Changes between Version 5 and Version 6 of GeniIdentityAndAttributes

08/24/11 16:47:08 (13 years ago)



  • GeniIdentityAndAttributes

    v5 v6  
    13= Identity and Attributes =
    35GENI requires a way of positively identifying experimenters and granting them access to tools and resources. Current control frameworks either maintain their own database of users or explicitly outsource this task to an identity provider. In addition to identifying experimenters, GENI needs information about attributes like institutional affiliation, project role, etc.
    5 == GEC10 Authorization Engineering Meeting ==
     7= GEC11 Engineering Meeting =
     8At GEC11 there was an [wiki:GEC11Identity identity engineering meeting] which discussed progress towards incorporating external identity providers in GENI.
     10== Meeting Summary ==
     11'''Tom Mitchell''' discussed the goals of the Identity Management effort within GENI and provided an update since GEC 10. Briefly:
     12 * !InCommon membership took longer than expected, but the GENI Project Office became !InCommon members in July, shortly before GEC 11
     13 * A prototype identity portal has been built. It uses Shibboleth single sign on so it will be compatible with !InCommon.
     14 * The prototype identity portal was federated with ProtoGENI to demonstrate the ability to create slices and allocate resources from an operational GENI aggregate manager.
     16Tom gave a brief demonstration of the prototype identity portal that showed the creation of a GENI certificate, a slice and associated slice credential, and then using the GENI certificate and slice credential to list resources via Flack at ProtoGENI's Utah site. Tom's slides are available on the session wiki page.
     18'''Ken Klingenstein''' discussed the state of federated identity management today and what's coming on the horizon for federated identity management in general, and !InCommon in particular. Some of the key topics included Social2SAML gateways, attribute release and consent, non-web apps (SAML ECP), and collaboration management platforms. Ken also talked about implications for GENI: federated identity and ABAC, levels of assurance, and incident handling. Ken's slides are available on the session wiki page. Specifically, Ken made the point that GENI will probably have to confront these issues as it moves forward with federated identity management. Ken posed questions like:
     19 * What level of assurance will GENI aggregates and slice authorities require from identity providers?
     20 * How will GENI handle incident response?
     21 * How will attributes from identity providers be used in authorization decisions?
     22 * What attributes will be used for authorization, and who will be trusted to make this assertions?
     24== Proposed Next Steps ==
     25 * Continue to push !InCommon membership forward
     26  * Publish Participant Operational Practices (POP)
     27  * Publish Service Provider Metadata
     28  * Negotiate For Attributes From A Few Institutions
     29 * Continue to develop the prototype identity portal
     30  * Proper certificate management
     31   * Protected signing key
     32   * Certificate Revocation List (CRL)
     33  * Programmatic access to some functions
     34  * Management/Operations integration
     35  * Integration with Federation/Clearinghouse concepts
     38= GEC10 Engineering Meeting =
    740At GEC10 there was an [wiki:GEC10IdentityAndAttributes identity and attributes engineering meeting] which discussed a proposal by Ken Klingenstein (Internet2) and Tom Mitchell (BBN) to incorporate external identity providers in GENI. Specifically, an !InCommon compatible GENI portal was proposed to allow new GENI experimenters to authenticate using their existing institutional accounts. The meeting also discussed standardizing a set of identity attributes required for resource manipulation within GENI. Jeff Chase (Duke, ORCA) and Rob Ricci (Utah, Emulab/ProtoGENI) gave their perspectives on the proposal based on their experience as GENI control framework developers.
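Review bot: the last bullet of Ken's questions ("who will be trusted to make this assertions?") has a number-agreement typo; it should read "who will be trusted to make these assertions?". Two smaller style points in the same hunk: the new "= GEC11 Engineering Meeting =" and "= GEC10 Engineering Meeting =" headings are level-1, the same level as the page heading "= Identity and Attributes =", whereas the line they replace ("== GEC10 Authorization Engineering Meeting ==") was level-2, so consider demoting the GEC sections to "==" and their subsections ("Meeting Summary", "Proposed Next Steps") to "===" to keep the outline nested under the page title; and the next-step bullet "Negotiate For Attributes From A Few Institutions" is in title case while its siblings ("Publish Participant Operational Practices (POP)", "Proper certificate management") are in sentence case.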
    2659  * Pending group evaluation, expand this portal to other institutions and aggregates
    28 == Getting Involved ==
     61= Getting Involved =
    2962If you have questions or comments on the status of the authorization work, please email the GENI developers list (dev at or Tom Mitchell (tmitchell at
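Review bot: the retained contact sentence still invites questions "on the status of the authorization work", but with this revision the page covers identity management (InCommon membership, the Shibboleth-based identity portal) as well as authorization; consider changing it to "the identity and authorization work" so the section matches the page's scope. The heading-level change from "== Getting Involved ==" to "= Getting Involved =" is consistent with the other new level-1 sections, so whichever heading depth is chosen for the GEC sections should be applied here too.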