David Groep, Nikhef Amsterdam PDP programme: Authentication and Authorization for Research and Collaboration

Authentication and Authorization for Research and Collaboration
David Groep, Nikhef, with materials gratefully provided by Licia Florio (GÉANT), Paul van Dijk (SURFnet), and other AARC collaborators

Our status today?
◦ Non-web SSO: ✗
◦ Attribute management for AuthZ: ✗
◦ “Guest” access: ✗ / ✔
◦ Int’l AuthN: ✗ / ✔
◦ Nat’l AuthN: ✔
graphic: Paul van Dijk, SURFnet

AARC? Authentication and Authorisation for Research and Collaboration
◦ Support the collaboration model across institutional and sector borders
◦ Advance mechanisms that will improve the experience for users
◦ Guarantee their privacy and security
◦ Build on the very many existing and evolving components: ESFRI clusters, eduGAIN, national AAI federations, NGIs, IGTF, SCI, Sirtfi, …
◦ Design, test and pilot any missing components
◦ Integrate them with existing working flows

AARC – Authentication and Authorisation for Research and Collaboration
◦ Two-year project
◦ 19 funded plus 2 unfunded partners
◦ Coordinated by the Amsterdam Office
◦ NRENs, e-Infrastructure providers and Libraries as equal partners
◦ About 3M euro budget
◦ Starting date 1 May 2015

AARC – Goals
TECHNICAL and POLICY work
◦ To develop an integrated AAI built on production services (i.e. eduGAIN)
◦ To define an incident response framework to work in a federated context
◦ To agree on a LoA baseline for the R&E community
◦ To pilot new components and best practices guidelines in existing production services
OUTREACH and TRAINING
◦ To lower entry barriers for organisations to join national federations
◦ To improve penetration of federated access

AARC Strengths and Challenges
AARC strengths:
◦ Consortium with NRENs, Libraries, e-Researchers and campuses
◦ Good opportunity to work together as a team
◦ Consensus among different groups to work together
AARC challenges:
◦ Address technical challenges to satisfy most of the communities
◦ Scale the training to EU dimension
◦ Deliver best practices in an ‘implementable’ way
◦ Scope the pilots to address use-cases and test results from other WPs in AARC

AARC – Work Packages
◦ JRA1 (GRNET): to research on technologies to deliver the design of the integrated AAI
◦ NA3 (Nikhef): to define scalable policies and operational models for the integrated AAI
◦ SA1 (SURFnet): to pilot key components of the integrated AAI
◦ NA2 (GÉANT Ass.): to train, disseminate and reach out
◦ NA1 (GÉANT Ass.): overall management
Liaison with other relevant user communities, e-Infrastructures and internationally relevant AAI activities

IdPs – extend coverage
National IdPs
◦ All SAML, national policies and formats
◦ Any issues? Perhaps promote an opt-out approach
eduGAIN IdPs
◦ All SAML, but differences in attribute management: need policies and formats
“External” access
◦ Lower barriers for non-academia (“externals”)
◦ Use of Gov e-ID, social IDs, linking accounts
◦ Support scalable LoA for “externals” accounts
◦ Deal with “library walk-in users”
graphic: Paul van Dijk, SURFnet

Training Activities (GRNET, Christos Kanellopoulos; GÉANT, Alessandra Scicchitano)
Training for IdPs
◦ Directly focusing on research use cases, engaging their local researchers and their requirements
◦ Encourage them to harmonise through best practices
◦ Expand coverage of national identity federations, supporting institutions with low levels of technical or organisational preparedness
Architectures for integrated/interoperable AAI
◦ Technical elements needed for the integrated AAI: attribute frameworks and deployable web & non-web technologies
◦ Support for guest IdPs
◦ Risk-based models for AAI solutions

Building end-to-end prototypes
Example: PoC with EGI, GRNET, CESNET, INFN, SURFnet, ...
◦ University (home IdP): Dirk Stap, staff member, ID#: UVK; authenticates the user and adds institutional attributes
◦ Attribute provider: verifies authenticity, adds attributes, provides workflows
   ▪ Collab Organisation attributes: CO-admin, CO-researcher
   ▪ Self-asserted attributes: +31(6), Skype: DirkStap, LinkedIn: DirkHStap
◦ Aggregate attributes: additional attributes at logon, additional attributes by query
◦ Forward with ARP (attribute release policy) to the SP
graphic: Paul van Dijk, SURFnet
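As an added illustration of the aggregation step in this prototype (example code written for this page, not the PoC's own software), the Python below models a proxy that receives institutional attributes at logon, queries a collaboration-organisation attribute provider, merges in self-asserted profile data, and then applies a per-SP attribute release policy (ARP) before forwarding. All identities, attribute values, the SP entityID, the assurance labels and the provider functions are constructed assumptions standing in for the SAML and LDAP calls a real proxy would make.

```python
from dataclasses import dataclass
from typing import Dict, List

# All identities, attribute values and the SP entityID below are constructed for
# this example; the provider functions stand in for SAML/LDAP calls a real proxy makes.

@dataclass(frozen=True)
class Attr:
    name: str
    value: str
    source: str      # "idp" (home institution), "co" (collaboration organisation) or "self"
    assurance: str   # "verified" or "self-asserted"

ASSURANCE_RANK = {"self-asserted": 0, "verified": 1}

# Per-SP attribute release policy (ARP): attribute -> minimum assurance the SP accepts.
# Hypothetical entityID; an SP absent from the table receives nothing.
ARP = {
    "https://collab.example.org/sp": {
        "eduPersonPrincipalName": "verified",
        "eduPersonAffiliation": "verified",
        "coRole": "verified",
        "skype": "self-asserted",
    },
}

def idp_attributes_at_logon() -> List[Attr]:
    """Attributes released by the home IdP in the logon assertion (constructed)."""
    return [
        Attr("displayName", "Dirk Stap", "idp", "verified"),
        Attr("eduPersonAffiliation", "staff", "idp", "verified"),
        Attr("eduPersonPrincipalName", "dstap@example.edu", "idp", "verified"),
    ]

def co_attributes_by_query(eppn: str) -> List[Attr]:
    """Roles the collaboration organisation's attribute provider returns on query (constructed)."""
    registry = {"dstap@example.edu": ["CO-researcher", "CO-admin"]}
    return [Attr("coRole", role, "co", "verified") for role in registry.get(eppn, [])]

def self_asserted_attributes(eppn: str) -> List[Attr]:
    """Profile fields the user typed into the attribute provider's workflow (constructed)."""
    profile = {"dstap@example.edu": {"skype": "DirkStap", "linkedin": "DirkHStap", "displayName": "D. Stap"}}
    return [Attr(k, v, "self", "self-asserted") for k, v in profile.get(eppn, {}).items()]

def aggregate(*sources: List[Attr]) -> Dict[str, List[Attr]]:
    """Merge attributes from several providers.
    Values of equal assurance accumulate (multi-valued attributes); a higher-assurance
    value replaces lower ones, and a lower-assurance value never overrides a higher one,
    so a self-typed displayName cannot replace the institution's."""
    merged: Dict[str, List[Attr]] = {}
    for attrs in sources:
        for a in attrs:
            current = merged.get(a.name, [])
            if current:
                have = max(ASSURANCE_RANK[c.assurance] for c in current)
                got = ASSURANCE_RANK[a.assurance]
                if got < have:
                    continue
                if got > have:
                    current = []
            merged[a.name] = current + [a]
    return merged

def release(merged: Dict[str, List[Attr]], sp_entity_id: str) -> Dict[str, List[str]]:
    """Apply the SP's ARP: only listed attributes, and only values meeting the minimum assurance."""
    policy = ARP.get(sp_entity_id)
    if policy is None:
        return {}
    out: Dict[str, List[str]] = {}
    for name, min_assurance in policy.items():
        values = [a.value for a in merged.get(name, [])
                  if ASSURANCE_RANK[a.assurance] >= ASSURANCE_RANK[min_assurance]]
        if values:
            out[name] = values
    return out

def logon_flow(sp_entity_id: str) -> Dict[str, List[str]]:
    """One end-to-end logon: IdP attributes, CO query, self-asserted merge, ARP, forward to SP."""
    idp_attrs = idp_attributes_at_logon()
    eppn = next(a.value for a in idp_attrs if a.name == "eduPersonPrincipalName")
    merged = aggregate(idp_attrs, co_attributes_by_query(eppn), self_asserted_attributes(eppn))
    return release(merged, sp_entity_id)

if __name__ == "__main__":
    print(logon_flow("https://collab.example.org/sp"))
```

Two choices carry the "mixed quality attributes" question from the policy slides: every value keeps its source and assurance through aggregation, so the ARP can admit a self-asserted Skype handle while insisting on institutionally verified affiliation, and an SP the proxy has no release policy for receives nothing rather than everything.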

There are lots of components out there!
Attribute & community management
◦ VOMS & VOMS-SAML
◦ PERUN
◦ REMS
◦ HEXAA
◦ Conext
◦ LDAP queries
◦ COmanage
Non-web authentication
◦ GSI over GSSAPI
◦ X-realm KRB
◦ Moonshot* (*lacks AuthZ system support)
◦ OpenID Connect
◦ CILogon & client PKI
◦ Unity-IdM
◦ FACIUS
◦ SAML ECP
Delegation support (needed for broker scenarios & long-running workflows; mostly missing)
◦ PKI/GSI + RFC 3820 does it
◦ KRB TGT
◦ SAML ECP could, but with a re-usable ‘golden’ token
◦ OpenID Connect promising, but not yet there …
◦ Credential repositories + STS can ... but no solution

Technical pilots (SURFnet, Paul van Dijk)
Pilots on integrated R&E AAI
◦ Introduction of attribute management services
◦ Access to R&E + commercial services
◦ Guest services, also for SME/R&D collaborators
◦ Build PoCs together with the community
Demonstrate ‘production-worthy’ pilots that have a sustainability model
◦ e.g. adoption by the GÉANT services activity, run by the research community, or by the e-Infrastructures
◦ Facilitate researchers to collaborate in a secure and trusted virtual research environment

Policy challenges
◦ What’s a sustainable distribution of responsibilities amongst AAI participants?
◦ How can we share necessary accounting?
◦ What does assurance mean? Who needs to say so?
◦ Can we have ‘mixed quality’ attributes?

Policy and best practice harmonisation (Nikhef, DavidG)
◦ Collate a level of assurance framework
   ▪ for SPs: where we already have DP CoC, R&S EC
   ▪ for IdPs: express reasonably achievable assurances
   ▪ for AAs and communities: a ‘new’ domain
◦ Consistent handling of security incidents (in eduGAIN &c)
◦ Scalable policy expression and negotiation
   ▪ identify policies needed for attribute aggregation
   ▪ policy & security to enable the integration of attribute providers and of credential translation services
◦ Support models for (inter)federated access (i.e. how are we going to sustain something scalable once AARC is over?)
◦ Guidelines to enable exchange of accounting data

Liaisons with other groups

Approach
◦ Use existing e-infrastructures in the delivery chain
◦ Liaison with existing e-Infras, communities and initiatives
◦ Deliver a cross-discipline framework built on federated access

AARC/REFEDS/GN4 – Working together
AARC
◦ Requirements anchored in real use cases
◦ Pilot AARC technical and policy findings
◦ Training
REFEDS
◦ Pre-existing design work
◦ Federation operators’ expertise
◦ Validate AARC findings
GN4
◦ Develop business case (P1): costing, supply chain
◦ Pilot the deployment (P2)
◦ eduGAIN: incorporate (P2, P3)

Where are we now
◦ Started on May 1st
◦ Open kick-off meeting June 3+4, Amsterdam, NL
◦ Theme sessions around cross-activity topics, e.g.
   ▪ ‘how to enable access for guests and non-academic users’, crossing topics such as technical IdPs of last resort, access policies, LoA for guests, engagement with industrial R&D, support for library walk-in users in a digital content world’
   ▪ ‘enabling expression of SCIRT collaboration by IdPs through federation through to resource providers’

AARC