
CILogon Hosted COmanage Registry for the OSG Consortium

InCommon Catalyst Program Case Study

Executive summary

The Open Science Grid (OSG) Consortium is a distributed high throughput computing (dHTC) organization that manages access to a global network of data and computing resources shared across more than 70 institutions. The OSG Consortium worked with InCommon Catalyst CILogon to implement a user registry that supports distributed onboarding, offboarding, and authorization workflows delegated to volunteer administrators around the globe. Because the consortium is staffed by researchers rather than dedicated IT personnel, the access management solution could not depend on the OSG Consortium running a help desk. And with nearly 200 research projects and growing, the registry had to scale without demanding significant staff time.


Leveraging CILogon’s established services in the InCommon Federation, the OSG Consortium outsourced the credentialing and authentication tasks to researchers’ home institutions and focused solely on the authorization workflows to ensure the right researchers have access to their projects in a timely manner. 

By “meeting the researchers where they are,” the OSG Consortium was able to support the majority of researchers, who are at R1 research institutions, as well as small colleges and universities throughout the U.S. and the world, through InCommon’s connection to the global eduGAIN single sign-on federation. CILogon was able to also support authentication via ORCID and commercial identity providers like Google, Microsoft, and GitHub to accommodate researchers from organizations not supported by an eduGAIN federation like InCommon.

Background

The Morgridge Institute for Research, a private, nonprofit biomedical research institute in Madison, Wisconsin, affiliated with the University of Wisconsin–Madison, contracted with CILogon, a non-profit based at the University of Illinois, to provide a hosted COmanage Registry for the OSG Consortium. Established in 2005, the OSG Consortium operates a fabric of dHTC services in support of the national science and engineering community. Two core services the OSG Consortium supports are the Open Science Data Federation (OSDF) and the Open Science Pool (OSPool). OSDF enables users and institutions to share data and storage capacity with dHTC environments such as OSPool. Together these services provide a valuable set of resources for the global research community.

OSDF Stats

  • 12 Origin Sites at 10 Institutions
  • 29 Cache Sites at 20 Institutions
  • 6 Origin and Cache Sites at 6 Institutions

OSPool Stats

  • 71 Institutions
  • 197,240,015 Jobs Run
  • 58 Impacted Fields of Science
  • 197 Impacted Research Projects

COmanage is a set of tools designed to streamline the digital lifecycle and identity data management of collaborative cross-institutional communities. COmanage tools are components of the InCommon Trusted Access Platform; in this case study, CILogon deployed them as a registry to manage the identities and access rights of researchers across multiple institutional boundaries. Researchers authenticate with their local institutional credentials, and the CILogon COmanage registry grants access to resources based on the rules defined in the registry data.

Challenges

Managing secure access to large data and computing resources on a global scale can strain the limited administrative resources available to research organizations. The OSG Consortium needed a new registry service for users, site contacts, and staff that streamlined sign-up, updates, approvals, and systems management, replacing its previous internally developed solution. Ease of access (e.g., support for single sign-on) was an essential requirement for serving the broad national science and engineering community and supporting the growing group of research collaborations, campuses, national laboratories, and software providers that form the consortium. Supporting as many researchers as possible without imposing large administrative burdens on OSG staff was essential to project success.

Additionally, because the OSG Consortium is not a legal entity but a coalition of researchers volunteering time in a shared effort, it is unable to sign the legal documents required to join the InCommon Federation. Leveraging CILogon's established interoperation with the InCommon Federation allowed the consortium to implement a federated solution through CILogon's proxy service, with CILogon acting as the federation member on the consortium's behalf.

Solutions

CILogon’s services enabled streamlined and scalable authentication, authorization, and connectivity to support efficient access to the OSG Consortium’s research systems.

Authentication: By leveraging identity and access management (IAM) infrastructure the global research and education community already uses, CILogon enables users to authenticate the way they do every day at their home institutions, using single sign-on to the CILogon Registry via the InCommon Federation. Consortium members who do not have InCommon Federation institutional credentials can use their ORCID, Google, Microsoft, or GitHub (so-called social) credentials. Members can also attach their GitHub identities and SSH (Secure Shell) public keys to their CILogon registration so that dHTC resources can authenticate them without a separate password. Because authentication is delegated to users' home institutions or other identity providers, OSG staff never store or manage user IDs and passwords, and the risks that come with a password database (storage, reset, and breach handling) stay with the identity provider rather than the consortium.

Authorization: Authorizing access to OSG Consortium resources is the heart of what the COmanage registry does, allowing OSG staff to set permissions for users or groups of users according to established policies. COmanage provides an intuitive interface for delegating the management of resources to the administrators responsible for the various assets, so local administrators can grant or deny access within a delegated workflow. This supports multiple workflows within COmanage, including onboarding, periodic reverification, and offboarding, so that access is removed as well as granted through the registry.

Connecting to dHTC Resources: REST API and LDAP integrations allow dHTC resources to consume the authentication and authorization data that CILogon's COmanage registry provides. These well-known interfaces are highly compatible with applications and resources in the research ecosystem, so a login node or service can look up a registered user's group memberships and keys from the registry rather than maintaining its own user list.
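The following is an added example, not code from CILogon, COmanage, or the OSG Consortium, showing how a dHTC login node could consume the registry's LDAP data described in the Authentication and Connecting sections above: it looks up a person by principal name, checks membership in the group the resource requires, and returns the SSH public keys the person registered, in the shape of an OpenSSH AuthorizedKeysCommand. The attribute names (eduPersonPrincipalName, isMemberOf, sshPublicKey), the group naming, and the directory response are assumptions and constructed sample data; the real attribute mapping is whatever the registry's LDAP provisioner is configured to emit, and a real deployment would run the search with an LDAP client over LDAPS instead of the inline sample.

```python
"""Added example (not CILogon/COmanage/OSG code): authorize an SSH login from
registry LDAP data. Attribute names and the LDIF below are assumed/constructed."""
import base64
import re

# RFC 4515 filter escaping. The username arrives from sshd (%u), i.e. from the
# remote peer, so it must never be able to alter the search filter
# (LDAP filter injection, e.g. a principal of "*" matching every entry).
_FILTER_ESCAPES = {"\\": r"\5c", "*": r"\2a", "(": r"\28", ")": r"\29", "\x00": r"\00"}


def escape_filter_value(value: str) -> str:
    return "".join(_FILTER_ESCAPES.get(ch, ch) for ch in value)


def build_filter(principal: str) -> str:
    # eduPersonPrincipalName is an assumed attribute choice for this example.
    return f"(eduPersonPrincipalName={escape_filter_value(principal)})"


def parse_ldif(ldif: str) -> list[dict[str, list[str]]]:
    """Minimal LDIF parser: entries separated by blank lines, 'attr: value' lines,
    'attr:: base64' lines, and continuation lines that start with one space."""
    unfolded: list[str] = []
    for raw in ldif.splitlines():
        if raw.startswith(" ") and unfolded:
            unfolded[-1] += raw[1:]
        else:
            unfolded.append(raw)
    entries: list[dict[str, list[str]]] = []
    current: dict[str, list[str]] = {}
    for line in unfolded + [""]:       # trailing "" flushes the last entry
        if not line.strip():
            if current:
                entries.append(current)
                current = {}
            continue
        if line.startswith("#"):
            continue
        attr, _, val = line.partition(":")
        if val.startswith(":"):         # "attr:: <base64>" form
            val = base64.b64decode(val[1:].strip()).decode()
        current.setdefault(attr.strip(), []).append(val.strip())
    return entries


# Only accept well-formed keys of types the resource supports; anything else
# stored in the directory is ignored rather than handed to sshd.
_KEY_RE = re.compile(
    r"^(ssh-ed25519|ecdsa-sha2-nistp(256|384|521)|ssh-rsa) [A-Za-z0-9+/=]+( \S+)?$"
)


def authorized_keys(entries: list[dict[str, list[str]]], required_group: str) -> list[str]:
    """Return authorized_keys lines for exactly one matching person who is in
    required_group; an empty list means 'deny' to sshd."""
    if len(entries) != 1:               # no match, or ambiguous match: deny
        return []
    entry = entries[0]
    if required_group not in entry.get("isMemberOf", []):
        return []
    return [k for k in entry.get("sshPublicKey", []) if _KEY_RE.match(k)]


# Constructed sample directory content standing in for a live LDAP search result.
# The key blob is a placeholder, not a real key; the group name mimics the
# "CO:COU:<name>:members:active" style COmanage uses but is assumed here.
SAMPLE_LDIF = """\
dn: uid=ada,ou=people,dc=example,dc=org
eduPersonPrincipalName: ada@example.edu
isMemberOf: CO:members:active
isMemberOf: CO:COU:OSPool users:members:active
sshPublicKey: ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIPlaceholderPlaceholderPlaceholderPlace ada@laptop
sshPublicKey: not a key
"""


def authorized_keys_for(principal: str, required_group: str, ldif: str = SAMPLE_LDIF) -> list[str]:
    """Simulate the server-side search locally: the escaped filter is what a real
    client would send; here we apply an exact-match on the sample entries."""
    ldap_filter = build_filter(principal)          # would be sent over LDAPS
    assert ldap_filter.startswith("(eduPersonPrincipalName=")
    matches = [e for e in parse_ldif(ldif) if principal in e.get("eduPersonPrincipalName", [])]
    return authorized_keys(matches, required_group)


if __name__ == "__main__":
    # sshd would call this with %u and print the result as the authorized_keys file.
    for line in authorized_keys_for("ada@example.edu", "CO:COU:OSPool users:members:active"):
        print(line)
```

Wire it into sshd with AuthorizedKeysCommand (and AuthorizedKeysCommandUser) so that each login consults the registry instead of a locally maintained authorized_keys file; offboarding in the registry then takes effect at the next login without touching the node.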

[Diagram: Authentication, Research Applications, and REST API connections]

Impact

More than 400 active members are currently registered in the CILogon COmanage registry, primarily authenticating via the InCommon Federation with a smaller population using ORCID to authenticate. Commercial providers (e.g., Google, Microsoft, and GitHub) constitute a minority of user authentications. Prospective research participants can register online with help from thorough online documentation. While management of authorized system users is an essential role of the volunteer staff administering access to OSG systems, outsourcing authentication via the InCommon Federation, ORCID, and commercial identity providers fulfills the central requirement that OSG staff not be burdened by managing usernames and passwords, and that system users not need to track another set of credentials. This approach addresses user, administrator, efficiency, and security needs well.

Lessons learned

By leveraging CILogon and COmanage’s support for authentication via InCommon and ORCID, the OSG Consortium streamlined the user registration process and minimized overhead to just the tasks that require OSG administrators’ attention like authorization of the permitted users into specific data and applications. CILogon’s familiarity with the InCommon Federation and the many different connectivity requirements in research computing made the process go smoothly without requiring researchers to dive deep into the behind-the-scenes technology.

About CILogon

CILogon, a nonprofit subscription service from the University of Illinois, enables researchers and scholars to log on to cyberinfrastructure (CI). CILogon provides an open-source IAM platform for research and scholarship collaborations that combines federated identity management (Shibboleth) with collaborative organization management (COmanage Registry), directory services (OpenLDAP), OIDC/SAML proxy services (SATOSA), SAML Metadata Query services (pyFF), and capability-based authorization (SciTokens). CILogon follows REFEDS standards (Assurance, MFA, R&S, SIRTFI, voPerson).

About The OSG Consortium

Established in 2005, the OSG Consortium operates a fabric of distributed High Throughput Computing (dHTC) services in support of the National Science & Engineering community. The research collaborations, campuses, national laboratories, and software providers that form the consortium are unified in their commitment to advance open science via these services.

The InCommon Catalyst Program, launched in June 2021, assists higher education institutions, research organizations, and sponsored partners in their efforts to enable better security, access to services, and user experience through InCommon’s integrated service and software solutions. A group of industry leaders and Internet2 members that actively contribute to IAM within the R&E community, InCommon Catalysts offer a wide range of IAM support services. If you’re interested in leveraging the experience and expertise of an InCommon Catalyst to solve a particular challenge or devise a roadmap for a full IAM reboot, feel free to reach out directly.
