TIER: Moving the Community to Adoption and Production
University of Illinois: Keith Wessel
University of Wisconsin-Madison: James Babb, Keith Hazelton, Tom Jordan
University of Virginia: Jim Jokl
Internet2: Paul Caskey, Ann West, Steve Zoppi
[ 3 ]
What is TIER all about?
• Sustain software that we've developed together.
• Fill the gaps by providing a set of integrated components that addresses IAM as a whole.
• Address community requirements across the components.
• Develop and maintain community and corporate partnerships.
[ 8 ]
TIER Core Additions
• Component Packaging
• API and Data Structures
• Extensibility
• Entity Registry
• Community Test and Development Environment
• Research Functionality
TIER Development Process
• Open source
• Iterative dev, test, review
• Assumes collaboration & tight integration with campus teams
[Figure: TIER development process cycle. Stages shown: Community Developed Specifications, Internet2 Contracted Software Development, Internet2 Automated Testing, Campus Functional Review & Testing, Community Workshop use cases/requirements]
[ 10 ]
What is TIER all about … TODAY
• Fulfill / Complete the "sustainability plan"
• Adjust velocity and course to match the end of investment funding and the spending profile of the base on-going funding
• Harmonize community requirements across the components (blending original Investor-validated requirements with the New Needs of the Research Community)
• Focus on EXISTING commercial and professional partnerships (develop a FEW strategic or vital New Relationships if needed)
[ 11 ]
From Spring: Putting it All Together
• TIER must look forward AND fit diverse operations today
• TIER progressing on stable integrated platform
• API and Registry Components to be delivered in fall
• Provide feedback to working groups to speed delivery of functionality
[ 12 ]
Since Spring: TIER and Testing Adoption
• Campus Success Program
  • Post-Spring Survey
  • 10 schools deploying one or more TIER containerized components
  • Lessons Learned shared along the way
  • Contributing guidance documents and presentation deliverables back to you!!
• Call to Action
  • Achieving TIER Goals Requires the Community to Help Itself
  • Operations Environment
  • TIER Development Cycle
  • Reviewing TIER and Providing Feedback
  • Starting Discussions on Campus
  • www.internet2.edu/media/cms_page_media/3614/Testing-and-adopting-TIER.pdf
[ 13 ]
Thanks to the Campus Success Participants!
• Colorado School of Mines
• Colorado State University
• Georgia Tech
• Oregon State University
• Lafayette College
• Rice University
• University of California, Merced
• University of Illinois
• University of Maryland - Baltimore County
• University of Michigan
For more information, see spaces.internet2.edu/x/oQrABg
And Thanks to the TIER Investor Schools... Arizona State University * Boston University * Carnegie Mellon University * Case Western Reserve University * Duke University * Harvard University * Indiana University * Lafayette College * Louisiana State University * New York University * Northwestern University * The Ohio State University * Old Dominion University * Oregon State University * Purdue University - Main Campus * Rice University * University of Arizona * University of California - Berkeley * University of California - Merced * University of Chicago * University of Florida * University of Hawaii - Manoa * University of Illinois - Urbana-Champaign * University of Maryland - Baltimore County * University of Maryland - College Park * University of Miami * University of Michigan - Ann Arbor * University of Missouri - Columbia * University of Nebraska - Lincoln * University of North Carolina - Chapel Hill * University of Notre Dame * University of Virginia * University of Wisconsin - Madison * Washington University - Saint Louis
[ 17 ]
TIER Packaging Background
• Early discussions about multiple possible component delivery mechanisms
• Decision for TIER Packaging to focus on Docker
[ 18 ]
Current TIER Component Packaging
• Virtual Machine Images
  • Effectively build application appliances
  • Docker internally, but Docker mostly hidden from the sysadmin
  • Additional operations support
  • Containers tuned for the VMs
• Excellent for greenfield and evaluation
  • Not really designed to support migration from installed base
  • How we handled secrets limits how the systems are placed into production
  • High availability is difficult
  • Questions from adopters on how to move forward
• We are not yet leveraging much of what Docker can do
[ 19 ]
Recent Work: Services for Large Scale Production Workloads
• Focus on adoption
  • What is needed to migrate production workloads to TIER packaged components?
• Production infrastructure support
  • Load balancing & high availability
  • Solutions for better secret protection and distribution
  • Configuration management and product upgrades
  • Interconnection: how to wire the pieces together
  • Scaling & support for geographic diversity
  • Security & ease of use
[ 20 ]
Docker Swarm
• Network Encryption
• Secrets and Configs
• Auto scaling
• Eases geographic diversity
• Part of Docker: Everyone has it
Ref: Docker
[ 21 ]
[Figure: COmanage Outline. Components shown: Load Balancer, Shibboleth SP, SATOSA Proxy, OpenLDAP, COmanage Application, MariaDB, Demo App (MediaWiki with Shib Plugin and MariaDB), Federation IdP]
[ 22 ]
[Figure: Grouper Outline. Components shown: Load Balancer, Grouper Web Services (Shib SP, Apache), Grouper UI (Shib SP, Apache), Grouper Loader (Java), MariaDB]
[ 23 ]
[Figure: Shibboleth IdP Outline. Components shown: Load Balancer, several Shibboleth IdP instances (Java, Tomcat), Shib SP with Apache, External LDAP, Docker Registry, Setup Tooling]
[ 24 ]
Getting Involved
• If you are familiar with Docker
  • We could use your help with Packaging
• If you are familiar with any of the components
  • We could use your help with Packaging
[ 26 ]
TIER-Shib IdP
• What's been done?
  • Phase 1: VM/container
  • Phase 2: Standalone container
    • Linux
    • Windows
  • Solutions for HA operation
    • gen1 / HAproxy
    • gen2 / Docker swarm
[ 27 ]
TIER-Shib IdP
• How can you run it?
  • Public containers located in Docker Hub
  • Run on one or more Docker container servers (Linux + Docker)
  • Or use another container orchestration solution
    • Amazon ECS
    • Kubernetes
    • Rancher
[ 28 ]
TIER-Shib IdP
• How does it work?
  • Configuration
    • New: ConfigBuilder microservice
    • Existing: use build/run-time parameters to point to your config files
  • Docker Swarm
    • distributed access (any node)
    • need ELB
    • Can use secrets
  • AWS ECS
    • no secrets (all is burned-in)
    • EC2 autoscaling is cool
    • shooting old and misbehaving nodes in the head is lots of fun
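The secrets point on the Docker Swarm slide and the "all is burned-in" note above are the same concern seen from two sides: a credential written into the image travels with the image, while a swarm secret is mounted at run time and never enters a layer. The following is an added example written for this page, not TIER's own packaging code: a pre-push check that flags credential-looking ENV/ARG literals in a build file, next to the read pattern a service uses for a swarm-mounted secret. Both Dockerfile texts are constructed samples; the `/run/secrets/<name>` path is Docker swarm's documented mount convention, and the regex is a heuristic.

```python
"""Added example, not TIER's own packaging code: a check for credentials
burned into an image build file, next to the Docker-secrets read pattern that
replaces them. The two Dockerfile texts are constructed for this example;
the /run/secrets/<name> mount path is Docker swarm's documented convention."""
import os
import re
import tempfile

# Constructed sample: the "all is burned-in" shape. Everything in ENV/ARG ends
# up in the image metadata and layer history and travels with the image to
# every registry it is pushed to.
BURNED_IN_DOCKERFILE = """\
FROM tomcat:8-jre8
ENV IDP_HOME=/opt/shibboleth-idp
ENV JDBC_URL=jdbc:mariadb://db:3306/idp
ENV JDBC_PASSWORD=Summer2017!
ARG KEYSTORE_PASS=changeit
COPY idp.war /usr/local/tomcat/webapps/
"""

# Constructed sample: the same image with the credentials taken out; the
# orchestrator mounts them under /run/secrets at run time instead.
SECRET_AWARE_DOCKERFILE = """\
FROM tomcat:8-jre8
ENV IDP_HOME=/opt/shibboleth-idp
ENV JDBC_URL=jdbc:mariadb://db:3306/idp
COPY idp.war /usr/local/tomcat/webapps/
"""

# Heuristic: an ENV or ARG whose name looks credential-like and that is given
# a literal value. Names such as PUBLIC_KEY_URL will also trip it; that is
# acceptable for a pre-push check that a human reviews.
SECRET_ASSIGNMENT = re.compile(
    r"^\s*(?:ENV|ARG)\s+"
    r"(?P<key>[A-Z0-9_]*(?:PASS(?:WORD)?|SECRET|TOKEN|KEY)[A-Z0-9_]*)"
    r"(?:\s*=\s*|\s+)(?P<value>\S+)",
    re.IGNORECASE,
)


def find_burned_in_secrets(dockerfile_text):
    """Return [(line_no, variable_name)] for credential-looking literals."""
    findings = []
    for line_no, line in enumerate(dockerfile_text.splitlines(), start=1):
        match = SECRET_ASSIGNMENT.match(line)
        if match and match.group("value").strip('"') != "":
            findings.append((line_no, match.group("key")))
    return findings


def read_secret(name, secrets_dir="/run/secrets"):
    """Read a secret the way a swarm service receives it: a file mounted at
    /run/secrets/<name>, in a tmpfs that never touches the image. A missing
    secret raises rather than silently returning an empty password."""
    path = os.path.join(secrets_dir, name)
    try:
        with open(path, encoding="utf-8") as fh:
            return fh.read().rstrip("\n")
    except FileNotFoundError as exc:
        raise RuntimeError(f"secret {name!r} is not mounted at {path}") from exc


def demo_secret_mount():
    """Simulate the swarm mount in a temporary directory (no Docker needed)
    and return what the service would read."""
    with tempfile.TemporaryDirectory() as secrets_dir:
        with open(os.path.join(secrets_dir, "jdbc_password"), "w", encoding="utf-8") as fh:
            fh.write("constructed-sample-value\n")
        return read_secret("jdbc_password", secrets_dir=secrets_dir)


if __name__ == "__main__":
    for line_no, key in find_burned_in_secrets(BURNED_IN_DOCKERFILE):
        print(f"burned-in credential on line {line_no}: {key}")
    print("secret-aware build file findings:", find_burned_in_secrets(SECRET_AWARE_DOCKERFILE))
    print("service reads:", demo_secret_mount())
```

Run the checker over every Dockerfile before `docker push`; anything it reports is visible to whoever can pull the image or read its history, which is why the ECS "burned-in" deployment on the slide cannot be treated as a production secret store.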
[ 29 ]
Shibboleth IdP Relying Party GUI Update
• Original requirements doc: https://spaces.internet2.edu/display/TPWG/Shibboleth+Relying+Party+Configuration+GUI
• Will allow for basic configuration of routine relying-party items
• Unicon is making great progress on the UI
• Phase 1 is on schedule to be ready in December!
PROVISIONING BEST PRACTICES: THE BIG TEN ACADEMIC ALLIANCE
Presented by Keith Wessel
University of Illinois at Urbana-Champaign
[ 32 ]
Who Are We?
• The Big Ten Academic Alliance
• Formerly the CIC
• A consortium of the Big Ten schools and the University of Chicago
• Better together: combined research and collaboration
[ 33 ]
Why provisioning?
• No widely used standards
• A 'wild west'
• Hard to scale federation if we can't scale provisioning
• Different definitions of provisioning: identities, credentials, services
• De-provisioning might never happen
[ 34 ]
So what are you going to do about it?
• Planned to start with product evaluations
  • Got tangled up in terminology
• Take II: survey of current practices and needs
  • Use survey results to identify trends
  • Document best practices based on those trends and experiences
[ 35 ]
Survey topics
• General information
• Auditing and reporting
• Target systems
• Roles and groups
• Digital identities
• Credentials
[ 36 ]
Survey goals
• Learn what software schools are using and what they like/dislike about it
• Get an idea of schools' future plans
• Find things that schools would like to do but can't due to technology limitations
• We've found several interesting trends and concepts in the results.
[ 37 ]
What we learned -- general info
• Most folks are neutral to moderately pleased with their provisioning software
• Event-driven and messaging is commonly used and liked; batch processing can be slow and is disliked
• Many would like an easier connector framework for on-boarding new services
• Commercial products do better with this than in-house creations, not surprisingly
[ 38 ]
What we learned -- auditing and reporting
• Most member schools are reactive, not proactive, on auditing and reporting
• Within a target system, it is easy to grant access, hard to know who has access or should
• Some schools point out that auditing policies are a political problem, not a technical one
• Products capable of auditing often license per identity, which can be expensive
• Potential Net+ engagement with product vendors to lower cost?
[ 39 ]
What we learned -- target systems
• Not everyone defines a target system the same: directory vs. service
• Most schools have a limited number of downstream targets that they provision: most of those targets are directories
• Several schools do on-request service provisioning, different from JIT, but most use custom solutions
• De-provisioning identities is hard: how do you define an inactive user?
• Survey didn't ask about who handles service provisioning
  • This can be the central IAM group or the service owner
  • Most schools represented in the WG feel this issue is mainly political
[ 40 ]
What we learned -- roles and groups
• Most schools are using Grouper to handle this in varying degrees
• Many schools have tighter configurations in Grouper regarding who can create groups that handle authorization functions
• Not many schools using eduPersonAffiliation for authorization purposes internally
• Many schools face challenges with
  • Lack of alignment between business and technical processes
  • Users with multiple roles
  • Users with multiple job titles
[ 41 ]
What we learned -- digital identities
• More schools are auto-generating usernames rather than allowing users to make their own
• Username generation rules differ between schools
• Even split for first-time login between OTP and bio/demo questions
• In most cases, identity matching handled outside of the central IdM system
• Strong interest in social IDs for guest identities
[ 42 ]
What we learned -- credentials
• Responding schools have a variety of password requirements
  • A lot of common themes with length, character classes, history
  • NIST 800-63-3 might be a factor for password complexity in the near future
• Regardless, any recommended provisioning engine that handles passwords must have flexible rule definitions
• The WG wonders if MFA might help to relax password expiration or complexity guidelines
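What "flexible rule definitions" can look like in practice, as an added example written for this page rather than the working group's code: a small rule engine where a policy is just a list of rule functions, so a legacy composition policy (length, character classes, history) and a NIST SP 800-63B style policy (minimum and maximum length, a compromised-password blocklist, no username in the password, no mandatory character classes) coexist and can be swapped per population. The blocklist, the sample history and the example usernames are constructed; the SHA-256 fingerprint for history is for illustration only, since a real credential store compares against its own slow password hashes.

```python
"""Added example, not the working group's code: a password rule engine with
pluggable rule definitions. Two constructed policies are shown: a legacy
composition policy and one following NIST SP 800-63B. The blocklist and the
password history are tiny constructed samples."""
import hashlib
import re

# Constructed sample of a compromised-password list (lower-cased entries).
COMPROMISED_SAMPLE = {"password", "123456", "qwerty", "summer2017", "letmein"}

# Every rule takes (password, context) and returns None when satisfied or a
# short reason string when violated. Policies are just lists of rules, so a
# campus can assemble its own without touching engine code.

def min_length(n):
    return lambda pw, ctx: None if len(pw) >= n else f"shorter than {n} characters"

def max_length(n):
    return lambda pw, ctx: None if len(pw) <= n else f"longer than {n} characters"

def character_classes(required):
    classes = [r"[A-Z]", r"[a-z]", r"\d", r"[^A-Za-z0-9]"]
    def rule(pw, ctx):
        present = sum(1 for pattern in classes if re.search(pattern, pw))
        return None if present >= required else f"needs {required} character classes"
    return rule

def not_in_blocklist(blocklist):
    return lambda pw, ctx: "appears in compromised-password list" if pw.lower() in blocklist else None

def not_contains_username():
    def rule(pw, ctx):
        user = ctx.get("username", "")
        return "contains the username" if user and user.lower() in pw.lower() else None
    return rule

def fingerprint(pw):
    """Illustrative only: a real credential store compares against its own
    slow password hashes; SHA-256 keeps this sample self-contained."""
    return hashlib.sha256(pw.encode("utf-8")).hexdigest()

def not_in_history():
    def rule(pw, ctx):
        return "reuses a previous password" if fingerprint(pw) in ctx.get("history", ()) else None
    return rule

# Legacy shape: composition rules, which accept a breached password that
# happens to mix cases and digits.
LEGACY_POLICY = [min_length(8), character_classes(3), not_in_history()]

# 800-63B shape: length and a blocklist do the work; no composition rules, so
# long passphrases are accepted and known-compromised strings are not.
NIST_800_63B_POLICY = [min_length(8), max_length(64), not_in_blocklist(COMPROMISED_SAMPLE),
                       not_contains_username(), not_in_history()]

def evaluate(policy, password, context=None):
    """Return the list of violated-rule reasons; an empty list means accepted."""
    ctx = context or {}
    reasons = []
    for rule in policy:
        reason = rule(password, ctx)
        if reason:
            reasons.append(reason)
    return reasons

if __name__ == "__main__":
    for candidate in ("Summer2017", "correct horse battery staple"):
        print(candidate, "legacy:", evaluate(LEGACY_POLICY, candidate),
              "800-63B:", evaluate(NIST_800_63B_POLICY, candidate))
```

The contrast the two sample policies produce is the one the slide hints at: the legacy rules accept a compromised password that satisfies three character classes and reject a long passphrase, while the 800-63B rules do the opposite.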
[ 43 ]
Current work
• Identifying best practices
• Identifying a structure for a write-up
  • Documented practices should start falling into place once we have an outline
• Still brainstorming additional deliverables
[ 44 ]
Potential deliverables
• Write-up of recommended best practices
• Catalog of SCIM schemas
• Grouper recipes
• Product evaluations
[ 47 ]
TIER Provisioning/Deprovisioning
• Latent provisioning in (and around) TIER:
  • Grouper
  • COmanage
  • midPoint
• TIER Provisioning Philosophies
  • Functional overlap is ok: look for best fit in the environment
  • Be pluggable and loosely coupled
  • Be event/interface driven
  • Look at authorization as grouping function
  • Keep provisioning lightweight (and via standards where possible)
[ 48 ]
TIER – Data-Driven Authorization and Provisioning
[Figure: a Course Repository (CS101, CS102, ACCT101, ACCT102, MATH100, MATH102) and a Person Repository feed Data-Driven Groups (basis:courses). These feed Institutionally Meaningful Cohorts (ref:affiliations): All Students, CS Students, CS101 Students and All Faculty, CS Faculty, CS101 Faculty, where each broader cohort "Includes" the narrower one. The cohorts in turn feed the Enterprise Access Control Policy groups for a Canvas Instance (app:canvas): Canvas Students, Canvas CS Students, Canvas CS101 Students, Canvas Faculty, Canvas CS Faculty, Canvas CS101 Faculty, and CS101 Course Students/Faculty]
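The three layers on the slide (basis groups loaded from source data, reference cohorts derived from them, application groups that are actually pushed) are easier to reason about when written out. The following is an added example for this page, not TIER or Grouper code, that computes the pattern in plain Python. The enrollment and affiliation rows are constructed; the folder names basis:courses, ref:affiliations and app:canvas come from the slide, while the group names inside them, the "strip the digits to get a department" rule, and the set of provisioned roles are assumptions. The app layer intersects each cohort with the matching all_<role> affiliation group, so a person whose institutional affiliation ends drops out of every Canvas group even while a stale course row still lists them, which is the de-provisioning property the earlier slides worry about.

```python
"""Added example, not TIER or Grouper code: the basis -> ref -> app group
pattern from the data-driven authorization slide, computed in plain Python.
Enrollment and affiliation rows are constructed; folder names come from the
slide, group naming and the department rule are assumptions."""
from collections import defaultdict

# Constructed course repository rows: (course, person, role).
ENROLLMENTS = [
    ("CS101", "alice", "student"),
    ("CS101", "bob", "student"),
    ("CS101", "prof_lee", "faculty"),
    ("CS102", "alice", "student"),
    ("ACCT101", "carol", "student"),
    ("ACCT101", "prof_kim", "faculty"),
    ("MATH100", "bob", "student"),
]

# Constructed person repository rows: (person, affiliation).
AFFILIATIONS = [
    ("alice", "student"), ("bob", "student"), ("carol", "student"),
    ("prof_lee", "faculty"), ("prof_kim", "faculty"),
    ("dave", "staff"),  # enrolled nowhere: must not reach any Canvas group
]

# Only these affiliations are ever pushed to Canvas (assumption).
PROVISIONED_ROLES = {"student", "faculty"}


def build_basis_groups(enrollments):
    """basis:courses:<course>:<role>, loaded straight from source data and
    never hand-edited; it changes only when the SIS changes."""
    basis = defaultdict(set)
    for course, person, role in enrollments:
        basis[f"basis:courses:{course}:{role}"].add(person)
    return basis


def build_ref_groups(basis, affiliations):
    """ref:affiliations cohorts: the institutionally meaningful layer. The
    broader cohort (all_student, CS_student) includes the narrower one
    (CS101_student), which is what the slide's 'Includes' arrows express."""
    ref = defaultdict(set)
    for person, affiliation in affiliations:
        ref[f"ref:affiliations:all_{affiliation}"].add(person)
    for name, members in basis.items():
        _, _, course, role = name.split(":")
        dept = course.rstrip("0123456789")      # CS101 -> CS (assumed naming rule)
        ref[f"ref:affiliations:{dept}_{role}"] |= members
        ref[f"ref:affiliations:{course}_{role}"] |= members
    return ref


def build_app_groups(ref, app="canvas"):
    """app:<app> groups are what the provisioner pushes. Each is the cohort
    intersected with the matching all_<role> affiliation group, so losing the
    institutional affiliation removes a person from every Canvas group."""
    app_groups = {}
    for name, members in ref.items():
        cohort = name.split(":")[-1]            # e.g. CS101_student
        role = cohort.rsplit("_", 1)[-1]        # student / faculty / staff
        if role not in PROVISIONED_ROLES:
            continue
        eligible = ref.get(f"ref:affiliations:all_{role}", set())
        app_groups[f"app:{app}:{cohort}"] = members & eligible
    return app_groups


def pipeline(enrollments, affiliations):
    """Course and person data in, Canvas-ready groups out."""
    return build_app_groups(build_ref_groups(build_basis_groups(enrollments), affiliations))


if __name__ == "__main__":
    for name, members in sorted(pipeline(ENROLLMENTS, AFFILIATIONS).items()):
        print(f"{name}: {sorted(members)}")
```

Removing a person's affiliation row and re-running the pipeline shows the intended effect: their course rows are still present in the basis layer, but no app:canvas group contains them.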
[ 49 ]
TIER Provisioning Demo – SIS to Canvas via Grouper and Messaging
[Figure: SIS student/course data is loaded into Grouper by the Grouper Loader. Grouper publishes change events (group changes, membership changes) as AMQP messages to RabbitMQ. A Canvas Provisioner consumes them, queries Grouper REST web services, and populates users, courses and enrollments in Canvas via its REST API. LDAP holds memberOf attributes that a Portal queries for dynamic access control. The Shib IdP provides SAML authentication and attribute release to the Shib SPs in front of Canvas and the Portal]
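The consumer side of that flow, as an added example for this page rather than the demo's own code: Grouper's change log publishes group and membership events; a provisioner applies them to the target idempotently, ignores duplicate and out-of-order deliveries (a stale "add" must not resurrect access after a later "delete"), provisions only app:canvas groups, and can reconcile the target against the expected state to catch events that were never delivered. The JSON message shape, the sequence numbers and the in-memory Canvas stand-in are constructed; the real demo speaks AMQP to RabbitMQ and calls the Canvas REST API.

```python
"""Added example, not the TIER demo's own code: an idempotent consumer for
Grouper change events feeding a Canvas-like target, plus a reconciliation
pass. Message format, sequence numbers and the target are constructed."""
import json

# Constructed queue contents (one JSON document per line). Note the duplicate
# delivery of seq 2 and the stale seq 1 that arrives after the delete in seq 4.
RAW_MESSAGES = """\
{"seq": 2, "type": "membership_add",    "group": "app:canvas:CS101_student", "subject": "alice"}
{"seq": 3, "type": "membership_add",    "group": "app:canvas:CS101_student", "subject": "bob"}
{"seq": 2, "type": "membership_add",    "group": "app:canvas:CS101_student", "subject": "alice"}
{"seq": 4, "type": "membership_delete", "group": "app:canvas:CS101_student", "subject": "alice"}
{"seq": 1, "type": "membership_add",    "group": "app:canvas:CS101_student", "subject": "alice"}
{"seq": 5, "type": "group_add",         "group": "app:canvas:CS102_student"}
{"seq": 6, "type": "membership_add",    "group": "app:canvas:CS102_student", "subject": "alice"}
{"seq": 7, "type": "membership_add",    "group": "basis:courses:CS101:student", "subject": "eve"}
"""


class FakeCanvas:
    """Stand-in for the Canvas REST API: course -> set(users), plus a log of
    the calls that would have gone over HTTP (action tuples, not real URLs)."""
    def __init__(self):
        self.courses = {}
        self.calls = []

    def create_course(self, course):
        self.calls.append(("create_course", course, None))
        self.courses.setdefault(course, set())

    def enroll(self, course, user):
        self.calls.append(("enroll", course, user))
        self.courses.setdefault(course, set()).add(user)

    def unenroll(self, course, user):
        self.calls.append(("unenroll", course, user))
        self.courses.get(course, set()).discard(user)


class CanvasProvisioner:
    """Applies change events to the target. Only app:canvas groups are
    provisioned; basis and ref groups stay internal to Grouper."""
    HANDLED = {"group_add", "membership_add", "membership_delete"}

    def __init__(self, target, prefix="app:canvas:"):
        self.target = target
        self.prefix = prefix
        self.last_seq = {}          # (group, subject) -> highest seq applied

    def handle(self, msg):
        if msg["type"] not in self.HANDLED:
            return "unknown"
        if not msg["group"].startswith(self.prefix):
            return "ignored"
        key = (msg["group"], msg.get("subject"))
        if msg["seq"] <= self.last_seq.get(key, 0):
            return "duplicate_or_stale"   # already applied, or older than what we applied
        self.last_seq[key] = msg["seq"]
        course = msg["group"][len(self.prefix):]
        if msg["type"] == "group_add":
            self.target.create_course(course)
        elif msg["type"] == "membership_add":
            self.target.enroll(course, msg["subject"])
        else:
            self.target.unenroll(course, msg["subject"])
        return "applied"


def consume(raw_messages, target):
    """Parse the queue contents and apply each event; returns the outcomes."""
    provisioner = CanvasProvisioner(target)
    return [provisioner.handle(json.loads(line)) for line in raw_messages.splitlines() if line.strip()]


def reconcile(target, expected):
    """Periodic full comparison (the auditing slide's 'who has access?'):
    returns memberships present in the target but not expected (to revoke)
    and expected but missing (to grant), so a lost event cannot leave access behind."""
    to_revoke, to_grant = [], []
    for course in set(target.courses) | set(expected):
        have, want = target.courses.get(course, set()), expected.get(course, set())
        to_revoke += [(course, u) for u in sorted(have - want)]
        to_grant += [(course, u) for u in sorted(want - have)]
    return sorted(to_revoke), sorted(to_grant)


def run_demo():
    """Feed the constructed queue to a fresh target and return both."""
    target = FakeCanvas()
    return target, consume(RAW_MESSAGES, target)


if __name__ == "__main__":
    target, outcomes = run_demo()
    print(outcomes)
    print({course: sorted(users) for course, users in target.courses.items()})
```

The per-(group, subject) sequence check is what keeps the stale seq 1 from re-enrolling alice after seq 4 removed her; the reconcile pass is the batch safety net the survey respondents still want alongside event-driven provisioning.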
[ 50 ]
TIER Reference Architecture – Canvas Provisioning Demo
[Figure: "TIER Reference Architecture with Integration Detail" (2017-10-04, whc, base version). Identity Sources (Student, HR, Alumni, Affiliate; Guest/Self Registration; Sponsored/Invited Accounts; Campus Systems) supply Demographic Data, Affiliation Data, Contact Data and Account Information to the Entity Registry (Master Person Store, Attribute Resolver, Person Match / Deduplication, Unique Identifier Creation, Person Registration and Update). Authentication & Federation Services: SAML IdP, SSO AuthN, OAuth IdP, Consent Service, Relying Party Data (AKA Metadata). Groups Service: Automatically Maintained Groups, Manually Maintained Groups, Groups Data Store. Provisioning Service (midPoint): Resource Catalog, Group Based Provisioning, Request Based Provisioning, Approval Workflow, Provisioning Connectors. Integration Services: Messaging (RabbitMQ messaging connector, GrouperToMidpoint class; AMQP messages Post Group(s), Post Registry, Post Person, Maintain Person), SCIM, Registry. Identity Consumers: Cloud Providers, Research Partners, Operating Systems, Enterprise Directories, Campus Applications. Demo components mapped onto the architecture: SIS, Grouper, Canvas Provisioner, Shibboleth, Canvas]
[ 51 ]
Try it at home!
• 2017 TechEx Demo Available Here: https://github.internet2.edu/TIER/canvas-demo-techex17
• 2017 Global Summit Demo Available Here: https://github.internet2.edu/TIER/gs17-provisioning-demo
• More demos throughout the day in the garden rooms (behind the bar, left of the sponsor booths)