Understand how IRIS collaborates with partners to provide hardware for scientific activities, utilizing INDIGO IAM for group management and authorization across services. Explore challenges and progress in deployment, such as the NameID format and AUP formatting issues, and upcoming plans for IAM v1.5.0 integration and service onboarding. Stay informed about IRIS's efforts to support AuthN/Z with various services and its Trust Framework digital asset.
Identity Management for IRIS
Thomas Dack, Science and Technology Facilities Council
But what is IRIS?
• A coordinating body for the provision of STFC eInfrastructure
• A collaboration between STFC, its eInfrastructure providers, and science activity representatives
• IRIS does not provide computing services directly to users
  • It has no means to do so: it is not a computing project
  • Instead, it funds partners, and others, to provide hardware to meet the needs of user activities
• Identity management is required for IRIS resources to function as a coherent infrastructure
IRIS Partner Examples
• IRIS Science Activity examples:
  • The Diamond Light Source
  • The ISIS Neutron Source
  • The Central Laser Facility
  • The LHC and its experiments (ATLAS, CMS, LHCb, ALICE)
  • The Square Kilometre Array
  • The LIGO Gravitational Wave detector
  • The Cherenkov Telescope Array
  • The DUNE and HyperK neutrino and other particle physics experiments
• IRIS Provider Entity examples:
  • STFC Scientific Computing Department
  • STFC Hartree Centre
  • STFC Ada Lovelace Centre
  • DiRAC
  • GridPP
  • The DLS Computing Department
  • CCFE computing
The IRIS Identity Project
• Funded as an IRIS digital asset
• INDIGO IAM selected for use due to existing capabilities and support
• Aims of the IRIS IAM:
  • Provide users with a consistent authorization experience across IRIS services
  • Provide group management capability for the various science communities
IRIS IAM Deployment & Config
• Hosted at: https://iris-iam.stfc.ac.uk
• INDIGO IAM v1.5.0.rc6-SNAPSHOT deployed via Docker
  • This is a pre-release version, used to work around an issue in the v1.4.0 stable release
• Hosted on a virtual machine managed by the RAL Tier 1
  • Has its own ticketing queue within the Tier 1
  • Monitoring of host and service health via Icinga
• Backend DB managed by SCD Database Services
Challenges and Issues
• NameID format
  • Default NameID policy in IAM v1.4.0 is “persistent”
  • This is not supported by many IdPs – including STFC’s
• AUP formatting
  • Currently the AUP is stored as a single line of text with no newline/formatting support
  • Due to be changed in IAM v1.5.0
  • Currently set up to be as readable as possible (shown at right)
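The NameID issue above is a metadata question: an SP (here, IAM) requests a NameID policy, and the IdP either advertises that format in its SAML metadata or the login fails. The following is an added example, not code from the IRIS project or from INDIGO IAM, showing how an operator can check an IdP's metadata for its advertised NameIDFormat values before pointing IAM at it. The metadata document embedded below is a constructed sample of an IdP that, like the ones described on the slide, does not offer "persistent".

```python
"""Check which SAML NameID formats an IdP advertises in its metadata.

Added example, not from the IRIS slides or INDIGO IAM. IAM v1.4.0 defaults
to the "persistent" NameID policy, which many IdPs reject. This script
parses SAML 2.0 IdP metadata, lists the <md:NameIDFormat> values under the
IDPSSODescriptor, and reports whether a requested policy would be honoured
and which advertised format is the least demanding fallback.
"""
import xml.etree.ElementTree as ET

NS = {"md": "urn:oasis:names:tc:SAML:2.0:metadata"}

NAMEID_PERSISTENT = "urn:oasis:names:tc:SAML:2.0:nameid-format:persistent"
NAMEID_TRANSIENT = "urn:oasis:names:tc:SAML:2.0:nameid-format:transient"
NAMEID_UNSPECIFIED = "urn:oasis:names:tc:SAML:1.1:nameid-format:unspecified"

# Constructed sample metadata (not a real IdP): only transient/unspecified.
SAMPLE_IDP_METADATA = """<?xml version="1.0"?>
<md:EntityDescriptor xmlns:md="urn:oasis:names:tc:SAML:2.0:metadata"
    entityID="https://idp.example.org/idp/shibboleth">
  <md:IDPSSODescriptor protocolSupportEnumeration="urn:oasis:names:tc:SAML:2.0:protocol">
    <md:NameIDFormat>urn:oasis:names:tc:SAML:2.0:nameid-format:transient</md:NameIDFormat>
    <md:NameIDFormat>urn:oasis:names:tc:SAML:1.1:nameid-format:unspecified</md:NameIDFormat>
    <md:SingleSignOnService
        Binding="urn:oasis:names:tc:SAML:2.0:bindings:HTTP-Redirect"
        Location="https://idp.example.org/idp/profile/SAML2/Redirect/SSO"/>
  </md:IDPSSODescriptor>
</md:EntityDescriptor>
"""


def supported_nameid_formats(metadata_xml: str) -> list:
    """Return the NameID formats listed under every IDPSSODescriptor.

    The search is a descendant search, so it also works on an
    EntitiesDescriptor aggregate such as a federation metadata feed.
    """
    root = ET.fromstring(metadata_xml)
    return [
        el.text.strip()
        for el in root.iterfind(".//md:IDPSSODescriptor/md:NameIDFormat", NS)
        if el.text
    ]


def check_nameid_policy(metadata_xml: str, requested: str) -> dict:
    """Report whether `requested` is advertised and which fallback to use.

    An IdP that lists no NameIDFormat at all has made no commitment either
    way, so that case is reported as "unknown" rather than a hard failure.
    """
    formats = supported_nameid_formats(metadata_xml)
    if not formats:
        return {"requested": requested, "status": "unknown",
                "supported": [], "fallback": None}
    if requested in formats:
        return {"requested": requested, "status": "supported",
                "supported": formats, "fallback": None}
    # Prefer transient, then unspecified, as the least demanding alternatives;
    # otherwise fall back to whatever the IdP lists first.
    fallback = next(
        (f for f in (NAMEID_TRANSIENT, NAMEID_UNSPECIFIED) if f in formats),
        formats[0],
    )
    return {"requested": requested, "status": "unsupported",
            "supported": formats, "fallback": fallback}


if __name__ == "__main__":
    print(check_nameid_policy(SAMPLE_IDP_METADATA, NAMEID_PERSISTENT))
```

Run against a real IdP by passing the text of its published metadata instead of the sample; when the result is "unsupported", the reported fallback is the policy to configure on the SP side until the IdP (or, as on the slide, the IAM release) changes.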
Current Status
• Recently registered as a service provider within the UK Access Management Federation
  • Registration and authentication with eduGAIN now in use
  • Asserting SIRTFI, R&S and Code of Conduct
  • IAM v1.4.0 has an issue with its default NameID policy, meaning most UK IdPs fail. This is fixed in v1.5.0, provisionally due Sept.
• Configured as an auth option for the STFC OpenStack cloud
• Policy work – draft Privacy and Acceptable Usage Policies in place and hosted alongside IAM
  • Completed as part of the IRIS Trust Framework digital asset
Phases to Production
• Provide documentation to IRIS services, detailing the steps to register with IAM
• On-board IRIS services
  • This includes both standard OAuth connections and investigating more specific use cases – such as via SSH for DiRAC
• Configure groups within IAM to handle authz
  • This is to be refined with the planned IAM 2.0
Next Steps
• Move the installation to IAM v1.5.0 when released
• Finalise documentation for administration and service configuration
• Ongoing work to support AuthN/Z with other IRIS services
  • Starting with Dynafed and MISP – this will involve utilising IAM’s CLI flows
• Develop group configuration within IAM for AuthZ
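The two slides above both end with the same step: IAM holds the group memberships, and each on-boarded service decides what a group is allowed to do. The following is an added example, not code from the IRIS project or INDIGO IAM, of the service-side half of that arrangement. It assumes the service's OIDC library has already validated the token signature and audience and hands over the claims as a dictionary; the claim name "groups" (a list of IAM group names), the group names, and the resource/action policy are assumptions constructed for illustration. The issuer URL is the IAM address given on the deployment slide.

```python
"""Group-based authorization for a service on-boarded to the IRIS IAM.

Added example, not from the IRIS project or INDIGO IAM. Signature and
audience validation are assumed to have been done by the OIDC library that
received the token; this module takes the resulting claims and applies a
default-deny, group-based policy. Claim name, group names and the policy
table are constructed assumptions.
"""
import time
from typing import Optional, Tuple

IRIS_IAM_ISSUER = "https://iris-iam.stfc.ac.uk"   # from the deployment slide

# Constructed policy: for each (resource, action), membership in any one of
# the listed IAM groups is sufficient. Anything not listed is denied.
POLICY = {
    ("dynafed", "read"):  {"iris/dynafed/users", "iris/dynafed/admins"},
    ("dynafed", "write"): {"iris/dynafed/admins"},
    ("misp", "read"):     {"iris/misp/analysts", "iris/misp/admins"},
    ("misp", "admin"):    {"iris/misp/admins"},
}


class AuthzError(Exception):
    """Token-level rejection; the message is safe to write to the audit log."""


def check_token_basics(claims: dict, now: Optional[float] = None) -> None:
    """Reject tokens not issued by the IRIS IAM or already expired."""
    now = time.time() if now is None else now
    if claims.get("iss") != IRIS_IAM_ISSUER:
        raise AuthzError("token not issued by the IRIS IAM")
    exp = claims.get("exp")
    if not isinstance(exp, (int, float)) or exp <= now:
        raise AuthzError("token expired or has no exp claim")


def groups_from_claims(claims: dict) -> set:
    """Normalise the (assumed) 'groups' claim to a set of names.

    A missing or malformed claim, e.g. because the client did not request
    the scope that releases it, yields an empty set: no membership, not a
    crash and not an implicit grant.
    """
    groups = claims.get("groups")
    if not isinstance(groups, list) or not all(isinstance(g, str) for g in groups):
        return set()
    return {g.strip("/") for g in groups if g.strip("/")}


def authorize(claims: dict, resource: str, action: str,
              now: Optional[float] = None) -> Tuple[bool, str]:
    """Decide one request. Returns (allowed, reason) and never raises, so the
    caller can log the reason and answer 401/403 without leaking detail."""
    try:
        check_token_basics(claims, now)
    except AuthzError as err:
        return False, str(err)
    allowed = POLICY.get((resource, action))
    if allowed is None:
        return False, f"no policy for {resource}:{action} (default deny)"
    held = groups_from_claims(claims)
    if not held:
        return False, "token carries no groups claim"
    matched = held & allowed
    if matched:
        return True, "granted via group " + sorted(matched)[0]
    return False, f"requires one of {sorted(allowed)}"


if __name__ == "__main__":
    # Constructed sample claims, as an OIDC library might return them.
    sample_claims = {
        "iss": IRIS_IAM_ISSUER,
        "sub": "constructed-user-id",
        "exp": int(time.time()) + 600,
        "groups": ["/iris/dynafed/users"],
    }
    for res, act in (("dynafed", "read"), ("dynafed", "write"), ("misp", "read")):
        print(res, act, authorize(sample_claims, res, act))
```

Keeping the policy table in the service rather than in IAM keeps IAM's job to membership only, which is the split the slides describe; the service still refuses anything it has no explicit rule for, and treats an absent groups claim as "no groups" rather than as an error the client could exploit.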
Thanks for listening
Any questions?