European Grid Initiative AAI in EGI Status and Evolution Peter Solagna Senior Operations Manager


Outline
– Introduction to AAI in a federated environment
– EGI services and solutions for AAI
– Evolution of AAI in EGI
– Summary
EGI AAI Webinar 2

User authentication in a federated environment
– Local environment (e.g. one institution, one cluster)
  – Users have local accounts, often validated in a face-to-face check with the system administrator
  – All the information needed is collected at registration time
– Federated environment (e.g. a distributed infrastructure)
  – Users do not have local accounts on every service, cluster or centre
  – Users hold credentials that are recognised by all the service providers in the federation
  – Identity providers and service providers must agree on: the information released to the SP, the level of assurance of the credentials, and how the IdP is operated

User's identity
A user must be able to authenticate with the same identity on all the distributed services.
– From the user's point of view
  – Uniform authentication enables cross-site workflows
  – Distributed resources are used with one and the same credential
– From the service provider's point of view
  – Uniform authentication improves security operations in a federated environment: the same identity can be traced across sites
  – Easier management of users and of their access to resources

Delegation
For some workflows and use cases delegation is an essential capability, e.g. for applications that need to:
– read data stored by the user that is not publicly accessible, or write results into the user's storage area
– act on behalf of the user from a portal or science gateway, e.g. submitting jobs to compute resources
This is usually implemented through impersonation and delegation:
– Impersonation: the application or service acts as the user, using temporary credentials of the user. Done at the authentication level.
– Delegation: the user enables the service to work on his/her behalf. Done at the authorization level.

Level of assurance
Not all credentials are the same! Examples:
– Very high level of assurance: eID (national electronic identity)
– High level of assurance, with identity verification: X.509 certificates, many institutional IdPs
– Low level of assurance: social media credentials, anyone with an account can get one
The highest LoA is not always required: for some low-risk activities low-assurance credentials are acceptable. The minimum LoA is determined by the requirements of the user community and of the service provider.

Authorization in a federated environment
In a federated environment, authorization of individual users cannot be handled by the service provider alone:
– the service provider does not know the user, nor whether he/she should be allowed to perform a specific action
Authorization rules must therefore use information associated with the user:
– provided by the IdP
– provided by the research collaboration that grants its users access to resources

Distributed collaboration management in EGI: the Virtual Organization
Virtual Organization: a group of researchers with common interests, requirements and applications, who need to work collaboratively and/or share resources.
– Service providers grant users access to services and resources based on VO membership and on additional attributes, such as roles within the VO and sub-groups of users within the VO
– VO membership is managed by the VO Manager(s), who is the main contact with EGI and who knows the users and the groups in the collaboration
  – New users can be added and removed, enabling or disabling their access rights, without direct intervention of the service providers
  – The VO Manager usually does not manage the users' credentials: a VO is not an IdP

Outline (next: EGI services and solutions for AAI)
– Introduction to AAI in a federated environment
– EGI services and solutions for AAI
– Evolution of AAI in EGI
– Summary

EGI user authentication: X.509 certificates
– X.509 certificates are the main authentication technology used in EGI
– Trust network of certification authorities (IGTF/EUGridPMA)
– EGI services are configured to accept certificates issued by the Certification Authorities federated within IGTF
– One IGTF personal certificate → you can authenticate anywhere in EGI

IGTF trust framework (diagram)
– Trust domain: IGTF, formed by the Policy Management Authorities TAGPMA, APGridPMA and EUGridPMA
– Under the PMAs: Certification Authorities (CA, national level) and Registration Authorities (RA, institution level), which register the users

How to obtain a certificate
Do you have credentials from an IdP that belongs to one of the national federations in eduGAIN? Then you can most probably access the Terena Certificate Service (TCS) through your NREN and obtain an X.509 certificate without having to contact a registration authority.

Register in a Virtual Organization (diagram: registering user with personal certificate, VOMS server, VO database, VO Manager)
– The user requests membership of the VO via VOMS, authenticating with the personal certificate
– The VO Manager approves the request via VOMS
– The VO Manager can give specific attributes to users, or place them in specific groups
– The VOMS service of the VO is configured in all the services that support the VO

Authentication and Authorization workflow (diagram; labels: Virtual Organization, TRUST)

The key is: trust & collaboration
Authentication and authorization workflows scale with the number of service providers and users:
– The user's identity is verified by the IGTF Certification Authorities, which issue the X.509 certificates
– The certificate enables uniform authentication of the user across resource centres
User communities have the tools to manage the membership and the structure of their users:
– They contribute to the trust chain and complement the information provided by the Identity Providers
– Authorization is based on Virtual Organization membership and attributes, not on the individual user identity
– The user's capabilities, based on groups and roles within the VO, translate into uniform access rights across all the sites that support the VO
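The authorization model of slides 8, 13 and 15 (access and the local account follow from VO membership and VOMS group/role attributes; the service provider keeps no per-user rules) as an added Go example. This is not code from the presentation nor from EGI middleware: it assumes a simplified groupmapfile-style rule syntax (an exact FQAN, or "/vo/group/*" for a group, its subgroups and any role, first match wins) and a site ban list keyed by certificate DN; the FQANs, rules and DNs are constructed for the example. It also shows two things the slides only imply: the FQAN order VOMS puts in the proxy decides the mapping, and a malformed attribute fails closed instead of being skipped.

```go
package main

import (
	"errors"
	"fmt"
	"strings"
)

// FQAN is a parsed VOMS fully qualified attribute name such as
// "/biomed/analysis/Role=production/Capability=NULL".
type FQAN struct {
	VO    string // first path element
	Group string // full group path, e.g. "/biomed/analysis"
	Role  string // "" when the FQAN carries no role (VOMS writes Role=NULL)
}

// ParseFQAN accepts "/vo[/subgroup...][/Role=r][/Capability=c]" and rejects anything else,
// so a malformed attribute can never be mapped by accident.
func ParseFQAN(s string) (FQAN, error) {
	if !strings.HasPrefix(s, "/") {
		return FQAN{}, fmt.Errorf("FQAN %q must start with '/'", s)
	}
	var f FQAN
	var groups []string
	seenAttr := false
	for _, part := range strings.Split(s[1:], "/") {
		switch {
		case part == "":
			return FQAN{}, fmt.Errorf("FQAN %q has an empty path element", s)
		case strings.HasPrefix(part, "Role="):
			seenAttr = true
			if v := strings.TrimPrefix(part, "Role="); v != "NULL" {
				f.Role = v
			}
		case strings.HasPrefix(part, "Capability="):
			seenAttr = true // always NULL in practice; nothing to keep
		case strings.Contains(part, "=") || seenAttr:
			return FQAN{}, fmt.Errorf("FQAN %q: unexpected element %q", s, part)
		default:
			groups = append(groups, part)
		}
	}
	if len(groups) == 0 {
		return FQAN{}, fmt.Errorf("FQAN %q has no VO", s)
	}
	f.VO, f.Group = groups[0], "/"+strings.Join(groups, "/")
	return f, nil
}

// Rule maps an FQAN pattern to a local account. Assumed, simplified groupmapfile-style syntax:
// an exact FQAN ("/biomed/Role=production") or "/biomed/*" for the group, its subgroups, any role.
type Rule struct{ Pattern, Account string }

func (r Rule) matches(f FQAN) bool {
	if strings.HasSuffix(r.Pattern, "/*") {
		prefix := strings.TrimSuffix(r.Pattern, "/*")
		return f.Group == prefix || strings.HasPrefix(f.Group, prefix+"/")
	}
	p, err := ParseFQAN(r.Pattern)
	return err == nil && p.Group == f.Group && p.Role == f.Role
}

// Authorize is the site-side decision: the DN is consulted only for the ban list; access and the
// account mapping follow from the VO attributes, first matching rule wins. fqans must be in the
// order VOMS put them in the proxy (primary FQAN first), since that order decides the mapping.
func Authorize(subjectDN string, fqans []string, rules []Rule, banned map[string]bool) (string, error) {
	if banned[subjectDN] {
		return "", fmt.Errorf("%s is banned at this site", subjectDN)
	}
	for _, s := range fqans {
		f, err := ParseFQAN(s)
		if err != nil {
			return "", err // a broken attribute fails closed rather than being skipped
		}
		for _, r := range rules {
			if r.matches(f) {
				return r.Account, nil
			}
		}
	}
	return "", errors.New("no VO attribute grants access to this service")
}

// Constructed site policy and ban list for the demo; not real EGI data.
var siteRules = []Rule{
	{"/biomed/Role=production", "biomedprd"},
	{"/biomed/*", "biomed"},
}
var siteBans = map[string]bool{"/C=IT/O=EGI/CN=Mallory": true}

func main() {
	cases := []struct {
		dn    string
		fqans []string
	}{
		{"/C=IT/O=EGI/CN=Jane Doe", []string{"/biomed/analysis/Role=NULL/Capability=NULL"}},
		{"/C=IT/O=EGI/CN=Jane Doe", []string{"/biomed/Role=production/Capability=NULL", "/biomed/Role=NULL/Capability=NULL"}},
		{"/C=IT/O=EGI/CN=Mallory", []string{"/biomed/Role=NULL/Capability=NULL"}},
		{"/C=IT/O=EGI/CN=Bob", []string{"/atlas/Role=NULL/Capability=NULL"}},
	}
	for _, c := range cases {
		acct, err := Authorize(c.dn, c.fqans, siteRules, siteBans)
		fmt.Printf("%-26s %v -> account=%q err=%v\n", c.dn, c.fqans, acct, err)
	}
}
```

Jane is mapped to biomed or biomedprd depending only on which FQAN VOMS put first; Mallory is refused although her VO attributes would match, which is the per-identity block the VO cannot do on the site's behalf; Bob's VO is simply unknown here. Note what is absent: no rule names a user, so the VO Manager can add or remove members without the site changing anything.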

X.509 proxy certificate
– The X.509 proxy certificate is a short-term credential derived from, and signed with, the user's personal certificate
– In EGI proxy certificates are used for all non-interactive services and for delegation
– A computational task is "shipped" with the user's proxy and can store output data on behalf of the user
– A proxy is self-contained and carries all the information needed to authenticate and authorize the user at the service: the user identity (certificate information) and the user's VO membership information, signed by the VOMS server that manages the VO
(diagram: X.509 proxy with its DN, User Certificate info, VO Information)

Robot certificates and science gateways
Portals and science gateways can hide the complexity of X.509 from the users:
– Users are authenticated and authorized in the portal; the portal/science gateway is responsible for this
– Users may or may not have an X.509 certificate
– The portal/science gateway has a robot X.509 certificate
  – A robot certificate can be stored on a machine and used programmatically to generate proxies
  – It performs tasks on the grid on behalf of the users
Issues:
– Authentication and logging responsibilities move to the portal
– Users become invisible to the infrastructure (traceability)
– Suitable only for certain types of application
– Security limitations

Outline (next: Evolution of AAI in EGI)
– Introduction to AAI in a federated environment
– EGI services and solutions for AAI
– Evolution of AAI in EGI
– Summary

Improving the use of robot certificates
In a science gateway every user impersonates the owner of the robot certificate:
– Security limitations
– Inaccurate accounting
EGI is testing per-user sub-proxies:
– X.509 proxies generated with the robot certificate
– Carrying an additional extension with the user ID
(diagram: X.509 proxy; DN and Robot Certificate info, the same for every user of the gateway; VO Information; User UID, an additional extension added by the science gateway)

Advantages of the sub-proxy
– User tracking
  – Services see "different" credentials for individual users
  – One user can be blocked without blocking all the users of the same robot certificate
– Security
  – Individual users can be isolated, e.g. preventing them from accessing other users' workspaces
– Accounting
  – Usage is accounted per individual user
  – The actual number of real users accessing the infrastructure can be reported
The per-user sub-proxy is being tested within the Long Tail of Science platform under development.
Other alternatives: an online CA
– An alternative (more elegant?) solution to the same problem
– Not as commonly available as robot certificates; robot certificates are at the moment the quickest solution

Extending the X.509 mechanism
For some users approaching EGI the X.509 mechanism is a barrier:
– They do not have easy access to a Certification Authority
– They would prefer to keep using their institutional credentials
– VOs and Resource Providers implement portals to ease access to the resources
The most effective solution is to bridge other identity federations (eduGAIN, institutional IdPs) with the EGI AAI:
– Technical bridge: credential translation, support in the middleware for other authentication protocols
– Policy bridge: build trust between SPs and IdPs, enable different levels of trust

Flexible authentication
By extending the current authentication mechanisms we also give users the flexibility they need:
– Use lower-assurance credentials for low-risk activities
– Integrate the IdPs currently used by the communities with the EGI services

Enabling federated authorization
– Provide tools for the users to manage their own communities
  – Distributed Attribute Authorities connected with the users' IdPs
  – Usable also within application-specific environments for user authorization
– Maintain uniform authorization across multiple service providers
  – Based on the attributes provided by the user communities
– Apply the collaborative trust approach of EGI to the new authentication technologies

eduGAIN and EGI
eduGAIN is the pan-European federation of national IdP federations:
– It includes most of the IdPs used by researchers in Europe
Limitations:
– Not all IdPs are part of the eduGAIN federations
– For many use cases a direct IdP-to-SP agreement (paperwork) is required
– Some IdP
The EU-funded AARC project aims, among other things, to overcome part of these limitations.

How EGI can support communities in the AAI integration
Possible scenario: a user community wants to use an institutional IdP to access EGI services (diagram: IdP)

How EGI can support communities in the AAI integration (continued)
Possible scenario: a user community wants to use an institutional IdP to access EGI services (diagram: IdP, EGI Federation Service Proxy, Attribute Authority)

AARC (Authentication and Authorisation for Research and Collaboration)
– Support the collaboration model across institutional and sector borders
– Guarantee user privacy and security
– Build on the existing and evolving components: EGI, ESFRI clusters, eduGAIN, national AAI federations, NGIs, IGTF, SCI, SirTFi, …
– Design, test and pilot any missing components
– Integrate them with existing workflows
Expected starting date: May 1st

AARC – Work Packages
– NA1 (GEANT Association): overall management
– NA2 (GEANT Association): training, dissemination and outreach
– NA3 (Nikhef): define scalable policies and operational models for the integrated AAI
– JRA1 (GRNET): research on technologies to deliver the design of the integrated AAI
– SA1 (SURFnet): pilot key components of the integrated AAI
– Liaison with other relevant user communities, e-Infrastructures and relevant international AAI activities
Role of EGI.eu:
– Coordinate pilots involving EGI resources; test attribute authority solutions for community management
– Gather and bring in the requirements of the EGI Resource Providers and of the EGI user communities

Outline (next: Summary)
– Introduction to AAI in a federated environment
– EGI services and solutions for AAI
– Evolution of AAI in EGI
– Summary

Current EGI services for AAI
– EUGridPMA: network of Certification Authorities operated by the NGIs; all EGI services are configured to accept EUGridPMA certificates
– VOMS services to manage VO membership and attributes
– Science gateways to use other types of authentication (username/password) and robot certificates to access EGI services

Possible future EGI services for AAI
Based on the requirements and use cases:
– Integration with federations and individual IdPs
– A service proxy to easily integrate new IdPs
– An attribute authority network to manage user membership and regulate authorization
– Credential translation services to integrate the authentication technologies used by the user communities with the existing services

Better support for collaborations
The current trust architecture has proven to scale and to work:
– It empowers the user communities to regulate access to the resources for their users
– It builds trust between user communities, service providers and identity providers
Extend this approach by integrating other authentication technologies in EGI:
– Provide tools to manage attributes using non-X.509 credentials
– Link the attribute authorities with eduGAIN and other IdPs
– Where necessary, bridge diverse authentication technologies with credential translation services
Bring the requirements of the CCs and, in general, of the user communities to the European level, and ensure interoperability with other e-infrastructures through the AARC project

Thanks for your attention. Questions?