eduTEAMS platform for collaboration Niels Van Dijk

Presentation transcript:

eduTEAMS platform for collaboration
Niels Van Dijk, eduTEAMS Technical Lead, SURFnet, The Netherlands
DI4R Conference, Krakow, Poland, Sept. 28, 2016

Introducing eduTEAMS
- Service Design: Goals & Requirements, Market Analysis, Service Offering
- Test & Deployment: Pilots, Production deployment
- In Depth: Membership Management, Guest Identities
Speaker notes: Walk through the phases of creating the eduTEAMS service: goals and requirements, design; highlight 2 components; pilots and production.

Challenges for Collaborative Organisations
Challenges in the authentication space:
- Collaborative organisations also work with people outside the scope of R&E communities
- This requires collaborative organisations to peer with other, non-R&E identity providers, or to maintain an additional identity provider
Challenges in the authorisation space:
- Services run by collaborative organisations often need attribute or group information in the context of their collaboration, which is not issued by identity providers
- This requires collaborative organisations to manage and provide additional attributes and groups to their services, independently from the identity provider
Speaker notes: AuthN: people not in eduGAIN. AuthZ: groups and attributes in the context of the VO. Audit trail: who, when, by whom.

GÉANT VO Platform as a Service Project
Goal: investigate the conditions that would allow GÉANT to provide services to support collaborative organisations
- Focus on delivery of technical services
- Out of scope: technical development; policy & LoA development
Activities:
- Gather requirements and priorities with/from communities
- Look at existing tools and technologies
- Look into the delivery model
- Investigate business case & sustainability
- Pilot with communities
- Operations and market
Speaker notes: The Virtual Organisation Platform as a Service project in GÉANT: create and run a service to support collaborative organisations; requirements from communities; use existing software; create a sustainable service; run the service.

Market Analysis
The FIM4R paper (April 2012) was one of the first to articulate collective requirements for using federated AAI for VOs. The VOPaaS project performed a survey among several small and large pan-European VOs to (re-)validate those requirements.
Speaker notes: Conducted a market analysis including the FIM4R paper; interviewed VOs; include AARC findings.

Market Analysis Results
http://www.geant.org/Projects/GEANT_Project_GN4-1/deliverables/D9-2_Market-Analysis-for-Virtual-Organisation-Platform-as-a-Service.pdf

eduTEAMS deployment model
eduTEAMS: a suite of services that supports AAI for virtual organisations
Basic Services:
- For collaborative organisations with generic AAI requirements
- Operated by GÉANT
- Multi-tenant service
- Also for collaborations that are not legal entities
Advanced Services:
- Aimed at collaborative organisations with advanced AAI requirements
- Operated by GÉANT on behalf of a VO
- Single-tenant service
- Somebody, a legal entity, must take responsibility for that data
Speaker notes: Enter eduTEAMS. Complements eduGAIN. A suite of services, which can grow/change/improve over time. Two flavours: Basic and Advanced.

eduTEAMS Basic Services
eduTEAMS Membership Management service:
- VO-specific workflows for onboarding members
- Registry for the VO persistent identifier
- Limited set of attributes
- Accessible through eduGAIN
eduTEAMS Identity Hub:
- One persistent (SAML) IdP for many 'guest' identity providers: social (Google, Twitter, LinkedIn, Facebook); NREN-operated & commercial guest IdPs (UnitedID.org, eduID.se); eGov (STORK) and BankID
- Provides account recovery
- Available and accessible through eduGAIN
- Supports the Research and Scholarship entity category
Speaker notes: Membership management.

eduTEAMS Membership Management
For R&E communities:
- Manage your own onboarding workflows
- Helps to formalise membership management
- Gather additional attributes beyond those from identity providers
- Delegate authorisation over membership to the right people
For federation operators:
- Many federations have no support for collaborative organisations in their communities
- eduTEAMS may be offered and supported through the federation
- Federations may offer additional services on top of eduTEAMS to enhance collaboration (inter)nationally for their communities

eduTEAMS Identity Hub
- Leverages the 'patchwork' of external identity providers
- Lets the user choose their favourite ID provider
- Provides one integration point for many guest ID solutions
- Usable from within eduGAIN
- Offers a persistent identifier for the user
- Allows account recovery if a guest ID solution 'goes away'
- Presents Level of Assurance (LoA) information about the IdP
- Protects user privacy, as the ID provider cannot look beyond the hub

eduTEAMS Basic Services ecosystem (diagram): External IdP -> eduTEAMS Identity Hub -> IdP -> Service Provider (AuthN: ID + attributes); eduTEAMS Membership Management (COmanage, VOOT AA, SAML AA) -> Service Provider.

eduTEAMS in AARC Reference architecture

eduTEAMS Membership Management - flow (diagram)
(1) Service Provider -> IdP / eduTEAMS Identity Hub: authenticate
(2) Service Provider -> eduTEAMS Membership Management (COmanage, VOOT AA, SAML AA): get persistent identifier & VO-specific groups and attributes

eduTEAMS Identity Hub (diagram): eduTEAMS Identity Hub -> Your Service; persistent ID, LoA, account recovery
Speaker notes: Zoom in a bit on the eduTEAMS Identity Hub. Leverage the existing patchwork of ID services. Let the user choose the IdP they want to use. Persistent identity for the services. LoA information.

eduTEAMS Identity Hub demo
- Vanilla SimpleSAMLphp SP
- Multiple IdPs from the eduTEAMS Identity Hub

eduTEAMS login using Google & account linking
Speaker notes: Choose Google. Asked if I want to use account linking so I can later on recover my account.

eduTEAMS IDHub account linking
Speaker notes: Request email and PIN.

eduTEAMS IDHub consent
Speaker notes: Ask for consent, manageable per attribute.

eduTEAMS IDHub – back at the SAML SP
Speaker notes: Back at the SP.
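The Identity Hub and Membership Management flow described above (guest IdP login, a persistent identifier opaque to the SP, account linking for recovery, LoA per guest IdP, VO-managed groups with an audit trail, and per-attribute consent) as a small Python simulation. This is an added example, not eduTEAMS or SURFnet code: the hub secret, the LoA table, the registry dicts, all function names and the sample identities are constructed stand-ins.

```python
import hashlib
import hmac
from datetime import datetime, timezone

# Constructed sample state standing in for the Identity Hub and the
# Membership Management registry (hypothetical names, not eduTEAMS code).
HUB_SECRET = b"constructed-hub-secret"   # stays inside the hub
IDP_LOA = {"google": "low", "eduid.se": "substantial", "bankid": "high"}
LINKED = {}       # (guest issuer, subject) -> persistent hub identifier
MEMBERSHIP = {}   # persistent identifier -> {"groups": set(), "attrs": {}}
AUDIT = []        # the VO's audit trail: who, what, by whom, when

def persistent_id(issuer: str, subject: str) -> str:
    """Keyed hash of the guest identity: stable for the user, opaque to the
    SP, and the guest IdP never learns which SP sits behind the hub."""
    mac = hmac.new(HUB_SECRET, f"{issuer}|{subject}".encode(), hashlib.sha256)
    return mac.hexdigest()[:32] + "@hub.example"

def login(issuer: str, subject: str) -> str:
    """Flow step (1): authenticate at a guest IdP, get the persistent id.
    A linked identity resolves to the id it was linked to, never a new one."""
    pid = LINKED.get((issuer, subject))
    if pid is None:
        pid = persistent_id(issuer, subject)
        LINKED[(issuer, subject)] = pid
    return pid

def link_account(pid: str, issuer: str, subject: str) -> None:
    """Account linking: a second guest identity maps to the same persistent
    id, so memberships survive if the first guest IdP 'goes away'."""
    LINKED[(issuer, subject)] = pid

def add_to_group(pid: str, group: str, by: str) -> None:
    """Membership Management: VO-managed group, with an audit trail entry."""
    MEMBERSHIP.setdefault(pid, {"groups": set(), "attrs": {}})["groups"].add(group)
    AUDIT.append((pid, group, by, datetime.now(timezone.utc).isoformat()))

def assertion_for_sp(issuer: str, subject: str, consented: set) -> dict:
    """Flow step (2): aggregate persistent id, LoA and VO groups for the SP,
    releasing only the attributes the user consented to, per attribute."""
    pid = login(issuer, subject)
    member = MEMBERSHIP.get(pid, {"groups": set(), "attrs": {}})
    attrs = {"persistentId": pid, "loa": IDP_LOA.get(issuer, "low"),
             "isMemberOf": sorted(member["groups"]), **member["attrs"]}
    return {k: v for k, v in attrs.items() if k == "persistentId" or k in consented}
```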

Advanced Services
Advanced features are provided on a per-CO basis:
- (advanced) attribute management
- (advanced) group management
- Provisioning, for web and non-web resources, also application-specific connectors
- Service proxy and attribute aggregation
- Accessible through eduGAIN
Speaker notes: Scenarios for advanced services.

What's in it for R&E communities and federation operators
For R&E communities:
- Deploying AAI is complex and subject-matter experts are required
- By using eduTEAMS you can outsource your R&E AAI
- So you can focus on research topics rather than on building AAI solutions
For federation operators:
- Support collaborative organisations in which their communities are participating
- Support their communities in using the eduTEAMS offering
- Connect and support services connected to eduTEAMS
For infrastructure providers:
- Host your services in eduTEAMS Advanced Services
Speaker notes: Recap: why should you use eduTEAMS?

Roadmap
Q4 2016:
- Run pilots with Basic Services, in collaboration with AARC
- Support application integrations
- Investigate new services, e.g. SAML discovery, OpenID Connect gateway
2017:
- Production service for Basic Services
- Finalise specification for Advanced Services
2018:
- Deploy pilots for Advanced Services
- Possibly: pick up new services as developed within GÉANT, AARC or others

Interested in joining the eduTEAMS pilot, or have any queries? Contact us: support@eduteams.org