The award-winning paper, titled “Migrating towards Single Sign-On and Federated Identity,” describes a novel approach to implementing a continuous migration to a new identity management method for Chameleon, a testbed for computer science research and education, with sites at the Texas Advanced Computing Center (TACC) and the University of Chicago.
The Chameleon project began almost a decade ago. “At that time, developing a bare-metal reconfigurable systems testbed from scratch was extremely challenging, and our primary focus went into providing core capabilities with a bare-bones approach to identity management that required users to create Chameleon accounts,” said Keahey, a senior computer scientist in Argonne’s Mathematics and Computer Science Division and PI of the Chameleon project.
That strategy was effective, providing bare-metal reconfigurability, reboot, power on/off and console access, as well as strong support for security, within the first six months of the project. Hitting the ground running allowed the Chameleon community to grow rapidly, and it now has more than 6,000 users. But in the long run, the project staff found that they needed to refine their approach to account management. Specifically, two features were lacking: support for single sign-on and federated identity. Without single sign-on, users who reached the testbed through multiple applications – Chameleon’s portal, JupyterHub, or OpenStack’s Horizon GUI – or who used multiple sites had to start a new login session for each application or site, which was both confusing and onerous. And without support for federated identity, integration with other testbeds was difficult. Partial solutions – such as replicating the account databases at the two testbed sites or devising a custom authentication mechanism that redirected web application logins to the user portal – proved just that: partial. They were brittle and inefficient and did not scale.
“Migrating to a different way of managing user identity in a mature system is a challenge because the users will have created thousands of artifacts tied to their identity and the system will have grown in complexity,” Keahey said. “The experience was very much like rebuilding a foundation under a skyscraper with thousands of people living in it.”
Faced with these issues, Anderson and Keahey devised a two-tier architecture: an account system that provides central session management and authorization, but delegates the actual verification of a user’s credentials to one of several external identity providers. Because the account system does not own the credentials itself, Chameleon can support multiple identity providers side by side, which is essential for implementing a continuous migration in which the old and new providers coexist.
The account management system is implemented in Keycloak, an open-source identity and access management product, and is configured to delegate authentication either to Globus Auth or to the TACC Administration System, the original Chameleon identity provider; it can be extended to support others. Among the many changes involved, the Chameleon team developed patches for Keystone, OpenStack’s identity service, to enable one-time configuration of authentication across applications; implemented plugins that add actions a user must complete before an account is enabled; and built a new service for managing allocations.
A major consideration in the system reconfiguration was the migration needs of the community. Most of Chameleon’s users use the testbed for only a few months at a time, whether for a class or a specific project, and may then not return for a long time, fully expecting to still have access to all the data they created. To meet these needs, the Chameleon team developed a self-migration tool that essentially syncs a user’s original Chameleon account to their federated account. The tool was introduced during the official migration period, and most users were able to complete account migration themselves via the portal; in a few cases, Chameleon support staff had to manually reconcile accounts after the migration period.
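The account-linking step at the heart of such a self-migration is where a migration can go wrong: if the tool binds a legacy account to a federated identity on the strength of an unverified e-mail claim, or links one side twice, an attacker who registers a matching address at the identity provider inherits someone else’s artifacts. The following Python is an added illustration written for this page; it is not Chameleon’s migration tool, and it makes assumptions the article does not state: the user proves control of the legacy account by logging into it first, the trusted issuer URLs are hypothetical placeholders, and the sample accounts are constructed. Every case that does not pass all checks is handed to support staff, mirroring the manual reconciliation the article mentions.

```python
"""Illustrative self-migration account linking (not Chameleon's own tool).

Assumptions (hypothetical): the user is already logged into the legacy
account being migrated, then authenticates with the federated identity.
The two are linked only if the identity provider is trusted, the federated
e-mail is verified and matches the legacy account, and neither side is
already bound elsewhere. Everything else goes to manual reconciliation.
"""
from dataclasses import dataclass
from typing import Optional

# Hypothetical issuer URLs standing in for the brokered identity providers.
TRUSTED_ISSUERS = {"https://globus.example/auth", "https://tacc.example/idp"}


@dataclass
class LegacyAccount:
    username: str
    email: str
    federated_id: Optional[str] = None  # "issuer|sub" once linked


@dataclass
class FederatedIdentity:
    issuer: str
    sub: str             # stable subject identifier issued by the IdP
    email: str
    email_verified: bool


def federated_key(ident: FederatedIdentity) -> str:
    # Bind on (issuer, sub): e-mail addresses change and can be reassigned.
    return f"{ident.issuer}|{ident.sub}"


def link_account(accounts: list[LegacyAccount], legacy_username: str,
                 ident: FederatedIdentity) -> tuple[str, Optional[LegacyAccount]]:
    """Link the legacy account the user is logged into with a federated identity.

    Returns (status, account) where status is one of 'linked',
    'already_linked', 'rejected_untrusted_issuer' or 'manual_reconcile'.
    """
    if ident.issuer not in TRUSTED_ISSUERS:
        return "rejected_untrusted_issuer", None

    key = federated_key(ident)
    legacy = next((a for a in accounts if a.username == legacy_username), None)
    if legacy is None:
        return "manual_reconcile", None

    # Idempotent: re-running the tool on an already linked pair is a no-op.
    if legacy.federated_id == key:
        return "already_linked", legacy

    # Either side bound elsewhere means two people may be claiming one account.
    if legacy.federated_id is not None or any(a.federated_id == key for a in accounts):
        return "manual_reconcile", None

    # An unverified e-mail claim is attacker-controlled input; never let it
    # drive linking, and require it to match the legacy record as a cross-check.
    if not ident.email_verified or ident.email.lower() != legacy.email.lower():
        return "manual_reconcile", None

    legacy.federated_id = key
    return "linked", legacy


def sample_accounts() -> list[LegacyAccount]:
    # Constructed sample data for the demonstration.
    return [
        LegacyAccount("alice", "alice@univ.example"),
        LegacyAccount("bob", "bob@univ.example"),
    ]


if __name__ == "__main__":
    accts = sample_accounts()
    ok = FederatedIdentity("https://globus.example/auth", "sub-1",
                           "Alice@univ.example", True)
    print(link_account(accts, "alice", ok))
    spoof = FederatedIdentity("https://globus.example/auth", "sub-2",
                              "bob@univ.example", False)
    print(link_account(accts, "bob", spoof))
```

The design choice worth noting is that the match on e-mail is only a cross-check; the durable binding is the identity provider’s subject identifier, and proof of control of both sides comes from two live logins rather than from any claim in the token.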
Creating an intuitive login experience took longer than expected, the team discovered, and some trade-offs had to be made. For example, adopting federated identity has meant less reliable information about the system’s users, since more users now log in without creating an allocation; but this cost comes with the greater benefit of easier and more ubiquitous access.
“Overall, the reconfiguration met all our goals – single sign-on, use of federated credentials, support for multiple identity providers and flexible, centralized authorization policies,” Keahey said.
The PEARC conference series is sponsored by the Association for Computing Machinery, the world’s largest educational and scientific computing society. This year’s conference focused on current practice and experience in advanced research computing, including workforce development, training, diversity, applications, and systems and software.