11-July-2011, SURFnet Heather Flanagan, COmanage Project Coordinator Benn Oshrin, COmanage Developer...

11-July-2011, SURFnet Heather Flanagan, COmanage Project Coordinator Benn Oshrin, COmanage Developer Scott Koranda, U. Wisconsin – Milwaukee and LIGO

COmanage is:

• A Collaboration Management Platform (CMP) that consists of:
• An identity management system specifically designed for virtual organizations focused on collaboration (aka, a collaborative organization)
• Domesticated applications to encourage collaboration
• A template for federations to create their own service instances

Definitions

• Attributes
– Identifying bits of information that can be used for access control or to inform an application
• Collaboration Management Platform (CMP)
– COmanage, SURFconext
• Domesticated Applications
– Apps that can externalize authentication, group management, and authorization, and otherwise use the attributes provided by the infrastructure
• When the application needs to know more than identity (just groups, affiliations, other) and accepts the data from an external source, then we’re talking about domestication
• Federation
– “Authenticate locally, act globally”
• Virtual Organization
– A group of individuals from multiple institutions that share common resources primarily via internet-enabled technologies.

Domestication of applications

• Why?
• Ease of use experience
• Ease of user management
• Obvious targets: wikis, mailing lists
• Domain science targets: SSH, non-web apps
• Specific requests from engaged VO
• Foswiki: http://foswiki.org
• Moin: http://moinmo.in/
• DokuWiki: http://www.dokuwiki.org/dokuwiki
• RT: http://bestpractical.com/rt/
• DocDB: http://docdb-v.sourceforge.net/

Authentication

• Federated authentication is fundamental to any collaboration management platform (CMP)
• No new wheels here – use the information back at the home institution for authentication and other information
• By using federated authentication tools, you get more than just single sign on – attributes may come along to help inform group management

Group management

• Use of groups is a powerful tool in collaboration and access control
• Groups may be created by an admin or a researcher – what do you need?
• Groups may be automatically populated based on certain criteria
• Automatic deprovisioning out of groups is required

Provisioning and De-provisioning

• Goal: use the information as managed by each home institution to indicate whether a researcher is still there, or not, and provision, or deprovision, from that information

• No waiting for X.509 certificate expiration

• Profiles are starting to come into play

• Is this researcher interested in a particular area of research? If it is in his or her profile, then provide automatic access to the data
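
The group-management and provisioning slides above describe groups populated from criteria and memberships withdrawn when the home institution stops vouching for a researcher. A sketch of that reconciliation follows; it is an added example, not COmanage code, and the group names, the "interests" profile field and the sample people are hypothetical ("affiliation" stands in for an attribute such as eduPersonAffiliation released by the home institution).

```python
"""Attribute-driven group reconciliation (added illustration, not COmanage code)."""

# Automatic groups and the criterion that populates each one.
# Group names and the "interests" profile field are hypothetical.
AUTO_RULES = {
    "vo-members": lambda a: bool({"faculty", "staff", "student"} & set(a.get("affiliation", []))),
    "wiki-editors": lambda a: "faculty" in a.get("affiliation", []),
    "data-gravwave": lambda a: "gravitational-waves" in a.get("interests", []),
}


def reconcile(current, asserted):
    """Compare stored memberships with freshly asserted attributes.

    current  -- set of (person, group) pairs held by the CMP
    asserted -- {person: attributes} for everyone a home institution still vouches for
    Returns (to_add, to_remove), both sets of (person, group).
    """
    desired = {
        (person, group)
        for person, attrs in asserted.items()
        for group, rule in AUTO_RULES.items()
        if rule(attrs)
    }
    to_add = desired - current
    to_remove = set()
    for person, group in current:
        if person not in asserted:
            # Home institution no longer vouches for this person: drop every
            # membership, including groups a researcher created by hand.
            to_remove.add((person, group))
        elif group in AUTO_RULES and (person, group) not in desired:
            # Still affiliated, but no longer meets this automatic group's criteria.
            to_remove.add((person, group))
    return to_add, to_remove


# Constructed sample data: alice moved from faculty to student and added a
# research interest; bob has left his institution ("paper-draft" is a manual group).
CURRENT = {
    ("alice", "vo-members"), ("alice", "wiki-editors"), ("alice", "paper-draft"),
    ("bob", "vo-members"), ("bob", "paper-draft"),
}
ASSERTED = {"alice": {"affiliation": ["student"], "interests": ["gravitational-waves"]}}

if __name__ == "__main__":
    add, remove = reconcile(CURRENT, ASSERTED)
    print("provision:", sorted(add))
    print("deprovision:", sorted(remove))
```

Manually created groups are left alone while the person is still asserted, so only a loss of affiliation clears them.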

Quick History of COmanage

• Project started about 4 years ago
• First iteration = very very simple, proof of concept
• Second iteration = less simple, but created without significant VO input
• Third iteration = CMP in a Box! Nice idea, difficult to implement
• Current iteration = built on actual requirements from actual VO

Why Does a VO need a CMP?

• Provides a platform to consolidate the identity information of VO participants from the various home institutions, and

• Links identity back to the collaboration tools (mailing lists, wikis, domain science apps) automatically.

• The burden of tracking identity and authorization is off the researchers… but they can still easily report on it back to their granting agencies.

• With a full set of domesticated apps in the CMP, provisioning and deprovisioning happen with little to no effort on the part of the researcher or even their IT staff.

Challenges reported from VO

• The attribute problem – what’s automatically available?
– Enter in: InCommon, SURFfederatie, and other federations
• Social identity and LoA
– Different VO want to treat people differently based on how they are authenticating, and yet, technically the LoA is not different (LoA 1)

Cont’d

• Domesticating applications
– “the nice thing about standards…”
– Broader VO issues around who can license software for the VO
– Need more than just web-based tools

https://wiki.surfnetlabs.nl/display/domestication/Overview

One more…

• CMP across federations
– Should federation be a requirement?
– Does a CMP have to be an IdP?
– Should there be a common VO schema?
– What metadata needs to be shared between CMP?

VO use cases

• LIGO
– Large VO with collaborators and partner VO around the world
– Goal is hard science, focused on results from a set of large instruments
– A poster child for challenging identity management
– Already seeing improvements in collaboration and research interaction thanks to tools that know who they are without them having to ask

VO use cases, cont’d

• iPlant Collaborative
– Large VO with collaborators around the world
– Focus is on several “Grand Challenges” around plant biology, with a continuing theme of community outreach
– Expect thousands of participants, but how they are authenticated and registered in the system dictates what data they can see and use
– Domesticated app, especially storage, is a Big Deal

Role of the Federation

• Can the federation assist with the licensing problem?

• Can the federation mandate attribute release policies?

• Is the CMP a good service offering for federations to provide to their constituency?

Things we have learned

• Domesticated technologies are good
– But researchers are still learning about them
• Federations are good
– But researchers are still learning about them
• CMP are good
– But researchers are still learning about them

• Researchers don’t want to talk to IT – how to bridge that gap?

How to reach out to research?

• Start with a single research group, work with them closely
– Researchers will gossip in their field, and fields overlap
• Don’t surprise central IT
– Keep getting the word out to central IT players; they will know what to do when Dr. Brilliant demands a CMP for his VO by tea time

Roadmap

• Roadmap regularly updated in Jira
– https://bugs.internet2.edu/jira/browse/CO
• Highlights:
– Next 12 months includes releases .2 through .6
• Enrollment workflows
• Group and profile management
• Identity Provider “of last resort”

The 80/20 rule

• 80% of the work comes out of 20% of the use cases
– Cannot count on VO members being part of a federation
– Cannot suggest, dictate, require or even strongly hint that a VO should follow any particular enrollment process
– Cannot suggest, dictate, etc etc etc, what apps a VO should limit themselves to
– The nature of VO interaction influences the nature of collaboration, incl. dictating where and under what name the collaboration can be housed – making every VO unique

Conclusion

• CMP are hugely useful in helping a collaboration meet their goals

• Many areas associated with policy and politics still need to be worked out

• Next – info directly from a VO