NSF SDCI Bedrock Award

Background on the NSF SDCI Bedrock Award

Collaboration management platforms (CMPs) and services complete the basic vision of federated identity by adding components for effective and scalable access control and permission management. Together, attributes can be created, managed and transported to relying parties, which can then directly make decisions about users accessing resources.

CMPs are intended to provide consistent, scalable identity and access control information to both collaboration applications (including wikis, event and ad hoc calendaring, mailing list processors, etc.) and domain applications (including grids, shell-based services, science gateways and portals, etc.).

Such platforms are built by repackaging enterprise middleware, such as Shibboleth, Grouper, LDAP, etc. for use in virtual organizations. At this point, CMPs are typically built by assembling a coherent service from a variety of separate middleware and application servers, but a VM and a resulting cloud-based service are expected once the field is better understood.

While many of the core ideas for CMPs came from the US, other countries, most notably the Netherlands, Switzerland and Norway, have advanced the practice considerably. Several countries are planning a national-level collaboration service. (See, for example, SURFconext in the Netherlands at

The Internet2 middleware activity received a significant NSF OCI grant, beginning September 1, 2010 and ending August 31, 2015, called "Building from Bedrock: Infrastructure Improvements for Collaboration and Science." The intent of "Bedrock" was to enhance and package enterprise tools for CO (collaborative organization) use and work intensively with several major collaborations for deployment.

Bedrock focused on the identity management needs as well as the domestication and integration of applications for large and small VOs. Working with a variety of VOs, the work paved the way towards stronger collaborations and better science within the VO.

Harvesting the science content from LIGO data is a collaborative effort between instrumentalists, data analysts, modelers, and theorists. Efficient collaboration begins with scalable and robust identity management infrastructure that can easily be leveraged and integrated with the wide spectrum of tools LIGO scientists use to collaborate and analyze the LIGO data. Middleware from Internet2, including Shibboleth and Grouper, is enabling more LIGO science through easier collaboration and access to resources.
-- Scott Koranda, Senior Scientist at the University of Wisconsin-Milwaukee and lead architect of the LIGO Identity Management effort

Work ranged from international to local campus in scope, as the project team collaborated with federations around the world, such as the Netherlands' SURFnet and Japan's Gakunin, and with specific universities facing VO-like challenges, such as the University of Chicago. No matter the size or scope of the organization, problems of provisioning and deprovisioning identity and access management benefit from the Bedrock project.

Common use case:
Research groups from several notable institutions around the globe form a collaboration. As part of their normal cyberinfrastructure, each institution manages the identity of its own students and researchers, including authentication and attribute information and the local provisioning and deprovisioning of standard user accounts. But the collaboration is not housed under any one institution; it forms a separate "virtual" organization. The virtual organization wants to integrate information about the researchers from the member institutions with information and permissions specific to the collaboration. Administrators of the virtual organization are responsible for permissions to access research resources, managing group information that incorporates both research considerations and up-to-date institutional information. A single set of identity management services will in turn automatically populate, provision and control access to mailing lists, wiki space, groups, calendaring, videoconferencing and net meetings, and more, as well as to domain science applications. The integration of education and research is significantly improved: a researcher can grant permissions to research resources by class; students can use their usual local accounts to access remote resources; a student's permissions can begin as soon as they add the class; and a student's research permissions can be automatically deactivated if they disenroll from the class. Improved ease of use and enhanced security both result.

When a researcher or student leaves one of the associated institutions, and that institution deprovisions their account, that information will automatically feed back to the VO which will in turn automatically deprovision their access to the VO space.
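To make the use case concrete, here is an added toy model (not Bedrock, Grouper or Shibboleth code) of a VO deriving access from institutional attribute assertions combined with VO-managed groups, so that dropping a class or being deprovisioned at the home institution removes VO access with no manual VO-side work. Institution, user, group and resource names are constructed for the example.

```python
# Constructed toy model (not Bedrock/Grouper/Shibboleth code): home institutions
# assert attributes; the VO derives access from those plus its own groups.
from dataclasses import dataclass, field

@dataclass
class HomeInstitution:
    """Institutional IdP: owns accounts, asserts group-style attributes (isMemberOf)."""
    name: str
    users: dict = field(default_factory=dict)   # user -> set of asserted groups

    def provision(self, user, groups):
        self.users[user] = set(groups)

    def deprovision(self, user):
        self.users.pop(user, None)              # account removed: nothing asserted

    def assert_attributes(self, user):
        return self.users.get(user)             # None once the IdP stops vouching

@dataclass
class VirtualOrganization:
    institutions: dict                          # name -> HomeInstitution
    vo_groups: dict = field(default_factory=dict)  # VO group -> {(inst, user)}
    policy: dict = field(default_factory=dict)     # resource -> groups allowed

    def effective_groups(self, inst, user):
        asserted = self.institutions[inst].assert_attributes(user)
        if asserted is None:
            return set()                        # deprovisioned at home: no VO access
        local = {g for g, m in self.vo_groups.items() if (inst, user) in m}
        return asserted | local                 # institutional + VO-specific

    def can_access(self, inst, user, resource):
        return bool(self.effective_groups(inst, user) & self.policy.get(resource, set()))

def demo():
    uwm = HomeInstitution("uwm")
    vo = VirtualOrganization({"uwm": uwm})
    vo.policy = {"wiki": {"phys401", "ligo-members"}, "cluster": {"ligo-members"}}
    uwm.provision("student", {"phys401"})               # enrolled in the class
    uwm.provision("pi", {"faculty"})
    vo.vo_groups["ligo-members"] = {("uwm", "pi")}      # VO-managed grant
    r = [vo.can_access("uwm", "student", "wiki"),       # True, via class group
         vo.can_access("uwm", "student", "cluster")]    # False, class is not enough
    uwm.provision("student", set())                     # dropped the class
    r.append(vo.can_access("uwm", "student", "wiki"))   # False, access revoked
    r.append(vo.can_access("uwm", "pi", "cluster"))     # True, via VO group
    uwm.deprovision("pi")                               # left the institution
    r.append(vo.can_access("uwm", "pi", "cluster"))     # False, even with VO group
    return r
```

The last step is the security-relevant one: the VO-managed group entry still exists, but because the home institution no longer vouches for the account, the VO grants nothing.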

Participating VOs in the initial stages of Bedrock development included:

  • LIGO (The Laser Interferometer Gravitational-Wave Observatory) - the largest NSF funded physics project.
  • iPlant - the overarching cyberinfrastructure for the NSF Plant Biology Division within the Directorate for Biological Sciences.
  • The Internet Society (ISOC)
  • The Earth Science Women's Network (ESWN)
  • Project Bamboo - a multi-institutional, interdisciplinary, and inter-organizational effort that brought together researchers in arts and humanities, computer scientists, information scientists, librarians, and campus information technologists.

One of the additional possibilities of Bedrock is to set up a small service instance for Internet2 and/or InCommon. Beyond providing a collaboration service for those that might want it (several smaller NSF VOs have asked), it would provide critical feedback to the development processes within the grant.

See, particularly the mockups, to better understand the approach.

NOTE WELL: All Internet2 Activities are governed by the Internet2 Intellectual Property Framework.