Widely Distributed Access Management. Tom Barton, University of Chicago

Dec 22, 2015

Transcript
Page 1: Widely Distributed Access Management Tom Barton University of Chicago.

Widely Distributed Access Management

Tom Barton, University of Chicago

Page 2:

An Everyday Problem

• People would like to use the collaboration tools available to them to collaborate with whom they choose
  – Can we do better than email attachments?

Page 3:

Email as Collaboration Platform

• Pros
  – Connects arbitrary sets of collaborators
  – Shares any type of file (ok, some limits)
  – Self access management

• Cons
  – Insecure
  – Limited capabilities
  – Reduces productivity more than pot-smoking

Page 4:

Campus Collaboration Scenario

• UC faculty/staff self-initialize collaboration space to work with others internal & external to UC on focused activities
  – Email list; protected file share; private wiki or web space; specialized compute or data services
  – Initiator-identified collaborators
  – Both campus and external participants administer shared collaboration resources

Page 5:

Requirements for Campus Collaboration Scenario

• Authenticate campus and external participants

• Self-creation of collaboration group by authorized campus people

• Delegation of selective admin privileges to campus & non-campus people

• Integration of collaboration services with above (centrally operated & not)

Page 6:

Service Provider Scenario

• An organization provides collaboration services to a population of users
  – Think Internet2 and its working groups
  – Or a Science Gateway

• Additional requirement: An initial delegation step, since self-initialization may not be appropriate

Page 7:

Solution Elements

• Distributed access management tools (Grouper & Signet)

• A DB for housing identifiers, memberships & privileges for collaboration participants

• Single locus at which to configure federated SSO (support for internal + external authentication)

• Architecture that adds collaboration attributes (identifiers, memberships, privileges) to authentication context and passes along to collaboration services

Page 8:

Collaboration Connector

• An integration architecture with all solution elements

• Proxy IdP
  – “IdP” = “Identity Provider” à la SAML and Shibboleth
  – Provides SSO and attributes to integrated services
  – “Proxy” because collaboration attributes must be added to externally-sourced ones
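The following is an added example, not code from the slides or from any of the projects they name (Grouper, Signet, Shibboleth). It models in a few dozen lines what pages 5, 7 and 8 describe: a collaboration DB that holds identifiers, memberships and privileges; self-creation of a group restricted to authenticated campus people; delegation of admin rights to campus or external participants; and a proxy IdP that keeps the externally-sourced attributes of an assertion and adds the collaboration attributes before a service sees them. The IdP entity IDs, user identifiers, group name and attribute names (`isMemberOf`, `privileges`) are all constructed for the example; the DB is an in-memory dict standing in for Grouper/Signet data.

```python
from dataclasses import dataclass, field

# Constructed assumption: the campus IdP entity ID. Only identities asserted
# by this IdP count as "campus people" for self-creating a group (page 5).
CAMPUS_IDP = "idp.uchicago.example"


@dataclass
class Group:
    """One collaboration group: its members and its delegated admins."""
    name: str
    members: set = field(default_factory=set)
    admins: set = field(default_factory=set)


class CollaborationDB:
    """Stand-in for the DB of identifiers, memberships and privileges
    (page 7). A real deployment would back this with Grouper/Signet."""

    def __init__(self):
        self.groups = {}  # group name -> Group

    def create_group(self, initiator: dict, name: str) -> Group:
        """Self-creation of a group, limited to authenticated campus people."""
        if initiator["issuer"] != CAMPUS_IDP:
            raise PermissionError("only campus identities may create groups")
        if name in self.groups:
            raise ValueError(f"group {name!r} already exists")
        who = initiator["subject"]
        group = Group(name, members={who}, admins={who})
        self.groups[name] = group
        return group

    def delegate_admin(self, actor: str, name: str, delegate: str) -> None:
        """Selective delegation: an existing admin grants admin to anyone,
        campus or external; the delegate becomes a member as well."""
        group = self._require_admin(actor, name)
        group.admins.add(delegate)
        group.members.add(delegate)

    def add_member(self, actor: str, name: str, member: str) -> None:
        """Admins (campus or not) administer membership of the shared group."""
        self._require_admin(actor, name).members.add(member)

    def _require_admin(self, actor: str, name: str) -> Group:
        group = self.groups[name]
        if actor not in group.admins:
            raise PermissionError(f"{actor} is not an admin of {name}")
        return group


def proxy_idp(assertion: dict, db: CollaborationDB) -> dict:
    """The Proxy IdP step (page 8): keep the externally-sourced attributes
    and add collaboration attributes looked up by the subject identifier."""
    subject = assertion["subject"]
    memberships = sorted(n for n, g in db.groups.items() if subject in g.members)
    privileges = sorted(f"admin:{n}" for n, g in db.groups.items() if subject in g.admins)
    return {**assertion, "isMemberOf": memberships, "privileges": privileges}


def service_allows(context: dict, required_group: str) -> bool:
    """A downstream collaboration service (wiki, file share) decides from the
    proxied context only, never from anything the user claims directly."""
    return required_group in context.get("isMemberOf", [])


def build_demo():
    """Constructed walkthrough: a campus user creates a group, delegates admin
    to an external collaborator, who then adds a third participant."""
    db = CollaborationDB()
    alice = {"subject": "alice@uchicago.example", "issuer": CAMPUS_IDP}
    bob = {"subject": "bob@partner.example", "issuer": "idp.partner.example"}
    carol = {"subject": "carol@other.example", "issuer": "idp.other.example"}
    db.create_group(alice, "neutrino-wg")
    db.delegate_admin(alice["subject"], "neutrino-wg", bob["subject"])
    db.add_member(bob["subject"], "neutrino-wg", carol["subject"])
    return db, alice, bob, carol


if __name__ == "__main__":
    db, alice, bob, carol = build_demo()
    for user in (alice, bob, carol):
        ctx = proxy_idp(user, db)
        print(ctx["subject"], ctx["isMemberOf"], ctx["privileges"],
              "wiki access:", service_allows(ctx, "neutrino-wg"))
```

The point to notice is the trust boundary: the home IdP (campus or external) is the sole source of the subject identifier, the collaboration DB is the sole source of memberships and privileges, and the service consumes only what the proxy asserted. Whether an identity may create a group is decided from the issuer of its assertion, not from anything self-declared, which is how the "authorized campus people" requirement survives federated login.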

Page 9:

[Diagram slide: the Collaboration Connector flow with numbered steps 1 through 7; only the step numbers survive in the transcript.]

Page 10:

Examples

• MyVocs + GridShib
  – My Virtual Organization Collaboration Service
  – Improvement of user registration, access management, service registration needed

• Dorian + Grid Grouper
  – caBIG’s caGrid security infrastructure
  – Needs adaptation to be more generally deployable

• Almost all needed elements exist to be integrated into a “Collaboration Connector in-a-box”

Page 11:

Is it Better Than Email? Pros

Email                                        | Collaboration Connector
• Connects arbitrary sets of collaborators   | • Yes, with federated authentication
• Shares any type of file (ok, some limits)  | • Yes, whatever the collaboration services provide
• Self access management                     | • Yes

Page 12:

Is it Better Than Email? Cons

Email                                        | Collaboration Connector
• Insecure                                   | • Secure
• Limited capabilities                       | • Specialized capabilities
• Reduces productivity more than pot-smoking | • We’ll have to do a study!