Working group task: Compile a summary of the current state of identity management solutions and the initiatives underway, identify the organizations and individuals engaged in developing solution approaches, identify gaps, and articulate technical guidance that would facilitate federation of current (perhaps fragmented) efforts.
Develop 1-3 draft statements that would be included in the declaration.
Link to Group List
Current Members:
Enol Fernandez
Alvaro Lopez Garcia
Klaas Wierenga
Hannah Short
Peter Solagna
Steven Zoppi
Nicholas Liampotis
Presentations from Boston Congress:
Presentation by Steven Zoppi
Presentation by Hannah Short
Notes from working meetings:
Pre-Boston Congress:
- Basic identity management capability is fairly well developed.
- Challenge is having policies, understandings and technical ability in place that allow for effective sharing.
- eduGAIN is used in Europe as a SAML/Shibboleth provider (works well for the INDIGO-DataCloud use case on top of OpenStack). Keystone and IdM are working well, but there are some technology and policy problems: what happens when a user leaves active use? Are the user's resources removed?
- Authorization and policies: how can a community apply a given policy for accessing the cloud? (In OpenStack, tenancy is at the project level, but a community may decide that its users can only access their own VMs.)
- It would be great to link Keystone to InCommon. If InCommon can do SAML v2 or OAuth, this should be feasible. (CERN has SAML v2, Kerberos and X.509 all running.)
- For CLI access, you need SAML-ECP extensions.
- Current Identity federation efforts:
- The REFEDS project (https://wiki.refeds.org/dashboard.action) is developing a set of trust policies for identity federation, covering matters such as the exchange of personal information. AARC (https://aarc-project.eu/) has developed SIRTFI (https://wiki.refeds.org/display/SIRTFI/SIRTFI+Home), the Security Incident Response for Federations framework, to provide a level of confidence in how incidents will be jointly handled.
- The technical implementation for OpenStack Identity Federation is largely a solved problem (https://wiki.geant.org/display/gn41sa7/Agenda, https://eventr.geant.org/events/2527). There are more problems to consider to improve the user experience (such as image sharing and consistent flavors).
- Status of OpenStack federation at http://www.slideshare.net/noggin143/20150924-rda-federationv1.
- Background video from CERN/Rackspace work at https://www.openstack.org/videos/video/hybrid-openstack-clouds-cern-research-project-aims-to-solve-federation-for-the-real-world.