Releases
NMI-EDIT components are grouped in the following categories:
- Software that supports a wider variety of desktop-security, video, and enterprise uses.
- Directory Schema, pieces of movable code that facilitate the federated model of directory-enabled, inter-realm authentication and authorization.
- Conventions and Practices that capture the lessons learned from campuses which have implemented middleware.
- Architecture Documents that summarize current thinking about middleware issues involved in collaborative applications.
- Policies that provide guidance on how an institution can manage certificates, including legal liabilities and limitations, standards on contents of certificates and actual campus practices.
- Services to support resource registration, testing, discovery, and use.
Software
- Certificate Profile Maker (CPM) is a CGI-program package for making a certificate profile in XML format.
- End-to-end Diagnostic DiscoverY Developers Toolkit (EDDY) defines a common form for data encapsulation and a method for efficient transport of native event information from sensors to data managers to analyzers, for the purposes of assisting with infrastructure management and problem diagnosis.
- GridShib is a software package that enables interoperability between the Globus Toolkit and the Shibboleth Federating and Single Sign-on software.
- Grouper (TM) is an open source toolkit for managing groups.
- KX.509 and KCA provide a bridge between a Kerberos and a PKI infrastructure.
- The LDAP Operational ORCA "K"ollector (Look) is a utility written in Perl which gathers LDAP performance data at periodic intervals and generates a file of summary results in a format compatible with the open-source ORCA web-graphing product (available at http://www.orcaware.com/).
- Nexus Provisioning System is a system for coordinating the management of user accounts across a collection of heterogeneous systems.
- OpenMetaDir (OM) provides for the extraction, reconciliation, and application of business rules to identity-related data, as well as provisioning it to applications and publishers of identity information.
- OpenSAML is a set of open-source libraries in Java and C++ which can be used to build, transport, and parse SAML messages.
- PERMIS Authorization Infrastructure is an open-source, policy-controlled privilege-management infrastructure (PMI) which is fully integrated with Globus Toolkit, Apache and Shibboleth.
- Shibboleth Attribute Release Policy Editor (ShARPE) allows IdP administrators and users to easily manage their attribute release policy in a way that respects user privacy while still letting users obtain the services they want from the service provider.
- Autograph is a personal privacy manager that makes privacy in a Shibboleth federation transparent and manageable by enabling members of an Identity Provider (e.g. students of a university) to configure their own Attribute Release Policy, or, in Autograph terms, their own idCards.
- Shibboleth® Single Sign-on and Federating Software implements the OASIS SAML specification, provides a federated Single Sign-on and attribute exchange framework, and allows sites to make informed authorization decisions for individual access to protected online resources in a privacy-preserving manner.
- Signet (TM) is a privilege management system.
- Simple Policy Control Protocol (SPOCP) is a rule-based authorization engine that can be used to control access to any type of resource, network-based or not.
- Sympa is mailing list management software.
- Web Initial Sign-on (WebISO): NMI-EDIT offers several web initial sign-on systems and recommends that you research the options and choose the one that best fits your needs.
Directory Schema
To facilitate the federated model of directory-enabled inter-realm authentication and authorization, NMI-EDIT has developed several directory schema for use in the R&E community.
- eduPerson provides a common list of attributes and definitions for building general-purpose institutional directories.
- eduMember specifications express membership in groups in LDAP and in SAML assertions.
- eduCourse specifies how to express relations between people and courses in LDAP directories.
- eduOrg contains institutional attributes, including account management policies, security policies, contacts for key services, etc.
- H.350 (formerly known as commObject) represents video and voice over IP conferencing endpoints in LDAP directories, enabling portal searching, white pages, and centralized user management.
- MACE-Dir SAML Attribute Profiles address the recommended use of attribute definitions from the Internet2 MACE-Dir Working Group with the SAML 1.x and SAML 2.0 specifications.
Conventions and Best Practices
- Middleware Integration with Existing Applications: Current Design Issues, with a Focus on Mailing Lists is intended as a guide for leveraging middleware technologies within a mailing list system environment.
- Local Domain Person Object Class Study - Survey Results describes how institutions are using locally-defined person object classes or attributes in their enterprise LDAP directories.
- Practices in Directory Groups offers recommendations to the person or persons at institutions embarking on the implementation of groups.
- LDAP Recipe is intended to be a discussion point and guide toward the development of common directory deployments within the Higher Education community.
- Metadirectories Best Practices outlines a set of metadirectory issues that should be considered in the deployment of enterprise directories and offers accompanying best practices for higher education.
- Enterprise Directory Implementation Roadmap is a web-based structure of documentation and related resources that institutions can draw on to help deploy and use NMI-released tools and components pertaining to enterprise directories.
- Enterprise Authentication Implementation Roadmap outlines a process and checklist institutions can use to help deploy enterprise authentication and credential levels of assurance.
- ViDe H.350 Cookbook: Directory Services Middleware for Multimedia Conferencing (formerly known as "Video Middleware Cookbook - Directory Services for Multimedia Conferencing") provides an understanding of the theory and use of middleware for videoconferencing and voice over IP.
Architecture Documents
- Middleware End-to-End Diagnostics: An Introduction includes a draft whitepaper and three recent presentations outlining the approach and direction of this work.
- Group Tools Architecture presents a high-level architecture, an associated data model, behavioral descriptions of the elements of the architecture, and a high-level specification of APIs.
- Shibboleth Specifications define the current scope of the Shibboleth technical architecture and the rules implementations must follow to claim compatibility with it.
Policies
- Campus Certificate Policy for use at the Higher Education Bridge Certification Authority defines the terms and conditions under which a Certificate Authority (CA), issuing Public Key Certificates (PKC) that reference the policy object identifier (OID) for the HEBCA CP, MUST operate.
- Lightweight Campus Certificate Policy and Practice Statement (aka PKI-Lite) focuses on employing PKI technology for standard assurance applications that already have established and implemented requirements for initial user authentication and overall system security.
Services
- LDAP Analyzer determines the compliance of an LDAP directory server implementation with various object class definitions such as inetOrgPerson, eduPerson, eduOrg, eduMember, eduCourse, H.350 (formerly known as commObject) and the Grid Laboratory Universal Environment (GLUE) schema, as well as the recommendations outlined in the LDAP Recipe and other best practice documents.
- Certificate Profile Registry holds profiles for standard certificate formats for the community and offers an institutional root certificate service to provide a functional way for certificate path construction to be done within the community.