ppt
DESCRIPTION
TRANSCRIPT
An Integrated Framework for Identity and Access Management (IAM)
An Integrated Framework for Identity and Access Management (IAM)
RL”Bob” Morgan, U Wash., MACE
Keith Hazelton, U Wisc., MACE
Internet2 Spring Member Meeting
May 3, 2005, Arlington, VA
RL”Bob” Morgan, U Wash., MACE
Keith Hazelton, U Wisc., MACE
Internet2 Spring Member Meeting
May 3, 2005, Arlington, VA
2
Session overviewSession overview
I. Integration: IAM and applications (Keith)
II. Drivers & requirements (RL “Bob”)
III. From talking to doing (Keith again)
3
I: From Construction to IntegrationI: From Construction to Integration
• Construction• Raw materials into systems
• Integration • Subsystems into whole systems• Multiple systems into ecosystems
• We’re all moving from construction to integration
• Let’s review state of middleware systems’ readiness for integration
4
IAM: Generic FunctionsIAM: Generic Functions
Verb Objects
Reflect Data of interest from systems of record into registry, directory
Join Identity information across systems
Manage Credentials, group memberships, affiliations, privileges, services, policies
Provide IAM info via
- run-time request/response
- provisioning into App/Service storesAuthenticate (AuthN) Claimed identities
Authorize (AuthZ) Access or denial of access
Log Usage for audit
5
Reflect, Join, and Manage CredentialsReflect, Join, and Manage Credentials
Systems of Record
Stdnt
HR
Other
Enterprise Directory
Registr
y LD
AP
6
• Collect bits of identity information in all the relevant IT systems
• Use business logic to • Establish which records correspond to the
same person• Maintain that identity join in the face of
changes to data in collected systems
• Assign a unique identifier for cross-system link
Reflect, Join, and Manage CredentialsReflect, Join, and Manage Credentials
7
Manage CredentialsManage Credentials
• When to assign, activate credentials • (as early as possible)
• Who gets them? Applicants? Prospects?• “Guest” NetIDs (temporary, identity-less)• Reassignment (never; except…)• Please send me a feed…
• Argument for WebISO
8
Manage IAM Info and Provide it via run-time calls or provisioningManage IAM Info and Provide it via run-time calls or provisioning
System
s of R
ecord
Central AuthN/WebISO
Apps / ResourcesEnterprise Directory
9
IAM functions & big picturesIAM functions & big pictures
10
IAM functions & big picturesIAM functions & big pictures
Reflect
JoinCredential
Provide/run-time
(AuthN)
Provide/provision
AuthZ
Manage Grps
Manage Privs
Log
11
• The User to Service Provider slice across the systems
Another aspect or perspectiveCourtesy of Mark Poepping, CMUAnother aspect or perspectiveCourtesy of Mark Poepping, CMU
12
Another aspect or perspectiveCourtesy of Mark Poepping, CMUAnother aspect or perspectiveCourtesy of Mark Poepping, CMU
QuickTime™ and aTIFF (LZW) decompressor
are needed to see this picture.
13
The User to Service ProviderperspectiveThe User to Service Providerperspective
14
The User to Service ProviderperspectiveThe User to Service Providerperspective
15
Next-up integration servicesNext-up integration services
• Message queuing (pub-sub, point-to-point)• Workflow (business process orchestration)• Policy info mgmt• Policy decision point
• Service Oriented Architecture (SOA) as current buzz-word for the overall vision• The vision will outlast the name
16
Middleware -- Application IntegrationMiddleware -- Application Integration
• ERPs
• SAKAI
• uPortal
• …
17
IAM and Application IntegrationIAM and Application Integration
18
Inter-institutional integrationInter-institutional integration
• Virtual Organization (VOs)
• Federations
• League of Federations
19
Part II: Drivers & RequirementsPart II: Drivers & Requirements
20
Part III: Doing Integration: Service Oriented Architecture (SOA)Part III: Doing Integration: Service Oriented Architecture (SOA)
• Goals • What software is deployed during an
integration, where and how is it deployed?• What development is needed to accomplish an
integration?• What is the development / deployment process?• How is the installation managed, maintained
and expanded?• How do individual integrations work together
to form an infrastructure?
21
Service Oriented Architecture
(SOA) Migration Strategy Service Oriented Architecture
(SOA) Migration Strategy
• Courtesy of Jim Phelps, Architect• U Wisconsin System Initiative• Common Systems Interoperability
Architecture Working Group (CSIAWG)
22
Migration Strategy - SOAMigration Strategy - SOA
• Organization - Change Management
• Process - Business Process Analysis
• Information - Enterprise Data Definitions
• Infrastructure - Architecture and Technology
• Vendors – Fill the Gaps
23
Migration Strategy - SOA Migration Strategy - SOA
• Organization - Change Management• Culture shift from data to services• Staff Training and Support• New Expertise
• Service Interface Designer(2)
• Service Library Manager(2)
• Integration Competency Centers(3)
24
Integration Competency Center Integration Competency Center
25
Migration Strategy - SOA Migration Strategy - SOA
• Organization - Change Management• Culture shift from data to services• Staff Training and Support• New Expertise
• Service Interface Designer(2)
• Service Library Manager(2)
• Integration Competency Centers(3)
26
Migration Strategy - SOA Migration Strategy - SOA
• Process - Business Process Analysis• Prioritization -Most Pain, Most Gain• Define/Document Business Processes• Look for optimization opportunities• Data needs (timeliness, availability,
etc)• Use disruption to your advantage
27
Migration Strategy - SOA Migration Strategy - SOA
• Information - Enterprise Data Identification
• Let the Business Process Analysis drive the data definitions.
• Don’t build a complete dictionary
• Start with the most needed definitions
• Build on standards
28
Migration Strategy - SOA Migration Strategy - SOA
• Infrastructure - Architecture and Technology
• Gap analysis - what pieces are missing
• Architecture Analysis
• Business Process Analysis and Enterprise Data Identification lead the efforts.
29
Migration Strategy - SOA Migration Strategy - SOA
• We want to fix this business process.
• It needs data and services to/from these systems.
• We need these adaptors and data stores.
• We need these technologies to deploy these services.
30
Migration Strategy - SOA Migration Strategy - SOA
• Vendor - Evaluation to fill gaps• Business Process Analysis• Enterprise Data Identification• Data Definitions / schema
development• Service Design• Technology Gaps
31
Migration Strategy - SOA Migration Strategy - SOA
Always ask “is the request for data really a request for
service”
32
Roadmap to SOARoadmap to SOA
Business Application Level
UW System Level
Campus Level
33
Roadmap to SOARoadmap to SOA
• Integration Competency Center ( ICC )• Registry• Establish Governance• Development Standards• Common Tools
UW System Level
34
Roadmap to SOARoadmap to SOA
• Analysis of Interfaces• Analysis of Business Processes• Reduction of Interfaces• Schema Definitions• Migration to Services
Business Application Level
35
Roadmap to SOARoadmap to SOA
• ICC• Take advantage of disruption• Analysis of Business Processes• Reduction of Interfaces• Migration to Services
Campus Level
36
ReferencesReferences
1. Enterprise Application Integration, Revere Group Presentation June 26, 2003
2. Service-Oriented Architecture, A Field Guide to Integrating XML and Web Services, Thomas Erl
3. Introduction to Integration Competency Centers, Darwinmag.com http://www.darwinmag.com/read/070104/integration.html
4. Enterprise Service Bus, David A. Chappell5. ICC - The Fab Five - Competency Center
Models and core skill sets, CIO Magazine http://www.cio.com/archive/110104/office.html
37
ReferencesReferences
• OASIS on Tuesday is announcing the formation of a technical committee that will develop a reference model to provide clarity on the definition of an SOA, said Duane Nickull, chairman of the new OASIS SOA-RM (Reference Model) Technical Committee and senior standards strategist at Adobe.
-- Infoworld, May 03, 2005
38