The Rest of the World, in 75 minutes… Ken Klingenstein Director, Internet2 Middleware and...

Post on 01-Apr-2015


The Rest of the World, in 75 minutes…

Ken Klingenstein

Director, Internet2 Middleware and Security

Topics

Directory Activities:

eduPerson, CourseID, Entitlements, others…

Shibboleth Update:

Core Code, Federations, GUIs, Project Management

Grids:

GGF and EGA, Campus Grids, Integration with enterprises

PKI:

HEBCA, USHER, TACAR and EuroPMA

Diagnostics:

Middleware diagnostics, performance and security diagnostics, the SURFnet Detective

Directory activities

eduPerson
• Entitlements and TargetID
• Affiliate vs Member

Localperson

CourseID

Shibboleth Today

V1.2 on the streets, v1.3 in development

Software is still “simple” but getting increasingly complex; it is still early.

Identified as the national R&E federation technology in the US, the UK, Australia, Switzerland, Finland, and perhaps others…

Increasingly “at” Burton, Catalyst, DigitalID Conferences

Interoperability discussions and commitments being made among federating software developers

Core software development

v1.0 April 2003, v1.2 May 2004

v1.3 targeted for fall; priorities include portal support, perhaps the SAML artifact profile

SAML 2.0, OpenSAML 2.0 and the meaning of Shibboleth

WS-Fed interoperability

Shib as WebISO

SOAP and SAML –interim and long-term

Whole-grain Shib

Refactoring into core and module for long-term management

Integrated documentation and install guides

SAML 2.0

Historic relationship of SAML and Shib

Contributions from both Liberty and Shibboleth to spec.

TC under OASIS, with contributing editor S. Cantor, Individual

Largely done, perhaps final committee work by end of August, then approval by Nov or IBM…

Refactors a lot, in Shib and vendor products – how quickly will vendors adopt?

OpenSAML 2.0 will happen…

Coordination of Shib development

Development now taking place in several countries, with significant investments outside the original development crew.

A reasonable re-layering of architecture and code might be helpful

Management role models:
• Likely: OpenLDAP, Apache
• Less likely: GGF

Alignment of licensing and copyright could be challenging

Federations

Seem to be happening. InQueue has > 50. InCommon is nearing completion of policies, pricing, membership decisions. Ten phase 1 participants doing the lifting

Shib R&E feds in UK, Australia, Switzerland, Finland, others; non-Shib FEIDE in Norway

Federations in business still bilateral, nonpersistent

International federation peering in UK in October

Some activity in US federal gov

Other efforts, such as Salsa-NetAuth, plan to leverage federations

Coupled systems

The major GUIs – SysAdmin, Autograph, PRM

Other AA backend plug-ins

Alternative WAYF approaches
• Interim
• Long-term

Other trust fabrics

GUIs to manage Shibboleth

SysPriv ARP GUI

A tool to help administrators (librarians, central IT sysadmins, etc) set attribute release policies enterprise-wide

• For access to licensed content
• For linking to outsourced service providers
• Has implications for the end-user attribute release manager (Autograph)

GUI design now actively underway, led by Stanford

Plumbing to follow shortly

End-user attribute release manager (Autograph)

Intended to allow end-users to manage release policies themselves and, perhaps, understand the consequences of their decisions

Needs to be designed for everyone even though only 3% will use it beyond the defaults.

To scale, must ultimately include extrapolation on settings, exportable formats, etc.
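The SysPriv ARP GUI and Autograph above work on the same policy from two ends: the enterprise decides which attributes may be released to which service providers, and the end user narrows that for themselves. The following is an added example, not code from the original slides or from the Shibboleth project, showing one way to evaluate such a layered release policy with default deny, deny-over-permit, and user rules that can only narrow the enterprise policy. The service provider names, attribute values, and the rule semantics are assumptions for illustration; the real Shibboleth ARP format and combination rules differ.

```python
"""Attribute release under an enterprise policy narrowed by user choices.

Added example with assumed semantics; not Shibboleth's ARP format or code.
"""
from dataclasses import dataclass
from fnmatch import fnmatch
from typing import FrozenSet, Optional


@dataclass(frozen=True)
class Rule:
    target: str                              # SP identifier pattern; "*" matches any SP
    attribute: str                           # attribute name, e.g. eduPersonEntitlement
    values: Optional[FrozenSet[str]] = None  # None: the rule covers every value
    effect: str = "permit"                   # "permit" or "deny"

    def covers(self, sp: str, attribute: str, value: str) -> bool:
        return (fnmatch(sp, self.target) and self.attribute == attribute
                and (self.values is None or value in self.values))


def release(user_attrs, sp, site_rules, user_rules=()):
    """Return {attribute: set(values)} to release to `sp`.

    Assumed semantics: nothing is released unless a site rule permits it
    (default deny); any matching deny wins over a permit; user rules may only
    deny, so the end-user manager narrows the enterprise policy but never
    widens it.
    """
    released = {}
    for attribute, values in user_attrs.items():
        kept = set()
        for value in values:
            site = [r for r in site_rules if r.covers(sp, attribute, value)]
            permitted = any(r.effect == "permit" for r in site)
            denied = any(r.effect == "deny" for r in site) or any(
                r.effect == "deny" and r.covers(sp, attribute, value) for r in user_rules)
            if permitted and not denied:
                kept.add(value)
        if kept:
            released[attribute] = kept
    return released


# Constructed enterprise-wide policy (hypothetical SPs and URNs): licensed
# content gets one entitlement plus the member affiliation; the outsourced
# portal gets affiliations and the principal name; staff affiliation is
# never released anywhere (deny overrides the portal's broad permit).
SITE_POLICY = [
    Rule("*.jstor.example", "eduPersonEntitlement",
         frozenset({"urn:mace:example.edu:contract:jstor"})),
    Rule("*.jstor.example", "eduPersonScopedAffiliation", frozenset({"member@example.edu"})),
    Rule("portal.vendor.example", "eduPersonScopedAffiliation"),
    Rule("portal.vendor.example", "eduPersonPrincipalName"),
    Rule("*", "eduPersonScopedAffiliation", frozenset({"staff@example.edu"}), effect="deny"),
]

# Constructed user attributes as the attribute authority would see them.
USER = {
    "eduPersonPrincipalName": {"jdoe@example.edu"},
    "eduPersonScopedAffiliation": {"member@example.edu", "staff@example.edu"},
    "eduPersonEntitlement": {"urn:mace:example.edu:contract:jstor",
                             "urn:mace:example.edu:contract:ieee"},
    "mail": {"jdoe@example.edu"},
}

# The one user in the "3%" who changes the defaults: withhold the principal
# name from the outsourced portal.
USER_RULES = [Rule("portal.vendor.example", "eduPersonPrincipalName", effect="deny")]


if __name__ == "__main__":
    print(release(USER, "www.jstor.example", SITE_POLICY))
    print(release(USER, "portal.vendor.example", SITE_POLICY))
    print(release(USER, "portal.vendor.example", SITE_POLICY, USER_RULES))
    print(release(USER, "unknown.example", SITE_POLICY))
```

For www.jstor.example only the licensed entitlement and the member affiliation come out; for the portal the user rule removes the principal name that the site policy would otherwise release, the staff affiliation is blocked by the enterprise-wide deny, and a user "permit" for mail would add nothing because there is no site permit to narrow. An SP with no rules gets nothing, which is what the defaults that 97% of users never touch should mean.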

Privacy Management Systems

Personal Resource Manager

Grids

GGF and EGA – two standards organizations, no standards…

Enterprise Grids – a developing approach

The Terrorgrid – of integration and security

Integration with enterprises – leveraging enterprise infrastructure and R&E federations

PKI

HEBCA

USHER

TACAR and EuroGrid PMA

Buy a global higher ed root

Virtual Organizations

Geographically distributed, enterprise distributed community that shares real resources as an organization.

Examples include team science (NEESGrid, HEP, BIRN, NEON), digital content managers (library cataloguers, curators, etc), life-long learning consortia, etc.

On a continuum from interrealm groups (no real resource management, few defined roles) to real organizations (primary identity/authentication providers)

Want to leverage enterprise middleware and external trust fabrics

Virtual Organizations

Some things seem consistent across almost all VO’s
• The need to manage and delegate VO authorizations
• Unique naming, and managed resource discovery
• A set of collaboration tools, including a list manager, calendar, shared web content management, etc. that are seamlessly integrated into users’ everyday environment
• A need to factor in, and leverage, local domain requirements and capabilities

Some things are specific to each VO
• The members and the resources being managed
• Requirements for advanced services, such as Grids and instrument management

Virtual organizations

Need a model to support a wide variety of use cases
• Native v.o. infrastructure capabilities, differences in enterprise readiness, etc.
• Variations in collaboration modalities
• Requirements of v.o.’s for authz, range of disciplines, etc.

JISC in the UK has the lead; builds on NSF NMI

Tool set likely to include seamless listproc, web sharing, shared calendaring, real-time video, privilege management system, etc.

Leveraging V.O.s Today

[Diagram: VO, Target Resource, User, Enterprise, Federation]

Leveraged V.O.s Tomorrow

[Diagram: VO, Target Resource, User, Enterprise, Federation, Collaborative Tools, Authority System, etc.]

Middleware Diagnostics: Problem Statement

• The number and complexity of distributed application initiatives and products has exploded within the last 5 years

• Each must create its own framework for providing diagnostic tools and performance metrics

• Distributed applications have become increasingly dependent not only on the system and network infrastructure that they are built upon, but also each other

• Middleware diagnostics need to integrate with network performance diagnostics and security diagnostics

Goals

• Create an event collection and dissemination infrastructure that uses existing system, network and application data (Unix/WIN logs, SNMP, NetFlow, etc.)

• Establish a standardized event record that normalizes all system, network and application events into a common data format

• Build a rich tool platform to collect, distribute, access, filter, aggregate, tag, trace, probe, anonymize, query, archive, report, notify, perform forensic and performance analysis

Event Record Standard

• Normalization of each diagnostic data feed type (SHIB, HTTP, Syslog, RMON, etc.) into a common event record

• The tagging of specific events to help downstream correlation processes

[Diagram: diagnostic feeds (Cisco NetFlow events, RMON events, DB access log, SHIB log, HTTP access log, GRID application log) pass through normalization and event tagging, producing records of the form
NETFLOW:TIME:SRC:DST:…
RMON:HOST:TIME:DSTPORT…
DB:TIME:HOST:REQ:ASTRON…
SHIB:TIME:HOST:UID…
HTTP:TIME:HOST:URL…
GRIDAPP:TIME:HOST:UID:…
which feed a Variable Star Catalog DB application.]

Diagnostic Data Pipelining

Data flows can be constructed to provide the desired function and policy within an enterprise or federation

[Diagram: network events and host or security events enter collection module hosts (C-1 to C-4), which feed processing module hosts (P-1 to P-5) that perform normalization, aggregation, tagging, anonymization and filtering ahead of the archive DB. C-* Collection Module Host; P-* Processing Module Host]

Event Record

Event Descriptor Meta Field

Event Descriptor
• Version Number
• Observation Description Pointer
• ID – unique event identifier
• Time – start/stop
• IP Address(es) – source/(destination)
• Source Class – application, network, system, compound, bulk, management
• Event Name Tag – native language ID, user defined
• Status – normal, informational, warning, measurement, critical, error, etc.
• Major Source Name – filename, Netflow, Syslogd, SNMP, shell program, etc.
• Minor Source Name – logging process name (named), SNMP variable name, etc.
• Raw Data Encoding Mechanism – Binary, ASN1, ASCII, XML, etc.
• Raw Event Data Description Pointer

Raw Event Data
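The normalization, tagging and anonymization stages above, as an added example that is not part of the original slides or of the Internet2 diagnostics effort: it parses one constructed line from each of four feeds (syslog, a Shibboleth AA log, an HTTP access log, and a NetFlow-style export) into a record whose fields follow the event descriptor list, tags each record for downstream correlation, groups events by source IP across feeds, and applies a keyed-hash anonymization so archived records stay joinable without carrying the user identifier. The feed layouts, regexes, log lines, the assumed year for the syslog timestamp, and the HMAC-SHA256 choice are all assumptions made for this example.

```python
"""Normalize several diagnostic feeds into one event record, tag, correlate,
anonymize. Added example; feed formats, regexes and sample lines are constructed."""
import hashlib
import hmac
import re
import uuid
from dataclasses import dataclass, field, replace
from datetime import datetime, timezone
from typing import Optional

# Constructed sample lines, one per feed (SHIB and Netflow layouts are assumed).
SAMPLE_FEEDS = [
    ("Syslogd", "Jun 14 10:02:11 idp01 sshd[2131]: Failed password for invalid user admin from 192.0.2.7 port 4021 ssh2"),
    ("SHIB", "2004-06-14T10:02:14Z idp01 shib-aa attribute-query uid=jdoe sp=catalog.astro.example status=ok"),
    ("HTTP", '192.0.2.7 - jdoe [14/Jun/2004:10:02:15 +0000] "GET /catalog/search?star=V1500 HTTP/1.1" 200 5123'),
    ("Netflow", "1087207331,1087207333,192.0.2.7,198.51.100.20,4021,22,6,1200"),
]


@dataclass
class EventRecord:
    version: int
    event_id: str
    time_start: str
    time_stop: Optional[str]
    src_ip: Optional[str]
    dst_ip: Optional[str]
    source_class: str   # application, network, system, compound, bulk, management
    event_name: str
    status: str         # normal, informational, warning, measurement, critical, error
    major_source: str   # Syslogd, Netflow, SNMP, filename, ...
    minor_source: str   # logging process name, SNMP variable name, ...
    raw_encoding: str   # Binary, ASN1, ASCII, XML
    raw_data: str
    tags: dict = field(default_factory=dict)  # correlation tags added by the normalizer


SYSLOG_RE = re.compile(r"^(?P<ts>\w{3} +\d+ \d\d:\d\d:\d\d) (?P<host>\S+) (?P<proc>[\w-]+)\[\d+\]: (?P<msg>.*)$")
HTTP_RE = re.compile(r'^(?P<ip>\S+) \S+ (?P<user>\S+) \[(?P<ts>[^\]]+)\] "(?P<req>[^"]*)" (?P<code>\d{3}) \S+$')
SHIB_RE = re.compile(r"^(?P<ts>\S+) (?P<host>\S+) (?P<proc>\S+) (?P<event>\S+) ?(?P<kv>.*)$")


def _new(major, minor, raw, start, **fields):
    base = dict(version=1, event_id=str(uuid.uuid4()), time_start=start.isoformat(),
                time_stop=None, src_ip=None, dst_ip=None, major_source=major,
                minor_source=minor, raw_encoding="ASCII", raw_data=raw, tags={})
    base.update(fields)
    return EventRecord(**base)


def normalize(major, line):
    """Map one raw line from feed `major` into the common EventRecord."""
    if major == "Syslogd":
        m = SYSLOG_RE.match(line)
        # Syslog lines carry no year; 2004 is assumed for the constructed sample.
        t = datetime.strptime(m["ts"], "%b %d %H:%M:%S").replace(year=2004, tzinfo=timezone.utc)
        ip = re.search(r"from (\d+\.\d+\.\d+\.\d+)", m["msg"])
        failed = m["msg"].startswith("Failed")
        return _new(major, m["proc"], line, t, src_ip=ip.group(1) if ip else None,
                    source_class="system", event_name="auth.failure" if failed else "auth.other",
                    status="warning" if failed else "normal", tags={"host": m["host"]})
    if major == "SHIB":
        m = SHIB_RE.match(line)
        kv = dict(p.split("=", 1) for p in m["kv"].split())
        t = datetime.fromisoformat(m["ts"].replace("Z", "+00:00"))
        return _new(major, m["proc"], line, t, source_class="application", event_name=m["event"],
                    status="normal" if kv.get("status") == "ok" else "error",
                    tags={"host": m["host"], "principal": kv.get("uid"), "sp": kv.get("sp")})
    if major == "HTTP":
        m = HTTP_RE.match(line)
        t = datetime.strptime(m["ts"], "%d/%b/%Y:%H:%M:%S %z")
        code = int(m["code"])
        tags = {"principal": m["user"]} if m["user"] != "-" else {}
        return _new(major, "httpd", line, t, src_ip=m["ip"], source_class="application",
                    event_name="http." + m["req"].split(" ")[0].lower(),
                    status="error" if code >= 500 else "warning" if code >= 400 else "normal",
                    tags=tags)
    if major == "Netflow":
        start, stop, src, dst, sport, dport, proto, nbytes = line.split(",")
        t0 = datetime.fromtimestamp(int(start), tz=timezone.utc)
        t1 = datetime.fromtimestamp(int(stop), tz=timezone.utc)
        return _new(major, "flow", line, t0, time_stop=t1.isoformat(), src_ip=src, dst_ip=dst,
                    source_class="network", event_name="flow", status="measurement",
                    tags={"dst_port": int(dport), "bytes": int(nbytes)})
    raise ValueError("unknown feed: " + major)


def correlate_by_ip(records):
    """Downstream correlation: event names per source IP, across all feeds."""
    groups = {}
    for r in records:
        if r.src_ip:
            groups.setdefault(r.src_ip, []).append(r.event_name)
    return groups


def anonymize(record, key):
    """Replace the principal with a keyed hash: archived records from different
    feeds still join on the same pseudonym, but the uid itself is not stored."""
    if "principal" not in record.tags:
        return record
    digest = hmac.new(key, record.tags["principal"].encode(), hashlib.sha256).hexdigest()[:16]
    return replace(record, tags={**record.tags, "principal": "anon:" + digest})
```

Running `normalize` over SAMPLE_FEEDS and then `correlate_by_ip` ties the failed SSH login, the HTTP request and the flow to 192.0.2.7 even though they came from three different feeds with three different timestamp conventions; the SHIB record has no IP but shares the principal tag with the HTTP record, and `anonymize` with the same key keeps that link while dropping the uid. A plain unkeyed hash would be a poor substitute, since a small user population makes it trivially reversible by enumeration.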

A context for diagnostics

SURFnet detective

Integrated I2 diagnostic efforts