IDP IN THE CLOUD

VAMP, Helsinki, 30.09.2013

Good afternoon. I’m Lalla Mantovani from GARR, the Italian Research and Education Network, and I’m the coordinator of IDEM, the Italian Identity Federation for Research and Education. The title of my presentation is «IDP in the Cloud: a solution to facilitate the access of research communities to collaborative infrastructures».

Lalla Mantovani GARR & University of Modena and Reggio Emilia


My presentation will touch on the following points:
• The description of the problem.
• Who is the subject that can take charge of this problem.
• A use case: a community of researchers that need an answer to this problem.
• Then the solution that we offer to the problem and our achievements.
• And, at the end, the possibility of reusing our solution for other communities.


The problem is highlighted by the goal declared for this workshop: to foster the deployment of identity management and collaboration tools within the research community. We want to focus on the deployment of identity management tools because, as declared by the AAA study carried out by TERENA together with other partners: “to date, most NRENs in Europe offer federated access for their users. However, the level of deployment, in particular the participation of institutions in federations, is below the desired level.” The low number of identity providers joined to federations triggers a vicious cycle, a sort of chicken-and-egg problem, where services, that is potential service providers, don’t join the federations because their users don’t hold a federated identity, and organizations don’t join the federations because the federations don’t offer the services that their users need. We want to exit from this vicious cycle.


So, the problem is: how to lower the barrier for organizations to join federations. Who is the subject that can take charge of this problem? We believe this should be someone who:
• is aware of identity federations in the Research and Education field;
• deals with organizations;
• deals with scholars’ communities;
• manages e-infrastructures.


GARR is the NREN in Italy. GARR already manages the IDEM identity federation. To date 41 home organizations have joined the IDEM Federation, delivering about 3 million federated identities. Also 20 partner organizations have joined IDEM, bringing along their resources. To date the IDEM federation counts 88 service providers and 48 identity providers. Moreover, IDEM is a member of eduGAIN. So we can state that GARR is aware of identity federations.


GARR’s network interconnects about 500 organizations in Italy, so we can state that GARR deals with organizations. The number of 41 organizations that have already joined the IDEM Federation confirms the low level of identity provider deployment and the amount of work that still has to be done.


GARR also participates in research projects as an e-infrastructure partner, both at national and international level, so GARR has to deal with research communities, especially in the fields of Physics, Health & Biomedicine and Cultural Heritage.


Taking into account also the recommendations coming from the AAA study, GARR and IDEM, as the Italian identity federation operator, felt called into action, and considered how to offer a ready-to-use solution to organizations that haven’t joined IDEM yet. The solution should hide technical complexity from the users and also from the organizations.


Thanks to the collaborations that GARR keeps with the world of biomedical research, we became aware of the National Biomedical Research Database: a web-based service used for the management of project funds for biomedical research in Italy. 15 thousand users have access to the database from 80 different organizations. The organizations can be considered small as, on average, there are about 200 researchers interested in this service in each organization. This is a classical use case for service providers, because from the point of view of the resource there are too many users to manage and keep up to date, and from the point of view of the users, they would like easy access to additional services, like library resources, collaboration tools like the videoconference service, or large file sharing outside domain boundaries.


Who are the users of the National Biomedical Research Database? How is this users’ community made up? They are researchers in the fields of biomedicine, health and nutrition, not all of them belonging to universities but rather to different organizations, like research hospitals. In addition, other users are reviewers of the projects and fund managers. Out of a total of 81 Home Organizations:
• 58 belong to the R&E sector: 47 are research hospitals (IRCCS), 10 are nutrition & health institutes (IZS), and 1 is the National Institute of Health.
• 23 don’t belong to the R&E sector.
Due to the lack of ICT resources, these Home Organizations need service support in ICT. Due to access policies, GARR can support only R&E Organizations (58/81).
(IZS: they control livestock holdings.)


If we consider only the 58 organizations belonging to the R&E sector that want to connect to the database, a possible traditional solution could be:
• to make the web service a Service Provider;
• to deploy an Identity Provider in each organization (58);
• to register the SP and the IDPs in the IDEM Federation.
While the first and the last tasks could be somewhat easy, the second task could be very hard to achieve for these organizations.


The troubles that these organizations come up against in deploying their own Identity Provider inside the organization are due to the following facts:
• Home Organizations are small, or often only a comparatively small number of users in the organization needs to access a certain federated service; thus, in many cases they lack the critical mass which would motivate the setup of an IDP.
• In addition, the organizations’ focus is not on Information Technology.
• They have few resources to manage information systems.
• They lack the motivation to drive the organizational changes that Identity Management requires.


As the goal of the project is to make the deployment and management of identity providers easy, minimizing the activities and the complexity for home organizations, the solution that we propose is a ready-to-use identity management system offered as a service, bundled together with an identity provider as a service. We call this solution IDP in the Cloud.


The solution is not only a technical matter. IDP in the Cloud is only a part of an Agreement between the Ministry of Health, 55 of those organizations (research hospitals and health institutes), and GARR. The technical part of the solution was to build the out-of-the-box “IDP in the Cloud” that could hide the technical complexity. Our aim was also to design a platform that satisfies IDEM and eduGAIN policy requirements. So we had to tackle contractual matters, technical matters and policy matters.


The agreement between GARR and the Ministry of Health is a multi-year framework agreement in which GARR provides the Ministry site and 55 organizations with high bandwidth connectivity to the GARR-X network. In the framework agreement GARR also provides a set of advanced applications and network services: distributed storage, large file sharing, high definition multi-videoconference, etc. Among these advanced applications there is also the provision of one IDP in the Cloud for each organization.


The IDP in the Cloud technical solution is an Appliance as a Service, i.e. a virtual machine in the GARR cloud that includes a set of preconfigured services. These services are: Shibboleth IDP, uApprove, a custom login page, Apache2, OpenLDAP, phpLDAPadmin, MySQL, iptables, rsyslog, Nagios and Collectd. GARR is in charge of the system management of the virtual machine. From the point of view of the organization, the organization must appoint an internal person who will be in charge of managing identities for the organization itself through a web interface. The interface is made using phpLDAPadmin with appropriate customizations that make it easy to fill in the data of the identities to manage. Data are stored in an LDAP directory and used by the IDP, making it possible for the end users to get access to resources registered in the IDEM and eduGAIN federations.


We had a lot of issues to face:
• How can GARR deal with the deployment of hundreds of new systems with limited human resources?
• How can GARR deal with the response time when a user requests the IDP?
• How can GARR manage hundreds of systems with limited human resources?
• How can GARR deal with personal data protection (including backup and disaster recovery)?


In order to offer a reliable service, with storage located in Italy for privacy reasons, GARR decided to build its own cloud infrastructure to have a fault-tolerant and resilient system where we could offer advanced servers and services in an “as a Service” fashion. This infrastructure is made of 12 physical nodes. Each node has 64GB of RAM and a hexa-core CPU with hyper-threading. The nodes are geographically distributed over two distant sites to maximize resilience in case of failure of systems or communication.


The GARR Cloud is built using the OpenStack platform on Ubuntu Server distributions. The storage present on the nodes is managed with GlusterFS, with the volumes in distributed and replicated mode. This ensures data availability and resilience.


OpenStack is configured to use 2 controllers, located in the 2 different sites of the cloud, that control the set of nodes. The image shows the redundancy and resilience also in communications.


The problem of deployment and management of hundreds of potential systems in the cloud was tackled by automating and optimizing the provisioning process. In this image we see a comparison of the times of the single steps necessary for provisioning the IDP: on the left during a manual process, and on the right during an automated process using OpenStack features and Puppet recipes. Thanks to OpenStack features, the time for the first 2 steps, VM provisioning and OS installation and configuration, is reduced from one hour and a half to 15 minutes. Thanks to Puppet recipes, the time for the next 3 steps (installation of software prerequisites, installation of Shibboleth and other software, and configuration of Shibboleth with LDAP, MySQL and others) is reduced from 55 minutes to 2 minutes. So the total provisioning time of the IDP in the Cloud machine is reduced from 2 hours and 25 minutes to 17 minutes.


This slide just shows some screenshots of the monitoring tools that we use to control the cloud, the hosts provided, and the running services.


This image represents the workflow for the «IDP in the Cloud» provisioning, starting from the request coming from the home organization up to the registration in the production IDEM Federation. You all know that registering an entity in a federation requires an agreement signed by the organization, acceptance of policies, provision of information, descriptions, logos, a lot of stuff, and at the end the compliance audit has to be done by the federation operator. We want to point out that the automated «IDP in the Cloud» VM provisioning that we described just before is represented here in this workflow. For the success of the project with this community, to reach the goal of having really working Identity Providers, we realized that we have to focus on customer care both in the pre-provisioning phase and in the post-provisioning phase. The workflow is long and complex, but we tried to minimize the points where we ask something of the home organizations. These points are indicated with the light blue boxes, while the green boxes represent automated processes and the white boxes represent steps in charge of GARR.


These are some federation issues that we faced, better explained in the next slides.


To obtain compliance with IDEM requirements we tutor the organization through a simplified joining procedure in order to:
• fill in and sign the «Member Accession Form»;
• fill in and sign the «IDP Registration Request»;
• provide info for the entity metadata (logos, descriptions, …);
• fill in and sign the Identity Management Practice Statement, which is a sort of LoA declaration.
In this way we also tried to lower the legal barrier, simplifying the legal stuff by offering prefilled documents ready to be signed.


To obtain eduGAIN compliance and enable end users to access eduGAIN services, we create metadata entities and identity attributes that follow the eduGAIN metadata profile and the eduGAIN attribute profile. Regarding attributes, all eduGAIN recommended attributes are implemented in the LDAP directory, and the web form for the IDP administrators helps in filling in their values. The controlled vocabulary on Affiliation and OrganizationType is also implemented. Thanks to the ordinary requirements necessary to join the IDEM Federation we obtain something more than a basic level of assurance.


Having the IDPs in the Cloud, in some way under our central design, we can ensure proper attribute harmonization between all the IDPs of the community. For these IDPs we implement all the attributes recommended by IDEM and by eduGAIN; and for the attributes required by the community, like a personal persistent unique identifier, we decided on a broad use of the schacPersonalUniqueID attribute (the value is the unique identifier used for taxation in Italy).
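Worked example of the attribute harmonization just described, serving also the controlled-vocabulary point of the previous slide; it is added here and is not GARR's code. It checks a constructed identity record for the required attributes, for eduPersonAffiliation values inside the eduPerson vocabulary, and for a schacPersonalUniqueID whose value is an Italian tax code (codice fiscale) with a valid check character. The REQUIRED set and the URN layout urn:schac:personalUniqueID:it:CF:<code> are assumptions.

```python
"""Harmonization check for an IDP in the Cloud identity record (added example,
not GARR's code). Assumed: the REQUIRED set below and the URN layout
urn:schac:personalUniqueID:it:CF:<codice fiscale> for the Italian tax code."""
import re

REQUIRED = ("uid", "mail", "displayName", "eduPersonAffiliation",
            "eduPersonScopedAffiliation", "schacPersonalUniqueID")

# eduPerson controlled vocabulary for eduPersonAffiliation.
AFFILIATIONS = {"member", "student", "faculty", "staff", "employee",
                "affiliate", "alum", "library-walk-in"}

# Codice fiscale of a natural person: 6 letters, 2 digits, 1 letter, 2 digits,
# 1 letter, 3 digits, 1 check letter (plain form, no omocodia substitutions).
CF_RE = re.compile(r"^[A-Z]{6}\d{2}[A-Z]\d{2}[A-Z]\d{3}[A-Z]$")
PUID_RE = re.compile(r"^urn:schac:personalUniqueID:it:CF:([A-Z0-9]{16})$")
# Weights of characters in odd (1-based) positions, per the official
# check-character algorithm; even positions use 0-9 and A-Z = 0-25.
ODD = dict(zip("0123456789ABCDEFGHIJKLMNOPQRSTUVWXYZ",
               [1, 0, 5, 7, 9, 13, 15, 17, 19, 21, 1, 0, 5, 7, 9, 13, 15, 17, 19,
                21, 2, 4, 18, 20, 11, 3, 6, 8, 12, 14, 16, 10, 22, 25, 24, 23]))

def cf_is_valid(cf: str) -> bool:
    """Structural and check-character validation of an Italian codice fiscale."""
    if not CF_RE.match(cf):
        return False
    total = 0
    for i, ch in enumerate(cf[:15]):
        if i % 2 == 0:  # odd 1-based position
            total += ODD[ch]
        else:
            total += int(ch) if ch.isdigit() else ord(ch) - ord("A")
    return chr(ord("A") + total % 26) == cf[15]

def check_record(rec: dict, scope: str) -> list:
    """Return the problems found in a record; an empty list means harmonized."""
    problems = [f"missing {a}" for a in REQUIRED if not rec.get(a)]
    for aff in rec.get("eduPersonAffiliation", []):
        if aff not in AFFILIATIONS:
            problems.append(f"affiliation '{aff}' not in controlled vocabulary")
    for saff in rec.get("eduPersonScopedAffiliation", []):
        value, _, sc = saff.partition("@")
        if value not in AFFILIATIONS or sc != scope:
            problems.append(f"scoped affiliation '{saff}' has bad value or scope")
    for puid in rec.get("schacPersonalUniqueID", []):
        m = PUID_RE.match(puid)
        if not m or not cf_is_valid(m.group(1)):
            problems.append(f"schacPersonalUniqueID '{puid}' is malformed")
    return problems

# Constructed sample records (fictitious person, fictitious organization).
GOOD = {
    "uid": "mrossi", "mail": "m.rossi@irccs.example.it",
    "displayName": "Mario Rossi",
    "eduPersonAffiliation": ["member", "staff"],
    "eduPersonScopedAffiliation": ["staff@irccs.example.it"],
    "schacPersonalUniqueID": ["urn:schac:personalUniqueID:it:CF:RSSMRA80A01H501U"],
}
# Same record with a non-vocabulary affiliation and a wrong check letter.
BAD = dict(GOOD, eduPersonAffiliation=["researcher"],
           schacPersonalUniqueID=["urn:schac:personalUniqueID:it:CF:RSSMRA80A01H501X"])
```

`check_record(GOOD, "irccs.example.it")` returns an empty list, while the BAD record yields two problems; the scope argument is the IDP's own domain, so a scoped affiliation for another domain is also rejected.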


We also wanted to be compliant with the REFEDS discovery guide, so the IDPs’ metadata are enriched with names and logos to be ready for smart discovery services. Moreover, the IDP login page is designed for co-branding with the SP, taking a lot of user interface information from the SP metadata and displaying it on the IDP login page.
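Added example (not GARR's code) of the co-branding step described above: the IDP login page reads the SP's mdui:UIInfo (display name, description, logo, privacy statement) from its SAML metadata, picks the requested language with an English fallback, escapes the text before it reaches the page, and embeds only https logos. The SP metadata, its entityID and URLs are constructed.

```python
"""Co-branding data for the IDP login page, read from an SP's SAML metadata.

Added example, not GARR's code.  Element names follow the SAML V2.0 metadata
extensions for login and discovery UI (mdui); the SP metadata is constructed.
"""
import html
import xml.etree.ElementTree as ET

NS = {"md": "urn:oasis:names:tc:SAML:2.0:metadata",
      "mdui": "urn:oasis:names:tc:SAML:metadata:ui"}
XML_LANG = "{http://www.w3.org/XML/1998/namespace}lang"

# Constructed SP metadata (fictitious entityID and URLs).
SP_METADATA = """<md:EntityDescriptor xmlns:md="urn:oasis:names:tc:SAML:2.0:metadata"
    xmlns:mdui="urn:oasis:names:tc:SAML:metadata:ui"
    entityID="https://sp.example.org/shibboleth">
  <md:SPSSODescriptor protocolSupportEnumeration="urn:oasis:names:tc:SAML:2.0:protocol">
    <md:Extensions>
      <mdui:UIInfo>
        <mdui:DisplayName xml:lang="en">Biomedical Research Database</mdui:DisplayName>
        <mdui:DisplayName xml:lang="it">Banca Dati Ricerca Biomedica</mdui:DisplayName>
        <mdui:Description xml:lang="en">Project funds management</mdui:Description>
        <mdui:Logo height="60" width="80">http://sp.example.org/logo.png</mdui:Logo>
        <mdui:Logo height="60" width="80">https://sp.example.org/logo.png</mdui:Logo>
        <mdui:PrivacyStatementURL xml:lang="en">https://sp.example.org/privacy</mdui:PrivacyStatementURL>
      </mdui:UIInfo>
    </md:Extensions>
  </md:SPSSODescriptor>
</md:EntityDescriptor>"""


def _localized(uiinfo, tag, lang):
    """Text of <mdui:tag> in the requested language, falling back to English."""
    texts = {e.get(XML_LANG): (e.text or "").strip()
             for e in uiinfo.findall(f"mdui:{tag}", NS)}
    # Metadata is federation-signed but still foreign input: escape it before
    # it is echoed into the login page HTML.
    return html.escape(texts.get(lang) or texts.get("en") or "")


def sp_branding(metadata_xml: str, lang: str = "it") -> dict:
    """UI information the IDP login page may show for the requesting SP."""
    root = ET.fromstring(metadata_xml)
    branding = {"entity_id": root.get("entityID"), "display_name": "",
                "description": "", "privacy_url": "", "logo": None}
    uiinfo = root.find("md:SPSSODescriptor/md:Extensions/mdui:UIInfo", NS)
    if uiinfo is None:
        return branding  # nothing to co-brand with: the page shows the entityID
    branding["display_name"] = _localized(uiinfo, "DisplayName", lang)
    branding["description"] = _localized(uiinfo, "Description", lang)
    branding["privacy_url"] = _localized(uiinfo, "PrivacyStatementURL", lang)
    # Embed only https logos: an http image on the https login page would be
    # blocked or flagged as mixed content by the browser.
    for logo in uiinfo.findall("mdui:Logo", NS):
        url = (logo.text or "").strip()
        if url.startswith("https://"):
            branding["logo"] = {"url": url, "height": int(logo.get("height", "0")),
                                "width": int(logo.get("width", "0"))}
            break
    return branding
```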


The state of the art: we started last November with the announcement of the project, and in March we had the HW in place. The deployment of the cloud infrastructure took 3 months, and at the end of June we started deploying the IDPs in the cloud. To date we have 3 organizations that have requested their IDP in the cloud. So to date we have 5 IDPs running in the cloud: 2 for tests and 3 for the organizations that have already requested them. Our cloud infrastructure is designed to host 250 IDPs, so there is still a lot of space.


In the end we are getting successful results for this use case: the National Biomedical Research Database is now a service provider federated in IDEM. Home organizations can now easily obtain IDPs federated in IDEM and eduGAIN for their users. Regarding a «Home for the Homeless», a dedicated IDP for this community is running; but there are very few people left outside organizations.


The whole Italian research community in the field of biomedicine and health will be provided with federated (and inter-federated) identities. This community could be interested in getting access to other resources, so we think that there could be resources interested in offering federated access to this community, and other projects could be interested too; we think about the biobanks, for example. The availability of a whole community of researchers provided with federated identities could be a good reason to put effort into connecting resources to federations.


From the communities’ side, we are looking for more communities that could be interested in the «IDP in the cloud» service. A candidate could be the Digital Cultural Heritage community. This community in Italy is spread all over the nation in museums, archives and libraries. They are beginning to be more and more involved in collaboration projects, so they could potentially be interested.


There could also be other international projects interested in the «IDP in the cloud» offer. Among others, GARR is involved in two projects whose aim is to foster the usage of interoperable e-infrastructures and services, and which, in our opinion, could greatly benefit from this solution: these projects are ELCIRA and CHAIN-REDS. The ELCIRA project aims at coordinating tools and services to enhance collaboration between Europe and Latin America in research activities. Members of the project are RedCLARA, the association of the NRENs in Latin America, DANTE, TERENA and the NRENs of Brazil, Colombia, Italy and Spain. The image on the left highlights the nations that refer to RedCLARA. One of the goals of the ELCIRA project is to set up the national identity federations in Latin America. At the same time, the CHAIN-REDS project aims at promoting and supporting technological and scientific collaboration across different e-Infrastructures established and operated in various continents. Among the members of the CHAIN-REDS project there are the UbuntuNet Alliance, which involves several African countries, and ASREN, which coordinates the south Mediterranean and Middle East NRENs. For Italy, the National Institute of Physics is a member of this project and GARR is a subcontractor. Both projects focus on collaboration infrastructures, and the way to access the collaboration platforms is a real issue to tackle. We think that the “IDP in the cloud” offer could be a means to boost collaboration and speed up the rise of national federations in these countries.


Having experience in offering cloud services like IDP in the Cloud, that is an IDP as a Service, it becomes natural for GARR to offer other kinds of System as a Service, mainly the ones bound to federations: for example the Resource Registry, the Metadata Aggregator and the metadata distribution service, or the Discovery Service. This could become, in the near future, a Federation as a Service offer.
