Network Identity Management Concepts and Standards: The Key Role of Middleware

Size: px

Start display at page:

Download "Network Identity Management Concepts and Standards: The Key Role of Middleware"

Augusta Atkinson
8 years ago
Views:

1 Network Identity Management Concepts and Standards: The Key Role of Middleware Keith Hazelton, University of Wisconsin IT Architect Internet2 Middleware Architecture Committee for Education

University of Wisconsin IT Architect Internet2

2 Please ask questions at any time!!! Tokyo University, Sept. 26,

3 Network Identity Management Concepts and Standards: The Key Role of Middleware Introductions Middleware: What and Why? Concepts and Architectures Tokyo University, Sept. 26,

4 Enterprise Middleware Definitions Tokyo University, Sept. 26,

5 Map of Middleware Land Tokyo University, Sept. 26,

6 So what is Core Middleware? Suite of campus-wide security, access, and information services Integrates data sources and manages information about people and their contact locations Establishes electronic identity of users Issues identity credentials Uses administrative data and management tools to assign affiliation attributes and gives permission to use services based on those attributes Tokyo University, Sept. 26,

information about people and their contact locations Establishes electronic identity of users Issues

7 Some key terms Talk first about a person (you) Attributes: specific items of information about you or associated with you. Identity: the whole set of attributes about you dd dd dd hfjakfhlafhh dd hfjakfhlafhh dd hfjakfhlafhh hfjakfhlafhh dd Tokyo University, Sept. 26, hfjakfhlafhh

Identity: the whole set of attributes about you dd dd dd hfjakfhlafhh

8 Some key terms Then remind you that these terms can apply as well to online resources, servers and services Attributes: specific items of information about X or associated with X. Identity: the whole set of attributes about X dd dd dd hfjakfhlafhh dd hfjakfhlafhh dd hfjakfhlafhh hfjakfhlafhh dd hfjakfhlafhh Tokyo University, Sept. 26,

9 Another key term Identity credential Something issued to you (or to X) by an organization It associates you with a specific identity known to the organization Tokyo University, Sept. 26,

10 More key terms Authentication (AuthN) process of proving your identity by presenting an identity credential. In IT systems, often done by a login process Authorization (AuthZ) process of determining if policy permits a requested action to proceed Often associated with an authenticated identity, but not always and not necessarily Tokyo University, Sept. 26,

In IT systems, often done by a login process Authorization (AuthZ) process of determining

11 Another key term: Identifiers Identifiers your electronic identification Multiple names and corresponding information in multiple places Single unique identifier for each authorized user Names and information in other systems can be cross-linked to it Admin systems, library systems, building systems Tokyo University, Sept. 26,

each authorized user Names and information in other systems can be cross-linked to

12 Definition: Enterprise Directory Services Enterprise Directory services - where your electronic identifiers are reconciled and your institutional identity is established and maintained Very quick lookup function Machine address, voice mail box, box location, address, campus identifiers Tokyo University, Sept. 26,

established and maintained Very quick lookup function Machine address, voice mail

13 Underlying Concepts & Architecture

14 What IT needs to do Determine who you are Determine what resources you can use Tokyo University, Sept. 26,

15 Three service architectures: #1 Stovepipe (or Silo) Service performs its own authentication. Consults own database for authorization and customization attributes (Traditional or legacy service architecture). service authn attrs Tokyo University, Sept. 26,

Consults own database for authorization and customization

16 #1 Stovepipe (or Silo) Architecture Characteristics Stovepipes authentication and attribute services are run by separate offices. Environment is more challenging to users, who may need to contact each office to arrange for service. No automated life cycle management of resources. Per-service identifiers and security practices make it more difficult to achieve a given level of security across the enterprise. Tokyo University, Sept. 26,

Environment is more challenging to users, who may need to contact each office to arrange for service.

17 Three service architectures: #2 Integrated Service refers authentication to and obtains attributes for authorization and customization from enterprise infrastructure services (modern service architecture). authentication service attribute service An Organization Tokyo University, Sept. 26, service1 service2

infrastructure services (modern service architecture).

18 #2 Integrated Architecture Characteristics Enterprise authentication and attribute services are run by a central office. All attributes known by the organization about a member can be integrated and made available to services. Automated life cycle resource management is possible across the enterprise. Common identifiers across integrated services make an easier and more secure user environment. Tokyo University, Sept. 26,

All attributes known by the organization about a member can be integrated and made available to services.

19 Three service architectures: #3 Federated Service refers authentication to and obtains attributes for authorization and customization from possibly external infrastructure services (emerging service architecture). authentication service attribute service Tokyo University, Sept. 26, service Organization 1 Organization 2

infrastructure services (emerging service architecture).

20 #3 Federated Architecture Characteristics Federated authentication and attribute services rely on participating organization s enterprise services. Inter-organizational applications such as Grids and digital-library content provision are integrated with and facilitated by enterprise services. Tokyo University, Sept. 26,

Inter-organizational applications such as Grids and digital-library content

21 Middleware Initiative Objective Help prepare campuses to implement core middleware for an integrated and ultimately a federated architecture. authentication service attribute service An Organization service1 service2 Tokyo University, Sept. 26,

22 Core middleware for an integrated architecture Tokyo University, Sept. 26,

23 Demo analysis Set of demos portray: Seamlessness of transitions between services Independence of location of service or user Suites of services designed to support activities of different constituencies Absence of need to make prior arrangement for resources required to enable services Tokyo University, Sept. 26,

24 Provisioning Vignette: New staff member accessing campus portal <to model> authn Account Init HRS Metadirectory attrs My UW Madison Tokyo University, Sept. 26,

25 Federated/Restricted Resources Vignette: Sam using remote, online database <to architectures> Content Provider Database1 Database 2 A University B University Federation Tokyo University, Sept. 26,

26 Integrated Services Architecture: University of Wisconsin Portal Demo Tokyo University, Sept. 26,

27 Federated Services Architecture: Blackboard, Inc. Shibboleth Demo webapps/portal/frameset.jsp Tokyo University, Sept. 26,

28 Websites and Discussion Lists Websites Middleware information and discussion lists Tokyo University, Sept. 26,

29 Questions and Comments? Keith Hazelton University of Wisconsin/Internet2 Tokyo University, Sept. 26,

Identity and Access Management for Federated Resource Sharing: Shibboleth Stories

Identity and Access Management for Federated Resource Sharing: Shibboleth Stories http://arch.doit.wisc.edu/keith/apan/ apanshib-060122-01.ppt Keith Hazelton (hazelton@doit.wisc.edu) Sr. IT Architect,