What is Federated ID Management and Why Should You Care?

Tim Poe & Steve Thorpe, {tpoe, thorpe}@mcnc.org

MCNC All-Staff Meeting, March 19, 2009

Page 1: What is Federated ID Management and Why Should You Care?

Page 2: Outline

Motivation

Example Services

Requirements

Underlying Technology

NCTrust Federation Pilot

Demo


Page 3: Motivation

Many NC institutions desire access to remote protected web-based services:

17 UNC system institutions

115 LEAs, thousands of K-12 schools

58 community colleges

36 independent colleges / universities

Plus many other government / educational / commercial organizations

The desire is for access to be efficient, cost-effective, quick, secure, and user-friendly. Federated ID Management technologies enable such access.


Page 4: ATM machines - An Early Example of Federated ID Management

Thousands of banks - Federated

Millions of users (bank customers)

User login (ATM card) and password (PIN) maintained by the user’s home institution (Bank)

Other institutions give service ($) access to remote users, based on trusting the login and password that’s maintained by the home institution

Today we’re doing something similar, only we’re serving Web-based services rather than $


Page 5: Example – Confluence

Confluence is a web-based wiki service that fosters collaboration among multiple institutions

Federated ID Management technologies can alleviate MCNC’s current need for in-house management of accounts for outside users

Each home institution would manage their *own* accounts


Page 6: Example - NCLive

NCLive provides access to eJournals, etc. for libraries, higher-ed and increasingly K-12

Want ease of resource accessibility yet must adhere to licenses of various products being distributed, e.g. certain content might be allowed only for:

Students

K-20 staff

Chemistry teachers

etc.


Page 7: Examples - VCL

NCSU’s Virtual Computing Lab (VCL) is a web service that allows reservations of a computer with a desired set of applications, then remote access over the Internet

You can use applications such as Matlab, Maple, SAS, Solidworks, and many others. Linux, Solaris and numerous Windows environments are available

Due to licensing and resource limitations, access must be limited to certain user communities


Page 8: Other Examples

How about a service to enable cross-institutional course registration for access to distance learning from a different university in the UNC system?

How about a service for elementary school kids to access privately licensed PBS, CSPAN, and History Channel video content through the internet?

Federated ID Management technologies can facilitate resource utilization across NCREN by enabling these and other web-based services much more efficiently, saving $ for MCNC and the NCREN community

Page 9: Requirements

Prevent users having to know yet-another password

Prevent system administrators having to add yet-another account

Avoid logins becoming out of date

Enable easier scaling of web-based applications to include multiple additional users/organizations

Must know people are who they say they are, with up-to-date accuracy

With potentially hundreds of thousands of people involved, need the home institutions to be responsible for account administration


Page 10: Underlying Technology: Shibboleth

Shibboleth is open source software for web single sign-on across or within organizational boundaries

Allows informed authorization decisions for protected web service access in a privacy-preserving manner

Uses the Security Assertion Markup Language (SAML) to provide a federated single sign-on and attribute exchange framework

Provides extended privacy functionality allowing the browser user and their home site to control the attributes released to each application

Page 11: Obligatory Geek Diagram - Simplified (the only one, we promise!)

Shibboleth Identity Provider (IdP) (the IdP is a J2EE app)

LDAP Server

Shibboleth Service Provider (SP) (the shibd daemon maintains state; mod_shib gets attributes from shibd and protects web apps)

Access to protected service (web app) is controlled by shib gatekeeper

1. Student is at Starbucks

2. IdP is at his school

3. Protected Web Service is at a university

4. IdP/SP communication via SAML attributes exchanged through the browser session
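The flow in the diagram above, written out as a runnable simulation (an added example, not code from the presentation or from the Shibboleth project): the IdP authenticates the user against its directory, releases only the attributes its policy allows for that particular SP, and signs the assertion; the SP verifies signature, audience and expiry before its gatekeeper rule decides access. SAML XML signatures and Shibboleth attribute-filter policies are replaced by an HMAC and a dict, and every name, URL and directory entry is constructed.

```python
import hmac, hashlib, json, time

# Constructed stand-in for the home institution's LDAP directory (assumption).
DIRECTORY = {
    "jdoe": {"password": "correct horse", "eduPersonAffiliation": "staff",
             "department": "Chemistry", "mail": "jdoe@school.example"},
}
# Attribute release policy: which attributes the IdP discloses to each SP.
# A real Shibboleth IdP expresses this in attribute-filter policies; this
# dict is a simplification of that idea, keyed by the SP's entity ID.
RELEASE_POLICY = {
    "https://nclive.example/sp": ["eduPersonAffiliation", "department"],
    "https://vcl.example/sp": ["eduPersonAffiliation"],
}
# Stand-in for the IdP signing key the SP would learn from federation
# metadata; real SAML uses XML signatures with a public key, not an HMAC.
IDP_KEY = b"constructed-shared-key"

def idp_issue(username, password, sp_entity_id):
    """IdP side: authenticate against the directory, then issue a signed
    assertion carrying only the attributes released to this SP."""
    entry = DIRECTORY.get(username)
    if entry is None or not hmac.compare_digest(entry["password"], password):
        return None
    released = {a: entry[a] for a in RELEASE_POLICY.get(sp_entity_id, []) if a in entry}
    body = {"issuer": "https://idp.school.example", "audience": sp_entity_id,
            "subject": username, "attributes": released, "not_after": time.time() + 300}
    payload = json.dumps(body, sort_keys=True)
    sig = hmac.new(IDP_KEY, payload.encode(), hashlib.sha256).hexdigest()
    return {"payload": payload, "sig": sig}  # the browser carries this to the SP

def sp_verify(token, my_entity_id, now=None):
    """SP side (the shibd role): trust the attributes only after checking the
    signature, that the assertion was issued for this SP, and that it is unexpired."""
    expected = hmac.new(IDP_KEY, token["payload"].encode(), hashlib.sha256).hexdigest()
    if not hmac.compare_digest(expected, token["sig"]):
        return None
    body = json.loads(token["payload"])
    if body["audience"] != my_entity_id or (now or time.time()) > body["not_after"]:
        return None
    return body["attributes"]

def nclive_chemistry_access(attrs):
    """Gatekeeper rule (constructed): a licence that allows content only for
    chemistry faculty or staff, decided from released attributes alone."""
    return (attrs is not None
            and attrs.get("eduPersonAffiliation") in ("faculty", "staff")
            and attrs.get("department") == "Chemistry")
```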

Page 12: NCTrust Federation Pilot

MCNC and partners have convened the NC Trust Pilot

Goal: create a Federation to test web resource sharing among several K-20 organizations within NC

Adding K-12 into the mix is a unique aspect

NCTrust utilizes the national InCommon Federation infrastructure

Provides a trust mechanism allowing each organization to certify its operational practices

MCNC is helping partners with tech / installation support

NCDPI

North Carolina Learning Object Repository ? (tbd)

Page 13: Shibboleth Training Workshops

1.5 day workshops were hosted by MCNC in October 2008 and February 2009

Instructors: Shilen Patel and Rob Carter (Duke), Gonz Guzman (MCNC)

Approximately 45 participants total

There’s an excellent video archive of the workshop, thanks to Bryon and Chad


Page 14: MOU and InCommon Paperwork in Various Stages of Completion…

First demos starting now!

Paperwork is MUCH harder / slower than technical work!

(though the technical parts are certainly not trivial)

Page 15: Demo

As [email protected]: Log onto test service, to see some attributes

Access Internet2’s Confluence site

As [email protected]: Log onto NCSU’s VCL site, check for images

As [email protected]: Log onto NCSU’s VCL site, check for images and see a different list based on my NCSU status

Page 16: Future Steps

Connect services among the NCTrust community:

VCL

NCLive

MCNC’s confluence site is a likely candidate

Others?

Recommendations on best model of state-wide federation to meet the needs of the K-20 educational community in North Carolina

To cover funding, operations, governance, etc.

Pilot runs through December 2009


Page 17: Key Takeaways

We believe Federated ID Management can enable more effective resource sharing among the NCREN community:

Secure

Efficient

Scalable

Accessible

Saves $

Not to mention it’s a GREEN technology

Fostering adoption of FIM technologies is another way of Connecting North Carolina’s Future Today


Page 18: Thank You

Special thanks to MCNC’s Gonz Guzman, Tom Throckmorton, Kambiz Aghaiepour, Neal Bullins, Carole Bruhn, Keith Venters, Chris Caswell, Bryon Coltrane, and Chad Pritchard who all helped this effort

Also thanks to the many Federated ID Task Force members from throughout the NCREN community who are participating with us in the NCTrust pilot project

Questions?
