VAMP, Helsinki, 30.09.2013
Lalla Mantovani <[email protected]>
IDP IN THE CLOUD a solution to facilitate the access of research communities to collaborative infrastructures
GARR & University of Modena and Reggio Emilia
Agenda
The problem
Who takes charge?
The use case
The solution
Who benefits?
Lalla Mantovani <[email protected]> VAMP, Helsinki, 30.09.2013
The Problem
VAMP: to foster the deployment of identity management and collaboration tools within the research community
AAA Study(*): To date, most NRENs in Europe offer federated access for their users. However, the level of deployment, the participation of institutions and the amount of services available via different federations is below the desired level.
(*) https://confluence.terena.org/display/aaastudy/AAA+Study+Home+Page
Who can take charge?
Someone who:
is aware of identity federations
deals with organizations
deals with scholars’ communities
manages e-infrastructures
GARR manages IDEM identity federation
41 member organizations (~3 million users)
20 partner organizations
88 SPs and 48 IDPs registered in IDEM
IDEM is a member of eduGAIN
GARR interconnects organizations
~500 organizations in Italy are connected to the GARR network
Only 41 of them joined IDEM Federation
GARR participates in research projects
GARR supports, as an e-infrastructure partner, researchers and communities in the fields of:
Physics
Health & Bio-medicine
Cultural heritage
GARR & IDEM are called into action
The use case: THE NATIONAL BIOMEDICAL RESEARCH DATABASE
1 web-based service(*) (…more in the future…)
15.000 end users belonging to:
80 Home Organizations
(on average each organization manages 200 users => small organizations)
Problems:
Too many users for the service to manage and keep up to date
Users want additional services: library resources, collaboration tools such as videoconferencing, and sharing of large files across domain boundaries.
(*) http://ricerca.cbim.it/index_en.html
The use case: THE COMMUNITY Researchers in the fields of bio-medicine, health, nutrition
Not belonging to Universities, but rather to small Home Organizations
81 Home Organizations, of which:
58 belonging to R&E sector
47 research hospitals (IRCCS)
10 nutrition & health institutes (IZS)
1 National Institute of Health
23 not belonging to R&E sector
Home Organizations need support in ICT
GARR can only support R&E Home Organizations (58/81)
A possible (traditional) solution:
Make the web service a Service Provider (SP)
Deploy an Identity Provider (IDP) in each organization (58)
Register SP and IDPs to IDEM Federation
Deploy an IDP in each organization: Why is it difficult?
Home Organizations are small
Their focus is not on IT
They have few resources to manage information systems
They lack motivation to drive the organizational changes that IDM requires
The Solution: IDP in the Cloud
Goal of the project:
To make the deployment and management of the identity providers easy, by minimizing the activities and the complexity for home organizations.
GARR provides:
IDP as a Service
IDM as a Service
=> IDP in the Cloud
The Solution: not only tech
IDP in the Cloud is only one part of an Agreement between the Ministry of Health, 55 Organizations (research hospitals and health institutes), and GARR.
An out-of-the-box “IDP in the Cloud”, hiding the technical complexity.
Platform is designed to satisfy IDEM and eduGAIN policy requirements.
GARR made an agreement with the Ministry of Health
GARR designs, implements and manages the high-bandwidth network infrastructure for all the national research institutions.
In the context of a multi-year framework agreement with the Ministry of Health, GARR offered the Organizations involved in biomedical research:
high-bandwidth connectivity to the GARR-X network
a set of advanced applications and network services, such as AAI, distributed storage, large file sharing, high-definition multipoint video conferencing, etc.
The technical solution for the platform:
GARR Cloud service provides each organization with a Virtual Machine (VM) including:
• Shibboleth IDP
• uApprove
• Custom login page
• Apache2
• OpenLDAP (identity store)
• phpLDAPadmin (web interface to manage identities)
• MySQL
• iptables
• rsyslog
• Nagios
• Collectd
=> IDP in the Cloud
Issues faced
How can GARR:
deal with the deployment of hundreds of new systems with limited human resources?
deal with the response time when a user requests the IDP?
manage hundreds of systems with limited human resources?
deal with personal data protection (including backup and disaster recovery)?
GARR Cloud: geographically distributed
Each node has 64GB RAM and a six-core CPU with hyper-threading.
Redundancy & Resilience: Communication
Optimisation in provisioning
Manual process:
VM provisioning & setup: 30 minutes
OS install and configuration: 60 minutes
Install of SW prerequisites: 10 minutes
Install of Shibboleth and other software: 15 minutes
Configuration of Shibboleth (with LDAP, MySQL): 30 minutes
Registration of the IDP into the federation
Total time: 2 hours and 25 minutes
Automated process:
15 minutes (thanks to a cloud infrastructure built with OpenStack)
2 minutes (thanks to the Puppet tool, which automates the installation and configuration of software)
Total time: 17 minutes
Monitoring
Dashboard views: hosts status, services status, graphic history
From the IDP request to IDEM & eduGAIN registration
Few steps in charge of the Organizations
Tutoring on:
Pre-provisioning
Post-provisioning
Federation issues faced
Compliance with:
IDEM requirements
eduGAIN requirements
Attribute harmonization
REFEDS Discovery Guide
IDEM requirements compliance
Tutoring the Organization on a simplified joining procedure in order to:
Fill and Sign the «Member Accession Form»
Fill and Sign the «IDP Registration Request»
Provide info for entity Metadata (logo, descriptions, …)
Fill and sign the DOPAU (Identity Management Practice Statement, IMPS, i.e. a LoA declaration)
eduGAIN requirements compliance
Goal: enable the IDP’s users to access eduGAIN services
Metadata Profile: satisfied (thanks to customer care and Puppet)
Attribute Profile: all recommended attributes are implemented
[displayName, common name (cn), mail, eduPersonAffiliation and eduPersonScopedAffiliation, eduPersonPrincipalName, SAML2 Persistent NameID (eduPersonTargetedID), schacHomeOrganization, schacHomeOrganizationType]
Attribute Profile: controlled vocabularies on eduPersonAffiliation, eduPersonScopedAffiliation and schacHomeOrganizationType
Attribute Profile: unique identifiers: Identity Providers support the SAML2 Persistent Identifier
Attribute release (can be configured for):
attribute release based on entity category
attribute release based on CoC
SAML 2.0 WebSSO Profile (SAML2int) supported
Basic+ Level of Assurance(*)
(*) https://refeds.terena.org/index.php/LOA_for_RANDE_Federations
Attribute harmonization to ensure consistency in semantics
IDEM attributes:
  Standard (sn, givenName, cn, mail, …)
  eduPerson (eduPersonScopedAffiliation(*), eduPersonTargetedID, eduPersonPrincipalName, eduPersonEntitlement, eduPersonOrgDN, eduPersonOrgUnitDN)
  SCHAC (schacPersonalPosition)
eduGAIN attributes:
  Standard (displayName)
  SCHAC (schacHomeOrganization, schacHomeOrganizationType(*))
Community attributes:
  SCHAC (schacDateOfBirth, schacPlaceOfBirth, schacPersonalUniqueID)
(*) with controlled vocabulary: http://www.terena.org/activities/refeds/docs/ePSAcomparison_0_13.pdf https://refeds.terena.org/index.php/SchacHomeOrgType_usage
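A pre-registration check that an operator could run over each organization's user entries before the IDP is federated, covering the eduGAIN attribute profile above and the controlled vocabularies and scopes of the harmonization slide. This is an added example, not GARR's code: it assumes entries are read from the IDP's LDAP as {attribute: [values]} dicts, uses the eduPerson affiliation vocabulary, and takes an assumed subset of the REFEDS schacHomeOrganizationType values; the sample organization example-irccs.it is constructed.

```python
# Added example, not GARR's code: check one user entry ({attribute: [values]},
# as read from the IDP's LDAP) against the eduGAIN attribute profile listed on
# the slides, including controlled vocabularies and scope consistency.
# AFFILIATIONS is the eduPerson vocabulary; ORG_TYPES is an assumed subset.
REQUIRED = ("displayName", "cn", "mail", "eduPersonAffiliation",
            "eduPersonScopedAffiliation", "eduPersonPrincipalName",
            "eduPersonTargetedID", "schacHomeOrganization",
            "schacHomeOrganizationType")
AFFILIATIONS = {"faculty", "student", "staff", "alum", "member",
                "affiliate", "employee", "library-walk-in"}
ORG_TYPES = {"urn:schac:homeOrganizationType:int:university",
             "urn:schac:homeOrganizationType:int:NREN",
             "urn:schac:homeOrganizationType:int:other"}

def check_entry(entry):
    """Return the list of profile violations (empty list = compliant)."""
    problems = [f"missing {a}" for a in REQUIRED if not entry.get(a)]
    org = entry.get("schacHomeOrganization", [""])[0]
    for v in entry.get("eduPersonAffiliation", []):
        if v not in AFFILIATIONS:
            problems.append(f"eduPersonAffiliation {v!r} not in vocabulary")
    for v in entry.get("eduPersonScopedAffiliation", []):
        aff, _, scope = v.partition("@")   # scope must be the home organization
        if aff not in AFFILIATIONS or scope != org:
            problems.append(f"eduPersonScopedAffiliation {v!r} inconsistent with {org!r}")
    for v in entry.get("eduPersonPrincipalName", []):
        if v.partition("@")[2] != org:
            problems.append(f"eduPersonPrincipalName {v!r} not scoped to {org!r}")
    for v in entry.get("schacHomeOrganizationType", []):
        if v not in ORG_TYPES:
            problems.append(f"schacHomeOrganizationType {v!r} not in vocabulary")
    # The persistent NameID must be opaque: it must not embed the login name.
    uid = entry.get("eduPersonPrincipalName", [""])[0].partition("@")[0]
    if uid and any(uid in v for v in entry.get("eduPersonTargetedID", [])):
        problems.append("eduPersonTargetedID is not opaque")
    return problems

# Constructed sample entries for a hypothetical organization example-irccs.it.
GOOD = {"displayName": ["Mario Rossi"], "cn": ["Mario Rossi"],
        "mail": ["mrossi@example-irccs.it"], "eduPersonAffiliation": ["staff"],
        "eduPersonScopedAffiliation": ["staff@example-irccs.it"],
        "eduPersonPrincipalName": ["mrossi@example-irccs.it"],
        "eduPersonTargetedID": ["https://idp.example-irccs.it/idp/shibboleth!"
                                "https://sp.example.org/shibboleth!7f2ac9e1b0d4"],
        "schacHomeOrganization": ["example-irccs.it"],
        "schacHomeOrganizationType": ["urn:schac:homeOrganizationType:int:other"]}
BAD = dict(GOOD, mail=[], eduPersonAffiliation=["researcher"],
           eduPersonScopedAffiliation=["staff@irccs.example.org"],
           eduPersonTargetedID=["mrossi-1234"])
```

Running check_entry over an export of all entries before registration catches the vocabulary and scope mistakes that otherwise surface only as failed attribute-based authorization at eduGAIN services.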
Compliant to REFEDS Discovery Guide
IDP Metadata ready for the Discovery Service
<mdui:UIInfo> from the SP used on the IDP login page
Co-branding IDP-SP on the login page
Successful results for the use case
THE NATIONAL BIOMEDICAL RESEARCH DATABASE is now federated in IDEM
Home organizations can now easily obtain IDPs federated in IDEM and eduGAIN for their users
A “home for the homeless” IDP is running for the very few users left without a home organization
Who benefits?
The whole Italian research community in the field of Bio-Medicine and Health will be provided with federated (and inter-federated) identities
Are there Projects interested (e.g. BBMRI, ELIXIR, EuroBioimaging) ?
Other candidate communities:
Digital Cultural Heritage Community in Italy(*):
99 National Museums (of 4.739 in total)
110 National Archives (> of 59.000 in total)
46 National Libraries (of 12.388 in total)
6 main Institutes of the Cultural Heritage Ministry
~21.000 units of personnel of the ministry
383.000 people in the Cultural Heritage sector
(*) Figures from http://www.abbracciamolacultura.it/doc/DossierBeniCulturali.ppt
Other projects that could be interested
GARR is ready to offer «IDP in the Cloud» to interested projects, for example:
ELCIRA and CHAIN-REDS projects
RedCLARA
ELCIRA: http://www.elcira.eu
CHAIN-REDS: http://www.chain-project.eu
From «IDP_aaS» to «Federation_aaS»
Having gained experience in offering cloud services such as IDP in the Cloud, it becomes natural for GARR to also offer hosting for:
Resource Registry,
Metadata Aggregator and Metadata Distribution Service,
Discovery Service.
Acknowledgements
This work and its results were made possible thanks to:
Andrea Biancini, Massimo Carboni, Fabio Farina, Marco Malavolti, Pasquale Mandato, Luca Prete, Sabrina Tomassini, Cristiano Valli