TIER: Moving the Community to Adoption and Production

University of Illinois: Keith Wessel
University of Wisconsin-Madison: James Babb, Keith Hazelton, Tom Jordan
University of Virginia: Jim Jokl
Internet2: Paul Caskey, Ann West, Steve Zoppi


[ 2 ]

Topics for Today

• Overview
• Packaging
• Provisioning

[ 3 ]

What is TIER all about?

• Sustain software that we've developed together.

• Fill the gaps by providing a set of integrated components that addresses IAM as a whole.

• Address community requirements across the components.

• Develop and maintain community and corporate partnerships.

[ 4 ]

[Figure: TIER component logos: Shibboleth, Grouper, COmanage, MidPoint]

[ 7 ]

The TIER Architecture

[ 8 ]

TIER Core Additions
• Component Packaging
• API and Data Structures
• Extensibility
• Entity Registry
• Community Test and Development Environment
• Research Functionality

TIER Development Process
• Open source
• Iterative dev, test, review
• Assumes collaboration & tight integration with campus teams

Development flow (diagram): Community Developed Specifications; Internet2 Contracted Software Development; Internet2 Automated Testing; Campus Functional Review & Testing; Community Workshop use cases/requirements

[ 10 ]

What is TIER all about … TODAY

• Fulfill / Complete the “sustainability plan”

• Adjust velocity and course to match the end of investment funding and the spending profile of the base on-going funding

• Harmonize community requirements across the components (blending original Investor-validated requirements with the new needs of the research community)

• Focus on EXISTING commercial and professional partnerships (develop a FEW strategic or vital new relationships if needed)

[ 11 ]

From Spring: Putting it All Together

• TIER must look forward AND fit diverse operations today

• TIER progressing on stable integrated platform

• API and Registry components to be delivered in fall

• Provide feedback to working groups to speed delivery of functionality

[ 12 ]

Since Spring: TIER and Testing Adoption

• Campus Success Program
  • Post-Spring Survey
  • 10 schools deploying one or more TIER containerized components
  • Lessons learned shared along the way
  • Contributing guidance documents and presentation deliverables back to you!!

• Call to Action
  • Achieving TIER goals requires the community to help itself
  • Operations environment
  • TIER development cycle
  • Reviewing TIER and providing feedback
  • Starting discussions on campus
  • www.internet2.edu/media/cms_page_media/3614/Testing-and-adopting-TIER.pdf

[ 13 ]

Thanks to the Campus Success Participants!

• Colorado School of Mines
• Colorado State University
• Georgia Tech
• Oregon State University
• Lafayette College
• Rice University
• University of California, Merced
• University of Illinois
• University of Maryland - Baltimore County
• University of Michigan

For more information, see spaces.internet2.edu/x/oQrABg

And Thanks to the TIER Investor Schools... Arizona State University, Boston University, Carnegie Mellon University, Case Western Reserve University, Duke University, Harvard University, Indiana University, Lafayette College, Louisiana State University, New York University, Northwestern University, The Ohio State University, Old Dominion University, Oregon State University, Purdue University - Main Campus, Rice University, University of Arizona, University of California - Berkeley, University of California - Merced, University of Chicago, University of Florida, University of Hawaii - Manoa, University of Illinois - Urbana-Champaign, University of Maryland - Baltimore County, University of Maryland - College Park, University of Miami, University of Michigan - Ann Arbor, University of Missouri - Columbia, University of Nebraska - Lincoln, University of North Carolina - Chapel Hill, University of Notre Dame, University of Virginia, University of Wisconsin - Madison, Washington University - Saint Louis

Thanks!!

TIER PACKAGING UPDATES

Jim Jokl (University of Virginia)

[ 17 ]

TIER Packaging Background

• Early discussions about multiple possible component delivery mechanisms

• Decision for TIER Packaging to focus on Docker

[ 18 ]

Current TIER Component Packaging

• Virtual Machine Images
  • Effectively build application appliances
  • Docker internally, but Docker mostly hidden from the sysadmin
  • Additional operations support
  • Containers tuned for the VMs

• Excellent for greenfield and evaluation
  • Not really designed to support migration from installed base
  • How we handled secrets limits how the systems are placed into production
  • High availability is difficult
  • Questions from adopters on how to move forward

• We are not yet leveraging much of what Docker can do

[ 19 ]

Recent Work: Services for Large Scale Production Workloads

• Focus on adoption
  • What is needed to migrate production workloads to TIER packaged components?

• Production infrastructure support
  • Load balancing & high availability
  • Solutions for better secret protection and distribution
  • Configuration management and product upgrades
  • Interconnection: how to wire the pieces together
  • Scaling & support for geographic diversity
  • Security & ease of use

[ 20 ]

Docker Swarm

• Network Encryption
• Secrets and Configs
• Auto scaling
• Eases geographic diversity
• Part of Docker – Everyone has it

Ref: Docker

[ 21 ]

COmanage Outline (diagram): Load Balancer; Shibboleth SP; SATOSA Proxy; OpenLDAP; COmanage Application; MariaDB; Demo App MediaWiki with Shib plugin and MariaDB; Federation IdP

[ 22 ]

Grouper Outline (diagram): Load Balancer; Grouper Web Services (Shib SP, Apache); Grouper UI (Shib SP, Apache); Grouper Loader (Java); MariaDB

[ 23 ]

Shibboleth IdP Outline (diagram): Load Balancer; Shibboleth IdP (Java, Tomcat), replicated; Shib SP (Apache); External LDAP; Docker Registry; Setup Tooling

[ 24 ]

Getting Involved

• If you are familiar with Docker
  • We could use your help with Packaging

• If you are familiar with any of the components
  • We could use your help with Packaging

TIER SHIBBOLETH UPDATE

Paul Caskey (Internet2)

[ 26 ]

TIER-Shib IdP

• What's been done?
  • Phase 1: VM/container
  • Phase 2: Standalone container
    • Linux
    • Windows
  • Solutions for HA operation
    • gen1 / HAproxy
    • gen2 / Docker swarm

[ 27 ]

TIER-Shib IdP

• How can you run it?
  • Public containers located in Docker Hub
  • Run on one or more Docker container servers (Linux + Docker)
  • Or use another container orchestration solution
    • Amazon ECS
    • Kubernetes
    • Rancher

[ 28 ]

TIER-Shib IdP

• How does it work?
  • Configuration
    • New: ConfigBuilder microservice
    • Existing: use build/run-time parameters to point to your config files
  • Docker Swarm
    • distributed access (any node)
    • need ELB
    • Can use secrets
  • AWS ECS
    • no secrets (all is burned-in)
    • EC2 autoscaling is cool
    • shooting old and misbehaving nodes in the head is lots of fun

[ 29 ]

Shibboleth IdP Relying Party GUI Update

• Original requirements doc:
  • https://spaces.internet2.edu/display/TPWG/Shibboleth+Relying+Party+Configuration+GUI

• Will allow for basic configuration of routine relying-party items

• Unicon is making great progress on the UI

• Phase 1 is on schedule to be ready in December!

PROVISIONING BEST PRACTICES: THE BIG TEN ACADEMIC ALLIANCE

Presented by Keith Wessel

University of Illinois at Urbana-Champaign

[ 32 ]

Who Are We?

• The Big Ten Academic Alliance
• Formerly the CIC
• A consortium of the Big Ten schools and the University of Chicago
• Better together: combined research and collaboration

[ 33 ]

Why provisioning?

• No widely used standards
• A ‘wild west’
• Hard to scale federation if we can't scale provisioning
• Different definitions of provisioning: identities, credentials, services
• De-provisioning might never happen

[ 34 ]

So what are you going to do about it?

• Planned to start with product evaluations
  • Got tangled up in terminology

• Take II: survey of current practices and needs
  • Use survey results to identify trends
  • Document best practices based on those trends and experiences

[ 35 ]

Survey topics

• General information
• Auditing and reporting
• Target systems
• Roles and groups
• Digital identities
• Credentials

[ 36 ]

Survey goals

• Learn what software schools are using and what they like/dislike about it

• Get an idea of schools’ future plans

• Find things that schools would like to do but can’t due to technology limitations

• We've found several interesting trends and concepts in the results.

[ 37 ]

What we learned -- general info

• Most folks are neutral to moderately pleased with their provisioning software

• Event-driven and messaging is commonly used and liked; batch processing can be slow and is disliked

• Many would like an easier connector framework for on-boarding new services

• Commercial products do better with this than in-house creations, not surprisingly

[ 38 ]

What we learned -- auditing and reporting

• Most member schools are reactive, not proactive, on auditing and reporting

• Within a target system, easy to grant access, hard to know who has access or should

• Some schools point out that auditing policies are a political problem, not a technical one

• Products capable of auditing often license per identity, which can be expensive

• Potential Net+ engagement with product vendors to lower cost?

[ 39 ]

What we learned -- target systems

• Not everyone defines a target system the same: directory vs. service

• Most schools have a limited number of downstream targets that they provision: most of those targets are directories

• Several schools do on-request service provisioning, different from JIT, but most use custom solutions

• De-provisioning identities is hard: how do you define an inactive user?

• Survey didn’t ask about who handles service provisioning
  • This can be the central IAM group or the service owner
  • Most schools represented in the WG feel this issue is mainly political

[ 40 ]

What we learned -- roles and groups

• Most schools are using Grouper to handle this in varying degrees

• Many schools have tighter configurations in Grouper regarding who can create groups that handle authorization functions

• Not many schools using eduPersonAffiliation for authorization purposes internally

• Many schools face challenges with
  • Lack of alignment between business and technical processes
  • Users with multiple roles
  • Users with multiple job titles

[ 41 ]

What we learned -- digital identities

• More schools are auto-generating usernames rather than allowing users to make their own

• Username generation rules differ between schools

• Even split for first-time login between OTP and bio/demo questions

• In most cases, identity matching handled outside of the central IdM system

• Strong interest in social IDs for guest identities

[ 42 ]

What we learned -- credentials

• Responding schools have a variety of password requirements
  • A lot of common themes with length, character classes, history
  • NIST 800-63-3 might be a factor for password complexity in the near future

• Regardless, any recommended provisioning engine that handles passwords must have flexible rule definitions

• The WG wonders if MFA might help to relax password expiration or complexity guidelines

[ 43 ]

Current work

• Identifying best practices
  • Identifying a structure for a write-up
  • Documented practices should start falling into place once we have an outline

• Still brainstorming additional deliverables

[ 44 ]

Potential deliverables

• Write-up of recommended best practices
• Catalog of SCIM schemas
• Grouper recipes
• Product evaluations

Feedback? Comments? Questions? Want to help?

Or help now: [email protected]

TIER PROVISIONING / DEPROVISIONING

Presented by James Babb and Tom Jordan

University of Wisconsin - Madison

[ 47 ]

TIER Provisioning / Deprovisioning

• Latent provisioning in (and around) TIER:
  • Grouper
  • COmanage
  • Midpoint

• TIER Provisioning Philosophies
  • Functional overlap is ok – look for best fit in the environment
  • Be pluggable and loosely coupled
  • Be event/interface driven
  • Look at authorization as a grouping function
  • Keep provisioning lightweight (and via standards where possible)

[ 48 ]

TIER – Data-Driven Authorization and Provisioning

[Diagram, left to right:]
• Sources: Course Repository, Person Repository
• Data-Driven Groups (basis:courses): CS101, CS102, ACCT101, ACCT102, MATH100, MATH102
• Institutionally Meaningful Cohorts (ref:affiliations): All Students, CS Students, CS101 Students; All Faculty, CS Faculty, CS101 Faculty (linked by "Includes")
• Enterprise Access Control Policy (app:canvas): Canvas Students, Canvas CS Students, Canvas CS101 Students; Canvas Faculty, Canvas CS Faculty, Canvas CS101 Faculty
• Canvas Instance: CS101 Course with Students and Faculty

[ 49 ]

TIER Provisioning Demo – SIS to Canvas via Grouper and Messaging

[Diagram components:]
• SIS: student/course data, read by Grouper Loader into Grouper
• Grouper publishes change events to RabbitMQ; AMQP messages: group changes, membership changes
• Canvas Provisioner consumes the messages; users, courses and enrollments populated in Canvas via REST API
• Grouper REST Web Service queries
• Shib IdP with LDAP (memberOf query); SAML attribute release and authentication to the Shib SP in front of Canvas and the Portal
• Portal: dynamic access control via memberOf attributes
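The data-driven group hierarchy (basis → ref → app) and the demo's message flow above can be illustrated with a small consumer. This is an added example, not code from the TIER demo repositories: it assumes a constructed event shape and a constructed app:canvas:COURSE:role group naming convention, and it only logs the Canvas REST calls it would make. It shows the two properties a provisioner needs in an event-driven design: redelivered messages are idempotent, and a membership removal deprovisions the enrollment.

```python
from dataclasses import dataclass, field
import re

# Constructed naming convention modelled on the deck's basis/ref/app folders.
# Only groups under app:canvas: are provisioning targets; basis:* and ref:*
# changes are ignored so the provisioner stays loosely coupled to Grouper.
APP_GROUP = re.compile(r"^app:canvas:(?P<course>[A-Z]+\d+):(?P<role>students|faculty)$")
ROLE_TO_ENROLLMENT = {"students": "StudentEnrollment", "faculty": "TeacherEnrollment"}


@dataclass
class CanvasProvisioner:
    """Tracks the enrollments the provisioner believes Canvas holds
    (course -> {user: enrollment type}) plus an audit log of REST calls
    it would issue (illustrative paths, not a Canvas client)."""
    enrollments: dict = field(default_factory=dict)
    audit: list = field(default_factory=list)

    def handle(self, event: dict) -> str:
        """Consume one constructed membership-change event; return the outcome."""
        m = APP_GROUP.match(event["group"])
        if not m:
            return "ignored"            # not an app group: nothing to provision
        course, kind = m["course"], ROLE_TO_ENROLLMENT[m["role"]]
        user = event["subject"]
        roster = self.enrollments.setdefault(course, {})
        if event["type"] == "membership_add":
            if roster.get(user) == kind:
                return "noop"           # redelivered message: idempotent
            roster[user] = kind
            self.audit.append(f"POST /courses/{course}/enrollments user={user} type={kind}")
            return "enrolled"
        if event["type"] == "membership_delete":
            if roster.get(user) != kind:
                return "noop"           # nothing to remove (already deprovisioned)
            del roster[user]
            self.audit.append(f"DELETE /courses/{course}/enrollments user={user}")
            return "deprovisioned"
        raise ValueError(f"unknown event type {event['type']!r}")


def run_demo():
    """Replay a constructed event sequence, as a Grouper-side publisher might emit it."""
    events = [
        {"type": "membership_add", "group": "basis:courses:CS101", "subject": "alice"},
        {"type": "membership_add", "group": "app:canvas:CS101:students", "subject": "alice"},
        {"type": "membership_add", "group": "app:canvas:CS101:students", "subject": "alice"},
        {"type": "membership_add", "group": "app:canvas:CS101:faculty", "subject": "prof"},
        {"type": "membership_delete", "group": "app:canvas:CS101:students", "subject": "alice"},
    ]
    p = CanvasProvisioner()
    return p, [p.handle(e) for e in events]
```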

[ 50 ]

TIER Reference Architecture – Canvas Provisioning Demo

[Diagram: TIER Reference Architecture with Integration Detail (2017-10-04, whc, base version)]
• Identity Sources: Campus Systems (Student, HR, Alumni, Affiliate; demographic data, affiliation data, contact data, account information); Guest/Self Registration; Sponsored/Invited Accounts
• Entity Registry: Master Person Store; Person Match / Deduplication; Unique Identifier Creation; Person Registration and Update; Attribute Resolver; Relying Party Data (AKA Metadata)
• Authentication & Federation Services: SAML IdP; SSO AuthN; OAuth IdP; Consent Service
• Groups Service: Automatically Maintained Groups; Manually Maintained Groups; Groups Data Store
• Resource Catalog
• Provisioning Service (Midpoint): Group Based Provisioning; Request Based Provisioning; Approval Workflow; Provisioning Connectors
• Messaging: Messaging Connector (RabbitMQ); GrouperToMidpoint Class; AMQP flows (Maintain Person, Post Group(s), Post Registry, Post Person)
• Integration Services: AMQP; Registry; SCIM
• Identity Consumers: Cloud Providers; Research Partners; Operating Systems; Enterprise Directories; Campus Applications
• Demo components: SIS; Grouper; Canvas Provisioner; Shibboleth; Canvas

[ 51 ]

Try it at home!

• 2017 TechEx Demo Available Here:
  • https://github.internet2.edu/TIER/canvas-demo-techex17

• 2017 Global Summit Demo Available Here:
  • https://github.internet2.edu/TIER/gs17-provisioning-demo

• More demos throughout the day in the garden rooms (behind the bar, left of the sponsor booths)