Post on 29-Mar-2015
Access management: challenges and approaches
James Dalziel, Adjunct Professor and Director
Macquarie E-learning Centre of Excellence
james@melcoe.mq.edu.au
www.melcoe.mq.edu.au
Overview
• COLIS and access management
• Access management challenges
• MAMS
• MAMS and other projects
• Access management framework
COLIS and access management
• Demonstrator project based on open standards
– IMS CP, IMS DRI, IMS LRM, ODRL
• Five universities and five vendors
– Many different conceptions of the problem
– Language difficulties
• The COLIS Demonstrator is not “the solution”
– Work in progress to help uncover practical issues
– Functioning Demonstrator for discussion
Systems Chunks in COLIS Learning Space Application Integration
[Diagram: system chunks shown as boxes: Content Management, Library E-Services, E-Reserve, E-Journals, Integration Services, Learning Management, Digital Rights Management, Directory Services, Learning Content Management.]
COLIS and access management
• Access management requirements
– No modification to target systems
– SSO “Deep linking”
– Support multiple windows
• Different approaches to solving access management
– Large scale “corporate” solution
– Small scale pragmatic approach, legacy systems
COLIS SSO Model (SSO Proxy + Scripting)
[Diagram: the User Browser requests an Application URL that is fronted by the Application Web Server (the proxy). If the user hasn’t logged in: Authentication Challenge → Login Form → Authentication Token, with credentials checked by LDAP Authentication and permissions looked up in the Authorisation DBase. If the user has logged in: Web Page 1 is returned.]
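An added example (not COLIS or MAMS code) of the token handling this proxy model needs: after an LDAP-style credential check the proxy mints an HMAC-signed, expiring token, and on every request it verifies that token before consulting the authorisation database and forwarding to the target. The user store, authorisation table and proxy key are constructed stand-ins.

```python
import base64, hashlib, hmac, json, time

# Constructed stand-ins for the model's LDAP directory and Authorisation DBase.
LDAP_USERS = {"jdoe": "correct horse battery staple"}
AUTHZ_DB = {"jdoe": {"e-reserve", "e-journals"}}
PROXY_KEY = b"hypothetical-proxy-secret-key"  # known only to the SSO proxy

def ldap_authenticate(username, password):
    """Stand-in for an LDAP bind: True only when the credentials match."""
    stored = LDAP_USERS.get(username)
    return stored is not None and hmac.compare_digest(stored.encode(), password.encode())

def issue_token(username, now=None, ttl=3600):
    """Mint the authentication token the proxy sets after a successful login."""
    now = int(time.time() if now is None else now)
    payload = json.dumps({"sub": username, "exp": now + ttl}).encode()
    mac = hmac.new(PROXY_KEY, payload, hashlib.sha256).digest()
    return base64.urlsafe_b64encode(payload).decode() + "." + base64.urlsafe_b64encode(mac).decode()

def verify_token(token, now=None):
    """Return the subject if the token is intact and unexpired, otherwise None."""
    now = int(time.time() if now is None else now)
    try:
        p64, m64 = token.split(".", 1)
        payload, mac = base64.urlsafe_b64decode(p64), base64.urlsafe_b64decode(m64)
    except ValueError:  # malformed token (no separator or bad base64)
        return None
    if not hmac.compare_digest(mac, hmac.new(PROXY_KEY, payload, hashlib.sha256).digest()):
        return None  # check the MAC first: never read claims from an unverified payload
    claims = json.loads(payload)
    if claims.get("exp", 0) <= now:
        return None  # expired tokens fall back to the login form
    return claims.get("sub")

def login(username, password, now=None):
    """Login form handler: LDAP check, then token issue."""
    if not ldap_authenticate(username, password):
        return ("challenge", None)  # re-present the login form
    return ("token", issue_token(username, now))

def handle_request(app, token, now=None):
    """Proxy decision for one request to a target application behind the proxy."""
    user = verify_token(token, now) if token else None
    if user is None:
        return ("challenge", None)  # user hasn't logged in: send the login form
    if app not in AUTHZ_DB.get(user, set()):
        return ("forbidden", user)  # authenticated, but not authorised for this target
    return ("forward", user)  # logged in: pass the request through to the target system
```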
Access management challenges
• Need for practical, incremental solutions
• Recognition of education systems environment
– Many legacy systems, impractical to change/remove
• No single solution will be sufficient
– Need more than one way of accessing targets
– “Multi-modal Single Sign On”
• Intra-institutional and inter-institutional needs
• Role of identity management
– Directories, unique identifiers, extensible attributes
MAMS
• MAMS - “Meta Access Management System”
• An umbrella system with numerous modules for access to different systems as required
• Inter-institutional communication between MAMS
• Originally a proposal to DEST SII in 2002
• Now a consortium bid for ARIIC 2003 common technical services Demonstrator
Current University Access Management Challenge
[Diagram: an Access System (eg, Portal) with one type of SSO mechanism (eg, Kerberos) faces Application A (requires scripting), Application B (requires reverse proxy), Application C (requires IP address restriction) and Application D (requires Kerberos); only Application D is reachable, the other three links are marked x, and the link to Directories is marked ?.]
Meta Access Management System (MAMS) Architecture
[Diagram: the Access System (eg, Portal) connects to a Local MAMS, which reaches Application A through a Scripting module, Application B through Reverse proxy modules, Application C through an IP address restriction module and Application D through a Kerberos module; the Local MAMS also connects to Directories and to the MAMS of an Other Institution.]
Example MAMS Implementation (Type 4)
[Diagram: University A MAMS, fed by an Access System and a Kerberos Certificate system, reaches Library Premium Databases (Kerberos enabled) and a Digital Rights Management System (Kerberos enabled); University B MAMS, fed by an LDAP/X.500 Access System, reaches a Learning Management System (scripting enabled), a Learning Object Management System (reverse proxy enabled) and Library Premium Databases (IP restrictions enabled).]
MAMS and other projects
• MAMS has liaisons with:
– COLIS partners (MQ, UNE, USQ, Tas, Newcastle)
• Indirect liaison to OTEN and WestOne from IIS&R project
– WALAP partners (UWA, Curtin, EC, Murdoch, ND)
– Telstra Research Labs, National Library of Australia, education.au
– Vendors: Sun, Microsoft, Novell
– Internet2/MACE Shibboleth project (US)
– Open Knowledge Initiative (OKI) (US)
– Various JISC/CETIS projects (UK)
– University of Ulster/Athens (UK)
– National Library of New Zealand (NZ)
MAMS and other projects
• MAMS open standards research covers:
– Security Assertion Markup Language (SAML)
– eXtensible Access Control Markup Language (XACML)
– Directory Assertion Markup Language (DAML)
– Service Provisioning Markup Language (SPML)
– Various components of the Web Services family of standards (WS-*)
– EduPerson Directory Schema
– Open Archives Initiative Protocol for Metadata Harvesting (OAI PMH)
– Dublin Core (DCMI)
– Australian Government Locator Service (AGLS)
– IMS Learning Resource Metadata (IMS LRM)
– IEEE Learning Object Metadata (IEEE LOM)
– Metadata Encoding and Transmission Standard (METS)
– Open Digital Rights Language (ODRL)
– MPEG Rights Expression Language (MPEG REL)
– Open Grid Services Architecture (OGSA)
– Open Knowledge Initiative Open Service Interface Definitions (OSID)
– ISO 2146 Collection Agencies Directory Standard
– Z39.50 (ISO 23950) Search protocol
– IMS Digital Repository Interoperability (IMS DRI)
MAMS and Shibboleth
• Shibboleth is an Internet2/MACE project
– Best practice at cross-authentication for education
• Standards basis to Shibboleth, especially SAML
• Common elements
– MAMS umbrella and Shibboleth
– Shibboleth “resource handlers” and MAMS modules
– Shibboleth inter-institutional federation
• Crucial importance of anonymity and privacy within foundation architectural model
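An added illustration of the privacy point (not Shibboleth code and not from the MAMS project): the attribute release step at an identity provider gives each service provider a pseudonymous identifier in the style of eduPersonTargetedID, derived from the user, the SP entity ID and an IdP-private salt so that two SPs cannot link a user by identifier, and releases only the attributes the policy grants that SP. The directory record, salt and release policy are constructed.

```python
import base64
import hashlib
import hmac

# Constructed eduPerson-style directory record held by the identity provider.
DIRECTORY = {
    "jdoe": {
        "uid": "jdoe",
        "mail": "jdoe@example.edu",
        "eduPersonScopedAffiliation": "staff@example.edu",
    },
}
# Hypothetical IdP-private salt: without it no SP can recompute or reverse a pseudonym.
TARGETED_ID_SALT = b"hypothetical-idp-secret-salt"

# Constructed release policy keyed by SP entity ID. Most SPs get only the pseudonym
# and a scoped affiliation; identifying attributes go only where the policy allows.
RELEASE_POLICY = {
    "https://ereserve.example.edu/shibboleth": {"eduPersonTargetedID", "eduPersonScopedAffiliation"},
    "https://journals.example.org/shibboleth": {"eduPersonTargetedID", "eduPersonScopedAffiliation"},
    "https://hr.example.edu/shibboleth": {"eduPersonTargetedID", "uid", "mail",
                                          "eduPersonScopedAffiliation"},
}

def targeted_id(uid, sp_entity_id):
    """Pseudonym that is stable for one (user, SP) pair but differs between SPs."""
    msg = uid.encode() + b"!" + sp_entity_id.encode()
    return base64.b64encode(hmac.new(TARGETED_ID_SALT, msg, hashlib.sha256).digest()).decode()

def release_attributes(uid, sp_entity_id):
    """Attributes to put in the assertion for this SP, or None if the SP is not federated."""
    policy = RELEASE_POLICY.get(sp_entity_id)
    if policy is None:
        return None  # unknown SP: no assertion is issued at all
    record = dict(DIRECTORY[uid], eduPersonTargetedID=targeted_id(uid, sp_entity_id))
    return {name: value for name, value in record.items() if name in policy}
```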
Example MAMS Implementation (Type 4) + Recent Projects overlay
[Diagram: the Type 4 implementation above (University A MAMS with Kerberos-enabled Library Premium Databases and Digital Rights Management System; University B MAMS with LDAP/X.500 Access System, scripting-enabled Learning Management System, reverse-proxy-enabled Learning Object Management System and IP-restricted Library Premium Databases) overlaid with the recent projects: MAMS (Resource Handlers), PKI or other Digital Certificates, Shibboleth, and WALAP at both universities.]
A Framework for Access Management
• The following slides provide a high level, (very) crude framework for thinking about different components of access management
[Diagram: a grid with Breadth of access management solution on the horizontal axis and Sophistication of component on the vertical axis; the components are Authentication, Authorisation, Single Sign On, Identity & Attributes (Directories) and Federated Trust.]
Sample PKI approach
[Diagram: on the same grid, covers Authentication and Identity & Attributes.]
COLIS approach
[Diagram: on the same grid, covers Authentication, Single Sign On and Identity & Attributes.]
MAMS goals
[Diagram: on the same grid, an Integrated, federated access and identity management infrastructure covering Authentication, Authorisation, Single Sign On, Identity & Attributes and Federated Trust.]
Conclusion
• Access management as a key element of research and education infrastructure
• Need for Demonstrator, incremental development, recognition of current education sector realities
• No one SSO method will be sufficient
• Importance of open standards
• Architectural challenge of privacy and anonymity
• Common ground between MAMS and VET