eIDAS-enabled Student Mobility

Presentation transcript:

eIDAS-enabled Student Mobility
ESMO Support Infrastructure
www.ESMO-project.eu
GRANT AGREEMENT UNDER THE CONNECTING EUROPE FACILITY (CEF) - TELECOMMUNICATIONS SECTOR AGREEMENT No INEA/CEF/ICT/A2017/1451951

Contents
Flexible ESMO GW deployment
ESMO GW as a Member State HUB
Domain Specific Attributes Support
EWP Network to connect remote HEI APs served by ESMO GWs
ESMO GW Deployments

Flexible ESMO GW Deployment
ESMO GW deployment with its common and generic microservices (ms) and protocol-specific ms for connectivity to SPs, IdPs and APs.
The flexible microservice, multi-protocol architecture enables it to be employed for various scenarios.
Speaker note: Indicate here that the microservice design allows for various deployment scenarios, supporting connectivity to eIDAS and other IdPs for user authentication, and with the AP ms allows retrieval of Domain Specific Attributes.

ESMO GW as a Member State hub
Acts as a Member State (MS) hub for cross-border and national authentication.
Lowers SP integration costs with interfaces readily available in OIDC, SAML and JWT.
Used for managing trusted SP connections towards eIDAS and national IdPs (possibly sector specific).

Domain Specific Attributes
ESMO GW deployments enable SPs not only to authenticate the user but also to query students' academic attributes from trusted sources, to aid Erasmus, student mobility and other services.
Connects to trusted HEI sources, with eIDAS-authenticated identity attributes sent to APs to facilitate record retrieval.
A broad range of academic attributes can be retrieved, and attributes used in eduGAIN are supported.
The wide range of academic attributes can be better served, standardised and developed by the HEI community and need not burden eIDAS.
Note: academic attributes can also provide biographic information (name, D.O.B. etc.) so as to give SP services greater assurance that the academic information is indeed linked to the authenticated user.
Example SP request for eIDAS and academic attributes:
eIDAS attributes: eIDAS Person Identifier, Current Family Name, Current First Name, Date of Birth
Academic attributes (DSA): Academic Identifier, Principal Name, Surname, First Name, Affiliations, Primary Affiliation, HEI, Department, Study Program*, email address, mobile number, Home Organization
* Study Program was proposed but finally not implemented, as there is no existing standard for this attribute.
Speaker note: Reminder slide that ESMO also provides DSA attribute exchange and why it is best served outside of eIDAS, before showing the EWP solution.
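The linkage check mentioned in the note above (biographic attributes in the academic record giving the SP assurance that the record belongs to the authenticated user), as an added Python example that is not part of the ESMO project's code. The eIDAS attribute names follow the attributes listed on the slide; the AP attribute names (sn, givenName, dateOfBirth, eduPersonPrimaryAffiliation), the sample values and the person identifier are constructed for illustration.

```python
"""Added example, not ESMO project code: verify that an academic record
returned by an Attribute Provider (AP) is linked to the eIDAS-authenticated
user by comparing the biographic attributes both sides carry.
Attribute names and sample values are constructed for illustration."""
import unicodedata
from datetime import date, datetime
from typing import Dict, List

# Constructed eIDAS response: person identifier plus biographic attributes.
EIDAS_RESPONSE: Dict[str, str] = {
    "PersonIdentifier": "ES/GR/000000AB12",   # constructed placeholder value
    "CurrentFamilyName": "García López",
    "CurrentGivenName": "MARÍA",
    "DateOfBirth": "1998-04-17",
}

# Constructed AP responses (attribute names assumed for illustration).
AP_RESPONSE_LINKED: Dict[str, str] = {
    "academicIdentifier": "u123456@hei-a.example",
    "sn": "Garcia Lopez",               # same person, diacritics dropped
    "givenName": "Maria",
    "dateOfBirth": "17/04/1998",        # AP uses a different date format
    "eduPersonPrimaryAffiliation": "student",
}

AP_RESPONSE_OTHER_PERSON: Dict[str, str] = {
    "academicIdentifier": "u654321@hei-a.example",
    "sn": "Garcia Lopez",
    "givenName": "Maria",
    "dateOfBirth": "17/04/1997",        # name collision, different birth date
    "eduPersonPrimaryAffiliation": "student",
}


def normalise_name(value: str) -> str:
    """Fold case, strip diacritics and collapse whitespace so that
    'García López' and 'GARCIA  LOPEZ' compare equal."""
    decomposed = unicodedata.normalize("NFKD", value)
    without_marks = "".join(c for c in decomposed if not unicodedata.combining(c))
    return " ".join(without_marks.casefold().split())


def parse_date_of_birth(value: str) -> date:
    """Accept the ISO form used by eIDAS and a dd/mm/yyyy form from an AP."""
    for fmt in ("%Y-%m-%d", "%d/%m/%Y"):
        try:
            return datetime.strptime(value, fmt).date()
        except ValueError:
            continue
    raise ValueError(f"unrecognised date of birth format: {value!r}")


def linkage_mismatches(eidas: Dict[str, str], academic: Dict[str, str]) -> List[str]:
    """Return the biographic fields on which the two records disagree.
    An empty list means the academic record is consistent with the eIDAS
    identity; any mismatch should make the SP reject the record."""
    mismatches: List[str] = []
    if normalise_name(eidas["CurrentFamilyName"]) != normalise_name(academic["sn"]):
        mismatches.append("family name")
    if normalise_name(eidas["CurrentGivenName"]) != normalise_name(academic["givenName"]):
        mismatches.append("first name")
    if parse_date_of_birth(eidas["DateOfBirth"]) != parse_date_of_birth(academic["dateOfBirth"]):
        mismatches.append("date of birth")
    return mismatches


def accept_academic_record(eidas: Dict[str, str], academic: Dict[str, str]) -> bool:
    """SP-side decision: only use the academic attributes when they are linked."""
    return not linkage_mismatches(eidas, academic)


if __name__ == "__main__":
    for label, record in (("linked", AP_RESPONSE_LINKED),
                          ("other person", AP_RESPONSE_OTHER_PERSON)):
        if accept_academic_record(EIDAS_RESPONSE, record):
            print(label, "-> accept")
        else:
            print(label, "-> reject, mismatches:", linkage_mismatches(EIDAS_RESPONSE, record))
```

The normalisation step matters in practice: an eIDAS node typically returns names with diacritics and in the registrant's casing, while a student record system may hold an ASCII-folded form, so a byte-for-byte comparison would wrongly reject genuine matches and push operators towards disabling the check altogether.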

EWP Network to connect remote HEI APs served by ESMO GWs
The ESMO GW publishes the ESMO Metadata API in its EWP manifest.
All trusted EWP hosts / ESMO GWs consume the EWP registry and can thus implement the ESMO Metadata API endpoint.
Instead of ESMO publishing all its API endpoints on the EWP, it publishes just the ESMO Metadata API, which in turn publishes all the API services for the API endpoints it supports towards the HEI APs.
The ESMO Metadata API publishes Attribute Request/Response APIs so that APs served by one GW are known to, and can be queried from, all other ESMO GWs and hosts connected to EWP.
Automatic updates of the network topology as new APs are added or are no longer reachable over ESMO GWs.
(Diagram: EWP trusted remote AP Domain Specific Attribute retrieval)
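The registry-anchored consumption of ESMO Metadata API documents described above, as an added Python example that is not ESMO or EWP project code. The real EWP registry and manifests are XML documents; the dictionaries, field names (host, attribute_query_endpoint, served_heis) and hostnames here are constructed for illustration. It goes slightly beyond the slide by also rejecting an endpoint that a trusted host announces under a hostname other than its own, and by showing how the routing table shrinks when a host stops being reachable.

```python
"""Added example, not ESMO/EWP project code: build the table an ESMO GW uses
to route Domain Specific Attribute queries to the GW serving a remote HEI AP.
Only hosts listed in the EWP registry are trusted; document shapes, field
names and hostnames are constructed for illustration."""
from typing import Dict, List, Optional, Set, Tuple
from urllib.parse import urlparse

# Constructed: hosts the EWP registry currently lists as trusted.
EWP_REGISTRY_HOSTS: Set[str] = {"gw.hei-a.example", "gw.ministry-b.example"}

# Constructed: what each host's ESMO Metadata API announces, i.e. which HEI
# APs it serves and the attribute query endpoint for them.
METADATA_DOCUMENTS: List[Dict] = [
    {"host": "gw.hei-a.example",
     "attribute_query_endpoint": "https://gw.hei-a.example/esmo/dsa/query",
     "served_heis": ["hei-a.example"]},
    {"host": "gw.ministry-b.example",
     "attribute_query_endpoint": "https://gw.ministry-b.example/esmo/dsa/query",
     "served_heis": ["hei-b.example", "hei-c.example"]},
    # Constructed: a host absent from the registry that claims to serve hei-a.
    {"host": "gw.rogue.example",
     "attribute_query_endpoint": "https://gw.rogue.example/esmo/dsa/query",
     "served_heis": ["hei-a.example"]},
    # Constructed: a trusted host announcing an endpoint under another domain.
    {"host": "gw.ministry-b.example",
     "attribute_query_endpoint": "https://collector.example/query",
     "served_heis": ["hei-d.example"]},
]


def build_routing_table(
    registry_hosts: Set[str],
    documents: List[Dict],
    reachable_hosts: Optional[Set[str]] = None,
) -> Tuple[Dict[str, str], List[Tuple[str, str]]]:
    """Map each HEI identifier to the query endpoint of the GW serving it.

    Returns (routes, rejected). A document is rejected when its host is not in
    the registry, is currently unreachable, announces an endpoint that is not
    HTTPS under its own hostname, or conflicts with a route already accepted
    from another trusted host (then the first accepted route is kept)."""
    routes: Dict[str, str] = {}
    rejected: List[Tuple[str, str]] = []
    for doc in documents:
        host = doc["host"]
        if host not in registry_hosts:
            rejected.append((host, "not in EWP registry"))
            continue
        if reachable_hosts is not None and host not in reachable_hosts:
            rejected.append((host, "no longer reachable"))
            continue
        endpoint = doc["attribute_query_endpoint"]
        parsed = urlparse(endpoint)
        if parsed.scheme != "https" or parsed.hostname != host:
            rejected.append((host, "endpoint not under announcing host"))
            continue
        for hei in doc["served_heis"]:
            if hei in routes and routes[hei] != endpoint:
                rejected.append((host, f"conflicting route for {hei}"))
                continue
            routes[hei] = endpoint
    return routes, rejected


if __name__ == "__main__":
    routes, rejected = build_routing_table(EWP_REGISTRY_HOSTS, METADATA_DOCUMENTS)
    print("routes:", routes)
    print("rejected:", rejected)
    # Topology update: ministry-b's GW has become unreachable, its APs drop out.
    routes_after, _ = build_routing_table(
        EWP_REGISTRY_HOSTS, METADATA_DOCUMENTS, reachable_hosts={"gw.hei-a.example"})
    print("after update:", routes_after)
```

Rebuilding the table from the registry on every refresh, rather than patching it incrementally, is what makes the "automatic topology update" safe: an AP that is no longer announced, or whose GW has left the registry, disappears from the table without any state to clean up.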

ESMO GW – Affiliated HEI Group Deployment
In this scenario the ESMO GW serves an affiliation of multiple HEIs over various protocols to provide:
trusted HEI SP connectivity to an eIDAS node or proxy
trusted HEI AP connectivity
remote trusted HEI AP connectivity (through the EWP Network)
multi-protocol SSO
multi-federated authentication

ESMO GW – Single HEI Deployment
Two scenarios:
1) The ESMO GW is deployed to serve just one HEI (HEI A) and provides:
trusted HEI SP connectivity to an eIDAS node or proxy
trusted HEI AP connectivity
remote trusted HEI AP connectivity (through the EWP Network)
multi-protocol SSO
multi-federated authentication
2) HEI B implements the ESMO Metadata API on EWP and implements the ESMO DSA Query/Response APIs to query EWP hosts and ESMO GWs.

ESMO GW – AP Deployment
Attribute Providers connected over an ESMO GW can automatically serve attributes to HEI SPs connected by the EWP Network.
Quick integration of APs by configuration alone for SAML2, OAuth 2.0 and OIDC.

ESMO GW – Member State Deployment
This scenario supposes the ESMO GW is operated by a national ministry or academic authority (e.g. an NREN).
Provides trusted GW connectivity through the EWP Network and direct governance over:
trusted HEI SP connectivity to eIDAS
trusted HEI AP connectivity
trusted connectivity to national IdPs
Maintains the ESMO GW operations, e.g. managing keys for its own GW, SP and AP metadata, the EWP manifest, etc.
Sustainability:
add new microservice protocol support as needed
promote and expand the standard set of Academic Attributes
integrate with eduGAIN federations at MS level (with the eIDAS Person Identifier to avoid a second login)
(Diagram: GW nodes)

ESMO GW – Central EU Deployment
This scenario supposes the ESMO GW is operated by a central EU organisation.
Provides pan-European governance of:
trusted HEI SP connectivity to eIDAS in its own MS
trusted HEI AP connectivity
No need for EWP Network integration: HEIs are all directly connected to the central ESMO GW hub.
Issues:
no close relationship / trust with MS HEIs
extra administrative overhead
tromboning effect
Distributed alternative to avoid the above issues:
distribute the specific microservices to the Member States they interwork with, deployed at HEIs or by a national institution
generic common microservices can be deployed in a central virtual environment
(Diagram label: ESMO)

ESMO GW – ESMO Project Deployment
The project scenario deploys a mixture of centralised and distributed ESMO GWs.
ESMO GW in Spain deploys:
eIDAS SAML IdP ms towards the cl@ve proxy towards the eIDAS Node (ES)
SAML2 ms with interfaces towards the UJI SP and 2 APs (UJI and eduGAIN Federation)
ESMO GW in Greece deploys:
eIDAS SAML IdP ms towards the eIDAS Node (GR)
OIDC IdP ms towards the FEIDE proxy towards the eIDAS Node (NO)
OIDC SP ms towards the UAegean SP and the UIA and USN SPs
OAuth 2.0 AP ms towards the UAegean AP and the Norway AP
SAML2 AP ms towards the UAegean AP (eduGAIN Federation)
(Diagram labels: USN, UIA, GW, UJI, UAegean)

Thank you for your attention
Ross Little, ross.little@atos.net
GRANT AGREEMENT UNDER THE CONNECTING EUROPE FACILITY (CEF) - TELECOMMUNICATIONS SECTOR AGREEMENT No INEA/CEF/ICT/A2017/1451951
www.ESMO-project.eu