Authority
Attribute Management & Delivery: Affiliation, Privilege, & Privacy

[Architecture diagram; component labels recovered from the slide]
• Sources of authority: Core Business Systems (SIS, HR) and Distributed Authorities / Self
• Loaders feed the Person Registry; alongside it sit the Group Registry (Grouper) and the Privilege Registry (Signet)
• LDAP directory entry (example): uid: jdoe, eduPersonAffiliation: …, isMemberOf: …, eduCourseMember: …, eduPersonEntitlement: …
• Delivery: Shibboleth/GridShib Attribute Authority with Attribute Release Policies (ShARPe), Subject API, Nexus
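The slide pairs the directory entry (uid, eduPersonAffiliation, isMemberOf, eduCourseMember, eduPersonEntitlement) with attribute release policies, which is where the privacy part of "Affiliation, Privilege, & Privacy" is enforced: the attribute authority releases to each relying party only what its policy permits. The following is an added example, not code from the deck or from Shibboleth, ShARPe or any MACE project, showing that default-deny, value-level filtering on a constructed entry. The policy dictionary format, the relying-party URLs and the sample values are all assumptions made for this illustration.

```python
"""Attribute release filter for an attribute authority (illustrative).

Implements the deck's 'Provide' and 'Log' verbs over a directory entry
shaped like the one on the slide. Policy syntax and data are constructed
for this example and are NOT the syntax used by Shibboleth or ShARPe.
"""
from typing import Dict, List, Union

Entry = Dict[str, Union[str, List[str]]]
Policy = Dict[str, List[str]]

# Constructed directory entry in the shape the slide shows.
PERSON: Entry = {
    "uid": "jdoe",
    "eduPersonAffiliation": ["student", "member"],
    "isMemberOf": ["cs101:students", "chess-club", "payroll:viewers"],
    "eduCourseMember": ["cs101"],
    "eduPersonEntitlement": ["urn:example:library:ebooks"],
    "mail": "jdoe@example.edu",
}

# Constructed per-relying-party policies (hypothetical URLs).
# Default deny: an attribute not listed for a relying party is never
# released. Each attribute maps to permitted values; "*" releases every
# value, and a trailing "*" matches a value prefix (e.g. "cs101:*").
POLICIES: Dict[str, Policy] = {
    "https://lms.example.edu/shibboleth": {
        "eduPersonAffiliation": ["student", "faculty", "staff"],
        "eduCourseMember": ["*"],
        "isMemberOf": ["cs101:*"],
    },
    "https://library.example.edu/shibboleth": {
        "eduPersonEntitlement": ["*"],
    },
}


def _value_allowed(value: str, allowed: List[str]) -> bool:
    """True if a single attribute value matches any permitted pattern."""
    for pattern in allowed:
        if pattern == "*" or pattern == value:
            return True
        if pattern.endswith("*") and value.startswith(pattern[:-1]):
            return True
    return False


def release(person: Entry, policies: Dict[str, Policy],
            relying_party: str, audit: List[dict] = None) -> Dict[str, List[str]]:
    """Return the attributes (and values) the policy allows for this relying party.

    An unknown relying party gets nothing. Attributes with no surviving
    values are omitted entirely, so their existence is not revealed.
    If an audit list is supplied, one record of the release is appended
    (the 'Log: usage for audit' verb from the deck's vocabulary).
    """
    policy = policies.get(relying_party)
    released: Dict[str, List[str]] = {}
    if policy is not None:
        for attr, allowed in policy.items():
            values = person.get(attr, [])
            if isinstance(values, str):
                values = [values]
            kept = [v for v in values if _value_allowed(v, allowed)]
            if kept:
                released[attr] = kept
    if audit is not None:
        audit.append({
            "uid": person.get("uid"),
            "relying_party": relying_party,
            "released": sorted(released),  # attribute names only, not values
        })
    return released


if __name__ == "__main__":
    log: List[dict] = []
    for rp in list(POLICIES) + ["https://unknown.example.org/shibboleth"]:
        print(rp, "->", release(PERSON, POLICIES, rp, log))
    print("audit:", log)
```

Note what the filter withholds for the LMS: the "member" affiliation and the "payroll:viewers" and "chess-club" memberships are dropped, and uid and mail are never released because the policy does not name them. Logging attribute names rather than values keeps the audit trail itself from becoming a second copy of the released data.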
Finishing What’s On Our Plate
• Shibboleth 2.X & openSAML 2
  • Delegation, standards-based webSSO
  • Enhanced management (AU partnership)
• Signet 1.X & Grouper 1.X
  • Signet API, UI customization, XACML
  • Group math
  • Common rules engine, final Subject API
Finishing What’s On Our Plate
• Documentation
  • Integrated story of when & how to deploy tools
  • Concrete scenarios harvested from early adoption
• Toolset integration
  • Harmonious design: configuration, internationalization, installation, site integration, composability
Tour of related track sessions
• Tuesday
  • Federations – 1:15
  • EDDY – 3:00
  • FWNA – 4:30
  • VO Management – 4:30
• Wednesday
  • Preparing for Shibboleth – 8:45
  • Roles & Privileges – 1:15
  • PKI & USHER – 1:15
  • Inter-campus resource sharing – 3:00
  • Accessibility – 4:15
  • Managing Middleware – 4:15