Running List: Collab Stuff Framework Services Appliance

Transcription

1 Running List: Collab Stuff Framework Services Appliance

2 Next Steps Appliance

3 Next Steps Service Internet2 to put together a service instance in skunkworks, using previous code, Shib, Grouper, etc. Dutch to do the same, using

4 Some Next Steps MarkeJng/PR Graphics/slides for comanage as a lightweight collab planorm linked to the waffles of federajon Surfnet Graphics/slides for comanage refactored for enterprise or federajon level deployment Video of the four types of users using comanage/apps Ala hrp:// accessmanagement/federajon/animajon.aspx

5 Next Steps Process Figure out groups dev, community,?? Figure out communicajon modes and Jmes for each group Work out the internajonal dimensions in dev and in apps

6 Next Steps Framework Understand scope of framework what concepts included/excluded Understand, for concepts within scope, the specificajons linked to the concept Specific instance domesjcajon? Is the externalizajon LDAP or SAML or ApplicaJon service registry issues (coordinajon of domesjcajon)

7 More steps framework IdenJfy good candidates/work arounds for the missing elements of the model, e.g. STS, provisioning Open up an account linking discussion

8 Current Comanage Materials

9 PosiJoning COmanage Comanage is not intended as an enterprise class approach, though many enterprises and federajons may well deploy large numbers of instances or a refactored for industrial use implementajon Comanage is intended as a collaborajon class approach that works well and sustainably with enterprise, federated and interfederated infrastructure CollaboraJon class means lightweight in scope of services commonly managed (just IdM), minimal applicajon requirements, easy implementajon opjons (for example as a collaborajon support appliance offered in a cloud), lack of enterprise oriented features (such as a full ESB), etc. Works well and sustainably with enterprise, federated and interfederated infrastructure means that Comanage can easily and gracefully link Comanage and federated accounts, work with data feeds from enterprise services, be refactored to leverage different types of infrastructure, etc. A lightweight collaborajon support approach that integrates with deeper infrastructure

10 Types of folks sysadmin install a new instance of the sobware, and configure it service mgr (the person managing a CO instance, which may contain muljple COs) create a new VO, grant mgmt priv's to others archive the content of a VO phase 2 remove a VO definijon Collabadmin manages a single specific VO manage the home page of the CO enable a new service to support the work of the VO; use the mgmt GUI of the specific applicajon to assign priv's within the applicajon manage a group (create a group, manage membership, delete the group)invite a person to join the VO (automajcally adding person to some groups collabadmin manage each service (these acjons would be done within each service) configure a service (eg this list should be associated with ldap group X manage permissions within a service (eg GROUP X can do ACTION Y) power user PI, with some enhanced funcjonality, a subset end user go to the "home page" of the CO navigate to services supporjng the work of the CO (service specific; uses GUI provided by applicajon) various acjons within the services supporjng the work of the CO, depending on how privileges have been assigned

11 STS services {K, SAML} in, GridShib cert out Pubcookie in, SAML out Authn in, dedicated user/pwd out SAML token in, webcookie out

12 Binding the framework to app development environments: At what level does stuff need to be specified Which development environments.net, php, Apache Who will write the services

13 Framework 1 Several different but consistent perspecjves, for different audiences CIO (block funcjonality flows) Apps developer (API s, services, etc) User (user workflows, for different types of users) Others? Framework also has layers Language and tech specs Data and metadata specs (to follow later) Others?

14 Block flow framework parts A local datastore STS (security token service, aka credenjal convertor) Provisioning/deprovisioning into local store service An account linking mechanism Group and privilege manager (represent as unified for now) SP stub Local IdP InvitaJon engine Plug and play service for apps that want it ARribute services (?) Policy engine System monitoring and diagnosjcs User dashboard that includes a user collaborajon data feed service

15 Org IdP Org IdP Org IdP Org IdP integrated domesjcated authn/link attrs/authz legacy provision confluence drupal sympa apache/iis bedework SAKAI3 TeraGrid uportal webfiles Google Groups legacy legacy OSG persona SP Local store local store user attrs user accounts groups & privs platform use provisioner policy engine monitoring diagnosjcs user invitajon account linking service manager register provisioning user dashboard service status notifications access manager groups privilege s IdP STS LDAP ID services

16 drupal sympa bedework confluence SAKAI3 webfiles apache/iis Google Groups OSG TeraGrid legacy legacy uportal Collabmin adds a new CO to the platform 1. Create group, assign Admin to power user 2. Allocate service resources IdP LDAP STS ID services provisioner collabmi Org Org Org Org IdP IdP IdP IdP access manager user invitajon service manager groups privilege s service status notifications register provisioning policy engine n SP account Local local linking store store user dashboard monitoring diagnosjcs user attrs user accounts groups & privs platform use

17 drupal sympa bedework confluence SAKAI3 webfiles apache/iis Google Groups OSG TeraGrid legacy legacy uportal Power user invites a collaborator and gives them privileges 1. Invite user 2. Add user to CO group 3. User receives invitation token, presents it to invitation service to register with the platform IdP LDAP STS ID services provisioner power user end user Org Org Org Org IdP IdP IdP IdP SP access manager user invitajon account linking user dashboard service manager groups privilege s service status notifications register provisioning policy engine Local local store store monitoring diagnosjcs user attrs user accounts groups & privs platform use

18 drupal sympa bedework confluence SAKAI3 webfiles apache/iis Google Groups OSG TeraGrid legacy legacy uportal End user accesses a service 1. User goes to service 2. Redirected to platform IdP, then back to user s home 3. Platform attributes, groups, and privs added IdP LDAP STS ID services provisioner end user Org Org Org Org IdP IdP IdP IdP SP access manager user invitajon account linking user dashboard service manager groups privilege s service status notifications register provisioning policy engine Local local store store monitoring diagnosjcs user attrs user accounts groups & privs platform use

19 drupal sympa bedework confluence SAKAI3 webfiles apache/iis Google Groups OSG TeraGrid legacy legacy uportal End user accesses a service 1. User goes to service 2. Redirected to platform IdP, then back to user s home 3. Platform attributes, groups, and privs added IdP LDAP STS ID services provisioner end user Org Org Org Org IdP IdP IdP IdP SP access manager user invitajon account linking user dashboard service manager groups privilege s service status notifications register provisioning policy engine Local local store store monitoring diagnosjcs user attrs user accounts groups & privs platform use

20 Shared files CollaboraJon map publish wiki events list read/write receive Execute jobs on shared resources read students in authorized classes Project leaders Admin list post ScienJsts Teaching LMS read/write Foodle TA and RA

21 Shared files CollaboraJon map wiki read General public publish Colleagues list read/write Foodle respond publish ACCI members ACCI Chairs Admin list Awards DB read/write NSF personnel

22 App developer framework Two types Stand alone app Apps wriren in an applicajon development environment, e.g..net or Spring or Make clear that app data stays in app, not in comanage Presents a set of services which ones

23 App developer framework Services provided are: Authn Authz (Y/N/?) ARributes for app needs Provisioning (?) Some kind of monitoring Services explicitly not provided are:

24 How do apps get info Push into legacy apps DomesJcated apps ask for it DomesJcated apps need to speak LDAP or SAML or generic STS

25 Flows

26 Refactoring COmanage Right word for the concept? Unbundling, debinding, distribujng What are likely refactorings? What connecjons need to be in place among refactored pieces

27 Parked issues Discussion of how to share the work of domesjcajng apps Cutover issues for exisjng VO's, and type of collabs to target for appliance, etc DomesJcated Zimbra a lot of us are interested in it and claim to have connecjons with the company How might the appliance and an RSS feed offer a "collaborajon stream Maintaining a base level appliance Serng a new Jme for the COmanage dev calls Assess the viability of the exisjng appliance code base

28 More parked issues VOMS comparison/integrajon Licensing issues ApplicaJon check in services Developing use cases Is the proper technical phrasing claimsaware, STS aware, externalized or something else

29 ARribute Flows ScienJst COmanage ACLs cloud ACLs LDAP IDP wiki R 1 Systems of Record p o r t a l R 2 Agency A non-real-time push model

30 ARribute Flows Student cloud COmanage Systems of Record wiki IDP R 1 p o r t a l A real-time pull model R 2

31 Important CharacterisJcs of Flows Across trust domains SemanJc control enforced at COmanage

32 Front Door 1. Rabbit accesses CO in usual fashion, login via Shib 2. Rabbit clicks button on CO front page to access Science Portal (flow shown) The CO SVCs 1. SP Grouper 2. Ldap 4. Science Portal 5. IDP Home IDP 3. SP portal