MACE-paccman Working Group Face-to-Face Session

Internet2 Spring Member Meeting, Arlington, VA

Monday, 26-Apr-2010

*Overview*

Tom Dopirak, working group chair, presented an introduction and overview.

http://www.internet2.edu/presentations/spring10/20100426-mace-dopirak.pdf

History and future of access management:

Started from username and password managed inside the application; each application has its own separate access management.
Today -- Phase 2: username and password managed outside the application (single sign-on), but access management is still performed within the application.
Federated Identity -- Phase 3: access management still resides within the application, but it can handle authentication from different domains.
Federated Authentication -- Phase 4: federated username and password and federated access management are all handled outside of applications.
Or, in another scenario, a privilege, role and group metastore feeds an authorization service, a directory of attributes, and application-based authorization.

*MACE-paccman Accomplishments So Far*

The possible outcomes of the MACE-paccman working group are listed in the MACE-paccman charter at http://middleware.internet2.edu/paccman/

• A nice glossary and comparative taxonomy

https://spaces.internet2.edu/display/macepaccman/MACE-paccman-glossary

• A library of use cases

https://spaces.internet2.edu/display/macepaccman/Use+Cases

• Ideas on how to implement/solve the use cases using perMIT, Grouper, and Kuali Rice KIM

https://spaces.internet2.edu/display/macepaccman/Selected+Use+Cases

• Some engagement with important applications in Higher Education and research

*Next Steps for MACE-paccman*

Publish referenceable use cases
Examine the problems of federated access management
Publish "Access Management for Mortals"
Clarity of attributes vs groups vs privileges
Standard APIs for asking authorization questions?
Anything commercial worth examining?

*Questions*

Q: Are there standard APIs for asking authorization questions?

A: Right now, not really. LDAP has an API, Grouper has an API, perMIT has an API.

Q: Has anyone in the audience used Oracle Entitlement Service or XACML Engines for access management?

A: No.

*Advance CAMP*

Everyone is encouraged to attend Advance CAMP: The Second Identity Services Summit, June 23-25, 2010, Raleigh, North Carolina

https://spaces.internet2.edu/display/ACAMPIdSummit2010/Home

*The perMIT System*

Paul Hill of MIT presented on the perMIT system.

http://www.internet2.edu/presentations/spring10/20100426-mace-hill.pdf

MIT Roles has been in use since at least 1998.
perMIT is the next generation.
End of FY10: perMIT and Roles will coexist; Roles will act as the master.
perMIT's data model is based on the ASPEC = subject + function + qualifier (aka scope).
The UI allows scoped identifiers to be used as subjects for searching.
perMIT is in use at MIT by over 30 applications.
6258 people have the ability to grant privileges (10/2009).
Growing interest from areas such as physical security, door access, parking, certificate authority, backup systems, travel/reservations.
perMIT code will be released as open source.
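To make the subject + function + qualifier shape concrete, here is an added illustrative model of how such triples can be stored and checked, including the delegated-administration question of who may grant a privilege. This is example code written for these notes, not perMIT or MIT Roles code; the qualifier hierarchy, function names, the "grantable" flag and the rule that a grant must be covered by a grantable authorization for the same function are all assumptions made for the demonstration.

```python
"""Authorization checks on subject + function + qualifier triples.

Added example illustrating the ASPEC shape described in the notes; it is
not perMIT or MIT Roles code. The qualifier hierarchy, function names, the
'grantable' flag and the grant rule are assumptions for this demonstration.
"""
from dataclasses import dataclass
from typing import Dict, List, Optional

# Constructed qualifier (scope) hierarchy, child -> parent. An authorization
# held on a qualifier is assumed to cover every descendant qualifier.
QUALIFIER_PARENT: Dict[str, Optional[str]] = {
    "INSTITUTE": None,
    "SCHOOL_OF_ENGINEERING": "INSTITUTE",
    "DEPT_EECS": "SCHOOL_OF_ENGINEERING",
    "DEPT_MECHE": "SCHOOL_OF_ENGINEERING",
    "LAB_CSAIL": "DEPT_EECS",
}


@dataclass(frozen=True)
class Authorization:
    subject: str             # who: a person or group identifier
    function: str            # what they may do
    qualifier: str           # on which scope
    grantable: bool = False  # may the subject delegate this to others?


def ancestors(qualifier: str) -> List[str]:
    """The qualifier itself followed by each ancestor up to the root.

    Unknown qualifiers are rejected (fail closed) rather than silently
    matching nothing, so a typo in a scope name is caught early."""
    if qualifier not in QUALIFIER_PARENT:
        raise ValueError(f"unknown qualifier: {qualifier}")
    chain: List[str] = []
    node: Optional[str] = qualifier
    while node is not None:
        chain.append(node)
        node = QUALIFIER_PARENT[node]
    return chain


class AuthorizationStore:
    def __init__(self) -> None:
        self._auths: List[Authorization] = []

    def add(self, auth: Authorization) -> None:
        self._auths.append(auth)

    def matching(self, subject: str, function: str, qualifier: str,
                 need_grantable: bool = False) -> List[Authorization]:
        """Authorizations covering the requested triple: same subject and
        function, held on the qualifier itself or on one of its ancestors."""
        covering = set(ancestors(qualifier))
        return [a for a in self._auths
                if a.subject == subject and a.function == function
                and a.qualifier in covering
                and (a.grantable or not need_grantable)]

    def is_authorized(self, subject: str, function: str, qualifier: str) -> bool:
        return bool(self.matching(subject, function, qualifier))

    def can_grant(self, granter: str, function: str, qualifier: str) -> bool:
        """A granter needs a grantable authorization for the same function
        that covers the target scope (assumed delegation rule)."""
        return bool(self.matching(granter, function, qualifier, need_grantable=True))

    def grant(self, granter: str, subject: str, function: str, qualifier: str,
              grantable: bool = False) -> Authorization:
        if not self.can_grant(granter, function, qualifier):
            raise PermissionError(f"{granter} may not grant {function} on {qualifier}")
        auth = Authorization(subject, function, qualifier, grantable)
        self.add(auth)
        return auth


def build_demo_store() -> AuthorizationStore:
    """Constructed data: alice administers purchase approval school-wide and
    delegates a non-grantable authorization for one department to bob."""
    store = AuthorizationStore()
    store.add(Authorization("alice", "APPROVE_PURCHASE", "SCHOOL_OF_ENGINEERING",
                            grantable=True))
    store.grant("alice", "bob", "APPROVE_PURCHASE", "DEPT_EECS")
    return store
```

The check walks up the qualifier hierarchy, so bob's department-level authorization also answers yes for a lab inside that department but no for a sibling department, and because his authorization is not grantable he cannot pass it on.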

Q: Do you provision services outside of MIT?

A: Yes, for example Concur for travel

Q: How do you express permissions if you go to a federated model?

A: This is done with Concur, using the web service interface

*SURFnet Authorization Strategy*

Harold Teunissen of SURFnet presented on steps towards collaborations without boundaries.

http://www.internet2.edu/presentations/spring10/20100426-vo-platform-lajoie.pdf

A major goal is to support e-science collaborations. SURFnet's plan is:
Start off with federated access control and multi-domain Lightpath services in 2010.
Work to create a unified resource composition platform (cloud resources, instruments, etc.) in 2011, and make sure this gets standardized.
Continue towards collaborative infrastructures and workflow environments in 2012.
Work with the research community to tap into new ideas for usage and technical contribution.

*VOs and SWITCH*

Chad La Joie of Itumi presented on a VO platform developed for SWITCH.

http://www.internet2.edu/presentations/spring10/20100426-vo-platform-lajoie.pdf

A VO collaboration platform was needed at SWITCH.
The goal was for users from different universities to work together using online service tools for centralized media streaming, wiki, file hosting, etc.
A particular use case involved Swiss libraries using a centrally aggregated user file (custom extensions to Ex Libris Aleph).
Assumptions: VO services will work in the federation, and all users will have a federated user account.
The solution used two new standard SAML features implemented in Shibboleth: attribute aggregation and affiliation-targeted persistent name identifiers.
The VO platform consisted of:
• registration service
• data store
• attribute authority (IdP without authentication)

Resources:
https://spaces.internet2.edu/display/~lajoie@idp.protectnetwork.org/VOPlatform
https://spaces.internet2.edu/download/attachments/9731/vodesign.odt
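The two SAML features named above fit together in a specific way: an SP-targeted persistent identifier differs per service provider, so a VO attribute authority keyed on one service's identifier could not be consulted by another; targeting the identifier at the affiliation instead gives every VO service (and the attribute authority) the same opaque value, which is what lets attribute aggregation work. The following added example, written for these notes and not taken from the SWITCH platform or from Shibboleth, models that interaction. The hash recipe, entity IDs, affiliation ID, salt, user records and attribute names are all constructed assumptions.

```python
"""Affiliation-targeted persistent name identifiers and attribute aggregation.

Added example; not SWITCH VO platform or Shibboleth IdP code. The hash
recipe, entity IDs, affiliation ID, salt and user records are constructed
assumptions for this demonstration.
"""
import base64
import hashlib
from typing import Dict, List, Set

PERSISTENT = "urn:oasis:names:tc:SAML:2.0:nameid-format:persistent"
IDP_SALT = b"constructed-idp-salt-replace-in-real-deployments"  # constructed

# Constructed metadata: the VO platform's services and its attribute
# authority form one affiliation.
AFFILIATIONS: Dict[str, Set[str]] = {
    "https://vo.example.org/affiliation": {
        "https://wiki.example.org/sp",
        "https://media.example.org/sp",
        "https://aa.vo.example.org/aa",  # the VO attribute authority itself
    }
}

# Constructed home-IdP attribute store, keyed by an internal source id.
HOME_ATTRIBUTES: Dict[str, Dict[str, List[str]]] = {
    "u1001": {"eduPersonAffiliation": ["staff"], "o": ["Example University A"]},
    "u2002": {"eduPersonAffiliation": ["student"], "o": ["Example University B"]},
}

# VO attribute authority store: attributes keyed by the persistent ID the
# user presented at registration. Filled in by register_in_vo().
VO_ATTRIBUTES: Dict[str, Dict[str, List[str]]] = {}


def name_id_target(entity_id: str) -> str:
    """Affiliation ID if the relying party is an affiliation member,
    otherwise the relying party's own entityID (plain SP-targeted ID)."""
    for affiliation_id, members in AFFILIATIONS.items():
        if entity_id in members:
            return affiliation_id
    return entity_id


def compute_persistent_id(source_id: str, target: str) -> str:
    """Opaque, stable identifier for one user towards one target.

    Hashing the target, the user id and a secret salt means two different
    targets cannot correlate a user by identifier, and nobody can recover the
    source id from the value. SHA-256 + base64 is this example's own choice."""
    material = target.encode() + b"!" + source_id.encode() + b"!" + IDP_SALT
    return base64.b64encode(hashlib.sha256(material).digest()).decode()


def issue_name_id(source_id: str, sp_entity_id: str) -> Dict[str, str]:
    """What the home IdP would place in the assertion for this SP."""
    target = name_id_target(sp_entity_id)
    return {"Format": PERSISTENT, "SPNameQualifier": target,
            "value": compute_persistent_id(source_id, target)}


def register_in_vo(source_id: str, vo_groups: List[str]) -> str:
    """The registration service logs the user in, receives the
    affiliation-targeted ID and records VO membership under it."""
    name_id = issue_name_id(source_id, "https://aa.vo.example.org/aa")
    VO_ATTRIBUTES[name_id["value"]] = {"voGroup": list(vo_groups)}
    return name_id["value"]


def aggregate_attributes(source_id: str, sp_entity_id: str) -> Dict[str, List[str]]:
    """Attribute aggregation as seen by one SP: home-IdP attributes merged
    with whatever the VO attribute authority holds for the same persistent ID.
    The lookup only succeeds when the SP received the affiliation-targeted
    identifier, i.e. the same value the attribute authority was given."""
    name_id = issue_name_id(source_id, sp_entity_id)
    merged = {k: list(v) for k, v in HOME_ATTRIBUTES.get(source_id, {}).items()}
    for attr, values in VO_ATTRIBUTES.get(name_id["value"], {}).items():
        merged.setdefault(attr, []).extend(values)
    return merged
```

Running it shows the two member SPs receiving identical identifiers with the affiliation as SPNameQualifier, a non-member SP receiving a different identifier, and the VO group attribute appearing only in the aggregated result for affiliation members.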

Next MACE-paccman WG Call: Thursday, 13-May-2010 at 1pm ET