Internet2 Progress Report Middleware Experiments

About This Presentation

Title:

Internet2 Progress Report Middleware Experiments

Description:

Middleware Experiments Renee Woodten Frost Project Manager, Internet2 Middleware Initiative I2 Middleware Liaison, University of Michigan . And an ... – PowerPoint PPT presentation

Number of Views:200

Avg rating:3.0/5.0

Slides: 56

Provided by: educ543

Category:

more less

Transcript and Presenter's Notes

Title: Internet2 Progress Report Middleware Experiments

1
Internet2 Progress ReportMiddleware Experiments

Renee Woodten Frost
Project Manager, Internet2 Middleware Initiative
I2 Middleware Liaison, University of Michigan
. And an ensemble of hundreds

2
Topics

Internet2 Overview
Middleware Overview
Directories
LDAP Recipe
EduPerson
Directory of Directories for Higher Ed
Shibboleth
PKI
Medical Middleware
New Opportunities Video, the Grid, K-12

3
Internet2 Overview

Mission
Develop and deploy advanced network applications
and technologies, accelerating the creation of
tomorrows Internet.
Goals
Enable new generation of applications
Re-create leading edge RE network capability
Transfer technology and experience to the global
production Internet

4
Core Middleware

A layer of software between the network and the
applications
Authentication - how you prove or establish that
you are that identity each time you connect
Identification - the first characteristics of who
you (person, machine, service, group) are
Directories - where the rest of an identitys
characteristics are kept
Authorization - what an identity is permitted to
do
Security - ie, PKI - emerging tools for security
services

5
Activities

Mace - RL Bob Morgan (Washington)
Early Harvest / Early Adopters - Renee Frost
(Michigan)
LDAP Recipe - Michael Gettes (Georgetown)
EduPerson - Keith Hazelton (Wisconsin)
Directory of Directories - Michael Gettes
(Georgetown)
Metadirectories - Keith Hazelton (Wisconsin)
Shibboleth - Steven Carmody (Brown)
PKI Labs - Dartmouth and Wisconsin
HEPKI-TAG and PAG - Jim Jokl (Virginia) and Ken
Klingenstein (Colorado)
HEBCA - Mark Luker (EDUCAUSE)
Medical Middleware - Rob Carter (Duke), Jack
Buchanan (UT, Memphis)
Opportunities - video, the GRID, K-12

6
MACE (Middleware Architecture Committee for
Education)

Purpose to provide advice, create experiments,
foster standards, etc. on key technical issues
for core middleware within higher ed
Membership Bob Morgan (UW) Chair
Steven Carmody (Brown)
Michael Gettes (Georgetown)
Keith Hazelton (Wisconsin)
Paul Hill (MIT)
Jim Jokl (Virginia)
Mark Poepping (CMU)
David Wasley (U California)
Von Welch (NCSA)

7
Early Harvest and Early Adopters

Early harvest in the barn
http//middleware.internet2.edu/best-practices.ht
ml
Early adopters aggressively doing deployments
http//middleware.internet2.edu/earlyadopters
Michigan Tech, U Maryland BC, Johns Hopkins, etc
http//www.colorado.edu/committees/DirectoryServi
ces/

8
LDAP Recipe

How to build and operate a directory in higher ed
1 Tsp. DIT planning 1 Tbsp Schema design 3 oz.
configuration 1000 lbs of data
Good details, such as tradeoffs/recommendations
on indexing, how and when to replicate, etc.
http//www.georgetown.edu/giia/internet2/ldap-reci
pe/

9
LDAP Recipe Contents

Directory Information TreeSchema
DesignDirectory of Directories for Higher
Education (DoDHE) expectationsSchema Design
(continued)Schema How to upgrade it?Password
ManagementBindingseduPerson attribute
discussionsAccess ControlReplicationName
PopulationLDAP filter config file for white
pagestelephoneNumber formattingCHANGELOG

10
eduPerson

A directory objectclass intended to support
inter-institutional applications
Fills gaps in traditional directory schema
For existing attributes, states good practices
where known
Specifies several new attributes and controlled
vocabulary to use as values.
Provides suggestions on how to assign values, but
it is up to the institution to choose.
Version 1.0 now done one or two revisions
anticipated

11
Issues about Upper Class Attributes

eduPerson inherits attributes from person,
iNetOrgPerson
Some of those attributes need conventions about
controlled vocabulary (e.g. telephones)
Some of those attributes need ambiguity resolved
via a consistent interpretation (e.g. email
address)
Some of the attributes need standards around
indexing and search (e.g. compound surnames)
Many of those attributes need access control and
privacy decisions (e.g jpeg photo, email address,
etc.)

12
New eduPerson Attributes

eduPersonAffiliation
eduPersonPrimaryAffiliation
eduPersonOrgDN
eduPersonOrgUnitDN
eduPersonPrincipalName
eduPersonNickname

13
eduPersonAffiliation

Multi-valued list of relationships an individual
has with institution
Controlled vocabulary includes faculty, staff,
student, alum, member, affiliate, employee
Applications that use DoD, white pages

14
eduPersonPrimaryAffiliation

Single-valued attribute that would be the status
put on a name badge at a conference
Controlled vocabulary includes faculty, staff,
student, alum, member, affiliate, employee
Applications that use DoD, white pages

15
eduPersonPrincipalName

userid_at_securitydomain
EPPN may look like an email address but it is
used by different systems.
One must be able to authenticate against the EPPN
used in inter-realm authentication such as
Shibboleth
In some situations, it can be used for access
control lists if used, a site should understand
the reassignment policy.

16
Next Steps

eduPerson 1.0 done, along with FAQ and letter to
implementers
Ties closely to LDAP recipe
Version 2.0 to include attributes for
videoconferencing, additional collaboration
factors, links to Grids, portals, etc.
Check with web site for additional changes
Participate mace-dir_at_internet2.edu

17
A Campus Directory Architecture
Border directory
Metadirectory
Enterprise directory
OS directories (MS, Novell, etc)
Departmental directories
Dir DB
Registries
Source systems
18
A Directory of Directories

An experiment to build a combined directory
search service
To show the power of coordination
Will highlight the inconsistencies between
institutions
Technical investigation of load and scaling
issues, centralized and decentralized approaches
Human interfaces issues - searching large name
spaces with limits by substring, location,
affiliation, etc...
Two different experimental regimes to be tested
centralized indexing and repository with
referrals
large-scale parallel searches with heuristics to
constrain search space
SUN donation of server and iPlanet license
(6,000,000 dns)
Michael Gettes, Georgetown, is the project manager

19
DoD Architecture

Inputs to DoDHE
Inputs Local Site View
Central Deposit Service
DoD Config Directory
Operation
Search Operations
Search Drill Down from a list

20
Inputs
Remote Site Directories
Remote Data Sources
LDAP Oracle Etc
Search
Data Filtering Submit to CDS
DoD Config
Central Deposit Systems (CDS)
21
Inputs Local Site View
Submit final LDIF to CDS using authenticated POST
via HTTPS.
Local Data Source
LDAP
Filter LDIF according to local policy. Generate
new LDIF for submission.
DODHE
Generate LDIF Data
22
Inputs Why this way?

Standardized input is LDIF
Could be XML but few products generate XML now
(01/2001)
Could use Metamerge Integrator as filter and
submission mechanism
Site always submits full dataset. No worry of
reconciling. Easier site participation in the
DoDHE service.
CDS handles reconciliation and controls data
processing. Can provide feedback.

23
Metadirectories Metamerge

www.architech.no is now Metamerge
Higher Education Contact for USA
Keith Hazelton, University of Wisconsin Madison
hazelton_at_doit.wisc.edu
This product is available free of charge to
Higher Ed in USA
Source code will be in escrow. See Keith for
further details.

24
Metamerge Features

GUI development environment
NOT a Meta-Directory, but a tool to build same
functionality
Various Languages JavaScript, Java, Perl, Rexx,
etc
Various Parsers XML, LDIF, CSV, Script
Interface, etc
for input and output
Various Connectors COMport, Files, HTTP,
HTTPserver, FTP, LDAP, JDBC, Oracle and more
The product is ALL Java

25
Shibboleth

A word which was made the criterion by which to
distinguish the Ephraimites from the Gileadites.
The Ephraimites, not being able to pronounce sh,
called the word sibboleth. See --Judges xii.
Hence, the criterion, test, or watchword of a
party a party cry or pet phrase.
- Webster's Revised Unabridged Dictionary
(1913)

26
Shibboleth

An initiative to analyze develop mechanisms
(architectures, frameworks, protocols
implementations) for inter-institutional web
access control
Facilitated by Mace (a committee of leading
higher ed IT architects) and Internet2
Authenticate locally, act globally is the
Shibboleth shibboleth
Oriented towards privacy and complements
corporate standards efforts
Open solution
http//middleware.internet2.edu/shibboleth
Vendor participation - IBM et al

27
Isnt This What PKI Does?

PKI does this and a whole lot more as a
consequence, PKI does very little right now
End-to-end PKI fits the Shibboleth model, but
other forms of authentication do as well
Uses a lightweight certificate approach for
inter-institutional communications - uses the
parts of PKI that work today (server side certs)
and avoids the parts of PKI that dont work today
(eg client certs).
Allows campuses to use other forms of
authentication locally
May actually have benefits over the end-user to
target-site direct interactions...

28
Related Work

Previous DLF work
http//www.clir.org/diglib/presentations/cnis99/s
ld001.htm
OASIS Technical Committee (vendor activity,
kicked off 1/2001)
http//www.oasis-open.org/committees/security/ind
ex.shtml
http//lists.oasis-open.org/archives/security-ser
vices/
UK - Athens and Sparta projects
http//www.jisc.ac.uk/pub00/sparta_disc.html
Spain - rediris project
http//www.rediris.es/app/papi/index.en.html

29
Assumptions

authenticate locally, act globally the
Shibboleth shibboleth
Leverage vendor and standards activity wherever
possible
Disturb as little of the existing campus
infrastructure as possible
Work with common, minimal authorization systems
(eg htaccess)
Encourage good campus behaviors
Learn through doing
Create a marketplace and reference
implementations
We will not be another dead guppy
Protect Personal Privacy!

30
Development Process

Scenarios leading to requirements
Establish model architectures for common services
and scenario-specific services
Develop service and protocol requirements
Identify service options/begin protocol
development
Produce open implementations of missing service
components provide external services as needed

31
Stage 1 - Addressing Three Scenarios

Member of campus community accessing licensed
resource
Anonymity required
Member of a course accessing remotely controlled
resource
Anonymity required
Member of a workgroup accessing controlled
resources
Controlled by unique identifiers (e.g. name)
Taken individually, each of these situations can
be solved in a variety of straightforward ways.
Taken together, they present the challenge of
meeting the user's reasonable expectations for
protection of their personal privacy.

32
Architectural Model

Local Authentication
Local Entity Willing to Create and Sign
Entitlement
Set of assertions about the user (Attribute/value
pairs)
User has control over disclosure
Identity optional
active member of community, Associated with
Course XYZ
Target responsible for Authorization
Rules engine
Matches contents of entitlements against ruleset
associated with target object
Cross Domain Trust
Previously created between origin and target
Perhaps there is a contract (information
providers..)

33
Shibboleth ArchitectureConcepts - High Level
Browser
Pass content if user is allowed
Target Web Server
Authorization Phase
Authentication Phase
First Access - Unauthenticated
Origin Site
Target Site
34
Shibboleth ArchitectureConcepts (detail)
Target Web Server
Browser
Authentication Phase
Authorization Phase
Success!
Entitlements
Attribute Server
Ent Prompt
Req Ent
Second Access - Authenticated
Auth OK
Pass entitlements for authz decision
Web Login Server
Redirect User to Local Web Login
Pass content if user is allowed
Authentication
Ask to Obtain Entitlements
First Access - Unauthenticated
Target Site
Origin Site
35
Shibboleth ArchitectureConcepts 1 (managing
trust)
Club Shib Server (holds certs and contracts)
Attribute Server
Shib htaccess plugin
Target Web Server
Browser
Origin Site
Target Site
36
Internals of the Shibboleth ModelFunctions and
Standards

There are component services that are assumed to
exist already on campuses
There are new functional services that must be
implemented
There are new protocols that must be developed
There are data and metadata definitions that must
be standardized.

37
Internals of the Shibboleth ModelServices,
standards, protocols
Institutional shib key distribution service
Identifier privacy engine
Where from service
Web access control service
Inter-realm information exchange protocols for
authentication and authorization
OASIS XML Standard
Credential Factory
Local authentication service
Web SSO service
Local Shibboleth control point
Local attribute server
38
Descriptions of services

local authentication server - assumed part of the
campus environment
web sso server - typically works with local authn
service to provide web single sign-on
resource manager proxy, resource manager - may
serve as control points for actual web page
access
attribute authority - assembles/disassembles/valid
ates signed XML objects using attribute
repository and policy tables
attribute repository - an LDAP directory, or
roles database or.
Where are you from service - one possible way to
direct external users to their own local authn
service
attribute mapper - converts user entitlements
into local authorization values
PDP - policy decision points - decide if user
attributes meet authorization requirements
SHAR - Shibboleth Attribute Requestor - used by
target to request user attributes

39
Component Relationship Model
TARGET
ORIGIN
40
Campus and Resource Requirements

To Participate in Shibboleth, a site must have
Campus-wide authentication service
Campus-wide identifier space (EPPN)
Implementation of EduPerson objectclass
Ability to generate attributes (eg active member
of the community)

41
Authorization Attributes

Typical Assertions in the Higher Ed Community
EPPNgettes_at_georgetown.edu
active member of the community
active in course X
member of group georgetown.giia
?
Signed by the institution! (optional in OASIS,
required in Shib)

42
Charge -- OASIS Security Services Technical
Committee

Standardize
an XML format for "assertions (authentication,
authorization, authorization decision, access
yes/no)
(maybe) a (stateless ?) request/response protocol
for obtaining assertions
transport bindings for this protocol to HTTP,
S/MIME, RMI, etc.
This will be accompanied by requirements/scenarios
, compliance info, security considerations, etc
Out of Scope
How authentication is done
Defining specific attributes (eg member of
community)
Establishing trust between origin and target
Note..
Inter-product, not explicitly inter-domain

43
Issues

Personal Privacy (reasonable expectation, laws)
Relation to local weblogin (Single Signon)
Portals
Use of Shibboleth framework by services beyond
the web
Grid resources and users

44
Project Status/Next Steps

Requirements and Scenarios document nearly
finished
IBM Mace-Shibboleth refining architecture
evaluating issues
IBM intends to develop an Apache web module
Internet2 intends to develop supporting materials
(documentation, installation, etc) and web tools
(for htaccess construction, filter access
control, remote resource attribute discovery).
Technical design complete - May, 2001
Coding of a prototype begins June 1
Pilot sites start-up - Aug, 2001
Public demo of the prototype by the pilots -
Internet2 Fall Member Meeting 2001

45
Shibboleth, eduPerson, and everything else
Middleware Inputs Outputs
Licensed Resources
Embedded App Security
Grids
JA-SIG uPortal
OKI
Inter-realm calendaring
futures
Shibboleth, eduPerson, Affiliated Dirs, etc.
Enterprise AuthZ
Enterprise Directory
Enterprise Authentication
Legacy Systems
Campus web sso
46
Internet2 PKI Labs

At Dartmouth and Wisconsin in computer science
departments and IT organizations
Doing the deep research - two to five years out
Policy languages, path construction, attribute
certificates, etc.
National Advisory Board of leading academic and
corporate PKI experts provides direction
Catalyzed by startup funding from ATT

47
HEPKI-TAG

Chaired by Jim Jokl, Virginia
Certificate profiles
survey of existing uses
development of standard presentation
identity cert standard recommendation
Mobility options IETF SACRED scenarios
Public domain software alternatives

48
HEPKI-PAG

David Wasley, UCOP, prime mover
Draft certificate policy for a campus
HEBCA certificate policy
FERPA
State Legislatures
Gartner Group Decision Maker software

49
Medical Middleware

Unique requirements - HIPAA, disparate
relationships, extended community, etc.
Unique demands - 7x24, visibility
PKI seen as a key tool
Mace-med recently formed to explore the issues

50
The complex challenges of academic medical
middleware

Intra-realm issues - multiple vendors,
proprietary systems, evolving regulations
Enterprise issues - security, directories,
authorization balance of institutional and
medical enterprises
Inter-realm issues - standards, gateways, common
operational processes and policies, performance
Multiple communities of interest - institutional,
medical center, affiliated hospitals, state and
federal regulatory and certification
organizations, insurance companies, medical
researchers, etc.

51
The applications view of medical upperware
52
The enterprise architect view of medical
middleware
Internet
Research Systems
Hospital Administrative Systems
Medical Administrative Systems
App dir
LAN dir
Border Directory
Peer institutions
Institutional Student Financial Personnel Systems
Enterprise directory
Corporate collaborators
PKI
Federal State Govts
Person registry
Authorization Services
Authentication Services
53
Video