Notes in progress -- NOT COMPLETE
COmanage Working Group
2010 FMM, 1-Nov-2010
Atlanta
Overview
Heather welcomed the group.
Since the Internet2 Spring Member Meeting, the Internet2 Middleware Initiative was awarded an NSF grant. This will serve to fund some of the COmanage efforts for the next three years.
The grant is titled "SDCI Sec Improvement: Building from Bedrock: Infrastructure Improvements for Collaboration and Science"
http://www.nsf.gov/awardsearch/showAward.do?AwardNumber=1032468
Specific VOs to be addressed first under the grant include LIGO and iPlant
Other VOs include Neon and OOI, whose needs will be addressed when they are ready to move forward.
The COmanage wiki and website have recently been revamped.
A lot of info is posted there on a regular basis
New use case library
Structure
Help from SteveO, greatly appreciated
Links at end of slides
LIGO and iPlant will be looking to hire identity architects for the VO
This isn't a service offering yet. People are interested in it.
Question of where would it be housed exactly and what would the service model be.
But more important is to get things working for LIGO and iPlant.
Concept started 3-4 years ago: how do we build a collab platform to tie in MACE products (Shib, Grouper, etc.) as well as other tools researchers use to collaborate
Started and tried different things
Michael Gettes set up a mockup instance
Great proof of concept, won't be what we run with
Tried to work out a VM, a downloadable instance
Became a sys admin problem rather than a collab problem
Problem too big for what we had resources to do. We are a ways away from that.
Today we are focusing on a thing that groups like LIGO can stand up at their own institutions
We have defined it into products people at home could figure out if they have a clue
We have now been developing use case library
Heather would love to have feedback.
Diagram Reference Architecture
Benn started working w/ COmanage 5-6 months ago.
Has been doing IdM stuff for a long time
Spent time trying to figure out what COmanage is.
Mockups and
Terminology battle, can create ambiguity
Reference architecture
Has some standardized terminology
Benn will clarify a few terms
Identity management for Collaborative Orgs or VOs
How does it fit. The center part
User is at bottom in diagram.
User just sees piece down there
User wants it to work.
Collaborative applications, mailing lists, wikis
Group management
Directory stuff
IdM system for Cos
Collab systems for Collab applications
They need IdM to make the other stuff work
Behind the scenes plumbing
It's like your IdM system, but taken to the CO level
Instead of a physical organization
Terminology
It's a brand not a product
Gears: the technical piece, dealing w/ Grouper and SAML, channeling thru a portal
Could be the shared applications or the IdM aspects (attribute management)
Pieces Heather was talking about
Other under brand
Domestication
.....
Integration ...
As part of the process, made mockups
Gears - Console
Conveys what we are trying to accomplish
Don't envision this being something
Provide portal also? Google using opensocial
½ dozen apps
the user cares about.
Mailing lists = separate entity
Pull up a couple of
Pretty front end to groups, using LDAP groups
Create ad hoc groups
Latest version of COmanage is taking an agnostic approach to identifiers and
Use cases:
I have a SAML IdP at my institution
Except some folks don't have affiliation and use gmail.
Use OpenID; that's a handle into handles under the hood.
Lots of consumer identifiers. Only one speaks only OpenID.
Google uses another authentication technology
COMMENT: it's unfortunate that has to be done within the ...
Collab platform
Agreed
This is the idea of attribute aggregation
Some attributes from home institution
Role in institution has attributes attached
Might have an email address w home institution
And another one
Pulled this out of the LDAP server; this is what we let you fill in
Rules on what you can make public.
3 levels of authorization that COmanage cares about
?
random user
Collab admin
COmanage admin
So collab admin can do things. They have different functionality
Inviting someone new into the ----- invite problem - invite by email. Typical CO may have some known institutions from which you could prepopulate
In this mockup, prepopulate group memberships
Rest is straightforward
Go to roles
3 roles specified within the instance
project developer automatically can add additional groups to this role
GOING thru the mockups
These are the universities we know about
3 levels of roles ....
Running this as a service
To define which applications are available in the system
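The attribute-aggregation and three-level authorization ideas from the mockup walkthrough above, written out as an added illustration. This is example code, not COmanage code and not part of the original notes: the attribute names, the release policy (which attributes a user may fill in and what each one's default visibility is), the per-level permission sets, and the sample IdP-released and user-typed values are all constructed for the example. The point it makes explicit is that every aggregated attribute keeps its source, so a release rule or an access decision can distinguish what the home institution asserted from what the user typed in.

```python
"""Added example: attribute aggregation with source tagging and three
authorization levels. Hypothetical model; names and values are constructed."""
from dataclasses import dataclass
from enum import Enum


class Source(Enum):
    IDP = "idp"    # released by the home institution's SAML IdP
    SELF = "self"  # typed in by the user on the CO profile page


class Visibility(Enum):
    PRIVATE = "private"  # owner and admins only
    COLLAB = "collab"    # any member of the collaboration
    PUBLIC = "public"    # anyone, including a random user


class Level(Enum):
    USER = "user"                      # random user / plain member
    COLLAB_ADMIN = "collab_admin"      # collaboration admin
    COMANAGE_ADMIN = "comanage_admin"  # platform admin


@dataclass
class Attr:
    value: str
    source: Source
    visibility: Visibility


# Hypothetical release policy: which attributes a user may fill in, and the
# default visibility of each ("rules on what you can make public").
USER_FILLABLE = {"mail", "researchInterests"}
DEFAULT_VISIBILITY = {
    "eduPersonAffiliation": Visibility.COLLAB,
    "mail": Visibility.COLLAB,
    "researchInterests": Visibility.PUBLIC,
}

# Hypothetical per-level permissions: the collab admin invites members and
# manages roles; the COmanage admin also defines which applications exist.
_USER = {"view_profile", "edit_self_asserted"}
_COLLAB_ADMIN = _USER | {"invite_member", "manage_roles"}
PERMISSIONS = {
    Level.USER: _USER,
    Level.COLLAB_ADMIN: _COLLAB_ADMIN,
    Level.COMANAGE_ADMIN: _COLLAB_ADMIN | {"define_applications"},
}

# Constructed sample input: what the IdP released and what the user typed.
SAMPLE_IDP = {
    "eduPersonPrincipalName": "alice@univ.example",
    "eduPersonAffiliation": "faculty",
    "mail": "alice@univ.example",
}
SAMPLE_SELF = {
    "mail": "alice.home@mail.example",  # conflicts with the IdP value
    "researchInterests": "gravitational waves",
    "eduPersonAffiliation": "faculty",   # not fillable: must be dropped
}


def aggregate(idp_attrs, self_attrs):
    """Merge IdP-asserted and self-asserted attributes into one profile.
    The IdP value wins on conflict, and a self-asserted value is accepted only
    for a fillable attribute, so the user cannot type in an affiliation the
    institution never asserted."""
    profile = {}
    for name, value in idp_attrs.items():
        vis = DEFAULT_VISIBILITY.get(name, Visibility.PRIVATE)
        profile[name] = Attr(value, Source.IDP, vis)
    for name, value in self_attrs.items():
        if name in USER_FILLABLE and name not in profile:
            vis = DEFAULT_VISIBILITY.get(name, Visibility.PRIVATE)
            profile[name] = Attr(value, Source.SELF, vis)
    return profile


def visible_to(profile, viewer, is_member, is_owner=False):
    """Names of the attributes a viewer may see under the release rules."""
    if is_owner or viewer is not Level.USER:
        return set(profile)
    allowed = {Visibility.PUBLIC} | ({Visibility.COLLAB} if is_member else set())
    return {n for n, a in profile.items() if a.visibility in allowed}


def can_edit_value(profile, name, actor):
    """Only self-asserted values are editable here; an IdP-asserted value is
    owned by the home institution and would have to change there."""
    attr = profile.get(name)
    return (attr is not None and attr.source is Source.SELF
            and "edit_self_asserted" in PERMISSIONS[actor])


def authorized(actor, action):
    """Three-level authorization check for a CO management action."""
    return action in PERMISSIONS[actor]


def grant_access(profile, name, required, accept_self_asserted=False):
    """Gate a resource (e.g. a data set) on an attribute value, trusting a
    self-asserted value only when the policy explicitly allows it."""
    attr = profile.get(name)
    if attr is None or attr.value != required:
        return False
    return attr.source is Source.IDP or accept_self_asserted
```

In the sample run, the user's typed-in mail address is discarded because the IdP already released one, the typed-in affiliation is discarded because affiliation is not a fillable attribute, and a data-set check keyed on research interests fails unless the resource owner has opted in to trusting self-asserted values.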
Heather: question - some of us are part of a campus or a VO, or a campus-like VO
Is this kind of thing on target? Is this what you are looking for?
Looks like a solution to a problem a lot of us have
Specific use cases need to be sorted out: Heather
Use Case Library
Smaller VOs: their biggest concern is making sure the domain applications actually work
It's about the whole profile the ? may have
iPlant has researchers that have the profiles
Profiles says I'm a researcher with these interests.
I want automatic access to data sets on topic X
Data One wants this too
OSG wants this too
Are you hearing that back at home
Steven: the model where I define my profile and expect any dataset..
That's a different access control model than I'm used to.
Automatically being granted because I've self asserted
Heather: but it makes sense.. a researcher will want data to be filtered
Immediate access to stuff you want is facilitating collaboration
It's a notification problem
Could still be an access control problem
Depends on how that data set is handled
What do the researchers need to make collab happen?
Ken: Single profile: as NSF and others motivate data-centric organization
9 different orgs want to build profiles. To broker access to the data set
How much should we include profile management and data management?
We don't go thru ontology wars
They want tools to help manage those ontologies
Ken: related issue: author IDs and disambiguation of authors
It's being pushed by NIH and scholarly fields
Will say these are all published by same person even though they went thru name change
ORCID is one effort in this space.
ORCID ID versus SSN
Benn: ask the audience... if there's a package to download the mockups and they work
What sort of technical expertise will folks who download it have
?
Answer : all of the above
Lay of the land
Does it skew one way or the other
Who are the consumers and what do they need?
Do we present these according to the platforms we understand
Or opensocial platform
FRIENDS and THUMBS UP and THUMBS DOWN
Question: who is the target audience? What do the users want it to look like.
VOs and collaborations don't want to provision another server and have software on it.
They want to go to GOOGLE apps
Management of underlying systems - want to be able to pass it off to someone else
Back when Google apps was perking up. Researchers were suspicious.
BUT Google are not about to do DOMAIN apps
Do we need mechanisms outside of google apps to handle authentication?
Starts w email and collab and building a group to do email back and forth.
Google apps does that well
But then to extract later is hard
Diagram misses the majority of applications - the DOMAIN application.
ADD IN THE DOMAIN apps.
Researchers want to get their science done
They want it to be efficient and quick
They will run around what's not efficient.
Not worried about google apps
More worried about domain level apps
ScottK represents the hard science community
StevenC: in some areas the domain apps don't have to be king
Such as writing.
Where there is already a portal
That's a domain app but not as hard as the LIGO domain apps
A lot these projects have a front door.
When it becomes very easy to build a front door on to Google apps, then this is
KEN: Use of Google apps, is that generic or is it just Google apps?
Is there another vendor doing what Google does
She had an LMS built on top of Google sites?
She was bringing in apps built way outside of Google
She had a front end thru which she was able to
Amazon EC2?
JUST GOOGLE in answer to Ken's question
Google APPS plus Cloud in general
Ken: there is a question of how far we go w this
Integration?
Do we want to include the admin of research?
Fast Lane?
Difference ..
Some people afraid of identity getting out. Spectrum out. Single sign-on raises that concern.
Better authentication is needed.
Ken feeds from student info system into the VO
Some part of that will be COmanage.
Some will be ? back into student info systems
Do we have a use case for that?
Beyond getting students to log in.
Attributes that get carried along with that
FERPA
STUDENT groups establishing themselves on facebook : Michael Pelikan
1.5 hands saying there is a case for this?
We have talked about the big picture.
The large group, large VO question, like what Scott has at LIGO
But for Internet Society, Lincoln talk about what is going on
We are at the beginning. Lincoln wants to understanding.
Using SAML for single sign-on. Want to become an IdP to become part of a federation.
Heather: how many groups are you trying to pull together?
Lincoln: haven't begun defining groups
At Lincoln I hope to learn at Grouper WG
ISOC is starting at same point
A lot of use cases centered around higher ed.
How can higher ed filter down to ISOC?
Heather: interesting how to filter down?
ISOC won't have the student problem
But what problems will ISOC have that higher ed doesn't?
How to line up attributes from disparate organizations and make them line up with...
The institutions are undefined as to who might be interested in joining the federation
Ken: How important is it to include other forms of identity:
Facebook, Facebook Connect and OpenID
How much do people want those?
At Univ of Iowa, inter-institutional research effort. Many people have IDs at AOL.
A fairly small population uses IDs from institutions that are InCommon members.
We'd have to make it possible for people to access with other IDs
Bamboo is interested in managed identities and others, OAuth?
Ken: VOs who take their outreach mission seriously need to rely on other identity sources