EMI INFSO-RI-261611 Session Summary AAI Needs for DCIs John White, HIP Christoph Witzig, SWITCH


Outline
– Introduction
– Requirements and Plans of different Communities
– Summary Findings
Note: authN = authentication, authZ = authorization

Introduction
AAI = authentication and authorization infrastructure
DCI = distributed computing infrastructure
AAI-DCI Workshop
– organized as part of EMI workplan
– Indico:
– Milestone document to follow
EMI needs to provide harmonized middleware stack
– Provide user-friendly interface, especially for authenticating to an infrastructure

Questionnaire to Communities (1/2)
Targeted a set of communities with a dependency on an (emerging) infrastructure
– Many tied to an ESFRI project
All are rather large communities distributed over many European countries
Most are rather early in their lifecycle

Questionnaire to Communities (2/2)
1. How are users authenticated?
   1. Which credentials are in use?
   2. How is the user vetting done?
2. Is there a link to national identities?
3. Which types of resources are in use? How are users authorized?
   1. Resources accessed through Grid?
   2. Resources accessed without Grid?
4. Where does the project want to be in ~5 years?
5. Are users and resource owners happy with current authN and authZ schemes?

The vision …

… and the reality

Earthscience Grid (1/2)
Horst Schwichtenberg, Fraunhofer Institute
Access to data is central for ES
– Archived sensor data or derived data from multiple sources and in multiple formats → different providers and different systems
Geographical Information System (GIS)
– WS Specification from Open Geospatial Consortium (OGC) → no specification for authN/authZ
– Work in progress: HTTP authN, HTTP cookies, SSL X.509, SAML, Shibboleth and OpenID

Earthscience Grid (2/2)
Requirements:
– Protect data down to the single user
– Federated identity and single sign-on
  SAML and OAuth, WS-* protocols
  SSO based on Shibboleth and OpenID
– Science gateways to provide access to computing infrastructure (EGI) in the background
  Automatic certificate generation
– Data centers need to protect licensed data and code

Biomedical Community (1/2)
Key requirements:
– Preserve patient privacy
– Copyrighted data processing tools
Current authN:
– X.509 (grid users and French Health Professional smartcards)
Resources:
– EGI storage (SRM) and external data repositories
– Web-based resources

Biomedical Community (2/2)
Goal in ~5 years:
– Homogeneous AA handling in Grid services
– Access control to relational and semantic stores
User’s view:
– AA scheme is irrelevant. Only functionality matters.
– Dedicated solutions often needed in Life Sciences.

CLARIN (1/2)
Dieter Van Uytvanck, MPI for Psycholinguistics
Aim:
– Provide language resources and technologies for humanities and social sciences
Typical use-case:
– On the basis of browsing catalogues and/or searching through data, create a virtual collection and process it through workflows using web services

CLARIN (2/2)
Long term AA objectives:
– Rely on user’s home organization or national AAIs for establishing trust → SAML, Shib
– CLARIN as legal entity to sign contracts with national identity federations
– Rely on eduGAIN to provide trust between national AAIs
Issues raised:
– License acceptance must be solved (special license service)
– Multi-level WAYFs and attribute release consent confusing for the user

Photon Facilities (1/2)
Hans Weyer, PSI
Environment:
– Photon facilities with wide range of research areas and ~30’000 visiting scientists / year
– ~15 synchrotrons in EU, often national facilities
Facilities partly co-operating, partly competing

Photon Facilities (2/2)
AA approach: “Umbrella”
– Use EU-wide, central user identification
  Username, pwd, , birthday
– Local management of additional, site-specific attributes
  Phone, registrations, facility roles, proposals
– Based on SAML
– Note: Do not plan to use national AAIs for authN

ILL – Neutron Science
Neutron facility, very diverse user community
Need federated authentication and management of user’s attributes
authN should provide access to
– Web based applications
– Network connection
– Workstation access

ELIXIR
ESFRI BMS project coordinated by EBI
Very large user community (~1 million users)
Provide access to life science data (genomes, …) for many different sciences
Users are not authenticated; many users find authN unacceptable
Sensitive data (e.g. patient data) handled through special procedures (data custodian)

Lifewatch
Axel Poigné, Fraunhofer
Still in design phase – no decisions taken
Present thoughts:
– X.509 not appropriate
– Use Shibboleth
  Credential translation for access to Grid
  OpenID complementary

HEP
Maarten Litmaath, CERN
Key technologies:
– X.509, IGTF
– VOMS
Issues with Grid security
– Certificates are difficult for users to handle
– Proxy issues, use of primary FQANs
– etc.
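The "use of primary FQANs" issue above, as an added example (not code from the workshop, from VOMS, or from any site mapping tool): a small Python parser for VOMS FQAN strings and a constructed site mapping that decides the local account from the primary FQAN only, i.e. the first FQAN in the proxy. The FQAN values, the MAPPINGS table and the matching rules (a pattern without a Role matches any role; a pattern group also matches its subgroups) are assumptions for illustration, not the semantics of a real mapping tool.

```python
"""Added example, not from the workshop slides: parse VOMS FQANs and show why
the order of FQANs in a proxy (the first one is the "primary" FQAN) changes
the authorization outcome at a site that maps on the primary only.
FQAN strings, the mapping table and the matching rules are constructed."""
from dataclasses import dataclass
from typing import List, Optional, Tuple


@dataclass(frozen=True)
class FQAN:
    vo: str                     # first group component, e.g. "atlas"
    group: str                  # full group path, e.g. "/atlas/prod"
    role: Optional[str]         # None when absent or "NULL"
    capability: Optional[str]   # None when absent or "NULL"


def parse_fqan(text: str) -> FQAN:
    """Parse '/vo[/subgroup...][/Role=r][/Capability=c]' into its parts."""
    if not text.startswith("/"):
        raise ValueError(f"FQAN must start with '/': {text!r}")
    groups: List[str] = []
    role: Optional[str] = None
    capability: Optional[str] = None
    for part in text.split("/")[1:]:
        if part.startswith("Role="):
            role = part[len("Role="):]
        elif part.startswith("Capability="):
            capability = part[len("Capability="):]
        elif part == "":
            raise ValueError(f"empty group component in {text!r}")
        elif role is not None or capability is not None:
            raise ValueError(f"group component after Role/Capability in {text!r}")
        else:
            groups.append(part)
    if not groups:
        raise ValueError(f"FQAN carries no VO/group: {text!r}")

    def null(value: Optional[str]) -> Optional[str]:
        # VOMS writes "NULL" for an unset role or capability; treat it as absent.
        return None if value in (None, "NULL") else value

    return FQAN(groups[0], "/" + "/".join(groups), null(role), null(capability))


# Constructed site policy: (pattern FQAN, local account), checked in order.
MAPPINGS: List[Tuple[str, str]] = [
    ("/atlas/Role=production", "atlasprd"),
    ("/atlas/Role=pilot", "atlaspilot"),
    ("/atlas", "atlas001"),
]


def matches(pattern: FQAN, fqan: FQAN) -> bool:
    """Pattern group matches itself and its subgroups; no Role in the pattern matches any role."""
    in_group = fqan.group == pattern.group or fqan.group.startswith(pattern.group + "/")
    role_ok = pattern.role is None or pattern.role == fqan.role
    return in_group and role_ok


def map_account(proxy_fqans: List[str]) -> Optional[str]:
    """Map on the primary FQAN only (the first one in the proxy)."""
    if not proxy_fqans:
        return None
    primary = parse_fqan(proxy_fqans[0])
    for pattern_text, account in MAPPINGS:
        if matches(parse_fqan(pattern_text), primary):
            return account
    return None


def holds_role(proxy_fqans: List[str], group: str, role: str) -> bool:
    """Order-independent check over every FQAN in the proxy, not just the primary."""
    return any(f.group == group and f.role == role for f in map(parse_fqan, proxy_fqans))


if __name__ == "__main__":
    # The same two attributes in a different order yield a different local account.
    print(map_account(["/atlas/Role=production", "/atlas"]))  # atlasprd
    print(map_account(["/atlas", "/atlas/Role=production"]))  # atlas001
    print(holds_role(["/atlas", "/atlas/Role=production"], "/atlas", "production"))  # True
```

The two `map_account` calls carry identical attribute sets and still land in different accounts, which is the point of the slide's "proxy issues, use of primary FQANs": with primary-only mapping, the proxy holder's choice of FQAN order decides the site-side identity, so a site that audits "who ran as the production account" has to reason about FQAN ordering, not merely about which groups and roles the user holds. `holds_role` is the ordering-independent question to put beside the mapping when reviewing such a policy.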

Other talks
Moonshot: D. Kouril, CESNET
– Goal: enable use of identity federations and SAML for non-web applications
– Target core internet protocols: SSH, SMTP, IMAP, NFSv4, HTTP…
– Started spring 2010
Presentations of
– IGI: V. Ciaschini, INFN
– UK NGI: C. Devereux, STFC

Summary Findings (1/2)
Different communities do have different requirements
User-centric view is mandatory
– Very large and very diverse user communities
– Many users have “modest IT knowledge” and “limited enthusiasm for complex solutions”

Summary Findings (2/2)
Key technologies
– Federated identity / SAML / Shibboleth
  With / without leveraging national AAIs
– X.509 still basis for Grid technology
– SLCS, MICS CA
– Need novel ways to bridge security domains
  ECP support in Shibboleth (useful for portals → Swiss Grid Portal project)
  Security token service (work item in EMI)
  Pseudonymity service (EMI)
  Moonshot
Key requirement for AA solutions:
– Standards-based, interoperable

Should be aware of time lag between development and deployment
But if not all, then most roads lead to Rome