Post on 20-Jan-2017
Implementing Federated Identity Across Our Science-as-a-Service Platform
Joe Stubbs, PhD
Texas Advanced Computing Center, University of Texas, Austin
Powering discoveries...
Hurricane Prediction: storm surge, flooding, evacuation routes, damage assessment, predicted path, impact areas.
Earthquake Prediction: predicting the frequency of damaging earthquakes in California for the latest Uniform California Earthquake Rupture Forecast (UCERF3).
A Link Between Alzheimer’s and Cancer: a computational systems biology approach found a link between Alzheimer’s and GBM, one of the most aggressive forms of brain cancer.
What Does TACC Do?
Mission: To enable discoveries that advance science and society through the application of advanced computing technologies.
● High performance computing (HPC)
● Cloud & high throughput computing
● Data intensive computing
● Visualization
● Software development & optimization
● Apps & APIs
● Life sciences
● Training & outreach
● Consulting & professional services
What Can Agave Do?
● Run application codes
  ○ your own or community provided codes
● ...on HPC, HTC, and cloud resources
  ○ your own, shared, or commercial systems
● ...and manage your data
  ○ reliable, multi-protocol, async data movement
● ...in a collaborative way
  ○ fine grain ACL for working securely with others
● ...from the web
  ○ webhooks, REST, JSON, CORS, OAuth2
● ...and remember how you did it
  ○ deep provenance, history, and reproducibility built in
An Identity Crisis
● Each portal maintains a separate database of users.
● Users have to be vetted manually each time.
● Users have to remember separate credentials.
● No single sign-on.
● No way to share platform assets (apps, jobs, metadata).
TACC Identity Service
● Create a central identity service for the entire center.
● Core of the service is WSO2 IS.
● Leverage campus identity providers.
Federated Identity Via InCommon
● Nearly 600 universities
● 200 government agencies and partners
● SAML-based trust fabric
Architecture
[Diagram: the TACC Identity Service (WSO2 IS) federates with InCommon, which connects it to the University IDPs. Each Discovery Portal is paired with its own Tenant APIM, which fronts the Agave APIs and the domain-specific applications.]
Identity Server and APIM
● Internal accounts mapped and managed by IS.
  ○ Self-service reconciliation, password management.
● SSO across web apps now possible.
● Implicit trust between IS <-> APIM.
● Clients use OAuth2 SAML Bearer Assertion.
  ○ Exchange SAML assertion for bearer token.
● Still working on the IS <-> InCommon trust.
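The "exchange SAML assertion for bearer token" step above is the OAuth2 SAML 2.0 Bearer Assertion grant (RFC 7522). The example below is added here and is not code from the slides, from WSO2, or from the Agave/TACC code base: it shows the client half (base64url-encode the assertion and POST it with the saml2-bearer grant type) and the checks the token endpoint must make before it mints a token (trusted issuer, bearer subject confirmation, validity window with clock skew, and audience bound to the token endpoint). The assertion, issuer, audience URL and client id are constructed sample values, and the XML signature check that a real IS/APIM performs is marked as assumed rather than implemented.

```python
"""Added example: both halves of an OAuth2 SAML 2.0 Bearer Assertion exchange (RFC 7522).
Not the slides' or the project's code; issuer/audience/client values are constructed."""
import base64
import datetime as dt
import xml.etree.ElementTree as ET
from urllib.parse import parse_qs, urlencode

SAML_BEARER_GRANT = "urn:ietf:params:oauth:grant-type:saml2-bearer"
BEARER_CM = "urn:oasis:names:tc:SAML:2.0:cm:bearer"
NS = {"saml": "urn:oasis:names:tc:SAML:2.0:assertion"}

# Constructed sample assertion. A real one from a campus IdP also carries an
# enveloped XML-DSig <Signature>, which is omitted here.
SAMPLE_ASSERTION = """<saml:Assertion xmlns:saml="urn:oasis:names:tc:SAML:2.0:assertion"
    ID="_constructed-1" IssueInstant="2016-03-01T12:00:00Z" Version="2.0">
  <saml:Issuer>https://idp.example.edu/idp/shibboleth</saml:Issuer>
  <saml:Subject>
    <saml:NameID>jdoe@example.edu</saml:NameID>
    <saml:SubjectConfirmation Method="urn:oasis:names:tc:SAML:2.0:cm:bearer"/>
  </saml:Subject>
  <saml:Conditions NotBefore="2016-03-01T11:59:00Z" NotOnOrAfter="2016-03-01T12:05:00Z">
    <saml:AudienceRestriction>
      <saml:Audience>https://apim.example.org/oauth2/token</saml:Audience>
    </saml:AudienceRestriction>
  </saml:Conditions>
</saml:Assertion>"""


def parse_ts(s):
    """Parse a SAML UTC timestamp (YYYY-MM-DDTHH:MM:SSZ) into an aware datetime."""
    return dt.datetime.strptime(s, "%Y-%m-%dT%H:%M:%SZ").replace(tzinfo=dt.timezone.utc)


def build_token_request(assertion_xml, client_id, scope="openid"):
    """Client side: base64url-encode the assertion (no padding, per RFC 7522)
    and return the application/x-www-form-urlencoded body for the token endpoint."""
    b64 = base64.urlsafe_b64encode(assertion_xml.encode()).decode().rstrip("=")
    return urlencode({"grant_type": SAML_BEARER_GRANT, "assertion": b64,
                      "client_id": client_id, "scope": scope})


def extract_assertion(body):
    """Server side: pull the assertion out of the form body; None for any other grant type."""
    params = parse_qs(body, strict_parsing=True)
    if params.get("grant_type") != [SAML_BEARER_GRANT]:
        return None
    return params.get("assertion", [None])[0]


def validate_bearer_assertion(b64_assertion, trusted_issuers, expected_audience, now,
                              skew=dt.timedelta(seconds=60)):
    """Server side: the RFC 7522 section 3 checks a token endpoint makes before
    issuing a bearer token. Returns (ok, reason, subject)."""
    padded = b64_assertion + "=" * (-len(b64_assertion) % 4)
    root = ET.fromstring(base64.urlsafe_b64decode(padded))
    issuer = root.findtext("saml:Issuer", namespaces=NS)
    if issuer not in trusted_issuers:
        return False, "untrusted issuer", None
    # ASSUMED: verification of the assertion's XML-DSig signature against the
    # issuer's federation metadata happens here in a real IS/APIM deployment.
    conf = root.find("saml:Subject/saml:SubjectConfirmation", NS)
    if conf is None or conf.get("Method") != BEARER_CM:
        return False, "not a bearer confirmation", None
    cond = root.find("saml:Conditions", NS)
    if cond is None:
        return False, "missing Conditions", None
    not_before, not_on_or_after = cond.get("NotBefore"), cond.get("NotOnOrAfter")
    if not_on_or_after is None or now >= parse_ts(not_on_or_after) + skew:
        return False, "assertion expired", None
    if not_before is not None and now + skew < parse_ts(not_before):
        return False, "assertion not yet valid", None
    audiences = [a.text for a in cond.findall("saml:AudienceRestriction/saml:Audience", NS)]
    if expected_audience not in audiences:
        return False, "audience mismatch", None
    subject = root.findtext("saml:Subject/saml:NameID", namespaces=NS)
    if not subject:
        return False, "missing subject", None
    return True, "ok", subject


if __name__ == "__main__":
    body = build_token_request(SAMPLE_ASSERTION, "portal-client")
    result = validate_bearer_assertion(extract_assertion(body),
                                       {"https://idp.example.edu/idp/shibboleth"},
                                       "https://apim.example.org/oauth2/token",
                                       parse_ts("2016-03-01T12:01:00Z"))
    print(result)
```

The audience check is the one that keeps an assertion minted for one tenant's APIM from being replayed against another's token endpoint, and the short NotOnOrAfter window plus bounded skew limits how long a leaked assertion stays exchangeable; both are independent of the signature check and worth asserting in tests of any real deployment.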
Status And Timeline
● In production with APIM.
● Working on InCommon membership and IS deployment.
● Goal is to be in prod with first tenant by summer 2016.
● New tenants will be built leveraging the TACC IS.
● Existing tenants will convert over time, if applicable.