CLARIN AAI, Web Services Security Requirements

Slides:



Advertisements
Similar presentations
Lousy Introduction into SWITCHaai
Advertisements

Building metadata components Dieter Van Uytvanck Max Planck Institute for Psycholinguistics CLARIN-NL Info Session Nijmegen
EGI-InSPIRE RI EGI-InSPIRE EGI-InSPIRE RI AAI in EGI Status and Evolution Peter Solagna Senior Operations Manager
Interoperability aspects in the The Virtual Language Observatory Dieter Van Uytvanck Max Planck Institute for Psycholinguistics
User Attributes; who, where, how many? Daan Broeder TLA – MPI for Psycholinguistics.
Contrail and Federated Identity Management
Advanced Metadata Usage Daan Broeder TLA - MPI for Psycholinguistics / CLARIN Metadata in Context, APA/CLARIN Workshop, September 2010 Nijmegen.
Eunice Mondésir Pierre Weill-Tessier 1 Federated Identity with Ping Federate Project Supervisor: M. Maknavicius-Laurent ASR Coordinator: G. Bernard ASR.
Authentication solutions for Outlook and Office 365 Multi-factor authentication for Office 365 Outlook client futures.
CLARIN and the DSA Paul Trilsbeek The Language Archive Max Planck Institute for Psycholinguistics.
Steven KrauwerLREC20081 CLARIN: Common Language Resources and Technology Infrastructure for the Humanities and Social Sciences Kimmo Koskenniemi (University.
1 Issues in federated identity management Sandy Shaw EDINA IASSIST May 2005, Edinburgh.
Dorian Grid Identity Management and Federation Dialogue Workshop II Edinburgh, Scotland February 9-10, 2006 Stephen Langella Department.
FIM-ig Federated Identity Management Interest Group.
SWITCHaai Team Federated Identity Management.
Co-ordination & Harmonisation of Advanced e-Infrastructures for Research and Education Data Sharing Research Infrastructures Grant Agreement n
CLARIN Common Language Resources and Technology Infrastructure Daan Broeder & Dieter van Uytvanck Max-Planck Institute for Psycholinguistics TF-EMC2 Meeting,
EuroPKI 2008 Manuel Sánchez Óscar Cánovas Gabriel López Antonio F. Gómez Skarmeta University of Murcia Levels of Assurance and Reauthentication in Federated.
External Identity and Authorization in GENI. Topics Federated identity and virtual organizations ABAC Creating and transporting attributes.
CLARIN and the Humanities Daan Broeder The Language Archive – MPI for Psycholinguistics CLARIN EU/NL Workshop on Federated Identity Management CERN, June.
CLARIN Infrastructure Vision (and some real needs) Daan Broeder CLARIN EU/NL Max-Planck Institute for Psycholinguistics.
EMI AAI Strategy & Plans John White / Helsinki Institute of Physics Federated Identity Systems for Scientific Collaborations Workshop , CERN,
Authentication and Authorization Overview Kimmo Koskenniemi, Antti Arppe, Mikael Lindén University of Helsinki, CSC – IT Centre for Science Consortium.
Authentication and Authorisation for Research and Collaboration Licia Florio (GÉANT) Christos Kanellopoulos (GRNET) Service orientation.
CLARIN work packages. Conference Place yyyy-mm-dd
Shibboleth Akylbek Zhumabayev September Agenda Introduction Related Standards: SAML, WS-Trust, WS-Federation Overview: Shibboleth, GSI, GridShib.
AAI WG EMI Christoph Witzig on behalf of EMI AAI WG.
CLARIN Issues Peter Wittenburg MPI for Psycholinguistics Nijmegen, NL.
A Data Category Registry- and Component- based Metadata Framework Daan Broeder et al. Max-Planck Institute for Psycholinguistics LREC 2010.
Recent Developments in CLARIN-NL Jan Odijk P11 LREC, Istanbul, May 23,
Connect. Communicate. Collaborate The authN and authR infrastructure of perfSONAR MDM Ann Arbor, MI, September 2008.
Authentication and Authorisation for Research and Collaboration Licia Florio REFEDS Meeting The AARC Project I2 Technology Exchange.
Authentication and Authorisation for Research and Collaboration Licia Florio AARC Workshop The AARC Project Brussels, 26 October.
Authentication and Authorisation for Research and Collaboration Michał Jankowski, Maciej Brzeźniak AARC General Meeting, Milan.
Authentication and Authorisation for Research and Collaboration Peter Solagna Milano, AARC General meeting Current status and plans.
Authentication and Authorisation for Research and Collaboration Christos Kanellopoulos GRNET Proposed Pilots for Libraries and eGov.
Identity Management in DEISA/PRACE Vincent RIBAILLIER, Federated Identity Workshop, CERN, June 9 th, 2011.
Authorization and Authentication Infrastructure Daan Broeder & Dieter Van Uytvanck Max Planck Institute for Psycholinguistics
Clain update TF-EMC Mikael Linden, CSC.
Connect. Communicate. Collaborate Deploying Authorization Mechanisms for Federated Services in the eduroam architecture (DAMe)* Antonio F. Gómez-Skarmeta.
EUDAT receives funding from the European Union's Horizon 2020 programme - DG CONNECT e-Infrastructures. Contract No B2ACCESS LSDMA.
EMI is partially funded by the European Commission under Grant Agreement RI Federated Grid Access Using EMI STS Henri Mikkonen Helsinki Institute.
EGI-InSPIRE RI EGI-InSPIRE EGI-InSPIRE RI Evolution of AAI for e- infrastructures Peter Solagna Senior Operations Manager.
Networks ∙ Services ∙ People Thomas Bärecke Journée Fédération, Paris Collaboration européenne GÉANT SA5 03/07/2015 SA5 T5 team
Connect communicate collaborate Trust & Identity EC meets GÉANT 19 June 2014 Brussels Valter Nordh, NORDUnet Federation as a Service Task Leader Trust.
A Data Category Registry- and Component- based Metadata Framework Daan Broeder et al. Max-Planck Institute for Psycholinguistics LREC 2010.
Networks ∙ Services ∙ People Nicole Harris UK federation meeting eduGAIN, REFEDS and the UK 23 June 2015 Project Development Officer GÉANT.
Networks ∙ Services ∙ People Marina Adomeit FIM4R meeting Virtual Organisation Platform as a Service VOPaaS Nov 30, 2015, Austria Task Leader,
EMI is partially funded by the European Commission under Grant Agreement RI Security Token Service (STS) Simplified Credential Management Henri.
AAI needs of the Distributed Computing Infrastructures - CLARIN Dieter Van Uytvanck Max Planck Institute for Psycholinguistics
Networks ∙ Services ∙ People Andrea Biancini #TNC15, Porto, Portugal Implementing Grouper to federate user authorization Federated Authorization.
Workshop on Security for Web Services. Amsterdam, April 2010 Applying SAML to Identity Data Exchange.
Networks ∙ Services ∙ People Marina Adomeit TNC16 Conference, Prague Towards a platform for supporting collaboration GÉANT VOPaaS
Authentication and Authorisation for Research and Collaboration Peter Solagna, Nicolas EGI AAI integration experiences AARC Project.
Authentication and Authorisation for Research and Collaboration AARC/CORBEL Workshop for Life Sciences AAI AARC Draft Blueprint.
DARIAH EU AAI consideration K. Skala, D. Davidović, Z. Šojat Lisbon, 22 May 2015.
Authentication and Authorisation for Research and Collaboration Taipei - Taiwan Mechanisms of Interfederation 13th March 2016 Alessandra.
RCauth.eu CILogon-like service in EGI and the EOSC
AAI for a Collaborative Data Infrastructure
eduTEAMS – Current status & Future Plans
Identity Federations - Overview
CLARIN Federated Identity Vision
GÉANT International Networking and Collaboration
ESA Single Sign On (SSO) and Federated Identity Management
Krister Lindén and Ville Oksanen FINCLARIN / University of Helsinki
RCauth.eu CILogon-like service in EGI and the EOSC
Common Solutions to Common Problems
Community AAI with Check-In
eIDAS-enabled Student Mobility
Check-in Identity and Access Management solution that makes it easy to secure access to services and resources.
Presentation transcript:

CLARIN AAI, Web Services Security Requirements Daan Broeder Max-Planck Institute for Psycholinguistics CLARIN EU WP2 Web Services Security meeting Amsterdam May 27

What is CLARIN The CLARIN project is a large-scale pan-European collaborative effort to create, coordinate and make language resources and technology available and readily useable for Language & SSH (Social Sciences & Humanities) researchers. Resources: Lexica, text corpora, multi-media/multi-modal recordings, … Technology: parsers, speech recognizers, editors, … Ever more often available as web services

CLARIN Organization CLARIN is an EU Infrastructure project with 4.2 ME funding for a 3 year preparatory phase started in 2008. Additional funding from national governments, currently at least 16 ME The CLARIN consortium has now 32 partners from 26 EU countries and 132 member organizations CLARIN EU continuation after the preparatory phase likely as an ERIC This is important if only to provide a legal entity that is able to make contracts with outside parties on behalf of the CLARIN community. Rechtspersoon

CLARIN “Holy Grail” Use Case A researcher authenticates at his own organization and creates a “virtual” collection of resources from different repositories. He does this on the basis of browsing a catalogue, searching through metadata, or searching in resource content. He is then able to use a workflow specification tool and have a workflow engine process this virtual collection using reliable distributed web services which he is authorized to use. After evaluation resulting data (including metadata) can be added to a repository setting proper and checked ownership information. This user scenario does not touch all aspects of the CLARIN infrastructure. Things like persistent identifiers and essential registries are not mentioned.

CLARIN AAI It looks that EU wide federated authentication will be solved either by: A future GEANT eduGain solution (confederation of national Identity Federations) Creating CLARIN SP federation and making contracts with the individual IDFs Current state of affairs, CLARIN test federation was successfully demonstrated. However three problems remain unsolved Homeless users. CLARIN members with no national IDF For true SSO functionality requires the CLARIN users to have CLARIN specific user attributes that no IdP will support. E.g. EULA signing Authentication for web services

WS Security/delegation Simple example IdP AS distributed web-services SOAP & REST WS Security should be Not too complex not too many different systems maintainable Auth info federated authentication WS Web App Also for a WS to decide if a user has access it uses information from the IdP (EPPN, affiliation,…) but also from other information sources either locally stored with the WS itself or CLARIN wide (EULAs). delegation (distributed) web-services repository

WS Security/delegation for workflows Authorization records are not shown tokenizer parser semantic tagger WF engine parserA parserB delegation dataflow federated authentication Web App Composite Web service This scenario was added to the GN3 portfolio repository (distributed) web-services

Workflow AAI scenario The web application controlling the workflow engine functions as a SP and allows federated login. The workflow engine can send messages to other web services that assert, with sufficient certainty that the workflow engine acts on behalf of the user. Every web service is then itself capable of performing the same action again: delegating the authority of the user.

Solutions? “always trust the web service” rule. Any registered web service should be trusted if it claims to act on behalf of a specific user. web services identify each other by means of server certificates, user identity itself is not proven solution for a relatively limited number of web services, not a scalable solution. Embody the identity (and thus the authority) of the user in a user certificate (upload, SLCS, …) certificate is then propagated from web service to web service. Use SAML assertions especially the Relayed-Trust (RT) SAML assertion. the workflow engine will use the original authentication assertion it obtained from and build a RT SAML assertion that is specific for itself and the web service it needs to access

Thank you for your attention CLARIN has received funding from the European Community's Seventh Framework Programme under grant agreement n° 212230

Feedback: Privacy Policy Feedback
Do Not Sell My Personal Information
About project: SlidePlayer Terms of Service

© 2024 SlidePlayer.com. Inc. All rights reserved.