Development and deployment of integrated attribute based access - - PowerPoint PPT Presentation

SLIDE 1

Development and deployment of integrated attribute based access control for collaboration

SLIDE 2

kjk@internet2.edu

Collaborations and Virtual Organizations

  • IdM is a critical dimension of collaboration, crossing many applications and user communities
  • Virtual organizations represent critical communities of researchers sharing domain resources and applications as well as general collaboration tools. Providing a unified identity management platform for collaboration is essential in a multi-domain, multi-tool world.
  • Lots of activities in domesticating applications to work in a federated world, moving from tool-based identity to collaboration-centric identity.

SLIDE 3

Collaboration Platform

  • Integrated set of collaboration apps (wikis, listprocs, CVS, file share, calendaring, etc)
  • Integration of at least identity and access control via group memberships
  • Integration with domain science apps
  • Integration of content and meta-data is harder
  • Repackages successful approaches for a collaborative/project/VO setting
  • Federated identity, group management, directories, and security token services (aka credential convertors)

SLIDE 4

Collaboration Infrastructure (COIN)

  • Dutch National Collaboration Infrastructure
  • Domesticated tools: Adobe Connect; Alfresco; Foodle; Filesender; Confluence; WSO2 mashup server; OpenFire; Drupal; KnowledgeTree, Sympa and Limesurvey
  • Domesticated services: Google Apps; MyExperiment.org; Twitter; PubMed
  • Integration across VO, institution and third-party domains
  • Workflow
  • Grid integration

SLIDE 5

Domestication of applications

  • The work of re-factoring applications to use the emergent identity services infrastructure
  • Begins with federated identity and authentication, use of directories; gains a lot from group management for access control, etc
  • Needs a fine grain set of authorization tools down the road
  • Domesticated apps can receive IdM attributes via LDAP, SAML, X.509, SQL, Kerberos PAC, and maybe all of the above

SLIDE 6

Typical activities in collaboration management

  • Add or remove people from groups
  • Create new subgroups, identify overlapping memberships, etc.
  • Permit or deny access control to wiki pages, calendars, computing resources, version control systems, etc
  • Add people to mailing lists, wikis, etc
  • Create and delete/archive users, accounts, keys
  • Identify group membership on a given date

SLIDE 7

COManage Elements

Diagram (COmanage elements): Dashboard; Shib SP; Grouper; STS; Shib IdP; LdapPC (including provisioning); Applications; Data Store

SLIDE 8

What’s in a COmanage data store

  • Enterprise attributes: Federated Id, Enrolled classes, Display name, Citizenship, Enterprise affiliation
  • Project/VO attributes: PI groups, Wiki editing permissions, Instrument permissions, VO certificates, …

SLIDE 9

Grouper

  • A general purpose, extensible, open-source group management tool
  • In production at many institutions in the US and overseas
  • Core national infrastructure service in several countries
  • Manages groups of things – people, devices, processes
  • Has GUI, people picker, group math, inheritance, delegation, provisioning and deprovisioning, etc.
  • Stores values in LDAP directory
  • Aimed at spectrum from power user to collabmin, sysadmin and enterprise IdM.

SLIDE 10

Security Token Service

  • Converts the form of an existing credential or packs a set of attributes into a new credential
  • Presents external security information to an application or service in the lingua of the app/service
  • Conversions – SAML into X.509, SAML into Kerberos, SAML to LDAP, etc.
  • Mythical in a single comprehensive package; legion in individual instances
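As an added illustration of the "SAML to LDAP" conversion listed above (example code written for this page, not code from the presentation or from any COmanage or STS component), the following Python reads a constructed SAML 2.0 attribute statement and renders it as an LDIF entry. The assertion, the attribute-to-LDAP mapping, the base DN and the function names are all assumptions made for the example.

```python
"""Added example, not from the presentation: a toy security token service
that converts a SAML 2.0 attribute statement into an LDIF entry, the
"SAML to LDAP" conversion. Assertion, attribute map and base DN are
constructed for this example."""
import xml.etree.ElementTree as ET

SAML2 = "urn:oasis:names:tc:SAML:2.0:assertion"

# Constructed attribute statement, shaped like a Shibboleth IdP release.
# Attribute names are the standard OIDs for displayName,
# eduPersonEntitlement, mail and eduPersonPrimaryAffiliation.
SAMPLE_ASSERTION = f"""<saml:Assertion xmlns:saml="{SAML2}">
  <saml:Subject><saml:NameID>alice@univ-a.example</saml:NameID></saml:Subject>
  <saml:AttributeStatement>
    <saml:Attribute Name="urn:oid:2.16.840.1.113730.3.1.241">
      <saml:AttributeValue>Alice Example</saml:AttributeValue>
    </saml:Attribute>
    <saml:Attribute Name="urn:oid:1.3.6.1.4.1.5923.1.1.1.7">
      <saml:AttributeValue>urn:mace:example.org:vo:phys301</saml:AttributeValue>
      <saml:AttributeValue>urn:mace:example.org:vo:wiki-editors</saml:AttributeValue>
    </saml:Attribute>
    <saml:Attribute Name="urn:oid:0.9.2342.19200300.100.1.3">
      <saml:AttributeValue>alice@univ-a.example</saml:AttributeValue>
    </saml:Attribute>
    <saml:Attribute Name="urn:oid:1.3.6.1.4.1.5923.1.1.1.5">
      <saml:AttributeValue>student</saml:AttributeValue>
    </saml:Attribute>
  </saml:AttributeStatement>
</saml:Assertion>"""

# Only attributes with an explicit mapping are released to the directory;
# everything else is dropped, so the converter doubles as a release filter.
ATTRIBUTE_MAP = {
    "urn:oid:2.16.840.1.113730.3.1.241": "displayName",
    "urn:oid:1.3.6.1.4.1.5923.1.1.1.7": "eduPersonEntitlement",
    "urn:oid:0.9.2342.19200300.100.1.3": "mail",
}
BASE_DN = "ou=people,dc=vo,dc=example"  # constructed directory suffix


def parse_attributes(xml_text: str) -> tuple:
    """Return (NameID, {attribute name: [values]}) from an assertion.

    A real STS checks the assertion's XML signature, issuer, audience and
    validity window before trusting any attribute; this toy skips that."""
    ns = {"saml": SAML2}
    root = ET.fromstring(xml_text)
    name_id = root.findtext("saml:Subject/saml:NameID", namespaces=ns)
    attrs = {}
    for attribute in root.findall(".//saml:AttributeStatement/saml:Attribute", ns):
        values = [v.text.strip() for v in attribute.findall("saml:AttributeValue", ns) if v.text]
        attrs[attribute.get("Name")] = values
    return name_id, attrs


def to_ldif(name_id: str, attrs: dict) -> tuple:
    """Render mapped attributes as an LDIF entry; return (ldif, dropped names).

    Object classes are omitted because they depend on the directory schema."""
    lines = [f"dn: uid={name_id},{BASE_DN}", f"uid: {name_id}"]
    dropped = []
    for name, values in attrs.items():
        ldap_name = ATTRIBUTE_MAP.get(name)
        if ldap_name is None:
            dropped.append(name)
            continue
        lines.extend(f"{ldap_name}: {value}" for value in values)
    return "\n".join(lines), dropped


def saml_to_ldif(xml_text: str) -> tuple:
    """Full conversion: assertion text in, (ldif, dropped attribute names) out."""
    return to_ldif(*parse_attributes(xml_text))


if __name__ == "__main__":
    ldif, dropped = saml_to_ldif(SAMPLE_ASSERTION)
    print(ldif)
    print("dropped:", dropped)
```

The unmapped affiliation attribute is reported in `dropped` rather than silently passed through, which is the behaviour a collabmin wants when auditing what a converter releases to an application.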

SLIDE 11

What forms does COmanage take?

  • Usually as an assembled set of services
  • A dashboard, directory product, Shibboleth IdP and SP, Grouper, and a set of applications provisioned on other servers
  • On an enterprise level to serve its collaborations and VO’s, within a large VO, or at a federation level to serve a national community
  • Can also be a VM, a VM in the cloud, or a service with the applications in the cloud.
  • Can be embedded in a science portal or gateway

SLIDE 12

Flows of attributes - 1

Diagram (flows of attributes): boxes for Enterprise, Data Store, Project COmanage, Relying Party and Enterprise

SLIDE 13

Use cases it enables

  • A student adds a class and is immediately enabled to use the VO wiki; a student drops the class and is immediately disabled from using the VO instruments
  • A resource prohibited from use by foreign nationals is protected
  • International privacy laws are adhered to
  • Anonymous access is enabled but limited to those authorized to participate
  • Security is commensurate with the risks
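The use cases above, together with the data-store attributes of slide 8 and the "identify group membership on a given date" activity of slide 6, as an added worked example in Python written for this page (not code from the presentation, COmanage or Grouper): subjects, enterprise and project attributes, group memberships with validity windows, protected resources, policies and the salt used for pseudonymous identifiers are all constructed, and the function names are assumptions.

```python
"""Added example, not from the presentation: a minimal attribute-based
access control evaluation over a COmanage-style data store. Subjects,
attributes, groups, resources, policies and the salt are constructed."""
import hashlib
from dataclasses import dataclass
from datetime import date
from typing import Optional

# Constructed data store: enterprise attributes released by the home
# institution alongside the project/VO attributes the collaboration holds.
DATA_STORE = {
    "alice@univ-a.example": {
        "display_name": "Alice Example",
        "citizenship": "NL",
        "enterprise_affiliation": "student",
    },
    "bob@univ-b.example": {
        "display_name": "Bob Example",
        "citizenship": "US",
        "enterprise_affiliation": "faculty",
    },
}


@dataclass
class Membership:
    """A Grouper-style membership with a validity window (end=None: current)."""
    group: str
    start: date
    end: Optional[date] = None


# Constructed memberships. Alice's class membership ends when she drops the
# class, which revokes every entitlement derived from it on that date.
MEMBERSHIPS = {
    "alice@univ-a.example": [
        Membership("vo:class:phys301", date(2010, 9, 1), date(2010, 10, 15)),
    ],
    "bob@univ-b.example": [
        Membership("vo:pi", date(2009, 1, 1)),
        Membership("vo:instrument-operators", date(2009, 1, 1)),
    ],
}

# Constructed policies, one per protected resource: a subject must hold at
# least one qualifying group, and an optional citizenship list models a
# resource that may not be used by foreign nationals.
POLICIES = {
    "vo-wiki": {"any_group": {"vo:class:phys301", "vo:pi"}},
    "vo-instrument": {
        "any_group": {"vo:class:phys301", "vo:instrument-operators"},
        "citizenship_in": {"NL", "DE"},
    },
}

PSEUDONYM_SALT = b"example-deployment-salt"  # constructed per-deployment secret


def groups_on(subject: str, when: date) -> set:
    """Effective group memberships of a subject on a given date."""
    return {
        m.group
        for m in MEMBERSHIPS.get(subject, [])
        if m.start <= when and (m.end is None or when < m.end)
    }


def decide(subject: str, resource: str, when: date) -> tuple:
    """Return (decision, reason) for subject accessing resource on a date."""
    attrs = DATA_STORE.get(subject)
    policy = POLICIES.get(resource)
    if attrs is None or policy is None:
        return ("deny", "unknown subject or resource")
    held = groups_on(subject, when) & policy["any_group"]
    if not held:
        return ("deny", "no qualifying group membership")
    allowed = policy.get("citizenship_in")
    if allowed is not None and attrs["citizenship"] not in allowed:
        return ("deny", "citizenship restriction")
    return ("permit", "via " + ", ".join(sorted(held)))


def release(subject: str, resource: str, when: date) -> Optional[dict]:
    """Attributes handed to the relying party after a permit decision.

    Only a resource-scoped pseudonymous id and the qualifying groups are
    released; display name and citizenship stay in the data store, so an
    authorized user works anonymously and one relying party cannot
    correlate the same person with another resource."""
    decision, _ = decide(subject, resource, when)
    if decision != "permit":
        return None
    digest = hashlib.sha256(PSEUDONYM_SALT + subject.encode() + b"|" + resource.encode())
    return {
        "pseudonymous_id": digest.hexdigest()[:16],
        "groups": sorted(groups_on(subject, when) & POLICIES[resource]["any_group"]),
    }


if __name__ == "__main__":
    for day in (date(2010, 9, 15), date(2010, 10, 20)):
        for who in DATA_STORE:
            for res in POLICIES:
                print(day, who, res, decide(who, res, day))
```

Because every decision is evaluated against memberships as of a date rather than against a provisioned flag, the add-class/drop-class case needs no separate deprovisioning step: the same query that answers "who was in the group on this date" also drives the access decision.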