Virtual Organisation Management - PowerPoint PPT Presentation

About This Presentation

Title: Virtual Organisation Management

Description: ShARPE & Autograph. What personal attributes am I willing to ... Autograph in the Shib cycle, releasing your preferred language to the AuthN Federated Search SP ... (PowerPoint PPT presentation)

Slides: 28
Provided by: erik199

Transcript and Presenter's Notes

1
Virtual Organisation Management
  • Erik Vullings, James Dalziel
  • Macquarie E-Learning Centre of Excellence
    (MELCOE)
  • Macquarie University

2
Overview
  • System Requirements
  • System Architecture & System Design
  • Demo

3
Zen and the Art of Motorcycle Maintenance
  • Car mechanics need
    • A workshop or garage with their tools
    • Locks on the workshop to secure the tools and work
    • Only necessary tools at hand
    • Some tools require special treatment, e.g. they need electricity, or are only for specialists
    • Freedom in organizing their tools
    • Sharing tools and solutions should be easy

4
VO Requirements
  • eResearchers need
    • A workspace with their tools
    • Locks on the workspace to secure the tools and work
    • Only necessary tools at hand
    • Some tools require special treatment, e.g. they need PKI certificates, or authorization
    • Potential for central authorization management
    • Freedom in organizing their tools
    • Distributed tools & distributed management
    • Easy data & service sharing

5
VO Architecture
  • eResearchers need
    • A workspace with their tools
    • Locks on the workspace to secure the tools and work
    • Tools at hand
    • Some tools require special treatment, e.g. they need PKI certificates
    • Every eResearcher has his own way to organize his tools
    • Distributed tools & distributed management
    • Potential for central authorization management
    • Data exchange between tools
  • IAM Suite (inside AHERTF)
    • GridSphere JSR168 portal
    • Protected via Shibboleth Trust Federation
    • Grouping tools in workspaces
    • Using Shibboleth to retrieve MyProxy proxy certificates (convert SAML to proxy cert)
    • Default portal functionality, configuring workspaces
    • VO has internal Shibboleth VO-AA to authN to tools
    • RBAC based on Shibboleth attributes (eduPerson entitlements)
    • DSpace, Fedora, Wiki, Plone (SRB & std. data formats)

6
Architecture View
(Diagram of the federation actors; recoverable labels:)
  • Federation: manages trust between parties. Auditing? Hosted by AARNet
  • Service Provider: provides services to internal and external users via the web. Wants to focus on core business & avoid the risks of managing users' confidential info
  • Identity Provider / Attribute Authority: manages and asserts (to trusted SPs) users' attributes securely
  • Users: have privacy concerns. Want transparent but secure SSO
7–14
Typical SAML Access Scenario
(One step per slide; the diagram on each slide shows the Service Provider and the Identity Provider.)
  • User wants to access SP
  • Shibboleth Apache filter intercepts
  • User is redirected and selects IdP (Where Are You From)
  • User is redirected to IdP and logs in
  • IdP uses Attribute Release Policy for SAML assertion
  • User is redirected to SP with SAML handle
  • SP uses SAML handle to retrieve user attributes
  • Shibboleth validates assertion and maps user to SP role
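As an added illustration of the eight steps above (example code written for this page, not part of the presentation or the MAMS software), the following Python script models the handle-based exchange: the IdP issues a random, short-lived handle bound to one SP; the SP's attribute query at the Attribute Authority consumes that handle and is filtered by the Attribute Release Policy; the SP then maps the returned eduPersonEntitlement values to a local role. The users, entity IDs, entitlement URN, password and role mapping are constructed assumptions.

```python
import secrets
import time

# Constructed sample data, not taken from the presentation: one IdP with two
# users and two registered SPs. Entity IDs and the entitlement URN are hypothetical.
IDP_USERS = {
    "erik": {
        "displayName": "Erik Vullings",
        "eduPersonAffiliation": "staff",
        "eduPersonEntitlement": ["urn:example:afs:editor"],
        "preferredLanguage": "en",
    },
    "carol": {
        "displayName": "Carol",
        "eduPersonAffiliation": "student",
        "eduPersonEntitlement": [],
        "preferredLanguage": "nl",
    },
}

# Attribute Release Policy: which attributes the IdP asserts to which SP.
ARP = {
    "https://sp-afs.example/shibboleth": [
        "eduPersonAffiliation", "eduPersonEntitlement", "preferredLanguage"],
    "https://wiki.example/shibboleth": ["eduPersonAffiliation"],
}

HANDLE_TTL = 300  # seconds an issued handle stays resolvable


class IdentityProvider:
    """Authenticates users and issues opaque, short-lived, SP-bound handles."""

    def __init__(self):
        self.handles = {}  # handle -> (user, sp, expiry)

    def login(self, user, password, sp):
        # Constructed credential check; a real IdP consults the campus directory.
        if user not in IDP_USERS or password != "correct-horse":
            raise PermissionError("bad credentials")
        handle = secrets.token_urlsafe(24)  # random: reveals nothing about the user
        self.handles[handle] = (user, sp, time.time() + HANDLE_TTL)
        return handle

    def attribute_query(self, handle, requesting_sp, now=None):
        """Attribute Authority: consume the handle, check it, then apply the SP's ARP."""
        now = time.time() if now is None else now
        entry = self.handles.pop(handle, None)  # single use, even if a check below fails
        if entry is None:
            raise PermissionError("unknown or already used handle")
        user, sp, expiry = entry
        if sp != requesting_sp:
            raise PermissionError("handle was issued for a different SP")
        if now > expiry:
            raise PermissionError("handle expired")
        allowed = ARP.get(requesting_sp, [])
        return {k: v for k, v in IDP_USERS[user].items() if k in allowed}


class ServiceProvider:
    """SP side: exchange the handle for attributes and map them to a local role."""

    # Hypothetical mapping from eduPersonEntitlement values to SP roles.
    ROLE_MAP = {"urn:example:afs:editor": "editor"}

    def __init__(self, entity_id, idp):
        self.entity_id, self.idp = entity_id, idp

    def map_role(self, attrs):
        role = "guest"
        if attrs.get("eduPersonAffiliation") in ("staff", "student"):
            role = "member"
        for entitlement in attrs.get("eduPersonEntitlement", []):
            role = self.ROLE_MAP.get(entitlement, role)
        return role


def access_scenario(user, password, sp_entity_id, idp):
    """Walk the eight slides for one user and one SP; returns (role, released attrs)."""
    sp = ServiceProvider(sp_entity_id, idp)
    # Slides 7-10: the filter intercepts, the user picks the IdP at the WAYF and logs in.
    # Slides 11-12: the ARP is fixed per SP; the user comes back with only a handle.
    handle = idp.login(user, password, sp_entity_id)
    # Slides 13-14: the SP resolves the handle at the AA and maps attributes to a role.
    attrs = sp.idp.attribute_query(handle, sp.entity_id)
    return sp.map_role(attrs), attrs


def query_outcome(idp, handle, sp, now=None):
    """Released attributes on success, otherwise the AA's refusal reason."""
    try:
        return idp.attribute_query(handle, sp, now)
    except PermissionError as exc:
        return str(exc)


if __name__ == "__main__":
    idp = IdentityProvider()
    print(access_scenario("erik", "correct-horse", "https://sp-afs.example/shibboleth", idp))
```

The checks in attribute_query are the ones that matter for a defender: an unknown, replayed, expired or wrong-audience handle is refused before any attribute leaves the Attribute Authority, and the handle itself carries no identity, so a captured one is useless once consumed.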
15
Federation Status (700,000 IDs)
16
Shibbolized Applications
Can use SRB in the background
17
(No Transcript)
18
MAMS Shibboleth Add-ons: ShARPE & Autograph
  • What personal attributes am I willing to share with others?

19
Recall this
SP uses SAML handle to retrieve user attributes
(Diagram: Service Provider and Identity Provider)
20
Attribute Release Policies
  • When I visit an SP, how do I present myself?

(Diagram of two identity "cards" for the same MQ user, captioned "Who am I?": an anonymous card, "Reference 123456, Staff at Macquarie Uni", and a named card, "Erik Vullings, Staff at Macquarie Uni".)
21
Different cards open different doors
Attributes give access to Features
22
Admin tool: ShARPE
23
ShARPE attribute mapping
24
Download via NSF's National Middleware Initiative (NMI) release
25
DEMO
  • Autograph in the Shib cycle, releasing your preferred language to the AuthN Federated Search SP
  • https://sp-afs.mams.org.au/afs/

26–27
Different cards open different doors: Services & Service Level
28
Adding Personal Attributes
Other examples: Accessibility info (colorblind, blind)
29
Autograph in the Shibboleth cycle (mockup)
  • Accept once
  • Accept always
  • Deny
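To show how Autograph's three choices compose with the IdP's own Attribute Release Policy, here is an added Python model written for this page (it is not ShARPE or Autograph code; the SP entity IDs, attributes, IdP secret and home organisation are assumed values). "Accept always" and "deny" are recorded as standing decisions, "accept once" as a session-only decision, and the class builds the "card" the SP sees: a name if the user released one, otherwise a per-SP reference number, as on the Attribute Release Policies slide.

```python
import hashlib
import hmac

ACCEPT_ONCE, ACCEPT_ALWAYS, DENY = "accept once", "accept always", "deny"

# Constructed sample data, not from the presentation. SITE_ARP is the IdP's own
# Attribute Release Policy (what it may release to each SP); Autograph lets the
# user narrow that per attribute. Entity IDs, attributes and the secret are assumed.
SITE_ARP = {
    "https://sp-afs.example/shibboleth": [
        "displayName", "eduPersonAffiliation", "preferredLanguage"],
    "https://librarian.example/shibboleth": ["displayName", "eduPersonAffiliation"],
}
USER_ATTRS = {"displayName": "Erik Vullings",
              "eduPersonAffiliation": "staff",
              "preferredLanguage": "en"}
IDP_SECRET = b"constructed-idp-secret"  # key for deriving per-SP reference numbers


class Autograph:
    """User-side consent layered on top of the IdP's Attribute Release Policy."""

    def __init__(self, user_id, attrs, site_arp, home_org="Macquarie Uni"):
        self.user_id, self.attrs, self.site_arp = user_id, attrs, site_arp
        self.home_org = home_org
        self.standing = {}  # sp -> {attr: True|False}: 'accept always' / 'deny', kept across sessions
        self.session = {}   # sp -> {attr: True}: 'accept once', cleared when the session ends

    def pending(self, sp):
        """Attributes the user still has to decide on before this SP gets an assertion."""
        decided = {**self.session.get(sp, {}), **self.standing.get(sp, {})}
        return [a for a in self.site_arp.get(sp, [])
                if a in self.attrs and a not in decided]

    def decide(self, sp, attr, decision):
        if attr not in self.site_arp.get(sp, []):
            raise ValueError(f"{attr} is not releasable to {sp} under the site ARP")
        if decision == ACCEPT_ONCE:
            self.session.setdefault(sp, {})[attr] = True
        elif decision == ACCEPT_ALWAYS:
            self.standing.setdefault(sp, {})[attr] = True
        elif decision == DENY:
            self.standing.setdefault(sp, {})[attr] = False
        else:
            raise ValueError(f"unknown decision {decision!r}")

    def release(self, sp):
        """Site ARP intersected with user consent: the attributes in the assertion."""
        out = {}
        for attr in self.site_arp.get(sp, []):
            if attr not in self.attrs:
                continue
            standing = self.standing.get(sp, {}).get(attr)
            once = self.session.get(sp, {}).get(attr, False)
            # A standing decision wins; only without one does 'accept once' count.
            if standing is True or (standing is None and once):
                out[attr] = self.attrs[attr]
        return out

    def pseudonym(self, sp):
        """Pairwise reference number: stable for one SP, unlinkable across SPs."""
        msg = f"{self.user_id}|{sp}".encode()
        return hmac.new(IDP_SECRET, msg, hashlib.sha256).hexdigest()[:6]

    def card(self, sp):
        """The 'card' the SP sees: a name if released, else only a reference number."""
        released = self.release(sp)
        who = released.get("displayName") or f"Reference {self.pseudonym(sp)}"
        affiliation = released.get("eduPersonAffiliation")
        return who + (f", {affiliation} at {self.home_org}" if affiliation else "")

    def end_session(self):
        """Logging out forgets every 'accept once'; 'accept always' and 'deny' persist."""
        self.session.clear()
```

The pseudonym is a keyed hash over user and SP, the same idea as a targeted identifier: the SP can recognise a returning user, but two SPs cannot join their records without the IdP's key.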
30
ShibJIM: Shibbolized Jabber Instant Messaging
  • http://sourceforge.net/projects/shibjim/

31
Online Librarian
  • MQ/Murdoch students can chat with a librarian (use the time-zone difference to offer longer service hours)
  • One librarian at a time
  • Public MSN account (SPIM-able)
  • No user AuthN (you could talk to anyone)
  • Requires intake questions
    • where are you from, which courses, which year, etc.

32
ShibJIM
  • First contact is the Jabber Agent, authN via
    • Shib-protected Java IM web client
    • IM client and browsing to a Shib-protected URL
  • Jabber agent receives user attributes
  • User can still be anonymous, while releasing intake attributes
  • Rules to prioritise and direct users to a librarian
  • Accommodate multiple operators
  • Allow transferring of conversations
  • Frequently asked questions, answering machine or instructions out of hours, usage statistics, multiple networks
  • Also for IT or Federation Helpdesk
  • Source: http://sourceforge.net/projects/shibjim
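An added Python sketch of the Jabber agent's routing described above (example code for this page, not from the ShibJIM project; the operators, opening hours, capacities and the prioritisation rule are constructed assumptions). Each chat arrives with a pseudonymous id and the Shibboleth-released intake attributes only; the agent prefers an on-duty librarian from the user's own institution, queues overflow by priority, supports transfer between operators and answers out of hours with instructions.

```python
import heapq
from itertools import count

# Constructed sample data (not from the ShibJIM project): two librarians with
# opening hours (24-hour clock) and chat capacity. Users never carry a name,
# only a pseudonymous chat id and the released intake attributes.
OPERATORS = {
    "mq-librarian": {"org": "MQ", "hours": range(8, 17), "max_chats": 2},
    "murdoch-librarian": {"org": "Murdoch", "hours": range(10, 19), "max_chats": 2},
}
OUT_OF_HOURS_REPLY = "No librarian is online right now; see the FAQ or leave a message."


def priority(attrs):
    """Constructed prioritisation rule: first-year students go first, then everyone else."""
    return 0 if attrs.get("year") == "1" else 1


class JabberAgent:
    """Routes incoming chats to operators using only the released intake attributes."""

    def __init__(self, operators):
        self.operators = operators
        self.active = {}   # chat id -> operator handling it
        self.queue = []    # heap of (priority, arrival order, chat id)
        self._seq = count()

    def on_duty(self, hour):
        return [name for name, op in self.operators.items() if hour in op["hours"]]

    def load(self, name):
        return sum(1 for op in self.active.values() if op == name)

    def arrive(self, chat_id, attrs, hour):
        """('connected', operator), ('queued', position) or ('offline', reply)."""
        duty = self.on_duty(hour)
        if not duty:
            return ("offline", OUT_OF_HOURS_REPLY)
        # Prefer a librarian from the user's own institution, then the least loaded.
        ranked = sorted(duty, key=lambda n: (self.operators[n]["org"] != attrs.get("org"),
                                             self.load(n)))
        for name in ranked:
            if self.load(name) < self.operators[name]["max_chats"]:
                self.active[chat_id] = name
                return ("connected", name)
        heapq.heappush(self.queue, (priority(attrs), next(self._seq), chat_id))
        return ("queued", len(self.queue))

    def finish(self, chat_id, hour):
        """An operator ends a chat; the highest-priority queued user takes the slot."""
        name = self.active.pop(chat_id)
        if self.queue and hour in self.operators[name]["hours"]:
            _, _, nxt = heapq.heappop(self.queue)
            self.active[nxt] = name
            return nxt
        return None

    def transfer(self, chat_id, to_operator):
        """Hand a conversation to another operator if that operator has capacity."""
        if self.load(to_operator) >= self.operators[to_operator]["max_chats"]:
            return False
        self.active[chat_id] = to_operator
        return True
```

Because routing keys only on released attributes (institution, year), the agent never needs the user's name, which is the point of the "anonymous but authenticated" contact the slide describes.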

33
ShibJIM Sequence Diagram
34
Flash DEMO
  • Online Librarian

35
Virtual Organisation Management
  • Identity & Access Management (IAM) Suite

36
IAM Suite: Managing VOs
  • All research projects are different, but most project infrastructures are more equal than not
  • All projects require
    • Collaboration between project members
    • Collaboration with external people
    • Dissemination of research results
    • Authentication & Authorisation (what's public, what's not)

37
IAM Suite: Managing VOs
  • Scope
    • A platform for eResearch projects and departments wishing to leverage Federated ID for accessing data, resources and generic collaboration tools over the grid, but excluding research-specific tools.
    • Setting up a VO should be similar to going to your ISP and asking for a web page, email, forum etc.: tick the box and you are ready to run

38
Possible Middleware & HE Infrastructure for Collaboration
(Layered diagram; «SP» marks a Shibboleth Service Provider. Recoverable labels:)
  • Federation level (Federation Services): WAYF, «SP» MyProxy server, IdP1@UQ, IdP2@UTS, IdPn@MQ
  • Institutions level: «SP» IR, «SP» CMS
  • Virtual Org. level (intra-institution, eResearch project): «SP» VO Portal, MyProxy client, VO-AA, SP Forum, SP Wiki, SP CMS, GTK Grid, GTK HPC, GTK Store
  • IAM Suite
39
IAM Suite
(Component diagram; recoverable labels:)
  • Federation: login via IdP, search, receive assertions
  • Federation SP: VO-WAYF, AFS adaptor, GridSphere, VO-IdP, Fedora (internal or external, e.g. IR), GroupModule, ShARPE, AuthN IM, Autograph, FedoraWeb, MyProxy (receive proxy cert.), Presence, receive assertions
  • VO-SPs / GTK: PeoplePicker, Forum, Wiki, Storage, Cluster, Calendar, AuthZ Mgr, LMS, etc., specific tools, equipment
40
(No Transcript)
41
RBAC within IAM Suite
  • New member is invited to join (by email)
  • VO-Role is set
  • Provisioning
    • Automatic based on VO-Role
    • Automatic based on VO-Group membership
    • Manually added to VO-SP-Role

42
Example of RBAC
(Diagram; recoverable labels:)
  • VO-SP AzMan for Data store, Forum and Wiki, with VO-SP roles Readers (GS-Role Guest), Editors (GS-Role Member: John Doe@MQ, Alice@ANU) and Managers (GS-Role Administrator: Bob@Monash)
  • PeoplePicker portlet: "Who are you looking for? Current selection: your buddy Carol"; "Select your buddy" within the Federation, by member/group/role
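The provisioning rules on the RBAC slide, together with the Readers/Editors/Managers to GridSphere Guest/Member/Administrator mapping in the example diagram, as an added Python model (written for this page, not taken from the IAM Suite code base; the service names, e-mail addresses, users and rules are constructed): members join through a single-use e-mailed invitation, get a VO-Role, and receive VO-SP roles automatically from VO-Role rules and VO-Group rules, or by a manual grant.

```python
import secrets

# The VO-SP roles on the slide and the GridSphere role each implies.
SP_ROLE_TO_GS = {"Readers": "Guest", "Editors": "Member", "Managers": "Administrator"}
GS_ORDER = ["Guest", "Member", "Administrator"]


class VirtualOrganisation:
    """Invite members, set a VO-Role, and provision VO-SP roles by rule or by hand."""

    def __init__(self, sps):
        self.sps = set(sps)
        self.invitations = {}  # token -> e-mail address, single use
        self.members = {}      # user -> VO-Role
        self.groups = {}       # VO-Group -> set of users
        self.role_rules = []   # (VO-Role, sp, sp_role): automatic from VO-Role
        self.group_rules = []  # (VO-Group, sp, sp_role): automatic from group membership
        self.manual = set()    # (user, sp, sp_role): manually added to VO-SP-Role

    def invite(self, email):
        token = secrets.token_urlsafe(16)  # what the e-mailed link carries
        self.invitations[token] = email
        return token

    def accept_invitation(self, token, user, vo_role):
        email = self.invitations.pop(token, None)  # consumed on first use
        if email is None:
            raise PermissionError("invalid or already used invitation")
        self.members[user] = vo_role
        return email

    def add_to_group(self, group, user):
        self._require_member(user)
        self.groups.setdefault(group, set()).add(user)

    def rule_for_role(self, vo_role, sp, sp_role):
        self._check(sp, sp_role)
        self.role_rules.append((vo_role, sp, sp_role))

    def rule_for_group(self, group, sp, sp_role):
        self._check(sp, sp_role)
        self.group_rules.append((group, sp, sp_role))

    def assign_manually(self, user, sp, sp_role):
        self._require_member(user)
        self._check(sp, sp_role)
        self.manual.add((user, sp, sp_role))

    def sp_roles(self, user):
        """Effective VO-SP roles: union of VO-Role rules, VO-Group rules and manual grants."""
        if user not in self.members:
            return {}
        out = {}
        for vo_role, sp, sp_role in self.role_rules:
            if self.members[user] == vo_role:
                out.setdefault(sp, set()).add(sp_role)
        for group, sp, sp_role in self.group_rules:
            if user in self.groups.get(group, set()):
                out.setdefault(sp, set()).add(sp_role)
        for member, sp, sp_role in self.manual:
            if member == user:
                out.setdefault(sp, set()).add(sp_role)
        return out

    def gridsphere_role(self, user, sp):
        """Highest GridSphere role implied by the user's VO-SP roles on sp, or None."""
        roles = self.sp_roles(user).get(sp, set())
        if not roles:
            return None
        return max((SP_ROLE_TO_GS[r] for r in roles), key=GS_ORDER.index)

    def _require_member(self, user):
        if user not in self.members:
            raise PermissionError(f"{user} is not a VO member")

    def _check(self, sp, sp_role):
        if sp not in self.sps or sp_role not in SP_ROLE_TO_GS:
            raise ValueError(f"unknown VO-SP {sp!r} or role {sp_role!r}")


def accept_outcome(vo, token, user, vo_role):
    """E-mail address on success, otherwise the refusal reason."""
    try:
        return vo.accept_invitation(token, user, vo_role)
    except PermissionError as exc:
        return str(exc)
```

Because sp_roles is recomputed from the rules on every call, revoking a VO-Role or removing someone from a VO-Group takes effect immediately on every VO-SP; only the manual grants need a separate clean-up, which is the usual argument for keeping them rare.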
43
VO Architecture (recap of slide 5)

44
Demo
45
Summary
  • IAM Suite
    • Leverages primary IdP for authentication & identity
    • VO-AA manages VO-specific (group, authZ) attributes
    • VO-WAYF manages trusted IdPs
    • Any Shibbolized web app can be plugged in
    • JSR168 portlets can be plugged into GridSphere
    • Shibbolized MyProxy server creates proxy certificates for access to the Grid
  • Next step: Implementation (not more research)
    • Integrating eResearch tools from across the sector (building on an open source platform)