(Re)using existing AAI experiences and future --- AAI Soapbox --- Jens Jensen, STFC-RAL Terena VAMP, 0-1 Oct 2013.

Background
– Question
– ePTID

Why – Basic Advantages
– Meet needs of existing user communities
– Avoiding managing ids and pwds
– Build on existing work, e-/cyber-infrastructure
– Users get single login (sort of)

Security as a 1st class WP in projects
– Prev: build first, secure later – afterthought
  – Still often is…
– AAI designed in from the start
  – But that requires a usable AAI ready to integrate
  – Supported in useful languages (or SOA)
  – Still hard problems to solve
  – Inconsistent between

Single Sign-On
– Single “account”
– Single password with multiple resources
– Single login (subject to timeout)
  – Typ. 1 hr for Shibboleth
  – Expiry of TGT for Kerberos 5
  – Expiry of GSI proxy (typ. 12 hrs)

Single Sign-On
Pros:
– Improves the user experience
– Reduces password sharing
– Single point to (re)set password
– Password can be validated
Cons:
– Phishing problem
– Serious if credential stolen
– Needs cross-site trust
– LoA not always well defined
– The attribute problem…

The attribute problem(s)
– Attributes not always suitable for service
– IdP rarely knows AuZ attributes
– Consistency of naming values (schemata)
– Users have no control
  – Cf. mobile phone apps

The “Account”
– Holds user identity
  – Identity-related attributes (AuC)
– Holds (sometimes) AuZ attributes / request
– Accounting information, billing
– Linked to credential – proof of possession
– Single identifier / single persistent identifier

Not just true for e-/cyber-infrastructures
– Checking into a hotel
  – Payment (pre or post)
  – Customer leaves without… paying; their jewellery
  – Process – detailed, brokered

Aye, there’s the rub
– Is the user authorised to access the service?
  – Has the user paid / can we make the user pay? (“payment” doesn’t have to be money)
– Can we trace the user if something goes wrong (or very wrong)?

The Rub
– How much information do we (RPs) need about the user?
– How do we ensure it is timely and accurate?

Two Approaches
– Federations
  – Policy defined, processes
  – Minimum LoA
  – RPs and IdPs
– Reputations
  – More unilateral, doesn’t scale
  – More ad hoc

How to build a better user?
– Someone better says something nice
  – VO, or other trusted party
  – Peers: social
– Reputation
– Policies accepted
– Higher LoA

How to build a better user?
– Combining known statements: IdP, AA, federation policies, P2P trust

Why build a better user?
– “Cloudier”
  – Less work needed before accessing a privileged resource
  – (Train and grant) vs (grant and enforce)
– Enable multi-LoA access to resources

Policies need more work
– Users accept RP AUP… how much is that worth?
– Fed policies: home org says user accepts
  – Still the education issue
– Combining policies: site, federation, VO

Actual Project Experiences
– Yes, ePTID is a pain in the bum
  – But it’s what it is for a reason
  – Workaround requires tighter integration
– EUDAT Community
  – Two portals, one presented inside the other
  – Single login actually works!
  – Demonstrated with CLARIN
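
The reason ePTID "is what it is" is that it is pairwise: an IdP derives a different opaque, persistent identifier for every SP, so two separately registered portals cannot match a user by identifier, and a shared identity only appears once they present as one SP (the "tighter integration"). The following is an added illustration, not code from the talk or from any EUDAT or CLARIN component; the construction is loosely modelled on the computed-ID approach Shibboleth IdPs use (the real hash, separator and encoding are assumed to differ), and the salt, entity IDs and user identifier are constructed sample values.

```python
import base64
import hashlib

# Constructed IdP-side secret; a real IdP keeps this in its configuration.
IDP_SALT = b"constructed-example-salt-do-not-reuse"


def targeted_id(source_id: str, sp_entity_id: str, salt: bytes = IDP_SALT) -> str:
    """Derive a persistent, opaque, pairwise identifier for one (user, SP) pair.

    Assumption: loosely modelled on the Shibboleth 'computed ID' idea; only the
    pairwise property matters for this illustration, not the exact construction.
    """
    h = hashlib.sha256()
    h.update(sp_entity_id.encode("utf-8"))   # bound to the relying party ...
    h.update(b"!")
    h.update(source_id.encode("utf-8"))      # ... and to the IdP-internal user id
    h.update(b"!")
    h.update(salt)                           # secret: SPs cannot reverse or collude
    return base64.b64encode(h.digest()).decode("ascii")


def can_link_by_identifier(source_id: str, sp_a: str, sp_b: str) -> bool:
    """True only if SP A and SP B would receive the same identifier for this user."""
    return targeted_id(source_id, sp_a) == targeted_id(source_id, sp_b)


# Constructed entity IDs: two separately registered portals and one shared front SP.
PORTAL_A = "https://portal-a.example.org/shibboleth"
PORTAL_B = "https://portal-b.example.org/shibboleth"
SHARED_SP = "https://portal.example.org/shibboleth"
USER = "jdoe@example.edu"        # constructed IdP-internal identifier, never released
OTHER_USER = "asmith@example.edu"


def demo() -> dict:
    """Return the observations a reader should draw from the construction."""
    return {
        # same user, same SP, two logins: the identifier is stable (persistent)
        "persistent": targeted_id(USER, PORTAL_A) == targeted_id(USER, PORTAL_A),
        # same user, two separately registered portals: identifiers differ (pairwise)
        "separate_portals_link": can_link_by_identifier(USER, PORTAL_A, PORTAL_B),
        # two users at the same SP never collide
        "users_distinct": targeted_id(USER, PORTAL_A) != targeted_id(OTHER_USER, PORTAL_A),
        # the identifier reveals nothing about the source id (opaque)
        "opaque": USER not in targeted_id(USER, PORTAL_A),
    }


if __name__ == "__main__":
    for key, value in demo().items():
        print(f"{key}: {value}")
    # Both portals behind one SP entity ID receive the same identifier:
    print("shared SP id:", targeted_id(USER, SHARED_SP))
```

Since only the IdP holds the salt, an SP cannot recompute another SP's identifier for the same user; that is exactly the property that protects users across unrelated services and exactly what makes two cooperating portals integrate tightly (one SP entity ID, or an explicit account-linking step) rather than just comparing identifiers.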

IdP Bridge (diagram)
– Upstream IdPs: Google, Yahoo, Umbrella, WAYF IdP
– AuZ server, DB
– Account creation; LoA set; attribute update (eg )
– Single SP for all IdPs
– Uniform identity presented to the fed core (OAuth AS)

Recommendations
– Give users more control over attributes
– Introduce multi-LoA
– Like data protection – RPs need adequate (just-about-good-enough) LoA and relevant data
– Publish data requirements (eg SLAs)
  – Negotiate (cf WS-AgreementNegotiation)
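
How "combining known statements" from IdP, AA and federation policy, multi-LoA and a published data requirement fit together at an RP is easier to see in code. The block below is an added example, not code from the talk or any of the projects it mentions: it combines an IdP's authentication assertion (capped by a constructed federation LoA table), a VO attribute authority's assertions and a user self-assertion into an access decision, and releases to the RP only the attributes it has published it needs. The three-level LoA scale, the issuer names, attribute values and policies are all constructed; "self" statements are never treated as authoritative, in line with the talk's conclusion.

```python
from dataclasses import dataclass
from typing import Dict, List, Optional, Set, Tuple

# Constructed three-level assurance scale; the talk names no specific LoA profile.
LOA_RANK = {"low": 1, "substantial": 2, "high": 3}

# Constructed federation view: the highest LoA the federation credits each IdP
# with, regardless of what the IdP claims about itself.
FED_LOA_CAP = {
    "https://idp.example.edu": "substantial",
    "https://social.example.com": "low",
}


@dataclass
class Statement:
    """Attributes asserted by one issuer about the current user."""
    issuer: str
    kind: str                   # "idp", "aa" (attribute authority) or "self"
    attributes: Dict[str, str]
    loa: Optional[str] = None   # authentication LoA; only an IdP's claim counts


@dataclass
class ResourcePolicy:
    """What one RP resource needs: a minimum LoA, attributes that must come from
    an authoritative issuer kind, and the published data requirement."""
    min_loa: str
    required: Dict[str, Tuple[Set[str], str]]   # attr -> (accepted values, issuer kind)
    data_needs: Set[str]                        # attributes the RP says it needs


def effective_loa(statements: List[Statement]) -> Optional[str]:
    """IdP-claimed LoA, capped by federation policy for that IdP (lowest wins)."""
    for s in statements:
        if s.kind == "idp" and s.loa in LOA_RANK:
            cap = FED_LOA_CAP.get(s.issuer, "low")   # unknown IdP: credit only 'low'
            return min(s.loa, cap, key=LOA_RANK.__getitem__)
    return None


def asserted_values(statements: List[Statement], attr: str, kind: str) -> Set[str]:
    """Values of attr asserted by issuers of the required kind only."""
    return {s.attributes[attr] for s in statements
            if s.kind == kind and attr in s.attributes}


def authorise(statements: List[Statement], policy: ResourcePolicy) -> Tuple[bool, List[str]]:
    """Combine IdP, AA and federation statements into a decision plus reasons."""
    reasons: List[str] = []
    loa = effective_loa(statements)
    if loa is None or LOA_RANK[loa] < LOA_RANK[policy.min_loa]:
        reasons.append(f"effective LoA {loa} below required {policy.min_loa}")
    for attr, (accepted, kind) in policy.required.items():
        if not asserted_values(statements, attr, kind) & accepted:
            reasons.append(f"{attr} not asserted with an accepted value by a {kind}")
    return (not reasons, reasons)


def released_view(statements: List[Statement],
                  policy: ResourcePolicy) -> Dict[str, List[Tuple[str, str]]]:
    """Keep only attributes the RP published it needs, tagged with who asserted them."""
    view: Dict[str, List[Tuple[str, str]]] = {}
    for s in statements:
        for attr, value in s.attributes.items():
            if attr in policy.data_needs:
                view.setdefault(attr, []).append((s.kind, value))
    return view


# Constructed sample session: one IdP, one VO attribute authority, one self-assertion.
SESSION = [
    Statement("https://idp.example.edu", "idp",
              {"eduPersonTargetedID": "b0f4-constructed", "eduPersonAffiliation": "member",
               "mail": "jdoe@example.edu", "displayName": "J. Doe"},
              loa="high"),
    Statement("https://aa.example-vo.org", "aa",
              {"isMemberOf": "vo:climate",
               "eduPersonEntitlement": "urn:example:climate:analyst"}),
    Statement("user", "self", {"isMemberOf": "vo:climate-admins"}),  # user-claimed only
]

DATA_ACCESS = ResourcePolicy(
    min_loa="substantial",
    required={"isMemberOf": ({"vo:climate"}, "aa"),
              "eduPersonAffiliation": ({"member", "staff", "faculty"}, "idp")},
    data_needs={"eduPersonTargetedID", "isMemberOf", "eduPersonEntitlement"},
)

ADMIN_ACCESS = ResourcePolicy(
    min_loa="high",
    required={"isMemberOf": ({"vo:climate-admins"}, "aa")},
    data_needs={"eduPersonTargetedID", "isMemberOf"},
)

if __name__ == "__main__":
    print("effective LoA:", effective_loa(SESSION))
    print("data access:", authorise(SESSION, DATA_ACCESS))
    print("admin access:", authorise(SESSION, ADMIN_ACCESS))
    print("released to RP:", released_view(SESSION, DATA_ACCESS))
```

Two things the sample session shows: the IdP's own "high" claim is credited only as "substantial" because that is what the federation's policy vouches for, which is enough for the data resource but not the admin one; and the user's self-asserted admin membership is carried in the released view (so the user can see it) but never satisfies a requirement that names the AA as authoritative. "mail" and "displayName" are not in the published data requirement and are not released.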

User Control of Personal Attributes
– Which ones are released from the IdP
– How they are being used (and where)
– Data protection guarantees
  – Not just promises
– How they are used once released
– Withdraw the rights-of-use
– Note the when-is-consent-not-consent from the data protection directive

Compare Contrail use of OAuth
– Delegate rights to obtain credential
  – With AuZ attributes
– Users access the AS to check their delegations

Dramatis Personae
– NRENs, GÉANT, eduGAIN – infrastructure, superfederating, policy
– e-/cyber projects – build
– User projects (ESFRI et al) – policy, integration

Technology View
– Shibboleth
  – Designed to err on the side of caution
  – Lacks flexibility in practical deployments
– Moonshot
  – Superfederation
  – Carrying attributes from IdP (org), or from an AA designated by the IdP org

Conclusion
– Users are not authoritative for their attributes
  – Except for self-assertions (CardSpace, non-org)
– Users should be able to release and control
  – Many users, of course, “just want it to work”
– Multi-fed policies, multi-LoA
  – Combine in sensible ways: fed, community, site, user
– Need for AAAaaS (Piyush Harsh)
– Need community effort

Acks
– This work partially funded by the Contrail and EUDAT FP7 projects
– Special thanks to: Shiraz Memon, FZJ, Germany; Aleš Černivec, XLAB, Slovenia; Willem Elbers, MPI, Netherlands