What is Federated ID Management and Why Should You Care?
Tim Poe & Steve Thorpe {tpoe, thorpe}@mcnc.org
MCNC All-Staff Meeting March 19, 2009
Outline
Motivation
Example Services
Benefits
Underlying Technology
NCTrust Federation Pilot
Demo
{tpoe,thorpe}@mcnc.org
3/19/09 2
Connecting North Carolina’s Future Today
Motivation
- Many NC institutions desire access to remote protected web-based services
  - 17 UNC system institutions
  - 115 LEAs, 2,500+ K-12 schools
  - 58 community colleges
  - 36 independent colleges / universities
  - Plus many other government / educational / commercial organizations
- Desire is for access to be efficient, cost effective, quick, secure, and user-friendly.
- Federated ID Management technologies enable such access
ATM machines - An Early Example of Federated ID Management
- Thousands of banks - Federated
- Millions of users (bank customers)
- User login (ATM card) and password (PIN) maintained by the user’s home institution (Bank)
- Other institutions give service ($) access to remote users, based on trusting the login and password that’s maintained by the home institution
- Today we’re doing something similar, only we’re providing Web-based services rather than $
Example – Confluence
- Confluence is a web-based wiki service that fosters collaboration among multiple institutions
- Federated ID Management technologies can alleviate MCNC’s current need for in-house management of accounts for outside users
  - Each home institution would manage their *own* accounts
Example - NCLive
- NCLive provides access to eJournals, etc. for libraries, higher-ed and increasingly K-12
- Want ease of resource accessibility yet must adhere to licenses of various products being distributed, e.g. certain content might be allowed only for:
  - Students
  - K-20 staff
  - Chemistry teachers
  - etc.
Examples - VCL
- NCSU’s Virtual Computing Lab (VCL) is a web service that allows reservations of a computer with a desired set of applications, then remote access over the Internet
  - You can use applications such as Matlab, Maple, SAS, Solidworks, and many others.
  - Linux, Solaris and numerous Windows environments are available
- Due to licensing and resource limitations, access must be limited to certain user communities
Other Examples
- How about a service for elementary school kids to access privately licensed PBS, CSPAN, and Discovery Learning video content through the internet?
- How about a service to enable cross-institutional course registration for access to distance learning from a different university in the UNC system?
- Federated ID Management technologies can facilitate resource utilization across NCREN by enabling these and other web-based services much more efficiently, saving $ for MCNC and the NCREN community
Benefits of Federated ID
- Prevents users from having to know yet-another password
- Prevents system administrators from having to add yet another account
- Avoids logins becoming out of date
- Enables easier scaling of web-based applications to include multiple additional users/organizations
- Confidence that users are who they say they are, with up-to-date accuracy
- Home institutions reliably manage their own user accounts
Underlying Technology: Shibboleth
- Shibboleth is open source software for web single sign-on across or within organizational boundaries
- Allows informed authorization decisions for protected web service access in a privacy-preserving manner
- Uses Security Assertion Markup Language (SAML) to provide federated single sign-on and attribute exchange framework
- Provides extended privacy functionality allowing the browser user and their home site to control the attributes released to each application
Obligatory Geek Diagram - Simplified (the only one, we promise!)
1. Student is at Starbucks
2. IdP is at his school: Shibboleth Identity Provider (IdP), backed by an LDAP Server (IdP is a J2EE app)
3. Protected Web Service is at a university: Shibboleth Service Provider (SP); mod_shib gets attributes from shibd and protects web apps (shibd daemon maintains state). Access to protected service (web app) is controlled by shib gatekeeper
4. IdP/SP communication via SAML attributes exchanged through the browser session
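As an added illustration of the attribute exchange in the diagram above and of the per-audience licensing rules on the NCLive slide (example code written for this transcript, not MCNC’s or Shibboleth’s own), the Python below parses a constructed SAML 2.0 attribute statement and makes the kind of access decision the SP gatekeeper makes. The eduPerson attribute names, the example.edu scope and the resource rules are assumptions, not taken from the deck.

```python
import xml.etree.ElementTree as ET

# SAML 2.0 assertion namespace used in the AttributeStatement.
SAML = "urn:oasis:names:tc:SAML:2.0:assertion"

# Constructed sample of what an IdP might release for one student at example.edu
# (attribute names follow the eduPerson schema; the values are made up).
SAMPLE_ASSERTION = """<saml:Assertion xmlns:saml="urn:oasis:names:tc:SAML:2.0:assertion">
  <saml:AttributeStatement>
    <saml:Attribute Name="eduPersonAffiliation">
      <saml:AttributeValue>student</saml:AttributeValue>
      <saml:AttributeValue>member</saml:AttributeValue>
    </saml:Attribute>
    <saml:Attribute Name="eduPersonScopedAffiliation">
      <saml:AttributeValue>student@example.edu</saml:AttributeValue>
    </saml:Attribute>
  </saml:AttributeStatement>
</saml:Assertion>"""

# Constructed per-resource rules in the spirit of the NCLive slide: a resource
# is unlocked only if the user holds one of the listed values for every
# attribute it names (this is not NCLive's real policy).
RESOURCE_RULES = {
    "ejournal-general": {"eduPersonAffiliation": {"student", "staff", "faculty"}},
    "chemistry-teaching-pack": {"eduPersonEntitlement": {"urn:example:chem-teacher"}},
}


def parse_attributes(assertion_xml):
    """Return {attribute name: set of values} from the AttributeStatement."""
    root = ET.fromstring(assertion_xml)
    attrs = {}
    for attr in root.iter(f"{{{SAML}}}Attribute"):
        values = {v.text.strip() for v in attr.iter(f"{{{SAML}}}AttributeValue") if v.text}
        attrs.setdefault(attr.get("Name"), set()).update(values)
    return attrs


def gatekeeper(resource, attrs, idp_scope, rules=RESOURCE_RULES):
    """Mimic the SP gatekeeper: deny unknown resources, reject scoped values
    the asserting IdP is not registered for, then check the resource rules."""
    required = rules.get(resource)
    if required is None:
        return False
    for value in attrs.get("eduPersonScopedAffiliation", set()):
        if value.rsplit("@", 1)[-1] != idp_scope:
            return False  # scope not owned by this IdP per federation metadata
    return all(attrs.get(name, set()) & allowed for name, allowed in required.items())
```

The scope check is where the ATM analogy bites: the SP trusts the home institution's assertion, but only for the scope the federation has registered for that IdP.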
NCTrust Federation Pilot
Pilot partners (diagram labels): NC DPI, North Carolina Learning Object Repository, ? (tbd); UNC GA is a “Friend of NCTrust”
- MCNC and partners have convened the NC Trust Pilot
- Goal: create a Federation to test web resource sharing among several K-20 organizations within NC
  - Adding K-12 into the mix is a unique aspect
- NCTrust utilizes the national InCommon Federation infrastructure
  - Provides a trust mechanism allowing each organization to certify its operational practices
- MCNC is helping partners with tech / installation support
Shibboleth Training Workshops
- 1.5 day workshops were hosted by MCNC in October 2008 and February 2009
- Instructors: Shilen Patel and Rob Carter (Duke), Gonz Guzman (MCNC)
- Approximately 45 participants total
- There’s an excellent video archive of the workshop, thanks to Bryon and Chad
MOU and InCommon Paperwork in Various Stages of Completion…
- Paperwork is MUCH harder / slower than technical work! (though the technical parts are certainly not trivial)
- First demos starting now!
Demo
- As : Access Internet2’s Confluence site; log onto test service, to see attributes
- As : Log onto NCSU’s VCL site, check for images
- As : Log onto NCSU’s VCL site, check for images and see a different list based on my NCSU status
Future Steps
- Connect services among the NCTrust community
  - VCL
  - NCLive
  - MCNC’s confluence site is a likely candidate
  - Others?
- Integrate with the recently created UNC Federation
- Recommendations on best model of state-wide federation to meet the needs of the K-20 educational community in North Carolina
  - To cover funding, operations, governance, etc.
- Pilot runs through December 2009
Key Takeaways
- We believe Federated ID Management can enable more effective resource sharing among the NCREN community
  - Secure
  - Efficient
  - Scalable
  - Accessible
  - Saves $
  - Not to mention it’s a GREEN technology
- Fostering adoption of FIM technologies is another way of Connecting North Carolina’s Future Today
Thank You
- Special thanks to MCNC’s Gonz Guzman, Tom Throckmorton, Kambiz Aghaiepour, Neal Bullins, Carole Bruhn, Keith Venters, Chris Caswell, Bryon Coltrane, Chad Pritchard, and John Moore who all helped this effort
- Also thanks to the many Federated ID Task Force members from throughout the NCREN community that are participating with us in the NCTrust pilot project
- Finally thanks to a “Friend of NCTrust”, Steven Hopper from UNC-GA
Questions?