EGI Updates Check-in Matthew Viljoen – EGI Foundation

Presentation transcript:

EGI Updates: Check-in
Matthew Viljoen (EGI Foundation), Nicolas Liampotis (GRNET), Peter Solagna (EGI Foundation)
FIM4R, 19 Sept 2017, Montreal

Contents
- Overview
- Use cases
- Production status
- Work in progress

Check-in Overview

AAI strategy for EGI (diagram: Check-in sits between identity providers speaking SAML, OIDC and X.509, including social media IdPs, and the EGI services; only the protocol labels are recoverable)

Check-in Overview
Check-in provides a reliable and interoperable AAI solution for the EGI service providers federation and for external service providers. It enables single sign-on to services through eduGAIN identity providers and other institutional or social media credentials.
Check-in development, led by GRNET, has been supported by the EGI-Engage project. The EGI Council supports the long-term operations of the service.
Check-in has been developed in close collaboration with the AARC project, and it implements the recommendations of the AARC Blueprint Architecture and Policy Framework.

Check-in Features
- Supports authorised access to protected resources based on VO/group membership and role information
- Aggregates user attributes from different sources, including external community-managed attribute providers
- Supports the linking of multiple external identities to a persistent, non-re-assignable, unique user identifier within the EGI infrastructure
- Associates a Level of Assurance (LoA) with each authenticated identity in the EGI infrastructure
- Reliable and secure: highly available by design; operated under the strict security policies of the EGI federation and the EGI Foundation's ISO20k-certified processes
- Simple: Check-in hides the complexity of dealing with multiple IdPs and sources of authorisation information
- Low overhead: service providers do not need to deal with the bureaucracy of integrating with multiple identity providers and attribute authorities
- Interoperable: published in eduGAIN as a service provider compliant with REFEDS R&S and Sirtfi; supports translation of credentials across the most popular standards: SAML 2.0, OpenID Connect, OAuth 2.0 and X.509

Check-in Architecture
Implementation of the AARC blueprint architecture:
- All EGI SPs can have one statically configured IdP; no need to run an IdP Discovery Service on each SP
- Connected SPs get consistent/harmonised user identifiers and accompanying attribute sets from different IdPs/AAs that can be interpreted in a uniform way for authorisation purposes
- External IdPs only deal with a single EGI SP proxy
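The harmonised-identifier point above, together with the account-linking feature on the previous slide (many external identities linked to one persistent, non-re-assignable identifier), is illustrated by the following Python sketch. It is an added example written for this page, not Check-in code: the identifier format, the issuer URLs and subject strings are constructed, the registry is in memory only, and the rule that a linked identity cannot be silently re-homed to another account is the example's own policy.

```python
"""Account linking behind an AAI proxy: map many external identities onto one
persistent, non-re-assignable internal identifier (added example, not Check-in code)."""
import uuid
from typing import Dict, Set, Tuple

# (issuer / IdP entity id, subject as asserted by that IdP). Subjects are always
# scoped by issuer: the same subject string from two IdPs is two identities.
ExternalId = Tuple[str, str]


class AccountLinker:
    """Toy in-memory registry of proxy accounts and their linked identities."""

    def __init__(self) -> None:
        self._links: Dict[ExternalId, str] = {}       # external identity -> account id
        self._accounts: Dict[str, Set[ExternalId]] = {}  # account id -> linked identities
        self._retired: Set[str] = set()               # ids that must never be reused

    def _new_account_id(self) -> str:
        # Assumed identifier format: an opaque random token scoped to the proxy's
        # domain. The real Check-in identifier format is not stated on the slides.
        while True:
            candidate = f"{uuid.uuid4().hex}@proxy.example"
            if candidate not in self._accounts and candidate not in self._retired:
                return candidate

    def resolve(self, issuer: str, subject: str) -> str:
        """Return the account id for an external identity, enrolling a fresh
        account the first time this (issuer, subject) pair is seen."""
        key = (issuer, subject)
        if key not in self._links:
            account = self._new_account_id()
            self._accounts[account] = {key}
            self._links[key] = account
        return self._links[key]

    def link(self, account: str, issuer: str, subject: str) -> None:
        """Attach an additional external identity to an existing account."""
        if account not in self._accounts:
            raise KeyError(f"unknown or retired account: {account}")
        key = (issuer, subject)
        owner = self._links.get(key)
        if owner is not None and owner != account:
            # An identity already bound elsewhere is not moved by a plain link;
            # that would need an explicit, audited merge of the two accounts.
            raise ValueError("external identity already bound to another account")
        self._links[key] = account
        self._accounts[account].add(key)

    def retire(self, account: str) -> None:
        """Deprovision an account; its identifier is never handed out again."""
        for key in self._accounts.pop(account):
            del self._links[key]
        self._retired.add(account)


if __name__ == "__main__":
    # Constructed sample identities.
    linker = AccountLinker()
    alice = linker.resolve("https://idp.example.edu", "alice")
    linker.link(alice, "https://orcid.example", "0000-0000")
    print(alice, linker.resolve("https://orcid.example", "0000-0000") == alice)
```

Because the registry keys on the (issuer, subject) pair rather than on the bare subject, a social IdP asserting `alice` cannot collide with an institutional IdP asserting the same string, which is the property that lets connected SPs trust one uniform identifier.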

Check-in use cases

For the RI using EGI: AAI integration
- A community operating its own AAI connects it as an IdP to Check-in, allowing its users to access EGI services and resources
- Access EGI services without changing your authentication workflow
(diagram: eduGAIN, social IdPs and institutional IdPs, plus the community's own AAI proxy, feed EGI Check-in, which fronts the EGI infrastructure services)

For the communities: external attribute provider
- A community manages authorisation information about its users (VO/group memberships and roles) via its own group management service, which is connected to Check-in as an external attribute authority
- Check-in handles the configuration of the IdPs and the aggregation of the attributes for the SPs
- No need to migrate the group management functionality to an EGI-specific attribute authority
(diagram: eduGAIN, institutional and social IdPs feed EGI Check-in; the Virtual Organization service supplies attributes; Check-in fronts the EGI infrastructure services)

For the communities: full AAI platform with group management as a service
- Communities that do not operate their own group management service can leverage the group management capabilities of the Check-in platform
- Ready-to-use solution: avoids the overhead of deploying a dedicated group management service
- Support for multi-tenancy, allowing authorised VO admins to manage the information about their users independently
- Easy to connect to both EGI and non-EGI services
- Supported technologies: COmanage, Perun
(diagram: eduGAIN, institutional and social IdPs feed EGI Check-in, which hosts the Virtual Organization service and fronts the EGI infrastructure services)

For service providers: AAI as a service
- Check-in as an authentication proxy: enables login from institutional IdPs in eduGAIN and from social media
- Minimal overhead for the service development
- All the other Check-in features are available to the SP: account linking, attribute aggregation, ...
- Prerequisite: the service provider must accept EGI policies on data protection
(diagram: eduGAIN, social and institutional IdPs feed EGI Check-in, which fronts the EGI infrastructure service)

Check-in production status

Check-in today
- Identity Providers: SAML 2.0: eduGAIN; OIDC/OAuth2: Google, Facebook, LinkedIn, ORCID; X.509: IGTF
- Service Providers: SAML 2.0 and OIDC
- Attribute Authorities: SAML 2.0 attribute query, REST, LDAP, SQL
- Token Translation Services: SAML 2.0-to-X.509 via the Master Portal to the RCauth.eu Online CA
- Support for Levels of Assurance
- User enrolment and account linking
- IdP Discovery
- User Consent

Check-in consumes information from many diverse sources: GOCDB, VOMS, COmanage, Perun, SAML IdPs, OpenID Connect IdPs, e/R-Infra AAI proxies (e.g. ELIXIR), external VO management (e.g. Unity IDM)

Support for Levels of Assurance
Check-in supports 3 different Levels of Assurance.
Use case:
- Check-in conveys the LoA associated with the authenticated identity to SPs for authorisation purposes
- Communicated through the eduPersonAssurance attribute in SAML or the acr claim in OIDC
- Translated into entitlements expressing the right of a user to access a particular resource (e.g. access to the RCauth Online CA)
(table: key features Unique ID, Identity Vetting and Multi Factor against the profiles AARC-Assam, IGTF-DOGWOOD, IGTF-BIRCH and AARC-Darjeeling; the per-profile values are not recoverable)

Check-in will implement the AARC guidelines to express group membership information
Use of URN-formatted entitlement values:
<namespace>:group:<group>[:<subgroup>*][:role=<role>]#<group-authority>
- <group> is the name of a VO, research collaboration or a top-level arbitrary group; unique within a given <namespace>
- the optional list of <subgroup> components represents the hierarchy of subgroups in the <group>
- the optional <role> component indicates the particular position of the user; scoped to the rightmost (sub)group
- <group-authority> indicates the authoritative source for the group membership and role information
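To show how a service provider can consume the entitlement format above together with the assurance value (eduPersonAssurance or acr) from the Levels of Assurance slide, here is an added Python example; it is not Check-in or AARC code. The namespace urn:mace:egi.eu, the authority aai.egi.eu, the group names and the assurance labels are sample values assumed for the example, not taken from the slides, and treating the required group as an exact path match (subgroup membership does not imply parent membership) is this example's own policy choice. The parser rejects malformed values rather than guessing, and the decision function ignores anything it cannot parse or that comes from an unexpected namespace or authority.

```python
"""Parse AARC-style URN entitlements and make an authorisation decision
(added example, not Check-in code).

Entitlement format as given on the slide:
  <namespace>:group:<group>[:<subgroup>*][:role=<role>]#<group-authority>
"""
from dataclasses import dataclass
from typing import Iterable, Optional, Tuple


@dataclass(frozen=True)
class Entitlement:
    namespace: str
    group: str
    subgroups: Tuple[str, ...] = ()
    role: Optional[str] = None   # scoped to the rightmost (sub)group
    authority: str = ""          # authoritative source of the membership/role

    @property
    def path(self) -> Tuple[str, ...]:
        """Top-level group followed by the subgroup hierarchy."""
        return (self.group,) + self.subgroups


def parse_entitlement(value: str) -> Entitlement:
    """Parse one entitlement value; raise ValueError on anything malformed."""
    if value.count("#") != 1:
        raise ValueError(f"expected exactly one '#<group-authority>' suffix: {value!r}")
    body, authority = value.split("#")
    if not authority:
        raise ValueError(f"empty group-authority: {value!r}")
    # The namespace itself usually contains ':' (e.g. urn:mace:...), so locate
    # the first ':group:' marker instead of splitting the whole string on ':'.
    marker = ":group:"
    idx = body.find(marker)
    if idx <= 0:
        raise ValueError(f"missing ':group:' marker or empty namespace: {value!r}")
    namespace = body[:idx]
    components = body[idx + len(marker):].split(":")
    role = None
    if components[-1].startswith("role="):
        role = components.pop()[len("role="):]
        if not role:
            raise ValueError(f"empty role: {value!r}")
    # A role is only valid as the last component; empty path elements are errors.
    if not components or any(c == "" or c.startswith("role=") for c in components):
        raise ValueError(f"malformed group path: {value!r}")
    return Entitlement(namespace, components[0], tuple(components[1:]), role, authority)


def is_well_formed(value: str) -> bool:
    """True if the value parses as an entitlement, False otherwise."""
    try:
        parse_entitlement(value)
        return True
    except ValueError:
        return False


def authorize(entitlement_values: Iterable[str],
              assurance_values: Iterable[str],
              namespace: str,
              authority: str,
              required_path: Tuple[str, ...],
              required_role: Optional[str] = None,
              accepted_assurance: Iterable[str] = ()) -> bool:
    """Grant access only if the asserted assurance is acceptable AND one
    well-formed entitlement from the trusted namespace/authority names exactly
    the required group path (and role, if one is required)."""
    accepted = set(accepted_assurance)
    if accepted and not accepted.intersection(assurance_values):
        return False   # LoA too low for this resource
    for raw in entitlement_values:
        try:
            ent = parse_entitlement(raw)
        except ValueError:
            continue   # fail closed: never act on a value we cannot interpret
        if ent.namespace != namespace or ent.authority != authority:
            continue   # membership claims from unexpected issuers carry no weight
        if ent.path != tuple(required_path):
            continue   # exact match only: no implicit parent-group membership
        if required_role is not None and ent.role != required_role:
            continue
        return True
    return False


if __name__ == "__main__":
    # Constructed sample values; namespace, authority, groups and LoA labels are
    # placeholders for whatever identifiers the proxy actually emits.
    claims = ["urn:mace:egi.eu:group:vo.example.org:admins:role=member#aai.egi.eu",
              "not-an-entitlement"]
    print(parse_entitlement(claims[0]))
    print(authorize(claims, ["IGTF-BIRCH"], "urn:mace:egi.eu", "aai.egi.eu",
                    ("vo.example.org", "admins"), "member", ("IGTF-BIRCH", "AARC-Darjeeling")))
```

The namespace and authority checks matter as much as the group path: an entitlement is only as trustworthy as the <group-authority> it names, so an SP should pin the sources it accepts rather than honour any well-formed value that arrives.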

User-friendly interface for managing OpenID Connect/OAuth 2.0 tokens
- Provides users with an overview of all OpenID Connect/OAuth 2.0 services they have authorised to access their EGI account
- Allows users to see the specific permissions (e.g. read email, offline access, etc.) granted to each service
- Enables users to manage the access/refresh tokens associated with each service: revoke access for individual tokens or for a service as a whole; retrieve access/refresh tokens to be used for federated access to CLI tools/APIs

Integration with RCauth.eu Online CA
- Check-in has been integrated with the production RCauth.eu Online CA
- Users can retrieve X.509 proxies by authenticating through Check-in

Reliable and secure AAI platform
- EGI has always invested in improving and maintaining the reliability and security of its services
- EGI has a mature and complete set of security policies and the processes to enforce them, extended with Check-in-specific policies: Check-in acceptable usage policy; Check-in data protection policy; agreement documents to integrate non-EGI and non-eduGAIN SPs and IdPs and maintain compliance

Work in progress

Check-in Next Steps
- Align with AARC guidelines on expressing group membership and role information
- Align with REFEDS/AARC Assurance Profiles
- Complete integration with EUDAT AAI
- Provide user-friendly interfaces for managing OpenID Connect/OAuth 2.0 tokens
- Support for (de-)provisioning and continuous update of user account information