Facilitating Scientific Collaborations by Delegating Identity Management

Reducing Barriers and Roadmap for Incremental Implementation

Robert Cowles, Craig Jackson, Von Welch (PI)

May 7th, 2015

NLCIO Meeting

2

Our Goal

Increase productivity of open DOE science through improved understanding of identity management (IdM) and relevant institutional risk.

3

IdM is Critical to Science

• Control of unique instruments
• Ability to QA data
• Access to pre-publication data
• Membership and structure of collaboration
• Names on papers
• Etc.

However, scientists don’t use IdM’s nomenclature!

4

Virtual Organization Identity Management

A number of approaches have been tried: VOMS, Glide-ins, Science gateways, COManage, Community/group accounts, etc.

We have 15 years of applied experimentation in virtual organization (VO) IdM.

5

Twenty+ Interviews

VOs
• Atlas
• BaBar
• Belle-II
• CMS
• Darkside
• Engage
• Earth System Grid
• Fermi Space Telescope
• LIGO
• LSST/DESC

Resource Providers
• Atlas Great Lakes T2
• FermiGrid
• GRIF
• U. Nebraska (CMS)
• LCLS
• RAL
• GRIF/LAL
• LLNL
• NERSC
• Blue Waters

6

Some Big Picture Observations…

7

Contradictory Demands

• Current Processes and Policies
  • Strong identification, authentication, and authorization of user communities

• User communities
  • Large scale with dynamic membership
  • Span multiple resource providers
  • Desire ease-of-use (e.g. single sign-on)
  • Self management

8

Shared IdM Responsibilities

• Sharing of IdM between Labs and VOs has benefits.
• Similar to outsourcing of authentication to another org via federated identity.
• Sharing is not “all or nothing” – it lives on a spectrum related to risk and trust.

Spectrum diagram labels: Brokered, Transitive

9

Our Products

• Understanding of motivations and barriers to IdM responsibility sharing.
• Guidance for addressing barriers.
• Technical scheme for representing VO IdM sharing.

These products are freely available, and we're happy to help with their application:

http://cacr.iu.edu/collab-idm/

10

Drivers and Benefits of Sharing

• Allows scaling of scientists, Labs.
• Centralized management of VO policies.
• Places effort where most appropriate.
• Avoid unneeded duplication of IdM data.
• Eases collaboration inside of and across VOs.
• Improves ease of use through better integration with science workflows.

11

Identified Barriers

• Historical Inertia
• Risk Aversion
• Compliance and Assurance Requirements
• Technology Limitations

12

Identified Mitigations for Barriers

• Sandboxes (VMs, limited APIs, etc.)

• User traceability (OSG)

• Site-VO agreements

13

DOE Policy analysis

Robert Cowles, Craig Jackson and Von Welch. Facilitating Scientific Collaborations by Delegating Identity Management: Reducing Barriers & Roadmap for Incremental Implementation
• http://cacr.iu.edu/sites/cacr.iu.edu/files/FSCbyDIM0408.pdf
• Will be presented at CLHS 15 in June 2015

Discusses Deemed Export, Unclassified Foreign Visits, and the shift to risk-based security to overcome inertia.

Data-centric Model for IdM Sharing

Offers a common language and graphical representation for complex IdM requirements/implementation.

Goal: Facilitate communication between scientists, IdM, CSO.

Functionality: authentication, authorization, allocation/scheduling, accounting, auditing, user support, incident response

Model IdM Data: (1) User identifier, (2) User contact info, (3) VO membership/role

15

Thank you. Questions?

Von Welch ([email protected])

http://cacr.iu.edu/collab-idm

We thank the Department of Energy Next-Generation Networks for Science (NGNS) program (Grant No. DE-FG02-12ER26111) for funding this effort.

The views and conclusions contained herein are those of the author and should not be interpreted as necessarily representing the official policies or endorsements, either expressed or implied, of the sponsors or any organization.

16

Full List of XSIM Products

Robert Cowles, Craig Jackson, and Von Welch. Identity Management Factors for HEP Virtual Organizations. 20th International Conference on Computing in High Energy and Nuclear Physics (CHEP2013), 2013

https://iopscience.iop.org/1742-6596/513/3/032022

17

Develop Model and Validate

Robert Cowles, Craig Jackson, and Von Welch. Identity Management for Virtual Organizations: An Experience-Based Model. eScience 2013, 2013

http://www.computer.org/csdl/proceedings/escience/2013/5083/00/5083a278-abs.html

Robert Cowles, Craig Jackson, Von Welch, and Shreyas Cholia. A Model for Identity Management in Future Scientific Collaboratories. International Symposium on Grids and Clouds (ISGC) 2014, 2014

http://pos.sissa.it/archive/conferences/210/026/ISGC2014_026.pdf

18

Develop Guidance

Von Welch, Robert Cowles, and Craig Jackson. XSIM OSG IdM Guidance. OSG-doc-1199, July 2014

http://osg-docdb.opensciencegrid.org/cgi-bin/ShowDocument?docid=1199

Robert Cowles, Craig Jackson, and Von Welch. Facilitating Scientific Collaborations by Delegating Identity Management: Reducing Barriers and Roadmap for Incremental Implementation. March 2015.

http://cacr.iu.edu/sites/cacr.iu.edu/files/FSCbyDIM0408.pdf