AAI Alignment Nicolas Liampotis (based on the work of Mikael Linden) Authentication and Authorisation for Research and Collaboration Nicolas Liampotis (based on the work of Mikael Linden) JRA1, AARC2 GRNET AARC2 Kick-off meeting, Bad Herrenalb 7 June 2017

AAI alignment Platforms EGI CheckIn ELIXIR AAI EUDAT B2ACCESS GÉANT eduTEAMS

AAI alignment Main areas Technical architecture Infrastructure identifier(s) and attributes used Infrastructure identity’s cardinality and lifecycle Protocols and external account linking eduGAIN presence – principles and policies eduGAIN presence – technical Levels of Assurance

AAI comparative analysis results and suggestions Technical architecture EGI CheckIn, ELIXIR AAI and EUDAT B2ACCESS based on similar IdP- SP-Proxy model GÉANT eduTEAMS is a centralised Attribute Provider that IdP-SP- Proxies/Relying Parties can query for extra user attributes Suggestions None

AAI comparative analysis results and suggestions Infrastructure identifier(s) and attributes used All AAIs assign a unique, opaque, non-revocable, non-reassignable infrastructure identifier to users and deliver it to the Relying Parties as the primary user ID Suggestions align user identifier syntax investigate possibility to align Home Organisation affiliation attribute its name and syntax (can proxies assert scope they are not authoritative to?) how it is assigned if it cannot be retrieved from the home organisation IdP at least document the per-platform approaches attribute assurance needed align mapping of attributes to OIDC claims

AAI comparative analysis results and suggestions Infrastructure identity’s cardinality and lifecycle ELIXIR is the only AAI encouraging users to have only one identity; others let the users create multiple identities if they want to EGI and EUDAT identities have a single-valued Home Organisation attribute that is decided at the time of registration and presented to the Relying Parties. ELIXIR has a multi-valued Home Organisation attribute. All AAIs need fresh affiliation information; approaches vary Suggestions share approaches on data retention (EUDAT has documented approach)

AAI comparative analysis results and suggestions Protocols and external account linking All AAIs support SAML2 authentication EGI, ELIXIR and EUDAT support OAuth2/OIDC towards Authentication providers and Relying Parties eduTEAMS supports attribute queries based on SAML2 and VOOT EGI and EUDAT support IGTF X.509 certificates and locally managed passwords to authenticate the users EGI, ELIXIR and EUDAT support credential translation to X.509 certificates. Suggestions use common SAML profile (SAML2Int or successor) and OIDC profile towards Relying Parties

AAI comparative analysis results and suggestions eduGAIN presence – principles and policies All AAIs automatically trust IdPs from eduGAIN In the case of EGI, R&S and/or Sirtfi may affect the authenticating user’s LoA and service entitlements values eduTEAMS only automatically trusts REFEDS R&S and Sirtfi compliant SPs from eduGIAN Suggestions None

AAI comparative analysis results and suggestions eduGAIN presence – techincal All AAIs exposed in eduGAIN as SPs All AAIs satisfied with an eduGAIN IdP releasing the R&S attribute bundle ELIXIR requests only user’s unique identifiers and affiliation information from Identity Providers in eduGAIN EGI and EUDAT B2ACCESS request also their name, e-mail address eduTEAMS requests and supplies attributes in accordance with the R&S entity category eduTEAMS will also be exposed as Attribute Provider in eduGAIN Suggestions harmonisation of requested attributes from IdPs in eduGAIN (R&S attributes)

AAI comparative analysis results and suggestions Levels of Assurance Each AAI following different approach Suggestions harmonisation of LoA levels (separating things done internally in an infrastructure and the original IdPs) how to position social media identities? how to manage and rank the eduGAIN IdPs? make use of (endorse together?) REFEDS assurance profiles? many-to-one mapping in the platform and the related LoA calculus

mikael.linden@csc.fi