Trust and Identity in Research and Education (TIER)
Final Report to Investors
August 20, 2019

Repository ID: TI 138.1
Persistent URL: http://doi.org/10.26869/TI.138.1
Authors: Bill Kaufman, Kevin Morooney, Erin Murtha, Ann West, Dean Woodbeck
Sponsor: TIER Community Investor Council
Proposed future review date: None
Subject tags: TIER

© 2019 Internet2. This work is licensed under a Creative Commons Attribution 4.0 International License.

Table of Contents
Executive Summary
Activities and Details
Notable Accomplishments
Detailed Milestones
Financials
Appendix A – Investor Institutions
Appendix B – Metrics
Appendix C – Internet2 Events

Executive Summary

For 20 years, the Internet2 community has developed identity and trust programs and software to make it easier to offer and access services and to collaborate. Each component was designed to address a community-identified gap in commonly available tools.

In 2015, the Trust and Identity in Education and Research (TIER) work was initiated to tie these separate components together into an identity and access management platform that is easy to manage and install, and preconfigured to leverage InCommon and global federation. In short, TIER would add needed functionality while making operations easier.

To support this goal, the TIER project team set out to:

• Integrate the existing components to make them easier to connect and use.
• Package the components to reduce the time necessary to install and manage the software.
• Identify and integrate additional components to complete a full-featured identity and access management platform.

This report provides a short history of the TIER initiative, its accomplishments, some metrics and financial information. Accomplishments include:

• Reducing the installation and basic software configuration time from several hours to less than 10 minutes.
• Adding capability to provide access for end users while also increasing security by removing access when appropriate.
• Providing the capability to manage access for guests, collaborators or third parties as well as students, faculty, and staff.
• Preconfiguring connections with global federations (adhering to community practices).
• Jump-starting a program to help organizations adopt the software and move to production faster, including training, documentation and consulting.
• Building enforcement of community metadata requirements into InCommon federation operations.

Activities and Details

The Trust and Identity in Education and Research (TIER) work began in mid-2015 with extensive community workshops, which gathered more than 100 common identity and access management challenges. Community members identified the major gaps and key requirements to be addressed, and formed working groups in four areas:

• Software architecture and integration requirements
• Exploring entity registries for maintaining identities
• Security recommendations
• Software packaging requirements to help streamline adoption

In early 2016, 49 higher education institutions committed to providing funding over three years to support the TIER effort (see Appendix A). In October 2017 (at about the halfway point for the funding), community architects and developers met at the Internet2 Technology Exchange to evaluate the progress made thus far and to set priorities for the next 18 months.

At this point, 16 campuses had started implementing at least one of the TIER component packages. To increase adoption, the TIER investors agreed to allocate some funding to support a program providing implementation assistance, training and consulting. Ten campuses joined the Campus Success Program, each with the goal of adopting at least one of the components. Most campuses either successfully adopted at least one component or made substantial progress towards that end.
The program also provided valuable feedback on barriers to adoption and on community needs for training and assistance. To date, there are over 100 TIER component packages actively being run in testing, production or training.

Notable Accomplishments

• Packaging of the TIER software components in Docker containers and the development of a continuous development and integration pipeline, resulting in:
 o Reduced automated build times to produce new containers from several hours to 15 minutes or less.
 o Improved installation and basic configuration time for the components from potentially several hours to less than 10 minutes.
• Identifying midPoint as an additional key software component to act as a registry and a powerful provisioning/de-provisioning engine.
• Developing a continuous stream of demonstrations and presentations for key Internet2 and community meetings to share progress and viability with the community.
• Adding telemetry to the TIER packages (status and version installed) to help estimate adoption rates.
• Publishing the Grouper Deployment Guide to assist in the adoption and deployment of the Grouper enterprise access management software.
• Implementing the TIER Campus Success Program, a collaboration of 10 campuses working together to deploy one or more of the TIER components. Each campus also produced a case study to share with the community.
• Developing a graphical user interface for the Shibboleth Identity Provider software to eliminate some manual processes.
• Refactoring and streamlining the Federation Manager software for ease of use by site administrators and to allow rapid approval of routine federation metadata changes.
Much of this work was accomplished through hours of community design, architecture, and best practices discussion. At the end of 2018, the cumulative metrics for associated conference calls and meetings included:

• 525 working group and related community calls.
• 11,936 collaboration hours (calls and face-to-face meetings), comprising:
 o 3,509 Internet2 staff hours.
 o 8,426 community representative hours.

Detailed Milestones (2015, 2016, 2017, 2018)

Financials

Appendix A – Investor Institutions

Arizona State University
Baylor University
Boston University
Caltech (California Institute of Technology)
Carnegie Mellon University
Case Western Reserve University
Clemson University
Cornell University
Duke University
Harvard University
Indiana University
Lafayette College
Louisiana State University
MIT (Massachusetts Institute of Technology)
New York University
Northwestern University
The Ohio State University
Old Dominion University
Oregon State University
The Pennsylvania State University
Purdue University – Main Campus
Rice University
Stanford University
Tulane University
University of Arizona
University of California – Berkeley
University of California – Merced
University of Chicago
University of Florida
University of Hawaii – Manoa
University of Illinois – Urbana-Champaign
University of Iowa
University of Maryland – Baltimore County
University of Maryland – College Park
University of Miami
University of Michigan – Ann Arbor
University of Missouri – Columbia
University of Nebraska – Lincoln
University of North Carolina – Chapel Hill
University of Notre Dame
University of Oregon
University of Pittsburgh – Pittsburgh Campus
University of Utah
University of Virginia
University of Washington
University of Wisconsin – Madison
Virginia Polytechnic Institute and State University
Washington University in Saint Louis
Yale University

Appendix B – Metrics

The following is a brief summary of many of the activities that occurred as key parts of the TIER work.
Twelve TIER newsletters and 11 Trust and Identity community newsletters were published, including TIER community updates, along with 9 TIER quarterly reports.

Fifteen companies, contractors, independent consultants, and partners were engaged to assist with TIER development activities, including: Evolveum, West Arete, Alfa Jango, Levvel.IO, Spherical Cow Group (Benn Oshrin, Scott Koranda, Tom Zeller), Unicon (various), FasurTech (Vivek Sachdeva), Docker Inc., Duke University (Consent Development Team), University of Wisconsin (Keith Hazelton), University of Chicago (Tom Barton), and independent consultants Chris Hyzer, Bert Bee-Lindgren, Marlena Erdos and David Walker.

Thirty-four external groups were engaged to provide them with knowledge and awareness of the TIER activities, integration with InCommon and the Federation, and the different ways to collaborate:

• AACRAO
• Amazon
• American Association of College Registrars and Admissions Officers
• American Association of Medical Colleges
• American Jesuit Colleges and Universities
• Carbon8
• Cisco
• Common Solutions Group
• Duquesne University
• EDUCAUSE organizational leadership
• Federated Cloud Workshop (OpenResearch Cloud)
• FIM4R
• GÉANT (eduGAIN and REFEDS and related working groups)
• General Services Administration (GSA)
• Global CEO Forum (representing the Shibboleth Board)
• Google
• Identity Ecosystem Steering Group
• IMS
• International federation operators
• Internet2 Board
• Kantara
• MCNC
• National Institute of Standards and Technology (NIST)
• RA-21 Project Steering Committee
• Research University CIO Conclave (RUCC)
• Safe BIOPharma
• Shibboleth Consortium
• SIRTFI Working Group
• State of Wisconsin Department of Instruction
• SunCorridor Regional in Arizona
• US Government Agencies (GSA, NSF, NIH)
• The QUILT
• University of Arizona
• US Government Middleware And Grid Interagency Coordination Group (MAGIC)

More than 20 presentations and webinars were given, and many conferences were attended (excluding the Internet2 Global Summit and Internet2 Technology Exchange conferences):

• AACRAO Technology Conference
• Chinese and American Networking Symposium (CANS)
• Conducted two international webinars representing the Shibboleth Board
• Four EDUCAUSE opportunities:
 o TIER Breakfast (115 attendees)
 o Trust and Identity BOF (25 attendees)
 o Trust and Identity poster session
 o A podcast interview
• Held two IAM Online webinars
• KINBERcon
• MAX
• MCNC Community Day
• Microsoft
• New America
• NSF Campus Cyberinfrastructure and InCommon Webinar held in January 2018
• NSF Transition to Practice workshop
• Pacific Northwest GigaPOP
• SC (Supercomputing) conference
• Scientific, Technical and Medical Publishers meeting
• The Quilt Regional Network meeting in February 2018
• Three international webinars (as part of the Shibboleth Consortium)
• TIER midPoint workshop prior to the March RUCC meeting in Denver, CO
• TNC
• Trust and identity breakfast at the EDUCAUSE Annual Conference and presentations at track sessions
• US regional network leadership in Tempe, AZ
• Westnet CIO meeting

Appendix C – Internet2 Events

The Internet2 Global Summit and Internet2 Technology Exchange conferences were used as checkpoints to communicate both the progress and the building momentum of the TIER work:

Global Summit 2016
• Trust and Identity in Research and Education (TIER) Initiative (Community Collaboration for the Next Decade)

TechEx 2016
• Federated Identity Management For Virtual Organizations
• Base CAMP: The Identity Landscape & Emerging Technologies
• Trust and Identity CAMP: Opening Keynote
• Grouper Provisioning: Locally & Cloud
• What's New and What's Next with TIER
• Trust and Identity CAMP: Closing Plenary
• Many ACAMP sessions specific to TIER
• TIER DevOps Environment – First View of New TIER Community Testing and Usability Platform
• A functional IAM infrastructure integrated into the Demo Workbench, including a cross-reference with the TIER Reference Architecture as one of many narrative use cases
• Consent-informed Attribute Release (CAR) service live demo
• IdMatch service and its integration into the Demo Workbench
• Preview of COmanage v1.1.0 including capabilities for loading external source records

Global Summit 2017
• TIER Stories from the Field: Harvesting Early Adopter Experiences
• TIER Roadmap: Working Together to Develop the Path
• (Demonstrations) TIER DevOps Environment – Fresh Presentations from the TIER Community Testing and Usability Platform
• Provisioning/De-Provisioning Commercial Apps & TIER
• Instrumentation included in the new TIER Release
• The new Internet2 TIER Implementation for Community Collaboration (preview)

TechEx 2017
• In-Depth Theme: TIER: Moving the Community to Adoption and Production
• In-Depth Theme: DevOps: Continuous Integration and What it Means for IAM Service Delivery
• Many ACAMP sessions specific to TIER
• (Demonstrations) Enabling TIER Community Adoption using a DevOps Approach and the TIER Workbench
• TIER Provisioning/Deprovisioning Demo
• SOR to midPoint and midPoint to Resources Demo
• Internet2 COmanage Demo

Global Summit 2018
• Trust & Identity Showcase including CSP Institutions and TIER WG members
 o T&I Showcase 1
   - COmanage / Grouper implementation at Colorado State
   - Banner TIER Connector Overview – Colorado School of Mines
   - DevOps at the University of Illinois
 o T&I Showcase 2
   - Shibboleth UI/UX (Unicon)
   - SOR to Registry / Identity On-Boarding, Credential management, architecture, and data flows (TIER WGs)
   - COmanage – midPoint Integration Architectures (SCG)
 o T&I Showcase 3
   - Provisioning Architecture and data flows (TIER WGs)
   - Provisioning and De-provisioning (TIER WGs)
   - TIER Packaging – Container overview and GitHub Repos (TIER WGs)
• Trust and Identity at Internet2: Delivering Services and Software for Access and Collaboration

TechEx 2018
• midPoint as Entity Registry and Provisioning Engine
• My Year With TIER: Adoption Experiences with the IAM Software Suite: Part 1 (CSP Schools)
• My Year With TIER: Adoption Experiences with the IAM Software Suite: Part 2 (CSP Schools)
• Introducing the TIER ID Match Component
• Many ACAMP sessions specific to TIER