IDP IN THE CLOUD a solution to facilitate the access of research - - PowerPoint PPT Presentation


IDP IN THE CLOUD a solution to facilitate the access of research communities to collaborative infrastructures Lalla Mantovani <marialaura.mantovani@garr.it> GARR & University of Modena and Reggio Emilia VAMP, Helsinki, 30.09.2013


SLIDE 1


IDP IN THE CLOUD

a solution to facilitate the access of research communities to collaborative infrastructures

GARR & University of Modena and Reggio Emilia

SLIDE 2

Agenda

  • The problem
  • Who takes charge?
  • The use case
  • The solution
  • Who benefits?


SLIDE 3

The Problem

  • VAMP: to foster the deployment of identity management and collaboration tools within the research community
  • AAA Study(*): To date, most NRENs in Europe offer federated access for their users. However, the level of deployment, the participation of institutions and the amount of services available via different federations is below the desired level.


(*) https://confluence.terena.org/display/aaastudy/AAA+Study+Home+Page

SLIDE 4

Who can take charge?

Someone who:

  • is aware of identity federations
  • deals with organizations
  • deals with scholars’ communities
  • manages e-infrastructures


SLIDE 5

GARR manages IDEM identity federation

  • 41 member organizations (~3 million users)
  • 20 partner organizations
  • 88 SPs and 48 IDPs registered in IDEM
  • IDEM is a member of eduGAIN


SLIDE 6

GARR interconnects organizations

  • ~500 organizations in Italy are connected to the GARR network
  • Only 41 of them joined IDEM Federation


SLIDE 7

GARR participates in research projects


  • GARR supports, as an e-infrastructure partner, researchers and communities in the fields of:
    • Physics
    • Health & Bio-medicine
    • Cultural heritage

SLIDE 8

GARR & IDEM are called into action


SLIDE 9

The use case: THE NATIONAL BIOMEDICAL RESEARCH DATABASE

  • 1 web-based service(*) (…more in the future…)
  • 15.000 end users belonging to 80 Home Organizations (on average each organization manages 200 users => small organizations)


Problems:

  • Too many users to manage and to keep up to date by the service
  • Users want additional services: library resources, collaboration like videoconference service, large size file sharing outside domain boundaries.

(*) http://ricerca.cbim.it/index_en.html

SLIDE 10

The use case: THE COMMUNITY

Researchers in the fields of bio-medicine, health, nutrition


  • Not belonging to Universities, but rather to small Home Organizations
  • 81 Home Organizations, of which:
    • 58 belonging to R&E sector
      • 47 research hospitals (IRCCS)
      • 10 nutrition & health institutes (IZS)
      • 1 National Institute of Health
    • 23 not belonging to R&E sector
  • Home Organizations need support in ICT
  • GARR can only support R&E Home Organizations (58/81)

SLIDE 11

A possible (traditional) solution:

  • Make the web service a Service Provider (SP)
  • Deploy an Identity Provider (IDP) in each organization (58)
  • Register SP and IDPs to IDEM Federation


SLIDE 12

Deploy an IDP in each organization: Why is it difficult?

  • Home Organizations are small
  • Their focus is not on IT
  • They have few resources to manage information systems
  • They lack motivation to drive organizational changes, as IDM requires


SLIDE 13

The Solution: IDP in the Cloud

Goal of the project:

  • To make the deployment and management of the identity providers easy, by minimizing the activities and the complexity for home organizations.


GARR provides:

  • IDP as a Service
  • IDM as a Service

=> IDP in the Cloud


SLIDE 14

The Solution: not only tech

  • IDP in the Cloud is only a part of an Agreement between Ministry of Health, 55 Organizations (research hospitals and health institutes), and GARR.
  • Out of the box “IDP in the Cloud”, hiding tech complexity.
  • Platform is designed to satisfy IDEM and eduGAIN policy requirements.


SLIDE 15

GARR made an agreement with the Ministry of Health

GARR designs, implements and manages the high bandwidth network infrastructure for all the national research institutions. In the context of a multi-year framework agreement with the Ministry of Health, GARR offered to the Organizations involved in biomedical research:

  • a high bandwidth connectivity to GARR-X network
  • a set of advanced applications and network services, like AAI, distributed storage, large files sharing, High definition Multi Video Conference, etc.


SLIDE 16

The technical solution for the platform:


(Diagram: Cloud GARR, with OpenLDAP and the phpLDAPadmin web interface to manage identities)

GARR Cloud service provides each organization with a Virtual Machine (VM) including:

  • Shibboleth IDP
  • uApprove
  • Custom login page
  • Apache2
  • OpenLDAP
  • phpLDAPadmin
  • MySQL
  • iptables
  • rsyslog
  • Nagios
  • Collectd

=> IDP in the Cloud

SLIDE 17

Faced issues

How can GARR

  • deal with the deployment of hundreds of new systems with limited human resources?
  • deal with the response time when a user requests the IDP?
  • manage hundreds of systems with limited human resources?
  • deal with personal data protection (including backup and disaster recovery)?


SLIDE 18

GARR Cloud: geographically distributed


Each node has 64GB RAM and a hexa-core CPU with hyper-threading.

SLIDE 19

Redundancy & Resilience: Data


SLIDE 20

Redundancy & Resilience: Communication


SLIDE 21

Optimisation in provisioning

Manual process:

  • VM provisioning & setup: 30 minutes
  • OS install and configuration: 60 minutes
  • Install of SW prerequisites: 10 minutes
  • Install of Shibboleth and other software: 15 minutes
  • Configuration of Shibboleth (with LDAP, MySQL): 30 minutes
  • Registration of the IDP into the federation
  • Total time: 2 hours and 25 minutes

Automatized process:

  • VM provisioning & setup: 15 minutes (thanks to a cloud infrastructure built with OpenStack)
  • Installation and configuration of the software: 2 minutes (thanks to the Puppet tool, which automatizes installation and configuration of software)
  • Total time: 17 minutes


SLIDE 22

Monitoring


(Monitoring screenshots: hosts status, services status, graphic history)


SLIDE 23

From the IDP request to IDEM & eduGAIN registration


Few steps in charge of the Organizations

Tutoring on:

  • Pre-provisioning
  • Post-provisioning


SLIDE 24

Federation issues faced

Compliance with:

  • IDEM requirements
  • eduGAIN requirements
  • Attribute harmonization
  • REFEDS Discovery Guide


SLIDE 25

IDEM requirements compliance

Tutoring the Organization on a simplified joining procedure in order to:

  • Fill and Sign the «Member Accession Form»
  • Fill and Sign the «IDP Registration Request»
  • Provide info for entity Metadata (logo, descriptions, …)
  • Fill and sign DOPAU (Identity Management Practice Statement (IMPS), i.e. something about LoA declaration)


SLIDE 26

eduGAIN requirements compliance

Enable IDP’s users to access eduGAIN services

  • Metadata Profile satisfied (thanks to customer care and Puppet)
  • Attribute Profile: all recommended attributes are implemented [displayName, common name (cn), mail, eduPersonAffiliation and eduPersonScopedAffiliation, eduPersonPrincipalName, SAML2 Persistent NameID (eduPersonTargetedID), schacHomeOrganization, schacHomeOrganizationType]
  • Attribute Profile: controlled vocabularies on
    • eduPersonAffiliation and eduPersonScopedAffiliation
    • schacHomeOrganizationType
  • Attribute Profile: unique identifiers
    • Identity Providers support SAML2 Persistent Identifier
  • Attribute release (can be configured in order to)
    • Attribute release based on entity-category
    • Attribute release based on CoC
  • SAML 2.0 WebSSO Profile (SAML2int) supported
  • Basic+ Level of Assurance(*)

(*) https://refeds.terena.org/index.php/LOA_for_RANDE_Federations


SLIDE 27

Attribute harmonization, to ensure consistency in semantics

  • IDEM attributes
    • Standard (sn, givenName, cn, mail, …)
    • eduPerson (eduPersonScopedAffiliation(*), eduPersonTargetedID, eduPersonPrincipalName, eduPersonEntitlement, eduPersonOrgDN, eduPersonOrgUnitDN)
    • SCHAC (schacPersonalPosition)
  • eduGAIN attributes
    • Standard (displayName)
    • SCHAC (schacHomeOrganization, schacHomeOrganizationType(*))
  • Community attributes
    • SCHAC (schacDateOfBirth, schacPlaceOfBirth, schacPersonalUniqueID)

(*) with controlled vocabulary:
http://www.terena.org/activities/refeds/docs/ePSAcomparison_0_13.pdf
https://refeds.terena.org/index.php/SchacHomeOrgType_usage
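As an added example (not code from the presentation or from GARR's platform), a check an IDP operator could run over the attributes released for one user, covering the eduGAIN recommended attribute list of slide 26 and the controlled vocabularies and scoping of slides 26 and 27. The attribute values are constructed; the eduPersonAffiliation vocabulary is the one of the eduPerson schema, and the schacHomeOrganizationType test is simplified to a URN-prefix check rather than the full REFEDS vocabulary:

```python
# Added example: harmonization check over attributes released for one user.
# Vocabulary for eduPersonAffiliation is the eduPerson schema's; the
# schacHomeOrganizationType test is simplified to a URN-prefix check.
EDUGAIN_RECOMMENDED = {
    "displayName", "cn", "mail", "eduPersonAffiliation",
    "eduPersonScopedAffiliation", "eduPersonPrincipalName",
    "eduPersonTargetedID", "schacHomeOrganization",
    "schacHomeOrganizationType",
}
AFFILIATIONS = {"faculty", "student", "staff", "alum", "member",
                "affiliate", "employee", "library-walk-in"}
SCHAC_TYPE_PREFIX = "urn:schac:homeOrganizationType:"


def check_attributes(attrs):
    """Return harmonization problems for attrs (name -> list of values)."""
    problems = []
    for name in sorted(EDUGAIN_RECOMMENDED - set(attrs)):
        problems.append(f"missing recommended attribute {name}")
    # Scoped values must carry the scope of the user's home organization.
    home_org = (attrs.get("schacHomeOrganization") or [""])[0]
    for value in attrs.get("eduPersonAffiliation", []):
        if value not in AFFILIATIONS:
            problems.append(f"eduPersonAffiliation {value!r} not in vocabulary")
    for value in attrs.get("eduPersonScopedAffiliation", []):
        affil, _, scope = value.partition("@")
        if affil not in AFFILIATIONS:
            problems.append(f"eduPersonScopedAffiliation {affil!r} not in vocabulary")
        if scope != home_org:
            problems.append(f"scope {scope!r} differs from schacHomeOrganization")
    for value in attrs.get("eduPersonPrincipalName", []):
        if value.partition("@")[2] != home_org:
            problems.append("eduPersonPrincipalName scope differs from schacHomeOrganization")
    for value in attrs.get("schacHomeOrganizationType", []):
        if not value.startswith(SCHAC_TYPE_PREFIX):
            problems.append(f"schacHomeOrganizationType {value!r} is not a schac URN")
    return problems


# Constructed sample: one user of a fictitious research hospital.
SAMPLE_OK = {
    "displayName": ["Mario Rossi"], "cn": ["Mario Rossi"],
    "mail": ["mario.rossi@irccs.example"],
    "eduPersonAffiliation": ["member", "employee"],
    "eduPersonScopedAffiliation": ["member@irccs.example"],
    "eduPersonPrincipalName": ["mrossi@irccs.example"],
    "eduPersonTargetedID": ["constructed-opaque-persistent-id"],
    "schacHomeOrganization": ["irccs.example"],
    "schacHomeOrganizationType": ["urn:schac:homeOrganizationType:int:other"],
}
```

`check_attributes(SAMPLE_OK)` returns an empty list; a value outside the vocabulary or a scope that differs from schacHomeOrganization is reported as a separate problem.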


SLIDE 28

Compliant to REFEDS Discovery Guide


  • IDP Metadata ready for Discovery Service
  • <mdui:UIInfo> from SP used on IDP login page
  • Co-branding IDP-SP on login page
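As an added example (not code from the presentation), how a login page could pull the requesting SP's <mdui:UIInfo> out of its SAML metadata for the co-branding described above, with a language fallback and an https-only rule for the logo. The SP metadata, its entityID and URLs are constructed for the example:

```python
import xml.etree.ElementTree as ET

# Standard SAML metadata and MDUI namespaces.
NS = {"md": "urn:oasis:names:tc:SAML:2.0:metadata",
      "mdui": "urn:oasis:names:tc:SAML:metadata:ui"}
XML_LANG = "{http://www.w3.org/XML/1998/namespace}lang"

# Constructed SP metadata (entityID and URLs are not real).
SP_METADATA = """<md:EntityDescriptor xmlns:md="urn:oasis:names:tc:SAML:2.0:metadata"
    xmlns:mdui="urn:oasis:names:tc:SAML:metadata:ui"
    entityID="https://ricerca.example/shibboleth">
  <md:SPSSODescriptor protocolSupportEnumeration="urn:oasis:names:tc:SAML:2.0:protocol">
    <md:Extensions>
      <mdui:UIInfo>
        <mdui:DisplayName xml:lang="it">Banca dati ricerca biomedica</mdui:DisplayName>
        <mdui:DisplayName xml:lang="en">Biomedical research database</mdui:DisplayName>
        <mdui:Description xml:lang="en">National biomedical research database</mdui:Description>
        <mdui:Logo height="60" width="200">https://ricerca.example/logo.png</mdui:Logo>
      </mdui:UIInfo>
    </md:Extensions>
  </md:SPSSODescriptor>
</md:EntityDescriptor>"""


def sp_branding(metadata_xml, lang="it"):
    """Pick the SP's display name, description and logo for the login page.
    Falls back to English, then to the entityID; a logo not served over
    https is dropped so the https login page does not embed mixed content."""
    root = ET.fromstring(metadata_xml)
    entity_id = root.get("entityID")
    result = {"entityID": entity_id, "displayName": entity_id,
              "description": None, "logo": None}
    uiinfo = root.find("md:SPSSODescriptor/md:Extensions/mdui:UIInfo", NS)
    if uiinfo is None:
        return result
    for tag, key in (("DisplayName", "displayName"), ("Description", "description")):
        by_lang = {e.get(XML_LANG): (e.text or "").strip()
                   for e in uiinfo.findall(f"mdui:{tag}", NS)}
        chosen = by_lang.get(lang) or by_lang.get("en")
        if chosen:
            result[key] = chosen
    logo = uiinfo.find("mdui:Logo", NS)
    if logo is not None and (logo.text or "").strip().startswith("https://"):
        result["logo"] = logo.text.strip()
    return result
```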
SLIDE 29

State of the art


SLIDE 30

Successful results for the use case

  • THE NATIONAL BIOMEDICAL RESEARCH DATABASE is now federated in IDEM
  • Home organizations can now easily obtain IDPs federated in IDEM and eduGAIN for their users
  • Home for the homeless (very few people left) IDP is running


SLIDE 31

Who benefits?

  • The whole Italian research community in the field of Bio-Medicine and Health will be provided with federated (and inter-federated) identities
  • Are there Projects interested (e.g. BBMRI, ELIXIR, EuroBioimaging)?


SLIDE 32

Other candidate communities:

Digital Cultural Heritage Community in Italy(*):

  • 99 National Museums (of 4.739 in total)
  • 110 National Archives (> of 59.000 in total)
  • 46 National Libraries (of 12.388 in total)
  • 6 main Institutes of the Cultural Heritage Ministry
  • ~21.000 units of personnel of the ministry
  • 383.000 people in the Cultural Heritage sector


(*) Figures from http://www.abbracciamolacultura.it/doc/DossierBeniCulturali.ppt

SLIDE 33

Other projects that could be interested

GARR is ready to offer «IDP in the Cloud» to interested projects, for example: ELCIRA and CHAIN-REDS projects


(Logo: RedCLARA)

ELCIRA: http://www.elcira.eu
CHAIN-REDS: http://www.chain-project.eu

SLIDE 34

From «IDP_aaS» to «Federation_aaS»

Having experience in offering cloud services such as IDP in the Cloud, it becomes natural for GARR to offer hosting also for:

  • Resource Registry,
  • Metadata Aggregator and Metadata Distribution Service,
  • Discovery Service.


SLIDE 35

Acknowledgements

This work and its results were made possible thanks to:

  • Andrea Biancini, Massimo Carboni, Fabio Farina, Marco Malavolti, Pasquale Mandato, Luca Prete, Sabrina Tomassini, Cristiano Valli


SLIDE 36

Thank you

Q&A

Lalla Mantovani <marialaura.mantovani@garr.it>


VAMP, Helsinki, 30.09.2013