
Identity Management for IRIS



  1. Identity Management for IRIS
  Thomas Dack, Science and Technology Facilities Council

  2. But what is IRIS?
  • A coordinating body for the provision of STFC eInfrastructure
  • A collaboration between STFC, its eInfrastructure providers, and science activity representatives
  • IRIS does not provide computing services directly to users
    • It has no means to do so: it is not a computing project
    • Instead it funds partners, and others, to provide hardware to meet the needs of user activities
  • Identity management is required for IRIS resources to function as a coherent infrastructure

  3. IRIS Partner Examples
  • IRIS Science Activity examples:
    • The Diamond Light Source
    • The ISIS Neutron Source
    • The Central Laser Facility
    • The LHC and its experiments (ATLAS, CMS, LHCb, ALICE)
    • The Square Kilometre Array
    • The LIGO Gravitational Wave detector
    • The Cherenkov Telescope Array
    • The DUNE and HyperK neutrino and other particle physics experiments
  • IRIS Provider Entity examples:
    • STFC Scientific Computing Department
    • STFC Hartree Centre
    • STFC Ada Lovelace Centre
    • DiRAC
    • GridPP
    • The DLS Computing Department
    • CCFE computing

  4. The IRIS Identity Project
  • Funded as an IRIS digital asset
  • INDIGO IAM selected for use due to its existing capabilities and support
  • Aims of the IRIS IAM:
    • Provide users with a consistent authorization experience across IRIS services
    • Provide group management capability for the various science communities

  5. IRIS IAM Deployment & Config
  • Hosted at: https://iris-iam.stfc.ac.uk
  • INDIGO IAM v1.5.0.rc6-SNAPSHOT deployed via Docker
    • This is a pre-release version, used to work around an issue in the v1.4.0 stable release
  • Hosted on a virtual machine managed by the RAL Tier 1
    • Has its own ticketing queue within the Tier 1
  • Monitoring of host and service health via Icinga
  • Backend DB managed by SCD Database Services

  6. Challenges and Issues
  • NameID format
    • The default NameID format in IAM v1.4.0 is “persistent”
    • This is not supported by many IdPs, including STFC’s
  • AUP formatting
    • Currently the AUP is held as a single line of text with no newline/formatting support
    • Due to be changed in IAM v1.5.0
    • Currently set up to be as readable as possible (shown on the right of the slide)

  7. Current Status
  • Recently registered as a service provider within the UK Access Management Federation
    • Registration and authentication with eduGAIN now in use
    • Asserting Sirtfi, R&S (Research and Scholarship) and the Code of Conduct
  • IAM v1.4.0 has an issue with its default NameID policy, meaning most UK IdPs fail. This is fixed in v1.5.0, provisionally due in September
  • Configured as an authentication option for the STFC OpenStack cloud
  • Policy work: draft Privacy and Acceptable Usage Policies are in place and hosted alongside the IAM
    • Completed as part of the IRIS Trust Framework digital asset
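The NameID problem described in slides 6 and 7, worked through as an added example (this is not code from the IRIS IAM deployment or from INDIGO IAM): an SP asks for a particular NameID format in the NameIDPolicy of its AuthnRequest, and an IdP that cannot honour it rejects the login with the second-level SAML status InvalidNameIDPolicy. The check below parses a constructed fragment of IdP metadata, lists the formats the IdP advertises, and reports whether a request for “persistent” would be honoured. The entity IDs, URLs and metadata are made up for the example.

```python
"""Check whether an SP's SAML NameIDPolicy can be met by a given IdP.

Added example for the NameID problem in slides 6 and 7; not code from the
IRIS IAM deployment or from INDIGO IAM. Entity IDs, URLs and the metadata
fragment are constructed for the example.
"""
from typing import List, Optional
import xml.etree.ElementTree as ET

NS = {
    "md": "urn:oasis:names:tc:SAML:2.0:metadata",
    "samlp": "urn:oasis:names:tc:SAML:2.0:protocol",
    "saml": "urn:oasis:names:tc:SAML:2.0:assertion",
}

PERSISTENT = "urn:oasis:names:tc:SAML:2.0:nameid-format:persistent"
TRANSIENT = "urn:oasis:names:tc:SAML:2.0:nameid-format:transient"
UNSPECIFIED = "urn:oasis:names:tc:SAML:1.1:nameid-format:unspecified"

# Constructed IdP metadata: this IdP advertises transient and unspecified
# NameIDs only, the situation the slides describe for many UK IdPs.
IDP_METADATA = """<?xml version="1.0" encoding="UTF-8"?>
<md:EntityDescriptor xmlns:md="urn:oasis:names:tc:SAML:2.0:metadata"
    entityID="https://idp.example.ac.uk/idp/shibboleth">
  <md:IDPSSODescriptor protocolSupportEnumeration="urn:oasis:names:tc:SAML:2.0:protocol">
    <md:NameIDFormat>urn:oasis:names:tc:SAML:2.0:nameid-format:transient</md:NameIDFormat>
    <md:NameIDFormat>urn:oasis:names:tc:SAML:1.1:nameid-format:unspecified</md:NameIDFormat>
    <md:SingleSignOnService
        Binding="urn:oasis:names:tc:SAML:2.0:bindings:HTTP-Redirect"
        Location="https://idp.example.ac.uk/idp/profile/SAML2/Redirect/SSO"/>
  </md:IDPSSODescriptor>
</md:EntityDescriptor>
"""


def supported_nameid_formats(metadata_xml: str) -> List[str]:
    """NameID formats listed in the IdP's IDPSSODescriptor (may be empty: the element is optional)."""
    root = ET.fromstring(metadata_xml)
    return [e.text.strip() for e in root.findall("md:IDPSSODescriptor/md:NameIDFormat", NS) if e.text]


def build_authn_request(sp_entity_id: str, acs_url: str, nameid_format: Optional[str]) -> str:
    """Minimal unsigned AuthnRequest. NameIDPolicy is the knob the slides discuss;
    passing None omits it, which leaves the choice of identifier to the IdP."""
    policy = "" if nameid_format is None else (
        f'  <samlp:NameIDPolicy Format="{nameid_format}" AllowCreate="true"/>\n')
    return (
        f'<samlp:AuthnRequest xmlns:samlp="{NS["samlp"]}" xmlns:saml="{NS["saml"]}"\n'
        '    ID="_9a1f3c" Version="2.0" IssueInstant="2020-06-01T12:00:00Z"\n'
        f'    AssertionConsumerServiceURL="{acs_url}">\n'
        f'  <saml:Issuer>{sp_entity_id}</saml:Issuer>\n'
        f'{policy}'
        '</samlp:AuthnRequest>'
    )


def requested_nameid_format(authn_request_xml: str) -> Optional[str]:
    """Format attribute of the request's NameIDPolicy, or None when the element is absent."""
    root = ET.fromstring(authn_request_xml)
    policy = root.find("samlp:NameIDPolicy", NS)
    return None if policy is None else policy.get("Format")


def nameid_policy_satisfiable(requested: Optional[str], supported: List[str]) -> bool:
    """True when the IdP can honour the policy.

    Per SAML 2.0 Core, an omitted Format or the 1.1 'unspecified' value leaves the
    choice to the IdP; any other value must be one the IdP supports, otherwise it
    answers with the second-level status InvalidNameIDPolicy and the login fails.
    """
    if requested is None or requested == UNSPECIFIED:
        return True
    return requested in supported


def check_sp_against_idp(metadata_xml: str, nameid_format: Optional[str]) -> dict:
    """Build the request, compare it with the IdP metadata, and suggest a fallback format."""
    supported = supported_nameid_formats(metadata_xml)
    request = build_authn_request("https://sp.example.org/saml/metadata",
                                  "https://sp.example.org/saml/SSO", nameid_format)
    requested = requested_nameid_format(request)
    ok = nameid_policy_satisfiable(requested, supported)
    return {
        "requested": requested,
        "idp_supports": supported,
        "ok": ok,
        "fallback": None if ok else (TRANSIENT if TRANSIENT in supported else None),
    }


if __name__ == "__main__":
    for fmt in (PERSISTENT, TRANSIENT, None):
        print(check_sp_against_idp(IDP_METADATA, fmt))
```

Two caveats when using a check like this against real federation metadata: the NameIDFormat element is optional, so an empty list means "unknown" rather than "unsupported", and switching the SP to transient (or omitting the policy) only fixes the login. A transient NameID changes on every session, so a stable account key then has to come from a released attribute such as eduPersonPrincipalName or the REFEDS pairwise-id, which is a separate attribute-release negotiation with each IdP.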

  8. IRIS IAM Demo Video

  9. Phases to Production
  • Provide documentation to IRIS services, detailing the steps to register with the IAM
  • On-board IRIS services
    • This includes both standard OAuth connections and investigating more specific use cases, such as access via SSH for DiRAC
  • Configure groups within the IAM to handle authz
    • This is to be refined with the planned IAM 2.0

  10. Next Steps
  • Move the installation to IAM v1.5.0 when released
  • Finalise documentation for administration and service configuration
  • Ongoing work to support AuthN/AuthZ with other IRIS services
    • Starting with Dynafed and MISP, which will involve utilising the IAM's CLI flows
  • Develop group configuration within the IAM for AuthZ
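The "CLI flows" mentioned above are not named on the slides; the standard browserless OAuth 2.0 flow for command-line clients is the device authorization grant (RFC 8628), and the following added example (not INDIGO IAM's or the IRIS project's code) simulates it end to end with both sides in one process: the CLI obtains a device code and user code, shows the user code, the user approves it in a browser session, and the CLI polls the token endpoint with the back-off the RFC requires. The authorization server is a minimal in-memory stand-in, and the client ID, scope, user names and verification URI are made up for the example.

```python
"""OAuth 2.0 device authorization grant (RFC 8628), both sides simulated in-process.

Added example for the "CLI flows" item in slide 10; not INDIGO IAM's or the
IRIS project's code. The device grant is assumed because the slides do not
name the flow. Client ID, scope, subjects and URIs are constructed.
"""
import secrets
from typing import Dict, Optional


class DeviceAuthorizationServer:
    """Minimal AS: issues device/user code pairs, is polled by the CLI, and
    releases a token only after the user has approved the code in a browser."""

    def __init__(self, interval: int = 5, lifetime: int = 600,
                 verification_uri: str = "https://as.example.org/device"):
        self.interval = interval          # minimum seconds between polls
        self.lifetime = lifetime          # seconds a device_code stays valid
        self.verification_uri = verification_uri
        self._pending: Dict[str, dict] = {}  # device_code -> state

    def device_authorization(self, client_id: str, scope: str, now: float) -> dict:
        """Step 1: the CLI asks for a code pair (RFC 8628 section 3.2 response)."""
        device_code = secrets.token_urlsafe(32)   # high entropy, never shown to the user
        user_code = f"{secrets.token_hex(2).upper()}-{secrets.token_hex(2).upper()}"  # e.g. 3F2A-9C1B
        self._pending[device_code] = {
            "client_id": client_id, "scope": scope, "user_code": user_code,
            "expires": now + self.lifetime, "last_poll": now, "decision": None, "subject": None,
        }
        return {"device_code": device_code, "user_code": user_code,
                "verification_uri": self.verification_uri,
                "expires_in": self.lifetime, "interval": self.interval}

    def approve(self, user_code: str, subject: str, allow: bool) -> bool:
        """Step 2 (out of band): the user, logged in through the browser, enters the user code."""
        for state in self._pending.values():
            if state["user_code"] == user_code and state["decision"] is None:
                state["decision"], state["subject"] = allow, subject
                return True
        return False

    def token(self, device_code: str, client_id: str, now: float) -> dict:
        """Step 3: the CLI polls the token endpoint with grant_type
        urn:ietf:params:oauth:grant-type:device_code; error codes follow section 3.5."""
        state = self._pending.get(device_code)
        if state is None or state["client_id"] != client_id:
            return {"error": "invalid_grant"}
        if now > state["expires"]:
            del self._pending[device_code]
            return {"error": "expired_token"}
        if now - state["last_poll"] < self.interval:
            return {"error": "slow_down"}
        state["last_poll"] = now
        if state["decision"] is None:
            return {"error": "authorization_pending"}
        del self._pending[device_code]          # approval and denial are both terminal
        if not state["decision"]:
            return {"error": "access_denied"}
        return {"access_token": secrets.token_urlsafe(32), "token_type": "Bearer",
                "expires_in": 3600, "scope": state["scope"]}


class FakeClock:
    """Deterministic clock so the polling loop runs instantly and reproducibly."""

    def __init__(self, start: float = 1000.0):
        self.t = start

    def now(self) -> float:
        return self.t

    def sleep(self, seconds: float) -> None:
        self.t += seconds


def cli_login(server: DeviceAuthorizationServer, client_id: str, scope: str, clock: FakeClock,
              approve_on_poll: Optional[int] = None, subject: str = "alice") -> dict:
    """The CLI side: obtain codes, show them to the user, poll with back-off until a token arrives.

    approve_on_poll simulates the user finishing the browser step just before that poll;
    in a real deployment the approval happens out of band and the loop simply keeps polling."""
    grant = server.device_authorization(client_id, scope, now=clock.now())
    print(f"Open {grant['verification_uri']} and enter code {grant['user_code']}")
    interval, polls = grant["interval"], 0
    while True:
        clock.sleep(interval)
        if approve_on_poll is not None and polls == approve_on_poll:
            server.approve(grant["user_code"], subject, allow=True)
        result = server.token(grant["device_code"], client_id, now=clock.now())
        polls += 1
        if "error" not in result:
            return result
        if result["error"] == "slow_down":
            interval += 5                       # section 3.5: add 5 seconds and keep polling
        elif result["error"] != "authorization_pending":
            raise RuntimeError(f"device flow failed: {result['error']}")


if __name__ == "__main__":
    print(cli_login(DeviceAuthorizationServer(), "iris-cli-tool", "openid profile",
                    FakeClock(), approve_on_poll=2))
```

The security-relevant points are in the server: the device code is the only credential the CLI holds and is never displayed, the short user code is the only thing the user types, and the user code is bound to an already-authenticated browser session rather than carrying any authority itself. A service onboarding a CLI client should also confirm that the token endpoint enforces the polling interval (the slow_down path above) and that both approval and denial invalidate the device code, so a leaked code cannot be replayed.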

  11. Thanks for listening Any questions?
