university of chicago university of illinois indiana university university of iowa university of...
TRANSCRIPT
University of ChicagoUniversity of IllinoisIndiana UniversityUniversity of IowaUniversity of MarylandUniversity of MichiganMichigan State UniversityUniversity of MinnesotaUniversity of Nebraska-LincolnNorthwestern UniversityOhio State UniversityPennsylvania State UniversityPurdue UniversityRutgers UniversityUniversity of Wisconsin-Madison
Lowering Barriers for Distributed Service Integration
The Cloud Cookbook Project
By the CIC ID Management Research CI Working GroupPresenters: Keith Wessel, Mark Nye, Keith Brautigam
What is the CIC?
Founded in 1958, the Committee on Institutional Cooperation is an academic consortium of top-tier research universities, including members of the Big Ten Conference and the University of Chicago.
CIC members collaborate to advance their academic missions, generate unique opportunities for students and faculty, and serve the common good by sharing expertise, leveraging campus resources, and creating innovative programming.
The work of the CIC is carried out in two ways:
1) through targeted project partnerships that meet three primary criteria: addresses member university needs; creates new opportunities through the aggregation of resources; and would not be possible by a university acting alone; and 2) through communities of peers that meet together to address common issues, share best practices, and diffuse innovation throughout the network of universities.
Building Collaboration Infrastructure
PURPOSE
Why a Cloud Services Cookbook?
Lower cost and effort in federating with a cloud service.
Reduce need for schools to regularly consult for vendors.
Help vendors understand IAM in higher education.
Reduce duplicated efforts among CIC schools.
PROGRESS
The story so far …
The Cookbook is in the process of being
written Developing a recipe for success Integration template for federated cloud
services Best practices for cloud integration Complement to Internet2 NET+ initiative
PROCESS
The Cloud Cookbook is a consensus-driven project!
Thus far, we’ve …
Surveyed CIC schools on the experience of implementing various cloud services.
Combined survey results with common knowledge to create a document outline.
Documented best practices for identity providers as well as service providers.
Plan to produce both school- and vendor-facing documents.
FORMAT
What will the Cloud Services Cookbook look like?
“Do” and “don’t” best practice statements with concise explanations.
No verbose expositions and definitions; that content is already available elsewhere.
Where a recommendation isn't fully supported by all CIC schools, it will be included as a consideration instead of a definite do or don't.
TOPICS
High-level Cloud Cookbook Topics:
Authentication Identifiers Authorization Provisioning and Deprovisioning Trust Frameworks Operational Agility User Experience Policy and Compliance
best practice #1TRUST FRAMEWORKS
“If you want to scale, DO define a process for maintaining SAML Service Provider metadata.”
SAML is an accepted standard. If trust isn't an issue, allow for anonymous
services. Self-published SP metadata and email
exchanges don't scale well. Your best option is the use of a federation.
best practice #2TRUST AND OPERATIONAL AGILITY
“DO register SAML metadata with the InCommon Federation.”
Joining InCommon takes care of many best practices:
Leverages an existing trust framework. Provides for validated SAML and sound
operational practices. Ensures daily metadata refresh. Automatically handles certificate and endpoint
changes without service disruption. Automate security issues such as cert
revocation.
best practice #3IDENTIFIERS
“Re-defining attributes is painful, so DON’T call a Foo a Bar!”
Resist the temptation to force something you have into something you need.
In federated contexts, standard attribute definitions are important.
Carefully consider what's available before creating a new attribute.
If the available attributes won't do, create something new instead of misusing a known attribute.
best practice #4IDENTIFIERS
“CONSIDER the relationship between eduPersonPrincipalName
and mail.” It's hard to enroll for most cloud services without
a standard enterprise email address. University email environments aren't as well-
controlled as in the corporate world. Higher Ed email can be multi-valued, and often
is. Services want an identifier for three purposes:
unique ID, email address, and scope
best practice #5IDENTIFIERS
“DON'T be afraid of eduPersonTargetedID.”
Continues to identify a user, even when their
name or email address changes.
Might sound intimidating, but is simple to set up.
Requires a unique and unchanging identifier.
Because it's computed with a salt, it's opaque
but unique to the SP.
best practice #6AUTHORIZATION
To avoid trouble later …“DO authentication at the campus,
but authorize at the service.”
Remember, it's the SP's job to do authorization .
The IDP can make authorization decisions, but
this doesn't scale.
Service authorization changes are easier when
the SP is interpreting the identity data.
eduPersonEntitlement is an entitlement class,
not an authorization decision.
best practice #7PROVISIONING / DEPROVISIONING
“DO practice ‘defensive programming’
when setting up provisioning services.” Be warned! Vendor service provisioning docs are
often incomplete or inaccurate.
Campus should test error conditions and
unhandled failures and identify work-arounds.
Service reliability under load can fluctuate.
Schools need to plan for these issues.
CONCLUSION
We want your help!
You have an opportunity to shape the Cloud Cookbook Project. If you have feedback to share or you would like to get involved, please contact Keith, Keith, or Mark.
1819 South Neil Street, Suite D, Champaign, IL 61820-7271www.cic.net • 217.333.8475 • [email protected]
Preview the Cloud Cookbook working draft at:
https://carmenwiki.osu.edu/x/nLdCAg
This is a CIC project, and your feedback and input is welcome!
Keith Wessel - [email protected] Nye - [email protected]
Keith Brautigam - [email protected]