TIER Adopter Profile: University of Illinois at Urbana-Champaign
Trust and Identity in Education and Research (TIER) is a community-driven effort and response to the need for a comprehensive suite of identity services tools and software, as well as consistent campus identity practices. In 2015, 49 colleges and universities made a three-year financial commitment for the TIER start-up. Each month, we will check in with an investor campus and share their interest in and experience with implementing the TIER program in a monthly blog series.
- Successful deployment of TIER-packaged versions of Shibboleth and Grouper with AWS, with additional work needed for standard Docker deployment
- Recommendations for additional specifications and improvements to TIER components
The University of Illinois at Urbana-Champaign’s (UIUC) interest in the TIER program was motivated largely by an acknowledgment that any identity system for a university environment needed to recognize the diversity in affiliations and have the ability to delegate management of many of these affiliations. At the time that UIUC expressed interest in the TIER program, they were in the process of re-architecting their entire system across all three University of Illinois campuses as well as the central university administration.
The identity and access management team at UIUC is currently deploying numerous services to the cloud, focusing primarily on the use of Amazon’s Elastic Beanstalk framework. This framework allows for Dockerized services to run in a highly scalable cloud environment, which in turn makes it easy to deploy the TIER packaged versions of Shibboleth and Grouper. In working with the TIER program, they are hoping for a recommended person registry, schema, and reference architecture to help address their identity system needs, and better align them with their peer institutions for better collaboration.
The TIER program is based on community working groups developing specifications that inform software development efforts and, in turn, are reviewed and tested by campuses. Like all new software development efforts, the TIER components are a work-in-progress and there is room for improvement to ensure that the components can truly serve the higher education and research environment.
The identity and access management team at UIUC would like to see additional specifications added to the TIER components, such as the ability for standard Docker deployment from Dockerhub as well as the ability to deploy a development VM to build the Docker images. They would also like to see improvements in the ease, speed, and convenience of upgradeability of the TIER-packaged software, especially when it’s time-critical such as when a security vulnerability is announced.
A new and recurring challenge that the identity and access management team at UIUC faces is the in-house custom SAML integrations needed for third-party vendors who either are not part of the InCommon Federation, are not following best practices, do not fully understand SAML, or all of the above. They hope future TIER components will have vendor-specific configurations that can be implemented by the vendors prior to working with campuses.
“If a vendor could be enabled in a TIER-packaged IdP by following an easy recipe or even by just checking a box, it would add a lot of value to the TIER packaged IdP as well as make that vendor much easier to integrate with,” said Keith Wessel, identity service manager. “This would involve cooperation between the vendor to follow best practices and InCommon/TIER to develop and distribute configurations.”
The identity and access management team at UIUC plans to fully utilize TIER-packaged Grouper and Shibboleth as soon as the packages are production-ready. In more long term-plans, they hope to utilize the work of the TIER API and Entity Registry working group to deploy a standard person registry and standards-based service provisioning. They are confident that the TIER program will not only ease cloud deployment for their campus, but also has the potential to solve some of their more fundamental problems such as cloud service integration and identity challenges in-house.
This blog post was written with the help of Keith Wessel, identity service manager and Tracy Tolliver, director of application services at the University of Illinois at Urbana-Champaign.