Mantovani IDP IN THE CLOUD - TERENA · VAMP, Helsinki, 30.09.2013 Lalla Mantovani IDP IN THE CLOUD...

VAMP, Helsinki, 30.09.2013

Lalla Mantovani <[email protected]>

IDP IN THE CLOUD a solution to facilitate the access of research communities to collaborative infrastructures

GARR & University of Modena and Reggio Emilia

Agenda

The problem

Who takes charge?

The use case

The solution

Who benefits?

Lalla Mantovani <[email protected]> VAMP, Helsinki, 30.09.2013

2

The Problem

VAMP: to foster the deployment of identity management and collaboration tools within the research community

AAA Study(*): To date, most NRENs in Europe offer federated access for their users. However, the level of deployment, the participation of institutions and the amount of services available via different federations is below the desired level.


(*) https://confluence.terena.org/display/aaastudy/AAA+Study+Home+

Who can take charge?

Someone who:

is aware of identity federations

deals with organizations

deals with scholars’ communities

manages e-infrastructures


4

GARR manages IDEM identity federation

41 member organizations (~3 million users)

20 partner organizations

88 SPs and 48 IDPs registered in IDEM

IDEM is a member of eduGAIN


5

GARR interconnects organizations

~500 organizations in Italy are connected to the GARR network

Only 41 of them joined IDEM Federation


6 (*) https://confluence.terena.org/display/aaastudy/AAA+Study+Home+Page

GARR participates in research projects


7

GARR supports as an e-infrastructure partner researchers and communities in the fields of:

Physics

Health & Bio-medicine

Cultural heritage

GARR & IDEM are called into action


8 (*) https://confluence.terena.org/display/aaastudy/AAA+Study+Home+Page

The use case: THE NATIONAL BIOMEDICAL RESEARCH DATABASE

1 web-based service(*) (…more in the future…)

15.000 end users belonging to:

80 Home Organizations

(on average each organization manages 200 users => small organizations)


Problems:

Too many users to manage and to keep up to date by the service

Users want additional services: library resources, collaboration like videoconference service, large size file sharing outside domain boundaries.

(*)http://ricerca.cbim.it/index_en.html 9

The use case: THE COMMUNITY Researchers in the fields of bio-medicine, health, nutrition


10

Not belonging to Universities, but rather to small Home Organizations

81 Home Organizations, of which:

58 belonging to R&E sector

47 research hospitals (IRCCS)

10 nutrition & health institutes (IZS)

1 National Institute of Health

23 not belonging to R&E sector

Home Organizations need support in ICT

GARR can only support R&E Home Organizations (58/81)

A possible (traditional) solution:

Make the web service a Service Provider (SP)

Deploy an Identity Provider (IDP) in each organization (58)

Register SP and IDPs to IDEM Federation


11

Deploy an IDP in each organization: Why is it difficult?

Home Organizations are small

Their focus is not on IT

They have few resources to manage

information systems

They lack motivation to drive organizational

changes, as IDM requires


12

The Solution: IDP in the Cloud

Goal of the project:

To make the deployment and management of the identity providers easy, by minimizing the activities and the complexity for home organizations.


GARR provides: • IDP as a Service • IDM as a Service => IDP in the Cloud

13

The Solution: not only tech

IDP in the Cloud is only a part of an Agreement between Ministry of Health, 55 Organizations (research hospitals and health institutes), and GARR.

Out of the box “IDP in the Cloud”, hiding tech complexity.

Platform is designed to satisfy IDEM and eduGAIN policy requirements.


14

GARR made an agreement with the Ministry of Health

GARR designs, implements and manages the high bandwidth network infrastructure for all the national research institutions.

In the context of a multi-year framework agreement with the Ministry of Health, GARR offered to the Organizations involved in biomedical research:

a high bandwidth connectivity to GARR-X network

a set of advanced applications and network services, like AAI, distributed storage, large files sharing, High definition Multi Video Conference, etc.


15

The technical solution for the platform:


Cloud

GARR

phpLDAPadmin web

interface to manage

identities

openLDAP

• Shibboleth IDP

• uApprove

• Custom login page

• Apache2

• OpenLDAP

• phpLDAPadmin

• MySQL

• iptables

• rsyslog

• Nagios

• Collectd

GARR Cloud service provides each organization with a Virtual Machines (VM)

including:

=> IDP in the Cloud

16

Faced issues

How can GARR

deal with the deployment of hundreds of new systems with limited human resources?

deal with the response time when a user requests the IDP?

manage hundreds of systems with limited human resources?

deal with personal data protection (including backup and disaster recovery)?


17

GARR Cloud: geographically distributed


18

Each node has 64GB RAM and esa-core CPU with hyper-threading.

Redundancy & Resilience: Data


19

Redundancy & Resilience: Communication


20

VM provisioning & setup

OS install and configuration

Install of SW prerequisites

Install of Shibboleth and other software

Configuration of Shibboleth (with LDAP MySQL)

Registration of the IDP into the federation

30 minutes

60 minutes

10 minutes

15 minutes

30 minutes

Total time

2 hours and 25 minutes >

Manual pro

cess

Auto

matiz

ed p

rocess

15 minutes

(thanks to a cloud

Infrastructure built

with OpenStack)

Total time

17 minutes

2 minutes

(thanks to the

Puppet tool which

automatize

installation and

configuration

of software)

Optimisation in provisioning

VAMP, Helsinki, 30.09.2013 Lalla Mantovani <[email protected]>

21

Monitoring


HOSTS STATUS

SERVICES STATUS

GRAPHIC

HISTORY

22

From the IDP request to IDEM & eduGAIN registration


Few steps in

charge of the

Organizations

Tutoring on:

Pre-provisioning

Post-provisioning

23

Federation issues faced

Compliance with:

IDEM requirements

eduGAIN requirements

Attribute harmonization

REFEDS Discovery Guide


24

requirements compliance

Tutoring the Organization on a simplified joining procedure in order to:

Fill and Sign the «Member Accession Form»

Fill and Sign the «IDP Registration Request»

Provide info for entity Metadata (logo, descriptions, …)

Fill and sign DOPAU (Identity Management Practice Statement (IMPS) i.e. something about LoA declaration)


25

eduGAIN requirements compliance

Enable IDP’s users to access eduGAIN services Metadata Profile satisfied (thanks to customer care and Puppet) Attribute Profile: all recommended attributes are implemented

[displayName, common name (cn), mail, eduPersonAffiliation and eduPersonScopedAffiliation, eduPersonPrincipalName, SAML2 Persistent NameID (eduPersonTargetedID), schacHomeOrganization, schacHomeOrganizationType]

Attribute Profile: controlled vocabularies on eduPersonAffiliation and eduPersonScopedAffiliation schacHomeOrganizationType

Attribute Profile: unique identifiers Identity Providers support SAML2 Persistent Identifier

Attribute release (can be configured in order to) Attribute release based on entity-category Attribute release based on CoC

SAML 2.0 WebSSO Profile (SAML2int) supported Basic+ Level of Assurance(*) (*) https://refeds.terena.org/index.php/LOA_for_RANDE_Federations


26

Attribute harmonization to ensure consistency in semantics

IDEM attributes Standard (sn, givenName, cn, mail, …) eduPerson (eduPersonScopedAffiliation(*), eduPersonTargetedID,

eduPersonPrincipalName, eduPersonEntitlement, eduPersonOrgDN, eduPersonOrgUnitDN)

SCHAC (schacPersonalPosition)

eduGAIN attributes Standard (displayName) SCHAC (schacHomeOrganization, schacHomeOrganizationType(*))

Community attributes SCHAC (schacDateOfBirth, schacPlaceOfBirth,

schacPersonalUniqueID)

(*) with controlled vocabulary: http://www.terena.org/activities/refeds/docs/ePSAcomparison_0_13.pdf https://refeds.terena.org/index.php/SchacHomeOrgType_usage


27

Compliant to REFEDS Discovery Guide


28

IDP Metadata ready

for Discovery Service

<mdui:UIInfo>

from SP used on

IDP login page

Co–branding IDP-SP

on login page

State of the art


29

Successful results for the use case

THE NATIONAL BIOMEDICAL RESEARCH DATABASE is now federated in IDEM

Home organizations can now easily obtain IDPs federated in IDEM and eduGAIN for their users

Home for the homeless (very few people left) IDP is running


30

Who benefits?

The whole Italian research community in the field of Bio-Medicine and Health will be provided with federated (and inter-federated) identities

Are there Projects interested (e.g. BBMRI, ELIXIR, EuroBioimaging) ?


31

Other candidate communities:

Digital Cultural Heritage Community in Italy(*):

99 National Museums (of 4.739 in total)

110 National Archives (> of 59.000 in total)

46 National Libraries (of 12.388 in total)

6 main Institutes of the Cultural Heritage Ministry

~21.000 units of personnel of the ministry

383.000 people in the Cultural Heritage sector


(*) Figures from http://www.abbracciamolacultura.it/doc/DossierBeniCulturali.ppt 32

Other projects that could be interested

GARR is ready to offer «IDP in the Cloud» to interested projects, for example:

ELCIRA and CHAIN-REDS projects


RedCLARA

33 ELCIRA: http://www.elcira.eu CHAIN-REDS: http://www.chain-project.eu

http://www.elcira.eu/

http://www.elcira.eu/

http://www.chain-project.eu/




From «IDP_aaS» to «Federation_aaS»

Having experience in offering cloud services as IDP in the cloud, for GARR becomes natural to offer hosting also for:

Resource Registry,

Metadata Aggregator and Metadata Distribution Service,

Discovery Service.


34

Acknowledgements

This work and its results were made possible thanks to:

Andrea Biancini, Massimo Carboni, Fabio Farina, Marco Malavolti, Pasquale Mandato, Luca Prete, Sabrina Tomassini, Cristiano Valli


35

Thank you

Q&A

Lalla Mantovani <[email protected]>

36

VAMP, Helsinki, 30.09.2013

Mantovani IDP IN THE CLOUD - TERENA · VAMP, Helsinki, 30.09.2013 Lalla Mantovani IDP IN THE CLOUD...

Documents

Transcript of Mantovani IDP IN THE CLOUD - TERENA · VAMP, Helsinki, 30.09.2013 Lalla Mantovani IDP IN THE CLOUD...