Executive Summary of NCTrust
Federated ID Management
Federated ID Management Task Force
DRAFT version 1
November 6, 2009
Motivation

- Many NC institutions desire access to protected web-based services across organizational boundaries
  - 17 UNC system institutions
  - 115 LEAs, 2,500+ K-12 schools
  - 58 community colleges
  - 36 independent colleges / universities
  - Plus many other government / educational / commercial organizations
- Desire is for access to be efficient, cost effective, quick, secure, and user-friendly. Federated ID Management technologies enable such access
2
11/06/09
Example - NCLive

- NCLive provides access to eJournals, etc. for libraries, higher-ed and increasingly K-12
- Want ease of resource accessibility yet must adhere to licenses of various products being distributed, e.g. certain content might be allowed only for:
  - Students
  - K-20 staff
  - Chemistry teachers
  - etc.
Example - VCL

- NCSU's Virtual Computing Lab (VCL) is a web service that allows reservations of a computer with a desired set of applications, then remote access over the Internet
- You can use applications such as Matlab, Maple, SAS, Solidworks, and many others. Linux, Solaris and numerous Windows environments are available
- Due to licensing and resource limitations, access must be limited to certain user communities
Example - Confluence

- Confluence is a web-based wiki service that fosters collaboration among multiple institutions
- Federated ID Management technologies can alleviate the Confluence host institution's in-house management of accounts for outside users - saves time => $
- Each home institution would manage their *own* accounts
Benefits of Federated ID

- Prevents system administrators from having to add yet-another account (saves time and $)
- Enables easier scaling of web-based applications to include multiple additional users/organizations (efficiency, scalability, saves time and $)
- Prevents users from having to know yet-another password (security)
- Avoids logins becoming out of date (security)
- Confidence that users are who they say they are, with up-to-date accuracy (security)
- Home institutions reliably manage their own user accounts (security)
NCTrust Federation Pilot

[Participant logos: NC DPI; North Carolina Learning Object Repository; UNC-GA is a "Friend of NCTrust"; ? (tbd)]

- MCNC and partners have convened the NC Trust Pilot
- We've created a Federation to test web resource sharing among several K-20 organizations within NC
  - Adding K-12 into the mix is a unique aspect
- NCTrust utilizes the national InCommon Federation infrastructure
  - Provides a trust mechanism allowing each organization to certify its operational practices
- We've proven the technology and gained experience
Demo

- As <UserA>@mcnc.org:
  - Access NCLive site
  - Can't get authorized, since MCNC not licensed
- As <UserB>@unc.edu:
  - Log onto NCLive, can see all the content
- As <UserC>@rock.k12.nc.us:
  - Log onto NCLive, can see only SOME of the content (the Media collection, which is licensed to K12 members)
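The authorization step behind the demo above, as an added example that is not part of the original deck or of NCLive: a service-provider-side model that decides per collection from the eduPersonScopedAffiliation values the user's home IdP asserted, and discards any value whose scope the issuing IdP is not registered for (the check that stops one IdP from claiming another institution's affiliations). The license table, entityIDs and the use of that attribute are assumptions.

```python
# Service-provider side of the NCLive demo: decide per collection from the
# scoped affiliation asserted by the user's home IdP. Constructed example:
# the license table, entityIDs and eduPersonScopedAffiliation usage are
# assumptions, not NCLive's or NCTrust's real configuration.

# Constructed license table: collection -> allowed (affiliation, scope pattern).
# "*.k12.nc.us" stands in for "licensed to K12 members" from the demo.
LICENSES = {
    "eJournals": {("member", "unc.edu")},
    "Media": {("member", "unc.edu"), ("member", "*.k12.nc.us")},
}

# Constructed federation metadata: scopes each IdP is registered to assert.
# The SP checks asserted scopes against this so one IdP cannot claim another's.
IDP_SCOPES = {
    "https://idp.unc.example/shibboleth": {"unc.edu"},
    "https://idp.rock.example/shibboleth": {"rock.k12.nc.us"},
    "https://idp.mcnc.example/shibboleth": {"mcnc.org"},
}


def parse_scoped(value):
    """Split 'affiliation@scope'; anything but exactly one '@' is rejected."""
    if value.count("@") != 1:
        raise ValueError(f"malformed scoped affiliation: {value!r}")
    affiliation, scope = value.lower().split("@")
    return affiliation, scope


def scope_matches(pattern, scope):
    """Exact match, or for a '*.' pattern a suffix match on a label boundary."""
    if pattern.startswith("*."):
        return scope.endswith(pattern[1:])   # pattern[1:] keeps the leading dot
    return pattern == scope


def authorized_collections(issuer, attributes):
    """Collections the SP will show. Values whose scope the issuing IdP is not
    registered for are discarded before any license rule is consulted."""
    valid = set()
    for raw in attributes.get("eduPersonScopedAffiliation", []):
        affiliation, scope = parse_scoped(raw)
        if scope in IDP_SCOPES.get(issuer, set()):
            valid.add((affiliation, scope))
    return {
        collection for collection, rules in LICENSES.items()
        if any(aff == r_aff and scope_matches(r_scope, scope)
               for aff, scope in valid for r_aff, r_scope in rules)
    }
```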
Key Takeaways

- We believe Federated ID Management can enable more effective resource sharing among and beyond the North Carolina community
  - Secure
  - Efficient
  - Scalable
  - Accessible
  - Saves $
  - Not to mention it's a GREEN technology
- Need to decide on best model of NC-wide federation to meet the needs of the K-20 community moving forward
  - Funding, operations, governance, etc.
Thank You

- Also thanks to the many Federated ID Task Force members from throughout the NCREN community that are participating with us in the NCTrust pilot project
- Finally thanks to a "Friend of NCTrust", Steven Hopper from UNC-GA
- Questions?
Rest of Slides are on Back Burner
Outline

- Motivation
- Example Services
- Benefits
- Underlying Technology
- NCTrust Federation Pilot
- Demo
ATM machines - An Early Example of Federated ID Management

- Thousands of banks - Federated
- Millions of users (bank customers)
- User login (ATM card) and password (PIN) maintained by the user's home institution (Bank)
- Other institutions give service ($) access to remote users, based on trusting the login and password that's maintained by the home institution
- Today we're doing something similar, only we're providing Web-based services rather than $
Other Examples

- How about a service for elementary school kids to access privately licensed PBS, CSPAN, and Discovery Learning video content through the internet?
- How about a service to enable cross-institutional course registration for access to distance learning from a different university in the UNC system?
- Federated ID Management technologies can facilitate resource utilization among and beyond the NC community by enabling these and other web-based services much more efficiently, saving $ for community members
Underlying Technology: Shibboleth

- Shibboleth is open source software for web single sign-on across or within organizational boundaries
- Allows informed authorization decisions for protected web service access in a privacy-preserving manner
- Uses Security Assertion Markup Language (SAML) to provide a federated single sign-on and attribute exchange framework
- Provides extended privacy functionality allowing the browser user and their home site to control the attributes released to each application
Obligatory Geek Diagram - Simplified (the only one, we promise!)

[Diagram: Shibboleth single sign-on flow]
1. Student is at Starbucks (browser)
2. IdP is at his school: Shibboleth Identity Provider (IdP), a J2EE app, backed by an LDAP Server
3. Protected Web Service is at a university: Shibboleth Service Provider (SP); mod_shib gets attributes from shibd and protects web apps; the shibd daemon maintains state; access to the protected service (web app) is controlled by the shib gatekeeper
4. IdP/SP communication via SAML attributes exchanged through the browser session
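The attribute-release side of the Shibboleth slide (home site controls what each application receives) together with steps 2 and 4 of the diagram, as an added example that is not the project's code: the IdP reads a constructed directory record and releases to each SP only what that SP's policy permits, with deny as the default, and the SP checks the assertion's audience before consuming it. Directory contents, entityIDs and the policy are assumptions.

```python
# Identity-provider side: after login, read the user's directory record and
# release to each SP only what that SP's policy permits. Constructed example:
# the directory, entityIDs and policy are assumptions, not NCTrust's setup.

IDP_ENTITY_ID = "https://idp.rock.example/shibboleth"   # constructed

# Constructed LDAP-style record as the IdP reads it (step 2 of the diagram).
DIRECTORY = {
    "userc": {
        "eduPersonPrincipalName": ["userc@rock.k12.nc.us"],
        "eduPersonScopedAffiliation": ["member@rock.k12.nc.us", "student@rock.k12.nc.us"],
        "mail": ["userc@rock.k12.nc.us"],
        "displayName": ["User C"],
    },
}

# Constructed release policy: requester entityID -> attribute -> permitted
# values ("*" = any value). An SP with no entry, or an attribute not listed
# for it, gets nothing: the privacy-preserving default is deny.
RELEASE_POLICY = {
    "https://sp.nclive.example/shibboleth": {"eduPersonScopedAffiliation": {"*"}},
    "https://sp.confluence.example/shibboleth": {
        "eduPersonPrincipalName": {"*"}, "displayName": {"*"}, "mail": {"*"}},
    "https://sp.vcl.example/shibboleth": {
        "eduPersonPrincipalName": {"*"},
        "eduPersonScopedAffiliation": {"student@rock.k12.nc.us"}},  # value-level
}


def release(uid, requester):
    """Build the attribute statement the IdP returns to one SP."""
    record = DIRECTORY.get(uid)
    if record is None:
        raise KeyError(f"unknown principal {uid!r}")
    released = {}
    for attribute, permitted in RELEASE_POLICY.get(requester, {}).items():
        values = [v for v in record.get(attribute, [])
                  if "*" in permitted or v in permitted]
        if values:
            released[attribute] = values
    # The audience lets the SP reject an assertion minted for a different SP.
    return {"issuer": IDP_ENTITY_ID, "audience": requester, "attributes": released}


def accept(assertion, my_entity_id):
    """SP-side check (step 4): only consume an assertion addressed to us."""
    if assertion["audience"] != my_entity_id:
        raise PermissionError("assertion audience is not this SP")
    return assertion["attributes"]
```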
Shibboleth Training Workshops

- 1.5 day workshops were hosted by MCNC in October 2008 and February 2009
- Instructors: Shilen Patel and Rob Carter (Duke), Gonz Guzman (MCNC)
- Approximately 45 participants total
- There's an excellent video archive of the workshop, thanks to Bryon Coltrane and Chad Pritchard
MOU and InCommon Paperwork in Various Stages of Completion...

Paperwork is MUCH harder / slower than technical work! (though the technical parts are certainly not trivial)

First demos starting now!
Future Steps

- Recommendations on best model of state-wide federation to meet the needs of the K-20 educational community in North Carolina
  - To cover funding, operations, governance, etc.
- Pilot runs through December 2009
Thank You

- Special thanks to MCNC's Gonz Guzman, Tom Throckmorton, Kambiz Aghaiepour, Neal Bullins, Carole Bruhn, Keith Venters, Chris Caswell, Bryon Coltrane, Chad Pritchard, and John Moore who all helped this effort
- Also thanks to the many Federated ID Task Force members from throughout the NCREN community that are participating with us in the NCTrust pilot project
- Finally thanks to a "Friend of NCTrust", Steven Hopper from UNC-GA
- Questions?