TIER Stories from the Field: Harvesting Early Adopter Experiences (PowerPoint presentation)

Uploaded 2020-06-19
Presentation Transcript

Slide1

TIER Stories from the Field: Harvesting Early Adopter Experiences

James Jokl, University of Virginia
Janemarie Duh, Lafayette College
Shilen Patel, Duke University
Keith Wessel, University of Illinois - Urbana-Champaign

© 2016 Internet2

Slide2

Overview
TIER Release History
TIER Release One - April 2016
TIER Production Candidate Release - December 2016
TIER Production Release - April 2017

The TIER program depends on our “tire kickers” and early adopters. Thanks to all who have shared early impressions and experiences on the list TIER-adopters@internet2.edu.

Slide3

Today’s session features TIER early adopter stories from:
Lafayette College, Janemarie Duh
Duke University, Shilen Patel
University of Illinois, Keith Wessel

Slide4

Lafayette College TIER Story: COmanage for Sponsored Accounts
Janemarie Duh, Identity Management Systems Architect, Lafayette College

Slide5

Overview
Institutional background
IAM, InCommon, and TIER
Affiliates: IdM process gaps
Capabilities of COmanage
Three key benefits

Slide6

Institutional Sketch
Lafayette College (Easton, PA)

Slide7

IAM, InCommon, and TIER
IAM: custom-engineered IdMS, a mature program; Shibboleth IdP for federation; Grouper for access policies
InCommon participant
TIER investor campus

Slide8

Affiliates: IdM process gaps
Management via the custom IdMS wasn’t a good fit
Additional burden placed on HR and the Office of the Provost
Lack of timely access removal
End dates weren’t known for some affiliates
A process to extend access wasn’t in place

Slide9

Capabilities of the third TIER component
COmanage is a person registry that stores information
COmanage provisions to LDAP and sends notices to enrollees
Expiration dates are set on identity records
COmanage sends automated expiration notices
Requests for renewals are easily handled

Slide10

COmanage delivered three key benefits
It ensured that each sponsored account has an L number for the purpose of identity matching
There is a known and tracked sponsor for each enrollee
The entire identity lifecycle of affiliates is managed

Slide11

TIER Stories from the Field: COmanage for Sponsored Accounts
Janemarie Duh, duhj@lafayette.edu

COmanage blog post: http://www.internet2.edu/blogs/detail/13546

Slide12

Duke TIER Story - Focus on Shibboleth

Shilen Patel

IdM Architect & Team Lead, Duke University

Slide13

Duke - Overview
Background of Shibboleth at Duke
Current Shibboleth environment
Issues with our current environment
TIER packaging evaluation
Next steps

Slide14

Background of Shibboleth at Duke
Running Shibboleth IdP in production since ~2004.
Eventually replaced our locally developed Web SSO system.
Upgraded to Shibboleth IdP v3 in 2015 with Docker.
Currently more than 2700 locally registered SPs.

Slide15

Current Shibboleth Environment at Duke (diagram slide)

Slide16

Current Shibboleth Environment at Duke (diagram slide, continued)

Slide17

Current Shibboleth Environment at Duke – The Issues
No build environment.
Deployment is very manual – basically building images on each of our 10 VMs individually and swapping out containers.
No automated tests to confirm builds.
Shibboleth IdP config/software checked into Subversion and checked out on all VMs.
The entire /opt/shibboleth is a volume in Docker.

Slide18

TIER Packaging Evaluation and Duke
TIER released production candidate versions of Grouper, Shibboleth, and COmanage in December.
Since Duke is undergoing some major changes to our Shibboleth environment this summer, Shibboleth was the first place to start.

Slide19

TIER Shibboleth VM - Duke
TIER provided a VM that could be run using VirtualBox.
VM contains scripts to setup/install/configure the IdP.
VM contains 3 Docker images: 2 instances of Shibboleth and an HA Proxy.
Default configuration as recommended by TIER/InCommon, e.g. automatically loading the InCommon metadata.
VM contains various scripts to rebuild and restart the containers.
All IdP software and configuration are stored within the image, making it trivial to roll back to the state of the IdP at a previous point in time.

Slide20

Initial Issues Encountered at Duke
Not clear what TIER’s vision is for how the VMs should be deployed in a production environment.
Not clear how one would customize the VM and Docker images and maintain those customizations after upgrading to the next TIER Shibboleth VM.
HA Proxy seemed odd at the beginning.

Slide21

Changes to Allow Quicker TIER Adoption at Duke
A Docker image for Shibboleth without a VM.
A method of externalizing configuration.
Documentation on what deployers should expect and how they should be using the packages. An explanation of the pros/cons of each approach.
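One way to address the two Duke asks above (customizations that survive a base-image upgrade, and configuration kept outside the shipped image) is an overlay Dockerfile in a site repository. The example below is added here and is not the TIER-shipped Dockerfile or Duke's; it assumes the TIER IdP base image is published as tier/shib-idp (the tag is a placeholder) and that the IdP lives at /opt/shibboleth-idp inside it, as in a stock IdP install.

```dockerfile
# Added example, not the TIER or Duke Dockerfile. Assumed base image name and
# tag; assumed IdP home of /opt/shibboleth-idp.
FROM tier/shib-idp:3.3.1

# Site customizations live in this repository, not in a hand-edited container.
# Each directory replaces the base image's copy, so a TIER upgrade becomes:
# bump the FROM tag, rebuild, run the smoke tests, redeploy.
COPY conf/      /opt/shibboleth-idp/conf/
COPY metadata/  /opt/shibboleth-idp/metadata/
COPY views/     /opt/shibboleth-idp/views/
COPY messages/  /opt/shibboleth-idp/messages/

# Secrets are NOT baked into the image. The IdP's signing/encryption keys and
# the data-sealer keystore are under credentials/, which is mounted read-only
# at run time, e.g.
#   docker run -v /srv/idp/credentials:/opt/shibboleth-idp/credentials:ro ...
# so the same image can be pushed to a registry and pulled by every node.
VOLUME /opt/shibboleth-idp/credentials

# Record which configuration commit produced this image; rollback is then
# "redeploy the previous tag", with no VM-by-VM rebuild.
ARG GIT_COMMIT=unknown
LABEL edu.example.idp.config-commit=$GIT_COMMIT
```

Build with `docker build --build-arg GIT_COMMIT=$(git rev-parse HEAD) -t idp:$(git rev-parse --short HEAD) .` from the repository root. Because the image contains everything except the credentials volume, the "build on each of 10 VMs and swap containers" procedure collapses to a single build, one push, and a pull on each node; the LABEL makes `docker inspect` on any running container answer the question "which checkout is this?".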

Slide22

The University of Illinois at Urbana-Champaign (UIUC)
Shibboleth, TIER, and the Cloud: A Short-Term Forecast
Keith Wessel, Identity and Access Management Team, University of Illinois at Urbana-Champaign

Slide23

Current Conditions at UIUC
IdP nodes running on local virtual machines
Global load balancing: primary cluster on campus, hot spare cluster remote
MySQL cluster for consent storage
Authentication and attribute stores from AD and IBM LDAP
All dependencies globally load balanced

Slide24

Send in the Clouds - UIUC
Organization-wide effort to move to cloud-hosted services or AWS-hosted infrastructure
AWS hosting using Elastic Beanstalk, Amazon’s version of Docker
Hey, TIER’s packaging uses Docker!
Elastic Beanstalk adds tremendous scalability
Deploy new IdP version with no outage
Automate builds using Drone
Automate deployments using AWS CodePipeline
Dynamically scale IdP cluster size based on load
Geographically distributed? We’ve got ‘ya covered.
Amazon RDS replaces our consent storage database cluster

Slide25

Raindrops Keep Falling on my Head - UIUC
We’re ready for TIER, it’s not ready for us
Cumbersome to maintain a build VM
Images pulled from Dockerhub aren’t currently meant to be used directly
Updating the TIER package for IdP upgrades and security fixes?
Lots of pieces to still think about for Dockerizing:
Logging: Splunk?
Secrets like private keys and passwords
Data sealer key generation and distribution
Off-topic: same challenges with the TIER-packaged Grouper
Goodbye Tomcat, hello Jetty. No, wait, hello Tomcat.
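The "data sealer key generation and distribution" item above is the one that bites hardest once the IdP is a fleet of containers rather than a few long-lived VMs. The Shibboleth IdP keeps its DataSealer keys in a JCEKS keystore with versioned aliases (secret1, secret2, ...) and a sealer.kver file naming the current version; the seckeygen.sh script rotates them. Anything sealed with a key (encrypted session cookies, client-side storage records) carries the key version it was sealed under, so a node must hold the same keyring as its peers and must keep older versions for as long as something sealed with them can still be presented. The example below is added here and is not Shibboleth, TIER, or UIUC code: it reproduces those rotation rules in plain Python, using an HMAC-SHA256 encrypt-then-MAC construction as a standard-library stand-in for the IdP's AES-GCM, and a JSON blob as a stand-in for the keystore plus kver file. The key size and retention count are assumptions.

```python
"""Versioned data-sealer keyring: rotate keys without breaking in-flight tokens.

Added example, not Shibboleth/TIER code. Stand-ins: HMAC-based encrypt-then-MAC
instead of AES-GCM, JSON instead of a JCEKS keystore + sealer.kver.
"""
import hashlib
import hmac
import json
import os
import secrets

KEY_BYTES = 16        # assumption: 128-bit keys, as a default seckeygen run produces
RETAIN_VERSIONS = 3   # assumption: keep the current key plus two predecessors


class Keyring:
    """Map of key version -> key bytes, plus a pointer to the current version."""

    def __init__(self):
        self.keys = {}
        self.current = 0

    def rotate(self):
        """Mint a new key, make it current, prune versions older than RETAIN_VERSIONS."""
        self.current += 1
        self.keys[self.current] = secrets.token_bytes(KEY_BYTES)
        for v in [v for v in self.keys if v <= self.current - RETAIN_VERSIONS]:
            del self.keys[v]
        return self.current

    # Distribution: the whole keyring travels as one blob so every node loads
    # identical versions. Partial sync (new key on some nodes only) is the bug.
    def export(self) -> str:
        return json.dumps({"current": self.current,
                           "keys": {str(v): k.hex() for v, k in self.keys.items()}})

    @classmethod
    def load(cls, blob: str) -> "Keyring":
        d = json.loads(blob)
        kr = cls()
        kr.current = d["current"]
        kr.keys = {int(v): bytes.fromhex(k) for v, k in d["keys"].items()}
        return kr


def _subkeys(key: bytes):
    """Derive independent encryption and MAC keys from one stored key."""
    return (hashlib.sha256(b"enc" + key).digest(),
            hashlib.sha256(b"mac" + key).digest())


def _keystream(enc_key: bytes, nonce: bytes, length: int) -> bytes:
    """HMAC-SHA256 in counter mode as a PRF-based keystream (stand-in for AES)."""
    out = b""
    counter = 0
    while len(out) < length:
        out += hmac.new(enc_key, nonce + counter.to_bytes(4, "big"), hashlib.sha256).digest()
        counter += 1
    return out[:length]


def seal(kr: Keyring, data: bytes) -> str:
    """Encrypt-then-MAC under the current key; the version prefix drives unsealing."""
    version = kr.current
    enc_key, mac_key = _subkeys(kr.keys[version])
    nonce = os.urandom(12)
    ct = bytes(a ^ b for a, b in zip(data, _keystream(enc_key, nonce, len(data))))
    tag = hmac.new(mac_key, str(version).encode() + nonce + ct, hashlib.sha256).digest()
    return f"{version}:{(nonce + ct + tag).hex()}"


def unseal(kr: Keyring, token: str):
    """Plaintext, or None if the version is unknown (pruned or never distributed)
    or the tag does not verify. Both failures look identical to the caller."""
    version_s, hex_body = token.split(":", 1)
    key = kr.keys.get(int(version_s))
    if key is None:
        return None
    body = bytes.fromhex(hex_body)
    nonce, ct, tag = body[:12], body[12:-32], body[-32:]
    enc_key, mac_key = _subkeys(key)
    expected = hmac.new(mac_key, version_s.encode() + nonce + ct, hashlib.sha256).digest()
    if not hmac.compare_digest(tag, expected):
        return None
    return bytes(a ^ b for a, b in zip(ct, _keystream(enc_key, nonce, len(ct))))


def rotation_demo() -> dict:
    """Walk one token through rotations and through a node that missed a sync."""
    ring = Keyring()
    ring.rotate()
    token = seal(ring, b"idp-session-for-alice")
    survived = 0
    while unseal(ring, token) is not None:     # valid until its version is pruned
        survived += 1
        ring.rotate()
    stale_node = Keyring.load(ring.export())   # a peer that stops syncing here
    ring.rotate()
    new_token = seal(ring, b"idp-session-for-bob")
    return {"rotations_survived": survived,
            "stale_node_rejects_new": unseal(stale_node, new_token) is None,
            "synced_node_accepts_new":
                unseal(Keyring.load(ring.export()), new_token) == b"idp-session-for-bob"}
```

The two numbers to get right operationally fall out of `rotation_demo()`: the retention count bounds how many rotations a sealed cookie survives, so it must exceed the longest session lifetime divided by the rotation interval; and a node that missed a keyring push silently rejects every token minted by its peers, which on a load-balanced cluster shows up as users being bounced back to the login page at random. In a container fleet, that means the keystore and kver must be distributed from one source (a mounted secret, a secrets manager) rather than generated per container at start-up.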

Slide26

The Sun Will Come Out Tomorrow - UIUC
Moving forward for now with another Docker image, but ready to switch to TIER ASAP
TIER’s plans include the option to build directly from a Dockerhub image
TIER also plans on increasing the frequency of image updates
We also eventually hope to see:
Drop-in configurations for specific vendor SP partnerships
TIER recommendations for the logging and storage challenges mentioned previously
TIER’s packages should be a good fit for AWS, and these perks will add value for InCommon deployers

Slide27

Sharing your TIER Stories/Feedback
Thanks to our presenters today. The success of the TIER program depends on the community’s testing and feedback.
Please share your own TIER stories, questions, and feedback on the list tier-adopters@internet2.edu
To subscribe: email sympa@internet2.edu with the subject: subscribe tier-adopters

Slide28

Questions / Discussion

Slide29

Thank you for attending.