Tuesday, April 1, 2014

Outsourcing Identity Management

Identity Management (IdM) in scientific cyberinfrastructure is a means to an end: provide convenient and secure access to applications, data, instruments, and services so scientists can focus on the science. Implementing a custom IdM solution can be a significant drain on resources for science projects. Outsourcing IdM can help with managing user identities, credentials, groups, and profiles. Three IdM outsourcing options that we see used in US scientific cyberinfrastructure are Globus Nexus, Agave, and Google Apps for Education.

Globus Nexus provides identity, profile, and group management as part of the Globus Platform, which is designed to support data-intensive collaborative research. Multiple research projects have adopted Globus Nexus for identity management, including US ATLAS, OSG, and KBase. Globus Nexus supports federated identities via InCommon/CILogon and Google OpenID, as well as user-managed groups. US ATLAS and OSG use CI Connect to integrate with Globus Nexus. The KBase Authentication developer tutorial demonstrates KBase’s integration with Globus Nexus via an OAuth/REST API.

Agave is a science-as-a-service platform, designed to support science gateways, that was developed by the iPlant Collaborative. Agave provides hosted identity, profile, and group management via an OAuth/REST API. Science gateways can integrate with iPlant identities (hosted in the Agave platform), use Agave as a hosted OpenID Connect interface to their existing identity solutions, or leverage Agave’s identity-as-a-service offering. For example, the Bioextract Server and CIPRES science gateways now accept iPlant identities for login via Agave, the Arabidopsis Informatics Portal and VDJServer leverage Agave’s hosted identity service, and the Texas Advanced Computing Center uses Agave with their Active Directory to provide OAuth protection to their internal and external APIs.

The Google Apps for Education collaboration platform is widely used for smaller scientific collaborations, due to ease of setup and powerful collaboration tools (Docs, Forms, Groups, Chat, Hangouts, etc.) provided out-of-the-box . External applications can integrate with Google identities and Google+ profiles via OpenID Connect. Google Apps also supports SAML SSO for integration with campus identities. Google’s Directory API provides an OAuth/REST interface to Google Groups.

What do you think about science projects outsourcing identity management? Post your comments below.

For more about how CTSC helps NSF projects visit http://trustedci.org/howwehelp.


  1. Hi
    Thanks ! Great post !
    Group and identity management is always required for outsourcing.


  2. With the entire world getting access to the internet, I think this is very important. I hope this goes well. Thanks for sharing this post!