Presentation is loading. Please wait.

Presentation is loading. Please wait.

Revamping IdP in the Cloud pilot activities

Published byRoy McDonald Modified over 6 years ago

Similar presentations

Presentation on theme: "Revamping IdP in the Cloud pilot activities"— Presentation transcript:

1 Revamping IdP in the Cloud pilot activities
Proposal for the forthcoming months Mario Reale, Maria Laura Mantovani, Davide Vaghetti, Marco Malavolti AARC JRA1, SA1, NA2 GARR AARC All Hands F2F CERN Geneva November 30, 2016

2 IdP in the Cloud in the Blueprint Architecture
Agenda IdP in the Cloud as an answer for AARC Requirements and Policy assurance IdP in the Cloud in the Blueprint Architecture The current existing solution - Proposal for a new implementation Required developments for the pilot Estimated efforts and timeline Outcome

3 Requirements addressed by IdP in the Cloud
Availability of well-configured, secure and schema compliant IDPs in the federation SIRTFI enforcement (Operational Security, Incident Response, Traceability, Participant Responsibilities) Entity Category (R&S, CoCo) support/Attribute release enforcement Ease the implementation of predefined assurance profiles (LoA) Reduce required effort to interface additional components possibly needed by SPs in the Federation Attribute Authorities Step-Up Authentication Provisioning of IDPs to poorly skilled/attended Home Organizations Enrollment of new identities in the Federation (guest users zero target) Best Practices Step-up AuthN Attribute Release Persistent Unique Id Attribute Aggregation Levels of Assurance Incident Response User Managed Information Guest Users

4 IdP in the Cloud in the Blueprint Architecture

5 Proposal for improvement of current GARR IdP in the Cloud (1/2)
IdP in the Cloud Features version 1 (current) version 2.0 (pilot) version X (evolution) Cloud Infrastructure Openstack Any docker-enabled cloud infrastructure Openstack (private cloud) Public cloud (Azure, AWS, etc.) Cloud Infrastructure integration manual Juju, Vagrant Container support (none) Docker (with persistent storage for DB, custom config, and logs) Kubernetes Deploy management Puppet Ansible OpSys Ubuntu Debian (latest) Ubuntu CentOS IdP SW Shibboleth v3.2.1(latest) Shibboleth v3.3.x (latest) Flavours IdP only IdP + IDM IdM+Directory+IdP

6 Proposal for improvement of current GARR IdP in the Cloud (2/2)
IdP in the Cloud Features version 1 (current) version 2.0 (pilot) version X (evolution) IdM OpenLDAP+phpLDAPadmin (mySQL) OpenLDAP+phpLDAPadmin OpenLDAP+PERUN OpenLDAP+midPoint OpenLDAP+Apache Syncope System monitoring Nagios, collectd Zabbix System security - Fail2ban or alternatives Statistics and accounting PHP script based on loganalysis script Added values Entity category support Managed Attribute filter Federation integration Managed LoA

7 Pilot tasks breakout Setup docker environment
Development of Ansible playbooks to Create the HomeOrg IdP including all required customizations Spawn and management of IdPs through Docker containers Support for english and local language (according to partners’ participation) We will evaluate other container types (e.g. LXC/LXD) and other Linux distributions (e.g. Ubuntu, CentOS) if of interest for pilot participants/community Set up of a testbed, possibly involving different infrastructures / hosting environments We encourage the participation of 1-2 AARC additional partners to the pilot Publish ansible playbooks and Docker recipes on public repos Publish the Docker image on Docker Hub

8 Draft estimated effort and timeline
Setup of required clusters at the sites (0.5 week , 2 persons) Creation of test Docker environment (0.5 week, 2 persons) Writing Ansible playbooks to carry out required tasks (4 weeks, 2 persons) Including local language support Tests against test SP-instances (1 week, 1 person) Writing comprehensive guide for providers, in collaboration with NA (2 weeks , 1 person) Writing Leaflet for HO, in collaboration with NA2 (1 week, 1 person) Showcasing everything on the SA1 wiki / Cockpit panel (2 weeks, 1 person) Timeline: Start : January 1, End: March 31, 2017

9 Outcome Demonstrate feasibility and effectiveness of providing IdP in the Cloud via containers deployable, possibly on different cloud infrastructures Production of an handbook for Cloud providers in order to offer the service Leaflet for Home Organizations about needs and benefits of the IdP in the Cloud solution

10 AARC vs GN4-2 approach in supporting IdP deployment
AARC NA2/SA1 proposed activities GN4-2 JRA3 Task 1 planned / ongoing activities Demonstrate feasibility for IdP in the Cloud Howto handbook for Cloud providers Leaflet for Home Organizations about needs and benefits of the IdP in the Cloud solution On-going survey on NRENs/Feds requirements around IdPs and level of appreciation for a Cloud-based solution Cost-Benefit Analysis to be provided for a Campus IdP platform .Its goal is supporting a GEANT decision on future transition to service for a Deployment toolkit NREN/GEANT hosted Cloud IdP platform Sketching an initial design for a comprehensive platform aimed at Providing IdP MD management Spawning IdPs on Containers Plugging private cloud infrastructures

11

Download ppt "Revamping IdP in the Cloud pilot activities"

Similar presentations

Cancún - Mexico, 28.05.2014 Andrea Biancini Towards a Federation as a Service From IdP in the Cloud project to FaaS.

Cancún - Mexico, Andrea Biancini Towards a Federation as a Service From IdP in the Cloud project to FaaS.
AAF Middleware update February16 2012 Presented by Terry Smith Technical Manager and Heath Marks Manager.

AAF Middleware update February Presented by Terry Smith Technical Manager and Heath Marks Manager.
Www.geant.org AARC Overview Licia Florio, David Groep 21 Jan 2015 presented by David Groep, Nikhef.

AARC Overview Licia Florio, David Groep 21 Jan 2015 presented by David Groep, Nikhef.
Federated Identity Management for HEP David Kelsey WLCG GDB 9 May 2012.

Federated Identity Management for HEP David Kelsey WLCG GDB 9 May 2012.
Connect communicate collaborate GÉANT3plus Enabling Users Pilots Lukas Hämmerle Task Leader Enabling Users

Connect communicate collaborate GÉANT3plus Enabling Users Pilots Lukas Hämmerle Task Leader "Enabling Users"
Authentication and Authorisation for Research and Collaboration Licia Florio (GÉANT) Christos Kanellopoulos (GRNET) Service orientation.

Authentication and Authorisation for Research and Collaboration Licia Florio (GÉANT) Christos Kanellopoulos (GRNET) Service orientation.
Https://aarc-project.eu Authentication and Authorisation for Research and Collaboration Pilots on the Integrated R&E AAI Paul van Dijk, Activity Lead Pilots.

Authentication and Authorisation for Research and Collaboration Pilots on the Integrated R&E AAI Paul van Dijk, Activity Lead Pilots.
Community Sign-On and BEN. Table of Contents  What is community sign-on?  Benefits  How it works (Shibboleth)  Shibboleth components  CSO workflow.

Community Sign-On and BEN. Table of Contents  What is community sign-on?  Benefits  How it works (Shibboleth)  Shibboleth components  CSO workflow.
Connect. Communicate. Collaborate AAI scenario: How AutoBAHN system will use the eduGAIN federation for Authentication and Authorization Simon Muyal,

Connect. Communicate. Collaborate AAI scenario: How AutoBAHN system will use the eduGAIN federation for Authentication and Authorization Simon Muyal,
Authentication and Authorisation for Research and Collaboration Licia Florio REFEDS Meeting The AARC Project I2 Technology Exchange.

Authentication and Authorisation for Research and Collaboration Licia Florio REFEDS Meeting The AARC Project I2 Technology Exchange.
Authentication and Authorisation for Research and Collaboration Licia Florio AARC Workshop The AARC Project Brussels, 26 October.

Authentication and Authorisation for Research and Collaboration Licia Florio AARC Workshop The AARC Project Brussels, 26 October.
Https://aarc-project.eu Authentication and Authorisation for Research and Collaboration David Kelsey AARC AHM Milan And mechanisms NA3 Task 4 – Scalable.

Authentication and Authorisation for Research and Collaboration David Kelsey AARC AHM Milan And mechanisms NA3 Task 4 – Scalable.
Https://aarc-project.eu Authentication and Authorisation for Research and Collaboration Niels van Dijk AARC General Meeting Authentication and Authorisation.

Authentication and Authorisation for Research and Collaboration Niels van Dijk AARC General Meeting Authentication and Authorisation.
Https://aarc-project.eu Authentication and Authorisation for Research and Collaboration Peter Solagna Milano, AARC General meeting Report and plans Attribute.

Authentication and Authorisation for Research and Collaboration Peter Solagna Milano, AARC General meeting Report and plans Attribute.
Authentication and Authorisation for Research and Collaboration Christos Kanellopoulos GRNET Proposed Pilots for Libraries and eGov.

Authentication and Authorisation for Research and Collaboration Christos Kanellopoulos GRNET Proposed Pilots for Libraries and eGov.
Https://aarc-project.eu Authentication and Authorisation for Research and Collaboration Mikael Linden AARC all hands Milan Authentication and Authorisation.

Authentication and Authorisation for Research and Collaboration Mikael Linden AARC all hands Milan Authentication and Authorisation.
JRA1.4 Models for implementing Attribute Providers and Token Translation Services Andrea Biancini.

JRA1.4 Models for implementing Attribute Providers and Token Translation Services Andrea Biancini.
Https://aarc-project.eu Authentication and Authorisation for Research and Collaboration David Groep AARC All Hands meeting Milano Policy and Best Practice.

Authentication and Authorisation for Research and Collaboration David Groep AARC All Hands meeting Milano Policy and Best Practice.
Authentication and Authorisation for Research and Collaboration Christos Kanellopoulos Open Day Event: Towards the European Open.

Authentication and Authorisation for Research and Collaboration Christos Kanellopoulos Open Day Event: Towards the European Open.
CERN IT Department CH-1211 Genève 23 Switzerland www.cern.ch/i t CERN IT Monitoring and Data Analytics Pedro Andrade (IT-GT) Openlab Workshop on Data Analytics.

CERN IT Department CH-1211 Genève 23 Switzerland t CERN IT Monitoring and Data Analytics Pedro Andrade (IT-GT) Openlab Workshop on Data Analytics.

Similar presentations

Ads by Google