Overview
Proposer

Mario Reale (GÉANT)

Area

STANDARDS & PROTOCOLS

Type of work

DEVELOPMENT

Output

PROTOTYPE  

History
Original proposal

While supporting new federations in setting up their infrastructures, IdPs and SPs,  generally speaking, we still do not have much automation in place. All is done, still very manually, and takes much time. Talking specifically of the SPs, both for the installation and configuration of the services themselves, and the required operations to federate them (i.e. make them fully functional SAML2 Service Providers), in order to be able to provide them in a federated (e.g.eduAGAIN) fashion, pretty much all is still left to manual set up. 

It would be useful to enhance the level of support we provide to them with the aim of quickly being able to deploy an initial set of services, the ones which could de-facto start to attract users towards the newly deployed federation infrastructure and the federated IdPs. 

The idea here is to propose  a new cycle of T&I incubator task activities aimed at the following tasks:

  1. Identifying an initial set of 2-3 services we’d like to promote as SPs to the new identity federations. (e.g.: Wiki, Moodle, Joomla, eduMEET, Filesender, ..)
  2. Design a solution based on automation, possibly using containers, or automated deployment tools like Ansible, Puppet (which we should aim at making easy for early services deployers), for the services we’d like to deploy. Or any script with the corresponding clear, easy to use documentation which would do as much of the initial installation and configuration work as possible, leaving to a minimum the amount of residual manual interventions required. 
  3. Define both technical and strategic roadmaps to ensure sustainability of these deployment solutions: how will they be upgraded/ported to new versions, which task, or permanent activity in the GN project, or the community could endorse the future work to keep the developed solution working also in future.

    This proposal is about using a full Incubator cycle  to develop an initial solution, work on it, and add some work to design in a clear way how things can be made sustainable after the T&I cycle would be over. 


More information on the proposal on https://docs.google.com/document/d/1pYN73FEbFApkPNAVgdbNIA1_87ekIEAt8HvzhhXkxrk/edit?usp=sharing  

It is noted some very similar requiremtents may serve Virtual Organisations. Arnount Terpstra from SURF writes:

"What I am basically looking for is a set of (fairly simple) "collaboration tools" which nearly every collaboration needs. (Since I am focusing on my service SURF Research Access Management (SRAM) which targets researchers, the type of collaborations I am dealing with are research collaborations, but of course such tools could be used by any type.) What do researchers / collaborations need regardless of which topic they are in? Some tool to do collaborative writing, to jointly make presentations, a date picker to plan meetings, a Wiki to keep meeting notes / documentation, etc. Most of such tools are already freely available (Google Docs, Doodle, etc.) but of course you pay with your privacy. Also, most institutions have something like Microsoft Office365 + Teams, but for some reason these tools are often inaccessible for people outside of their own institution. Thus: based on already available open source and privacy friendly tools, it would be nice to combine this with Mario's idea of making the deployment of these tools quick and easy such that different NRENs (or whoever) can (easily) offer it to their constituency. (BTW I recently stumbled upon this tool: Crypt Pad (https://cryptpad.fr/ for a hosted free demo), which seems to already contain 90%+ of the tools I'm thinking of. Maybe that's an option to start with?)
In my case, access management to these tools is or course handled by SRAM."



Description of the activity

With respect to the implementation of this, there are a numer of scenarios, basically automating deployment as proposed by Mario above, where the focus is on creating deployment and integration scipts, or an approache as suggested by Niels whic introduces a proxy to aggregate the servces and potentially simplyfy the deployment and integration of tools, however, increasing the complexity in a way, as new comonents are added. We have to describe these scenarios and weigth the imact in terms of technical complexity, maintainability, etc.

The list of high level activiteis is:

  • Describe scenarios and discuss with stakeholders
  • Make an inventory of relevant services we would like to include
  • Create proof of concept of at least one scenario and present to stakeholders
  • Develop proof of concept infor useable product.
Ownership & Utilisation

The following parties will use the results of this activity:

T&I Service
R&E Community
External Party


Results & Deliverables

The following results were created and delivered:

  • No labels

2 Comments

  1. I would like to aim for the functional capability you propose, but I propose a different technical solution. What you propose in part (2) of your propose with provisioning and configuring using Ansible or the likes is technically fully possible of cause. However, it is fairly brittle as it totally depends on both the state and quality of the AuthN and provisioning solution of the various SPs and on the other hand by the state of the federation and the capabiliteis of the FedOps. This confronts us with a multitude of platforms and configuration permutations we need to cater for. I would like to propose a solution where we reduce the implementation interfaces to 1: we deploy a proxy solution in front of the SPs to group them together (even of the number of SPs ==1)

    The fedop or VO then only needs to integrate the front end of the proxy into a federation, whereas the developers of the SPs only need to deal with the integration into the proxy. This significantly reduces the amount of things one needs to take into account and we can let the proxy do the heavy lifting in terms of protocol translation, attribute release and provisioning.

    I feel such a solution would not only make integration technically easier, it also make the solution more sustainable, and would more readily allow for community contributions of new services to the ecosystem.

    As an advanced feature I can even see we could have a GUI near the proxy where a fedops or VO manager would be able to select ready build apps for 'automagic' deployment. 

  2. A few more ideas for services:

    • MkDocs as (a kind of) Wiki?
    • Sympa for mailing lists
    • WordPress instead of Joomla?
    • ONLYOFFICE as a Google Docs alternative
    • Selected (Edu)VPN deployment variant
    • An additional email server? (beyond Sendmail; however, it is quite likely that there must be one already in place...)