Dienstoverstijgend federatief groepsmanagement




Dienstoverstijgend federatief groepsmanagement (Service spanning federated group management)
Project : SURFworks / Collaboration
Project year : 2009
Project manager : Frank Pinxt
Author(s) : Martin van Es
Delivery date : 15 June 2009
Version : 2.0

Summary

Because the federated way of working can by definition span institutions, it is not possible to keep the group data of users from different institutions in a local environment. At present every service therefore realises its own group definitions (for example the Teamsites in SURFgroepen). The consequence is that when the user subsequently wants to use another service, he has to arrange membership of the various groups again within that service. There is no relation between the groups within service A and service B. It is desirable to arrange this group membership once, centrally, so that the group membership can be shared between different services (application environments) and end users are themselves able to determine the composition of their own groups in a simple way.

This report describes both the Technology scouting and the Proof of Concept for service spanning federated group management. The Technology scouting was delivered in 2008 within the SURFworks Programme; the Proof of Concept was carried out in the first half of 2009. For readability and clarity, Technology scouting and Proof of Concept have been combined in this report.

This publication is covered by the Creative Commons Licence Attribution-Noncommercial-Share Alike 3.0 Netherlands. More information about this licence can be found at http://creativecommons.org/licenses/by-nc-sa/3.0/nl/

Colophon
Programme line : SURFworks Technology scouting Collaboration Infrastructure & Federated Collaboratories
Part : 4.2.2
Activity : Federated Collaboratories
Deliverable : Report following research into service spanning federated group management + PoC with one preferred product
Access rights : public
External party : IGI

This project was realised with support from SURF, the organisation that initiates, directs and stimulates ICT innovation in higher education and research, among other things by funding projects. More information about SURF can be found on the website (www.surf.nl).

Context

4 things you should know about service spanning federated group management

Every SURFnet service currently realises its own group definitions (for example the teamsites of SURFgroepen). The consequence is that when a user wants to use another service, he has to arrange membership of the various groups again within that service. It is desirable to arrange this group membership once, centrally. This technology scouting investigated a central facility for recording these group definitions, linked to federated authentication.

What is it? A central directory in which group membership, linked to federated identity, is recorded.

Who is it for? The report Dienstoverstijgend federatief groepsmanagement is intended for technically oriented readers who are interested in the subject and for the SURFworks Programme Management, in preparation for a possible service development track. The report was written in preparation for the possible development of a service for group management for the users of SURFnet services.

How does it work? Users of service spanning federated group management can manage their group membership through a graphical interface. This information is stored in a central database and is in that way also available for use by other services.

What can you do with it? Manage group membership:
- Create groups
- Delete groups
- Add (invite) participants
- Remove participants

Extra (Appendices, Theme, Related themes): Report Technology scouting service spanning federated group management; Proof of Concept service spanning federated group management

Federative Group Management
Technology scouting and proof of concept for service spanning group management
Author: Martin van Es
version: 2.0
date: 15-6-2009
Filename : Eindrapport Dienstoverstijgend federatief Auteur : Martin van Es 5/45

Table of Contents

1 Executive summary ... 8
2 Introduction ... 9
2.1 Service spanning group management ... 9
2.2 Goal ... 9
2.3 What is service spanning group management? ... 9
2.4 A Schoolbook use case example: SURFgroepen & SURFmedia ... 10
2.5 The SURFnet IdP/SP proxy (ESPEE) ... 10
3 Integration Techniques ... 12
3.1 Attributes/Assertions based (authorization) ... 12
3.2 Webservices (SOAP/REST), LDAP, SQL (pull) ... 12
3.3 Direct, automatic provisioning (push) ... 12
3.4 Manual or automated Import/Export (out-of-band) ... 13
3.5 Proxy server based on any of the above ... 13
4 Products ... 14
4.1 COmanage/Grouper ... 14
4.2 IAMSuite ... 15
UABgrid ... 16
4.3 MyVocs ... 16
4.4 SWITCH GMT (Group Management Tool) ... 17
4.5 Imanami Group Management Solutions ... 17
4.6 VOMS ... 17
4.7 UVOS ... 18
4.8 SymLABS Federated Identity Suite: People Service Server ... 18
4.9 Homebrew ... 19
4.10 Other projects worth mentioning ... 19
4.10.1 G-FIV-O ... 19
4.10.2 CUCKOO ... 19
4.11 Conclusion ... 19
5 SURFnet Services requirements ... 21
5.1 Services ... 21
5.1.1 SURFgroepen ... 21
5.1.2 SURFgroepen/Video conferencing ... 21
5.1.3 SURFmedia ... 21
5.1.4 SURFnet TV ... 21
5.1.5 SURFmedia Core ... 21
5.1.6 SURF lists ... 22
5.1.7 Dashboard ... 22
5.1.8 SURF Advisories ... 22
5.1.9 AIRT ... 22
5.1.10 PACT ... 22
5.1.11 Advisories ... 22
5.1.12 Netflow tooling ... 23
5.1.13 Bab ... 23
5.1.14 Infoserver ... 23
5.1.15 External webserver CMS ... 23
5.1.16 FTP mirrorserver ... 23
5.1.17 Mailfilter ... 23
5.1.18 Office Automation ... 23
5.2 Conclusions ... 23
6 Product selection ... 25
6.1 Product candidates ... 25
6.2 Conclusion ... 25
6.3 Proof of Concept ... 25
7 Grouper Proof of Concept ... 26
7.1 Introduction ... 26
7.2 Grouper design philosophy ... 26
7.3 Subject Sources ... 27
7.3.1 Choosing Identifiers for Subjects ... 27
7.4 Grouper interaction ... 28
7.4.1 Grouper Shell (gsh) ... 29
7.4.2 Grouper web User-Interface ... 29
7.4.3 Grouper web services ... 29
7.4.4 Automation ... 32
7.5 Grouper installation ... 33
7.5.1 Grouper ... 33
7.5.2 Grouper-ws (webservices) ... 35
7.6 Grouper empty source issue and proposed solution ... 35
7.7 Grouper Proof of Concept Custom UI ... 37
7.7.1 The interface ... 37
7.7.2 Internal housekeeping of the custom UI ... 43
7.7.3 Grouper PHP SOAP call example ... 44
7.8 Conclusions and Advice ... 45
7.8.1 Grouper installation and setup ... 45
7.8.2 Grouper usage ... 45
7.8.3 Architecture and design ... 45

1 Executive summary

SURFnet seeks to raise the level of integration between the various collaboration services that it delivers to its community. The possibility of applying group management features across the various services is regarded as a requirement to achieve this goal. A short investigation has been made of solutions for service spanning group management, i.e. user groups that can be managed centrally and can be used in different web based applications. SURFnet service managers were also interviewed regarding group management, in order to discover the utility of such groups for their service. In general, one can conclude that the services SURFgroepen and SURFmedia will immediately benefit from centrally managed user groups, but the rest are happy the way they are. If a central group manager were implemented, some service managers could think of possible applications, but they would all be related to role-based authorization based on group membership.

The search for a product resulted in COManage/Grouper as the one most likely to fulfill SURFnet's needs. Grouper offers the best interoperability and developer support of all evaluated products. A Proof of Concept has been done using Grouper. A custom user interface was designed to allow just-in-time provisioning of federated users to the Grouper subject store and to provide a simple group management interface to end users.

2 Introduction

2.1 Service spanning group management

SURFnet strives to create a seamless end-user experience for the different services it runs. With the introduction of the SURFfederation and the SURFGuest IdP (non-federative Identity Provider) it is already possible to log in to all SURFnet services using a single account, where possible the user's account at the organization of origin. Authorization can be provided based on roles provided by the authentication system. Such authorization is implied by the organisation of origin. However, there is a need for user defined authorization, where users can define groups that have access to the content or collaboration environment they have created within the SURFnet services. Many of the SURFnet services facilitate cooperation among end-users of multiple organizations. Hence the groups may contain members of different organizations, implying that roles defined within one organization cannot help out. Group management should be done at the level of the SURFnet services to minimize the administrative overhead and to increase the level of perceived integration.

At this moment each service defines its own groups (e.g. Teamsites in SURFgroepen and mailing list subscribers in Listserv). One consequence is that when the end-user accesses another service, these group definitions have to be created again, even if the group consists of exactly the same members. Even worse: if the group changes, this change has to be applied to the groups in all services. It would be desirable to define a group only once and share it among several services. Although there are some tools that offer this functionality, at this moment it is not known whether these could be used in the SURFnet environment.

2.2 Goal

Evaluate the available tools for group management spanning multiple services, based on offered functionality, technology and interoperability, and test at least one of the best alternatives in a Proof of Concept setup. This technology scouting and Proof of Concept may serve as a stepping stone for further research on Federated Collaborations next year, encompassing the welding of identity, group and privilege management among multi-media cooperation services into one coherent infrastructure of collaborative applications for the SURFnet community.

2.3 What is service spanning group management?

To understand what is meant by service spanning group management, it is useful to look at the SURFfederation first. The federation is a way to authenticate members of different organizations as if they were local users. For this the protected application or service (Service Provider, SP) relies on the ability of the home organization (a so called Identity Provider, IdP) to correctly recognize a local user (local to the IdP) and truthfully tell the Service Provider whether this user has authenticated herself correctly or not. This requires a strong trust relationship between the SP and IdP.

Now suppose a service (SP) is designed to let users of many organizations cooperate in a project so they can act like a group working on a common goal. A group administrator would invite other members to join the group, authorize them and start to work on the project, sharing whatever they need to share in the service to go forward. Now suppose there is another service (SP) that would suit their needs but is designed around a different application framework which caters for other services needed to complete the project. They still need to cooperate in the same group, however, and would like to protect their work from competing groups; in other words: they need the same group in this service. Normally the group administrator would have to recreate the whole group and invite all members to join this group in the new service.

Illustration 1: Service spanning group management

This is where service spanning group management would provide a big advantage: the group would have been defined in a separate service (group manager) once and from there provisioned to all applications. Groups like these are sometimes referred to as Virtual Organisations. How this can be achieved will be explained in Chapter 3, Integration Techniques.

2.4 A Schoolbook use case example: SURFgroepen & SURFmedia

The combination of SURFgroepen and SURFmedia serves as a schoolbook use case example of the requirements of service spanning group management. SURFgroepen is a collaboration environment in which users interact with each other as a group. They share documents, agendas and media like videos. SURFmedia can protect media via an explicit list of email addresses that can view the content. Ideally, users in a SURFgroepen group are able to see videos that can only be seen by group members, without having to supply information about the group members in SURFmedia.

2.5 The SURFnet IdP/SP proxy (ESPEE)

Currently, SURFnet provides a translator (proxy) service to streamline federative authentication and guest (or non-federative) logins for SURFnet services. This translator is called ESPEE and serves as an IdP/SP proxy. The proxy currently forwards authentication requests coming from the different SPs to the responsible IdPs or the Guest-IdP and is able to add attributes when pushing back the results to the SP. One application of this 'attribute enrichment' is quota information for the SURFmedia application. This server would be a trivial choice for group management proxy services (see paragraph 3.5). The subject of this document (a service spanning group manager) could very well be positioned beside ESPEE so that any of the solutions mentioned before could easily be implemented.

Illustration 2: IdP/SP proxy and service spanning group management
1: Assertions based, all user information arrives as attributes.
2: Proxy based group attribute collection.
3: Federative Authentication, specific user attributes by web services like SOAP or REST.
4: Active provisioning of application specific backend information storages (directly or manual).

3 Integration Techniques

As described in the previous chapter, there is a real world use case for service spanning group management, but how can different services be provided with the right information so they would know that certain (federation) members belong to certain groups? A couple of techniques come to mind, which can be divided into roughly 2 types: push and pull. In order for these techniques to be useful, both the server and the application (client) need to understand each other. To accomplish this, some standards have been created. Not all applications understand these standards, but if the server and the client are to communicate, it will probably be based on one of these standards. A good example of a "push" standard is SAML (redirect/POST profile). Two good "pull" examples would be SOAP and REST.

Following are 5 methods that could be used to keep (group) server and clients in sync, ordered by preference. In all cases I assume the group information part to be the required functionality; the way the user is authenticated is regarded as of minor importance unless explicitly mentioned.

3.1 Attributes/Assertions based (authorization)

To authenticate users coming from other organizations (within the federation) a couple of standard protocols have been devised or evolved from each other. Without explaining too many details, all these protocols share techniques to redirect the user (of a web application) to the web server of the home organization for authentication. As soon as the home server has authenticated the user, she will be redirected to the service combined with the right credentials, in such a way that neither the user nor someone else can tamper with the credentials sent along. These credentials are called attributes and are said to "assert" certain statements about the user, ranging from "This user is who she says she is, namely..." to "This user is member of a certain organizational unit". New attributes could be created to assert membership of certain groups ("This user is member of group A, B and F"). In an ideal world, all services would understand an assertions based protocol (for group membership) and all integration efforts would be directed towards deploying an attributes based group manager. Updating or changing applications to work with assertions is probably one of the more difficult routes to follow. Although SAML is suitable to provide a transport mechanism for those attributes, the knowledge about attributes for group membership of SURFnet services is not available at the IdPs and thus needs to be provided or inserted by a third party along the way.

3.2 Webservices (SOAP/REST), LDAP, SQL (pull)

The world is not ideal, so there should be some work-arounds for those applications that cannot be made to understand assertions as described in 3.1. A first alternative could be active inquiry of group membership information by the application at the group manager via common protocols like SOAP (Simple Object Access Protocol) or REST (Representational State Transfer), LDAP or SQL. This would require quite some work for applications that are not prepared to collect this kind of information from an external source, but if the application source is available and the source is well structured this should be a feasible task.

3.3 Direct, automatic provisioning (push)

If an application can't be changed into an application that collects information about group membership from an external source, the group manager could actively inject group membership information into the application information store (either file, database or directory based), on a regular basis or on each change to the group member database. The more open standards are used (e.g. SQL, OpenLDAP) the easier it would be to provision such applications. Proprietary applications that use a proprietary and closed/binary information store would be very hard, if not impossible, to provision and thus difficult to connect to the service spanning group manager. Webservices (3.2) are preferable to direct, automatic provisioning because that would guarantee the group membership data to stay in one central repository. Automatic provisioning would immediately evoke the troubles of deprovisioning as well.

3.4 Manual or automated Import/Export (out-of-band)

In this scenario an operator exports group membership information from the group manager server and imports this into the application. This is the same as 3.3 except for the fact that it requires human intervention or a hand-crafted export / (translate) / import script that can be executed on a regular basis.

3.5 Proxy server based on any of the above

A designated server translates unsupported protocol request types into known web services requests and passes the results back to the applications. This solution could help if the application provides some sort of automation but lacks a common protocol with the server. A proxy solution could in certain cases prove to be easier than changing the application. Of course the protocol used by the client should be well-documented. The idea of having a proxy was born out of the existence of a similar service implemented by SURFnet at the moment (ESPEE, see paragraph 2.5).
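The three integration styles of this chapter (proxy-side attribute enrichment as in 3.1/3.5, a pull lookup as in 3.2, and the push delta with its deprovisioning half as in 3.3) applied to the SURFgroepen/SURFmedia use case of paragraph 2.4, as an added Python example that is not part of the report or its Proof of Concept. It assumes eduPersonPrincipalName as the federated identifier and isMemberOf as the group attribute; the group names, members and the namespacing convention are constructed.

```python
"""Added example (not from the SURFnet report): a toy central group manager
that serves one group definition to several services.

Assumptions (not on the page): the federated identifier is
eduPersonPrincipalName (ePPN), group membership is asserted through the
eduPerson attribute isMemberOf, and the proxy sits between IdP and SP
like ESPEE does.
"""
from __future__ import annotations

from dataclasses import dataclass, field

# Constructed sample data: groups defined once in the central group manager.
# Group names are namespaced per originating service (constructed convention).
SAMPLE_GROUPS: dict[str, set[str]] = {
    "surfgroepen:projectx": {"alice@uni-a.example", "bob@uni-b.example"},
    "surfgroepen:projecty": {"carol@uni-c.example"},
}


@dataclass
class GroupManager:
    """Central group store shared by all services (define once, consume many)."""

    groups: dict[str, set[str]] = field(default_factory=dict)

    @staticmethod
    def _norm(subject: str) -> str:
        # Federated identifiers are compared case-insensitively (assumption).
        return subject.strip().lower()

    # 3.2 pull: what a SOAP/REST/LDAP query from an application would return.
    def groups_of(self, subject: str) -> list[str]:
        s = self._norm(subject)
        return sorted(g for g, members in self.groups.items() if s in members)

    # 3.1 + 3.5: proxy-side attribute enrichment. The IdP knows nothing about
    # SURFnet groups, so the proxy adds isMemberOf on the way back to the SP.
    def enrich(self, attrs: dict[str, list[str]]) -> dict[str, list[str]]:
        # Any isMemberOf sent by the IdP is replaced: only the central manager
        # may assert membership of SURFnet groups to the SPs.
        enriched = {k: list(v) for k, v in attrs.items() if k != "isMemberOf"}
        epns = attrs.get("eduPersonPrincipalName", [])
        if len(epns) != 1:
            # Missing or ambiguous identity: assert no groups rather than guess.
            return enriched
        member_of = self.groups_of(epns[0])
        if member_of:
            enriched["isMemberOf"] = member_of
        return enriched

    # 3.3 push: delta to apply to an application's own membership store.
    # The second set (members to remove) is the deprovisioning problem the
    # report warns about; a sync that only adds silently keeps stale access.
    def provisioning_delta(
        self, group: str, app_members: set[str]
    ) -> tuple[set[str], set[str]]:
        central = {self._norm(m) for m in self.groups.get(group, set())}
        current = {self._norm(m) for m in app_members}
        return central - current, current - central


def sp_authorize(attrs: dict[str, list[str]], required_group: str) -> bool:
    """SP side, e.g. SURFmedia protecting a video for one SURFgroepen group:
    decide purely on the asserted isMemberOf attribute (3.1)."""
    return required_group in attrs.get("isMemberOf", [])


if __name__ == "__main__":
    gm = GroupManager(SAMPLE_GROUPS)
    # Constructed attributes as they would arrive from the home IdP.
    from_idp = {"eduPersonPrincipalName": ["Alice@Uni-A.example"]}
    to_sp = gm.enrich(from_idp)
    print("to SP:", to_sp)
    print("may view projectx video:", sp_authorize(to_sp, "surfgroepen:projectx"))
    print("delta:", gm.provisioning_delta("surfgroepen:projectx", {"bob@uni-b.example"}))
```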

4 Products This chapter will discuss the products that were considered. The products will primarily be evaluated on interoperability. Setup and maintainability are deducted from documentation where possible. Lack of documentation, poor websites, or no reaction from the creators is deemed poorly maintainable. 4.1 COmanage/Grouper From the Grouper FAQ (Wiki): "How do I get group information out of Grouper and into my operational systems? With the 1.0 release, Grouper includes an XML import and export tool that can be used for episodic or periodic provisioning of group info to other contexts. The GrouperShell can likewise be used to load and retrieve group information. With the release of Ldappc 1.0 (the LDAP Provisioning Connector) we now have a near-real-time "provisioning connector" that can update LDAP directories or other run-time security infrastructure services. See LDAP Provisioning Connector for more information. With the release of Grouper 1.2.0 there is also a Web Services interface to Grouper. See https://wiki.internet2.edu/confluence/display/grouperwg/grouper+product for more information." Grouper points of integration: Auteur : Martin van Es 14/45

LDAP Provisioning Connector: https://wiki.internet2.edu/confluence/display/i2micommon/ldappc "Ldappc will not create or delete person entries in LDAP. That's presumed to be the province of the existing IdM operation. As such, a LDAP source containing users that are members of the Grouper groups should already be in place." Webservices: Verdict: https://wiki.internet2.edu/confluence/display/grouperwg/grouper+web+services CoManage Grouper scores high on all fields: very good interoperability, standards compliant, good documentation and close contact with developers. See also: G-FIV-O and CUCKOO. 4.2 IAMSuite Illustration 3: Grouper interoperability (points of integration) http://www.mams.org.au/confluence/display/iam/iamsuite "IAMSuite (Identity and Access Management Suite) is a secure access and collaboration environment. IAMSuite: Auteur : Martin van Es 15/45

supports Shibboleth-based authentication and Single Sign-On (SSO); facilitates a "mini" trust federation (also know as a VO Federation), which accepts commercial certificates, issues trial certificates, manages mutually trusted [IdPs] and SPs, and generates metadata for those [IdPs] and SPs; provides service integration that allows protected services (or collaborative tools: such as Confluence Wiki, JIRA, Fedora Repository, DSpace,...) to be integrated into IAMSuite for SSO and attribute-based authorization; provides a Virtual Organization (VO) infrastructure that supports user selection via email invitations and/or People Picker integration with [IdPs], group management, and attribute-based service access authorization; provides a collaborative environment that supports management of hierarchical goal-oriented workspaces incorporating tools for managing content and service access and role-based access control; and supports Grid access via SLCS plus [MyProxy]" Verdict: IAMSuite only cooperates with tightly integrated and Shibbolized applications without support for active provisioning or a web services based interface and is therefore not a very likely candidate for the SURFnet environment. Documentation and contact with developers was good. UABgrid http://uabgrid.uab.edu/ "UABGrid is the campus infrastructure for computation and collaboration in the Grid environment. The Grid is a ground breaking effort at building an integrated collaboration environment: a computer that is always on and always where you are. It's a collection of resources that makes high performance computing and collaboration environments available to everyone." Verdict: UABgrid does not seem to be what SURFnet is looking for. The "GRID" seems to be hardware and/or computational services oriented. Documentation about setup and technical details was not (easily) available. 
4.3 MyVocs https://spaces.internet2.edu/display/gs/myvocs Verdict: "myvocs is a virtual organization collaboration system (VOCS) developed at the University of Alabama at Birmingham funded by NSF ANI-0330543 "NMI Enabled Open Source Collaboration Tools for Virtual Organizations". Basically, myvocs is a SAMLIdPProxy, a bridge between a federation of Shibboleth IdPs and a federation of Shibboleth SPs. Using myvocs, the SPs (called VO SPs) may be aggregated into virtual organizations (VOs). We think of VOs as people, and the aggregated SPs as a federated set of distributed applications. It is an important feature of myvocs that a single VO SP may serve multiple VOs." Auteur : Martin van Es 16/45

Verdict: MyVocs seems to fill the gap that ESPEE (the SURFnet SP/IdP proxy) was built for, and thus has little added value in this scouting project. Of course, a usable and actively maintained alternative to in-house software is always valuable.

4.4 SWITCH GMT (Group Management Tool)
http://www.switch.ch/aai/support/tools/gmt.html

From the SWITCH website: "The Group Management Tool (GMT) is an easy to install PHP web application that can be used to create and manage groups of Shibboleth users with custom roles in order to use them for access control and authorization. By automatically generating Apache .htaccess files and/or Shibboleth XML AccessControl files, the GMT can restrict access to web server directories or locations on the same host based on the unique ID of a Shibboleth user. Group, role and user information can also be queried by other hosts via PHP, Perl or Java modules coming with the GMT. This allows other applications to integrate the GMT's easy and straightforward user management functions. No database is needed because the GMT stores all the information in easy to edit flat text files."

Verdict: At first glance GMT looks promising, but it uses flat-file storage and e-mail address based identification, which does not make it very suitable for SURFnet's needs.

4.5 Imanami Group Management Solutions
http://www.imanami.com/products/groupmanagement.aspx

Imanami offers three tools for AD based group management. From the Imanami website:

"Directory Transformation Manager ((de-)provisioning): Once Active Directory becomes accurate, DTM allows organizations to synchronize different directories and databases with Active Directory, ensuring that information makes it into (and out of) every necessary data source in your infrastructure.

SmartDL: Automatically create and maintain distribution lists based on directory attributes and turn hours of repetitive work into a few simple clicks! SmartDL, the number one tool for distribution list management!

Web Based Directories: WebDir is a simple, yet powerful, web-based directory and group management solution that can immediately reduce administrative costs and increase the accuracy of Active Directory. Providing self-service, WebDir enables end users to update their own directory information, access a read-only corporate phonebook and change their own passwords based on controls the administrator sets."

Verdict: Since this product is AD based I do not foresee a big future for it at SURFnet, as SURFnet is trying to move away from AD and other proprietary systems as much as possible.

4.6 VOMS (Virtual Organization Membership Service)

http://edg-wp2.web.cern.ch/edg-wp2/security/voms/voms.html

From the VOMS website: "Virtual Organization Membership Service provides information on the user's relationship with her Virtual Organization: her groups, roles and capabilities.
- single login: using voms-proxy-init only at the beginning of the session (was grid-proxy-init)
- expiration time: the authorization information is only valid for a limited period of time, as is the proxy certificate itself
- backward compatibility: the extra VO related information is in the user's proxy certificate, which can still be used with non VOMS-aware services
- multiple VOs: the user may "log in" to multiple VOs and create an aggregate proxy certificate, which enables her to access resources in any of them
The service is basically a simple account database, which serves the information in a special format (VOMS credential). The VO manager can administrate it remotely using command line tools or a web interface."

Verdict: The project seems promising (although the only functionality that makes it stand out from Grouper is a change history) but looks deserted and is probably no longer maintained.

4.7 UVOS
http://uvos.chemomentum.org/index.html

From the UVOS website: "UNICORE VO System (UVOS) is a client-server system, used as an additional tool for other large and generally distributed systems. Grid systems and especially UNICORE grid middleware are the mainspring of the UVOS. UVOS is a part of the Chemomentum project."

Verdict: On examining the documentation and wiki of UVOS it looks almost on par with Grouper, except that it lacks the active LDAP provisioning interface and the hooks/triggers that could make up for this deficiency. On the other hand UVOS has a Swing client interface. However, after a lengthy mail conversation with one of the developers, the conclusion is that for the moment Grouper would probably be the best bet for SURFnet, despite the fact that UVOS would be "easier to install and maintain".
4.8 SymLABS Federated Identity Suite: People Service Server
http://symlabs.com/products/federated-identity-suite/people-service-server

From the Symlabs website: "Symlabs People Service (PS) Server is the component of Symlabs Federated Identity Suite that delivers a full, ready to deploy, Liberty People Service Web Services Provider. It enables secure, cross-principal, online interactions between users and friends in a social context or between users and job roles in a professional context - all with full respect for privacy."

Verdict: Symlabs is, together with Imanami, one of only two commercial parties in this list. After some extensive e-mails it turned out that Symlabs did not have a stock solution for what SURFnet is looking for, but was willing to implement any custom application required for the job. Costs were not discussed at that point.

4.9 Homebrew
Since the requirements for the group management application are quite simple and an IdP proxy (ESPEE) already exists, that server could well serve all necessary requirements to provide a simple yet powerful group management service based on simple building blocks like OpenLDAP and Perl or Python scripts. The most complex part would be the self-service interface. But since the needed actions are limited (subscribe/unsubscribe), this could probably be demonstrated to work (PoC) within the constraints of a limited time and budget. On top of that, ESPEE already manages certain group attributes for extra quota privileges in the SURF media application.

4.10 Other projects worth mentioning

4.10.1 G-FIV-O
http://gfivo.ncl.ac.uk/

From the G-FIV-O website: "G-FIV-O [Grouper to support Federated Identity for Virtual Organizations] is a JISC funded project based at Newcastle University to investigate the use of next generation access management tools to support the use of collaborative tools for distributed organizations."

G-FIV-O is a well-documented investigation into federated access and group management, like this one. One very interesting accomplishment seems to be a .NET and PHP API to manage Grouper. Apart from that, the findings do not add much to the investigations done so far. See also: COManage/Grouper.

4.10.2 CUCKOO
http://www.kidderminster.ac.uk/cuckoo/

From the CUCKOO website: "The aim of the project is to research, implement and demonstrate Shibboleth Virtual Organizations (VOs) and on-line collaboration tools, building on and incorporating work already done, such as attribute release policies mapping (ShARPE) and MyVOCS. The project will research into how Shibboleth 2.0 will affect these tools and solutions. Within Virtual Organizations creating, managing, and supporting groups can be challenging. An open source toolkit such as Grouper is designed to function as the core element of a common infrastructure for managing group information across integrated applications and repositories. 
The project will research and report on these authorization and service provisioning decisions, issues such as allowing portals to personalize content and provide role information to applications."

The CUCKOO project has not released any (relevant) documents yet. Despite best intentions expressed in mails, I never received answers to the questions I mailed. See also: COManage/Grouper.

4.11 Conclusion
In this conclusion I summarize the above findings in one matrix. Please refer to the discussion above for clarification on omissions or question marks concerning certain information.

| Product/Source   | License     | Integration In                                                                              | Integration Out                                                                   | Technology          |
|------------------|-------------|---------------------------------------------------------------------------------------------|-----------------------------------------------------------------------------------|---------------------|
| COmanage/Grouper | Apache 2.0  | XML import/export; Webservices (SOAP+REST)                                                  | XML import/export; LDAP (automatic provisioning); Webservices (SOAP+REST)         | Java, e.g. Tomcat   |
| AIMSuite         | Apache 2.0  | Java API?; Shibboleth                                                                       | Java API?                                                                         | Tomcat, GridSphere  |
| UABgrid          | ?           | ?                                                                                           | ?                                                                                 | ?                   |
| myvocs           | ?           | SAML                                                                                        | SAML                                                                              | ?                   |
| SWITCH GMT       | BSD         | Web GUI; e-mail (invitation/password); PHP/Perl/Java lib API (REST-like)                    | Shibboleth XML authconf; .htaccess files                                          | PHP, flat file      |
| Imanami          | commercial  | ODBC compliant                                                                              | AD                                                                                | .NET 2.0            |
| VOMS             | ?           | SOAP                                                                                        | LDAP; SOAP                                                                        | Tomcat              |
| UVOS             | open source | Webservices?                                                                                | Webservices via SAML 2.0                                                          | Java, UNICORE?      |
| SymLABS PSS      | commercial  | ?                                                                                           | ?                                                                                 | ?                   |
| Homebrew         | open source | ?                                                                                           | ?                                                                                 | ?                   |
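As an added example (my own sketch in Python, not code from this report, from SWITCH GMT or from ESPEE) of what the homebrew option in 4.9 and the GMT-style file generation in 4.4 come down to: a self-service subscribe/unsubscribe on a group store, an LDIF change record for an OpenLDAP groupOfNames (the OpenLDAP-plus-scripts building blocks of 4.9), and a Shibboleth SP AccessControl file and an Apache .htaccess rendered from the membership (the mechanism GMT is described as using in 4.4). Everything concrete in it is assumed rather than taken from the report: users are identified by eduPersonPrincipalName under the stock Shibboleth SP attribute id eppn, groups are cn=<group>,ou=Groups and people uid=<eppn>,ou=People under dc=example,dc=org, the group name media-quota and the member names are constructed, and the .htaccess uses the Apache 2.4 plus Shibboleth SP `Require shib-attr` syntax. The point a practitioner should take from it: the generated files are interpreted by Apache, by the SP and by ldapmodify, so the self-service input is allow-listed before it reaches any of them, and an empty group renders as an explicit deny rather than as an empty rule.

```python
"""Homebrew group service sketch for sections 4.4 and 4.9.

Assumptions that are NOT from the report: users are identified by
eduPersonPrincipalName (the stock Shibboleth SP attribute id "eppn"),
a group is an OpenLDAP groupOfNames entry under ou=Groups, members live
under ou=People as uid=<eppn>, and access control is written either as
a Shibboleth SP AccessControl XML file or as an Apache 2.4 .htaccess.
"""
import re
from xml.sax.saxutils import escape

# Tight allow-lists: a self-service subscribe request must not be able to
# smuggle newlines, '<', DN separators or LDIF syntax into generated files.
EPPN_RE = re.compile(r"^[A-Za-z0-9._-]{1,64}@(?:[A-Za-z0-9-]{1,63}\.)+[A-Za-z]{2,63}$")
GROUP_RE = re.compile(r"^[a-z][a-z0-9-]{0,62}$")


def validate_eppn(eppn):
    """Return the canonical (lower-cased) eppn or raise ValueError."""
    if not EPPN_RE.fullmatch(eppn):
        raise ValueError("rejected identifier: %r" % (eppn,))
    return eppn.lower()


def validate_group(group):
    """Return the group name or raise ValueError."""
    if not GROUP_RE.fullmatch(group):
        raise ValueError("rejected group name: %r" % (group,))
    return group


class GroupStore:
    """In-memory membership (group name -> set of eppn); a flat file or an
    LDAP server would sit behind the same two self-service operations."""

    def __init__(self):
        self._groups = {}

    def subscribe(self, group, eppn):
        group, eppn = validate_group(group), validate_eppn(eppn)
        self._groups.setdefault(group, set()).add(eppn)
        return eppn

    def unsubscribe(self, group, eppn):
        group, eppn = validate_group(group), validate_eppn(eppn)
        self._groups.get(group, set()).discard(eppn)
        return eppn

    def members(self, group):
        return sorted(self._groups.get(validate_group(group), ()))


def ldif_change(group, eppn, add, base_dn="dc=example,dc=org"):
    """LDIF modify record (assumed DN layout) that a script could pipe into
    ldapmodify to keep an OpenLDAP groupOfNames in sync with a (un)subscribe."""
    group, eppn = validate_group(group), validate_eppn(eppn)
    return "\n".join([
        "dn: cn=%s,ou=Groups,%s" % (group, base_dn),
        "changetype: modify",
        "%s: member" % ("add" if add else "delete"),
        "member: uid=%s,ou=People,%s" % (eppn, base_dn),
        "-",
        "",
    ])


def shib_access_control(members):
    """Shibboleth SP AccessControl XML: one <Rule> per member, OR-ed.
    An empty group must deny rather than silently allow, so it is rendered
    as NOT(valid-user), which denies every authenticated user."""
    if not members:
        return ('<AccessControl>\n  <NOT><Rule require="valid-user"/></NOT>\n'
                '</AccessControl>\n')
    rules = "".join('    <Rule require="eppn">%s</Rule>\n' % escape(validate_eppn(m))
                    for m in members)
    return "<AccessControl>\n  <OR>\n%s  </OR>\n</AccessControl>\n" % rules


def htaccess(members):
    """Apache 2.4 + Shibboleth SP .htaccess; several Require lines are OR-ed
    by Apache's implicit RequireAny, and an empty group denies everyone."""
    lines = ["AuthType shibboleth", "ShibRequestSetting requireSession 1"]
    if members:
        lines += ["Require shib-attr eppn %s" % validate_eppn(m) for m in members]
    else:
        lines.append("Require all denied")
    return "\n".join(lines) + "\n"


if __name__ == "__main__":
    # Constructed sample input, not data from the report.
    store = GroupStore()
    store.subscribe("media-quota", "alice@example.org")
    store.subscribe("media-quota", "Bob@Example.org")
    print(ldif_change("media-quota", "alice@example.org", add=True))
    print(shib_access_control(store.members("media-quota")))
    print(htaccess(store.members("media-quota")))
```

Running the file prints the three artifacts for the constructed group; the LDIF record is what the Perl or Python script of 4.9 would hand to ldapmodify, and the two access-control renderings are what a GMT-like tool writes next to the protected location. Note that the eppn attribute id only exists if the SP's attribute map releases eduPersonPrincipalName under that name, and that an .htaccess only protects the host it lives on, exactly the limitation named in 4.4.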