The Science Identity Federation
NUFO – June 2010
Michael [email protected]
Energy Sciences Network (ESnet), Lawrence Berkeley National Laboratory
But First, About ESnet….
6/7/2010 SIF - NUFO
The Energy Sciences Network
The Department of Energy’s Office of Science is one of the largest supporters of basic research in the physical sciences in the U.S.
• Directly supports the research of some 15,000 scientists, postdocs and graduate students at DOE laboratories, universities, other Federal agencies, and industry worldwide
• Operates major scientific facilities at DOE laboratories that have participation by the US and international research and education (R&E) community
Established in 1985, ESnet is the Department of Energy’s science networking program whose responsibility is to provide the network infrastructure supporting the missions of the Office of Science
• Enabling a new era in scientific discovery as we tackle global issues like climate change, alternative energy/fuels and understanding the origins of the universe.
ESnet: Driven by Science
Networking needs of researchers are far different than commercial users.
Therefore, ESnet regularly explores the plans and processes of major stakeholders to understand:
• The extreme data characteristics of instruments and facilities
– How much data will be generated by instruments coming on-line over the next 5-10 years?
• The future process of science
– How and where will the new data be analyzed and used – that is, how will the process of doing science change over 5-10 years?
• SC Networking Requirements Workshops
– 2 workshops a year, rotating thru BES, BER, FES, NP, HEP, ASCR communities
– Workshop reports: http://www.es.net/hypertext/requirements.html
Observing current and historical network traffic trends
• What do the trends in network patterns predict for future network needs?
Science: Driven by Data
Scientific data sets are growing exponentially
• Ability to generate data is exceeding our ability to store and analyze
• Simulation systems and some observational devices grow in capability with Moore’s Law
Petabyte (PB) data sets will soon be common:
• Climate modeling: estimates of the next IPCC data is in 10s of petabytes
• Genome: JGI alone will have 0.5 petabyte of data this year and double each year
• Particle physics: LHC is projected to produce 16 petabytes of data per year
• Astrophysics: LSST and others will produce 5 petabytes/year
Solution: ESnet4
ESnet4: a unique hybrid packet- & circuit-switched network infrastructure specifically designed to handle massive amounts of data
• Combines the flexibility and resiliency of IP routed networks with the deterministic, high-speed capability of a circuit-switched infrastructure
Used commercially available technologies to create two logically separate networks over which traffic seamlessly switches
• IP Network: One network for IP traffic using a single 10 Gbps circuit over which ESnet provides audio/videoconferencing and data collaboration tools
• Science Data Network: Circuit-switched core network consisting of multiple 10 Gbps circuits connecting directly with other high-speed R&E networks and utilizing Layer 2/3 switches
ESnet4 June 2009
[Figure: ESnet4 network map showing connected DOE labs and sites, and peerings with US and international R&E networks. Legend: IP router, SDN router, optical node, DOE Lab, Lab Link, MAN, NLR 10G, 20G SDN, 10G SDN, 10G IP, Peering Link.]
But … is 10 GBps enough for you?
ESnet Service Links
• http://www.es.net
• http://www.es.net/OSCARS
• http://fasterdata.es.net
• http://www.perfsonar.net
• http://www.doegrids.org
• http://www.ecs.es.net
• And SIF – Science Identity Federation
Science Identity Federation
• Collaborations need scalable "security" infrastructure
– Authentication ... Authorization ... Identity
• Environment is diverse
– DOE sites ... Projects ... Academia ... Industry
• Different security and identity objectives
• Internet is changing
– Social network
• Internet identity and security environment is changing
– Software, protocols, APIs, principles and practices
• Efficiency and process
– We have a lot of identity "process" locked up in sites
– Why build new identity silos for each new service?
Science Identity Federation (SIF)
• Interoperable Identity for DOE labs
… based on the well-known
• Shibboleth authentication & authorization software from Internet2
… so that labs can also
• Federate with InCommon
– US Higher Education Shibboleth Federation: see InCommonfederation.org
.... and other federations as needed
Let's Explain...
• "Federation" - coalition of resources; resources retain most of their autonomy, but agree to respect a few common rules
– Science Identity Federation is an AUTHENTICATION federation … for Logical Access to Computers
• "Identity" - attributes about a person - name, affiliation, contact information
• "Shibboleth" - A particular implementation of authentication federation, based on certain profiles of SAML
• SAML - Security Assertion Markup Language
Safe, Secure Identity
• I log in with my home site identity
• Your service gets valid, useful attributes about me
SIF Today
We have ….
• Discussion Group
• http://groups.google.com/group/science-federation
• Basic discovery service
• Interesting service – confluence.scifed.org
– See Demo
• Several test IDPs
• Blanket contract for InCommon membership
• Coming soon!
• Training Event (Shib Install Fest)
What Is InCommon?
Why Science Identity Federation?
DOE User Facilities
• DOE operates a unique complex of research programs, sites, and over 60 user facilities for scientific research.
• Identity federation should
o Reduce long-run costs of running existing facilities
o Remove an administrative barrier for new facilities
• These facilities are a very valuable asset to a federation
– Your identity can enable you to do something useful!
What Can We Do Together?
• Use Cases
• Attributes
• Look at your user community
– Where are they from?
– Are there users of multiple user facilities?
• YES – if you include the computational resources
• DOE Facilities –
– Talk to your site CIO about SIF
– Talk to your DOE program managers
What Was That SIF Site Again?
http://groups.google.com/group/science-federation
Or
Go to groups.google.com and search for science federation
Or
Contact me: Michael [email protected] +1-510-621-7353
Links
• Science Identity Federation google group
– http://groups.google.com/group/science-federation
• Shibboleth project at Internet2
– http://shibboleth.internet2.edu/
• InCommon - US Shibboleth Federation
– http://incommonfederation.org
– Many interesting things to see here; consider IAM
– http://www.incommonfederation.org/iamonline.html
– InCommon metadata: http://wayf.incommonfederation.org/InCommon/InCommon-metadata.xml
• SWITCH AAI demo
– http://www.switch.ch/aai/demo/expert.html
• How the Internet works video
– http://www.youtube.com/watch?v=a5837LcDHfE
Acknowledgements
• Bill Johnston, Mike O’Connor – ESnet slides
• Adam Stone, Walter Dykas, Roy Whitney – inspiration, support
• Dhiva Muruganantham, Greg Haverkamp – hard work
• Mine Altunay, Nate Klingenstein - Installfest
• … and many more ….