Pilots in AARC Arnout Terpstra (AARC2) / Paul van Dijk (AARC1)

Pilots in AARC
Arnout Terpstra (AARC2) / Paul van Dijk (AARC1), SA1 Activity Coordinators, SURFnet
AARC f2f, June 6 – 8

Overall goals AARC Pilots 2017-2019
- To show the feasibility of establishing an overarching AA infrastructure for Research Communities and e-Infrastructures
- To further consolidate the results of AARC1 and improve technical readiness levels of AAI components
- To introduce and test new emerging AAI solutions and approaches and show their viability in real-life practice
- To improve the adoption of proposed tools and approaches at the research communities and e-infrastructures and check whether they satisfy their needs

Tasks in AARC pilot activity (lead: Arnout Terpstra)
- Task 1: Pilots with user communities based on use cases provided by communities (Kostas Koumantaros & Mario Reale)
- Task 2: Support e-infrastructures to deploy AARC proposed approaches and solutions (Peter Solagna)
- Task 3: Piloting advanced use cases, new solutions and approaches based on the outcomes of JRA1 and NA3 (Ioannis Kakavas)
- Task 4: Creation of showcases, deployment scenarios and documentation based on pilots in AARC to improve adoption of AAI components by the community (Andrea Biancini)

Notes (Task 1):
- Using the AAI of one of the e-infrastructures (EGI): are they able to operate this for the community (pricing, components)? How will branding be done in a multi-tenant environment (at least the user-facing part)? Experience is key.
- In 2020 Elixir would like to hand over to one of the e-infrastructures.
- EPOS is using step-up authentication.
- LIGO currently: self-signup registration, someone else verifies the account.
- Actions: send around pointers to the blueprint and pointers to existing pilots.
- Priorities:
  - Branding and a simplified, scoped flow (from the end-user perspective)
  - Appropriate level of assurance
  - Delegation on behalf of the user (EPOS): could be certificate-based (via RCauth) or OAuth2
  - Attribute management for CTA (step-up authentication)
  - Start from a branded portal, with a WAYF tailored to those institutions that are relevant in the context, then redirect

Mapping of use cases

Community high-level requirements

HELIX NEBULA: Leveraging AARC results with HNSciCloud; connecting services & brokering; leverage the work done by AARC on policies and architectural blueprints; implementing Sirtfi using eduGAIN
EISCAT 3D: Cross-infra use case (integration with EGI/EUDAT/PRACE); controlled, granular access to resources; need for a good LoA scheme for AuthZ
EPOS: Cross-infra use case (integration with EGI/EUDAT/PRACE); delegated federated access (non-interactive); workflows
CTA (INAF): Cross-infra use case (integration with EGI/EUDAT/PRACE); exchange of group information (VOOT); access for citizen scientists
Lifewatch: Services for biodiversity and citizen scientists; integration, access for citizen scientists
BMIs (INSTRUCT, BBMRI, INFRAFRONTIER, ...): AAI for BMSRIs; interoperability, share a common AAI shaped according to the ideas in Elixir; also focus on sustainability and operational aspects
WLCG: Federated access deployment; non-web (SAML-X509); implementation of Sirtfi; solution for a persistent unique ID (ORCID?)
LIGO: Enabling federated access for the LIGO Scientific Collaboration; non-web scenarios

Requirements – Solutions matchmaking: requirement categories
- Attribute Release
- Attribute Aggregation
- User Friendliness
- SP Friendliness
- Credential translation
- Persistent Unique Id
- User Man. Information
- Credential Delegation
- Levels of Assurance
- Guest users
- Step-up AuthN
- Best Practices
- Community based AuthZ
- Non-web-browser
- Social & e-Gov IDs
- Incident Response

Requirements – Solutions matchmaking (diagram: the requirement categories from the previous slide, plus "Cross-infra", placed against the communities; the per-community requirement tags are repeated on the following slides)

CORBEL, Instruct, Westlife, BBMRI, Elixir (11 e-infras/communities in total)
Introduction
- Dealing with many LSH communities with different levels of AAI maturity
- Dealing with sensitive data (!)
- Some proxies already in place and the proxy approach is supported
Problem space
- Thoroughly described already in CORBEL WP5
- Difficulties to include all IdPs/users: opt-out of eduGAIN due to data protection rules
- Need LoA policies to be implemented
- User experience needs to be improved, e.g. include homeless users in one consistent way, but an operational model for such an EU-wide service is lacking
- Need for a sound solution for non-web scenarios
- SPs should be able to request a certain LoA
- This consortium does not want to run their own AAI
Ideas/approaches
- Can vetting be done by representatives of national nodes for all 15 community partners?
- Can we learn from RCauth in terms of operational models and administrative domains (what to do at EU level, national level, VO level)?
- Non-web scenarios: how about Moonshot?
Requirement tags: Cross-infra, User Man. Information, Community based AuthZ, Persistent Unique Id, Credential translation, Levels of Assurance
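The two requirements that recur across these slides, "appropriate level of assurance" with step-up authentication (Task 1 priorities) and "SPs should be able to request a certain LoA" (above), reduce to one decision a community proxy or SP has to make per login. The following is an added example written for this report, not code from the AARC pilots or any of the communities. It assumes, as the slides do not say, that assurance arrives in a verified assertion as an "acr" value (the REFEDS MFA profile URI meaning multi-factor authentication was performed) and an "eduPersonAssurance" list (REFEDS Assurance Framework identity-proofing values); the service policies are invented. It also generalises beyond the slides in separating what a step-up can fix (authentication strength) from what it cannot (identity proofing, which needs the vetting the slide asks about).

```python
"""Assurance check at a community AAI proxy or service provider.

Added example for this report, not code from the AARC pilots or any of the
communities. Assumptions (not stated on the slides): the assurance
information arrives in a verified assertion or token as an "acr" value
(REFEDS MFA profile URI = multi-factor authentication was performed) and an
"eduPersonAssurance" list (REFEDS Assurance Framework identity-proofing
values IAP/low, IAP/medium, IAP/high). The service policies are invented.
"""
from dataclasses import dataclass
from typing import Optional

REFEDS_MFA = "https://refeds.org/profile/mfa"
IAP_PREFIX = "https://refeds.org/assurance/IAP/"
IAP_RANK = {"low": 1, "medium": 2, "high": 3}


@dataclass
class ServicePolicy:
    name: str
    min_iap: str = "low"       # identity-proofing level the service needs
    require_mfa: bool = False  # whether an MFA authentication is needed


@dataclass
class Decision:
    outcome: str               # "allow", "step-up" or "deny"
    reason: str
    requested_acr: Optional[str] = None  # context to ask for on step-up


def identity_proofing_rank(assurance_values):
    """Highest recognised IAP level among the released values (0 if none).

    Only values with the exact RAF prefix count; anything else (typos,
    self-asserted strings, other namespaces) is ignored, never trusted.
    """
    best = 0
    for value in assurance_values or []:
        if value.startswith(IAP_PREFIX):
            best = max(best, IAP_RANK.get(value[len(IAP_PREFIX):], 0))
    return best


def decide(claims, policy):
    """Allow, step-up or deny one authenticated user for one service.

    `claims` must come from a verified assertion (signature, audience and
    issuer checked, and the issuer trusted to assert assurance values);
    nothing here is read from user-controlled request parameters.
    """
    have = identity_proofing_rank(claims.get("eduPersonAssurance"))
    if have < IAP_RANK[policy.min_iap]:
        # Identity proofing cannot be raised by re-authenticating; the user
        # needs vetting (e.g. by a community representative) first.
        return Decision("deny", f"identity proofing below {policy.min_iap}")
    if policy.require_mfa and claims.get("acr") != REFEDS_MFA:
        # Authentication strength can be raised interactively: send the
        # user back to the IdP requesting the MFA context.
        return Decision("step-up", "MFA required", requested_acr=REFEDS_MFA)
    return Decision("allow", "policy satisfied")


def verify_step_up_response(claims, requested_acr):
    """After step-up, require the IdP to assert exactly what was requested.

    An IdP that does not support the requested context may silently log the
    user in with a weaker one; accepting that would defeat the step-up.
    """
    return claims.get("acr") == requested_acr


if __name__ == "__main__":
    # Constructed sample claims, as a proxy might receive them after login.
    user = {
        "sub": "persistent-4711@idp.example.org",
        "acr": "urn:oasis:names:tc:SAML:2.0:ac:classes:PasswordProtectedTransport",
        "eduPersonAssurance": [IAP_PREFIX + "medium"],
    }
    print(decide(user, ServicePolicy("open-archive")))
    print(decide(user, ServicePolicy("sensitive-data", min_iap="medium",
                                     require_mfa=True)))
```

In a SAML deployment the step-up is a new AuthnRequest carrying the wanted AuthnContextClassRef; in OpenID Connect it is the acr_values parameter. The check in verify_step_up_response is the part most often skipped: an IdP in eduGAIN that ignores the requested context will still return a valid assertion, and the proxy must not treat that as a successful step-up.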

E-infrastructures
Introduction: work focuses on two areas:
- All e-infras start to rely on eduGAIN, so there is a single verified identity source to be used within one e-infra
- Handle cross-infrastructure use cases
Problem space
- Some e-infras still rely on their own IdM solutions (e.g. LDAP syncing)
- Despite some first promising integration steps, there is still a lot of manual/ad-hoc work involved
- Mapping of accounts is a challenge
- Need for solutions to aggregate and exchange attributes between e-infras
- The cross-infrastructure use case will quickly become more prevalent
Ideas/approaches
- Use AARC pilots as a lever to achieve further integration
- After successful operation of pilots, results (harmonisation guidelines) should be implemented at the e-infrastructures (including clear documentation)
- We need operational models for overarching components
- For PRACE, further look into previous work with Unicore/Unity
Requirement tags: Leveraging eduGAIN, Cross-infra use cases, Resource admin friendly, Persistent Unique Id, Exchange of attributes, One accredited CA

CTA/INAF, Lifewatch, EISCAT3D
Introduction
- CTA, collecting info on gamma rays: N = 1000 users, 52 institutions, 3 services. Currently using a legacy LDAP system
- Lifewatch: N = thousands, 20 institutions
- EISCAT3D: N = thousands of users (public/private data)
Problem space
- CTA: long list of requirements, but need group-managed access control. Primarily web-based scenarios
- Lifewatch: serving users from academia and citizen scientists. Resources that need to be shared now still have their own IdM silo
- EISCAT3D: need for moderated and guest access
Ideas/approaches
- Many topics already addressed in AARC1 pilots: map communities to pilots, e.g. link ORCID, eduTEAMS to leverage external AuthN providers
- All 3 communities use EGI services, so integration with and use of EGI middleware is needed
Requirement tags: Community based AuthZ, Attribute Aggregation, Attribute Release, Guest users, Social & e-Gov IDs, Cross-infra
Contacts: CTA Alessandro Costa; Lifewatch Alvaro Lopez; EISCAT3D Ingemar Häggström

WLCG, EPOS, LIGO
Introduction
- WLCG: N = 15000, lots of little AAI bits need to be brought together
- EPOS: N = thousands of users, still in an early phase
- LIGO: N = clusters in UK, USA, Germany
Problem space
- WLCG: mainly certificate-based now. How to bridge eduGAIN IdP users and IGTF certificate users, link accounts, use VOMS together with other AAs (attribute authorities); associate grid with federated accounts
- EPOS: web and non-web based scenarios. Only a small number of federated users now. Need access for citizen scientists as well
- LIGO: already use COmanage. Want to get rid of certificates. Tested with Moonshot in the past; may explore this again
Ideas/approaches
- General impression: need to bridge/close the information gap. Many existing piloted solutions may do the trick already
Requirement tags: Community based AuthZ, Attribute Aggregation, Attribute Release, Non-web-browser, Incident Response, Persistent Unique Id, Guest users
Contacts: EPOS Tomasz Szepieniec
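"Mapping of accounts" on the e-infrastructures slide and "link accounts" for WLCG above both come down to one registry that can resolve an eduGAIN identity and an IGTF certificate to the same community account without letting one user capture another's credential. The following is an added example written for this report, not code from WLCG, EGI or any AARC pilot. It assumes that every credential is identified by the pair (issuer, local identifier): the asserting IdP's entityID plus its persistent identifier for a federated user, the issuing CA's DN plus the subject DN for a certificate user. The registry, session format and all names are invented for illustration.

```python
"""Linking a federated identity and a certificate identity to one community account.

Added example for this report, not code from WLCG, EGI or any AARC pilot.
It assumes each credential is identified by (issuer, local identifier):
an eduGAIN user by the asserting IdP's entityID plus its persistent
identifier, a certificate user by the issuing CA's DN plus the subject DN.
The registry, session format and all names are invented for illustration.
"""
from dataclasses import dataclass, field
from typing import Dict, Optional, Set, Tuple
import secrets

# Keying on the local identifier alone would let "jdoe" from two different
# IdPs, or the same subject DN under two CAs, collide and inherit each
# other's group memberships.
CredentialKey = Tuple[str, str]


@dataclass
class Account:
    community_id: str
    credentials: Set[CredentialKey] = field(default_factory=set)
    groups: Set[str] = field(default_factory=set)


class AccountRegistry:
    """In-memory community account store with a credential index."""

    def __init__(self):
        self.accounts: Dict[str, Account] = {}
        self.by_credential: Dict[CredentialKey, str] = {}

    def lookup(self, issuer: str, local_id: str) -> Optional[Account]:
        cid = self.by_credential.get((issuer, local_id))
        return self.accounts.get(cid) if cid else None

    def register(self, issuer: str, local_id: str) -> Account:
        """Create a community account for a credential seen for the first time."""
        key = (issuer, local_id)
        if key in self.by_credential:
            raise ValueError("credential already registered")
        acct = Account(community_id="cid-" + secrets.token_hex(8))
        acct.credentials.add(key)
        self.accounts[acct.community_id] = acct
        self.by_credential[key] = acct.community_id
        return acct

    def link(self, session: dict, issuer: str, local_id: str) -> Account:
        """Attach a further credential to the account owning the session.

        Both sides must have authenticated in this session: the owner
        (session["community_id"]) and the credential being added, which must
        appear in session["fresh"], the set of credentials verified during
        this session. A request carrying only a typed-in DN or ePPN is
        refused, so nobody can claim another person's certificate identity.
        """
        key = (issuer, local_id)
        if key not in session.get("fresh", set()):
            raise PermissionError("credential not authenticated in this session")
        if key in self.by_credential:
            raise ValueError("credential already linked to an account")
        acct = self.accounts[session["community_id"]]
        acct.credentials.add(key)
        self.by_credential[key] = acct.community_id
        return acct


if __name__ == "__main__":
    # Constructed scenario: federated login first, then a certificate is linked.
    reg = AccountRegistry()
    acct = reg.register("https://idp.example.org/idp/shibboleth", "persistent-4711")
    acct.groups.add("/vo.example/members")
    ca, dn = "/DC=org/DC=example/CN=Example CA", "/DC=org/DC=example/CN=J Doe"
    session = {"community_id": acct.community_id, "fresh": {(ca, dn)}}
    reg.link(session, ca, dn)
    # A later certificate login now resolves to the same groups.
    print(reg.lookup(ca, dn).groups)
```

Group memberships (the VOMS or attribute-authority side) hang off the community account, not off either credential, so a VO membership granted after a federated login is visible to a non-web client presenting the linked certificate. The "fresh" check is what prevents the linking step itself from becoming the weakest credential in the system.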

Actions for the AARC pilot activity
- We need to find ways to improve mutual understanding of the needs and solutions
- The Blueprint Architecture is a useful tool to explore the needs. Research communities are requested to plot their wished-for situation on the BPA and indicate necessary/unnecessary components (including MUST, SHOULD, COULD, WON'T)
- The team will organise a number of pilot showcase sessions to further explain the deployed pilots and to discuss to what extent they fit the needs of the communities
- We agreed to put all relevant information on the wiki
- Based on the f2f session we concluded that the end-user flow needs to be assessed on user-friendliness as well