An authorization service for Virtual Organizations (VO)

Presentation transcript:

An authorization service for Virtual Organizations (VO) using Sympa group manager
Rafael Diaz Maurin, RENATER
15 June 2015, Porto

Federated Identity permits:
-to delegate authentication for a user to its home institution
-to manage authorization within a single institution (using user attributes)

Use case for the VO authorization service
How to easily grant access to a VO web resource for VO members?
[Diagram: Federated Identities - Institution A IdP, Institution B IdP, Guest IdP, SYMPA, VO web resource, VO 1 / VO 2 / VO 3]
At RENATER we have FedID + Sympa infrastructure
Many VOs
VOs with little budgets
Need to manage groups
Authenticate and authorize
An opportunist approach
VOs need to provide access control to their web resources for the VO members.
Users' home institutions don't know about VO members.
Which institution will host the VO?
The Authorization Service for VOs is the solution found by RENATER to meet this need, with reuse of existing infrastructure.
TNC2015, Porto, 15th June An AuthZ service for VOs using Sympa group manager

Sympa's main asset: a user friendly web interface to manage groups
All in one place
The web interface for group management is easy to use:
-for research communities
-for teachers
-for Jane Doe
-for John Doe
[Screenshots: Add a member, Add multiple members, Edit roles]

Other Sympa assets to manage groups
Sympa has various connectors to populate the groups: SQL, LDAP, SMTP, flat files, Sympa, SOAP, VOOT...
Sympa natively offers 4 different roles
RENATER is in charge of developing the Sympa project
Sympa has been used to manage groups for 18 years

RENATER's Sympa statistics
Sympa is used by many VOs as their main group manager:
-1608 VOs
-930 VOs with more than 10 members
-up to 300,000 members
[Chart: number of groups by domain (most active groups), and the growth over the last fifteen years]

French Federation statistics
243 Identity Providers (IdP)
613 Service Providers (SP)
22243 guest accounts activated; RENATER also runs a guest Identity Provider

The service workflow
[Diagram: Institution A IdP, Institution B IdP, Guest IdP, VO web resource (SP), RENATER Attribute Authority (AA) backed by Sympa groups; steps 1-3 and 5-6 are SAML2 flows, step 4 is an SQL flow]
1. The user accesses the resource and is redirected to their home IdP by the SP
2. The user is authenticated at their home IdP
3. The SP queries the Attribute Authority (AA) with the user's email address (SP --> AA: attribute query with email)
4. The AA gets the user's group memberships from Sympa (AA: attribute resolving)
5. The AA sends back the user's group memberships (AA sends attributes to the SP)
6. Given their group membership, the user is granted access to the resource
How to use the service:
The VO administrator creates a group on the Sympa platform.
The VO administrator allows the protected resource to query Sympa.
The VO administrator populates the group in Sympa.
The resource manager configures the SP to query RENATER's Attribute Authority for Sympa.
The resource manager restricts access to the group.

Implementation
Based on Sympa 6.2 + Shibboleth IdP 2.4.4
Sympa standard installation
Shibboleth IdP configured as an Attribute Authority
Attribute isMemberOf provided through the SAML protocol
DataConnector to query the Sympa database
Migration to Shibboleth IdP V3 expected in July
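The workflow and implementation slides above describe the AA resolving isMemberOf from Sympa's database and the SP restricting access to a group. The following added example (not RENATER's, Sympa's or Shibboleth's code) models those two steps in Python: the table names, the per-group SP allow-list and the sample rows are constructed for the example, and `build_sympa_db`, `resolve_is_member_of` and `sp_access_decision` are hypothetical names.

```python
"""Added example: models the Sympa-backed Attribute Authority (steps 3-5)
and the SP-side group check (step 6). The SQLite schema and rows below are
constructed stand-ins, not the real Sympa schema or the IdP DataConnector."""
import sqlite3

# OID under which the isMemberOf attribute is released (eduPerson schema)
IS_MEMBER_OF = "urn:oid:1.3.6.1.4.1.5923.1.5.1.1"


def build_sympa_db() -> sqlite3.Connection:
    """Constructed stand-in for the Sympa database the AA queries."""
    db = sqlite3.connect(":memory:")
    db.executescript("""
        CREATE TABLE subscriber_table (user_subscriber TEXT, list_subscriber TEXT);
        -- the VO administrator 'allows the protected resource to query Sympa':
        -- modelled here as a per-group allow-list of SP entityIDs (constructed)
        CREATE TABLE group_sp_allow (list_subscriber TEXT, sp_entity_id TEXT);
        INSERT INTO subscriber_table VALUES
            ('jane.doe@inst-a.example', 'vo1'),
            ('jane.doe@inst-a.example', 'filesender-premium'),
            ('john.doe@inst-b.example', 'vo1');
        INSERT INTO group_sp_allow VALUES
            ('vo1', 'https://vo1-resource.example/shibboleth'),
            ('filesender-premium', 'https://filesender.example/shibboleth');
    """)
    return db


def resolve_is_member_of(db: sqlite3.Connection, requester_sp: str, email: str) -> list[str]:
    """AA attribute resolving: return the groups of `email` that the
    requesting SP is allowed to see. A parameterised query keeps the
    SP-supplied email from reaching SQL as code; unknown users get []."""
    rows = db.execute(
        """SELECT s.list_subscriber FROM subscriber_table s
           JOIN group_sp_allow a ON a.list_subscriber = s.list_subscriber
           WHERE s.user_subscriber = ? AND a.sp_entity_id = ?
           ORDER BY s.list_subscriber""",
        (email.strip().lower(), requester_sp),
    ).fetchall()
    return [r[0] for r in rows]


def sp_access_decision(attributes: dict, required_group: str) -> bool:
    """SP side: grant only if isMemberOf carries the required group.
    A missing or empty attribute is a deny (fail closed)."""
    return required_group in attributes.get(IS_MEMBER_OF, [])
```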

FileSender Premium
RENATER will shortly launch its FileSender Premium service (with extra quotas).
Access control will make use of our authorization service for VOs.
The service will be allowed for a metagroup that includes various groups.
Each group (with limited members) will be managed by the institution that paid for the service.

Some resources
A demo is available to test the service: https://groupes-aa.renater.fr/validation
Find documentation here: https://services.renater.fr/groupware/autorisation/index
Contact me IRL during the conference at the poster session
By mail at: rafael.diazmaurin@renater.fr

Thank you for your attention
Thanks to Lukas Hämmerle from SWITCH for his work at RENATER ;-)
I will upload a complete presentation with a technical overview (howto) for:
-federation & web masters
-group managers