Networks ∙ Services ∙ People (www.geant.org)
Mandeep Saini, TNC15, Porto, Portugal
Virtual organisation Authorisation Management Practices in Research and Education (VAMPIRE)

Presentation transcript:

Slide 1: Virtual organisation Authorisation Management Practices in Research and Education (VAMPIRE)
Mandeep Saini, TNC15, Porto, Portugal, 16th June 2015
Task Leader, GN4-1 SA5 T6 – AAI in GÉANT
Senior Software Engineer, GÉANT
Task Leader, GN4-1 SA7 T3 – Service Delivery and Adoption

Slide 2: Introduction
- GN4 is a 7-year project under Horizon 2020 and requires a robust and efficient solution for all aspects of identity management.
- GÉANT Community = Virtual Organisation (VO)
- VO Authentication: the eduGAIN service successfully addresses authentication in a heterogeneous environment.
- VO Authorisation: multiple services, each with a local database to store groups and authorisation attributes.

Slide 3: GN3Plus Intranet (sequence diagram: user, GN3Plus Intranet, Identity Provider, GÉANT Active Directory)
1. User accesses a protected page on the GN3Plus Intranet.
2. User is not authenticated and is redirected to the IdP, which authenticates the user.
3. IdP returns a SAML assertion via the browser; the Intranet retrieves the unique handle.
4. Intranet fetches group membership from GÉANT Active Directory.
5. Content is displayed.

Slide 4: Problem Statement
Distributed authorisation leads to:
- duplication of data
- duplication of effort
- increased risk of stale data
- a complex centralised user provisioning and de-provisioning process
- audit ineffectiveness

Slide 5: Proposed Solution
Central Authorisation Management System (CAMS):
- centralises authorisation data
- decentralises the management of authorisation data
- defines workflows for effective data and people management
- makes use of the following tools: Grouper, COmanage

Slide 6: High Level Architecture (diagram)
Components: IdP 1, IdP 2 … IdP n; Discovery Service; SP Proxy; Attribute Authority (Grouper, LDAP, COmanage); GÉANT Service 1, 2, 3 … n.

Slide 7: Workflows
- Bootstrapping using delegation model
- Adding/removing a project participant
- Change of affiliation
- Change of group membership
- Project participant who is not registered in the central system accesses a service for the first time
- Revalidating project participants
- Managing exceptions
- Auditing

Slide 8: Workflows (Part 1): Bootstrapping using delegation model
GÉANT project start-up: registration of all project participants with the appropriate groups and authorisation data.
A defined, automated process using a delegation model, to reduce IT overhead. It includes features such as:
- invitations
- enabling participants' self-registration
- a delegation model that fits the distributed management environment: IT invites Activity Leaders, Activity Leaders invite Task Leaders, Task Leaders invite Team Members
The workflow is useful not only at the start of the project but also every time a new service or organisation is added to the central authorisation system.

Slide 9: User Provisioning Sequence Diagram (user, GÉANT CAMS, SP Proxy, Discovery Service, Identity Provider)
1. User receives an invitation.
2. User clicks on the invitation URL.
3. User is redirected to the Discovery Service.
4. User selects an IdP and is redirected to the selected IdP via the browser.
5. IdP authenticates the user.
6. IdP returns a SAML assertion via the browser.
7. SP Proxy generates a unique internal id, if one does not already exist for the user.
8. User attributes are returned to CAMS, in the form of a SAML assertion, via the browser.
9. CAMS provisions the user: maps Grouper memberships to the EPPN, the SP Proxy-generated unique user id and the COmanage-generated unique user id.

Slide 10: Workflows (Part 2)
Adding/removing a project participant: defines project participants' provisioning and de-provisioning using the delegation model; preserves history when a project participant is de-provisioned.
Change of group membership: the need arises when a user has to be added to or removed from a specific group, or when the user's role within the project or home organisation has changed.
Change of affiliation: migrate the project participant's profile to a new ID, affiliated to a new organisation.

Slide 11: Workflows (Part 3): Project participant accesses a service for the first time
The user does not yet exist in CAMS. The workflow focuses on creating a positive user experience through an automated self-registration process:
- the project participant is presented with a web page with pre-populated fields: Principal Name, First Name, Last Name, Address, Affiliation, Scoped Affiliation
- the user specifies why they need access
- the request is sent to the group owner
- the group owner verifies and validates the information provided
- the user is assigned to the appropriate groups

Slide 12: Workflows (Part 4)
Revalidating project participants: to ensure that project participant accounts are still active, defines automated and periodic revalidation.
Managing exceptions: handles scenarios that deviate from "standard" practice, e.g. a project participant might not hold the role of Task Leader (TL) but still require all the same access as TLs. Defines the workflow while taking care that the correct information is still provided, e.g. a list of TLs should not return the "like TL" project participants.
Auditing: defines verification of all processes carried out at the central authorisation system, to ensure their effectiveness and correctness at regular intervals.
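The delegation chain of slide 8, the "like TL" exception and the periodic revalidation of slide 12 share one invariant: access is decided by what a member effectively holds, while the right to invite and the membership listings are decided differently. The following Python is an added example, not GÉANT's nor the Grouper or COmanage projects' code, modelling those workflows in one in-memory registry; the role identifiers, EPPNs, dates and the 180-day revalidation period are assumptions made for the example.

```python
"""Delegation, exception and revalidation workflows from the CAMS slides.

Added example, not GEANT's own code: an in-memory registry that enforces
the delegation chain on the slides (IT invites Activity Leaders, who invite
Task Leaders, who invite Team Members), grants "like TL" members TL access
without listing them as TLs, and runs the periodic revalidation that
deactivates accounts nobody confirmed. All names and dates are constructed.
"""
from dataclasses import dataclass, field
from datetime import date, timedelta

# Which role each role may invite into: the chain is the slides', the
# role identifiers are assumed.
ROLE_INVITES = {
    "it": "activity_leader",
    "activity_leader": "task_leader",
    "task_leader": "team_member",
}
# Assumed period; the slides only say revalidation is periodic.
REVALIDATION_PERIOD = timedelta(days=180)


@dataclass
class Member:
    eppn: str
    roles: set = field(default_factory=set)            # roles held outright
    exception_roles: set = field(default_factory=set)  # "like TL" style access
    last_validated: date = date.min
    active: bool = True

    def effective_roles(self):
        return self.roles | self.exception_roles


class Registry:
    def __init__(self, today):
        self.today = today
        self.members = {}

    def bootstrap_it(self, eppn):
        """Project start-up: IT is the root of the delegation chain."""
        self.members[eppn] = Member(eppn, {"it"}, last_validated=self.today)

    def invite(self, inviter_eppn, invitee_eppn, role):
        """An inviter may only grant the role that its own role delegates."""
        inviter = self.members.get(inviter_eppn)
        if inviter is None or not inviter.active:
            raise PermissionError(f"{inviter_eppn} is not an active member")
        delegable = {ROLE_INVITES[r] for r in inviter.effective_roles() if r in ROLE_INVITES}
        if role not in delegable:
            raise PermissionError(f"{inviter_eppn} may not delegate role {role!r}")
        member = self.members.setdefault(invitee_eppn, Member(invitee_eppn))
        member.roles.add(role)
        member.active = True
        member.last_validated = self.today
        return member

    def grant_like(self, eppn, role):
        """Managing exceptions: same access as the role, without holding it."""
        self.members[eppn].exception_roles.add(role)

    def has_access(self, eppn, role):
        member = self.members.get(eppn)
        return member is not None and member.active and role in member.effective_roles()

    def list_role(self, role):
        """Listing holders must not return the "like" members (slide 12)."""
        return sorted(m.eppn for m in self.members.values() if m.active and role in m.roles)

    def revalidate(self, confirmed):
        """Confirmed accounts are refreshed; stale ones are deactivated but
        kept, so their history is preserved (slide 10)."""
        deactivated = []
        for member in self.members.values():
            if member.eppn in confirmed:
                member.last_validated = self.today
            elif member.active and self.today - member.last_validated > REVALIDATION_PERIOD:
                member.active = False
                deactivated.append(member.eppn)
        return sorted(deactivated)


def demo():
    """Run the workflows once on constructed data and return the outcomes."""
    r = Registry(today=date(2015, 6, 16))
    r.bootstrap_it("it@example.org")
    r.invite("it@example.org", "al@example.org", "activity_leader")
    r.invite("al@example.org", "tl@example.org", "task_leader")
    r.invite("tl@example.org", "dev@example.org", "team_member")
    try:  # a TL may not appoint another TL
        r.invite("tl@example.org", "x@example.org", "task_leader")
        rejected = False
    except PermissionError:
        rejected = True
    r.grant_like("dev@example.org", "task_leader")                # the exception case
    r.invite("dev@example.org", "new@example.org", "team_member")  # like-TL may invite
    like_tl_access = r.has_access("dev@example.org", "task_leader")
    tl_holders = r.list_role("task_leader")
    r.members["dev@example.org"].last_validated = date(2014, 1, 1)  # simulate a stale account
    deactivated = r.revalidate(confirmed={"tl@example.org"})
    return {"rejected_invite": rejected, "like_tl_access": like_tl_access,
            "tl_holders": tl_holders, "deactivated": deactivated,
            "like_tl_access_after": r.has_access("dev@example.org", "task_leader"),
            "team_members_after": r.list_role("team_member")}


if __name__ == "__main__":
    print(demo())
```

Note that `list_role` reads `roles` only while `has_access` and `invite` read `effective_roles()`, which is exactly the split slide 12 asks for: the "like TL" participant gets TL access and may invite team members, yet a listing of TLs does not contain them. Deactivated members keep their roles but fail every access check until they are re-invited.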

Slide 13: Detailed Architecture (diagram)
- Web browser and SP Proxy / Service Provider reach the Attribute Authority through a load balancer, using SAML, VOOT and LDAP.
- Virtual machine: Apache HTTP Server in front of Tomcat running COmanage, Grouper WS, Grouper UI and Grouper PSP.
- Attribute Authority nodes (two shown): Apache HTTP Server in front of Tomcat running Grouper WS.
- Data tier: MySQL master with MySQL replicas; LDAP master with LDAP replicas.

Slide 14: User Login Sequence Diagram (browser, Tools Portal, SP Proxy, DS, IdP, AA)
1. User accesses a protected page on the Tools Portal.
2. User is not authenticated and is redirected to the DS.
3. User selects an IdP and is redirected to the selected IdP via the browser; the IdP authenticates the user.
4. IdP returns a SAML assertion via the browser; the SP Proxy locates the user's unique internal id.
alt [user found], attribute resolving:
5. SP Proxy requests attributes from the AA.
6. AA returns attributes.
7. Authentication success response + attributes to the Tools Portal.
9. Tools Portal displays content.
[else]:
8. Authentication success response; user's self-registration.
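As an added example, not GÉANT's SP Proxy code, the following Python replays at the proxy the provisioning diagram of slide 9, the first-time access workflow of slide 11, the change of affiliation of slide 10 and the login diagram above. The SAML assertion is reduced to a dict of attributes, the attribute authority to an in-memory membership table keyed by the internal id, and COmanage to an id supplied by the caller; the attribute names, group names, EPPNs and the reading of the slide's "Address" field as `mail` are assumptions.

```python
"""User provisioning and login at the SP Proxy, after the CAMS sequence diagrams.

Added example, not GEANT's or the SP Proxy's code. Memberships are attached
to the proxy-generated internal id, never to the EPPN, which is what lets a
change of affiliation (new EPPN) keep the user's authorisation data.
All identifiers and group names are constructed for the example.
"""
import uuid

# Fields the self-registration page pre-populates (slide 11); the attribute
# names are assumed, "mail" stands in for the slide's "Address".
PREFILL_ATTRIBUTES = ("eduPersonPrincipalName", "givenName", "sn", "mail",
                      "eduPersonAffiliation", "eduPersonScopedAffiliation")


class AttributeAuthority:
    """Stand-in for Grouper/LDAP: group memberships keyed by internal id."""

    def __init__(self):
        self.memberships = {}

    def add_membership(self, internal_id, group):
        self.memberships.setdefault(internal_id, set()).add(group)

    def resolve(self, internal_id):
        return {"isMemberOf": sorted(self.memberships.get(internal_id, ()))}


class SPProxy:
    def __init__(self, attribute_authority):
        self.aa = attribute_authority
        self.by_eppn = {}    # EPPN -> internal id
        self.profiles = {}   # internal id -> linked identifiers
        self.pending = []    # self-registration requests awaiting a group owner

    def provision(self, assertion, comanage_id):
        """Slide 9, steps 7 and 9: generate an internal id only if the user
        has none, then link EPPN, proxy id and COmanage id."""
        eppn = assertion["eduPersonPrincipalName"]
        internal_id = self.by_eppn.get(eppn)
        if internal_id is None:
            internal_id = str(uuid.uuid4())
            self.by_eppn[eppn] = internal_id
        self.profiles[internal_id] = {"eppn": eppn, "comanage_id": comanage_id}
        return internal_id

    def login(self, assertion):
        """Slide 14 from step 4: locate the internal id; if found, resolve
        attributes from the AA, otherwise route to self-registration."""
        internal_id = self.by_eppn.get(assertion["eduPersonPrincipalName"])
        if internal_id is None:
            prefill = {k: assertion[k] for k in PREFILL_ATTRIBUTES if k in assertion}
            return {"status": "self_registration", "prefill": prefill}
        return {"status": "authenticated", "internal_id": internal_id,
                "attributes": self.aa.resolve(internal_id)}

    def request_access(self, assertion, reason):
        """Slide 11: the unknown user states why access is needed; the
        request is queued for the group owner."""
        request = {"assertion": assertion, "reason": reason, "state": "pending"}
        self.pending.append(request)
        return request

    def approve(self, request, comanage_id, groups):
        """Group owner has verified the request: provision the user and
        assign the appropriate groups."""
        request["state"] = "approved"
        internal_id = self.provision(request["assertion"], comanage_id)
        for group in groups:
            self.aa.add_membership(internal_id, group)
        return internal_id

    def change_affiliation(self, old_eppn, new_eppn):
        """Slide 10: migrate the profile to the new organisation's EPPN; the
        memberships stay with the internal id."""
        internal_id = self.by_eppn.pop(old_eppn)
        self.by_eppn[new_eppn] = internal_id
        self.profiles[internal_id]["eppn"] = new_eppn
        return internal_id


if __name__ == "__main__":
    proxy = SPProxy(AttributeAuthority())
    alice = {"eduPersonPrincipalName": "alice@example.org", "givenName": "Alice", "sn": "Example"}
    print(proxy.login(alice))                         # unknown: self-registration
    req = proxy.request_access(alice, "joining SA5 T6")
    proxy.approve(req, "co-0001", ["geant:gn4-1:sa5:t6"])
    print(proxy.login(alice))                         # authenticated, with isMemberOf
```

The design point is that nothing in the authorisation data references the EPPN once provisioning is done: `login` only translates EPPN to internal id, and every membership lookup and the affiliation change operate on that id.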

Slide 15: Current Status
- GÉANT CAMS rolled out in production in April.
- Used the bootstrapping workflow to register GN4 Phase 1 project participants.
- GN4 Intranet (SharePoint 2013) uses CAMS for authorisation and does not use any local database for AA.
- SP 2013 Grouper Claim Provider: uses the VOOT connector; queries Grouper to add search capabilities to the people picker.
- ADFS LDAP Attribute Store: provides the user's authorisation data at login time. A Grouper Attribute Store implementation is in progress.

Slide 16: Challenges and Lessons Learnt
- No single product covers all use cases out of the box.
- All VOs are unique, with different requirements.
- Product usability needs improvement.
- User training is important.
- Define the group and OU structure in advance.
- Decentralisation requires user buy-in.

Slide 17: Next Steps
- GÉANT SP Proxy's integration with CAMS: GÉANT Wiki, GÉANT Tools Portal, GÉANT JIRA, other GÉANT services.
- Automation of the remaining workflows: project participant who is not registered in CAMS accesses a service for the first time; revalidating project participants; managing exceptions; auditing.
- Complete the Grouper Attribute Store implementation.
- Feedback given to COmanage and Grouper developers: bugs and feature requests.

Slide 18: Thank you
This work is part of a project that has applied for funding from the European Union's Horizon 2020 research and innovation programme under Grant Agreement No (GN4-1).