Middleware Initiative Information
The Internet2 Middleware Initiative focused on developing interoperable identity and access management infrastructures for research and higher education. The initiative's work included developing tools, roadmaps, software, practices, standards, and education.
Key projects included:
- COmanage: Collaborative Organization Management
- Scalable Privacy
- NSF SDCI (Software Development for CyberInfrastructure) "Bedrock" Award
To sign up for the Middleware-Announce mailing list, see instructions here.
Identity and access management (IAM) ensures that the right people access the right services. In the past, this was implemented system by system with duplicate identity data distributed across campus. Add another service and you add the identity infrastructure to go with it, as well as the associated management functions, duplication of effort (and duplication of data), and the distributed security issues. The solution is to use the same identity information service for all of your applications. Under the Internet2 identity and access management model, each system or application leverages the same identity and access infrastructure.
Not only is this approach applicable for controlling resources managed by the institution, but the IAM infrastructure can also supply policy-controlled identity data to off-campus service providers, such as external library consortia, course content partners, or discipline-specific grids, through the use of federated identity management systems (such as the Shibboleth Federated Single Sign-on Software).
Benefits of Identity and Access Management
Implementing an Identity and Access Management (IAM) system provides the benefits described below.
Under the Internet2 identity and access management model, each system or application leverages the same identity and access infrastructure. This greatly simplifies the management and maintenance of identity data. When each system -- student information, human resources, course management -- has its own identity data, you end up with duplicate identity information distributed across campus.
As an example, Bob Smith may have accounts in the financial aid system, the course management system, the calendar system, and an academic lab. Without some campus-wide IAM model, Bob may have multiple IDs and passwords and his credentials and authorization data may be duplicated across four separate systems.
The IAM model consolidates identity information and grants access to any application. As Bob moves from prospective student to enrolled student, his status in the student system changes, which triggers the identity management system to provide access to the appropriate applications.
The addition of each new application or service, and its associated identity infrastructure, increases the risk of security breaches. For example, an organization with ten separate systems, each with its own directory (and its own processes, policies, and rules), could require ten user passwords, ten places to provision user accounts, ten sets of policies to keep compliant, and ten log systems to audit for access control.
Such situations significantly increase the risk of security holes and inadvertent data spills. When you plug a hole in one location, you have nine more places to look. A user with multiple passwords to remember -- and perhaps change monthly -- will either place a Post-it note on the monitor or use one easily remembered password for all accounts. And "easy to remember" can mean "easier to crack."
The consolidation of identity information simplifies and improves security. When you move from multiple structures to one, you reduce security headaches, decrease the likelihood of data spills, reduce the number of people managing identity data, and provide users with just one ID and password. In addition, when compliance changes are needed, organizations can make policy updates in one place instead of in each application.
Ease of Collaboration
Consolidated identity information provides increased opportunities for collaboration and greatly simplifies the management of collaboration. Once identity information is consolidated in one location, each user has just one set of data. Collaboration tools can leverage that information for a wide range of applications. Managing groups (for example, by using Grouper), and establishing access based on an individual's role at the institution, becomes much easier -- and can be delegated to those closest to the application. COmanage, the Collaborative Organization Management Platform, provides an infrastructure to use in managing several collaborative applications, including Confluence (wiki), Jira (bug-tracking), Subversion (revision control), Drupal (content management), and Sympa (mailing list manager). The key is to balance control -- making information, processes, and systems available without compromising security.
Imagine setting up a standard collaboration package that includes a group calendar, email list, wiki space, and so on. Campus individuals can set up and then control access for their research study or project group -- all without help-desk intervention. Maintaining accurate and up-to-date membership lists across applications is greatly simplified. Consolidating groups and privileges in the IAM system means that any changes are entered only once and are then pushed out to, or accessed by, the services in the collaboration package.
A properly operated identity and access management system will allow decision-making by those closest to the available resources, systems, and services. Many times, those responsible for resources will be in departments, schools, business offices, and other places on campus. None of these entities should run their own IAM service, but they should be able to leverage the central infrastructure. A department administrator, for example, does not need to worry about populating an IAM, but should have control over access to a specific departmental resource. Appropriate campus decision-makers assign or delegate privileges to individuals, guided by policy rules coded into the system.
A central IAM system, with appropriate tools, keeps the business decisions in the hands of the business owners, access control in the hands of the application owners, and the technology management in the hands of the technologists. Such privilege management can be as granular as campus policy allows. If a department is hosting a meeting and wants the attendees to have access to the wireless network and local online collaboration space, the authorized meeting planner can make that happen.
Providing a single point of management enables consolidated logging and a consistent view of the access rights and requirements of the individuals and systems involved. This approach enables a transparent way of applying, viewing, and implementing policy decisions in the technology infrastructure. It also provides a history of who has granted access to what, and a single place for auditing and reporting of authority-related decisions as well as monitoring for security issues.
Federated Identity Management
More and more, universities, companies, and government agencies are offering and using third-party services and collaborating online with other organizations. In the past, each of these external services required its own ID and password and, for the user, that meant adding another set of credentials to that collection of sticky notes. For the identity-providing institution, closing the security holes and just keeping up with the access changes for the services on- and off-campus presented quite a challenge.
To address these access issues, a model was developed that splits the responsibility. The institution that holds the identity information does the authentication of the individual, confirming the identity of this person and his or her affiliation with the institution. The organization that offers the service or online resource does the authorization.
Setting up a relationship like this requires establishing expectations on both sides. For example, the identity organization shouldn't give accounts to unaffiliated individuals and the service organization shouldn't sell the identity information it receives. A federation provides standard operating principles for both organizations to reduce the overhead of negotiating these rules of engagement for each relationship. For more information on federated identity, see the InCommon Federation and the Shibboleth Federated Single Sign-on Software sites.
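The split of responsibility described above, as an added illustration that is not part of the original page or of any Internet2 software: the home institution (acting as the identity provider) checks the password and issues a signed assertion carrying eduPerson-style attributes, and the service provider only verifies that assertion and applies its own access policy, never seeing the password. The user store, shared key, group names, and the HMAC-signed JSON standing in for a SAML assertion are all constructed assumptions.

```python
"""Constructed federated-login sketch: IdP authenticates and asserts attributes,
SP verifies the assertion and authorizes. An HMAC-signed JSON document stands in
for a SAML assertion; a real deployment would use Shibboleth and XML signatures."""
import hashlib
import hmac
import json
import time

# Constructed IdP user store. Only the IdP ever holds these password hashes.
IDP_USERS = {
    "bsmith": {"pw_hash": hashlib.sha256(b"correct-horse").hexdigest(),
               "affiliation": "student", "groups": ["physics:lab-users"]},
    "jdoe": {"pw_hash": hashlib.sha256(b"another-pw").hexdigest(),
             "affiliation": "alum", "groups": []},
}
# Assumed key exchanged via federation metadata (stands in for the IdP's signing cert).
SHARED_KEY = b"federation-metadata-key"


def idp_authenticate(username, password, scope="example.edu"):
    """IdP side: verify the credential, then issue a signed attribute assertion."""
    user = IDP_USERS.get(username)
    supplied = hashlib.sha256(password.encode()).hexdigest()
    if user is None or not hmac.compare_digest(user["pw_hash"], supplied):
        return None  # authentication failed; nothing is asserted
    attrs = {"eduPersonPrincipalName": f"{username}@{scope}",
             "eduPersonAffiliation": user["affiliation"],
             "isMemberOf": user["groups"],          # group data, as Grouper would supply
             "exp": time.time() + 300}              # short-lived assertion
    body = json.dumps(attrs, sort_keys=True)
    sig = hmac.new(SHARED_KEY, body.encode(), hashlib.sha256).hexdigest()
    return {"body": body, "sig": sig}


def sp_authorize(assertion, required_group):
    """SP side: accept only a genuine, unexpired assertion, then apply local policy."""
    if assertion is None:
        return False
    expected = hmac.new(SHARED_KEY, assertion["body"].encode(), hashlib.sha256).hexdigest()
    if not hmac.compare_digest(expected, assertion["sig"]):
        return False  # forged or tampered assertion
    attrs = json.loads(assertion["body"])
    if attrs["exp"] < time.time():
        return False  # stale assertion
    # SP's own policy: current members of the institution who are in the required group
    current = attrs["eduPersonAffiliation"] in ("student", "faculty", "staff")
    return current and required_group in attrs["isMemberOf"]
```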
See the TIER Initiative to learn about recent activities in trust and identity.
Middleware is software that manages the interaction between an application program, and other software or the network. A key area in this expansive field, particularly as it relates to higher education, is access management and identity management. The Internet2 Middleware Initiative has focused on developing an interoperable Identity and Access Management infrastructure for research and education, which is critical for security and collaboration.
How does the work get done?
The Internet2 Middleware Initiative and MACE initially developed a model for identity and federated identity management. From there, MACE worked with the Internet2 community to define the gaps and address those specific issues by:
- Developing software and tools, such as Grouper and the Shibboleth Federated Single Sign-on Software.
- Collecting the best community practices, then developing roadmaps to help campuses deploy interoperable implementations. Examples include the directory practice papers and the related Enterprise Directory Implementation Roadmap.
- Participating in standards-setting organizations to address interoperability. Examples include the eduPerson schema and Security Assertion Markup Language (SAML).
- Partnering with others to promote their tools and software.
- Providing educational opportunities for the broader community. Examples include the InCommon Campus Architecture and Middleware Planning (CAMP) workshops.
Since 2001, the Internet2 Middleware Initiative has also led the technical activities of the NSF Middleware Initiative - Enterprise and Desktop Integration Technologies Consortium (NMI-EDIT) of Internet2 and EDUCAUSE to build and promulgate this interoperable infrastructure. (Grant No. OCI-0123937, OCI-0330626, and OCI-0721896)