wso2con usa 2015: implementing sso across our science-as-a-service web and api stack at tacc

Implementing Federated Identity Across Our Science-as-a-Service Platform. Joe Stubbs, PhD, Texas Advanced Computing Center, University Of Texas, Austin

Upload: wso2-inc

Post on 20-Jan-2017


TRANSCRIPT

Implementing Federated Identity Across Our Science-as-a-Service Platform

Joe Stubbs, PhD

Texas Advanced Computing Center, University Of Texas, Austin

What is TACC?

“What starts here changes the world” “Powering discoveries that change the world”

Galaxy evolution modeled

Now we know why stars form

Powering discoveries...

Hurricane Prediction

Storm surge, flooding, evacuation routes, damage assessment, predicted path, impact areas.

Powering discoveries...

Earthquake Prediction

Predicting the frequency of damaging earthquakes in California for the latest Uniform California Earthquake Rupture Forecast (UCERF3)

Powering discoveries...

A Link Between Alzheimer’s and Cancer

Computational systems biology approach found a link between Alzheimer’s and GBM, one of the most aggressive forms of brain cancer.

What Does TACC Do?

Mission: To enable discoveries that advance science and society through the application of advanced computing technologies.

● High performance computing (HPC)
● Cloud & high throughput computing
● Data intensive computing
● Visualization
● Software development & optimization
● Apps & APIs
● Life sciences
● Training & outreach
● Consulting & professional services

From Command Line to the Web

What Can Agave Do?

● Run application codes
○ your own or community provided codes
● ...on HPC, HTC, and cloud resources
○ your own, shared, or commercial systems
● ...and manage your data
○ reliable, multi-protocol, async data movement
● ...in a collaborative way
○ fine grain ACL for working securely with others
● ...from the web
○ webhooks, rest, json, cors, oauth2
● ...and remember how you did it
○ deep provenance, history, and reproducibility built in

A Platform For Science Portals

A Proliferation of Portals

(Slide shows portal logos, including a drug discovery portal and EarthCube.)

An Identity Crisis

● Each portal maintains a separate database of users.
● Users have to be vetted manually each time.
● Users have to remember separate credentials.
● No single sign-on.
● No way to share platform assets (apps, jobs, metadata).

One Identity To Rule Them All

CAMPUS LOGIN:

TACC Identity Service

● Create central identity service for entire center.
● Core of the service is WSO2 IS.
● Leverage campus identity providers.

Federated Identity Via InCommon

Nearly 600 universities, 200 government agencies and partners.

SAML based trust fabric.

Architecture

(Architecture diagram; components recovered from the slide: University IDPs federated through InCommon; the TACC Identity Service (WSO2 IS); one Tenant APIM and one Discovery Portal per tenant; the Agave APIs; Domain-Specific Applications.)

Identity Server and APIM

● Internal accounts mapped and managed by IS.
○ Self-service reconciliation, password management.
● SSO across web apps now possible.
● Implicit trust between IS <-> APIM.
● Clients use OAuth2 SAML Bearer Assertion.
○ Exchange SAML assertion for bearer token.
● Still working on the IS <-> InCommon trust.
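The "exchange SAML assertion for bearer token" step above is the OAuth2 SAML 2.0 bearer assertion grant (RFC 7522). The following is an added example, not code from the talk, from TACC or from WSO2: it shows the request a client builds for the APIM token endpoint and the checks the token endpoint has to make on the assertion before it issues a bearer token (issuer, bearer confirmation, recipient, validity window, audience, replay). The assertion XML, the issuer URL, the token endpoint URL and the client id are constructed placeholders; signature verification against the IS certificate is the one check left out, because it needs an XML-DSig library.

```python
"""Added example: OAuth2 SAML2 bearer assertion exchange (RFC 7522), both sides.
All URLs, the client id and the assertion below are constructed placeholders."""

import base64
import datetime as dt
import xml.etree.ElementTree as ET
from urllib.parse import urlencode

SAML_NS = {"saml": "urn:oasis:names:tc:SAML:2.0:assertion"}
GRANT_TYPE = "urn:ietf:params:oauth:grant-type:saml2-bearer"
BEARER_METHOD = "urn:oasis:names:tc:SAML:2.0:cm:bearer"

# Constructed sample assertion. A real one is signed by the IdP (here WSO2 IS).
SAMPLE_ASSERTION = """<saml:Assertion xmlns:saml="urn:oasis:names:tc:SAML:2.0:assertion"
    ID="_example1" Version="2.0" IssueInstant="2016-06-01T12:00:00Z">
  <saml:Issuer>https://idp.example.org/samlsso</saml:Issuer>
  <saml:Subject>
    <saml:NameID>jdoe@example.edu</saml:NameID>
    <saml:SubjectConfirmation Method="urn:oasis:names:tc:SAML:2.0:cm:bearer">
      <saml:SubjectConfirmationData NotOnOrAfter="2016-06-01T12:05:00Z"
          Recipient="https://apim.example.org/token"/>
    </saml:SubjectConfirmation>
  </saml:Subject>
  <saml:Conditions NotBefore="2016-06-01T11:59:00Z" NotOnOrAfter="2016-06-01T12:05:00Z">
    <saml:AudienceRestriction>
      <saml:Audience>https://apim.example.org/token</saml:Audience>
    </saml:AudienceRestriction>
  </saml:Conditions>
</saml:Assertion>"""


def _parse_utc(ts):
    """SAML timestamps are UTC with a trailing Z."""
    return dt.datetime.strptime(ts, "%Y-%m-%dT%H:%M:%SZ").replace(tzinfo=dt.timezone.utc)


def build_token_request(assertion_xml, client_id, scope="PRODUCTION"):
    """Client side: the form body POSTed to the APIM token endpoint.
    RFC 7522 requires the assertion to be base64url-encoded (padding stripped)."""
    encoded = base64.urlsafe_b64encode(assertion_xml.encode()).rstrip(b"=").decode()
    return {"grant_type": GRANT_TYPE, "assertion": encoded,
            "client_id": client_id, "scope": scope}


def decode_assertion(param):
    """Server side: undo the base64url encoding, restoring padding first."""
    return base64.urlsafe_b64decode(param + "=" * (-len(param) % 4)).decode()


class AssertionValidator:
    """The checks a token endpoint makes before minting a bearer token.
    Uses stdlib ElementTree; a production service should parse with defusedxml
    and verify the XML signature with the IdP certificate before these checks."""

    def __init__(self, trusted_issuer, token_endpoint):
        self.trusted_issuer = trusted_issuer
        self.token_endpoint = token_endpoint
        self.seen_ids = set()  # assertion IDs already exchanged (replay protection)

    def validate(self, assertion_param, now):
        """Return (True, subject) on success or (False, reason) on failure."""
        root = ET.fromstring(decode_assertion(assertion_param))
        if root.findtext("saml:Issuer", namespaces=SAML_NS) != self.trusted_issuer:
            return False, "untrusted issuer"
        conf = root.find("saml:Subject/saml:SubjectConfirmation", SAML_NS)
        if conf is None or conf.get("Method") != BEARER_METHOD:
            return False, "not a bearer confirmation"
        data = conf.find("saml:SubjectConfirmationData", SAML_NS)
        if data is None or data.get("Recipient") != self.token_endpoint:
            return False, "recipient mismatch"
        if now >= _parse_utc(data.get("NotOnOrAfter")):
            return False, "subject confirmation expired"
        cond = root.find("saml:Conditions", SAML_NS)
        if cond is None:
            return False, "missing conditions"
        if now < _parse_utc(cond.get("NotBefore")) or now >= _parse_utc(cond.get("NotOnOrAfter")):
            return False, "outside validity window"
        audiences = [a.text for a in cond.findall("saml:AudienceRestriction/saml:Audience", SAML_NS)]
        if self.token_endpoint not in audiences:
            return False, "audience mismatch"
        assertion_id = root.get("ID")
        if assertion_id in self.seen_ids:
            return False, "replayed assertion"
        self.seen_ids.add(assertion_id)
        return True, root.findtext("saml:Subject/saml:NameID", namespaces=SAML_NS)


if __name__ == "__main__":
    req = build_token_request(SAMPLE_ASSERTION, "client-abc")
    print("POST /token body:", urlencode(req)[:80], "...")
    validator = AssertionValidator("https://idp.example.org/samlsso",
                                   "https://apim.example.org/token")
    print(validator.validate(req["assertion"], _parse_utc("2016-06-01T12:01:00Z")))
    print(validator.validate(req["assertion"], _parse_utc("2016-06-01T12:01:00Z")))
```

The replay set is per-process here; behind a load-balanced token endpoint it has to live in shared storage, and the short NotOnOrAfter window on the assertion is what bounds how long entries must be kept.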

Status And Timeline

● In production with APIM.
● Working on InCommon membership and IS deployment.
● Goal is to be in prod with first tenant by summer 2016.
● New tenants will be built leveraging the TACC IS.
● Existing tenants will convert over time, if applicable.