Example Use Case for Attribute Authorities and Token Translation Services - the case for eduGAIN Andrea Biancini.

Slides:

Advertisements

Similar presentations

Identity Network Ideals – Heterogeneity & Co-existence

Advertisements

EGI-InSPIRE RI EGI-InSPIRE EGI-InSPIRE RI AAI in EGI Status and Evolution Peter Solagna Senior Operations Manager

Environmental Council of States Network Authentication and Authorization Services The Shared Security Component February 28, 2005.

1 ARPA A regional infrastructure for secure role-based access to RTRT services Ing. Laura Castellani Tuscany Region.

May 22, 2002 Joint Operations Group Discussion Overview Describe the UC Davis Security Architecture Describe Authentication Efforts at UC Davis Current.

WebFTS as a first WLCG/HEP FIM pilot

Identity Management, what does it solve By Gautham Mudra.

Widely Distributed Access Management Tom Barton University of Chicago.

GFIPM Web Services Concept and Normative Standards GFIPM Delivery Team Meeting November 2011.

Online AAI José A. Montenegro GISUM Group Security Information Section University of Malaga Malaga (Spain) Web:

Claims Based Authentication

Cancún - Mexico, Andrea Biancini Towards a Federation as a Service From IdP in the Cloud project to FaaS.

Report from Breakout Session 1.2 Secure Consumerization: the Genuine Trustworthiness Revolution Chair: Craig Lee Rapporteur: Paolo Mazzetti.

Single Sign-On Multiple Benefits via Alaska K20 Identity Federation 20 May 2011 BTOP Partner Meeting Anchorage, Alaska 20 May 2011 BTOP Partner Meeting.

Federated Identity Management for HEP David Kelsey WLCG GDB 9 May 2012.

SAML CCOW Work Item HL7 Working Group Meeting San Antonio - January 2008 Presented by: David Staggs, JD CISSP VHA Office of Information Standards.

Identity Management: A Technical Perspective Richard Cissée DAI-Labor; Technische Universität Berlin

Kuali Identity Management Overview. Why did we write KIM? Common Interface for Kuali Applications Provide a Fully-Functional Product A Single API for:

Shibboleth: An Introduction

OGSA Security Roadmap Discussion GGF5 – 7/24/02. Outline l Introduction l Architecture Goal l Roadmap Goal l Proposed Specs l Challenges l Next Steps.

Access Control and Markup Languages Pages 183 – 187 in the CISSP 1.

Data Access and Security in Multiple Heterogeneous Databases Afroz Deepti.

INTRODUCTION: THE FIRST TRY InCommon eduGAIN Policy and Community Working Group.

Claims-Based Identity Solution Architect Briefing zoli.herczeg.ro Taken from David Chappel’s work at TechEd Berlin 2009.

Scenario w/ WS-Federation to SAML 2.0 interop challenge for Danish public sector The following slides illustrates in a basic manner the technical/security.

Connect. Communicate. Collaborate The MetaData Service Distributing trust in AAI confederations Manuela Stanica, DFN.

Authentication and Authorisation for Research and Collaboration Licia Florio REFEDS Meeting The AARC Project I2 Technology Exchange.

Connect. Communicate. Collaborate Universität Stuttgart A Client Middleware for Token- Based Unified Single Sign On to eduGAIN Sascha Neinert, University.

HELIO Introduction HELIO is designed to help scientists: finding, retrieving, and analyzing data regarding the sun, its related phenomena and their effects.

JRA1.4 Models for implementing Attribute Providers and Token Translation Services Andrea Biancini.

Authentication and Authorisation for Research and Collaboration Christos Kanellopoulos

Connect. Communicate. Collaborate Deploying Authorization Mechanisms for Federated Services in the eduroam architecture (DAMe)* Antonio F. Gómez-Skarmeta.

Transforming Government Federal e-Authentication Initiative David Temoshok Director, Identity Policy and Management GSA Office of Governmentwide Policy.

Example Use Case for Attribute Authorities and Token Translation Services Jens Jensen, EUDAT/AARC/STFC.

PAPI 2 Distributed trust model and AA interoperability.

INTRODUCTION: THE FIRST TRY InCommon eduGAIN Policy and Community Working Group.

EGI-InSPIRE RI EGI-InSPIRE EGI-InSPIRE RI Evolution of AAI for e- infrastructures Peter Solagna Senior Operations Manager.

Presented by: Sonali Pagade Nibha Dhagat paper1.pdf.

Networks ∙ Services ∙ People Mandeep Saini TNC15, Porto, Portugal Virtual organisation Authorisation Management Practices in Research and.

INDIGO – DataCloud WP5 introduction INFN-Bari CYFRONET RIA

Possibilities for Grouper in a cross/inter organizational use Andrea Biancini, Consortium GARR GN3+ F-2-F meeting Stockholm, April.

INDIGO – DataCloud Security and Authorization in WP5 INFN RIA

Networks ∙ Services ∙ People Andrea Biancini #TNC15, Porto, Portugal Implementing Grouper to federate user authorization Federated Authorization.

EGI-InSPIRE RI EGI-InSPIRE EGI-InSPIRE RI Enabling SSO capabilities in the EGI Cloud services Peter Solagna – EGI.eu.

Non Web-based Identity Federations - Moonshot Daniel Kouril, Michal Prochazka, Marcel Poul ISGC 2015.

Connected Identity & the role of the Identity Bus Prabath Siriwardena Director of Security Architecture WSO2.

Authentication and Authorisation for Research and Collaboration AARC/CORBEL Workshop for Life Sciences AAI AARC Draft Blueprint.

Authentication and Authorisation for Research and Collaboration Taipei - Taiwan Mechanisms of Interfederation 13th March 2016 Alessandra.

The FederID project The First Identity Management and Federation Free Software.

L’Oreal USA RSA Access Manager and Federated Identity Manager Kick-Off Meeting March 21 st, 2011.

The IGTF to eduGAIN Bridge

GEOSS Federated Single Sign-On

WLCG Update Hannah Short, CERN Computer Security.

Law Enforcement Information Sharing Program (LEISP) Federated Identity Management Pilot February 27, 2006.

User Community Driven Development in Trust and Identity

eduTEAMS platform for collaboration Niels Van Dijk

Identity Federations - Overview

Data and Applications Security Developments and Directions

Géant-TrustBroker Dynamic inter-federation identity management

Scalability of trust and metadata exchange across federations

Introduction How to combine and use services in different security domains? How to take into account privacy aspects? How to enable single sign on (SSO)

GÉANT project update eduTEAMS - AAI as a Service for Collaborative organisations Introduction Status Pilots New Features – input requested InAcademia –

ESA Single Sign On (SSO) and Federated Identity Management

AARC Blueprint Architecture and Pilots

AIP Disaster Management Using Single-Sign-On

Community AAI with Check-In

Baseline Expectations for Trust in Federation

Check-in Identity and Access Management solution that makes it easy to secure access to services and resources.

Presentation transcript:

Example Use Case for Attribute Authorities and Token Translation Services - the case for eduGAIN Andrea Biancini

The architecture eduGAIN is a SAML based identity federation, in this scenario Attribute Providers has been implemented leveraging two main protocols: the Attribute Authority role for a SAML federation entity, for orline information flows to be retrieved during user login; the VOOT protocol (based on SCHIM) to describe groups and memberships offline from user authentication.

Interactions - AA

Interactions - VOOT VOOT is a protocol for exchanging group information externally to applications. Very simple API:

Benefits and issues The architecture shown permitted to: Distribute the responsibility to provide information about known users to different subjects within the federation. Decouple authentication and authorization processes. AAs in eduGAIN still have some significant limitation: AAs still have some issue regarding privacy and security. User enrolment must be supported to reduce effort.

Conclusions, challenges addressed Permit delegation of the management of user information in a clear and secure way. Provide new architectural elements that could seamlessly integrate with existing architectures (to simplify technical adoption of such a solution by all the participants to the federation). Leverage the existing federations in building the reciprocal trust, needed to guarantee security.