IAM, CoSS and Mozillians.org - June 2017 Update


(Henrik Mitsch) #1

TL;DR

From the IAM Project Vision:

Mozilla’s Identity and Access Management (IAM) project builds a secure, easy to manage, and appropriate authentication and identification service for all of Mozilla and its community, which enables seamless communication & collaboration between staff and volunteers.

In the past few weeks a number of essential building blocks for Mozilla’s future of Identity and Access Management have come together:

  • Mozillians.org, the public Mozilla phonebook, was migrated to cloud infrastructure.
  • The Change Integration Service (CIS) was integrated with Mozillians.org to allow for secure, easy to manage group management.
  • Searching Mozillians.org entries was reengineered to be more privacy aware and accurate.
  • More services have been brought onto the new IAM platform as a result of the ongoing authentication provider migration.

Please read on for more details.

The Details

The achievements described here had been in progress for many months. IAM plans were announced last November and project work eventually kicked off in January.

Because of changes in Mozilla’s data center setup, Mozillians.org had to find a new home for its infrastructure. This was a great opportunity to expand the Participation Systems’ team mandate to include infrastructure and operational responsibilities. Following a successful infrastructure migration the team is now covering the whole product life-cycle from ideation to delivery to operations & maintenance. This results in shorter feedback cycles as well as living by the motto you build it, you run it.

Next, the joint team of Enterprise Information Security and Participation Systems people achieved a major success in the Access Management domain. The DEV system now has an end-to-end working IAM use case: You can add a user to a specific Mozillians.org group which allows this user to access a restricted Discourse category (video). This demonstrates how services can expand or focus access based on level of trust or role. While this still looks very similar to the NDA Group, the new mechanism is automated, more flexible, robust, and sustainable. It is a foundational capability for Mozilla to be open and participatory.

A key component in the new systems stack is the Change Integration Service (CIS), explained in detail here. There is immediate benefit from this use case to Reps, TechSpeakers and Community Support Software (CoSS) programs and we are excited to make it available as we transition to production in early Q3.

Additionally, we also significantly improved the architecture and user experience in Mozillians.org Search. A core design principle of Mozillians.org is to be respectful of attribute-level privacy settings. This was reinforced and technical debt was cleaned up to allow for smooth access management and people discovery in the future. You will now see Mozillians Groups in your search results and you can also search for profiles based on timezone.

Finally, the authentication provider migration for Mozilla’s web applications is continuously advancing (project name “RP Cutover”). Each migration marks an important addition of services to the new IAM platform. This also means that migrated services can choose their authentication method and eventually open access to a broader set of collaborators.

Building on these achievements, a lot of work remains to be done in the second half of the year. There are still a number of unknowns which don’t allow for firm commitment yet. Regardless of this, desires circle around:

  • Finalize application migration. This will set up all of Mozilla’s applications and services to benefit from IAM capabilities.
  • Provide the Community Support Software (CoSS) project with excellent identity & access as well as contributor discovery capabilities. This is a foundational building block to make participation a strategic advantage for Mozilla.
  • Make Staff data available to Mozillians.org. This is an essential step to allow for access management in mixed groups of Staff and Volunteers. It also establishes organization-wide data consistency.
  • Identify & connect Mozilla’s most valuable collaboration applications to the IAM system. Combined with the previous step this empowers seamless communication & collaboration between Staff and Volunteers.
  • Rebrand & visually refresh Mozillians.org & the Application Login (Auth0 Lock). With the expansion of its value proposition from phonebook to access management, we ponder changing the visual identity to something more functional. Additionally we want the identity and access management front-facing systems - comprised by Mozillians.org, the Auth0 Lock and the SSO Dashboard - to convey a consistent, coherent and cohesive experience.

Onwards,
@akilroy, @jbryner and @hmitsch on behalf of the IAM & CoSS Project Teams


(Rubén Martín) #2

Congrats on all the work, super excited about the Access Management on Discourse!