THE USE CASE FOR THE INTERNATIONAL COLLABORATIONS OF THE US NATIONAL INSTITUTE OF ALLERGY AND INFECTIOUS DISEASES
Connecting Research Collaborators to Applications Using COmanage
Heather Flanagan and Benn Oshrin presenting; TNC 2015
Acknowledgements
With many thanks to Scott Koranda (Spherical Cow Group) and Chris Whalen (International Program Manager of the Office of Cyberinfrastructure and Computational Biology, NIAID/NIH)
Office of Cyberinfrastructure and Computational Biology
▪ National Institute of Allergy and Infectious Diseases (NIAID): one of 27 institutes of the NIH, whose mission is to conduct and support basic and applied research to better understand, treat, and ultimately prevent infectious, immunologic, and allergic diseases
▪ OCICB: IT service desk, infrastructure, software development, and computational bioscience consulting and support
▪ The OCICB International Program began in 1998 to support NIAID scientific collaborations on malaria research in West Africa
Overview: Virtual Research Organizations
1. The core services of a network supporting scientists
2. Importance of collaborative networks in life sciences
3. Increasing and changing data types
4. The International Centers of Excellence for Research
5. Changing network and support topologies for international science
6. Using trust federations for service delivery
7. The Virtual Research Organization
8. Using COmanage as a tool to support VROs
Core Network Services for Life Science (and any organization)
▪ User authentication, verification and identity
▪ Email
▪ File sharing
▪ Voice over IP
▪ Video conferencing
▪ Data transfer
▪ Patch management
▪ Anti-malware management
▪ Intrusion detection
▪ Firewall
▪ Access to services: journals, databases, workflows
Globalization of Research
▪ Sample sequencing: Boston
▪ High performance computing: Chicago
▪ Specimen collected and logged: Bamako
▪ Patient (volunteer) demographics and labs: Bethesda
▪ Data management and validation: Kampala
▪ Bioinformaticians: Cape Town
▪ Investigators: Oxford, Boston, Bethesda, Chicago, Bamako
Challenges: Research Data Formats and Tools
▪ Text: patient demographics, lab results, GPS, etc.
▪ Genomics
  – Next Generation Sequencing
▪ Medical imaging
  – CT/PET/CT, HRCT
  – Ultrasound
▪ Proteomics
▪ High Performance Computing tools
▪ Flow cytometry
▪ Audit trails
Challenges: Science Supporting Tools Provided by the “Cloud”
▪ Asana, Redbooth, and others for project management
▪ Dropbox, Google Drive, Box, and others for data synchronization
▪ Skype, Hangouts, Jabber, WebEx, GoToMeeting, etc. for voice and video
▪ Amazon Web Services, Rackspace, and Azure are examples of infrastructure for HPC and other uses to support science
▪ Communication and collaboration, from email and IM to social media: Facebook, YouTube, Vimeo, Twitter
Distributed Services: the LAN... Inside-Out
▪ The cloud platform offers many of the services:
  – Network infrastructure management tools
  – Project management
  – Service desk
  – Service monitoring
  – Anti-malware
  – Application and operating system patch management
  – File sharing
  – Communications
The Problem with Moving Services from the LAN to the Cloud: Identity and Groups
▪ Every cloud service has its own user database and directory:
  – Network infrastructure management tools
  – Project management
  – Service desk
  – Service monitoring
  – Anti-malware
  – Application and operating system patch management
  – File sharing
  – Communications
▪ External collaborators need an account in each application they use as well
Identity Aggregation and Grouping
▪ Many applications now provide single sign-on using Facebook, Google, Twitter, and other identity providers
  – Some problems with private IdPs include commercial ownership, less assurance of credentials, and PRIVACY
▪ Academic and research institutions have created trust federations
  – InCommon
  – CANARIE
  – eduGAIN
Solution: Leverage Trust Federations
▪ Most researchers are based at institutions that are members of an academic and research trust federation, such as InCommon and eduGAIN (inter-federation)
▪ Use this solution for multiple services to build a collaboration platform at the ICER (Service Providers, SPs)
▪ NIH sponsored the two African ICERs (International Centers for Excellence) into InCommon so we can make each of them an Identity Provider (IdP) to other federated institutions and service providers
Collecting Identities into Collaborative Organizations
▪ SAML is used to federate in the academic and research world
▪ SAML uses attributes
▪ InCommon does not require IdPs to release any attributes to SPs
▪ International Research and Scholarship attributes:
  – Email
  – Name
  – eduPersonPrincipalName (ePPN)
  – eduPersonScopedAffiliation (scoped affiliation)
  – eduPersonTargetedID (targeted ID, a per-SP unique ID)
Creating Virtual Research Organizations (VROs)
African VRO Requirements
▪ Need to use the VRO infrastructure to provide organizational grouping for COTS software solutions
  – SharePoint, Aspera, and SlipStream
▪ Use for bioinformatics HPC applications (Galaxy and command line)
▪ The Mali and Uganda ICER data centers have specific challenges
  – Connectivity: frequent ISP service interruptions, low bandwidth
  – Basic infrastructure: cooling, power, emergency power
Phase 1 VRO Default Configuration Includes
▪ SharePoint site: versioning (backups) and antivirus
  – Document library
  – Image library
  – Scientific participant directory (email, IM, SIP URI, phone, etc.)
  – Calendar
  – Wiki
▪ Mailing list (Sympa)
▪ File replication and sync using Aspera
▪ Audit logging
VRO Identity Lifecycle
What is a Collaboration Management Platform?
● A collection of applications and identity services to support a collaboration
● Based on federated identity and/or social identity
What is COmanage?
● An effort to design and build a Collaboration Management Platform
  ○ Technology
  ○ Reference materials
  ○ Best practices
● Funded out of the NSF “Bedrock” SDCI grant for 3 years (ending soon)
COmanage Domain
● Federated and social identity
● Identity lifecycle management
● Onboarding and offboarding workflows
● Attribute management
● Group management
● Provisioning / application integration
COmanage Registry
● An open source (Apache 2 licensed) identity registry for VOs and collaborations
● One component of an identity management system designed specifically for collaboration across boundaries
● Internationally aware, I18n capable
COmanage: Supporting NIAID Research Center
Problem: One Researcher, Multiple Identities
One researcher may have multiple identities:
▪ Grad students become postdocs become faculty
▪ Postdocs move from institution to institution
▪ Faculty may have joint appointments
Different campuses assert different identifiers to services; the researcher needs to be “seen” as the same individual by the service
Solution: Single Project Identifier for Services
▪ Leverage COmanage to create VO-specific identities
  – A VO identity can be linked to multiple external identities
  – COmanage autogenerates the project identifier during enrollment, with configurable “recipes” for identifier details
  – COmanage provisions the project identifier to an LDAP person record, which is indexed by one or more campus identifiers
▪ The SAML Attribute Authority (AA) uses LDAP as its data store
▪ Services consume the unique VO or project identifier(s)
Solution: Single Project Identifier for Services
(Diagram: Campus 1 and Campus 2 each assert an ePPN; the COmanage Registry provisions LDAP, which backs the SAML Attribute Authority; the Service receives the VO identifier.)
Problem: IdP Won’t Release Name or Email
Research applications often require more than an opaque identifier
▪ Different from library or journal access
▪ Researchers want a record of with whom they are collaborating
▪ Legacy application integrations often need name and email
106 InCommon IdPs support the R&S entity category
▪ 106 is great!
▪ 106 of 395 is not so great!
▪ World class research is happening everywhere
Problem: IdP Won’t Release Name or Email
International collaboration and attribute release are even less certain
▪ In general, EU release outside of the EU is not currently possible
▪ Sweden and Switzerland support REFEDS R&S
▪ UK support is coming quickly
▪ Still evolving in Australia, Japan, others…
eduGAIN “only” supports exchange of metadata
▪ A critically important piece of the full solution
▪ But it requires more policy and technology layers
▪ Much work still to be done to support international collaboration
Solution: Collect Attributes During Enrollment
COmanage supports flexible enrollment, or onboarding
▪ Multiple enrollment flows per VO (or VO unit)
▪ Point and click configuration
▪ Collect name, email, and most any other attribute the VO needs
  – Usually user asserted
  – Flows can include email verification
▪ Invitation, self-service, and conscription flows are all supported
Expose the attributes to applications via LDAP and the SAML AA
▪ Use ePPN as the key to index the user
Solution: Collect Attributes During Enrollment
Not all SAML SPs can leverage the SAML (secondary) attribute query
▪ Shibboleth SP makes it easy
▪ SimpleSAMLphp makes it easy
▪ ADFS does not…
SharePoint is an important target application
▪ Best when federation is managed by ADFS (as opposed to Shib)
▪ Build a custom “shim” between ADFS and Shibboleth SP to accomplish the secondary attribute query
▪ Working to be able to open source that code… (Thanks to Chris Phillips from CANARIE for consultation on shim design)
Problem: Hard Service Requirement on Identifier
Research applications often have identifier constraints
▪ Legacy applications are especially difficult
▪ No notion of mapping external identifiers to an internal representation
▪ “Domesticating” these applications is difficult and time consuming
Command line and UNIX applications are a still greater challenge
▪ Bioinformatics apps often need a terminal session
▪ Gateways and portals are not always available, or are rejected by users
▪ SlipStream Appliance from BioTeam is a hybrid
  – Galaxy web front end for some apps
  – Terminal session for others
Solution: Per-application Per-person Custom Identifiers
COmanage offers extensible, customizable identifiers
▪ Same functionality supporting the VO or project identifier
▪ May be (usually is) auto-generated
  – Sequential or random
  – Minimum, maximum ranges
  – Uniqueness or not
▪ May use name information as input
▪ Include prefixes, suffixes, …
Example: ICER_kora_7368
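Putting the “Single Project Identifier for Services” slide and the custom-identifier slide above together, here is an added example written for this page; it is not COmanage code. A toy registry links several campus-asserted ePPNs to one person record, generates a per-application project identifier from a configurable recipe (prefix, surname letters, sequential or random number, range, uniqueness), and answers attribute-authority queries keyed by any linked ePPN. The Recipe fields, application names, people, e-mail addresses and ePPNs are constructed assumptions; only the shape ICER_kora_7368 comes from the slide.

```python
"""Added example (not COmanage's code): link many ePPNs to one person, mint
project identifiers from a recipe, answer attribute queries by any ePPN."""

import random
import re
from dataclasses import dataclass, field


@dataclass
class Recipe:
    prefix: str = ""            # e.g. "ICER_"
    suffix: str = ""
    name_chars: int = 0         # surname letters to embed (0 = none)
    mode: str = "sequential"    # "sequential" or "random"
    minimum: int = 1000
    maximum: int = 9999
    unique: bool = True         # never hand the same value out twice


@dataclass
class Person:
    given: str
    family: str
    email: str
    eppns: set = field(default_factory=set)
    identifiers: dict = field(default_factory=dict)   # application -> identifier


class Registry:
    def __init__(self, rng=None):
        self.people = []
        self.by_eppn = {}       # every linked ePPN resolves to one Person
        self.recipes = {}
        self.issued = {}        # application -> identifiers already issued
        self.counters = {}      # application -> last sequential number used
        self.rng = rng or random.Random()

    def add_recipe(self, application, recipe):
        self.recipes[application] = recipe
        self.issued[application] = set()
        self.counters[application] = recipe.minimum - 1

    def enroll(self, given, family, email, eppn):
        """Enrollment flow: create the person and mint every project identifier."""
        if eppn in self.by_eppn:
            raise ValueError(f"{eppn} is already enrolled")
        person = Person(given, family, email, {eppn})
        self.people.append(person)
        self.by_eppn[eppn] = person
        for application in self.recipes:
            person.identifiers[application] = self._generate(application, person)
        return person

    def link(self, existing_eppn, new_eppn):
        """Attach another campus identity (move, joint appointment) to the same person."""
        person = self.by_eppn[existing_eppn]
        other = self.by_eppn.get(new_eppn)
        if other is not None and other is not person:
            raise ValueError(f"{new_eppn} already belongs to another person")
        person.eppns.add(new_eppn)
        self.by_eppn[new_eppn] = person
        return person

    def _generate(self, application, person):
        r = self.recipes[application]
        fragment = re.sub(r"[^a-z]", "", person.family.lower())[:r.name_chars]
        sep = "_" if fragment else ""
        for _ in range(10000):                       # bounded search for an unused value
            if r.mode == "sequential":
                self.counters[application] += 1
                number = self.counters[application]
                if number > r.maximum:
                    raise RuntimeError("sequential range exhausted")
            else:
                number = self.rng.randint(r.minimum, r.maximum)
            candidate = f"{r.prefix}{fragment}{sep}{number}{r.suffix}"
            if not r.unique or candidate not in self.issued[application]:
                self.issued[application].add(candidate)
                return candidate
        raise RuntimeError("no unused identifier found")

    def attribute_query(self, eppn, application):
        """What the SAML attribute authority answers for a user a service saw as `eppn`."""
        person = self.by_eppn.get(eppn)
        if person is None:
            return None
        return {"mail": person.email,
                "displayName": f"{person.given} {person.family}",
                "projectId": person.identifiers[application]}


def demo():
    # Constructed sample data: two recipes, two people, one of whom changes campus.
    reg = Registry(rng=random.Random(2015))
    reg.add_recipe("icer", Recipe(prefix="ICER_", name_chars=4, minimum=7368))
    reg.add_recipe("hpc", Recipe(prefix="u", mode="random", minimum=10000, maximum=99999))
    amina = reg.enroll("Amina", "Koraba", "amina@example.org", "akoraba@campus1.example")
    reg.link("akoraba@campus1.example", "amina.k@campus2.example")
    reg.enroll("Ben", "Korabanyi", "ben@example.org", "bk@campus3.example")
    return {"icer_id": amina.identifiers["icer"],
            "via_campus2": reg.attribute_query("amina.k@campus2.example", "icer")["projectId"],
            "second_icer_id": reg.attribute_query("bk@campus3.example", "icer")["projectId"],
            "hpc_ids": sorted(p.identifiers["hpc"] for p in reg.people)}


if __name__ == "__main__":
    print(demo())
```

The point the slides make is visible in `demo()`: after the second campus identity is linked, a service that only ever saw the new ePPN still receives the identifier minted at first enrollment, and a second person whose surname yields the same fragment gets a distinct value because the recipe enforces uniqueness.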
Solution: SSH Key Management and Provisioning
COmanage supports SSH key management and related provisioning
▪ Users upload one or more public SSH keys
  – First authenticate using federated identity(ies)
▪ Provision keys to LDAP
▪ SSH server configured to read SSH keys from LDAP
▪ Also includes a “home directory” provisioner (experimental)
  – Management of uid, gid, homeDirectory
One of a suite of COmanage provisioner plugins
▪ LDAP, Grouper, Changelog, GitHub, Homedir, ...
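The server side of “SSH server configured to read SSH keys from LDAP” is the part a practitioner has to get right, so here is an added example, not COmanage's or OpenSSH's own code. It parses a small constructed LDIF export of person entries carrying `sshPublicKey` values (the attribute name is an assumption; the openssh-lpk schema uses it), keeps only keys whose OpenSSH wire blob actually matches the declared key type, and returns the lines an sshd `AuthorizedKeysCommand` would print for a username. The usernames, DNs and key material are constructed.

```python
"""Added example (not COmanage/OpenSSH code): AuthorizedKeysCommand-style lookup
of provisioned SSH public keys from an LDIF export, with format validation."""

import base64
import re
import struct

# sshd passes the login name; refuse anything that is not a plain POSIX login.
USERNAME_RE = re.compile(r"^[a-z_][a-z0-9._-]{0,31}$")
ALLOWED_TYPES = {"ssh-ed25519", "ssh-rsa", "ecdsa-sha2-nistp256", "ecdsa-sha2-nistp384"}


def parse_ldif(text):
    """Minimal LDIF parser: entries separated by blank lines, multi-valued attributes."""
    entries, current = [], {}
    for line in text.splitlines():
        if not line.strip():
            if current:
                entries.append(current)
                current = {}
            continue
        attr, _, value = line.partition(":")
        if value.startswith(":"):                      # "attr:: <base64>"
            value = base64.b64decode(value[1:].strip()).decode()
        current.setdefault(attr.strip(), []).append(value.strip())
    if current:
        entries.append(current)
    return entries


def is_well_formed_key(line):
    """Declared type must be allowed and must equal the type encoded inside the blob."""
    parts = line.split()
    if len(parts) < 2 or parts[0] not in ALLOWED_TYPES:
        return False
    try:
        blob = base64.b64decode(parts[1], validate=True)
        (length,) = struct.unpack(">I", blob[:4])
        return blob[4:4 + length].decode() == parts[0]
    except (ValueError, struct.error, UnicodeDecodeError):
        return False


def authorized_keys(ldif_text, username):
    """Keys sshd should accept for `username` (what AuthorizedKeysCommand prints)."""
    if not USERNAME_RE.match(username):
        raise ValueError("refusing to look up a username that is not a plain POSIX login")
    for entry in parse_ldif(ldif_text):
        if entry.get("uid") == [username]:
            return [k for k in entry.get("sshPublicKey", []) if is_well_formed_key(k)]
    return []


def constructed_ed25519_key(seed):
    """Format-valid (not cryptographically meaningful) ed25519 public key line for samples."""
    blob = (b"\x00\x00\x00\x0bssh-ed25519" + struct.pack(">I", 32)
            + bytes((seed + i) % 256 for i in range(32)))
    return "ssh-ed25519 " + base64.b64encode(blob).decode() + " sample@laptop"


# Constructed LDIF: one user with a good key, a corrupt key and a disallowed legacy key.
SAMPLE_LDIF = f"""dn: uid=amina,ou=people,dc=icer,dc=example
uid: amina
cn: Amina Koraba
sshPublicKey: {constructed_ed25519_key(1)}
sshPublicKey: ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIJunk-that-is-not-valid== broken@laptop
sshPublicKey: ssh-dss AAAAB3NzaC1kc3MAAACB legacy@laptop

dn: uid=ben,ou=people,dc=icer,dc=example
uid: ben
cn: Ben Korabanyi
sshPublicKey: {constructed_ed25519_key(40)}
"""


if __name__ == "__main__":
    import sys
    for key in authorized_keys(SAMPLE_LDIF, sys.argv[1] if len(sys.argv) > 1 else "amina"):
        print(key)
```

Validating the blob against the declared type matters because the directory is written by an enrollment flow where the user asserts the key; a malformed or mislabelled value should be dropped by the lookup rather than handed to sshd. Rejecting unexpected usernames keeps a `%u` substitution from turning into an arbitrary directory query.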
Problem: Remote Sites, Low Bandwidth, Unreliable Circuits
Researchers at Mali and Uganda sites
▪ Shibboleth IdPs local to each site
▪ Some services local to each site
▪ Need access even if the local site becomes disconnected
▪ Requires that SPs/services be able to query for attributes
Solution: Replicate LDAP and Attribute Authority (see diagram on next slide)
Problem: Some Services Integrate with One IdP Only
Often seen with hosted services and COTS products
▪ Assume the contract maps to one and only one security realm
▪ Consume SAML but only provide for integration with one login server
▪ Research projects cross organizational boundaries
▪ Still want to leverage federated identity
Solution: IdP/SP Proxy or Bridge
Problem: IdP Won’t Release Global Identifier
The common persistent non-targeted identifier is eduPersonPrincipalName
▪ Not all IdPs will release ePPN
▪ Usually released by REFEDS Research & Scholarship IdPs
Some only provide a per-SP targeted persistent identifier
▪ The goal is to prevent correlation across SPs and protect privacy
▪ Admirable goal when SPs are unrelated
▪ Research projects have collections of SPs
▪ Correlation is collaboration and is essential!
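To make the targeted-identifier problem concrete, and to show why the IdP/SP proxy of the earlier slide addresses it, here is an added example that is not the presenters' code. The derivation follows the general shape of a computed targeted ID (a hash over the SP entity ID, the user's local identifier and a secret salt, as Shibboleth's computed ID does); the exact layout, hash choice, salt and all entity IDs are constructed assumptions.

```python
"""Added example (not the presenters' code): per-SP targeted IDs prevent
correlation across a project's services; a single proxy entity in front of
them gives every service the same value again."""

import base64
import hashlib


def targeted_id(local_id, sp_entity_id, salt):
    """Deterministic per-(user, SP) value; differs whenever the SP entity ID differs."""
    digest = hashlib.sha256(f"{sp_entity_id}!{local_id}!".encode() + salt).digest()
    return base64.b64encode(digest).decode()


def ids_seen_by_services(services, local_id, salt, proxy_entity_id=None):
    """Map each project service to the identifier it receives for one user.

    Without a proxy each service is its own SP, so the IdP hashes a different
    entity ID for each.  With a proxy the IdP only sees the proxy's entity ID,
    and the proxy forwards that single identifier to every service behind it."""
    if proxy_entity_id is None:
        return {svc: targeted_id(local_id, svc, salt) for svc in services}
    through_proxy = targeted_id(local_id, proxy_entity_id, salt)
    return {svc: through_proxy for svc in services}


def can_correlate(ids):
    """True when every service received the same value for the user."""
    return len(set(ids.values())) == 1


# Constructed entity IDs and salt for the demonstration.
SERVICES = ["https://galaxy.icer.example/sp",
            "https://sharepoint.icer.example/sp",
            "https://wiki.icer.example/sp"]
SALT = b"constructed-secret-salt-for-demo"


def demo(local_id="amina@campus1.example"):
    direct = ids_seen_by_services(SERVICES, local_id, SALT)
    bridged = ids_seen_by_services(SERVICES, local_id, SALT,
                                   proxy_entity_id="https://bridge.icer.example/sp")
    return {"direct_correlatable": can_correlate(direct),
            "distinct_direct": len(set(direct.values())),
            "bridged_correlatable": can_correlate(bridged)}


if __name__ == "__main__":
    print(demo())
```

The privacy property is exactly what blocks collaboration here: three unrelated-looking values for one researcher cannot be joined by the project, which is why the slide argues for either ePPN release or a registry that links identities. The bridged case shows the trade-off, since the project's own proxy is now the single point that sees every user across all of its services.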
Virtual Organizations and Federated Identity
▪ VOs can greatly benefit from leveraging federated identity
▪ Higher Ed federations are especially attractive
  – That’s where the users often are
  – Trust model with many, many years of relationship building
▪ Barriers to adoption remain
  – Wrong balance between privacy and fostering collaboration
  – Assumptions about the relationship between IdP and SP
  – All SPs are not vendor SPs nor campus SPs
▪ The promise of Higher Ed identity federations to transform research and scholarship collaboration is enormous!
Additional Acknowledgements
Michael Tartakovsky, CIO NIAID
Jeff Erickson, IAM Manager NIH
Ann West, Tom Scavo, John Krienke & InCommon
Ken Klingenstein & Internet2
Matthew Economou, Net eSolutions Corp.