Cuckoo (Graham Mason, Ed Beddows)


Published on

Federated Access: Future Directions, 30 June 2008, Birmingham

1 Like
  • Be the first to comment

No Downloads
Total views
On SlideShare
From Embeds
Number of Embeds
Embeds 0
No embeds

No notes for slide

Cuckoo (Graham Mason, Ed Beddows)

  1. 1. <ul><li>VIRTUAL ORGANISATIONAL TOOLS </li></ul><ul><li>BY </li></ul><ul><li>GRAHAM MASON </li></ul><ul><li>& </li></ul><ul><li>ED BEDDOWS </li></ul><ul><li>[email_address] </li></ul>Cuckoo Project Cardiff University & Kidderminster College
  2. 2. Introduction <ul><li>What will be covered in this presentation </li></ul><ul><li>Special thanks to Brown University (USA), Bristol University and Newcastle University. </li></ul><ul><li>Project history and collaboration </li></ul><ul><li>Overview of the aims of the CUCKOO Project </li></ul><ul><li>Understanding VO’s </li></ul><ul><li>Project Research </li></ul><ul><li>Technical aspects of VO Tools and their use </li></ul>
  3. 3. Project history and collaboration <ul><li>Cardiff University Lead Partner in the CUCKOO Project </li></ul><ul><li>Kidderminster KC-ROLO Project Team </li></ul><ul><li>VLE Middleware </li></ul><ul><li>Cardiff University and Kidderminster College have been very active over the past 4/5 years in Shibboleth development and research: </li></ul><ul><li>ASMIMA project </li></ul><ul><li>Identity Project </li></ul><ul><li>KC-ROLO Project </li></ul><ul><li>VLE Middleware Shibboleth IdP & SP installations, Single Sign-on and JANET (UK) Training </li></ul>
  4. 4. Aims of the CUCKOO Project <ul><li>Shibboleth 2 </li></ul><ul><li>VO Tools </li></ul><ul><li>Collaboration with other institutions </li></ul><ul><li>Review VO tools and concepts </li></ul><ul><li>investigate good privacy protection for users </li></ul><ul><li>Investigate potential problems & the benefits </li></ul><ul><li>Investigate permission and access control in HE-FE </li></ul><ul><li>Highlight the difficult problems of tool selection, identity management and access control in both Shibboleth 1.3 and Shibboleth 2.0 </li></ul>
  5. 5. Approach <ul><li>Two phased project </li></ul><ul><li>Kept it simple </li></ul><ul><li>More hands-on </li></ul><ul><li>Reviewing existing developments </li></ul><ul><li>Two year project ending April 2009 </li></ul><ul><li>Phase 1: consolidate and review existing national and international tools for the establishment and developments of Virtual Organisations (VO’s) </li></ul><ul><li>Review of current VO Tools and their effect in the HE-FE communities </li></ul><ul><li>Phase 2: Shibboleth 2 and the potential new capabilities within Virtual Organisations </li></ul><ul><li>Installation of Shibboleth 2 Idp and SP </li></ul><ul><li>Test and reporting on how the current VO tool work with Shibboleth 2 </li></ul><ul><li>Report on Signet and Grouper combination and the components with Shibboleth 2 </li></ul>
  6. 6. Project Research <ul><li>What are Virtual Organisations? </li></ul><ul><li>What are VO Toolkit Tools and management? </li></ul><ul><li>Shibb 2 install fest in June/July 2008, mainly for technical developers </li></ul><ul><li>What are Virtual Organisations? </li></ul><ul><li>Collaboration process between institutions/communities that share real resources </li></ul><ul><li>Computing resources, Scientific instruments, Bandwidth, Shared data (medical/research/museum materials), content. </li></ul><ul><li>Members normally have a common interest, size or cluster </li></ul><ul><li>VO’s defined by their permission or access rights </li></ul><ul><li>Underlying commonality between VO’s is the Core Middleware platform that gives the authorisation and access to the resources, which in our case is Shibboleth </li></ul>
  7. 7. Project Research <ul><li>What are Virtual Organisations? </li></ul><ul><li>What are VO Toolkit Tools and management? </li></ul><ul><li>Shibb 2 install fest in June/July 2008, mainly for technical developers </li></ul><ul><li>Research highlighted the lack of use of the Signet privilege tool throughout the in academic community. </li></ul><ul><li>Grouper within FE is more appealing to institutions that have lots of resources </li></ul><ul><li>The benefits were seen when a larger institution could group/manage resources such as: VLE’s (Moodle in most cases), WIKI’s, Library Systems, Repositories and other bespoke web applications. </li></ul><ul><li>Smaller institutions expressed they couldn’t see the use of this tool. </li></ul><ul><li>Most institutions viewed the tools as a LDAP provisioning tool and felt that their ICT Services would manage resources via their Active Directory or the resources itself directly (such as Moodle). Although this approach would lose the group delegation functionally that is found in grouper. </li></ul><ul><li>Managing these resources and ownership was also seen as an issue, as the collaboration between LRC, ICT Services and ILT is not evident in FE. </li></ul><ul><li>In small institutions (or institutions with few resources) view that managing resources at a single point of access can be seen as an overhead and would opt to directly manager the resource. </li></ul>
  8. 8. Grouper/Signet/COmanage <ul><li>OUR PROGRESS SO FAR </li></ul>
  9. 9. So what’s the problem? <ul><li>How many web apps do you have? </li></ul><ul><ul><li>The more apps the more administrative overhead! </li></ul></ul><ul><li>How many groups are you part of? </li></ul><ul><ul><li>The more groups the more administrative overhead! </li></ul></ul><ul><li>How many permissions need to be setup for each app? </li></ul><ul><ul><li>The more permission rules the more administrative overhead! </li></ul></ul><ul><li>How do you delegate access management? </li></ul><ul><ul><li>Delegate management of access to resources to those who need it, and in a friendly way. </li></ul></ul><ul><li>How do you control how external users get access to your resources? </li></ul><ul><ul><li>Resource owners should be in charge of access </li></ul></ul>
  10. 10. Our Goals <ul><li>Provide a way to centrally administer groups </li></ul><ul><li>Provide a way to centrally administer privileges </li></ul><ul><li>Give delegation to the people who actually run the resource </li></ul><ul><li>Provide a mechanism to allow resource management to external users </li></ul>
  11. 11. The tools we’re looking at <ul><li>Grouper </li></ul><ul><li>Signet </li></ul><ul><li>Grouper+Signet=COmanage </li></ul>
  12. 12. What is Grouper? <ul><li>Group management tool </li></ul><ul><ul><li>Central consolidation for management of groups/roles </li></ul></ul><ul><li>Grouper itself can be provisioned by multiple sources </li></ul><ul><li>Provisions existing group data for applications </li></ul><ul><ul><li>Via LDAP, Web Services, command line, Java interfaces, RDMS on the way </li></ul></ul><ul><li>Delegate control back to those in the know </li></ul><ul><ul><li>No more overworked angry network managers!! </li></ul></ul><ul><li>Customisable web interface </li></ul>
  13. 13. What is Signet? <ul><li>Privilege management tool </li></ul><ul><ul><li>Central consolidation for management of privileges </li></ul></ul><ul><li>Signet itself can be provisioned by multiple sources </li></ul><ul><li>Provisions privilege data for applications </li></ul><ul><ul><li>Via LDAP, command line, Java interfaces </li></ul></ul><ul><li>Delegate control back to those in the know </li></ul><ul><ul><li>No more overworked angry network managers!! </li></ul></ul><ul><li>Customisable web interface </li></ul>
  14. 14. Grouper+Signet = Comanage – enabling VO’s <ul><li>Sourced from </li></ul>
  15. 15. Grouper+Signet = Comanage – enabling VO’s <ul><li>Making use of both tools and scripts to create accounts for external users on your local system </li></ul>
  16. 16. Overview <ul><li>Diagram sourced from </li></ul>
  17. 17. Our setup <ul><li>Our applications </li></ul><ul><ul><li>5 Moodle’s – Shib enabled – authN & authZ </li></ul></ul><ul><ul><li>1 Repository – Shib enabled - authN & authZ </li></ul></ul><ul><ul><li>2 Wiki’s – Shib enabled – authN & authZ </li></ul></ul><ul><li>8 separate apps to administer </li></ul><ul><li>On the plus side </li></ul><ul><ul><li>Users are put in course groups at start of term </li></ul></ul><ul><ul><li>Entitlement data is updated each day </li></ul></ul><ul><ul><li>Apps already use a central source for authZ (Shib via LDAP) </li></ul></ul><ul><li>On the down side </li></ul><ul><ul><li>Adhoc role assignments are still made in each separate app </li></ul></ul><ul><ul><li>Only IT staff and automated scripts can assign these values </li></ul></ul>
  18. 18. Our setup - Grouper <ul><li>Test platform </li></ul><ul><ul><li>CentOS 5, Java 1.5, Tomcat 5.5, Apache 2.2, MySQL 5 </li></ul></ul><ul><li>Active Directory as source </li></ul><ul><ul><li>In the real world this would also include MIS systems etc </li></ul></ul><ul><li>Created 10 groups, each representing a real course </li></ul><ul><ul><li>Done through the Grouper UI, in production this would be provisioned by MIS or other user identity databases </li></ul></ul><ul><li>Used LDAPPC to provision Active Directory with group information </li></ul>
  19. 19. Application implementation- Grouper <ul><li>Moodle has built in LDAP enrolment capabilities via groups, but it’s weak! </li></ul><ul><ul><li>Just like shibboleth enabling web apps, some will be harder to “grouper” enable than others </li></ul></ul><ul><ul><li>Grouper more useful in this case not for making simple access decisions, but to use as groupings for privilege data </li></ul></ul><ul><li>Wiki and repository is easy to do with .htaccess, but doesn’t scale very well </li></ul><ul><ul><li>Just ask Cal! </li></ul></ul>
  20. 20. Application implementation- Grouper <ul><li>Cardiff intend to use Grouper as part of their Identity Management </li></ul><ul><li>However, the following weaknesses exist: </li></ul><ul><ul><li>No real time provisioning from eDirectory to Grouper </li></ul></ul><ul><ul><li>No real time provisioning from Grouper to eDirectory </li></ul></ul><ul><ul><li>No ability to override automatic provisioning – e.g. flag a user so they don’t get overridden by a source update </li></ul></ul>
  21. 21. Thoughts so far - Grouper <ul><li>The hardest part of implementing Grouper effectively is ensuring the applications can use the data correctly </li></ul><ul><li>Moodle (or any complex app) requires development time </li></ul><ul><ul><li>Either in Moodle, or the provisioning process </li></ul></ul><ul><li>Is it really going to be useful? </li></ul><ul><ul><li>We think Moodle can do just fine without it! Signet may be another story though </li></ul></ul><ul><ul><li>We already have groups in AD based on MIS, so only becomes useful with adhoc groups </li></ul></ul><ul><li>Non intuitive web user interface </li></ul>
  22. 22. Our setup - Signet <ul><li>Test platform </li></ul><ul><ul><li>CentOS 5, Java 1.5, Tomcat 5.5, Apache 2.2, MySQL 5 </li></ul></ul><ul><li>Active Directory as source </li></ul><ul><li>Used LDAPPC to provision Active Directory with eduPersonEntitlement </li></ul>
  23. 23. Application implementation - Signet <ul><li>Moodle can do Shibboleth enrolment </li></ul><ul><ul><li>We use this already, so no app changes required! </li></ul></ul><ul><li>Tested delegation by allowing VLE champion to assign roles through Signet interface </li></ul><ul><li>Wiki and repository, again, only done with .htaccess so far </li></ul>
  24. 24. Thoughts so far - Signet <ul><li>It’s not used as much as Grouper, so less support and documentation is available </li></ul><ul><ul><li>Luckily it does use a lot of the Grouper prerequisites, e.g. Java, Tomcat, LDAPPC, </li></ul></ul><ul><li>Like Grouper, the Signet interface could be better </li></ul><ul><li>For apps that are able to read ldap or shib attributes this is a great way to add central control and delegation </li></ul>
  25. 25. Thoughts so far - COmanage <ul><li>Work ongoing in this area </li></ul><ul><li>Still duplicates users account in your LDAP store </li></ul><ul><li>Simple to get going (only once you have Grouper and Signet installed!) </li></ul>
  26. 26. Conclusions <ul><li>Both require good identity management in the first place </li></ul><ul><ul><li>Grouper & Signet do not create users </li></ul></ul><ul><li>Federated access is also important </li></ul><ul><li>The more apps you have the more useful it is </li></ul><ul><ul><li>What if you have few apps? </li></ul></ul><ul><li>Is it worth the development time </li></ul><ul><ul><li>For both Grouper/Signet and all your apps </li></ul></ul><ul><li>Lack of real time synchronisation can be a problem for some </li></ul><ul><li>Some may prefer just Grouper, others Signet, or maybe both </li></ul><ul><li>Further work needs to be made on the UI’s of both tools </li></ul><ul><li>Rolling the two apps together would reduce setup time </li></ul>
  27. 27. Questions? <ul><li>More info: </li></ul><ul><li>CUCKOO Project: http:// /cuckoo </li></ul><ul><li>Grouper: </li></ul><ul><li> </li></ul><ul><li>Signet: </li></ul><ul><li> </li></ul><ul><li>COmanage: </li></ul><ul><li> </li></ul>
  28. 28. Thank-you