Slide 1
TIER Stories from the Field: Harvesting Early Adopter Experiences
James Jokl, University of Virginia
Janemarie Duh, Lafayette College
Shilen Patel, Duke University
Keith Wessel, University of Illinois - Urbana-Champaign
© 2016 Internet2
Slide 2
Overview
TIER Release History
TIER Release One - April 2016
TIER Production Candidate Release - December 2016
TIER Production Release - April 2017
The TIER program depends on our “tire kickers” and early adopters. Thanks to all who have shared early impressions and experiences on the list TIER-adopters@internet2.edu.
Slide 3
Today’s session features TIER early adopter stories from:
Lafayette College, Janemarie Duh
Duke University, Shilen Patel
University of Illinois, Keith Wessel
Slide 4
Lafayette College TIER Story: COmanage for Sponsored Accounts
Janemarie Duh
Identity Management Systems Architect, Lafayette College
Slide 5
Overview
Institutional background
IAM, InCommon, and TIER
Affiliates: IdM process gaps
Capabilities of COmanage
Three key benefits
Slide 6
Institutional Sketch
Lafayette College (Easton, PA)
Slide 7
IAM, InCommon, and TIER
IAM
Custom-engineered IdMS
Mature program
Shibboleth IdP for federation
Grouper for access policies
InCommon Participant
TIER investor campus
Slide 8
Affiliates: IdM process gaps
Management via the custom IdMS wasn’t a good fit
Additional burden placed on HR and Office of the Provost
Lack of timely access removal
End dates weren’t known for some affiliates
A process to extend access wasn’t in place
Slide 9
Capabilities of the third TIER component
COmanage is a person registry that stores information
COmanage provisions to LDAP and sends notices to enrollees
Expiration dates are set on identity records
COmanage sends automated expiration notices
Requests for renewals are easily handled
Slide 10
COmanage delivered three key benefits
It ensured that each sponsored account has an L number for the purpose of identity matching
There is a known and tracked sponsor for each enrollee
The entire identity lifecycle of affiliates is managed
Slide 11
TIER Stories from the Field: COmanage for Sponsored Accounts
Janemarie Duh
duhj@lafayette.edu
COmanage blog post: http://www.internet2.edu/blogs/detail/13546
Slide 12
Duke TIER Story - Focus on Shibboleth
Shilen Patel
IdM Architect & Team Lead, Duke University
Slide 13
Duke - Overview
Background of Shibboleth at Duke
Current Shibboleth environment
Issues with our current environment
TIER packaging evaluation
Next steps
Slide 14
Background of Shibboleth at Duke
Running Shibboleth IdP in production since ~2004.
Eventually replaced our locally developed Web SSO system.
Upgraded to Shibboleth IdP v3 in 2015 with Docker.
Currently more than 2700 locally registered SPs.
Slide 15
Current Shibboleth Environment at Duke
Slide 16
Current Shibboleth Environment at Duke
Slide 17
Current Shibboleth Environment at Duke – The Issues
No build environment.
Deployment is very manual – basically building images on each of our 10 VMs individually and swapping out containers.
No automated tests to confirm builds.
Shibboleth IdP config/software checked into Subversion and checked out on all VMs.
The entire /opt/shibboleth is a volume in Docker.
Slide 18
TIER Packaging Evaluation and Duke
TIER released production candidate versions of Grouper, Shibboleth, and COmanage in December.
Since Duke is undergoing some major changes to our Shibboleth environment this summer, Shibboleth was the first place to start.
Slide 19
TIER Shibboleth VM - Duke
TIER provided a VM that could be run using VirtualBox.
VM contains scripts to setup/install/configure the IdP.
VM contains 3 Docker images:
2 instances of Shibboleth
An HA Proxy
Default configuration as recommended by TIER/InCommon, e.g. automatically loading the InCommon metadata.
VM contains various scripts to rebuild and restart the containers.
All IdP software and configuration are stored within the image, making it trivial to roll back to the state of the IdP at a previous point in time.
Slide 20
Initial Issues Encountered at Duke
Not clear what TIER’s vision is for how the VMs should be deployed in a production environment.
Not clear how one would customize the VM and Docker images and maintain those customizations after upgrading to the next TIER Shibboleth VM.
HA Proxy seemed odd at the beginning.
Slide 21
Changes to Allow Quicker TIER Adoption at Duke
A Docker image for Shibboleth without a VM.
A method of externalizing configuration.
Documentation on what deployers should expect and how they should be using the packages. An explanation of the pros/cons of each approach.
Slide 22
The University of Illinois at Urbana-Champaign (UIUC)
Shibboleth, TIER, and the Cloud: A Short-Term Forecast
Keith Wessel
Identity and Access Management Team, University of Illinois at Urbana-Champaign
Slide 23
Current Conditions at UIUC
IdP nodes running on local virtual machines
Global load balancing: primary cluster on campus, hot spare cluster remote
MySQL cluster for consent storage
Authentication and attribute stores from AD and IBM LDAP
All dependencies globally load balanced
Slide 24
Send in the Clouds - UIUC
Organization-wide effort to move to cloud-hosted services or AWS-hosted infrastructure
AWS hosting using Elastic Beanstalk, Amazon’s version of Docker
Hey, TIER’s packaging uses Docker!
Elastic Beanstalk adds tremendous scalability
Deploy new IdP version with no outage
Automate builds using Drone
Automate deployments using AWS CodePipeline
Dynamically scale IdP cluster size based on load
Geographically distributed? We’ve got ya covered.
Amazon RDS replaces our consent storage database cluster
Slide 25
Raindrops Keep Falling on my Head - UIUC
We’re ready for TIER, it’s not ready for us
Cumbersome to maintain a build VM
Images pulled from Dockerhub aren’t currently meant to be used directly
Updating the TIER package for IdP upgrades and security fixes?
Lots of pieces to still think about for Dockerizing:
Logging: Splunk?
Secrets like private keys and passwords
Data sealer key generation and distribution
Off-topic: same challenges with the TIER-packaged Grouper
Goodbye Tomcat, hello Jetty. No, wait, hello Tomcat.
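As an added illustration, not TIER's, Duke's or UIUC's own files: a Docker Compose layout for the topology on slide 19 (two IdP containers behind HAProxy) with the configuration externalized as slide 21 asks for, and the private keys and data sealer keystore from slide 25 mounted as secrets instead of baked into the image. The image name and tag, the /opt/shibboleth-idp paths, the secret file names and the HAProxy image are assumptions.

```yaml
# Added example only; image names, tags, ports and paths are assumptions.
version: "3.8"

x-idp: &idp
  # Pinned tag: rolling back is redeploying the previous tag, which keeps the
  # "roll back to a previous point in time" property of the TIER VM.
  image: example.org/shibboleth-idp:3.3.1-tier
  volumes:
    # Config and metadata live outside the image so local customizations
    # survive an upgrade to the next TIER image (read-only inside the container).
    - ./idp/conf:/opt/shibboleth-idp/conf:ro
    - ./idp/metadata:/opt/shibboleth-idp/metadata:ro
  secrets:
    # Mounted at /run/secrets/<name>; never copied into an image layer.
    - idp-signing.key
    - idp-encryption.key
    - sealer.jks
    - sealer.kver
  logging:
    driver: "json-file"   # replace with the splunk or syslog driver to ship logs

services:
  # Both nodes mount the same sealer keystore, so session and consent cookies
  # sealed by one node are readable by the other; with the IdP's default
  # client-side storage, HAProxy then needs no sticky sessions.
  idp1:
    <<: *idp
    hostname: idp1
  idp2:
    <<: *idp
    hostname: idp2
  haproxy:
    image: haproxy:2.8
    ports:
      - "443:443"
    volumes:
      - ./haproxy/haproxy.cfg:/usr/local/etc/haproxy/haproxy.cfg:ro
    depends_on:
      - idp1
      - idp2

secrets:
  # File-backed secrets kept on the host (or injected by the CI/CD pipeline),
  # outside the image and outside version control.
  idp-signing.key:    { file: ./secrets/idp-signing.key }
  idp-encryption.key: { file: ./secrets/idp-encryption.key }
  sealer.jks:         { file: ./secrets/sealer.jks }
  sealer.kver:        { file: ./secrets/sealer.kver }
```

The IdP's own idp.properties must then point its key and sealer resources at the /run/secrets paths; rotating the sealer key means regenerating the keystore once and redeploying both nodes with the new secret files.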
Slide 26
The Sun Will Come Out Tomorrow - UIUC
Moving forward for now with another Docker image, but ready to switch to TIER ASAP
TIER’s plans include the option to build directly from a Dockerhub image
TIER also plans on increasing the frequency of image updates
We also eventually hope to see:
Drop-in configurations for specific vendor SP partnerships
TIER recommendations for logging and storage challenges mentioned previously
TIER’s packages should be a good fit for AWS, and these perks will add value for InCommon deployers
Slide 27
Sharing your TIER Stories/Feedback
Thanks to our presenters today. The success of the TIER program depends on the community’s testing and feedback.
Please share your own TIER stories, questions, and feedback on the list tier-adopters@internet2.edu
To subscribe: email sympa@internet2.edu with the subject: subscribe tier-adopters
Slide 28
Questions / Discussion
Slide 29
Thank you for attending.