Title: Middleware Planning and Deployment 101: Setting the Stage
Middleware Planning and Deployment 101
Setting the Stage
- Keith Hazelton, University of Wisconsin-Madison/Internet2
- Renee Woodten Frost, Internet2/University of Michigan
Agenda
- Introductions
- Middleware What and Why?
- Concepts and Architectures
- Discussion
- Break
- Building a Business Case
- Discussion
- Research and Resources
MW 101 Outcomes
- Understand what middleware is
- Recognize the value of a common middleware architecture
- Begin planning for your own business case
- Dr. Alice Agnew has just been hired to chair the Dept. of Physiology and is very anxious to get access to campus IT resources such as e-mail, calendar, web services and the mainframe, and cannot wait the requisite 3-5 business days it takes to get the accounts set up. Since IT already knows of her through the HR system, she can use a self-service interface to accomplish this goal. And because her new institution has her new credentials, she does not need to give her research consortium new credentials.
Dr. Alice Agnew
- Self-registration
- Minimal time delay for enabling services
- Administrative data flows to research applications
- Administrative and security services integration
- Privacy trust
- Inter-organizational impact
- University vouches for and acts on behalf of Alice
- Mary has been reported to the Dean of Students for plagiarism. Through the campus portal, the Dean, with authorization, accesses the Student Information System, where he searches for Mary's record. He places an electronic hold on it and sends an e-mail to Mary requesting her presence at a preliminary discipline hearing. Minutes later, Mary cannot check out library books, enter restricted labs, use the student health facilities, or access her computer files. After reviewing Mary's case, the Dean finds the accusation in error and removes the hold, restoring Mary's access within minutes.
Mary
- Decision maker performs action
- Integration of services
- Increased security
- Status change affects service offerings
- Short time to disable and enable services
- Suite of services
- Sam is taking a class in genetics at Alpha U and needs to do some research for a paper. At lunch, he goes online to access a restricted EBSCO database AU shares with Beta U. A window pops up in the browser asking if it's okay for AU to give EBSCO information about his status: only students from subscribing institutions can access the database. He clicks OK, knowing that only his status is passed, not his name or contact information. The browser then loads the restricted website.
Sam
- Privacy trust
- Sam controls personal information flow
- Administrative and security services integration
- Inter-campus access
- University vouches for and acts on behalf of Sam
What is IT being asked to do?
- One stop for university services (portal) integrated with course management systems
- Email-for-life
- Automatic creation and deletion of computer accounts
- Submission and/or maintenance of information online
- Privacy protection
More on the to-do list
- Multi-campus scanning electron microscopes
- Integrated voicemail, email, and faxmail for Advancement staff
- Secure PDA and wireless support
- All-campus email announcements (spam)
- Expensive library databases shared with other schools by joint agreement
- Browser or desktop preferences follow you
What questions are common to these scenarios?
- Are the people using these services who they claim to be?
- Are they a member of our campus community?
- Have they been given permission?
- Is their privacy being protected?
- What is the answer?
Enterprise Middleware Definitions
Middleware
- Specialized networked services that are shared by applications and users
- A set of core software components that permit scaling of applications and networks
- Tools that take complexity out of application integration
- A second layer of the IT infrastructure, sitting above the network
- A land where technology meets policy
- The intersection of what network designers and application developers each do not want to do
Map of Middleware Land
What is middleware?
- Suite of campus-wide security, access, and information services
- Integrates data sources and manages information about people and their contact locations
- Establishes electronic identity of users
- Uses administrative data to assign affiliation and gives permission to use services based on that role
Definitions: Identifiers
- Identifiers: your electronic identification
- Multiple names and corresponding information in multiple places
- Single unique identifier for each authorized user
- Names and information in other systems can be cross-linked to it
- Admin systems, library systems, building systems
Definitions: Authentication
- Authentication maps the physical you to an electronic identifier
- Password authentication most common
- Security need should drive authentication method
- Distance learning and inter-campus applications
Definitions: Authorization
- Authorization: services allowing you access to data and services
- Affiliated with the school (role)
- Permitted to use the services based on that role
Definitions: Enterprise Directory Services
- Enterprise Directory services: where your electronic identifiers are reconciled and basic characteristics are kept
- Very quick lookup function
- Machine address, voice mail box, email box location, address, campus identifiers
Underlying Concepts: Architecture
What IT needs to do
- Determine who you are
- Determine what resources you can use
What IT needs to do
- Possible ways it might do that
- Ask you to log in and look up info in its own database.
- Ask you to log in and look up info in a common database.
- Trust some other source to assert needed info (and the other source might ask you to log in).
- Examples
- Videoconference: current network address
- Video for course: enrolled in the course
- Email or calendar: University username
- Library resource: current member of the set of licensees
Pause for some terminology
- Identity: set of attributes.
- Attributes: specific information stored about you.
- Authentication: process used to prove your identity. Often a login process.
- Authorization: process of determining if policy permits an intended action to proceed.
- Customization: presentation of user interface (UI) tailored to the user's identity.
Three service architectures: 1 Stovepipe (or Silo)
- Service performs its own authentication. Consults own database for authorization and customization attributes.
[Diagram: a single service with its own authN and attrs store]
1 Stovepipe (or Silo) Architecture Characteristics
- Stovepipes' authentication and attribute services are run by separate offices.
- Environment is more challenging to users, who may need to contact each office to arrange for service.
- No automated life cycle management of resources.
- Per-service identifiers and security practices make it more difficult to achieve a given level of security across the enterprise.
Three service architectures: 2 Integrated
- Service refers authentication to and obtains attributes for authorization and customization from enterprise infrastructure services.
[Diagram: within An Organization, an authentication service and an attribute service shared by service1 and service2]
2 Integrated Architecture Characteristics
- Enterprise authentication and attribute services are run by a central office.
- All attributes known by the organization about a member can be integrated and made available to services.
- Automated life cycle resource management is possible across the enterprise.
- Common identifiers across integrated services make an easier and more secure user environment.
Three service architectures: 3 Federated
- Service refers authentication to and obtains attributes for authorization and customization from possibly external infrastructure services.
[Diagram: authentication service, service and attribute service spanning Organization 1 and Organization 2]
3 Federated Architecture Characteristics
- Federated authentication and attribute services rely on participating organizations' enterprise services.
- Inter-organizational applications such as Grids and digital-library content provision are integrated with and facilitated by enterprise services.
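As an added example (not from the slides), a small Python model of the integrated and federated architectures above: one central attribute service, a per-service attribute release policy, and relying services that decide only on what is released to them. It replays Mary's hold (one status change seen by every campus service) and Sam's external database (the partner receives affiliation, never name). The identifier, service names and sample attributes are hypothetical, constructed for the example.

```python
from dataclasses import dataclass

@dataclass
class Person:
    identifier: str      # the single unique enterprise identifier
    attributes: dict     # what the organization knows: name, affiliation, hold, ...

class AttributeService:
    """Central attribute service with a per-service attribute release policy."""
    def __init__(self):
        self.people = {}          # identifier -> Person
        self.release_policy = {}  # service name -> attributes it may receive

    def register(self, person):
        self.people[person.identifier] = person

    def allow(self, service, *attrs):
        self.release_policy[service] = set(attrs)

    def set_hold(self, identifier, hold):
        # One change at the authoritative source (Mary's hold) is seen by every
        # consuming service on its next lookup; nothing is reconfigured per service.
        self.people[identifier].attributes["hold"] = hold

    def assert_attributes(self, identifier, service):
        """Release only what policy allows for this service (Sam's case: an
        external content provider gets affiliation, never name or contact data)."""
        allowed = self.release_policy.get(service, set())
        attrs = self.people[identifier].attributes
        return {k: v for k, v in attrs.items() if k in allowed}

def authorize(attribute_service, identifier, service, required_affiliation):
    """A relying service decides only on the attributes released to it."""
    attrs = attribute_service.assert_attributes(identifier, service)
    if attrs.get("hold"):
        return False
    return attrs.get("affiliation") == required_affiliation

CAMPUS_SERVICES = ("mailbox", "library", "building")   # hypothetical integrated services

def demo():
    svc = AttributeService()
    # Constructed sample identity; identifier and attribute values are made up.
    svc.register(Person("au-4711", {"name": "Sam", "affiliation": "student", "hold": False}))
    for campus_service in CAMPUS_SERVICES:
        svc.allow(campus_service, "affiliation", "hold")   # integrated: full picture
    svc.allow("ebsco", "affiliation")                      # federated partner: status only
    before = [authorize(svc, "au-4711", s, "student") for s in CAMPUS_SERVICES]
    released = svc.assert_attributes("au-4711", "ebsco")   # what the partner sees
    svc.set_hold("au-4711", True)                          # the Dean places the hold
    after = [authorize(svc, "au-4711", s, "student") for s in CAMPUS_SERVICES]
    return before, released, after

if __name__ == "__main__":
    print(demo())  # ([True, True, True], {'affiliation': 'student'}, [False, False, False])
```

A service with no entry in the release policy receives nothing and therefore authorizes nothing, which is the safe default for a newly added relying party.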
Middleware Initiative Objective
- Help prepare campuses to implement core middleware for an integrated and ultimately a federated architecture.
[Diagram: within An Organization, an authentication service and an attribute service shared by service1 and service2]
Core middleware for an integrated architecture
Vignette analysis
- Set of vignettes portray
- Seamlessness of transitions between services
- Independence of location of service or user
- Suites of services designed to support activities of different constituencies
- Absence of need to make prior arrangement for resources required to enable services
- Services rendered remotely, e.g. in airport waiting areas
- Provisioning Vignette: Dr. Alice Agnew begins as department chair <to model>
[Diagram: authN, Metadirectory, HRS, attrs, Acct Init Service]
- Integrated Services Vignette: Mary accused of plagiarism <to model>
[Diagram: authN and attrs feeding Mailbox, Lib Proxy, Files, Building access, Health Facilities]
- Federated/Restricted Resources Vignette: Sam using remote, online database <to architectures>
[Diagram: Database1 and Database 2 at a Content Provider, reached through a Federation by two universities (? University, ? University)]
Building the Business Case
Business Case Components
- By definition, middleware cannot be effective unless it maps closely to an institution's business policies and practices. In this context, a strong business case will:
- Outline the Institution-specific Drivers
- Articulate the Opportunities and Challenges
- Define the Benefits
- Enumerate the Costs
Groups to Consider
- Business case audience
- Select stakeholders and possible champions
- Stakeholders
- Executive Leadership
- Business and Finance VPs
- HR Directors and Registrars
- CIOs
- IT staff
- Program Directors and Data Stewards
- Auditors and Risk Managers
- Faculty
- Staff
- Students
Institution-specific Drivers
- Internal Drivers
- Specific application(s)
- Financial
- User expectations
- External Drivers
- Federal/state legislation
- E-enterprise functions
- Inter-institutional collaboration
Opportunities
- Legislative pressure to reduce paperwork, secure information, and deploy electronic services (grants, financial aid, HIPAA, etc.)
- Interdisciplinary and inter-institutional research and collaboration
- Changing needs of teaching and learning
- User expectations of access to technology
- Budgetary pressures
Benefits to the Institution
- Economies for central IT: reduced account management, tighter network security
- Economies for distributed IT: reduced administration, access to better information, easier integration of departmental applications...
- Improved services for students and faculty: access to scholarly information, control of personal data, reduced legal exposures...
- Participation in future shared environments: Grids, videoconferencing, digital libraries, etc.
- Participation in new collaborative initiatives: Shibboleth, inter-institutional resource sharing
Benefits, Specifically
- Achieves Economies for Central and Distributed IT organizations
- Access to primary user identity sources such as HR, Payroll, SIS, and secondary sources such as library, parking, alumni assoc., etc. can be more effectively managed by fewer people, saving time and money
- Access to any one of these services can be enabled or disabled more readily
- Access to a range of services can be accomplished more quickly and in a more coordinated manner
- Deployment time for new applications is reduced
Benefits, Specifically
- Enhanced Security
- A secure enterprise directory can
- Be used to manage access to multiple apps/services (web, remote access, etc.) for the entire institutional community
- Facilitate differential access to wireless ports, restricted content, restricted listservs, etc.
- Allow identity management to be administered by fewer staff
- Simplified Network and on-line service access
- A common middleware infrastructure can enable single sign-on access to a larger range of customized and personalized services
Challenges
- Investing the time and effort for planning, review and negotiation
- Surviving the politics of reviewing/revising data stewardship policies and procedures
- Resource reallocation: People and !
- Covering up-front costs
- Finding to build/maintain data feeds from authoritative data sources to central directory
- Potential legal risk WRT publishing personal data in white pages
Expected Costs to the Institution
- Modest increases in capital equipment and staffing requirements for central IT
- Considerable time and effort to conduct campus-wide planning and vetting processes
- One-time costs to retrofit some applications to new central infrastructure
- One-time costs to build feeds from legacy source systems to central directory services
- The political wounds from the reduction of duchies in data and policies
Enterprise Directory Costs
- Phase 1: Building the Enterprise Directory
- Hire new staff vs. repurpose current staff
- New equipment/software vs. use of existing resources
- Phase 2: Deploying Applications
- Application dependent, but ROI is high considering
- Cost Savings
- Lost Productivity
- Increased Opportunity
- Increased Security
- Where are you in your business case process?
Research and Resources
Research Community
- Expert, diverse leadership and collaborators
- Broad participation and review
- MACE and related working groups
- NSF catalytic grants
- Early Adopters
- Higher Education Partners
- campuses, CNI, CREN, GRIDS, NACUBO, NACUA
- Government Partners
- NSF, NIH, NIST, fPKI TWG
- Corporate Partners
- Liberty Alliance, IBM, Sun, WebCt, Radvision,
- International communities
- Standards bodies
- IETF, ITU, OASIS
NSF Middleware Initiative
- NSF award for middleware integrators to
- GRIDS Center
- Globus (NCSA, UCSD, University of Chicago, USC/ISI, and University of Wisconsin)
- NMI-EDIT Consortium
- Internet2, EDUCAUSE, and SURA
- Separate awards to academic pure research components
- Build on the successes of the Globus project and Internet2/MACE initiative
- Multi-year effort
- A practical (deployment) activity that necessitates some research
- Releases occur every six months, roughly May and October
Research: Working Groups/Projects
- Directories
- Group Utilities
- Directory Management Utilities
- Practice Papers and Implementation Roadmap
- Directory Schema
- Shibboleth: Inter-institution web access
- PKI: HEPKI-TAG, PAG, S/MIME, PKI Labs
- Middleware for Video: VC, Video on Demand
- Medical Middleware
Enterprise Middleware Resources Available
- NMI-EDIT Release Components
- Software
- Directory Object Classes
- Conventions and Practices
- Recommended Practices
- White Papers
- Policies
- Services
Enterprise Middleware: Educational Opportunities
- Workshops
- Pre-conference Seminars at EDUCAUSE Regional Meetings (like this one)
- Campus Architectural Middleware Planning Workshops
- CAMP June 4-6, 2003
- Management and Technical staff
- Campuses beginning implementations
- Advanced CAMP July 9-11, 2003
- Highly technical
- Research topics
- Campuses with mature directory and authentication
infrastructures
On-line Resources Available
- Introductory Documents
- Sample Middleware Business Case and corresponding Writer's Guide
- Identifiers, Authentication, and Directories: Best Practices for Higher Education
- Identifier Mapping Template and Campus Examples
- See resource list
Websites and Discussion Lists
- Websites
- http://middleware.internet2.edu
- http://www.nmi-edit.org
- Look for the Enterprise Implementation Directory Roadmap: Coming in April!
- Middleware information and discussion lists
- mw-announce@internet2.edu
- mw-discuss@internet2.edu
- NMI lists (see websites)
- EDUCAUSE Constituency Group on Middleware: Coming Soon!
Contacts
- Keith Hazelton
- University of Wisconsin-Madison/Internet2
- hazelton@doit.wisc.edu
- Renee Woodten Frost
- Internet2/University of Michigan
- rwfrost@internet2.edu