Networks ∙ Services ∙ People www.geant.org Andrea Biancini #TNC15, Porto, Portugal Implementing Grouper to federate user authorization Federated Authorization.

Implementing Grouper to federate user authorization – Federated Authorization
Andrea Biancini, #TNC15, Porto, Portugal, June 16th, 2015
JRA3 T1 - Possibilities for Grouper in a cross/inter organizational use
R&D Project, Consortium GARR and IDEM
Part of the GÉANT Project (GN4-1) distributed workshop

Federations today

Currently, the goals of an Identity Federation are:
- to give a delegated mechanism to manage user identification among different entities and within different subjects;
- to provide a set of attributes about an authenticated user to be used by the final application.

We decided to extend the success of current identity federations to the field of user authorization.

How to reach that goal?

Traditionally, identity federations have solved the authorization problem with two opposite approaches:
- SP managed authorization
- IdP managed authorization

A different approach may be followed (leveraging Attribute Authorities and implementing tools like Grouper) where authorization is delegated to a specific system designed for that purpose.

Tools

We want to evaluate the introduction of Grouper for a cross/inter organizational use. Grouper will be used to manage in a centralized way (yet permitting delegation):
- groups of users;
- authorization attributes for users.

Proof of Concept

To prove real use cases, three SPs will be integrated with Grouper in a Proof of Concept:
- a MediaWiki application: Grouper will manage user groups for read/write access;
- a Moodle application: Grouper will provide the course list and manage the enrolment of students and teachers in courses;
- a custom application (not covered within this presentation).

MediaWiki – 1/3

To implement this use case we had to define access groups within MediaWiki. MediaWiki defines standard groups which are always present:
- Administrators: administrators of the wiki
- Bureaucrats: technical personnel of the wiki
- Users: registered users of the wiki

Besides these, it is possible to define new groups as needed.

MediaWiki – 2/3

Inside Grouper we can define a coherent group structure and assign different users (even from different VOs) to these groups. In this way the group membership of a user is described in Grouper and is retrieved by MediaWiki during the login operation of accessing users.

MediaWiki – 3/3

At login time user groups are retrieved from the Attribute Authority. MediaWiki uses the Shibboleth Authentication module, modified within this activity, to manage the attribute describing group memberships.
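The three MediaWiki slides describe a login-time flow: the SP receives a multi-valued attribute carrying the user's Grouper memberships and the wiki turns it into its own groups. The following is an added example written for this page, not the modified Shibboleth Authentication module from the JRA3 T1 activity. It assumes things the slides do not state: that the Shibboleth SP exposes the attribute to the application with values joined by ';' (its convention for multi-valued attributes, with a literal ';' inside a value escaped as '\;'), and that the Grouper group names under 'app:wiki:' and the mapping table are constructed for the demonstration.

```python
"""Map a Shibboleth-delivered group-membership attribute onto MediaWiki groups.

Added example, not the MediaWiki/Shibboleth module from the JRA3 T1 activity.
Assumptions (not stated on the slides): the Attribute Authority releases the
user's Grouper memberships as one multi-valued attribute, which the Shibboleth
SP hands to the application joined with ';' (its convention for multi-valued
attributes, a literal ';' inside a value being escaped as '\\;'); the Grouper
group names 'app:wiki:...' and the mapping table are constructed for the demo.
"""
from typing import Dict, FrozenSet, Iterable, List, Tuple

# Constructed mapping: Grouper group name -> MediaWiki group.  'sysop' and
# 'bureaucrat' are MediaWiki's built-in administrator/bureaucrat groups;
# 'editor' stands for a custom group defined in the wiki for write access.
GROUP_MAP: Dict[str, str] = {
    "app:wiki:admins": "sysop",
    "app:wiki:bureaucrats": "bureaucrat",
    "app:wiki:editors": "editor",
}

# Only these groups are under Grouper's control; anything assigned locally
# in the wiki is left alone by the login-time sync.
MANAGED_GROUPS: FrozenSet[str] = frozenset(GROUP_MAP.values())


def parse_multivalued(raw: str) -> List[str]:
    """Split a ';'-joined attribute into values, honouring the '\\;' escape.

    A naive raw.split(';') would let an escaped ';' inside one group name
    masquerade as two group names, so the escape is handled explicitly.
    """
    values: List[str] = []
    current: List[str] = []
    i = 0
    while i < len(raw):
        if raw.startswith("\\;", i):   # escaped separator: keep the ';'
            current.append(";")
            i += 2
        elif raw[i] == ";":            # real separator between values
            values.append("".join(current))
            current = []
            i += 1
        else:
            current.append(raw[i])
            i += 1
    values.append("".join(current))
    return [v.strip() for v in values if v.strip()]


def wiki_groups_for(raw_is_member_of: str) -> FrozenSet[str]:
    """Return the MediaWiki groups an authenticated user should hold.

    Deny by default: a Grouper group with no explicit mapping grants nothing,
    so an unexpected group released by the AA cannot escalate rights.  Every
    authenticated user gets 'user' (MediaWiki's registered-user group).
    """
    groups = {"user"}
    for grouper_group in parse_multivalued(raw_is_member_of):
        mapped = GROUP_MAP.get(grouper_group)
        if mapped is not None:
            groups.add(mapped)
    return frozenset(groups)


def sync_groups(current: Iterable[str],
                desired: FrozenSet[str]) -> Tuple[FrozenSet[str], FrozenSet[str]]:
    """Compute (groups to add, groups to remove) at login time.

    Removal is limited to MANAGED_GROUPS, so a group the wiki assigned locally
    (e.g. 'bot') survives, while a managed group no longer present in Grouper
    is revoked on the next login instead of lingering.
    """
    current_set = frozenset(current)
    to_add = desired - current_set
    to_remove = (current_set - desired) & MANAGED_GROUPS
    return to_add, to_remove


if __name__ == "__main__":
    # Constructed sample value, as the SP would expose it after login.
    sample = "app:wiki:editors;app:wiki:admins;app:other:unrelated"
    desired = wiki_groups_for(sample)
    print(sorted(desired))                      # ['editor', 'sysop', 'user']
    print(sync_groups({"user", "bureaucrat", "bot"}, desired))
```

The two design choices worth keeping in a real module are the deny-by-default mapping (an unmapped group is ignored, never passed through as a wiki group) and the bounded removal set, so that memberships revoked in Grouper are withdrawn on the next login while locally managed groups are not clobbered.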

Moodle

This use case needs to retrieve groups and attributes for authorization during the login phase (as in the wiki case). Besides, Moodle also needs some off-line interfaces (executed not only at login time) to query Grouper and retrieve:
- a list of courses;
- a list of teachers;
- a list of students for each course.

The VOOT protocol

VOOT is a protocol for exchanging group information externally to applications. It exposes a very simple API.

Moodle integration – 1/2

In Grouper we create a group for each course that must be activated on the Moodle platform. The user members of these groups can be of two kinds:
1. the «admin» members will be the teachers of the course;
2. all other members will be the students of the course.

Moodle integration – 2/2

Moodle will use an enrolment plugin to retrieve the group information from Grouper. For this purpose, a specific enrolment plugin has been developed. It is able to retrieve information from a VOOT server.
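The Moodle slides (the off-line interfaces, the one-group-per-course convention and the enrolment plugin that reads a VOOT server) together describe an offline sync job. The following is an added example written for this page, not the JRA3 T1 enrolment plugin or the Grouper VOOT connector. It assumes details the slides do not give: the JSON shape follows the VOOT 1.0 style (an 'entry' list whose items carry 'id' and 'voot_membership_role'), course groups sit under a constructed Grouper folder 'app:moodle:', and the HTTP calls to the VOOT server are replaced by embedded constructed sample responses so the script runs offline.

```python
"""Offline enrolment sync: Grouper course groups -> Moodle teachers/students.

Added example, not the JRA3 T1 Moodle enrolment plugin or the Grouper VOOT
connector.  Assumptions (not on the slides): the JSON shapes below follow the
VOOT 1.0 style (an 'entry' list; members carry 'id' and 'voot_membership_role'),
the course groups live under the constructed Grouper folder 'app:moodle:', and
the HTTP calls to the VOOT server are replaced by embedded constructed sample
responses so the script runs offline.
"""
from typing import Dict, Set, Tuple

COURSE_PREFIX = "app:moodle:"

# Constructed sample response: the groups the VOOT server exposes.
SAMPLE_GROUPS = {"entry": [
    {"id": "app:moodle:crypto101", "title": "Cryptography 101"},
    {"id": "app:moodle:netsec", "title": "Network Security"},
    {"id": "app:wiki:editors", "title": "Wiki editors"},   # not a course group
]}

# Constructed sample responses: the members of each course group.
SAMPLE_MEMBERS = {
    "app:moodle:crypto101": {"entry": [
        {"id": "alice@example.org", "voot_membership_role": "admin"},
        {"id": "bob@example.org", "voot_membership_role": "member"},
        {"id": "carol@example.org", "voot_membership_role": "member"},
        {"voot_membership_role": "admin"},                              # malformed: no id
        {"id": "erin@example.org", "voot_membership_role": "manager"},  # unknown role
    ]},
    "app:moodle:netsec": {"entry": []},
}


def list_courses(groups_doc: dict) -> Dict[str, str]:
    """Map course short names to titles, keeping only groups under COURSE_PREFIX."""
    courses: Dict[str, str] = {}
    for entry in groups_doc.get("entry", []):
        gid = entry.get("id", "")
        if gid.startswith(COURSE_PREFIX):
            courses[gid[len(COURSE_PREFIX):]] = entry.get("title", gid)
    return courses


def roster(members_doc: dict) -> Tuple[Set[str], Set[str]]:
    """Split a group's members into (teachers, students).

    Slide rule: 'admin' members are teachers, everyone else is a student.
    Fail safe: an unrecognised role is treated as a student, never as a
    teacher, and an entry without an id is skipped rather than guessed.
    """
    teachers: Set[str] = set()
    students: Set[str] = set()
    for entry in members_doc.get("entry", []):
        uid = entry.get("id")
        if not uid:
            continue
        if entry.get("voot_membership_role") == "admin":
            teachers.add(uid)
        else:
            students.add(uid)
    return teachers, students


def enrolment_diff(current: Dict[str, str], teachers: Set[str],
                   students: Set[str]) -> Dict[str, object]:
    """Compare Moodle's current enrolments (user -> role) with the Grouper roster.

    Returns the changes the plugin must apply: new enrolments, role changes,
    and unenrolments for users no longer in the group.  A user appearing as
    both admin and member keeps the teacher role.
    """
    desired = {u: "student" for u in students}
    desired.update({u: "teacher" for u in teachers})   # teacher wins
    enrol = {u: r for u, r in desired.items() if u not in current}
    change = {u: r for u, r in desired.items() if u in current and current[u] != r}
    unenrol = set(current) - set(desired)
    return {"enrol": enrol, "change": change, "unenrol": unenrol}


def sync_all(groups_doc: dict, members_by_group: Dict[str, dict],
             moodle_state: Dict[str, Dict[str, str]]) -> Dict[str, Dict[str, object]]:
    """Run the offline sync for every course group and return the plan per course."""
    plan: Dict[str, Dict[str, object]] = {}
    for short in list_courses(groups_doc):
        members = members_by_group.get(COURSE_PREFIX + short, {"entry": []})
        teachers, students = roster(members)
        plan[short] = enrolment_diff(moodle_state.get(short, {}), teachers, students)
    return plan


if __name__ == "__main__":
    # Constructed current Moodle state: bob enrolled, dave stale, alice demoted.
    state = {"crypto101": {"bob@example.org": "student",
                           "dave@example.org": "student",
                           "alice@example.org": "student"}}
    for course, changes in sync_all(SAMPLE_GROUPS, SAMPLE_MEMBERS, state).items():
        print(course, changes)
```

The plan is computed before anything is written to Moodle, which lets an operator review it (or rate-limit unenrolments) before a faulty or empty VOOT response removes a whole course; an unknown membership role deliberately never promotes anyone to teacher.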

References

- The wiki page for the JRA3 T1 activity
- The code developed to integrate MediaWiki with Grouper
- The code developed to integrate Moodle with Grouper
- The VOOT connector for Grouper

Conclusion

The architecture explored is being rolled out into two production environments:
1. to model access for the GN4 project, phase 1 activities;
2. to model authorization for the applications operating IDEM (the Italian Identity Federation).

During the PoC we had the opportunity to address problems and future activities, in particular:
- AAs still have some issues regarding privacy and security;
- user enrolment must be supported to reduce effort.

Thank you

This work is part of a project that has applied for funding from the European Union's Horizon 2020 research and innovation programme under Grant Agreement No (GN4-1).