Presentation is loading. Please wait.

Presentation is loading. Please wait.

THE USE CASE FOR THE INTERNATIONAL COLLABORATIONS OF THE US NATIONAL INSTITUTE OF ALLERGY AND INFECTIONS DISEASES Connecting Research Collaborators to.

Published byAudrey Scott Modified over 8 years ago

Similar presentations

Presentation on theme: "THE USE CASE FOR THE INTERNATIONAL COLLABORATIONS OF THE US NATIONAL INSTITUTE OF ALLERGY AND INFECTIONS DISEASES Connecting Research Collaborators to."— Presentation transcript:

1 THE USE CASE FOR THE INTERNATIONAL COLLABORATIONS OF THE US NATIONAL INSTITUTE OF ALLERGY AND INFECTIONS DISEASES Connecting Research Collaborators to Applications Using COmanage Heather Flanagan and Benn Oshrin presenting; TNC 2015 Heather Flanagan and Benn Oshrin presenting; TNC 2015

2 Acknowledgements With many thanks to Scott Koranda (Spherical Cow Group) and Chris Whalen (International Program Manager of the Office of Cyberinfrastructure and Computational Biology, NIAID/NIH)

3 Office of Cyberinfrastructure and Computational Biology 3 ▪National Institute of Allergy and Infectious Diseases – NIAID One of 27 institutes of the NIH whose mission is to conduct and support basic and applied research to better understand, treat, and ultimately prevent infectious, immunologic, and allergic diseases ▪OCICB – IT service desk, infrastructure, Software Development, and computational bioscience consulting and support ▪OCICB International Program began in 1998 to support scientific collaborations of the NIAID to support malaria research in West Africa

4 Overview: Virtual Research Organizations 1.The core services of a network supporting scientists 2.Importance of collaborative networks in life sciences 3.Increasing and changing data types 4.The International Centers of Excellence for Research 5.Changing network and support topologies for International science 6.Using Trust Federations for service delivery 7.The Virtual Research Organization 8.Using COmanage as a tool to support VROs

5 Core Network Services for Life Science (and any organization) 5 User authentication verification and identity email File Sharing Voice over IP Video Conferencing Data Transfer Patch management Anti-malware management Intrusion Detection Firewall Access to services – journals, databases, workflows

6 Globalization of Research 6 Sample Sequencing: Boston High Performance Computing: Chicago Specimen collected and logged: Bamako Patient (volunteer) demographics and labs: Bethesda Data Management and Validation: Kampala Bioinformaticians: Cape Town

7 Globalization of Research 7 Sample Sequencing: Boston High Performance Computing: Chicago Specimen collected and logged: Bamako Patient (volunteer) demographics and labs: Bethesda Data Management and Validation: Kampala Bioinformaticians: Cape Town Investigators: Oxford, Boston, Bethesda, Chicago, Bamako

8 Challenges: Research Data Formats and Tools ▪Text – patient demographics, lab results, GPS, etc. ▪Genomics Next Generation Sequencing ▪Medical Imaging CT/PET/CT, HRCT Ultrasound ▪Proteomics ▪High Performance Computing Tools ▪Flow Cytometry ▪Audit Trails 8

9 Challenges: Science Supporting Tools Provided by the “Cloud” ▪Asana, Redbooth, and others for project management ▪Dropbox, Google Drive, Box, and others for data synchronization ▪Skype, Hangouts, Jabber, WebEx, GotoMeeting, etc. for voice and video ▪Amazon Web Services, Rackspace, Azure, are examples of Infrastructure for HPC and other uses to support science ▪Communication and collaboration – from email and IM to Social – Facebook, YouTube, Vimeo, Twitter, 9

10 Distributed Services: the LAN... inside-out ▪Cloud platform offers many of the services Network Infrastructure Management Tools Project Management Service Desk Service monitoring Anti-malware Application and Operating system patch management File Sharing Communications 10

11 The Problem with Moving Services from the LAN to the Cloud: Identity and Groups ▪Every cloud service has its own user database and directory Network Infrastructure Management Tools Project Management Service Desk Service monitoring Anti-malware Application and Operating system patch management File Sharing Communications ▪External collaborators need an account in each application they use as well 11

12 Identity Aggregation and Grouping ▪Many applications now provide single-sign-on using Facebook, Google, Twitter, and other identity providers some problems with private IdPs include commercial ownership and less assurance of credentials and PRIVACY ▪Academic and Research institutions have created Trust Federations InCommon Canarie EduGAIN 12

13 Solution: Leverage Trust Federations ▪Most researchers are based at institutions that are members of a Academic and Research Trust federation, such as InCommon and EduGAIN (inter-federation) ▪Use this solution for multiple services to build a collaboration platform at the ICER (Service Providers = SP) ▪NIH sponsored the two African ICERs (International Centers for Excellence) into InCommon so we can make each of them an Identity Provider (IdP) to other federated institutions and service providers 13

14 Collecting Identities into Collaborative Organizations ▪SAML to federate in Academic and Research world ▪SAML uses attributes ▪InCommon does not require IdPs release any attributes to SPs ▪International Research and Scholarship Attributes Email Name eduPPN eduPSA (scope affiliation) eduPTI targeted ID [unique ID] 14

15 Creating Virtual Research Organizations (VROs) 15

16 African VRO Requirements ▪Need to use the VRO infrastructure to provide organizational grouping for COTS software solutions Sharepoint, Aspera, & SlipStream ▪Use for Bioinformatics HPC applications (Galaxy and command line) ▪The Mali and Uganda ICER Data Centers have specific challenges Connectivity – Frequent ISP service interruptions – Low Bandwidth Basic infrastructure – Cooling – Power – Emergency power 16

17 Phase 1 VRO Default Configuration Includes SharePoint Site – Versioning (Backups) and AntiVirus –Document Library –Image Library –Scientific Participant Directory (email, IM, SIP URI, phone, etc.) –Calendar –Wiki Mailing List (Sympa) File Replication Sync using Aspera Audit logging 17

18 VRO Identity Lifecycle 18

19 What is a Collaboration Management Platform? ●A collection of applications and identity services to support a collaboration ●Based on federated identity and/or social identity 19

20 What is COmanage? ●An effort to design and build a Collaboration Management Platform ○Technology ○Reference Materials ○Best Practices ●Funded out of the NSF “Bedrock” SDCI grant for 3 years (ending soon) 20

21 COmanage Domain ●Federated and Social Identity ●Identity Lifecycle Management ●Onboarding and Offboarding Workflows ●Attribute Management ●Group Management ●Provisioning / Application Integration 21

22 COmanage Registry ●An Open Source (Apache 2 licensed) Identity Registry for VOs and Collaborations ●One component of and Identity Management System designed specifically for collaboration across boundaries ●Internationally aware, I18n capable 22

23

24 COmanage: Supporting NIAID Research Center 24

25 Problem: One Researcher Multiple Identities One researcher may have multiple identities ▪Grad students become postdocs become faculty ▪Postdocs move from institution to institution ▪Faculty may have joint appointments Different campuses assert different identifiers to services Researcher needs to be “seen” as the same individual by the service 25

26 Solution: Single Project Identifier for Services ▪Leverage COmanage to create VO specific identities VO identity can be linked to multiple external identities COmanage autogenerates project identifier during enrollment –Configurable “recipes” for identifier details COmanage provisions project identifier to LDAP person record –Person record indexed by one or more campus identifiers ▪SAML Attribute Authority (AA) uses LDAP as data store ▪Services consume the unique VO or project identifier(s) 26

27

28 28 Solution: Single Project Identifier for Services Camp us 1 Service COmanage Registry LDAP SAML Attribute Authority Camp us 2 ePPN VO identifier ePPN

29 Problem: IdP Won’t Release Name or Email 29 Research applications often require more than opaque identifier ▪Different than library or journal access ▪Researchers want record of with whom they are collaborating ▪Legacy application integrations often need name and email 106 InCommon IdPs support R&S entity category ▪106 is great! ▪106 of 395 is not so great! ▪World class research happening everywhere

30 Problem: IdP Won’t Release Name or Email International collaboration and attribute release still less uncertain ▪In general EU release outside of EU not currently possible ▪Sweden and Switzerland support for REFEDs R&S ▪UK support is coming quickly ▪Still evolving in Australia, Japan, others… eduGAIN “only” supports exchange of metadata ▪Critically important piece of full solution ▪But requires more policy and technology layers ▪Much work still to be done to support international collaboration 30

31 Solution: Collect Attributes During Enrollment COmanage supports flexible enrollment or onboarding ▪Multiple enrollment flows per VO (or VO unit) ▪Point and click configuration ▪Collect name, email, most any other attribute VO needs Usually user asserted Flows can include email verification ▪Invitation, self-service, conscription flows all supported Expose the attributes to applications via LDAP and SAML AA ▪Use ePPN as key to index the user 31

32

33 Solution: Collect Attributes During Enrollment Not all SAML SPs can leverage SAML (secondary) attribute query ▪Shibboleth SP makes it easy ▪SimpleSAMLphp makes it easy ▪ADFS does not… SharePoint is important target application ▪Best when federation managed by ADFS (as opposed to Shib) ▪Build custom “shim” between ADFS and Shibboleth SP to accomplish the secondary attribute query ▪Working to be able to open source that code... (Thanks to Chris Phillips from CANARIE for consultation on shim design) 33

34 Problem: Hard Service Requirement on Identifier Research applications often have identifier constraints ▪Legacy applications especially difficult ▪No notion of mapping external identifiers to internal representation ▪“Domesticating” these applications difficult and time consuming Command line and UNIX applications still greater challenge ▪Bioinformatic apps often need terminal session ▪Gateways and portals not always available or rejected by users ▪SlipStream Appliance from BioTeam is hybrid Galaxy web front end for some apps Terminal session for others 34

35 Solution: Per-application Per-person Custom Identifiers COmanage offers extensible, customizable identifiers  Same functionality supporting VO or project identifier  May be (usually is) auto-generated  Sequential or random  Minimum, maximum ranges  Uniqueness or not  May use name information as input  Include prefixes, suffixes, … ICER_kora_7368 35

36 Solution: SSH Key Management and Provisioning COmanage supports SSH key management & related provisioning ▪Users upload one or more public SSH keys First authenticate using federated identity(ies) ▪Provision keys to LDAP ▪SSH server configured to read SSH keys from LDAP ▪Also includes “home directory” provisioner (experimental) management of uid, gid, homeDirectory One of a suite of COmanage provisioner plugins ▪LDAP, Grouper, Changelog, GitHub, Homedir,... 36

37

38 Problem: Remote sites, low bandwidth, unreliable circuits Researchers at Mali and Uganda sites ▪Shibboleth IdPs local to each site ▪Some services local to each site ▪Need access even if local site becomes disconnected ▪Requires SPs/services be able to query for attributes 38

39 Solution: Replicate LDAP and Attribute Authority (See diagram on next slide) 39

40

41 Problem: Some services integrate with one IdP only Often seen with hosted services and COTS products ▪Assume contract maps to one and only one security realm ▪Consume SAML but only provide for integration with one login server ▪Research projects cross organizational boundaries ▪Still want to leverage federated identity 41

42 42 Solution: IdP/SP Proxy or Bridge

43 Problem: IdP won’t release global identifier 43 Common persistent non-targeted identifier is eduPersonPrincipalName ▪Not all IdPs will release ePPN ▪Usually released by REFEDs Research & Scholarship IdPs Some only provide per-SP targeted persistent identifier ▪Goal is to prevent correlation across SPs and protect privacy ▪Admirable goal when SPs are unrelated ▪Research projects have collections of SPs ▪Correlation is collaboration and is essential!

44

45 45 ▪VOs can greatly benefit from leveraging federated identity ▪Higher Ed federations especially attractive That’s where the users often are Trust model with many, many years of relationship building ▪Barriers to adoption remain Wrong balance between privacy and fostering collaboration Assumptions about the relationship between IdP and SP All SPs are not vendor SPs nor campus SPs Promise of Higher Ed identity federations to transform research and scholarship collaboration is enormous! Virtual Organizations and Federated Identity

46 Additional Acknowledgements Michael Tartakovsky - CIO NIAID Jeff Erickson - IAM Manager NIH Ann West, Tom Scavo, John Krienke & InCommon Ken Klingenstein & Internet2 Matthew Economou – Net eSolutions Corp. 46

Download ppt "THE USE CASE FOR THE INTERNATIONAL COLLABORATIONS OF THE US NATIONAL INSTITUTE OF ALLERGY AND INFECTIONS DISEASES Connecting Research Collaborators to."

Similar presentations

Federated Identity for Grid Architects Tom Scavo NCSA

Federated Identity for Grid Architects Tom Scavo NCSA
Network Systems Sales LLC

Network Systems Sales LLC
The Internet2 NET+ Services Program Jerry Grochow Interim Vice President CSG January, 2012.

The Internet2 NET+ Services Program Jerry Grochow Interim Vice President CSG January, 2012.
Enterprise CAL Overview. Different Types of CALs Standard CAL base A component Standard CAL is a base CAL that provides access rights to basic features.

Enterprise CAL Overview. Different Types of CALs Standard CAL base A component Standard CAL is a base CAL that provides access rights to basic features.
1 Issues in federated identity management Sandy Shaw EDINA IASSIST 24-27 May 2005, Edinburgh.

1 Issues in federated identity management Sandy Shaw EDINA IASSIST May 2005, Edinburgh.
Do More In Less Time Will Schoen Microsoft Corporation April 12, 2011 Realize the future of government productivity with online and.

Do More In Less Time Will Schoen Microsoft Corporation April 12, 2011 Realize the future of government productivity with online and.
WebFTS as a first WLCG/HEP FIM pilot

WebFTS as a first WLCG/HEP FIM pilot
Presenter’s Name InCommon Approximately 80 members and growing steadily More than two million “users” Most of the major research institutions (MIT joining.

Presenter’s Name InCommon Approximately 80 members and growing steadily More than two million “users” Most of the major research institutions (MIT joining.
CONNECT as an Interoperability Platform - Demo. Agenda Demonstrate CONNECT “As an Evolving Interoperability Platform” –Incremental addition of features.

CONNECT as an Interoperability Platform - Demo. Agenda Demonstrate CONNECT “As an Evolving Interoperability Platform” –Incremental addition of features.
FIM-ig Federated Identity Management Interest Group.

FIM-ig Federated Identity Management Interest Group.
SWITCHaai Team Federated Identity Management.

SWITCHaai Team Federated Identity Management.
Copyright © The OWASP Foundation Permission is granted to copy, distribute and/or modify this document under the terms of the OWASP License. The OWASP.

Copyright © The OWASP Foundation Permission is granted to copy, distribute and/or modify this document under the terms of the OWASP License. The OWASP.
Intro to Identity for Developers Tom Barton, U Chicago Scott Cantor, Ohio State Patrick Michaud, U Washington.

Intro to Identity for Developers Tom Barton, U Chicago Scott Cantor, Ohio State Patrick Michaud, U Washington.
BfB: Supporting Collaboration with Infrastructure.

BfB: Supporting Collaboration with Infrastructure.
External Identity and Authorization in GENI. Topics Federated identity and virtual organizations ABAC Creating and transporting attributes.

External Identity and Authorization in GENI. Topics Federated identity and virtual organizations ABAC Creating and transporting attributes.
11-July-2011, SURFnet Heather Flanagan, COmanage Project Coordinator Benn Oshrin, COmanage Developer Scott Koranda, U. Wisconsin – Milwaukee and LIGO.

11-July-2011, SURFnet Heather Flanagan, COmanage Project Coordinator Benn Oshrin, COmanage Developer Scott Koranda, U. Wisconsin – Milwaukee and LIGO.
Gee, I could have had a VO: Cloud- based COmanage Chris Hubing and Jim Leous.

Gee, I could have had a VO: Cloud- based COmanage Chris Hubing and Jim Leous.
SECURITY & THE UNIVERSITY INCLUDING A HOSPITAL October 3, 2008 Doyle Friskney Chief Technology Officer University of Kentucky.

SECURITY & THE UNIVERSITY INCLUDING A HOSPITAL October 3, 2008 Doyle Friskney Chief Technology Officer University of Kentucky.
Federated Identity Management for HEP David Kelsey WLCG GDB 9 May 2012.

Federated Identity Management for HEP David Kelsey WLCG GDB 9 May 2012.
AAI-enabled VO Platform “VO without Tears” Christoph Witzig EGI TF, Amsterdam, Sept 15, 2010.

AAI-enabled VO Platform “VO without Tears” Christoph Witzig EGI TF, Amsterdam, Sept 15, 2010.

Similar presentations

Ads by Google