The Collaboration Game - Niels van Dijk, Technical Product Manager - PowerPoint PPT Presentation

SLIDE 1

The Collaboration Game

Niels van Dijk, Technical Product Manager SURFnet

SLIDE 2

Topics

  • Identity federations 2010
  • The Collaboration Game
  • A distributed landscape
  • Enter Domestication
  • The future of Domestication
SLIDE 3

Identity federations 101

Source: David Simonsen, WAYF

SLIDE 4

Identity federations

Source: David Simonsen, WAYF

SLIDE 5

Identity federations

Source: David Simonsen, WAYF

SLIDE 6

Identity federations

Source: David Simonsen, WAYF

SLIDE 7

Federations 2010

By now Identity Federations in edu have become mature:

  • 27 federations (EU, US, Asia)
  • Interfederation (Kalmar, eduGAIN, REFEDs)
  • Interdomain (US, Denmark)
  • SAML 2 (Shibboleth, SimpleSAMLphp)
  • Vendor supported (Microsoft, Google, Cisco, Atlassian) and many OpenSource products

SLIDE 8

Stuff federations provide

Or they will, shortly ;)

  • Is that your “staff” attribute?
  • Level of assurance (LOA)
  • Get interfederation working!
  • WAYF
  • Getting the GUI sorted out

Core building block for trusted relations

SLIDE 9

Mature?

Source: http://xkcd.com/806/

SLIDE 10

The Collaboration game

Modern universities are developing towards loose conglomerates of (inter)disciplinary expertise → collaboration is therefore core business

  • Collaboration involves people in multiple institutions in multiple countries
  • Collaboration is about using shared resources
  • People + resources = Virtual Organization

SLIDE 11

Collab usecases - 1

“Student Thesis”

  • Group of students
  • University staff
  • Employee at Commercial Company

Tools

  • Generic collaboration tools

Example

  • Every university campus
SLIDE 12

Collab usecases - 2

Sharing 'data'

  • Groups of (inter)disciplinary scientists in several countries
  • Staff at multiple universities
  • Employees at multiple commercial companies

Tools

  • (Webbased) generic collaboration tools
  • (Webbased) shared data resources

Examples

  • Lifewatch, Clarin, Knowledge Exchange, Terena
SLIDE 13

Collab usecases - 3

Sharing (expensive) eScience infrastructures

  • VERY Large groups of international scientists
  • Staff at multiple universities

Tools

  • generic collaboration tools
  • Shared infrastructure & data resources

Examples

  • LHC, LIGO, LOFAR, eVLBI
SLIDE 14

LOFAR: distributed low frequency array

  • A distributed multibeam array for radioastronomy
  • Large number of very simple antennas, with very high bandwidth connections

SLIDE 15

E-VLBI: a global radiotelescope

SLIDE 16

LHC Computing Grid and LHCOPN

SLIDE 17

A distributed landscape

Modern science combines eScience resources from multiple sources with generic collaboration

  • The core resources are within the R&E domain
  • Some activities already moving off campus (MyExperiment, Mendeley)
  • Collaboration is already in 'the cloud' → Twitter, Facebook, Linkedin, Wikis, Blogs

SLIDE 18

(C) 2009 SURFnet B.V.

SLIDE 19

SLIDE 20

COIN vision

SLIDE 21

Dealing with a distributed landscape

NRENs can play a vital role as trusted third parties:

  • Provide collaboration services → SURFgroepen
  • Provide 'putty' → the COIN Project

What is our putty made of?

  • Trust framework
  • Attributes
  • Externalized Groups
  • Roles and Rights
  • Coherence

SLIDE 22

Applying putty

  • Trust framework → Identity Federations
  • Attributes → Identity Federations + aggregation
  • Groups → Group management tools
  • Roles and Rights → ?
  • Coherence → VO Platforms

Domestication is the process of applying putty to applications and services

SLIDE 23

Domestication

  • Domestication can be described as the process of externalizing authentication, authorization and group management from services
  • Domestication fits nicely in the Service Oriented Architecture paradigm, where a platform is created for reusable services and service components
  • It becomes easier to share (generic) information among services and to replace similar services
  • It is only useful in multi-domain collaboration or enterprise environments, hence (delegation of) trust is a point of concern

SLIDE 24

Domestication (2)

  • Domesticated applications enable single sign-on features for users, as well as the ability to share group context between multiple applications
  • Main Candidates
    • Identity and access control
    • Group management
    • Events like presence and activities
    • Perhaps Monitoring and Reporting and messaging?

SLIDE 25

End User Perspective

  • Pro
    • Single Sign On
    • One password (and identity) for multiple services
  • Cons
    • WAYF – where are you from
    • Service might ask again and again for your profile information etc.

SLIDE 26

Organizational Perspective

  • Pros
    • In control – one set of credentials for all services
    • Happy and secure users
  • Cons
    • None?
  • Prerequisites
    • Get your Identity Management on track
    • Get organized – convince service providers to become domesticated

SLIDE 27

Service Provider Perspective

  • Pros
    • Validated and up-to-date (user) information
    • Focus on core business
    • Reduction of administrative overhead – no more “I lost my password”
    • Economy of scale (after initial investment) – adding new organizations is easy
  • Cons
    • Most services already provide a solution for the generic functionality (needs to be combined with legacy generic functionality)
    • Invest in APIs in an unknown technology territory

SLIDE 28

NREN Strategy

  • Create economy of scale to create a valid business case for Service Providers
  • Do it yourself (maintainable?!)
  • Need for standardized interfaces, APIs and availability of libraries
  • Need to deal with trust

SLIDE 29

Doing it yourself

SLIDE 30

Doing it yourself -2

SLIDE 31

External systems - AuthN

Authentication → SAML

  • Use an already SAML enabled application
  • Modify an application to handle SAML based authentication (Shibboleth, SimpleSAMLphp, OIOsaml, etc)
  • Use a 'proxy' if the application has an API

SLIDE 32

External systems - Attributes

Getting Attributes

  • SAML assertion → often a SAML assertion contains attributes, which are mostly standardized (eduPerson, SCHAC)
  • SAML Attribute Query → not widely implemented
  • Attribute Query via other means, e.g. LDAP, Webservice API
  • Let user fill in missing attributes

SLIDE 33

External systems - Groups

Getting Groups – Nothing here yet....

  • SAML assertion → only at login, cumbersome at IdP
  • SAML Attribute Query → not widely implemented
  • Attribute Query → LDAP, SPML, Webservice API

What if an application needs group membership before login?

SLIDE 34

External systems - Roles

Getting Roles – Again, nothing here yet....

  • SAML assertion → only at login, cumbersome at IdP
  • SAML Attribute Query → not widely implemented
  • Attribute Query → LDAP, SPML, Webservice API

(Ab)using groups as roles? What if an application needs to set roles before login?
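Slides 32 to 34 describe the same source for attributes, groups and roles: the SAML assertion handed over at login. The following is an added example, not code from the talk or from SURFnet, showing what a domesticated application does with that assertion: check the Conditions element (validity window and Audience, so an assertion minted for another SP is rejected), pull the eduPerson/SCHAC attributes out of the AttributeStatement, and derive application roles from isMemberOf and eduPersonAffiliation, which is the "groups as roles" workaround the slides mention. The assertion is a constructed, unsigned sample; the IdP, SP and group identifiers and the GROUP_ROLES/AFFILIATION_ROLES mapping are assumptions. Signature verification is deliberately out of scope here and must be done by a SAML library before anything below is trusted.

```python
import datetime as dt
import xml.etree.ElementTree as ET

SAML_NS = {"saml": "urn:oasis:names:tc:SAML:2.0:assertion"}

# Constructed sample assertion (unsigned, made up for this example).
# Attribute names are the standard eduPerson/SCHAC OIDs; the IdP, SP and
# group identifiers are placeholders.
SAMPLE_ASSERTION = """<saml:Assertion xmlns:saml="urn:oasis:names:tc:SAML:2.0:assertion"
    ID="_a1" Version="2.0" IssueInstant="2010-06-01T12:00:00Z">
  <saml:Issuer>https://idp.example.edu/idp</saml:Issuer>
  <saml:Subject>
    <saml:NameID Format="urn:oasis:names:tc:SAML:2.0:nameid-format:transient">_x1</saml:NameID>
  </saml:Subject>
  <saml:Conditions NotBefore="2010-06-01T11:59:00Z" NotOnOrAfter="2010-06-01T12:05:00Z">
    <saml:AudienceRestriction>
      <saml:Audience>https://wiki.example.org/sp</saml:Audience>
    </saml:AudienceRestriction>
  </saml:Conditions>
  <saml:AttributeStatement>
    <saml:Attribute Name="urn:oid:1.3.6.1.4.1.5923.1.1.1.1" FriendlyName="eduPersonAffiliation">
      <saml:AttributeValue>staff</saml:AttributeValue>
      <saml:AttributeValue>member</saml:AttributeValue>
    </saml:Attribute>
    <saml:Attribute Name="urn:oid:1.3.6.1.4.1.5923.1.5.1.1" FriendlyName="isMemberOf">
      <saml:AttributeValue>urn:mace:example.edu:group:thesis-2010</saml:AttributeValue>
    </saml:Attribute>
    <saml:Attribute Name="urn:oid:1.3.6.1.4.1.25178.1.2.9" FriendlyName="schacHomeOrganization">
      <saml:AttributeValue>example.edu</saml:AttributeValue>
    </saml:Attribute>
  </saml:AttributeStatement>
</saml:Assertion>"""

# Assumed local policy: which federated groups/affiliations map to which
# application roles ("(ab)using groups as roles").
GROUP_ROLES = {"urn:mace:example.edu:group:thesis-2010": "thesis-editor"}
AFFILIATION_ROLES = {"staff": "reviewer"}


def _parse_ts(value):
    """Parse the UTC timestamp form SAML uses (YYYY-MM-DDTHH:MM:SSZ)."""
    return dt.datetime.strptime(value, "%Y-%m-%dT%H:%M:%SZ").replace(tzinfo=dt.timezone.utc)


def conditions_hold(root, expected_audience, now):
    """True only if 'now' is inside the validity window and this SP is a
    listed Audience. A genuine assertion issued for another SP is rejected."""
    cond = root.find("saml:Conditions", SAML_NS)
    if cond is None:
        return False
    not_before = cond.get("NotBefore")
    not_on_or_after = cond.get("NotOnOrAfter")
    if not_before and now < _parse_ts(not_before):
        return False
    if not_on_or_after and now >= _parse_ts(not_on_or_after):
        return False
    audiences = [a.text for a in cond.iterfind(".//saml:Audience", SAML_NS)]
    return expected_audience in audiences


def extract_attributes(root):
    """Collect the AttributeStatement as {friendly name or OID: [values]}."""
    attrs = {}
    for attr in root.iterfind(".//saml:AttributeStatement/saml:Attribute", SAML_NS):
        name = attr.get("FriendlyName") or attr.get("Name")
        attrs[name] = [v.text for v in attr.findall("saml:AttributeValue", SAML_NS)]
    return attrs


def roles_for(attrs):
    """Derive application roles from group membership and affiliation."""
    roles = set()
    for group in attrs.get("isMemberOf", []):
        if group in GROUP_ROLES:
            roles.add(GROUP_ROLES[group])
    for affiliation in attrs.get("eduPersonAffiliation", []):
        if affiliation in AFFILIATION_ROLES:
            roles.add(AFFILIATION_ROLES[affiliation])
    return sorted(roles)


def build_session(assertion_xml, expected_audience, now_iso):
    """Turn an (already signature-verified) assertion into the application's
    session context, or return None if it must be rejected."""
    root = ET.fromstring(assertion_xml)
    if not conditions_hold(root, expected_audience, _parse_ts(now_iso)):
        return None
    attrs = extract_attributes(root)
    return {
        "issuer": root.findtext("saml:Issuer", namespaces=SAML_NS),
        "attributes": attrs,
        "roles": roles_for(attrs),
        # Groups and attributes are a snapshot taken at login: a membership
        # change at the IdP is invisible until the user logs in again.
        "snapshot_at": now_iso,
    }


if __name__ == "__main__":
    print(build_session(SAMPLE_ASSERTION, "https://wiki.example.org/sp", "2010-06-01T12:01:00Z"))
```

The snapshot_at field is the practical consequence of "only at login": whatever the application caches from the assertion is only as fresh as the last login, which is exactly why the slides ask how to get group membership before (or between) logins.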

SLIDE 35

Provisioning

Provisioning is application specific

  • Preferably done by the vendor
  • Else, use APIs
  • Or hack the app...

The amount of effort, and the optimal way of provisioning, depends on the functional requirements of the application. See: Provisioning scenarios in identity federations

SLIDE 36

Deprovisioning

- This page was intentionally left blank -
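Slide 35 says provisioning is done through the application's API, and slide 36 leaves deprovisioning blank. The following added example, not code from the talk or from SURFnet, treats the two as one operation: it diffs the federation's current group membership against the application's local accounts and produces a plan that creates, updates, re-enables and disables accounts. Two choices are worth copying. Accounts that have left the federation are disabled, not deleted, so a user returning next semester keeps their data. And the run refuses to apply itself when it would disable more than a set fraction of managed accounts, because an empty or truncated feed is far more likely than everyone leaving at once. Both input dicts are constructed; in practice they would come from a group-management web service API and the application's own account API.

```python
from dataclasses import dataclass, field

# Constructed sample data. In a real deployment the first dict comes from the
# federation's group-management API and the second from the application.
FEDERATED_MEMBERS = {
    "alice@example.edu": {"thesis-2010"},
    "bob@example.edu": {"thesis-2010", "staff"},
    "dave@partner.example.com": {"thesis-2010"},
}
LOCAL_ACCOUNTS = {
    "alice@example.edu": {"active": True, "groups": {"thesis-2010"}},
    "bob@example.edu": {"active": True, "groups": {"thesis-2010"}},
    "carol@example.edu": {"active": True, "groups": {"thesis-2009"}},
    # Local break-glass admin: never managed by the federation feed.
    "svc-admin": {"active": True, "groups": {"admins"}, "local_only": True},
}


@dataclass
class Plan:
    create: dict = field(default_factory=dict)    # user -> groups to grant
    update: dict = field(default_factory=dict)    # user -> (groups to add, groups to remove)
    reenable: list = field(default_factory=list)  # previously disabled users now back in the feed
    disable: list = field(default_factory=list)   # users no longer in the feed
    refused: str = ""                             # non-empty when the run was aborted


def reconcile(federated, local, max_disable_fraction=0.5):
    """Compute the provisioning/deprovisioning plan that makes 'local' match
    'federated'. Accounts flagged local_only are never touched."""
    plan = Plan()
    for user, groups in federated.items():
        account = local.get(user)
        if account is None:
            plan.create[user] = set(groups)
            continue
        if not account["active"]:
            plan.reenable.append(user)
        add = set(groups) - account["groups"]
        remove = account["groups"] - set(groups)
        if add or remove:
            plan.update[user] = (add, remove)

    managed_active = 0
    for user, account in local.items():
        if account.get("local_only"):
            continue
        if account["active"]:
            managed_active += 1
            if user not in federated:
                plan.disable.append(user)
    plan.disable.sort()

    # Fail safe: an empty or truncated feed must not deprovision everyone.
    if managed_active and len(plan.disable) / managed_active > max_disable_fraction:
        plan.refused = (f"would disable {len(plan.disable)} of {managed_active} managed "
                        "accounts; feed looks broken, refusing to apply")
        plan.disable = []
    return plan


if __name__ == "__main__":
    print(reconcile(FEDERATED_MEMBERS, LOCAL_ACCOUNTS))
    print(reconcile({}, LOCAL_ACCOUNTS).refused)
```

Running the reconciliation on a schedule gives the application a deprovisioning path that does not depend on the user ever logging in again, which the login-time SAML assertion alone cannot provide.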
SLIDE 37

The Future of Domestication

Standardize

  • Settle on standards
  • Reduce and standardize the number of implementations

What other stuff would we like externalized?

  • Events
  • Messaging
  • Monitoring and Reporting

How will domestication work beyond the web?

SLIDE 38

Domestication Wiki

https://wiki.surfnetlabs.nl/display/domestication

SLIDE 39

Questions? Niels.vanDijk@SURFnet.nl