Identity and Access Management in the Bamboo Ecosystem

The diagram below is a quick sketch – not meant to be a canonical rendering of what Bamboo is up to – but one that helps to illustrate where the Bamboo Ecosystem will offer support for authentication and identity (who's who), as well as groups and policy (who can do what).

Any application built atop a framework or platform – including environments such as Work Spaces – works best if it leverages built-in support for identifying and tracking users (authentication) and applying access permissions or policies (authorization). That built-in support is almost invariably integrated closely with the platform's core functionality.

Project Bamboo Work Spaces are client environments through which a researcher/scholar/user interacts with the larger Bamboo Ecosystem. Platforms that are the basis for Work Spaces – HUBzero and Alfresco ECM – are no exception to the general rule about leveraging built-in support for authentication and authorization. Each of the platforms being used as the basis for Work Spaces development in the current phase of the Bamboo Technology Project has rich, built-in support for Identity and Access Management (IAM) that supports core functionality, such as content management and service/tool/script execution.

That said, there are a number of responsibilities that are being externalized from Work Spaces:

  1. maintaining a distinct set of user credentials (user IDs and passwords); instead, Work Spaces will rely on credentials that an individual maintains through her institution (e.g., a university or college) and/or social media providers in which she is active (e.g., Google);
  2. mapping the user IDs presented by an external Identity Provider (IdP) -- such as Google or a university -- to a Bamboo person, who maintains her identity in the ecosystem independent of how or where she logs in;
  3. maintaining group memberships that cross the boundaries of client environments -- i.e., groups that are synchronized across multiple Work Space instances and/or other virtual environments;
  4. storing, determining, and serving permissions and other policy that applies across the boundaries of client environments -- e.g., policy about which affiliates of which institutions are permitted to access subscription-restricted digital content.

These externalized responsibilities will be integrated or synchronized with the native capabilities of the HUBzero and Alfresco ECM platforms.

Bamboo as a Virtual Organization

The second item in the numbered list above touches on the concept of a virtual organization or collaborative organization. A VO or CO is one that is made up of participants whose principal affiliation is with some more permanent organization (such as the institution by which they are employed), and which is formed in order to facilitate interaction and collaboration across the boundaries of those more permanent organizations. Project Bamboo maps to the "virtual organization" concept because it is a collaboration among ten partner institutions in Phase One of the Bamboo Technology Project, and among a larger set of institutions that participated in the Bamboo Planning Phase and/or are moving toward partnership or affiliation in Phase Two of the BTP or through a future Project Bamboo consortium.

Here's how the Internet2 COmanage project introduces the concept of collaborative organizations, and its intersection with authentication by institutional identity providers:

[...] a set of capabilities that allow collaborative organizations (COs) to meet their objectives using key collaboration tools in a secure and effective framework. By leveraging external (federated) identity management services, authentication and authorization of group members are handled in a single, efficient process that feeds from each member's home organization into the various applications [...]

Imagine researchers and administrators working together on a groundbreaking research effort while being based at numerous different universities and research institutes. [...] They [...] need to utilize an authentication infrastructure not tied to any of their home institutions, so individuals can log in to a neutral location and work together. But that starts to go well outside the larger need to move ahead with their research. Their focus needs to be on the collaboration, not the technology.

In the Bamboo Ecosystem, externalizing authentication will include provision for login through institutional and/or social media identity providers. Evaluating identity in a trustworthy and secure manner across such providers is a complex problem; it has been the topic of discussion, demonstrations, and evolving best-practice advisories in an Internet2-hosted collaboration in which Bamboo has played a significant part. Visit the Social Identity wiki space for the notes, use cases, and documentation coming together out of conversations among a couple of dozen universities and commercial organizations in the U.S. and Europe. The authentication infrastructure used in the Bamboo Ecosystem, represented in the diagram above by the "Authorization Gateway" circled in red, is evolving from technology demonstrated and reviewed in the course of the Social Identity discussions. Within the community of BTP partners, credit is due to Keith Hazelton of U. Wisconsin (Madison), co-chair of the Internet2 MACE-Dir working group, for helping to convene and facilitate the Social Identity discussions along with Steve Carmody of Brown University.

Role of the Bamboo Services Platform in Ecosystem IAM

What role, then, does the Bamboo Services Platform play in Identity and Access Management that governs a user's experience of content management and research environments such as Work Spaces?

Services on the BSP offer multiple instances of each of these environments a chance to understand who's who both 'at home' and 'abroad,' and what any person is permitted to do or access. Here's how:

  • A Bamboo Person service will maintain a logical notion of a Bamboo Person independent of which environment (e.g., Work Space) she is using, and independent of the Identity Provider she uses to log in (authenticate). Professor Lee is the same person whether she logs in through her University's single-sign-on infrastructure, or whether she presents her Google ID credentials to identify herself.
  • A Bamboo Group service will allow Work Spaces to understand and share membership of groups with other Work Spaces, or with other virtual research environments: the 'master copy' of group data, including memberships of Bamboo Persons, is maintained by the "integration broker" (Bamboo Services Platform), and user environments such as Work Spaces are able to synchronize to the 'master.' That means that a group of Shakespearean scholars formed by Professor Lee in a Work Space environment hosted at U. Wisconsin can be understood and used to share data by Professor Smith's Work Space hosted by Indiana University, or Professor Jones' Work Space hosted at Berkeley.
  • A Bamboo Policy service will permit environments such as Work Spaces to ask whether members of Professor Lee's group of Shakespeareans are allowed to see the results of Professor Smith's syntactic annotation of Henry IV Part I, independent of where those results are stored, and of which Work Space (or other content management or research environment) is being used by the scholars who request access to Professor Smith's work. The Policy Service will also inform Collections Interoperability services whether a faculty member whose affiliation is proven by her login via an institutional Identity Provider is eligible to access subscription-restricted content, such as the TCP texts or material hosted by the HathiTrust.
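To make the division of labour among the three services concrete, here is a toy model added for this post; it is illustration code, not Project Bamboo code, and every name in it (the service classes, the IdP identifiers, the person IDs, the group and the shared resource) is a constructed placeholder. It follows the two responsibilities externalized from Work Spaces in the numbered list above and the three bullets just given: external logins from different IdPs resolve to one Bamboo person, group membership lives in one master copy rather than in any Work Space, and the policy answer does not depend on which environment asks. It also encodes two defaults the post implies but does not spell out: an identity that was never linked to a Bamboo person is denied, and an institutional affiliation is trusted only when an institutional IdP, not a social one, asserted it.

```python
from dataclasses import dataclass
from typing import Dict, Optional, Set, Tuple

# Trusted IdPs and their kind: only an institutional IdP can vouch for an affiliation.
IDPS: Dict[str, str] = {  # constructed sample list
    "idp.wisc.edu": "institutional",
    "idp.indiana.edu": "institutional",
    "idp.berkeley.edu": "institutional",
    "accounts.google.com": "social",
}


@dataclass(frozen=True)
class Login:  # what a client environment (Work Space) learns from one federated login
    idp: str                           # which IdP authenticated the user
    subject: str                       # user ID as presented by that IdP
    affiliation: Optional[str] = None  # e.g. "faculty@wisc.edu", if the IdP asserted one


class PersonService:
    """Maps (IdP, external user ID) pairs onto a single Bamboo person ID."""

    def __init__(self):
        self._links: Dict[Tuple[str, str], str] = {}
        self._next = 1

    def link(self, idp: str, subject: str, person: Optional[str] = None) -> str:
        """Bind an external identity to an existing person, or mint a new person."""
        if idp not in IDPS:
            raise ValueError(f"untrusted identity provider: {idp}")
        if (idp, subject) in self._links:
            raise ValueError(f"{(idp, subject)} is already linked to a person")
        if person is None:
            person, self._next = f"bamboo:person:{self._next}", self._next + 1
        self._links[(idp, subject)] = person
        return person

    def resolve(self, login: Login) -> Optional[str]:
        return self._links.get((login.idp, login.subject))  # None if never linked


class GroupService:
    """Master copy of group membership; Work Spaces synchronize from here."""

    def __init__(self):
        self._members: Dict[str, Set[str]] = {}

    def add(self, group: str, person: str) -> None:
        self._members.setdefault(group, set()).add(person)

    def members(self, group: str) -> frozenset:
        return frozenset(self._members.get(group, ()))  # immutable copy for clients


class PolicyService:
    """Answers 'may this login read this resource?', whichever Work Space asks."""

    def __init__(self, persons: PersonService, groups: GroupService):
        self.persons, self.groups = persons, groups
        self._shares: Dict[str, Set[str]] = {}  # resource -> groups allowed to read it

    def share(self, resource: str, group: str) -> None:
        self._shares.setdefault(resource, set()).add(group)

    def may_read(self, login: Login, resource: str) -> bool:
        person = self.persons.resolve(login)
        if person is None:
            return False  # unlinked identity: deny by default
        return any(person in self.groups.members(g) for g in self._shares.get(resource, ()))

    def eligible_for_licensed(self, login: Login, scope: str) -> bool:
        """Subscription content: an affiliation counts only if an institutional IdP asserted it."""
        if IDPS.get(login.idp) != "institutional" or not login.affiliation:
            return False
        return login.affiliation.endswith("@" + scope)


def demo() -> Dict[str, bool]:
    # The post's scenario, with constructed sample identities and a constructed resource.
    persons, groups = PersonService(), GroupService()
    policy = PolicyService(persons, groups)
    lee = persons.link("idp.wisc.edu", "lee")  # one person, two ways to log in
    persons.link("accounts.google.com", "prof.lee@gmail.com", person=lee)
    jones = persons.link("idp.berkeley.edu", "jones")
    groups.add("shakespeareans", lee)  # the group is held by the BSP, not by one Work Space
    groups.add("shakespeareans", jones)
    paper = "smith:henry-iv-annotation"  # Professor Smith's results, wherever they are stored
    policy.share(paper, "shakespeareans")
    return {
        "lee_via_google": policy.may_read(Login("accounts.google.com", "prof.lee@gmail.com"), paper),
        "jones_via_berkeley": policy.may_read(Login("idp.berkeley.edu", "jones"), paper),
        "stranger": policy.may_read(Login("accounts.google.com", "someone@gmail.com"), paper),
        "licensed_via_wisc": policy.eligible_for_licensed(
            Login("idp.wisc.edu", "lee", "faculty@wisc.edu"), "wisc.edu"),
        "licensed_via_google": policy.eligible_for_licensed(
            Login("accounts.google.com", "prof.lee@gmail.com", "faculty@wisc.edu"), "wisc.edu"),
    }
```

Running `demo()` shows Professor Lee reading Professor Smith's annotation whether she arrived via Google or her university, Professor Jones reading it from a different institution because the group is shared, an unlinked Google account being refused, and the same affiliation claim being accepted from the institutional IdP but ignored when it arrives alongside a social login. The design choice worth noting is that every decision is keyed on the Bamboo person, not on the external subject string, so a Work Space never has to know which IdP a collaborator at another institution uses.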

Conclusion

Implementation of ecosystem-wide IAM – as well as identity, group, and policy services – is an area of active BTP design and development, primarily among participants from U. Wisconsin (Madison) and UC Berkeley. As services and infrastructure become available in proof-of-concept implementations over the summer and early fall, they will be integrated with Work Spaces and with emerging scholarly services deployed to the Bamboo Services Platform.


Thanks to Bruce Barton for his contribution to this post, and particularly for refining the included diagram.