F-2-F Meeting Stockholm

Possibilities for Grouper in a cross/inter organizational use
Andrea Biancini, Consortium GARR
GN3+ F-2-F meeting
Stockholm, April 29th, 2014
Agenda
- Subtask definition and goals
- Major subtask activities
- Plan and advancements
- Involvement
Connect | Communicate | Collaborate
Subtask definition and goals
Within this task we will evaluate the introduction of Grouper for cross/inter organizational use.
Grouper will be used to manage the following in a centralized way (while optionally permitting delegation):
- Groups of users
- Authorization attributes for users
It provides a web interface, a CLI and a web services interface (which, as we just discovered, has a VOOT plugin).
Grouper will be studied in conjunction with other tools to implement advanced features in group management: for instance, Grouper could be integrated with COmanage to delegate the management of authorization aspects.
Major subtask activities
The main activities for this subtask will be:
1. Better definition of the possibilities for an authorization process
within different services and communities.
2. Realization of a PoC to prove possible integrations of existing
services with Grouper.
3. Documentation and dissemination of results achieved.
Authorization processes
So far, authorization in Identity Federations has been managed in one of two opposite ways:
- SP based authorization: the SP is responsible for maintaining all the information used for authorization;
- IdP based authorization: the IdP is responsible for maintaining the information used for authorization and for passing it to the SP for enforcement.
A different approach may be followed (leveraging Attribute Authorities and implementing tools like Grouper), where authorization is delegated to specific systems designed for that purpose.
Proof of Concept
To demonstrate real use cases, three SPs will be integrated with Grouper in a Proof of Concept:
- A wiki application: Grouper will manage user groups for read/write access;
- A Moodle application: Grouper will provide the course list and manage the enrolment of students/teachers in courses;
- A custom application (GARRbox): Grouper will provide user groups and other authorization attributes specific to the service.
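The delegated model applied to the wiki use case, as an added Python example that is not part of the original slides and does not use Grouper's own API: the IdP supplies only the authenticated identifier, a central group service supplies memberships, and the SP only enforces. The `GroupService` class, the group names and the user identifiers are constructed stand-ins.

```python
"""Delegated authorization for a wiki SP (added example; all names hypothetical)."""
from dataclasses import dataclass, field


class GroupServiceUnavailable(Exception):
    """Raised when the group/attribute service cannot answer."""


@dataclass
class GroupService:
    """In-memory stand-in for a central group manager queried by SPs."""
    memberships: dict = field(default_factory=dict)  # user id -> set of group names
    online: bool = True

    def groups_for(self, user_id):
        if not self.online:
            raise GroupServiceUnavailable(user_id)
        return set(self.memberships.get(user_id, ()))


# SP-local policy: which centrally managed group grants which wiki permission.
WIKI_POLICY = {
    "read": {"poc:wiki:readers", "poc:wiki:writers"},
    "write": {"poc:wiki:writers"},
}


def authorize(user_id, action, group_service, policy=WIKI_POLICY):
    """Return True only if a group held by user_id grants `action`.

    The IdP contributes only the authenticated identifier; memberships come
    from the group service, and the SP just enforces the resulting decision.
    """
    allowed_groups = policy.get(action)
    if not user_id or not allowed_groups:
        return False  # anonymous user or unknown action: deny
    try:
        held = group_service.groups_for(user_id)
    except GroupServiceUnavailable:
        return False  # fail closed: no membership data means no access
    return bool(held & allowed_groups)


# Constructed sample data: users from two different home organizations.
SERVICE = GroupService({
    "alice@org-a.example": {"poc:wiki:writers"},
    "bob@org-b.example": {"poc:wiki:readers"},
})
```

Because membership lives in one place, moving a user between the reader and writer groups changes wiki access without touching either the IdP or the SP configuration.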
Dissemination
During the activities a set of documents will be produced and shared.
These documents will make it possible to share common visions and ideas, thus easing the dissemination of the results achieved.
- JRA3T1-321 Feasibility Study (due 05/14)
- JRA3T1-322 Architecture for discovery (due 09/14)
- JRA3T1-323 PoC documentation (due 12/04)
- JRA3T1-324 Deliverables for dissemination (due 03/15)
Plan and advancements
1. Study (started 03/2014): aimed at gaining knowledge of the tools and processes to be implemented.
2. Feasibility (end 05/2014): will produce the first deliverable and introduce the context of authorization processes.
3. Design (end 09/2014): will produce the architectural design and describe the technical choices that will be tested in the PoC.
4. Build (end 12/2014): will implement the PoC, integrating the three SPs.
5. Finalize (end 05/2015): will produce dissemination material.
Involvement
The subtask would *really* appreciate the involvement of the following groups in the different activities:
- Groups with experience of Grouper / COmanage, to help with the installation and configuration of the group and attribute management system.
- Groups interested in trying out the PoC and helping to define technical aspects and problems.
- Groups interested in sharing views about real authorization problems by contributing to the deliverables.
Thank you!
www.geant.net