Authentication and Authorisation for Research and Collaboration On behalf of the MJRA1.2 scribes J Jensen (STFC) (ed), U Stevanovic (FZJ), I Kakavas, N Liampotis, C Kanellopoulos (GRNET), M Haase (DAASI), M Jankowski (PSNC), M Reale, M-L Mantovani (GARR) Authentication and Authorisation for Research and Collaboration JRA1.3 – Guest Identities – MJRA1.2 organisation?? country?? Utrecht, 25 May 2016

A tale of two versions – long version and short version The short(ish) version Short version for submission Reviewed by Licia – generally sensible comments (of course), will need ½ day to tidy up Awaiting additional comments by Christos Also needs glossary and remaining references Feedback from SA1 on libraries Check whether we still have delegation in there (see DoW) Many thanks to Licia and Christos for reviewing it! Long version will be picked up later A second non-deliverable document describing the wider landscape Your contributions are not lost! 2 Guest Identities Status of MJRA1.2

One of the main requirements reported by different research and education communities as identified in the FIM4R paper and in the AAI Workshop held in April 2014, is to offer support for guest identities. The support should serve nomadic users (those without a “home” organisation, such as “long-tail” researchers) as well as users belonging to an institution that is not able to operate an Identity Provider (IdP), or one which operates a stand-alone IdP which is not part of an established federation. Also, community IdPs are considered, since many communities have established practices independently of their home organisations. Finally, it has been argued (in FIM4R) that many younger researchers, having grown up with social media, may expect to continue to use social media in their research roles. This task will explore models for supporting guest identities, including solutions to ease the creation of an identity provider. Commercially available solutions will also be considered in relation to solutions built by NRENs. 3 DoW part 1

The aims of this task are to: investigate and propose solutions for Guest Identities; investigate the use of alternative methods of identification (e.g. social networks etc); investigate the usefulness of the IdMaaS model (IdP-in-the-Cloud); define a strategy to permit broad public access at large to services, including libraries via AAIs; collaborate with NA3 for the definition of the levels of assurance relevant for European federated AAI, based on the existing levels when possible, investigate the risks associated with implementing delegation of credentials develop a risk-based model for assessing the suitability of identities for infrastructure provisioning. 4 DoW part 2

1.What are GIs? 1.“Identities used outside of their original context” 2.Lacking doc’d processes necessary to establish their LoA 2.Why use Gis 3.Options for using GIs 1.LoA 2.Reputation 3.Peer to peer networks 4.Supplementary information 4.Deployment 1.IdMaaS 2.Other types of GIs: social media, communities, gov’t/banks (see Mario’s presentation), commercial, libraries 5.Risk management 5 MJRA1.2 short version (outline)

Mario is the key person connecting SA1 and JRA1.3 Demonstrating a reputation service Take a proxy Add a reputation attribute to each account Add means for reputation to be incr/decr By peers (voting up/down) By algorithms (assessing work or behaviour) Eventually decided not worth it: Goodish amount of effort for little practical gain Would be better to study existing reputation-based services Library identities Need feedback from SA1 for deliverable? Gov’t ids? 6 Previously Proposed Pilot Pactivities

Finalise comments for MJRA1.3 Longer document resurrected: Turn them into publications of some sort Specialised into the “ways of managing guest accounts” Is there more related work out there Guidance for NA2 on Practical Stuff™ (maybe not for libraries  ?) Follow up on IdMaaS – much more interesting stuff to do Identity management in the cloud NREN-provided Commercially provided Hosted in public cloud, e.g. Azure AD Follow up on work on GI in infrastructure projects - IdPology E.g. EUDAT, EGI Communities? Integrate libraries back in (based on exp with pilots) Potential research topics (see next slide) Making management of GIs scalable, automate as much as possible 7 Activities for the Rest of the Project

Managing GIs at the proxy ML for reputation management? Combine with (meta)data from account mgmt and accounting Some Bayesian Stuff™ on supporting information, e.g. ORCID? Training datasets? Graph algorithms (e.g. communities) for peer-to-peer network derivations If known from the IdPs Or managed separately by the proxy Incident handling Automating detecting and handling incidents Tools for managing the risks identified in deliverable (extending IdMaaS) Some already do this with some risks Deployment 8 Potential Research Topics – Thinking Out Loud As Usual™

© GÉANT on behalf of the AARC project. The work leading to these results has received funding from the European Union’s Horizon 2020 research and innovation programme under Grant Agreement No (AARC). Thank you Any Questions? --jens