TRANSCRIPT
Taking Care of Our Core Business: Managing Collaborations
Dr. Ken Klingenstein,
Senior Director,
Internet2 Middleware and Security
Presenter’s Name
Topics
• Internet identity
• The bloom of collaboration tools
• Collaboration management platforms
• Domesticated applications
• Use by virtual organizations
• Next step issues
Types of Internet identity
• Federated
  • Leveraging enterprise identity for inter-realm purposes
  • Authentication, entitlements and attributes are the common payloads
  • Privacy, security and trust are the critical issues
• P2P
  • Originally PGP, now InfoCard, OpenID, etc.
  • Need trust fabrics – may be coupled with reputation systems for trust – and privacy mechanisms
• Both are growing at exponential rates
Federated Identity
• Enterprises exchanging assertions about users
• Real time exchanges of standardized attribute/value pairs
• Often identity based but can preserve privacy through the use of attributes
• Basis for trusting the exchanged assertions via common policies, legal agreements, contracts, laws, etc.
• Federations offer a flexible and largely scalable privacy preserving identity management infrastructure
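The attribute/value exchange described above, as an added example that is not part of the talk and is not Shibboleth or COmanage code: a service provider parses a SAML 2.0 attribute statement, keeps only those scoped values whose scope the issuing IdP is trusted to vouch for, and then authorizes on released attributes (affiliation, group membership) without ever needing the user's name. The assertion XML, the trusted-scope table and the policy table are constructed for this example, and the function names are assumptions of mine.

```python
"""Attribute-based authorization over a SAML 2.0 attribute statement (added example)."""
import xml.etree.ElementTree as ET

SAML = "urn:oasis:names:tc:SAML:2.0:assertion"

# Attributes whose values carry an "@scope" suffix that the asserting IdP
# must be entitled to vouch for (the scope check Shibboleth SPs perform).
SCOPED_ATTRIBUTES = {"eduPersonScopedAffiliation", "eduPersonPrincipalName"}

# Constructed trust table (assumption): which scopes each IdP may assert.
TRUSTED_SCOPES = {"https://idp.example.edu/idp/shibboleth": {"example.edu"}}

# Constructed policy (assumption): resource -> any-of (attribute, value) rules.
POLICY = {
    "vo-wiki": [("isMemberOf", "ligo:collab:lsc")],
    "library-proxy": [("eduPersonScopedAffiliation", "member@example.edu")],
}

# Constructed assertion: only an affiliation and a group membership are
# released. The second affiliation value claims a scope this IdP may not assert.
SAMPLE_ASSERTION = """<saml:Assertion xmlns:saml="urn:oasis:names:tc:SAML:2.0:assertion"
    ID="_c0ffee" Version="2.0" IssueInstant="2008-05-01T12:00:00Z">
  <saml:Issuer>https://idp.example.edu/idp/shibboleth</saml:Issuer>
  <saml:AttributeStatement>
    <saml:Attribute Name="urn:oid:1.3.6.1.4.1.5923.1.1.1.9"
                    FriendlyName="eduPersonScopedAffiliation">
      <saml:AttributeValue>member@example.edu</saml:AttributeValue>
      <saml:AttributeValue>faculty@other.edu</saml:AttributeValue>
    </saml:Attribute>
    <saml:Attribute Name="urn:oid:1.3.6.1.4.1.5923.1.5.1.1"
                    FriendlyName="isMemberOf">
      <saml:AttributeValue>ligo:collab:lsc</saml:AttributeValue>
    </saml:Attribute>
  </saml:AttributeStatement>
</saml:Assertion>"""


def parse_attributes(xml_text):
    """Return (issuer, {attribute name: [values]}) from an attribute statement.

    Signature verification and XML hardening are assumed to have happened
    before this point; that is the SP's job before any attribute is trusted.
    """
    root = ET.fromstring(xml_text)
    issuer = (root.findtext(f"{{{SAML}}}Issuer") or "").strip()
    attrs = {}
    for attr in root.iter(f"{{{SAML}}}Attribute"):
        name = attr.get("FriendlyName") or attr.get("Name")
        values = [v.text.strip() for v in attr.findall(f"{{{SAML}}}AttributeValue")
                  if v.text and v.text.strip()]
        attrs.setdefault(name, []).extend(values)
    return issuer, attrs


def filter_scopes(issuer, attrs):
    """Drop scoped values whose scope the issuing IdP is not trusted to assert."""
    permitted = TRUSTED_SCOPES.get(issuer, set())
    kept = {}
    for name, values in attrs.items():
        if name in SCOPED_ATTRIBUTES:
            values = [v for v in values
                      if "@" in v and v.rsplit("@", 1)[1] in permitted]
        if values:
            kept[name] = values
    return kept


def authorize(attrs, resource):
    """True if any (attribute, value) rule for the resource is satisfied."""
    return any(value in attrs.get(attr, [])
               for attr, value in POLICY.get(resource, []))


def decide(xml_text, resource):
    """Full SP-side pipeline: parse, scope-filter, then decide on attributes only."""
    issuer, raw = parse_attributes(xml_text)
    return authorize(filter_scopes(issuer, raw), resource)


if __name__ == "__main__":
    issuer, raw = parse_attributes(SAMPLE_ASSERTION)
    print(issuer, filter_scopes(issuer, raw))
    for resource in POLICY:
        print(resource, "allow" if decide(SAMPLE_ASSERTION, resource) else "deny")
```

Two caveats worth noting: the scope check only protects scoped attributes, so an unscoped group value such as isMemberOf still needs a per-IdP attribute filter policy saying which IdPs may assert which group names; and `xml.etree` is used here only because the assertion is constructed and already trusted, while an SP facing real IdP traffic verifies the XML signature first and parses with a hardened parser.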
Another Internet identity - P2P Identities
• Provides tokens for interpersonal trust, but not trust (needs reputation systems, etc)
• Easy for application developers to incorporate
• Use cases include blogs and wikis, file and photo sharing, some encrypted email, etc.
• Layered space – CardSpace by MS, Higgins and Bandit, OpenID, etc.
• Rapidly growing but starting to hit the hard issues:
  • Revocation
  • Delegation and transitive trust
  • Privacy
Collaboration and Federated Identity
• Two powerful forces being leveraged
  • the rise of federated identity
  • the bloom in collaboration tools, most particularly in the Web 2.0 space but including file shares, email list processors, etc
• Collaboration management platforms provide identity services to “well-behaved” collaboration applications
• Results in user and collaboration centric identity, not tool-based identity
A Bloom of Collaboration Tools
• An over-abundance of new tools that provide rich and growing collaboration capabilities (aka Web 2.0)
• Do you
  • Wiki, blog, Moodle, Sakai, IM, chat, videoconference, audioconference, calendar, Flickr, NetMeeting, Access Grid, Dimdim, LISTSERV, WebDAV, etc
  • Share files among workgroups, access Elsevier, work with the IEEE, etc
• No uber-app – limits invention and community of users
• 3 - 4 is fine, but many per user is hard to manage
• Leads to the need to manage the collaborations and their tools
Collaboration management examples
• Wiki access control, email list, IM, etc synchronization
• Adding a graduate student hired by a VO subgroup to a set of services
  • Can manage the lists, manage access controls for the lab doors, manage the VO wiki, have course management privileges, join the VO chat room, schedule audioconferences…
• Goal is for the end user or their collabmin to manage these authorizations in an easy and sustainable way
• Providing access to scholarly material for a class
  • The content lifecycle from research to instruction, for both external content and locally generated content
Collaboration Management Platforms
Goal is to develop a “platform” for handling the identity management aspects of many different collaboration tools
• Platform includes a framework and model, specific running code that implements the model, and applications that take advantage of the model
• This space presents possibilities of improving the overall unified UI as well as UI for specific applications and components.
COmanage
• A collaboration management platform, supported in part by an NSF OCI grant, being developed by the Internet2 community, with Stanford as a lead institution
• Well-behaved applications externalize their identity management dimensions to a general identity/group/privilege/etc repository (LDAP, MySQL, etc.)
• Users manage IdM in a collaboration-centric way, not in a tool-centric way
• Uses Shibboleth, Grouper, and Signet
• Open source, open protocol
Domesticated applications
• Applications that externalize their identity management dimensions
• Domestication typically goes in stages – first identity, then group and privilege management, perhaps then provisioning
• Domestication relative to the external access protocols used (SAML, LDAP, MySQL, web services, etc.)
• Applications done or being targeted
  • Sympa, Confluence, Asterisk (open-source IP audioconferencing), Dimdim (open-source web meeting), Bedework (federated open-source calendar), Subversion, JIRA, Alfresco
• Finally domain science resources – instruments, grids
Collaboration Management Platform (CMP) and the Attribute Ecosystem (diagram)
• Home orgs & identity providers / sources of authority: University A, University B, Laboratory X
• Attribute ecosystem flows carry attributes from the sources of authority into the CMP
• CMP functions: authentication, PeoplePicker, authorization (group info), authorization (privilege info), other functions; backed by an attribute/resource info data store
• The CMP manages the collaboration tools/resources, which receive application attributes: federated wiki, file sharing, calendar, phone/video conference, email list manager, domain science grid, domain science instrument
Some general COmanage comments
• A limited number of consoles present the basic identity services; can move directly between services as a standard workflow
• Early in the development; the GUI is particularly primitive
• Underlying store is an LDAP directory; alternatives include MySQL db, RTF store, etc.
• COmanage can be deployed by a campus, a department, a VO, a VO service center; COmanage instances communicate with each other by the “attribute ecosystem” voodoo
• It is plumbed; hence it is sustainable, secure, flexible.
The major COmanage consoles
• Applications – a growing list
• Identity
  • View basic local stored data
  • Privacy management, using Shib
• My Groups – manages collaboration groups across the full variety of applications, using Grouper
• My Privileges – manages permissions that you have and that you assign to others and groups, currently using Signet
• Once set up, COmanage automatically maintains and updates the applications, reflecting group changes from source feeds, aging privileges, etc.
Relative Roles of Signet & Grouper
RBAC (role-based access control) model
• Users are placed into groups (aka “roles”)
• Privileges are assigned to groups
• Groups can be arranged into hierarchies to effectively bestow privileges
• Grouper manages, well, groups
• Signet manages privileges
• Separates responsibilities for groups & privileges
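The group/privilege model on this slide, together with the earlier "adding a graduate student hired by a VO subgroup" example and the "aging privileges" point, as an added example that is not the talk's code and not Grouper, Signet or COmanage itself: an in-memory store in which users are placed in groups, privileges (with optional expiry) are attached to groups, membership flows up a group hierarchy, a domesticated app reads its own view of the store, and a diff is computed for an app that has to have changes pushed into it. The group names, apps and dates are constructed for the example and the class and function names are my assumptions.

```python
"""Group-based privileges with hierarchy, expiry and per-app provisioning (added example)."""
from datetime import date


class CollaborationStore:
    """In-memory stand-in for the CMP's identity/group/privilege repository."""

    def __init__(self):
        self.members = {}     # group -> set of users placed directly in it
        self.parent = {}      # group -> parent group, or None for a root
        self.privileges = {}  # group -> {(app, privilege): expiry date or None}

    def add_group(self, name, parent=None):
        if parent is not None and parent not in self.parent:
            raise KeyError(f"unknown parent group {parent!r}")
        self.members.setdefault(name, set())
        self.privileges.setdefault(name, {})
        self.parent[name] = parent

    def add_member(self, group, user):
        self.members[group].add(user)

    def remove_member(self, group, user):
        self.members[group].discard(user)

    def grant(self, group, app, privilege, expires=None):
        self.privileges[group][(app, privilege)] = expires

    def groups_of(self, user):
        """Direct groups plus all ancestors: membership flows up the hierarchy,
        so a privilege granted to a parent reaches members of its subgroups."""
        found = set()
        for group, users in self.members.items():
            if user in users:
                g = group
                while g is not None and g not in found:
                    found.add(g)
                    g = self.parent[g]
        return found

    def privileges_of(self, user, today):
        """Effective (app, privilege) pairs, dropping any whose expiry has passed."""
        return {key for g in self.groups_of(user)
                for key, expires in self.privileges[g].items()
                if expires is None or expires >= today}

    def app_view(self, app, today):
        """What a domesticated app reads at request time: user -> privileges in this app."""
        view = {}
        for user in set().union(*self.members.values()):
            mine = {p for (a, p) in self.privileges_of(user, today) if a == app}
            if mine:
                view[user] = mine
        return view


def provision_diff(previous, current):
    """Adds/removes to push into an app that cannot query the store itself."""
    adds, removes = {}, {}
    for user in set(previous) | set(current):
        before, after = previous.get(user, set()), current.get(user, set())
        if after - before:
            adds[user] = after - before
        if before - after:
            removes[user] = before - after
    return adds, removes


def build_demo_store():
    """Constructed VO (assumption): a collaboration group with one lab subgroup."""
    s = CollaborationStore()
    s.add_group("ligo:lsc")
    s.add_group("ligo:lsc:lab3", parent="ligo:lsc")
    s.grant("ligo:lsc", "wiki", "edit")
    s.grant("ligo:lsc", "listserv", "subscriber")
    s.grant("ligo:lsc", "chat", "join")
    s.grant("ligo:lsc:lab3", "calendar", "schedule-audioconf")
    # Door access for the lab is time-limited: it ages out without anyone revoking it.
    s.grant("ligo:lsc:lab3", "doors", "lab3-entry", expires=date(2008, 8, 31))
    s.add_member("ligo:lsc", "pi-alice")
    return s


if __name__ == "__main__":
    store = build_demo_store()
    hired = date(2008, 6, 1)
    doors_before = store.app_view("doors", hired)
    store.add_member("ligo:lsc:lab3", "grad-bob")   # one action, many services
    print(sorted(store.privileges_of("grad-bob", hired)))
    print(provision_diff(doors_before, store.app_view("doors", hired)))
    print(provision_diff(store.app_view("doors", hired),
                         store.app_view("doors", date(2008, 9, 1))))
```

The single `add_member` call is the whole "collabmin" workflow: the wiki, list and chat privileges arrive through the parent group, the door and calendar privileges through the subgroup, and running `provision_diff` on successive `app_view` snapshots is what drives deprovisioning of the push-style apps when a membership is removed or a privilege expires.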
Two types of application enablement
• “domesticated” apps draw their entitlements, attributes and roles from the CMP directory or db or… (something external to the app)
• Other apps can have information from COmanage pushed into them
  • Static or dynamic provisioning
  • Connectors could be X.509 certs, SAML assertions, etc.
COmanage specifics
• Wiki, dev and users being set up
• Beta release in June, 1.0 in August, OpenLDAP as the data store.
• Debian VMware
• Domesticated apps in bundle where licenses permit
• Testing in several venues and VO’s
• GUI issues, modularity of components issues
COmanage next steps
• Growing the community
  • Of apps and developers
  • Of users
• Web services, APIs for tools within COmanage
• Leveraging federations
• Interactions with other CMP – Myworks, IAMSuites, G5PO, etc
How Collaboration Management Platforms (CMP) Communicate (diagram)
• Deployments shown: a campus, a virtual organization and a virtual organization service center, each running a COmanage CMP or another CMP, all within a federation
• Links between CMPs: linked identities, SAML, batch transfers, and the attribute ecosystem
Virtual Organizations
• An increasing artifact of the landscape of scientific research, largely from the costly, complex nature of the new instruments and growing data sets
• Always inter-institutional, frequently international
• Having a “mission” in teaching and a need for administration
• Tend to cluster around unique global scale facilities and instruments
• Heavily reflected in agency solicitations and peer review processes
• Being seen now in the arts and humanities
Virtual Organization Characteristics
• Distributed across space
• Distributed across time
• Dynamic management structures
• Collaboratively enabled
• Computationally enhanced
Building Effective Virtual Organizations
• A workshop run by NSF in January 2008 to give many newly minted VOs the wisdom of the ages
• Cross directorate with OCI catalytic
• A few very insightful talks
• Was intended to cover the complex social and economic issues as well as some common technical issues, but veered towards collaboration chaos…
• http://www.ci.uchicago.edu/events/VirtOrg2008/
Collaboration and Virtual Organizations
• VOs are first collaborative organizations
  • General collaboration tools – listservs, wikis, audioconferencing, videoconferencing, shared calendars, etc.
  • Academic collaboration tools – grant proposal and administration management, paper development and publication
• Many support components for such activities can also meet needs in the domain science management
Two specimen VOs
• LIGO-GEO-VIRGO (www.ligo.org)
• Ocean Observing Initiative (http://www.joiscience.org/ocean_observing)
• Interests include federated identity, COmanage, and domain science use
• Both have international characteristics
Next Steps and Issues
• Feedback from virtual organizations
• Enterprise and VO deployments
• Leverage federations
• Inter-federation peering
• Virtual organization support centers
• The attribute ecosystem
Lessons Learned
• Collaborate externally; compete internally
• Time zones are hell
• Big turf issue of the local VO sysadmin
• Many of the instruments are black-boxes
• Physical access controls matter
• Scientific accomplishments and egos