Authentication and Authorisation for Research and Collaboration (AARC Project)
Topics for PY2 activities in attribute management
Peter Solagna, Davide Vaghetti, et al.
2. Where should AARC focus in PY2 for attribute management?
Dissemination of the results from JRA1 and SA1 in attribute management.
- Entitlements linking/encapsulation (inputs for the discussion from Davide Vaghetti)
- ORCID -> SAML AuthN workflows (inputs and demos from Niels van Dijk and Nicolas Liampotis)
- Attribute translation: OIDC attributes <-> SAML attributes (inputs for the discussion from Niels)
- Attribute translation: SAML/OIDC attributes -> X509 attributes
- LoA for attributes
3. Goals of this discussion
- Agree on the topics for PY2
- Agree on the first steps for each topic
- Agree on who is contributing
4. Entitlements linking/encapsulation
In the same assertion a user may carry several pieces of information about VO membership, for example:
- member of the VO "VO1"
- member of the group "Managers" within VO1
When one assertion carries information about multiple groups and sub-groups, the service provider has to work out which sub-group belongs to which group (VO): a bare "Managers" value does not say whether it is VO1's or VO2's Managers group.
There is already some work in this area on scoped entitlements (two references, truncated in the source), but the scoping suggested there is slightly different: it scopes the entitlement per issuer or attribute authority.
More relevant would be to scope entitlements per VO, so that a sub-group entitlement names its VO, and the user also carries the plain VO entitlement alongside it: eduPersonEntitlement: VO1
5. Entitlements linking/encapsulation #2
AARC should produce a white-paper-like document suggesting best practices for handling these use cases.
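The check a service provider has to make when sub-groups are encapsulated in their VO, as an added example for the two slides above. This is not AARC code and the URN layout `urn:example:aai:group:<VO>[:<sub-group>...][#<attribute authority>]` is an assumption chosen for illustration, not a recommended format; the optional `#authority` suffix only shows how the existing per-issuer scoping can sit beside the per-VO scoping the slide asks for. The sample assertion is constructed.

```python
"""Entitlements scoped per VO, evaluated the way a service provider would.

Added example, not AARC code. Assumed URN layout (illustration only):
    urn:example:aai:group:<VO>[:<sub-group>...][#<attribute authority>]
"""
from collections import defaultdict

PREFIX = "urn:example:aai:group:"   # assumed namespace, not an AARC one


def parse_entitlements(values):
    """Return {VO: {group_path_tuple: authority_or_None}}.

    The empty tuple () is plain membership of the VO itself. Values outside
    PREFIX are ignored (they may be other entitlement types); malformed values
    (empty VO name or empty path segment) are dropped rather than guessed at."""
    groups = defaultdict(dict)
    for value in values:
        if not value.startswith(PREFIX):
            continue
        body, _, authority = value[len(PREFIX):].partition("#")
        parts = body.split(":")
        if "" in parts:
            continue
        groups[parts[0]][tuple(parts[1:])] = authority or None
    return dict(groups)


def is_member(groups, vo, *path, trusted=None):
    """True only if the user is asserted as a member of `vo` itself AND holds the
    exact sub-group path inside that VO, so 'Managers' in VO2 never satisfies a
    check for VO1's Managers. `trusted`, if given, is the set of attribute
    authorities the SP accepts for this entitlement (per-issuer scoping)."""
    vo_groups = groups.get(vo, {})
    if () not in vo_groups:            # VO membership must be asserted explicitly
        return False
    if tuple(path) not in vo_groups:
        return False
    if trusted is not None and vo_groups[tuple(path)] not in trusted:
        return False
    return True


def dangling(groups):
    """VOs for which a sub-group is asserted but the VO membership itself is not.
    The slide's point is that both should always travel together; these are the
    assertions an SP should reject or at least log."""
    return sorted(vo for vo, g in groups.items() if () not in g)


# Constructed sample assertion: one user, two VOs, mixed quality of values.
SAMPLE_ASSERTION = [
    "urn:example:aai:group:VO1#aa.example.org",            # member of VO1
    "urn:example:aai:group:VO1:Managers#aa.example.org",   # Managers within VO1
    "urn:example:aai:group:VO2:Managers",                  # sub-group, but no VO2 membership
    "urn:example:aai:group::Broken",                       # malformed: empty VO name
    "urn:mace:dir:entitlement:common-lib-terms",           # unrelated entitlement, ignored
]

if __name__ == "__main__":
    g = parse_entitlements(SAMPLE_ASSERTION)
    print("VO1 Managers:", is_member(g, "VO1", "Managers"))   # True
    print("VO2 Managers:", is_member(g, "VO2", "Managers"))   # False: VO2 itself not asserted
    print("dangling sub-groups:", dangling(g))                 # ['VO2']
```

The `trusted` parameter is what a proxy or SP would populate from its metadata: which attribute authority is allowed to speak for a given VO. Without it, any IdP or AA in the federation could assert VO1's Managers group.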
6. ORCID -> SAML workflows
- Integrate the ORCID iD in the SAML authentication workflows
- Make ORCID available as an attribute to SPs
- SURFnet has a demo service that integrates ORCID
- GRNET integrated ORCID for EGI in the IdP/SP proxy of the EGI AAI
Let's now:
- Check the demos
- Discuss how this can be piloted more extensively in PY2
7. ORCID authenticator for EGI AAI (Nicolas)
ORCID offers a Public REST API that allows organisations that are not ORCID members to connect their applications to the ORCID registry in order to:
- let users sign in with their ORCID username and password
- get a user's authenticated ORCID iD
- retrieve a machine-readable version (JSON/XML) of a user's public ORCID record
The Public API is one of two APIs that ORCID provides; the other, the Member API, offers additional functions to organisations that financially support ORCID.
EGI AAI developed a SimpleSAMLphp authN module that uses the Public ORCID REST API. The ORCID client obtains OAuth access tokens using the following scopes:
- authenticate: returns the user's ORCID iD in the access-token response
- read-public: reads public information from the user's ORCID record. This is not part of the standard 3-legged OAuth flow: it requires a separate client_credentials access token.
Test EGI AAI ORCID auth module
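The two-token ORCID flow described above, written out as an added example for a proxy that wants the authenticated iD as a SAML attribute. This is not the EGI AAI SimpleSAMLphp module: the HTTP transport is injected so the flow runs offline against a constructed stand-in for orcid.org, the `/v3.0` API version and the `eduPersonOrcid` attribute name are assumptions (the slide names neither), and the token responses and record are constructed. The ISO 7064 MOD 11-2 check on the iD is the one ORCID specifies for its identifiers.

```python
"""ORCID sign-in through the Public API, as an IdP/SP proxy would drive it.

Added example, not the EGI AAI module. `http(method, url, data=, headers=)`
returns (status, json_body) and is injected so everything runs offline."""
import secrets
from urllib.parse import urlencode

AUTHORIZE_URL = "https://orcid.org/oauth/authorize"
TOKEN_URL = "https://orcid.org/oauth/token"
PUBLIC_API = "https://pub.orcid.org/v3.0"   # API version is an assumption


def orcid_checksum_ok(orcid_id: str) -> bool:
    """ISO 7064 MOD 11-2 check digit over the 16-character iD (dashes stripped).
    An iD that fails this never came from ORCID and must not become an attribute."""
    digits = orcid_id.replace("-", "")
    if len(digits) != 16 or not digits[:15].isdigit() or digits[15] not in "0123456789X":
        return False
    total = 0
    for d in digits[:15]:
        total = (total + int(d)) * 2
    check = (12 - total % 11) % 11
    return digits[15] == ("X" if check == 10 else str(check))


def authorize_url(client_id, redirect_uri, state):
    """Step 1 of the 3-legged flow; /authenticate is enough to obtain the iD."""
    return AUTHORIZE_URL + "?" + urlencode({
        "client_id": client_id, "response_type": "code", "scope": "/authenticate",
        "redirect_uri": redirect_uri, "state": state})


def login(client_id, client_secret, redirect_uri, code, state, expected_state, http):
    """Step 2: exchange the code. The authenticated iD is in the token response
    itself, so the proxy never trusts an iD typed by the user."""
    if not secrets.compare_digest(state, expected_state):
        raise ValueError("state mismatch: possible login CSRF")
    status, body = http("POST", TOKEN_URL, data={
        "client_id": client_id, "client_secret": client_secret,
        "grant_type": "authorization_code", "code": code, "redirect_uri": redirect_uri})
    if status != 200:
        raise RuntimeError(f"token endpoint returned {status}")
    orcid_id = body.get("orcid", "")
    if not orcid_checksum_ok(orcid_id):
        raise ValueError(f"token response carries a malformed iD: {orcid_id!r}")
    return orcid_id, body.get("name", "")


def public_record(client_id, client_secret, orcid_id, http):
    """Reading the public record is outside the 3-legged flow: it needs a separate
    client_credentials token with the /read-public scope."""
    status, tok = http("POST", TOKEN_URL, data={
        "client_id": client_id, "client_secret": client_secret,
        "grant_type": "client_credentials", "scope": "/read-public"})
    if status != 200:
        raise RuntimeError(f"client_credentials grant returned {status}")
    status, record = http("GET", f"{PUBLIC_API}/{orcid_id}/record", headers={
        "Accept": "application/json", "Authorization": "Bearer " + tok["access_token"]})
    if status != 200:
        raise RuntimeError(f"record lookup returned {status}")
    if record.get("orcid-identifier", {}).get("path") != orcid_id:
        raise ValueError("record is not about the authenticated iD")
    return record


def orcid_to_saml_attributes(orcid_id, name):
    """Attribute name is an assumption: eduPersonOrcid carries the iD as a URI."""
    attrs = {"eduPersonOrcid": ["https://orcid.org/" + orcid_id]}
    if name:
        attrs["displayName"] = [name]
    return attrs


class FakeOrcid:
    """Constructed stand-in for orcid.org so the flow runs offline; records calls."""
    ID = "0000-0002-1825-0097"   # example iD from the ORCID documentation

    def __init__(self):
        self.calls = []

    def __call__(self, method, url, data=None, headers=None):
        self.calls.append((method, url, data, headers))
        if url == TOKEN_URL and data["grant_type"] == "authorization_code":
            return 200, {"access_token": "tok-user", "token_type": "bearer",
                         "scope": "/authenticate", "orcid": self.ID, "name": "Sofia Garcia"}
        if url == TOKEN_URL and data["grant_type"] == "client_credentials":
            return 200, {"access_token": "tok-client", "scope": "/read-public"}
        if url == f"{PUBLIC_API}/{self.ID}/record" and headers["Authorization"] == "Bearer tok-client":
            return 200, {"orcid-identifier": {"path": self.ID}, "person": {}}
        return 404, {}


def demo():
    """Run the whole exchange against FakeOrcid; returns (saml_attrs, http_calls)."""
    http = FakeOrcid()
    state = secrets.token_urlsafe(16)
    authorize_url("APP-X", "https://proxy.example.org/orcid/return", state)
    orcid_id, name = login("APP-X", "s3cret", "https://proxy.example.org/orcid/return",
                           "code-123", state, state, http)
    public_record("APP-X", "s3cret", orcid_id, http)
    return orcid_to_saml_attributes(orcid_id, name), http.calls


if __name__ == "__main__":
    print(demo()[0])
```

Two points the slide's "extra client_credentials token" remark implies for the pilot: the client secret now has to live in the proxy for the read-public call, not only for the code exchange, and the record returned must be checked against the iD that was authenticated, since the read-public endpoint will happily return any public record.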
8. Attribute translation: OIDC <-> SAML (Nicolas)
Twofold problem:
- map OIDC attributes to SAML attributes, so that a user with OIDC credentials can log in to a SAML service
- produce an OIDC assertion with attributes from SAML IdPs
Nicolas and Niels have already done some work on the topic.
What to do in PY2?
- Define best practices for the translation and the mapping of attributes
- Pilot the solutions; the OIDC -> SAML translation in particular is the less explored one
9. Attribute translation: Social -> SAML
Google (OIDC)     | Facebook          | LinkedIn          | SAML
sub               | n/a               | (blank in source) | eduPersonUniqueId (ePUID)
n/a               | third_party_id    | n/a               | eduPersonPrincipalName (ePPN)
n/a               | id                | (blank in source) | eduPersonTargetedID (ePTID)
name              | (blank in source) | formatted-name    | displayName
given_name        | first_name        | first-name        | givenName
family_name       | last_name         | last-name         | sn
(lost in source)  | (lost in source)  | email-address     | mail
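A translator for the table above, as an added example of the OIDC/social -> SAML direction the slide calls the less explored one. This is not Nicolas's or Niels's code. Where the slide has a cell the mapping follows it; the `email` claim for Google and Facebook and the `id` claim for LinkedIn are assumptions (those cells are lost in the source), and two design choices are this example's own: every provider identifier is turned into a provider-scoped `eduPersonUniqueId` rather than an ePPN, and `mail` is only emitted when the provider marks the address verified. Sample claims are constructed.

```python
"""OIDC / social claims -> SAML attributes for an IdP/SP proxy (added example)."""
import hashlib

# SAML attribute -> claim name at each provider, following the slide's table.
# None: the slide marks the attribute n/a for that provider. The "email" claims for
# google/facebook and "id" for linkedin are assumptions (cells lost in the source).
CLAIM_MAP = {
    "google":   {"id": "sub", "displayName": "name", "givenName": "given_name",
                 "sn": "family_name", "mail": "email"},
    "facebook": {"id": "id", "displayName": None, "givenName": "first_name",
                 "sn": "last_name", "mail": "email"},
    "linkedin": {"id": "id", "displayName": "formatted-name", "givenName": "first-name",
                 "sn": "last-name", "mail": "email-address"},
}


def translate(provider, claims, scope, verified_email_only=True):
    """Return {saml_attribute: [values]} for one login at `provider`.

    `scope` is the proxy's own scope (e.g. its domain). Design choices of this
    example: the provider's opaque identifier is hashed with the provider name
    into an eduPersonUniqueId, because sub/id are unique only within that
    provider and raw social IDs should not leak into SAML assertions; no ePPN
    is produced, since none of the providers asserts an organisational scope."""
    mapping = CLAIM_MAP[provider]
    ident = claims.get(mapping["id"])
    if not ident:
        raise ValueError(f"{provider}: identifier claim {mapping['id']!r} missing")
    digest = hashlib.sha256(f"{provider}\0{ident}".encode()).hexdigest()[:32]
    attrs = {"eduPersonUniqueId": [f"{digest}@{scope}"]}

    for saml_attr in ("displayName", "givenName", "sn"):
        claim = mapping[saml_attr]
        if claim and claims.get(claim):
            attrs[saml_attr] = [claims[claim]]
    # Facebook has no display-name claim in the table; compose one if both parts exist.
    if "displayName" not in attrs and "givenName" in attrs and "sn" in attrs:
        attrs["displayName"] = [attrs["givenName"][0] + " " + attrs["sn"][0]]

    # Only Google sends the OIDC email_verified claim; with verified_email_only the
    # other providers' addresses are dropped instead of asserted as `mail`.
    email = claims.get(mapping["mail"])
    if email and (not verified_email_only or claims.get("email_verified") is True):
        attrs["mail"] = [email]
    return attrs


# Constructed sample claims, as a proxy would receive them after the OIDC/OAuth login.
SAMPLE_GOOGLE = {"sub": "1234567890", "name": "Ada Lovelace", "given_name": "Ada",
                 "family_name": "Lovelace", "email": "ada@example.org", "email_verified": True}
SAMPLE_FACEBOOK = {"id": "99", "first_name": "Ada", "last_name": "Lovelace",
                   "email": "ada@example.org"}

if __name__ == "__main__":
    print(translate("google", SAMPLE_GOOGLE, "proxy.example.org"))
    print(translate("facebook", SAMPLE_FACEBOOK, "proxy.example.org"))
```

The same user arriving via two providers gets two different `eduPersonUniqueId` values; linking them is an account-linking problem for the proxy, not something the attribute translation should guess at from a shared e-mail address.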
10. Attribute translation: SAML/OIDC -> X509
A pilot that involves both attribute management and token translation: allow users with SAML credentials to generate X509 credentials carrying the VO information, to be used for authorisation at the service level.
What to do in PY2?
- Design the workflow for this translation
- Pilot a solution that uses the attribute management results and CILogon
11. LoA for attributes
© GÉANT on behalf of the AARC project. The work leading to these results has received funding from the European Union’s Horizon 2020 research and innovation programme under Grant Agreement No (AARC). Thank you Any Questions?