IDP IN THE CLOUD a solution to facilitate the access of research - PowerPoint PPT Presentation

IDP IN THE CLOUD a solution to facilitate the access of research communities to collaborative infrastructures Lalla Mantovani <marialaura.mantovani@garr.it> GARR & University of Modena and Reggio Emilia VAMP, Helsinki, 30.09.2013

Agenda  The problem  Who takes charge?  The use case  The solution  Who benefits? 2 Lalla Mantovani <marialaura.mantovani@garr.it> VAMP, Helsinki, 30.09.2013

The Problem  VAMP: to foster the deployment of identity management and collaboration tools within the research community  AAA Study(*): To date, most NRENs in Europe offer federated access for their users. However, the level of deployment, the participation of institutions and the amount of services available via different federations is below the desired level. 3 (*) https://confluence.terena.org/display/aaastudy/AAA+Study+Home+Page Lalla Mantovani <marialaura.mantovani@garr.it> VAMP, Helsinki, 30.09.2013

Who can take charge? Someone who:  is aware of identity federations  deals with organizations  deals with scholars’ communities  manages e-infrastructures 4 Lalla Mantovani <marialaura.mantovani@garr.it> VAMP, Helsinki, 30.09.2013

GARR manages IDEM identity federation  41 member organizations (~3 million users)  20 partner organizations  88 SPs and 48 IDPs registered in IDEM  IDEM is a member of eduGAIN 5 Lalla Mantovani <marialaura.mantovani@garr.it> VAMP, Helsinki, 30.09.2013

GARR interconnects organizations  ~500 organizations in Italy are connected to the GARR network  Only 41 of them joined IDEM Federation 6 (*) https://confluence.terena.org/display/aaastudy/AAA+Study+Home+Page Lalla Mantovani <marialaura.mantovani@garr.it> VAMP, Helsinki, 30.09.2013

GARR participates in research projects  GARR supports as an e-infrastructure partner researchers and communities in the fields of:  Physics  Health & Bio-medicine  Cultural heritage 7 Lalla Mantovani <marialaura.mantovani@garr.it> VAMP, Helsinki, 30.09.2013

GARR & IDEM are called into action 8 (*) https://confluence.terena.org/display/aaastudy/AAA+Study+Home+Page Lalla Mantovani <marialaura.mantovani@garr.it> VAMP, Helsinki, 30.09.2013

The use case: THE NATIONAL BIOMEDICAL RESEARCH DATABASE 1 web-based service(*) (…more in the future…)  15.000 end users belonging to:  80 Home Organizations   (on average each organization manages 200 users => small organizations) Problems: Too many users to manage and to keep up to date by the  service Users want additional services: library resources,  collaboration like videoconference service, large size file sharing outside domain boundaries. 9 (*)http://ricerca.cbim.it/index_en.html Lalla Mantovani <marialaura.mantovani@garr.it> VAMP, Helsinki, 30.09.2013

The use case: THE COMMUNITY Researchers in the fields of bio-medicine, health, nutrition  Not belonging to Universities, but rather to small Home Organizations  81 Home Organizations, of which:  58 belonging to R&E sector  47 research hospitals (IRCCS)  10 nutrition & health institutes (IZS)  1 National Institute of Health  23 not belonging to R&E sector  Home Organizations need support in ICT  GARR can only support R&E Home Organizations (58/81) 10 Lalla Mantovani <marialaura.mantovani@garr.it> VAMP, Helsinki, 30.09.2013

A possible (traditional) solution:  Make the web service a Service Provider (SP)  Deploy an Identity Provider (IDP) in each organization (58)  Register SP and IDPs to IDEM Federation 11 Lalla Mantovani <marialaura.mantovani@garr.it> VAMP, Helsinki, 30.09.2013

Deploy an IDP in each organization: Why is it difficult?  Home Organizations are small  Their focus is not on IT  They have few resources to manage information systems  They lack motivation to drive organizational changes, as IDM requires 12 Lalla Mantovani <marialaura.mantovani@garr.it> VAMP, Helsinki, 30.09.2013

The Solution: IDP in the Cloud Goal of the project: To make the deployment and  management of the identity providers easy, by minimizing the activities and the complexity for home organizations. GARR provides: IDP as a Service • IDM as a Service • => IDP in the Cloud 13 Lalla Mantovani <marialaura.mantovani@garr.it> VAMP, Helsinki, 30.09.2013

The Solution: not only tech  IDP in the Cloud is only a part of an Agreement between Ministry of Health, 55 Organizations (research hospitals and health institutes), and GARR.  Out of the box “IDP in the Cloud”, hiding tech complexity.  Platform is designed to satisfy IDEM and eduGAIN policy requirements. 14 Lalla Mantovani <marialaura.mantovani@garr.it> VAMP, Helsinki, 30.09.2013

GARR made an agreement with the Ministry of Health GARR designs, implements and manages the high bandwidth network infrastructure for all the national research institutions. In the context of a multi-year framework agreement with the Ministry of Health, GARR offered to the Organizations involved in biomedical research:  a high bandwidth connectivity to GARR-X network  a set of advanced applications and network services, like AAI, distributed storage, large files sharing, High definition Multi Video Conference, etc. 15 Lalla Mantovani <marialaura.mantovani@garr.it> VAMP, Helsinki, 30.09.2013

The technical solution for the platform: GARR Cloud service provides each organization with a Virtual Machines (VM) including: • Shibboleth IDP • • uApprove MySQL • • Custom login page iptables => IDP in the Cloud • • Apache2 rsyslog • • OpenLDAP Nagios • • phpLDAPadmin Collectd phpLDAPadmin web interface to manage openLDAP identities Cloud GARR 16 Lalla Mantovani <marialaura.mantovani@garr.it> VAMP, Helsinki, 30.09.2013

Faced issues How can GARR  deal with the deployment of hundreds of new systems with limited human resources?  deal with the response time when a user requests the IDP?  manage hundreds of systems with limited human resources?  deal with personal data protection (including backup and disaster recovery)? 17 Lalla Mantovani <marialaura.mantovani@garr.it> VAMP, Helsinki, 30.09.2013

GARR Cloud: geographically distributed Each node has 64GB RAM and esa-core CPU with hyper-threading. 18 Lalla Mantovani <marialaura.mantovani@garr.it> VAMP, Helsinki, 30.09.2013

Redundancy & Resilience: Data 19 Lalla Mantovani <marialaura.mantovani@garr.it> VAMP, Helsinki, 30.09.2013

Redundancy & Resilience: Communication 20 Lalla Mantovani <marialaura.mantovani@garr.it> VAMP, Helsinki, 30.09.2013

Optimisation in provisioning VM provisioning & setup 30 minutes 15 minutes (thanks to a cloud Automatized process Infrastructure built Manual process OS install and configuration 60 minutes with OpenStack) 10 minutes Install of SW prerequisites 2 minutes Install of Shibboleth and (thanks to the 15 minutes other software Puppet tool which automatize Configuration of Shibboleth installation and 30 minutes (with LDAP MySQL) configuration of software) Registration of the IDP into the federation Total time Total time > 2 hours and 25 minutes 17 minutes 21 Lalla Mantovani <marialaura.mantovani@garr.it> VAMP, Helsinki, 30.09.2013

Monitoring HOSTS STATUS GRAPHIC HISTORY SERVICES STATUS 22 Lalla Mantovani <marialaura.mantovani@garr.it> VAMP, Helsinki, 30.09.2013

From the IDP request to IDEM & eduGAIN registration Few steps in charge of the Organizations Tutoring on:  Pre-provisioning  Post-provisioning 23 Lalla Mantovani <marialaura.mantovani@garr.it> VAMP, Helsinki, 30.09.2013

Federation issues faced Compliance with:  IDEM requirements  eduGAIN requirements  Attribute harmonization  REFEDS Discovery Guide 24 Lalla Mantovani <marialaura.mantovani@garr.it> VAMP, Helsinki, 30.09.2013

requirements compliance Tutoring the Organization on a simplified joining procedure in order to:  Fill and Sign the «Member Accession Form»  Fill and Sign the «IDP Registration Request»  Provide info for entity Metadata (logo, descriptions, …)  Fill and sign DOPAU (Identity Management Practice Statement (IMPS) i.e. something about LoA declaration) 25 Lalla Mantovani <marialaura.mantovani@garr.it> VAMP, Helsinki, 30.09.2013