InCommon and TIER: Better Together

Nov 03, 2016, by Nicholas Roy
Tags: InCommon, InCommon Federation, TIER, Trust & Identity, Trust and Identity in Education and Research

The TIER program and the InCommon suite of services—which form the national infrastructure for scalable identity transactions in support of research and education—are deeply linked in terms of their missions, mutual dependencies, and complementary investments of skill, time and resources. In this blog, I’ll share some highlights of just a few of the major ways that InCommon and TIER benefit each other and are highly connected.

For the past 18 months, InCommon has analyzed its operations, performed risk assessments and gap analyses against best practices, and put itself on a path to close these gaps. Many of the gaps indicate a need to adopt formal project planning, change management, DevOps and a sustainability model for software development. If we examine the initial community requirements for the TIER program, the direct relationships in the needs of TIER and InCommon become obvious. They are nearly a 1:1 mapping.

TIER services need an interoperable, secure and highly scalable platform on which to carry out the inter-institutional exchange of identity data. As a result, the InCommon Federation has been identified as one of the core TIER components, alongside Shibboleth, Grouper, COmanage and Scalable Consent. This interrelationship results in a strong correlation between TIER requirements and InCommon requirements for gap closure.

I sit on the TIER Component Architects group as a component architect for the federation. The federation is highly dependent on Shibboleth software; in fact, roughly 90 percent of InCommon IdPs are Shibboleth. In addition, the federation metadata aggregation and signing processes depend on Shibboleth Metadata Aggregator (MDA) and XmlSecTool software. This means that both InCommon and TIER have a vested interest in the sustainability of Shibboleth.

Figure: TIER Technical Reference Architecture with Annotations. This diagram, based on the TIER Reference Architecture, illustrates how the InCommon Federation connects with TIER.

The numbered areas illustrate how InCommon and its participant sites fit into the TIER architecture to facilitate the trusted exchange of identity information at scale. From left to right, 1) Identity Providers (IdPs) (called “Identity Sources” in this diagram) assert trusted identities, 2) the federation registers and publishes trusted endpoints and key material and 3) Service Providers (SPs) (called “Identity Consumers” in this diagram) use the identities asserted by IdPs. IdPs and SPs publish information about their technical interoperation in the federation metadata.
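As an added illustration of steps 2 and 3 above (not code from this post, nor from any InCommon or TIER software), the following consumer-side snippet reads a federation metadata aggregate and extracts each entity's role, endpoints and signing key material, refusing an aggregate whose validUntil has passed. The entity IDs, URLs and certificate value are constructed placeholders, and verification of the aggregate's XML signature (the job of XmlSecTool/MDA in the real pipeline) is assumed to happen before this step.

```python
# Added example: consume a federation metadata aggregate (constructed sample,
# not real InCommon metadata). XML signature checking is assumed done upstream.
from datetime import datetime, timezone
import xml.etree.ElementTree as ET

NS = {"md": "urn:oasis:names:tc:SAML:2.0:metadata",
      "ds": "http://www.w3.org/2000/09/xmldsig#"}
SAMPLE_METADATA = """<md:EntitiesDescriptor xmlns:md="urn:oasis:names:tc:SAML:2.0:metadata"
  xmlns:ds="http://www.w3.org/2000/09/xmldsig#" validUntil="2099-01-01T00:00:00Z">
 <md:EntityDescriptor entityID="https://idp.example.edu/idp/shibboleth">
  <md:IDPSSODescriptor protocolSupportEnumeration="urn:oasis:names:tc:SAML:2.0:protocol">
   <md:KeyDescriptor use="signing"><ds:KeyInfo><ds:X509Data>
    <ds:X509Certificate>PLACEHOLDER-CERT</ds:X509Certificate></ds:X509Data></ds:KeyInfo></md:KeyDescriptor>
   <md:SingleSignOnService Binding="urn:oasis:names:tc:SAML:2.0:bindings:HTTP-Redirect"
    Location="https://idp.example.edu/idp/profile/SAML2/Redirect/SSO"/>
  </md:IDPSSODescriptor></md:EntityDescriptor>
 <md:EntityDescriptor entityID="https://sp.example.org/shibboleth">
  <md:SPSSODescriptor protocolSupportEnumeration="urn:oasis:names:tc:SAML:2.0:protocol">
   <md:AssertionConsumerService Binding="urn:oasis:names:tc:SAML:2.0:bindings:HTTP-POST"
    Location="https://sp.example.org/Shibboleth.sso/SAML2/POST" index="1"/>
  </md:SPSSODescriptor></md:EntityDescriptor>
</md:EntitiesDescriptor>"""

_ts = lambda iso: datetime.fromisoformat(iso.replace("Z", "+00:00"))  # SAML 'Z' timestamps

def metadata_expired(xml_text, now_iso=None):
    """True if validUntil is missing or past: stale metadata must be rejected."""
    valid_until = ET.fromstring(xml_text).get("validUntil")
    if not valid_until:
        return True  # never trust an aggregate with no expiry
    now = _ts(now_iso) if now_iso else datetime.now(timezone.utc)
    return now > _ts(valid_until)

def parse_aggregate(xml_text, now_iso=None):
    """Map entityID -> role, endpoints (element, binding, location), signing certs."""
    if metadata_expired(xml_text, now_iso):
        raise ValueError("metadata aggregate is expired or lacks validUntil")
    entities = {}
    for ent in ET.fromstring(xml_text).findall("md:EntityDescriptor", NS):
        for role, tag in (("IdP", "md:IDPSSODescriptor"), ("SP", "md:SPSSODescriptor")):
            desc = ent.find(tag, NS)
            if desc is None:
                continue
            # Any child carrying a Location is a published endpoint for this role.
            endpoints = [(e.tag.split("}")[1], e.get("Binding"), e.get("Location"))
                         for e in desc if e.get("Location")]
            # KeyDescriptor without a 'use' attribute covers signing and encryption.
            certs = [c.text.strip() for kd in desc.findall("md:KeyDescriptor", NS)
                     if kd.get("use", "signing") == "signing"
                     for c in kd.findall("ds:KeyInfo/ds:X509Data/ds:X509Certificate", NS)]
            entities[ent.get("entityID")] = {"role": role, "endpoints": endpoints, "signing_certs": certs}
    return entities
```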

The overlap in the needs of InCommon and TIER has resulted in a series of closely aligned planning sessions at the executive level. Execs with governance roles in both TIER and InCommon have identified common resource needs and organizational requirements that must be met. The close alignment of these conversations and the staffing models that have been developed have, in turn, enabled close collaboration between InCommon staff and TIER management in areas such as project planning, change management and development roadmaps. This alignment began in mid-2015 with the rollout of InCommon support for eduGAIN. It continues in projects such as the InCommon Steward Program pilot, the new Security Incident Response Trust Framework for Federated Identity (SIRTFI) pilot, work to address technical debt in the InCommon Federation Manager, and, starting shortly, an examination of the metadata generation, aggregation, signing and distribution processes in preparation for the delivery of per-entity metadata.

As we continue to work towards operational excellence in InCommon (a process of continuous improvement), InCommon and TIER will take advantage of the technical infrastructures, services, operational models and security measures developed in cooperation. This cooperation ensures that InCommon and TIER services (a suite of services that fall under the banner of “Internet2 Trust and Identity Services”) are operated in a way that makes it possible for the community to depend on them and ensures that the services meet the highly complex and evolving needs of education organizations and research collaborations.

Stay tuned to next month’s TIER newsletter for part 2 of this blog, which will focus on how InCommon is leveraging the TIER DevOps environment to build out a continuous integration, testing and quality assurance platform.