APRU CIO Forum, 23 March 2007 Heather Boyles, heather@internet2

Internet2: building and using an advanced network environment for research, teaching and learning APRU CIO Forum, 23 March 2007 Heather Boyles, [email protected] Keith Hazelton, [email protected] Ann Doyle, [email protected]

Internet2: building and using an advanced network environment for research, teaching and learning

APRU CIO Forum, 23 March 2007

Heather Boyles, [email protected]
Keith Hazelton, [email protected]
Ann Doyle, [email protected]

Outline

• Internet2 Overview
  – Brief introduction: Overview of developments, services, activities of the Internet2 community
  – International R&E network connectivity overview - especially related to APRU institutions, Pacific Rim infrastructure and opportunities for collaboration

• Identity Management for Inter-institutional collaboration
  – Campus identity management developments in the Internet2 community
  – Identity management federations and their relationship to networked collaboration
  – Federation developments in the APRU community and opportunities for international cooperation

An Asset for the Community

Universities

Researchers

Regional Networks

K-12

Industry

International

Internet2 Activities

Internet2 Network

• Hybrid optical and IP network

• Dynamic and static wavelength services

• Fiber, equipment dedicated to Internet2; Level 3 maintains network and service level

• Platform supports production services and experimental projects

Internet2 Network - Layer 1

Internet2 Network Optical Switching Node

Level3 Regen Site

Internet2 Redundant Drop/Add Site

ESnet Drop/Add Site

NREN organizations and networks serving APRU institutions

Australia: AARNET
Canada: CANARIE – CA*net
Chile: REUNA
China: CERNET, CSTNet
Taiwan: TWAREN
Indonesia: ITB*
Japan: SINET, JGN2
Korea: KOREN, KREONET2
Malaysia: MYREN
Mexico: CUDI
New Zealand: REANNZ - KAREN
Philippines: PREGINET
Russia: RBnet, RUNNET
Singapore: SingAREN
Thailand: UNINET, ThaiSARN (ThaiREN)
USA: Internet2, NLR

Pacific Rim R&E Networking

• Trends in global R&E networking
  – Increasing interconnectedness
    • Number of countries connected, including lesser-developed
    • Number of connections, bandwidth
  – Regionalization
    • TEIN2 network in Southeast Asia
    • CLARA in Latin America
  – Hybrid network capabilities
    • Beyond best-efforts shared IP
    • Dedicated circuits to support major global science collaborations

Current AARNet3 Footprint

TRANSPAC2

Topology

Internet2 Activities

Internet2 Middleware Goals

• Much as at the network layer, create a ubiquitous common, persistent & robust core middleware infrastructure for the R&E community

• In support of inter-institutional & inter-realm collaborations, provide tools & services (e.g. registries, bridge PKI components, root directories) as required

Inter-institutional Collaboration is the Driver

• One institution hosting course-content for another
• Students at one college taking an on-line course from another college
• Libraries purchasing licenses for multiple vendors with specific access policies
• Researchers making resources available to project members at other schools (e.g. grid resources)
• Schools in state systems or articulation relationships that require mutual access to services

What questions are common to these scenarios?

• Are the people using these services who they claim to be?
• Are they a member of our campus community?
• Have they been given permission?
• Is their privacy being protected?

Identity Management (IdM)

• “Hi! I’m Lisa.” (Identity)
• “…and here’s my NetID / password to prove it.” (Authentication)
• “I want to do some E-Reserves reading.” (Authorization: Allowing Lisa to use the services for which she’s authorized)
• “And I want to change my grade in last semester’s Physics course.” (Authorization: Preventing her from doing things she’s not supposed to do)

Federated Approach to support inter-institutional collaboration

• Federated Identity & Access Management
  – Rely on the Identity Management infrastructure of institutions
  – To authenticate and pass authorization-related information to service providers or resource hosts
  – Via institution-to-provider agreements
  – Facilitated by common membership in a federation (like InCommon)

• Shibboleth is a way to move the authNZ info between parties

What is Shibboleth? (federating software system)

• An initiative to develop an architecture and policy framework supporting the sharing – between domains – of secured web resources and services
• A framework built on a “Federated” model
• A project delivering an open source implementation of the architecture and framework
• Deliverables: open-source, standards-based, privacy-preserving federating software
  – Software for identity providers = campuses (origins)
  – Software for resource providers (targets)
  – Operational Federations (scalable trust)

What are Federations?

• An association of organizations that come together to exchange information as appropriate about their users and resources in order to enable collaborations and transactions.

• Uses common policy, technology, and business practices to establish trust

• Access services from (or provide services to) other institutions, corporate partners, government organizations

• A contractual arrangement

Identity Federations

• Enroll locally

• Authenticate locally

• Assign attributes locally

• Act federally

Identity Federations

• Simplified usability for all collaborations

• Home organizations carefully manage the release of personal information

• On-line resource providers focus on the protection and authorization of use of their on-line resources
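
The split described on the Identity Federations slides (the home organization controls attribute release, the resource provider authorizes on attributes), as an added example that is not part of the original presentation. Provider URLs, attribute names and the policy are constructed, and the shared-key HMAC is only a stand-in for the signed SAML assertions that Shibboleth exchanges.

```python
import hashlib
import hmac
import json

# Constructed sample data: hypothetical campus, providers and directory entry.
IDP = "https://idp.campus.example"
LIBRARY_SP = "https://library.example/sp"
GRADES_SP = "https://grades.example/sp"
FEDERATION_KEYS = {IDP: b"constructed-demo-key"}  # stand-in for federation metadata
DIRECTORY = {"lisa": {"name": "Lisa Example", "mail": "lisa@campus.example",
                      "affiliation": "student@campus.example",
                      "entitlement": "urn:example:e-reserves"}}
# Per-provider attribute release policy, managed by the home organization.
RELEASE_POLICY = {LIBRARY_SP: ["affiliation", "entitlement"],
                  GRADES_SP: ["affiliation"]}

def _sign(key, body):
    return hmac.new(key, body, hashlib.sha256).hexdigest()

def issue_assertion(user, sp):
    """Home organization: release only the attributes allowed for this provider."""
    allowed = RELEASE_POLICY.get(sp, [])  # unknown provider receives no attributes
    attrs = {k: DIRECTORY[user][k] for k in allowed}
    body = json.dumps({"issuer": IDP, "audience": sp, "attrs": attrs},
                      sort_keys=True).encode()
    return {"body": body.decode(), "sig": _sign(FEDERATION_KEYS[IDP], body)}

def authorize(assertion, sp, required):
    """Resource provider: check issuer, signature and audience, then attributes."""
    body = assertion["body"].encode()
    try:
        claims = json.loads(body)
    except ValueError:
        return False
    issuer = claims.get("issuer") if isinstance(claims, dict) else None
    key = FEDERATION_KEYS.get(issuer) if isinstance(issuer, str) else None
    if key is None or not hmac.compare_digest(_sign(key, body), assertion["sig"]):
        return False  # not issued by a federation member, or altered in transit
    if claims.get("audience") != sp:
        return False  # assertion was issued for a different provider
    return all(claims["attrs"].get(k) == v for k, v in required.items())
```

The library never sees Lisa's name or e-mail address, and an assertion issued for one provider is rejected when presented to another.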

• A federation of higher education, by higher education, for higher education (in US)

InCommon Federation

• Created to support US Higher Education and its research and business partners
• Federation operator is an LLC operated by Internet2
• Builds on existing campus identity management and single sign-on systems
• Makes use of open industry standards (SAML) and open source federating software (Shibboleth)

InCommon Members 2/27/07

Case Western Reserve University
Clemson University
Cornell University
Dartmouth
Duke University
Florida State University
Georgetown University
Miami University
New York University
Ohio University
Penn State
Stanford University
Stony Brook University
SUNY Buffalo
The Ohio State University
The University of Chicago
University of Alabama at Birmingham
University of California, Irvine
University of California, Los Angeles
University of California, Merced
University of California, Office of the President
University of California, Riverside
University of California, San Diego
University of Maryland
University of Maryland Baltimore County
University of Maryland, Baltimore
University of Rochester
University of Southern California
University of Virginia
University of Washington
University of Wisconsin - Madison
Cdigix
EBSCO Publishing
Elsevier ScienceDirect
Houston Academy of Medicine - Texas Medical Center Library
Internet2
JSTOR
Napster, LLC
OCLC
OhioLink - The Ohio Library & Information Network
ProtectNetwork
Symplicity Corporation
Thomson Learning, Inc.
Turnitin
WebAssign

InCommon Uses

• Access control to content
  – Popular content – Napster, CDigix, etc
  – Scholarly content – Google, OCLC WorldCat
  – Downloads – Microsoft

• Access to external services
  – Student travel, charitable giving, web learning and testing, plagiarism testing service, etc.
  – Allure for alumni services and other internal businesses
  – Student loans, student testing, graduate school admissions, etc.

• Access to national services
  – The National Science Digital Library
  – The Teragrid pilot: building on Shibboleth and GridShib

GridShib

• “Integrating federated authorization infrastructure (Shibboleth) with Grid technology (the Globus Toolkit) to provide attribute-based authorization for distributed scientific communities”

• http://gridshib.globus.org/

GridShib - from Von Welch

• Allow the Grid to scale by leveraging existing campus identity management (IdM)
  – Consider Shibboleth as the interface to campus IdM systems
  – Get out of identity management game

• Making joining the Grid as easy as possible for users
  – No separate long-term credential for Grid access to manage
  – No new passwords, certificates, etc

• Allow campus attributes and VO attributes to be aggregated and used by the Grid for authorization
  – Allow for scalability in user base through attribute-based authorization - i.e. know groups of users instead of individual users

Research and Education Federations around the world

• Growing national federations
  – UK, France, Germany, Switzerland, Australia, Netherlands, Norway, Spain, Denmark, etc.
  – Many (most) operated by National Research and Education Network (NREN) organizations
  – Many are Shib-based; all speak Shib on the outside…

• US Federations
  – InCommon (Internet2)
  – State-based
    • Texas, UCOP, Maryland, etc.

Federation activities in APRU countries

Australia: Federation in formation
Canada: Federating activity going on
Chile
China: CERNET experimenting with Shibboleth
Taiwan
Indonesia
Japan: UPKI initiative of 7 national universities
Korea
Malaysia
Mexico
New Zealand: Pilot activity
Philippines
Russia
Singapore
Thailand
USA: InCommon Federation up and running

Ways to engage in national identity federation work

• Internet2 working groups
• TERENA (Europe) EMC2 working group
• APAN middleware working group
• TestShib
  – Open to non-US institutions
  – An opportunity to try out Shib implementation

Thanks!

• www.internet2.edu

[email protected]