Federated Identity Access Management
Connected by global research networks and federation, colleges and universities around the world often join together to share data and resources, provide access to specialized computing, and collaborate in their mission to support research and scholarship. “While individual institutions and research labs may compete for resources, faculty, and students, we find common ground in our commitment to drive research and innovation that benefits society and humankind,” says Tom Barton, Senior Consultant for Cybersecurity and Data Privacy, University of Chicago. “I refer to this shared mission as The Academy, where we can connect freely and trust one another to share information as we search for solutions to common, worldwide problems. Federated identity and access management (IAM) enables use of cyberinfrastructure by researchers to collaborate across campuses and countries.”
Access to Shared Services & Data
Providing secure and easy access to data, intellectual property, instruments, analytical tools, and computation can be accomplished with identity federation. To securely share information and resources, federated IAM allows research participants to collaborate with their colleagues, whether they’re in the same institution or in another part of the world. “An identity federation—also referred to as federated identity or federated access—provides a common platform or global infrastructure that allows an institution to extend their campus authentication to services operated by another organization,” explains Barton. “Identity federations occur in over seventy countries, enabling data and resource sharing and high performance computing (HPC)—providing a great value to research and scholarly collaboration.”
To enable institutions to form an identity federation that gives users access to shared services and data for a particular project, a federation operator registers identity providers and service providers. Organizations can then share resources without giving each individual a user name and password for every application. “Faculty, researchers, and students use their home credentials and that identity is federated using the platform,” says Barton. Federation technologies and platforms let users present the same credential to access systems, networks, or data across different organizations. The two main types of use for federated access technology are enterprise and research. “Enterprise use is all about providing services to campus, while research use focuses on providing access to collaborators of various research projects,” says Barton.
A System of Trust
Providing researchers and educators with seamless access to academic collaboration and cloud services allows them to tap into a worldwide source of information and insight. The InCommon® Federation provides higher education and their commercial and non-profit partners with a common trust framework for secure single sign-on access to online resources and cloud-based services. As a gateway to global research collaborations, InCommon helps over 1,000 educational institutions and organizations to interconnect in new and exciting ways.
The shared services model created by federations can help remove barriers and open the door to unique collaborative opportunities, but like any endeavor, challenges can arise. “When discussing shared services, there are a couple things to keep in mind,” says Barton. “First, are they necessary? Creating a federation to unite organizations for research and scholarly use, for example, is a good reason for shared services. Second, you must establish trust among individuals and institutions, and this is not always easy. If organizations don’t trust the concept or each other, they will not use the federation. In addition, if outsourcing services to the Cloud, trying to put predictability around the cost can also be difficult. Plus, commercial providers are not part of The Academy, and do not typically share in the mission to forward research and scholarship. These are the biggest issues I find in operating these global infrastructures where the change management problem is across dozens of countries and thousands of organizations.”
Putting the Access Management in Federated IAM
Barton led a development project for several years that created Grouper, a solution that simplifies access management and allows users to set up groups, roles, and permissions for a variety of purposes. “We were inspired to develop Grouper because there wasn’t a solution available in the enterprise access management space that could match the environment and number of roles that research universities and other complex organizations require,” explains Barton. “Grouper is now used all over the world and integrates with almost any access management infrastructure. This tool can help manage group access to resources, displaying different features to users based on their group membership.”
An integrated identity and access management platform known as CILogon was designed to help address the federated access management needs of research projects by enabling researchers to log on to cyberinfrastructure. As a research and scholarship service provider in the InCommon federation, CILogon supports over 4,000 identity providers worldwide and combines federated identity management with collaborative organization management. “Led by Jim Basney, Principal Research Scientist, National Center for Supercomputing Applications (NCSA), CILogon is a Swiss army knife that helps address the diverse needs of research projects,” explains Barton. “Researchers often need access to specialized HPC centers, telescopes, or gravitational-wave observatories, for example. Embedding these resources in identity federations is rather complicated, but CILogon acts as an adapter or proxy. This solution brings federated access to these environments and identifies and solves the right problems.”
Extending the Reach of Research
Organizations like the Eastern Regional Network (ERN) are helping to advance research and education by enabling resource sharing and creating a network for collaboration. Their mission is to provide layered and transparent access to shared data, computing, testbeds, and other core facilities for research projects at a wide variety of campuses, large and small. “Dr. Forough Ghahramani at Edge is quite a presence at the ERN, and has helped raise awareness about the importance of expanding the reach of research resources to more institutions,” shares Barton. “Getting the most mileage out of the resources we have across all of our organizations will help advance research and scholarship and broaden the depth of discovery. I think the ERN will take the idea of federation and add even more dimensions beyond identity and access, expanding the collaboration opportunities between a greater number of institutions, research facilities, and organizations.”
As a community-designed identity and access management platform for education and research, InCommon connects people with the services and tools they need to conduct collaborative research. “InCommon allows us, as a community, to come together and offer a flexible way of securely providing access to services,” says Ann West, Associate Vice President, Trust & Identity, Internet2. “Sometimes anonymous access is appropriate, as with some library services. A research collaboration, however, needs to know some basic information about the individual. InCommon’s Identity and Access Management technologies provide a single sign-on gateway to local services, cloud services, and shared services around the world.”
InCommon grew out of Internet2’s work in trusted access to resources, which has been underway since 1998. “The Internet2 community initially came together to establish a network; then later, as a natural outgrowth of that network, found a way for small groups to share services,” explains West. “Our first use cases fell into three areas: library access, research access, and access to Software as a Service (SaaS). While the terms ‘SaaS’ and ‘cloud computing’ didn’t exist at the time, it was the same concept. We knew research collaborations had services they wanted to make available to others in many organizations. Internet2 designed a mechanism that enabled the researcher to access federation-approved services using a policy that was approved by the community and fell under our research and scholarship definition. This allows for approved access to services without the need for IT intervention.”
“NIH contacted us about making access to their services easier for researchers. InCommon has a program to help with that.” West continues, “We reviewed their request per our policy and assigned a ‘Research and Scholarship’ (R&S) tag to their services in our registry. When a researcher from an R&S participating institution clicks on the service, they now get instant federated single sign-on access to all R&S approved services (including NIH’s services) without the need for IT to intervene.”
Seamless Access to Research
The InCommon Federation is designed to seamlessly integrate federated policies with an institution’s local policies. “Our approach is to provide as much leeway to the local organization as possible, so an individual campus can decide on the technology to run for authentication,” explains West. “The federation provides the policy and standard communications mechanism for members. Let’s use multi-factor authentication (MFA) as an example. A researcher submitting a grant to the NIH uses the electronic research administration (eRA) portal, which soon will require MFA. Behind the scenes, NIH uses a federation standard, the REFEDS MFA Profile, to signal to the university the need for authentication with a second factor. After logging in with MFA, the researcher is passed back to NIH to do their work, providing a pretty seamless process for the researcher.”
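To make that signalling concrete, here is an added example (not code from InCommon, NIH or the authors of this piece) of the service-provider side of the exchange: the SAML AuthnRequest that asks the campus identity provider for the REFEDS MFA profile, and the check the service provider should apply to the returned assertion before treating the login as multi-factor. The entity IDs, URLs and both sample assertions are constructed, and signature validation of the assertion is assumed to have been done already by the SP's SAML library.

```python
"""Service-provider side of a REFEDS MFA request and its verification.

Added example; not part of the original article. The REFEDS MFA profile URI
and the SAML namespaces are the real standard values; everything else is a
constructed stand-in. The assertion's XML signature is assumed to have been
validated already by the SP's SAML stack before mfa_satisfied() is called.
"""
import xml.etree.ElementTree as ET

REFEDS_MFA = "https://refeds.org/profile/mfa"          # REFEDS MFA profile identifier
PASSWORD_ONLY = "urn:oasis:names:tc:SAML:2.0:ac:classes:PasswordProtectedTransport"
SAML2 = "urn:oasis:names:tc:SAML:2.0:assertion"
SAMLP = "urn:oasis:names:tc:SAML:2.0:protocol"
NS = {"saml": SAML2, "samlp": SAMLP}


def build_authn_request(sp_entity_id: str, acs_url: str, request_id: str) -> str:
    """Build the AuthnRequest an SP sends to ask for the REFEDS MFA context.

    Comparison="exact" means the IdP must satisfy this specific profile rather
    than something it considers 'at least as strong'.
    """
    ET.register_namespace("samlp", SAMLP)
    ET.register_namespace("saml", SAML2)
    req = ET.Element(f"{{{SAMLP}}}AuthnRequest", {
        "ID": request_id,
        "Version": "2.0",
        "AssertionConsumerServiceURL": acs_url,
    })
    ET.SubElement(req, f"{{{SAML2}}}Issuer").text = sp_entity_id
    rac = ET.SubElement(req, f"{{{SAMLP}}}RequestedAuthnContext", {"Comparison": "exact"})
    ET.SubElement(rac, f"{{{SAML2}}}AuthnContextClassRef").text = REFEDS_MFA
    return ET.tostring(req, encoding="unicode")


def mfa_satisfied(assertion_xml: str) -> bool:
    """True only if an AuthnStatement in the assertion asserts the REFEDS MFA context.

    An assertion that carries a different class (e.g. password only) or no
    AuthnContextClassRef at all must be treated as single-factor.
    """
    root = ET.fromstring(assertion_xml)
    refs = root.findall(
        "./saml:AuthnStatement/saml:AuthnContext/saml:AuthnContextClassRef", NS)
    return any((ref.text or "").strip() == REFEDS_MFA for ref in refs)


def _sample_assertion(context_class: str) -> str:
    """Constructed sample assertion (unsigned, for illustration only)."""
    return (
        f'<saml:Assertion xmlns:saml="{SAML2}" ID="_a1" Version="2.0" '
        f'IssueInstant="2024-01-01T00:00:00Z">'
        f"<saml:Issuer>https://idp.example.edu/idp/shibboleth</saml:Issuer>"
        f'<saml:AuthnStatement AuthnInstant="2024-01-01T00:00:00Z">'
        f"<saml:AuthnContext><saml:AuthnContextClassRef>{context_class}"
        f"</saml:AuthnContextClassRef></saml:AuthnContext>"
        f"</saml:AuthnStatement></saml:Assertion>"
    )


MFA_ASSERTION = _sample_assertion(REFEDS_MFA)        # constructed: IdP did MFA
PASSWORD_ASSERTION = _sample_assertion(PASSWORD_ONLY)  # constructed: password only
```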
Active Community Involvement
InCommon is governed by the InCommon Steering Committee, consisting of members from participating institutions. Two key advisory groups, the InCommon Technical Advisory Committee (TAC) and the Community Trust and Assurance Board (CTAB), provide technical and policy recommendations. CTAB, for example, has led the community to adopt Baseline Expectations for Trust in Federation, which call for adherence to policies that improve both security and interoperability.
InCommon advisory groups have the ability to charter working groups, which coalesce around a topic or unit of work that needs to be accomplished. This approach is unique in comparison to other solution providers, tapping the community to determine software and service specifications, recommended practices, and requirements.
“The working groups are our community engine that makes this all go,” says West. “InCommon convenes more than 150 people every month. Our services are heavily informed by community requirements and needs, and we use working groups’ recommendations and insight to determine how to keep the InCommon platform evolving in a positive way.”
InCommon also plays a key role in convening the international community. Since collaboration services and tools are hosted around the world, federation now knows no borders. “Every year, we host a conference where people from our international community come together and build an agenda onsite,” shares West. “Attendees are predominantly technical architects who understand the business needs and research requirements and are interested in making InCommon work better for the community. This event is all about helping each other, because we all agree that driving progress within education and collaboration happens in an environment of trust. Our goal is to create an atmosphere of personal trust, levity, and fun, while delivering the most impact.”
A Community of Learning
To introduce new organizations to InCommon and provide ongoing education and support, the InCommon Academy offers workshops, conferences, and training. An event called InCommon BaseCAMP is designed for those new to identity management and to the InCommon Trusted Access Platform, a group of open-source identity-software components. “We will also be coming out with InCommon-specific federation training this year and launching a corporate program that will allow institutions, particularly smaller ones, to outsource all or part of their InCommon infrastructure to trusted partners,” shares West.
As a proponent for research and education regional networks like Edge, West says InCommon’s role in providing a community resource for identity and access management is a natural fit. “Having a suite of collaboration tools and the InCommon Federation in the middle is very beneficial to institutions and research organizations. We continue to look for ways that we can partner with regional networks to share services and provide their members with IAM resources and services.”
Born at the National Center for Supercomputing Applications in 2010, CILogon enables researchers to securely log on to cyberinfrastructure (CI) using their home organization identities. As a member of the InCommon federation, the CILogon Service supports over 4,000 identity providers, including GitHub, Google, ORCID, and campus identity providers. “Federated identity and access management enables research collaboration that spans departments, campuses, and multiple countries,” says Jim Basney, Principal Research Scientist, Cybersecurity Division, National Center for Supercomputing Applications, University of Illinois at Urbana-Champaign. “The federated logon allows campus researchers to access supercomputers and other cyberinfrastructure that is needed for their research. The role of CILogon is to aid the success of these research projects by providing seamless federated IAM, meaning researchers can log on with their existing campus credentials, rather than creating multiple user names and passwords.”
A person’s role and membership in a research project are managed consistently across the different cyberinfrastructure systems and services, so whether the researchers need Jupyter Notebooks, Wikis, data archives, or Secure Shell (SSH) to log into supercomputers, for example, separate accounts for each system are not required. “CILogon provides federated IAM as a service by running open-source software from the InCommon Trusted Access Platform,” explains Basney. “The software can often be complicated to operate, especially for smaller research projects. Since this platform is based in the Cloud, researchers do not have to run the software themselves; they can just plug into our platform, connect all their services, and manage the IAM for their project. Researchers get a plug-and-play solution that allows them to collaborate within a vast ecosystem of universities, colleges, and research institutions.”
CILogon grew out of an effort to support InCommon login to the National Science Foundation (NSF) TeraGrid project, an e-Science grid computing infrastructure combining resources at eleven partner sites. “Once creating the secure login capability was successful, we wanted to offer a service that could make federated login possible and easier for other cyberinfrastructures,” shares Basney. “From here, we first proposed the CILogon project and began our operations in 2010. Our focus in the beginning was supporting researchers logging in with their InCommon identity to get an X.509 certificate, which many cyberinfrastructures required for authentication at the time. Over the years, we’ve expanded the platform to support other types of cyberinfrastructure capabilities.”
In 2011, CILogon added OAuth support, a valuable benefit to researchers who wish to connect with science gateways. A year later, CILogon made the first connections with the Globus platform to enable researchers to connect their federated identities to the Globus service for data transfers between science DMZ nodes. “In 2013, we had our first connection with the Laser Interferometer Gravitational-Wave Observatory (LIGO), which detects and studies cosmic gravitational waves. We then celebrated a couple of large milestones in 2016, including going international with the InCommon Federation to connect with international identity providers and service providers. This was the year we also began our collaboration with the Spherical Cow Group, who are the lead developers of the COmanage software, which provides the collaboration management capability of CILogon. Last year, we added support for Grouper, another component of the InCommon Trusted Access Platform, and also joined the InCommon Catalyst Program, to better connect with the needs of the InCommon community.”
Supporting Research Success
CILogon combines federated identity management with collaborative organization management to provide an integrated open-source identity and access management platform for research collaborations. “Seamless IAM for researchers is the main goal of CILogon, so the minute someone in a research group joins a project, they can be productive right away,” explains Basney. “Collaboration organization management creates one simple enrollment process for a researcher to get access to all of the different applications and data services, rather than having to coordinate with various system administrators. We want to make it simple and straightforward for new members joining a project to bring fresh ideas and spark new research avenues right out of the gate.”
CILogon empowers researchers to self-organize and manage the roles for their collaboration, through custom enrollment forms for new members and group enrollment management forms for changing group memberships and roles in the collaboration. “Access to the applications, data, and other resources in the collaboration is often based on the researchers’ role in the collaboration, rather than their roles on campus,” says Basney. “For instance, access is based upon a person’s involvement with an NSF-funded grant, instead of the fact that he or she is in a specific department on a particular campus. In addition, CILogon gives the ability to distribute the responsibility for managing those attributes, groups, and policies across the collaboration, especially those spanning departments and campuses. Each professor can manage enrollment of his or her students and postdocs in their lab, rather than having one person responsible for enrolling everyone. The distributed control allows quick and seamless access to resources.”
Along with the benefits and convenience IAM brings to researchers, the service also helps the cyberinfrastructure engineers who are responsible for maintaining the security of the computing infrastructure that the research projects are using. “CI engineers do not need to worry about another password database or the strength of authentication,” says Basney. “Instead, they can rely on campus identity providers to follow good security practices, like multifactor authentication.”
New Collaboration Opportunities
As the software at the center of CILogon, COmanage operates the entire lifecycle of collaboration, including enrollment workflows and interfaces for managing attributes, groups, and roles for members of the research collaboration. “Beginning with onboarding, COmanage provides flexible and customizable enrollment flows to bring people and their federated identities onto the platform and creates a collaborative organization (CO),” explains Basney. “We build all of the CILogon service components on open-source software, and since COmanage is part of the InCommon Trusted Access Platform, the software has the whole InCommon community behind it. Plus, the COmanage team has a long history of working with research projects and understands the unique identity and access management needs of the research community.”
Operating federated IAM and collaboration management services on campus can often be challenging, especially with the complexity of the technology and the requirement to support a variety of use cases arising from different research collaborations. “Research and education networks (REN), like Edge, can partner with InCommon and play a valuable role in offering training and helping campuses adopt the Trusted Access Platform,” says Basney. “Also, organizations like the Campus Champions, Open Science Grid, Trusted CI, and XSEDE can help researchers securely connect to cyberinfrastructure, which introduces them to a whole new world of opportunity.”
Edge aims to lower the barrier to advanced cyberinfrastructure resources for research collaboration by participating in communities such as the ERN, supporting federated shared-services models, and facilitating the sharing of computational and data resources across the region, especially for smaller, less-resourced schools. To expand your connections with local, regional, and national research platforms, join the EdgeDiscovery community. Learn how at njedge.net/edge-discovery.
For more information about Identity and Access Management Services, visit: