AAI in EGI Status and Evolution

Presentation transcript:

AAI in EGI: Status and Evolution
European Grid Infrastructure
Peter Solagna, Senior Operations Manager, EGI.eu (peter.solagna@egi.eu)

Notes:
- the concept of VOs to support scientific communities
- security issues in general: confidentiality, integrity, accessibility, non-repudiation, delegation, ...
- the 'traditional solution portfolio': PKI, X.509, proxies, VOMS, PERUN, ARGUS
- lowering the access barrier: TCS, robot certificates, the per-user proxy component (from the LToS project)
- emerging solutions: identity federations, eduGAIN
- new activities: AARC, EGI-Engage WP3

EPOS Competence centre kick off

Outline
- Introduction to AAI in a federated environment
- EGI services and solutions for AAI
- Evolution of AAI in EGI
- Examples of AAI service use cases
- Summary

User authentication in a federated environment
Local environment (e.g. one institution, one cluster):
- Users have local accounts, often validated in a face-to-face check with the system administrator
- All the information needed is collected at registration time
Federated environment (e.g. a distributed infrastructure):
- Users do not have local accounts on every service/cluster/centre
- Users own credentials that are recognised by all the service providers in the federation
- Identity providers and service providers must agree on: the information provided to the SP, the level of assurance of the credentials, and the operations of the IdP

User's identity
- A user must be able to authenticate with the same identity on all the distributed services
From the user's point of view:
- Uniform authentication enables cross-site workflows
- Distributed resources are used with the same credential
From the service provider's point of view:
- Uniform authentication improves security operations in a federated environment
- Easier management of users and of their access to resources

Delegation
For some workflows and use cases delegation is an important capability. Applications typically need to:
- access data stored by the user that is not publicly accessible, or save data in the user's storage area
- (portals and science gateways) perform actions on behalf of the user, such as job submission to compute resources
This is usually implemented by impersonation or by delegation:
- Impersonation: the application/service acts as the user, using the user's temporary credentials. Done at the authentication level.
- Delegation: the user enables the service to work on his/her behalf. Done at the authorization level.

Level of assurance
Not all credentials are the same. Examples:
- Very high level of assurance: eID
- High level of assurance, with identity verification: X.509 certificates, many institutional IdPs
- Social media credentials: everyone with an email account can have one
The highest LoA is not always required: for some low-risk activities, low-assurance credentials are usable.
The minimum LoA required is determined by the user community and by the service provider's requirements.

Authorization in a federated environment
- In a federated environment, individual user authorization cannot be handled by the service provider alone: the service provider does not know the user, nor whether he/she should be allowed to perform a specific action
- The authorization rules must therefore use information associated with the user:
  - provided by the IdP
  - provided by the research collaboration that grants users access to resources

Distributed collaboration management in EGI: the Virtual Organization
- Virtual Organization (VO): a group of researchers with common interests, requirements and applications, who need to work collaboratively and/or share resources
- Service providers grant users access to services and resources based on VO membership and on additional attributes, such as roles within the VO and membership of sub-groups within the VO
- VO membership is managed by the VO Manager(s), who is the main contact with EGI and who knows the users and the groups in the collaboration
- New users can be added and removed, enabling/disabling their access rights, without direct intervention of the service providers
- The VO Manager usually does not manage user credentials: a VO is not an IdP

EGI services and solutions for AAI

EGI user authentication: X.509 certificates
- X.509 certificates are the main authentication technology used in EGI
- Trust network of certification authorities (IGTF/EUGridPMA)
- EGI services are configured to accept certificates issued by the Certification Authorities federated within the IGTF
- With one IGTF personal certificate you can authenticate anywhere in EGI

IGTF trust framework
- The Interoperable Global Trust Federation (IGTF) is the body that manages a global trust domain for distributed computing infrastructures worldwide
- The IGTF is split into three regional Policy Management Authorities: EUGridPMA (Europe), APGridPMA (Asia Pacific) and TAGPMA (Americas)
- They establish common policies and guidelines
- They help establish interoperable, global trust relations between providers of e-Infrastructures and cyber-infrastructures, identity providers, and other qualified relying parties
Diagram: trust domain IGTF -> regional Policy Management Authorities -> national-level CAs (Certification Authorities) -> institution-level RAs (Registration Authorities) -> users

How to obtain a certificate
Do you own credentials provided by an IdP federated in one of the national federations that are part of eduGAIN? Then you can most probably access the Terena Certificate Service (TCS) through your NREN and obtain an X.509 certificate without the need to contact a registration authority.

Register in a Virtual Organization
- The user registers with the VO via VOMS, authenticating with his/her personal certificate and requesting membership
- The VO manager approves the request via VOMS
- The VO manager can give specific attributes to users, or insert them into specific groups
- The VO's VOMS service is configured in all the services supporting the VO
Diagram: registering user (personal certificate) -> request membership -> VOMS (VO database) <- approve request, set additional attributes/groups <- VO Manager

Authentication and Authorization workflow
Diagram: trust relations between the user, the Virtual Organization and the service providers

The key is: trust & collaboration
- Authentication and authorization workflows scale with the number of service providers and users
- User identity is verified by the IGTF Certification Authorities, which issue the X.509 certificates; the certificate enables uniform authentication of the user across resource centres
- User communities have the tools to manage the membership and the structure of their users; they contribute to the trust chain and integrate the information provided by the Identity Providers
- Authorization is based on Virtual Organization membership and attributes, not on the single user identity
- The user's capabilities, based on groups and roles within the VO, are reflected in uniform access rights across the sites that support the VO
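The authorization model of the last few slides (access decided by VO membership, groups and roles, never by the individual user's DN) can be shown as a small policy evaluator. The Go program below is an added example written for this page, not code from EGI or from VOMS; the VO name epos.eu, the site policy and the attribute sets are constructed for illustration. It parses VOMS FQANs of the form /VO/group/.../Role=r/Capability=c and evaluates them against a site's local rules, where a rule on a group also covers its sub-groups (matched on the "/group/" prefix, so that "/epos.eu-test" does not satisfy a rule for "/epos.eu"). A malformed attribute fails the whole request rather than being skipped.

```go
package main

import (
	"fmt"
	"strings"
)

// FQAN is a parsed VOMS fully qualified attribute name, e.g.
// "/epos.eu/seismology/Role=VO-Admin/Capability=NULL" (VO name is hypothetical).
type FQAN struct {
	Group      string // group path; the first component is the VO name
	Role       string // empty when Role=NULL or absent
	Capability string // empty when Capability=NULL or absent
}

// ParseFQAN splits an FQAN into group path, role and capability, rejecting
// anything that does not look like a VOMS attribute.
func ParseFQAN(s string) (FQAN, error) {
	var f FQAN
	var groups []string
	seenAttr := false
	if !strings.HasPrefix(s, "/") {
		return f, fmt.Errorf("fqan %q must start with '/'", s)
	}
	for _, part := range strings.Split(s[1:], "/") {
		switch {
		case strings.HasPrefix(part, "Role="):
			f.Role, seenAttr = nullToEmpty(strings.TrimPrefix(part, "Role=")), true
		case strings.HasPrefix(part, "Capability="):
			f.Capability, seenAttr = nullToEmpty(strings.TrimPrefix(part, "Capability=")), true
		case part == "" || seenAttr || strings.ContainsAny(part, "= "):
			return f, fmt.Errorf("fqan %q has a malformed group component %q", s, part)
		default:
			groups = append(groups, part)
		}
	}
	if len(groups) == 0 {
		return f, fmt.Errorf("fqan %q names no VO", s)
	}
	f.Group = "/" + strings.Join(groups, "/")
	return f, nil
}

func nullToEmpty(v string) string {
	if v == "NULL" {
		return ""
	}
	return v
}

// VO returns the VO name, i.e. the first group component.
func (f FQAN) VO() string {
	return strings.SplitN(strings.TrimPrefix(f.Group, "/"), "/", 2)[0]
}

// Rule is one entry of a service's local authorization policy: Action is
// allowed to holders of an FQAN in Group or any of its sub-groups, with Role
// (empty Role = any role). Nothing here refers to an individual user DN.
type Rule struct {
	Action, Group, Role string
}

// Matches reports whether the FQAN satisfies the rule's group and role.
func (r Rule) Matches(f FQAN) bool {
	inGroup := f.Group == r.Group || strings.HasPrefix(f.Group, r.Group+"/")
	return inGroup && (r.Role == "" || r.Role == f.Role)
}

// Authorize decides action for the FQANs carried by a VOMS proxy.
// A malformed attribute fails the whole request (fail closed).
func Authorize(rules []Rule, fqans []string, action string) (bool, error) {
	parsed := make([]FQAN, 0, len(fqans))
	for _, raw := range fqans {
		f, err := ParseFQAN(raw)
		if err != nil {
			return false, err
		}
		parsed = append(parsed, f)
	}
	for _, r := range rules {
		if r.Action != action {
			continue
		}
		for _, f := range parsed {
			if r.Matches(f) {
				return true, nil
			}
		}
	}
	return false, nil
}

// SitePolicy is a constructed example of what one resource centre supporting
// the hypothetical epos.eu VO might configure.
var SitePolicy = []Rule{
	{Action: "submit-job", Group: "/epos.eu"},
	{Action: "write-shared-storage", Group: "/epos.eu/seismology"},
	{Action: "manage-vo", Group: "/epos.eu", Role: "VO-Admin"},
}

func main() {
	// Constructed attribute sets, as a VOMS proxy would carry them: one FQAN per
	// group the user belongs to, plus one per role held.
	alice := []string{"/epos.eu/Role=NULL/Capability=NULL", "/epos.eu/seismology/Role=NULL/Capability=NULL"}
	bob := []string{"/epos.eu/Role=NULL/Capability=NULL", "/epos.eu/Role=VO-Admin/Capability=NULL"}
	for _, c := range []struct{ who, action string; fqans []string }{
		{"alice", "write-shared-storage", alice}, {"bob", "write-shared-storage", bob}, {"bob", "manage-vo", bob},
	} {
		ok, err := Authorize(SitePolicy, c.fqans, c.action)
		fmt.Printf("%s %s: allowed=%v err=%v\n", c.who, c.action, ok, err)
	}
}
```

The point of the example is the shape of the decision: when a VO manager moves a user between groups or grants a role in VOMS, the next proxy the user obtains carries different FQANs and every site that supports the VO changes its answer, without any site editing a per-user access list.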

X.509 proxy certificate
- The X.509 proxy certificate is a short-term credential derived from (and signed with) the user's personal certificate
- In EGI, proxy certificates are used for all non-interactive services and for delegation: a computational task is "shipped" with the user's proxy and can store output data on behalf of the user
- A proxy is self-contained and carries all the information needed to authenticate and authorize the user at the service: the user identity (user certificate info) and the VO membership information, signed by the VOMS that manages the VO
Diagram: X.509 proxy (DN derived from the user certificate) = user certificate info + VO information

Robot certificates and science gateways
- Portals and science gateways can hide the complexity of X.509 from the users
- Users are authenticated and authorized in the portal; the portal/science gateway is responsible for this, and users may or may not have an X.509 certificate
- The portal/science gateway has a robot X.509 certificate: a robot certificate can be stored on a machine and used programmatically to generate proxies, to perform tasks on the Grid on behalf of users
Issues:
- Authentication and logging responsibilities move to the portals
- Users become invisible to the infrastructure (traceability)
- Suitable only for certain types of applications
- Security limitations

Evolution of AAI in EGI

Improving the use of robot certificates
- In the science gateways every user impersonates the owner of the robot certificate: security limitations, inaccurate accounting
- EGI is testing per-user sub-proxies: X.509 proxies generated using a robot certificate, including an additional extension with the user ID; the extension is added by the science gateway
Diagram: X.509 proxy (DN the same for every user of the gateway) = robot certificate info + VO information + user UID

Advantages of the sub-proxy
- User tracking: services get "different" credentials for individual users; it is possible to block one user without blocking all the users of the same robot certificate
- Security: individual users can be isolated, e.g. preventing them from accessing other users' workspaces
- Accounting: account for individual users' usage; report the actual number of real users accessing the infrastructure
- The per-user sub-proxy is being tested within the Long Tail of Science platform, currently under development
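The proxy slide and the two sub-proxy slides above describe one object at two stages: a proxy is a certificate whose subject is the end-entity subject plus one CN, signed by the end-entity key rather than by a CA, and a per-user sub-proxy is the same thing minted from a robot certificate with an extra extension naming the gateway user. The Go program below is an added example written for this page using only the standard library; it is not EGI, VOMS or Globus code. It models an IGTF-style CA, a robot end-entity certificate and per-user sub-proxies, then performs the checks a service would do before acting on the proxy. The VOMS attribute certificate and the RFC 3820 proxyCertInfo extension are left out, and the OID used for the user-ID extension is an assumption, not the one EGI's component uses. One design point the slides do not state: an RFC 5280 chain builder such as Go's will not accept a CA:false certificate as an issuer, so the proxy link has to be verified by the service itself, which the example does by hand.

```go
package main

import (
	"crypto/ecdsa"
	"crypto/elliptic"
	"crypto/rand"
	"crypto/sha256"
	"crypto/x509"
	"crypto/x509/pkix"
	"encoding/asn1"
	"fmt"
	"math/big"
	"reflect"
	"time"
)

var (
	oidCN     = asn1.ObjectIdentifier{2, 5, 4, 3}
	oidUserID = asn1.ObjectIdentifier{1, 3, 6, 1, 4, 1, 99999, 1} // hypothetical OID, an assumption for this example
)

func must[T any](v T, err error) T {
	if err != nil {
		panic(err)
	}
	return v
}

// issue generates a P-256 key and a certificate for it, signed by parentKey
// (self-signed when parentCert is nil). IsCA follows the certSign key usage.
func issue(subject pkix.Name, ku x509.KeyUsage, ttl time.Duration,
	parentCert *x509.Certificate, parentKey *ecdsa.PrivateKey, exts []pkix.Extension) (*x509.Certificate, *ecdsa.PrivateKey) {
	key := must(ecdsa.GenerateKey(elliptic.P256(), rand.Reader))
	tmpl := &x509.Certificate{
		SerialNumber: big.NewInt(time.Now().UnixNano()), Subject: subject,
		NotBefore: time.Now().Add(-time.Minute), NotAfter: time.Now().Add(ttl),
		KeyUsage: ku, IsCA: ku&x509.KeyUsageCertSign != 0, BasicConstraintsValid: true,
		ExtraExtensions: exts,
	}
	if parentCert == nil {
		parentCert, parentKey = tmpl, key
	}
	der := must(x509.CreateCertificate(rand.Reader, tmpl, parentCert, &key.PublicKey, parentKey))
	return must(x509.ParseCertificate(der)), key
}

// NewProxy derives a short-lived proxy from an end-entity certificate (EEC): subject = EEC subject
// plus one CN, signed with the EEC key. A non-empty userID goes into an extension (sub-proxy).
func NewProxy(eec *x509.Certificate, eecKey *ecdsa.PrivateKey, ttl time.Duration, userID string) (*x509.Certificate, *ecdsa.PrivateKey) {
	names := append([]pkix.AttributeTypeAndValue{}, eec.Subject.Names...)
	names = append(names, pkix.AttributeTypeAndValue{Type: oidCN, Value: "proxy"})
	var exts []pkix.Extension
	if userID != "" {
		exts = []pkix.Extension{{Id: oidUserID, Value: must(asn1.Marshal(userID))}}
	}
	return issue(pkix.Name{ExtraNames: names}, x509.KeyUsageDigitalSignature, ttl, eec, eecKey, exts)
}

// ProxyIdentity is the service-side check: EEC chains to a trusted CA, proxy is in date, its subject
// is the EEC subject plus one CN, and it is signed by the EEC key. Returns the identity to account on.
func ProxyIdentity(proxy, eec *x509.Certificate, roots *x509.CertPool, now time.Time) (string, error) {
	if _, err := eec.Verify(x509.VerifyOptions{Roots: roots, CurrentTime: now}); err != nil {
		return "", fmt.Errorf("EEC not trusted: %w", err)
	}
	if now.Before(proxy.NotBefore) || now.After(proxy.NotAfter) {
		return "", fmt.Errorf("proxy outside its validity period")
	}
	pn, en := proxy.Subject.Names, eec.Subject.Names
	if len(pn) != len(en)+1 || !reflect.DeepEqual(pn[:len(en)], en) || !pn[len(en)].Type.Equal(oidCN) {
		return "", fmt.Errorf("proxy subject is not the EEC subject plus one CN")
	}
	// Signature checked by hand: crypto/x509 refuses a CA:false certificate as an issuer.
	pub, ok := eec.PublicKey.(*ecdsa.PublicKey)
	h := sha256.Sum256(proxy.RawTBSCertificate)
	if !ok || proxy.SignatureAlgorithm != x509.ECDSAWithSHA256 || !ecdsa.VerifyASN1(pub, h[:], proxy.Signature) {
		return "", fmt.Errorf("proxy not signed by the EEC key")
	}
	id := eec.Subject.String() // plain proxy: every gateway user looks like the robot
	for _, ext := range proxy.Extensions {
		if ext.Id.Equal(oidUserID) {
			var uid string
			if _, err := asn1.Unmarshal(ext.Value, &uid); err != nil {
				return "", fmt.Errorf("bad user-ID extension: %w", err)
			}
			id += "/userid=" + uid // sub-proxy: individual users become distinguishable
		}
	}
	return id, nil
}

func main() {
	ca, caKey := issue(pkix.Name{CommonName: "Example IGTF CA"}, x509.KeyUsageCertSign|x509.KeyUsageCRLSign, 24*time.Hour, nil, nil, nil)
	robot, robotKey := issue(pkix.Name{Organization: []string{"EGI"}, CommonName: "Robot: science gateway"}, x509.KeyUsageDigitalSignature, 24*time.Hour, ca, caKey, nil)
	roots := x509.NewCertPool()
	roots.AddCert(ca)
	for _, user := range []string{"", "alice", "bob"} { // one robot certificate, several gateway users
		proxy, _ := NewProxy(robot, robotKey, 12*time.Hour, user)
		fmt.Println(ProxyIdentity(proxy, robot, roots, time.Now()))
	}
}
```

The string returned by ProxyIdentity is the key a service would use for per-user accounting, workspace isolation and blocking: with a plain robot proxy it is the same for every gateway user, with a sub-proxy it differs per user while the trust chain (robot EEC, IGTF CA) is unchanged.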

Extend the X.509 mechanism
- For some users approaching EGI the X.509 mechanism is a barrier: they do not have easy access to a Certification Authority, and they would prefer to keep using their institutional credentials
- VOs and Resource Providers implement portals to ease access to the resources
- The most effective solution is to bridge other identity federations (eduGAIN, institutional IdPs) with the EGI AAI:
  - Technical bridge: credential translation, support in the middleware for other AuthN protocols
  - Policy bridge: build trust between SPs and IdPs, enable different levels of trust

Flexible authentication
By extending the current authentication mechanisms we will also give users the flexibility they need:
- Use lower level of assurance credentials for low-risk activities
- Integrate the IdPs currently used by the communities with the EGI services

Enable federated AuthZ
- Provide tools to the users to manage their user communities: distributed Attribute Authorities connected with the users' IdPs, which can also be used within application-specific environments for user authorization
- Maintain uniform authorization across multiple service providers, based on the attributes provided by the user communities
- Apply the collaborative trust approach of EGI to new authentication technologies

eduGAIN and EGI
- eduGAIN is the pan-European federation of national IdP federations; it includes most of the IdPs used by researchers in Europe
Limitations:
- Not all the IdPs are part of eduGAIN federations
- For many use cases a direct IdP <-> SP agreement (paperwork) is required
- Some IdP
The European-funded AARC project aims, among other things, to overcome part of these limitations.

AARC: Authentication and Authorisation for Research and Collaboration
- Support the collaboration model across institutional and sector borders
- Guarantee user privacy and security
- Build on the existing and evolving components: EGI, ESFRI clusters, eduGAIN, national AAI federations, NGIs, IGTF, SCI, SirTFi, ...
- Design, test and pilot any missing components, and integrate them with existing workflows
- Expected starting date: May 1st

Examples of AAI service use cases

High level of assurance
- Strong authentication. Now: X.509 certificate. In the near future: eduGAIN IdP with ID verification, institutional IdP
- Use cases: submit custom applications / run arbitrary code; submit and manage virtual machines; store large amounts of data; access sensitive, protected data

Intermediate level of assurance
- Medium authentication. Now: robot certificates + username/password. In the near future: IdP without ID verification
- Use cases: submit pre-defined applications through science gateways; use PaaS on the cloud; access resources dedicated to the VO and isolated from other VOs

Low level of assurance
- Low authentication. In the near future: social network credentials, Google account, plain EGI SSO
- Use cases: access open data; perform read-only operations on non-sensitive data

Workflow example: now
Diagram: IGTF certificate + VOMS on one path; science gateway with robot certificate + username/password on the other

Workflow example: how EGI can support communities in the AAI integration
Possible scenarios:
- A user community wants to use eduGAIN credentials to access EGI
- A user community wants to use an institutional IdP to access EGI services
EGI could act as a proxy between the IdP(s) and the service providers federated in EGI, and provide attribute authorities to manage the community structure.
Diagram: IdP -> EGI Federation Service Proxy (with Attribute Authority) -> EGI service providers

Summary

Current EGI services for AAI
- EUGridPMA network of Certification Authorities, operated by the NGIs; all EGI services are configured to accept EUGridPMA certificates
- VOMS services to manage VO membership and attributes
- Science gateways, to use other types of authentication (username/password) and robot certificates to access EGI services

Possible future EGI services for AAI
Based on the requirements and use cases:
- Integration with federations and individual IdPs
- Service proxy to easily integrate new IdPs
- Attribute authorities network to manage user membership and regulate authorization
- Credential translation services to integrate the authentication technologies used by the user community with the existing services

Better support for collaborations
The current trust architecture has proven to be scalable and to work:
- Empower the user communities to regulate access to the resources for their users
- Build trust between user communities, service providers and identity providers
Extend this approach by integrating other AuthN technologies in EGI:
- Provide tools to manage attributes using non-X.509 credentials
- Link the attribute authorities with eduGAIN and other IdPs
- Where necessary, bridge diverse AuthN technologies using credential translation services
- Bring the requirements from the CCs and in general from the user communities to the European level, and ensure interoperability with other e-infrastructures through the AARC project