IDP IN THE CLOUD
A solution to facilitate the access of research communities to collaborative infrastructures
Lalla Mantovani <marialaura.mantovani@garr.it>
GARR & University of Modena and Reggio Emilia
VAMP, Helsinki, 30.09.2013
Agenda
• The problem
• Who takes charge?
• The use case
• The solution
• Who benefits?
The Problem
VAMP: to foster the deployment of identity management and collaboration tools within the research community
AAA Study(*): "To date, most NRENs in Europe offer federated access for their users. However, the level of deployment, the participation of institutions and the amount of services available via different federations is below the desired level."
(*) https://confluence.terena.org/display/aaastudy/AAA+Study+Home+Page
Who can take charge?
Someone who:
• is aware of identity federations
• deals with organizations
• deals with scholars' communities
• manages e-infrastructures
GARR manages the IDEM identity federation
• 41 member organizations (~3 million users)
• 20 partner organizations
• 88 SPs and 48 IDPs registered in IDEM
• IDEM is a member of eduGAIN
GARR interconnects organizations
• ~500 organizations in Italy are connected to the GARR network
• Only 41 of them joined the IDEM Federation
GARR participates in research projects
GARR supports, as an e-infrastructure partner, researchers and communities in the fields of:
• Physics
• Health & Bio-medicine
• Cultural heritage
GARR & IDEM are called into action
The use case: THE NATIONAL BIOMEDICAL RESEARCH DATABASE
• 1 web-based service(*) (…more in the future…)
• 15,000 end users belonging to 80 Home Organizations (on average each organization manages 200 users => small organizations)
Problems:
• Too many users for the service to manage and to keep up to date
• Users want additional services: library resources, collaboration tools like a videoconference service, large file sharing outside domain boundaries
(*) http://ricerca.cbim.it/index_en.html
The use case: THE COMMUNITY
• Researchers in the fields of bio-medicine, health, nutrition
• Not belonging to Universities, but rather to small Home Organizations
• 81 Home Organizations, of which:
  - 58 belonging to the R&E sector:
    47 research hospitals (IRCCS)
    10 nutrition & health institutes (IZS)
    1 National Institute of Health
  - 23 not belonging to the R&E sector
• Home Organizations need support in ICT
• GARR can only support R&E Home Organizations (58/81)
A possible (traditional) solution:
• Make the web service a Service Provider (SP)
• Deploy an Identity Provider (IDP) in each organization (58)
• Register the SP and the IDPs in the IDEM Federation
Deploy an IDP in each organization: why is it difficult?
• Home Organizations are small
• Their focus is not on IT
• They have few resources to manage information systems
• They lack the motivation to drive the organizational changes that IDM requires
The Solution: IDP in the Cloud
Goal of the project: to make the deployment and management of the identity providers easy, by minimizing the activities and the complexity for home organizations.
GARR provides:
• IDP as a Service
• IDM as a Service
=> IDP in the Cloud
The Solution: not only tech
• IDP in the Cloud is only a part of an Agreement between the Ministry of Health, 55 Organizations (research hospitals and health institutes), and GARR.
• Out-of-the-box "IDP in the Cloud", hiding the technical complexity.
• The platform is designed to satisfy IDEM and eduGAIN policy requirements.
GARR made an agreement with the Ministry of Health
GARR designs, implements and manages the high-bandwidth network infrastructure for all the national research institutions.
In the context of a multi-year framework agreement with the Ministry of Health, GARR offered to the Organizations involved in biomedical research:
• high-bandwidth connectivity to the GARR-X network
• a set of advanced applications and network services, like AAI, distributed storage, large file sharing, High Definition Multi Video Conference, etc.
The technical solution for the platform
The GARR Cloud service provides each organization with a Virtual Machine (VM) including:
• Shibboleth IDP
• uApprove
• MySQL
• Custom login page
• iptables
• Apache2
• rsyslog
• OpenLDAP
• Nagios
• phpLDAPadmin
• Collectd
=> IDP in the Cloud
phpLDAPadmin: web interface to manage OpenLDAP identities
(Figure: GARR Cloud)
Faced issues
How can GARR:
• deal with the deployment of hundreds of new systems with limited human resources?
• deal with the response time when a user requests the IDP?
• manage hundreds of systems with limited human resources?
• deal with personal data protection (including backup and disaster recovery)?
GARR Cloud: geographically distributed
Each node has 64 GB RAM and a six-core CPU with hyper-threading.
Redundancy & Resilience: Data
Redundancy & Resilience: Communication
Optimisation in provisioning

Step                                              Manual process            Automatized process
VM provisioning & setup                           30 minutes                15 minutes (thanks to a cloud infrastructure built with OpenStack)
OS install and configuration                      60 minutes                2 minutes for these four steps together (thanks to the Puppet tool, which automatizes installation and configuration of software)
Install of SW prerequisites                       10 minutes
Install of Shibboleth and other software          15 minutes
Configuration of Shibboleth (with LDAP, MySQL)    30 minutes
Registration of the IDP into the federation       -                         -
Total time                                        > 2 hours and 25 minutes  17 minutes
Monitoring
(Figure: monitoring screenshots showing hosts status, graphic history and services status)
From the IDP request to IDEM & eduGAIN registration
Few steps in charge of the Organizations
Tutoring on:
• Pre-provisioning
• Post-provisioning
Federation issues faced
Compliance with:
• IDEM requirements
• eduGAIN requirements
• Attribute harmonization
• REFEDS Discovery Guide
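Attribute harmonization is the one item on this slide that can be checked mechanically on each cloud IdP before it is registered. The script below is an added example, not code from the slides or from the IDP in the Cloud project: it takes a user entry as it would be read from the organization's OpenLDAP, builds the eduPerson attributes the IdP would assert, and verifies that scoped values carry the scope assigned to that organization and that affiliation values come from the eduPerson vocabulary. It also goes one step beyond the slide by filtering the release down to what the SP declares it needs. The LDAP attribute names are the standard eduPerson/inetOrgPerson ones; the two directory entries, the scope "example-irccs.it" and the SP's required-attribute set are constructed for this example and are not IDEM's actual attribute profile.

```python
"""Attribute harmonization check for an IdP-in-the-Cloud instance.

Added example, not code from the GARR slides or the IdP in the Cloud project.
The LDAP attribute names are standard; the directory entries, the scope and
the SP requirement set are constructed and do not reproduce IDEM's profile.
"""

# eduPersonAffiliation controlled vocabulary (from the eduPerson specification)
EDUPERSON_AFFILIATIONS = frozenset({
    "faculty", "student", "staff", "employee", "member",
    "affiliate", "alum", "library-walk-in",
})

# Attributes whose values must have the form local-part@scope
SCOPED_ATTRIBUTES = ("eduPersonPrincipalName", "eduPersonScopedAffiliation")

ORG_SCOPE = "example-irccs.it"  # constructed scope for the sample organization

# Constructed directory entries, shaped like python-ldap results (attribute -> list of values)
GOOD_ENTRY = {
    "uid": ["mrossi"],
    "cn": ["Mario Rossi"],
    "mail": ["mario.rossi@example-irccs.it"],
    "eduPersonAffiliation": ["staff", "member"],
}
# An entry copied from another directory: foreign scope and a non-standard affiliation
BAD_ENTRY = {
    "uid": ["lbianchi"],
    "cn": ["Lucia Bianchi"],
    "mail": ["lucia.bianchi@example-irccs.it"],
    "eduPersonAffiliation": ["researcher"],
    "eduPersonPrincipalName": ["lbianchi@other-org.example"],
}


def build_attributes(entry, scope):
    """Derive the attribute set the IdP would assert from a directory entry.

    A stored eduPersonPrincipalName is kept as-is, so that a wrong stored value
    is caught by check_harmonization; otherwise it is derived as uid@scope.
    """
    affiliations = [a.lower() for a in entry.get("eduPersonAffiliation", [])]
    eppn = entry.get("eduPersonPrincipalName") or [f"{entry['uid'][0]}@{scope}"]
    return {
        "eduPersonPrincipalName": list(eppn),
        "mail": list(entry.get("mail", [])),
        "displayName": list(entry.get("cn", [])),
        "eduPersonAffiliation": affiliations,
        "eduPersonScopedAffiliation": [f"{a}@{scope}" for a in affiliations],
    }


def check_harmonization(attrs, scope):
    """Return the list of harmonization problems; an empty list means the set is clean."""
    problems = []
    for name in SCOPED_ATTRIBUTES:
        for value in attrs.get(name, []):
            local, sep, value_scope = value.rpartition("@")
            if not sep or not local or not value_scope:
                problems.append(f"{name}: '{value}' is not a scoped value")
            elif value_scope.lower() != scope.lower():
                problems.append(
                    f"{name}: '{value}' carries scope '{value_scope}', "
                    f"not the organization's scope '{scope}'")
    for value in attrs.get("eduPersonAffiliation", []):
        if value not in EDUPERSON_AFFILIATIONS:
            problems.append(f"eduPersonAffiliation: '{value}' is not in the eduPerson vocabulary")
    if len(attrs.get("eduPersonPrincipalName", [])) != 1:
        problems.append("eduPersonPrincipalName must be single-valued")
    return problems


def filter_release(attrs, required):
    """Release only the attributes the SP has declared it needs (attribute minimisation)."""
    return {name: values for name, values in attrs.items() if name in required and values}


if __name__ == "__main__":
    required_by_sp = {"eduPersonPrincipalName", "eduPersonScopedAffiliation", "mail"}
    for label, entry in (("good", GOOD_ENTRY), ("bad", BAD_ENTRY)):
        attrs = build_attributes(entry, ORG_SCOPE)
        problems = check_harmonization(attrs, ORG_SCOPE)
        print(label, "problems:", problems or "none")
        if not problems:
            print(label, "released:", filter_release(attrs, required_by_sp))
```

Running the script reports no problems for the first entry and two for the second (a principal name carrying another organization's scope, and an affiliation outside the vocabulary); only a clean entry reaches the release filter. Keeping the stored principal name rather than silently rewriting it is deliberate: a directory that was bulk-imported from another institution is exactly the case the check should surface, not paper over.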
Requirements compliance
Tutoring the Organization on a simplified joining procedure in order to:
• Fill in and sign the «Member Accession Form»
• Fill in and sign the «IDP Registration Request»
• Provide info for the entity Metadata (logo, descriptions, …)
• Fill in and sign the DOPAU (Identity Management Practice Statement (IMPS), i.e. something about the LoA declaration)