What s New and What s Next

Transcription

1 Trust and Identity in Education and Research (TIER) What s New and What s Next Jim Jokl Keith Hazelton Bill Thompson Tom Jordan Kevin Morooney Ann West Steve Zoppi (University of Virginia), Chair/TIER Packaging Working Group (University of Wisconsin-Madison), Chair/TIER API and Data Structures Working Group (Lafayette College/Unicon), Lead/Grouper Documentation Project (University of Wisconsin-Madison), Architect, (Reference Architecture) (Internet2), Vice President/Trust and Identity (Internet2), Associate Vice President/Trust and Identity (Internet2), Associate Vice President/Services Integration and Architecture [ 1 ]

2 Introduction Ann West [ 2 ]

3 Foundation Principles (TIER Program) SUSTAIN Integrate ENHANCE EXTEND #1 Requirement: Integration Define a a of DevOps a consistently environment Environment Sustainability configured which supports enables and and deployed continuous campuses and environment for rapid adoption Standardization integration, community enhancement contributors to and and reliable/consistent extend ease of current upgrade/update. functionality configuration in validation/release. the context of a self-contained Federation fabric. Sustain Integrate Enhance Extend [ 3 ]

4 [ 4 ]

5 General Principles Support Campus and Software Engineering Best Practices Abstract Provided Components Define Stable Interfaces for Campuses Provide Firm Foundation for Future Development Leverage Existing Work Wherever Possible Narrow The Toolsets Utilize Virtual Machine Images and Containers Fortify the Federation s Operation [ 5 ]

6 Groundwork Amazon Web Services (Deployment Target) Community Forum (Vanilla Forums) Contact Management Systems (SalesForce) Defect and Feature Tracking Systems(JIRA) Financial and Accounting Systems (NetSuite/Zuora/Salesforce) Mail List Managers (Sympa / 21 lists and community groups) [ 6 ]

7 Groundwork Project Management (Web Portal/Web2Project) Service Management (ServiceNow) Source Management (GitHub - Enterprise) Support Databases and Reporting Systems (Various) Document Management (Confluence) Packaging and Container Generation (Packer and Docker) [ 7 ]

8 The Foundations of TIER Infrastructure RESTful APIs are the primary interfaces between TIER IAM Components and between TIER Components and External Systems TIER-defined Resources are shared and manipulated by RESTful APIs The API first approach is a key element supporting campus autonomy If you want to keep your identity registry, just expose its functionality as implementations of TIER APIs, it will then plug and play with other TIER components Supports selective adoption of TIER components and hybrid infrastructure models [ 8 ]

9 Consequential Early Choices Swagger 2 as the Primary TIER API Tool Used for both Design and documentation of APIs The language in which TIER APIs will be formally specified SCIM 2 as the anchor point for TIER API Style New IETF standard (RFCs 7642, 7643 and 7644) Provisioning and de-provisioning are the design center for SCIM, and a high priority for potential TIER adopters It doesn t cover all IAM functional needs, so TIER will end up defining new APIs: IdMatch is a good example A potential common language for higher education and commercial SaaS [ 9 ]

10 Release: Progress Report Ann West Steve Zoppi [ 10 ]

11 T&I Program/Community-Requested Solutions Categories Timing / Status 1 Application Programming Interfaces / Campus Near-Term / In Progress 2 VO De/Provisioning and Invitation Svcs (Comanage) Near-Term / In Progress 3 Student Applicant Identity Provider (CommIT) Beta / Suspended 4 Community IdP (Identity Provider of Last Resort) Community Solution / External 5 Entity Registry (Person and Object Registry) Near-Term / In Progress 6 Group Management and Group Administration Near-Term / In Progress 7 InCommon Federation Operations and Management Near-Term / In Progress 8 Component Packaging and Deployment Near-Term / In Progress 9 Component and Operations Security and Audit Near-Term / Recommendations 10 Scalable Consent Services Near-Term / Grant-Funded 11 Identity Provider and Service Provider (Shibboleth) Near-Term / In Progress 12 Community Training and TIER Program Mid-Term / Under Evaluation [ 11 ]

12 In Our Last Episode (Global Summit 2016) Proposed Milestones q Backbone usage scenario (BUS) proof of concept q An open IAM testbed based on the proof of concept q A containerized version of the IAM testbed for local experimentation q Well-instrumented code that can reveal behavior and health of the IAM infrastructure components and their interactions q First edition of a living guidebook: architectural patterns for IAM integration [ 12 ]

13 Today (TechEx 2016) Actual Progress q Backbone usage scenario (BUS) proof of concept q An open IAM testbed based on the proof of concept q A containerized version of the IAM testbed for local experimentation q Well-instrumented code that can reveal behavior and health of the IAM infrastructure components and their interactions q First edition of a living guidebook: architectural patterns for IAM integration In Progress POC Ready Ready Requirements Gathering Grouper Outline In Dev [ 13 ]

14 In Our Last Episode (Global Summit 2016) Proposed Milestones Testing and enhancement of the container/vm distributions Exploring Instrumentation Prioritize usability enhancements Setup automation and preconfiguration Campus metadata etc., etc. Build on the packaging foundation Automate the container and VM builds Operationalize the build process; produce regularly scheduled updates Start the process of automating testing Complete the work with the initial components [ 14 ]

15 Today (TechEx 2016) Actual Progress Testing and enhancement of the container/vm distributions In Progress Exploring Instrumentation POC Ready Prioritize usability enhancements Setup automation and preconfiguration CAMPUS PENDING Campus metadata ADOPTION etc., etc. Build on the packaging foundation Automate the container and VM builds THIS RELEASE Operationalize the build process; produce regularly scheduled updates NEXT PHASES Start the process of automating testing NEXT PHASES Complete the work with the initial components THIS RELEASE [ 15 ]

16 DevOps Model: Enabling Autonomy Workbench Path 1: Development and Iteration / Ideation Workbench Path 2: UAT/QA/Security Audit/Performance Assessment/Release [ 16 ]

17 Lessons Learned The community can accomplish a lot Dedicated set of volunteers Weekly calls Problem space evaluation Survey development and analysis Technical packaging strategy and prototyping Initial testbed If you have interest in this space, please join us Significant software development requires dedicated resources The foundational work done by volunteers Engaged commercial firm to build packaging [ 17 ]

18 Lessons Learned The Data Structures and APIs WG, along with the Entity Registry WG, attracted talented people from higher education institutions across the land (well over 120 on the mailing lists) The WG members will show up, work hard together and deliver what the WG charters asked for (our meeting notes alone amount to nearly 200 pages) Institutions will share their experience, their documents and their code: Penn State just released their Apache 2-licensed SCIM server and client libraries, significantly accelerating the API work. [ 18 ]

19 Lessons Learned Institutions with significant IAM projects underway have skin in the game and will make sure the Working Groups stay focused on essentials [ 19 ]

20 From Architecture to Construction and Back Again

21 TIER DELIVERABLES ARCHITECTURE : REFERENCE ARCHITECTURE REFERENCE IMPLEMENTATIONS INTEGRATION : API S AND EVENT MESSAGING DATA MODELS DOCUMENTATION : BEST PRACTICES DOCUMENTATION DEPLOYMENT GUIDES IMPLEMENTATION : DEMO WORKBENCH PRODUCTION WORKBENCH [ 21 ]

22 APIs [ 22 ]

23 Event-Driven Messaging [ 23 ]

24 Data Models, Schema, Resources { "username": "keith", "name": { "middlename": D", "givenname": "Keith", "familyname": "Hazelton", "displayname": "Keith Hazelton", "formatted": "Keith D Hazelton" }, "role": [ { "value": "member@testbed.tier.internet2.edu" }, { "value": "employee@testbed.tier.internet2.edu" }, { "value": "faculty@testbed.tier.internet2.edu" } ], "externalid": "hazelton@wisc.edu", " s": [ { "value": "keith@testbed.tier.internet2.edu" } ], "schemas": [ "urn:ietf:params:scim:schemas:core:2.0:user" ] } [ 24 ]

25 Demo WorkBench: Backbone Usage Scenario From onboarding of a new faculty or student to providing them access to an LMS [ 25 ]

26 Demo WorkBench: Backbone Usage Scenario From onboarding of a new faculty or student to providing them access to an LMS [ 26 ]

27 Demo WorkBench: Backbone Usage Scenario From onboarding of a new faculty or student to providing them access to an LMS [ 27 ]

28 Demo WorkBench: Backbone Usage Scenario From onboarding of a new faculty or student to providing them access to an LMS [ 28 ]

29 Demo WorkBench: Backbone Usage Scenario From onboarding of a new faculty or student to providing them access to an LMS [ 29 ]

30 Demo WorkBench: Backbone Usage Scenario From onboarding of a new faculty or student to providing them access to an LMS [ 30 ]

31 Demo WorkBench: Backbone Usage Scenario From onboarding of a new faculty or student to providing them access to an LMS [ 31 ]

32 Inception of metrics and instrumentation [ 32 ]

33 Devops and Packaging

34 TIER Development Model [ 34 ]

35 Preferences for TIER Software Installation [ 35 ]

36 Docker for Production Services [ 36 ]

37 VM Appliance for Production Services [ 37 ]

38 Strategy for TIER Packaging Component teams retain traditional installers These will continue to be needed well into the future Provide additional release types for the components Docker containers Virtual machine images to run the containers Focus on automation tools Build containers and VMs Automate testing Over time, goal of weekly builds Identify and deploy tooling that is able to deliver multiple formats Keep pace as technology changes [ 38 ]

39 Component Packaging Status Initial Release April 2016 First-look version of the packaged components Tightly coupled to the TIER testbed Current Release September/October 2016 Focus on production service capability Configuration management Virtual Machine images Docker container build environment Docker operations Shibboleth nearing release testing status COmanage and Grouper following [ 39 ]

40 Dual Function VMs: Build and Operate Build Environment Shibboleth configuration tree Simple tooling for initial IdP configuration Docker container build Scripting for operations Operational Environment Docker Tomcat ShibIdp_0 Docker Tomcat ShibIdp_1 Docker HAproxy [ 40 ]

41 Next Steps for Packaging Shibboleth IdP release COmanage and Grouper releases Tools Campus metadata management Shibboleth ease of configuration tooling Docker versions of the other TIER components Integration management Start on production build releases [ 41 ]

42 How you can help Testing For production use Real world scenarios Adoption Schools with active Docker efforts first We d like to hear from you if you are not already engaged What else should we be doing? [ 42 ]

43 Reference Architecture

44 TIER Reference Architecture A model for considering relationships between functional IAM components Audiences Business / Executive context setting Technical architects / implementers A set of narrative walkthroughs Illustrating specific business functions (enrollment, hire, job change, etc) Describing interactions between components A component glossary Defining each component and how it relates to others [ 44 ]

45 Grouper Deployment Guide TIER Grouper Deployment Guide 1.0 TIER Grouper Deployment Guide Proposal Expand the Columbia Grouper Deployment Guide to cover TIER recommendations Work with the TIER community on shared vocabulary, practice and strategies Distill community best practices from Community Contributions into specific guidance Expand IAM capabilities/use cases Timeline/Milestones TIER working group charter and community team formation - Aug draft outline TIER Grouper Deployment Guide - Sep 25, Internet2 Technical Exchange presentation/discussion/feedback - Sep 25-28, draft release Dec draft release and final comments period Feb-Mar final release Internet2 Summit Apr 2017 [ 45 ]

46 Grouper Deployment Guide Discussion at TechEx Grouper BOF - Tue Bayfront B ACAMP Session Find me in the hall :) Discussions after TechEx Grouper Deployment Guide Work - TIER Program NIST ABAC Columbia Grouper Deployment Guide What do you wish you knew before you started your Grouper deployment? What is missing from an initial deployment perspective? What should we work on in the way of recommended / best practices? Grouper wiki examples (folders, community examples, etc) Good examples of use cases? Good presentation/format? [ 46 ]

47 TIER Demos at 2016 Technology Exchange To see TIER Demos, stop by the TIER Demo Booth Biscayne Ballroom on the second level During your breaks and lunch through Wednesday. [ 47 ]

48 Staying Informed About TIER Join the TIER-Discussion list To subscribe: with the subject (case insensitive): subscribe tier-discussion Sign up to receive the TIER Newsletter Follow the TIER Working Groups from this wiki page oups+home Visit the Tech-Ex TIER Community Library hex2016tierc ommunitylibrar y [ 48 ]

49 Questions and Answers TIER Release Team [ 49 ]