Notes in progress -- NOT COMPLETE
Comanage Working Group
2010 FMM in Atlanta, 1-Nov-2010
http://events.internet2.edu/2010/fall-mm/agenda.cfm?go=session&id=10001467&event=1159
Overview
Heather Flanagan, Working Group Chair, welcomed the group.
In August, the Internet2 Middleware Initiative was awarded an NSF grant, which started Sept 1, 2010. This grant will serve to fund much of the COmanage efforts for the next three years. The grant is titled "SDCI Sec Improvement: Building from Bedrock: Infrastructure Improvements for Collaboration and Science"http://www.nsf.gov/awardsearch/showAward.do?AwardNumber=1032468
Specific VOs to be addressed first under the grant include LIGO and iPlant.
Other VOs involved in the grant include Neon and OOI. Their needs will be addressed when they are ready to move forward.
The COmanage wiki and website have recently been revamped. Heather thanked Steve Olshansky for his help.
There is new use case library at https://spaces.at.internet2.edu/display/COmanage/Use+Case+Library
The COmanage service offering isn't going to be available in the short-term. There is some interest in it, but there are questions around where it would be housed and what would the service model be.
The emphasis will be on getting collaboration infrastructure working for LIGO and iPlant.
Background on COmanage
The concept for COmanage started 3-4 years ago to answer the question of how to build a collaboration platform to tie together MACE products (Shibboleth, Grouper etc.) as well as other tools researchers use for collaboration.
Michael Gettes set up mockup instance. That was a great proof of concept.
There was an attempt to develop a VM , downloadable COmanage instance. This became a sys admin challenge rather than a collab solution. Too big a problem for the available resources.
Today the focus is on solutions that groups like LIGO can stand up at their own institutions.
Benn's Overview
Benn Oshrin started working with the COmanage project 5-6 mos ago.
Benn has developed COmanage mockups of the COmanage COnsole. This would be a UI for managing collaboration platform users, permissions, etc. The mockups are linked from the COmanage Gears section of the wiki:
https://spaces.at.internet2.edu/display/COmanage/Home
Reference architecture is seen on the wiki:
https://spaces.at.internet2.edu/display/COmanage/Reference+Architecture
Benn has also worked on a glossary to standardize terminology:
https://spaces.at.internet2.edu/display/COmanage/Glossary
Under the COmanage brand, the space has been divided into several products:
- COmanage Gears - the technical piece dealing with identity management, including Grouper for group management, SAML (or OpenID) for authentication etc., possibly channeling thru a portal.
- Domestication of Applications
- Integration
There are 3 roles/levels of authorization in COmanage:
Random participant - generally just access the applications
Collaboration admin ("Collabmin") - can invite a new participant
COmanage admin - can initiate a new collaboration
Details on the roles and their capabilities are found here:
https://spaces.at.internet2.edu/display/COmanage/Roles
Discussion (led by Heather)
Q: Is the work that Benn has described on target ? Is this the kind of thing you are looking for?
Comment: Looks nice, looks like a solution to a problem a lot of us have.
Heather noted that specific use cases still need to be documented. Contributions to the use case library are encouraged.
Use Case Library:
- The generalized top level use case for COmanage deals with multi-institutional collaboration
Heather has talked w smaller VO's--- their biggest concerns - they want to make sure the domain applications actually work, it's not just about single sign on.
It's about the whole profile they already have for interested parties.
Iplant has researchers that have the profiles
and DataOne and OSG
Researchers want certain data set sent to them authomatically
Profiles says I'm a researcher with these interests.
I want automatic access to data sets on topic X
Data One wants this too
OSG wants this too
Are you hearing that back at home
Steven: the model where I define my profile and expect any dataset that gets aded to the collection w attributes that match my interests to be sent to me automatically, that's a different access control model than I'm used to.
Automatically being granted because I've self asserted
Heather: but it makes sense.. a researcher in a large collaborative org. will want data to be filtered
Immediate access to stuff you want is facilitating collaboration
So, It's a notification problem?
Heather: It could still be an access control problem. Depends on how that data set is handled
What do the researchers need to make collab happen?
Ken: Single profile: As NSF and others motivate data centric virtual organiziation
9 differet data organizations want to build profiles and expect researchers to maintain those. To broker access to the data set
How much should we include profile mnagement and identity management. and taxonomy management
We don't go thru ontology wars'
The want tools to help mnage those ontologies
Ken: related issue: author IDs and disambiguation of authors
It's being pushed by NIH and schooarly fields
Will say these are all published by same person even though they went thru name change
ORCHID is one effort in this space.
Orchid ID versus SSN
Benn: ask the audience... if there's a package to download the mockups and they work
What sort of technical expertise will folks who download it have
?
Answer : all of the above
Lay of the land
Does it skew one way or the other
Who are the consumers and what do they need?
Do we present these according to the platforms we understand
Or opensocial platform
FRIENDS and THUMBS UP and THUMBS DOWN
Question: who is the target audience? What do the users want it to look like.
VOs and collaborations don't want to provision another server and have software on it.
They want to go to GOOGLE apps
Management of underlying systems - want to be able to pass it off to someone else
Back when Google apps was perking up. Researchers were suspicious.
BUT Google are not about to do DOMAIN apps
Do we need mechanisms outside of google apps to handle authentication?
Starts w email and collab and building a group to do email back and forth.
Google apps does that well
But then to extract later is hard
Diagram misses the majority of applications - the DOMAIN application.
ADD IN THE DOMAIN apps.
Researchers want to get their science done
They want it to be efficient and quick
They will run around what's not efficient.
Not worried about google apps
More wirried about domain level apps
ScottK representes the hard science community
StevenC: in some areas the domain apps don't have to be king
Such as writing.
Where there is already a portal
That's a domain app but not as hard as the LIGO domain aps
A lot these projects have a front door.
When it becomes very easy to build a front door on to Google apps, then this is
KEN: Use of Google apps, is that generic or is it just Google apps?
Is there another vendor doing what Google does
She had an LMS built on top of Google sites?
She was brining in apps built way outside of Google
She had a front end thru which she was able to
Amazon EC2?
JUST GOOGLE in answer to Ken's question
Google APPS plus Cloud in general
Ken: there is a question of how far we go w this
Integration?
Do we want to include the admin of research?
Fast Lane?
Difference ..
Some people afraid of identitiy getting out. Spectrum out. Single sign on raises that concern.
Better authenticiation is needed.
Ken feeds from student info sstem into the VO
Some part of that will be COmanage.
Some will be ? back into student info sstems
Do we hae a use case for that?
Be;ond getting students to log in.
Attributes that get carried along with that
FERPA
STUDENT groups establishing themselves on facebook : Michael Pelikan
1.5 hands saying there is a case for this?
We have talked about the big picture.
The large group, large VO question, lke what Scott has a t LIGO
But for Internet Society, Lincoln talk about what is going on
We are at the beginning. Lincoln wants to understanding.
Using SAML for single sign-on. Want to become an IdP to become part of a
Fedeation.
Heather: how many groups are you trying to pull together?
Lncoln: haven't begun defining groups
At Lincoln I hope to learn at Grouper WG
ISOC is starting at same point
A lot of use cases centered around higher ed.
How can higher ed filter down to ISOC>
Heather: interesting how to filter down?
ISOC won't have the student problem
But what problems wil ISOC have that higher ed doesn't
How to line up attributes from disparate organizations and make them line up with...
The institutions are undefined as to who might be interested in joingin the federation
Ken asks: How important is it to include other forms of idenity:
Facebook , facebook connect and Open ID
How much d o poepole want those
At univ of Iowa, interinstitutionsla research effort. Many people have IDs at AOL.
A fairly small population uses IDs from institatuiosn that are incommon members.
We'd have to make it possible for people to access with other IDs
Bamboo is interested in managed Identities and others, OAUTH?
Ken: VOs who take their outreach mission seriously need to rely on other identity sources