Federated Identity for Scientific Collaborations: Policy Issues Jim Basney 2 nd Workshop on Federated Identity Systems for Scientific.

Slides:

Advertisements

Similar presentations

Scaling TeraGrid Access A Testbed for Attribute-based Authorization and Leveraging Campus Identity Management

Advertisements

EGI-InSPIRE RI EGI-InSPIRE EGI-InSPIRE RI AAI in EGI Status and Evolution Peter Solagna Senior Operations Manager

Case Studies in Identity Management for Scientific Collaboration 2014 Technology Exchange Jim Basney CILogon This material is.

July 18, 2012 XSEDE12 Panel: Security for Science Gateways and Campus Bridging Jim Basney, Randy Butler, Dan Fraser, Suresh Marru, and Craig Stewart go.illinois.edu/xsede12secpanel.

Interfederation subgroup of InCommon Technical Advisory Committee (TAC) spaces.internet2.edu/display/incinterfed.

Federated Identity Management for Research Communities (FIM4R) David Kelsey (STFC-RAL) EGI TF, AAI workshop 19 Sep 2012.

1 Issues in federated identity management Sandy Shaw EDINA IASSIST May 2005, Edinburgh.

INFSO-RI Enabling Grids for E-sciencE JRA3 2 nd EU Review Input David Groep NIKHEF.

National Center for Supercomputing Applications University of Illinois at Urbana-Champaign This material is based upon work supported by the National Science.

Agenda Project beginnings and funding. Purpose of the federation. Federation members. Federation protocols. Special features in our federation. Pilot.

Federated Access to US CyberInfrastructure Jim Basney CILogon This material is based upon work supported by the National Science Foundation.

National Center for Supercomputing Applications University of Illinois at Urbana-Champaign InCommon and TeraGrid Campus Champions Jim Basney

NSF Middleware Initiative: GridShib Tom Barton University of Chicago.

TeraGrid Science Gateway AAAA Model: Implementation and Lessons Learned Jim Basney NCSA University of Illinois Von Welch Independent.

Presenter’s Name InCommon Approximately 80 members and growing steadily More than two million “users” Most of the major research institutions (MIT joining.

FIM-ig Federated Identity Management Interest Group.

SWITCHaai Team Federated Identity Management.

InCommon Forum Fall 2012 Internet2 Member Meeting Wednesday, October 3,

GridShib: Grid-Shibboleth Integration (Identity Federation and Grids) April 11, 2005 Von Welch

CILogon and InCommon: Technical Update Jim Basney This material is based upon work supported by the National Science Foundation under grant numbers

Distributed Web Security for Science Gateways Jim Basney In collaboration with: Rion Dooley Jeff Gaynor

The InCommon Federation The U.S. Access and Identity Management Federation

Distributed Web Security for Science Gateways Jim Basney In collaboration with: Rion Dooley Jeff Gaynor

Open Science Grid For CI-Days Internet2: Fall Member Meeting, 2007 John McGee – OSG Engagement Manager Renaissance Computing Institute.

11-July-2011, SURFnet Heather Flanagan, COmanage Project Coordinator Benn Oshrin, COmanage Developer Scott Koranda, U. Wisconsin – Milwaukee and LIGO.

National Center for Supercomputing Applications University of Illinois at Urbana-Champaign Secure Access to Research Infrastructure via the InCommon Federation.

CILogon OSG CA Mine Altunay Jim Basney TAGPMA Meeting Pittsburgh May 27, 2015.

Climate Sciences: Use Case and Vision Summary Philip Kershaw CEDA, RAL Space, STFC.

InCommon as Infrastructure: How Recommended Practices and Federation Features Help Scale Federated Identity Management Michael R. Gettes, Carnegie Mellon.

Federated Identity Management for HEP David Kelsey WLCG GDB 9 May 2012.

The I-Trust Federation: Federating the University of Illinois Keith Wessel Identity Management Service Manager University of Illinois at Urbana-Champaign.

GridShib: Grid/Shibboleth Interoperability September 14, 2006 Washington, DC Tom Barton, Tim Freeman, Kate Keahey, Raj Kettimuthu, Tom Scavo, Frank Siebenlist,

Evolution of the Open Science Grid Authentication Model Kevin Hill Fermilab OSG Security Team.

Social Identity Working Group Steve Carmody. Agenda Intro to Using Social Accounts Status and Recent News –Current UT Pilot –Current InCommon Pilot with.

Federated Environments and Incident Response: The Worst of Both Worlds? A TeraGrid Perspective Jim Basney Senior Research Scientist National Center for.

Federated Access to US CyberInfrastructure Jim Basney CILogon This material is based upon work supported by the National Science.

COmanage and InCommon: Present and Future Activities and Interactions Heather Flanagan, COmanage Project Coordinator, Internet2.

Identity Management in Open Science Grid Identity Management in Open Science Grid Challenges, Needs, and Future Directions Mine Altunay OSG Security Officer.

7 th FIM 4 R meeting April 2014 ESRIN Frascati.

EResearchers Requirements the IGTF model of interoperable global trust and with a view towards FIM4R AAI Workshop Presenter: David Groep, Nikhef.

INTRODUCTION: THE FIRST TRY InCommon eduGAIN Policy and Community Working Group.

SIF for US Science Michael Helm Esnet 09 June 2011.

Leveraging the InCommon Federation to access the NSF TeraGrid Jim Basney Senior Research Scientist National Center for Supercomputing Applications University.

Authentication and Authorisation for Research and Collaboration Licia Florio AARC Workshop The AARC Project Brussels, 26 October.

Authentication and Authorisation for Research and Collaboration Michał Jankowski, Maciej Brzeźniak AARC General Meeting, Milan.

Authentication and Authorisation for Research and Collaboration Peter Solagna Milano, AARC General meeting Current status and plans.

Challenges of Federated Authentication to TeraGrid and Open Science Grid Jim Basney

European Life Sciences Infrastructure for Biological Information ELIXIR and Identity Management 2 nd Workshop on Federated Identity.

1 Earth System Grid Center for Enabling Technologies ESG-CET Security January 7, 2016 Frank Siebenlist Rachana Ananthakrishnan Neill Miller ESG-CET All-Hands.

Federated Identity Management for HEP David Kelsey HEPiX, IHEP Beijing 18 Oct 2012.

Grid Security and Identity Management Mine Altunay Security Officer, Open Science Grid, Fermilab.

Brown University Leveraging Social Identities Steve Carmody CSG, May 15, 2013.

Growth. Interfederation PKI is globally scalable Unfortunately, its not locally deployable… Federation is locally deployable Can it.

EGI-InSPIRE RI EGI-InSPIRE EGI-InSPIRE RI Evolution of AAI for e- infrastructures Peter Solagna Senior Operations Manager.

Networks ∙ Services ∙ People Nicole Harris UK federation meeting eduGAIN, REFEDS and the UK 23 June 2015 Project Development Officer GÉANT.

Identity Management in Open Science Grid Identity Management in Open Science Grid Challenges, Needs, and Future Directions Mine Altunay, James Basney,

Gridshib-intro-dec051 GridShib An Introduction Tom Scavo NCSA.

Introduction to Shibboleth Attribute Delivery for Campuses New to Shibboleth Paul Caskey The University of Texas System.

David Groep Nikhef Amsterdam PDP & Grid AARC Authentication and Authorisation for Research and Collaboration an impression of the road ahead.

Keeping Your Federation in Shape Discussion with InCommon Technical Advisory Committee Members Jim Basney Scott Cantor Tom Barton.

1 Name of Meeting Location Date - Change in Slide Master Authentication & Authorization Technologies for LSST Data Access Jim Basney

Authentication and Authorisation for Research and Collaboration Peter Solagna, Nicolas EGI AAI integration experiences AARC Project.

Bringing Federated Identity to Grid Computing Dave Dykstra CISRC16 April 6, 2016.

National Center for Supercomputing Applications University of Illinois at Urbana-Champaign This material is based upon work supported by the National Science.

WLCG Update Hannah Short, CERN Computer Security.

LIGO Identity and Access Management

CheckIn: the AAI platform for EGI

Identity & Access Management InCommon Research and Scholarship

TeraGrid Identity Federation Testbed Update I2MM April 25, 2007

Check-in Identity and Access Management solution that makes it easy to secure access to services and resources.

Presentation transcript:

Federated Identity for Scientific Collaborations: Policy Issues Jim Basney 2 nd Workshop on Federated Identity Systems for Scientific Collaborations STFC at Rutherford Appleton Laboratory in the UK 2-3 November 2011

About Me Project staff for: – Open Science Grid ( – XSEDE ( (TeraGrid follow-on) Member: – InCommon Technical Advisory Committee ( – TAGPMA ( Project lead for: – CILogon ( – MyProxy (myproxy.ncsa.uiuc.edu) – GSI-OpenSSH (grid.ncsa.uiuc.edu/ssh) –

What is my definition of a community? Simply: A group of scientists working together, using common cyberinfrastructure Examples: – Virtual Organization in Open Science Grid – Science Gateway in XSEDE – Project in XSEDE – Research and Scholarship community in InCommon – CILogon user community: Ocean Observatories Initiative users DataONE users

What must a community do to be recognized? Register a new Virtual Organization with OSG ( h_OSG/Form_New_VO) Apply for an XSEDE Project allocation ( Register an XSEDE Science Gateway ( Register as an InCommon R&S Service Provider ( Request a custom CILogon instance

Federated ID Use Cases 1.Federating project-managed identities (example: LIGO/Virgo) 2.Linking project-managed identities with external identities – SAML + OpenID + … – International inter-federation 3.Integration across browser and non-browser (thick client, command-line, etc.) apps 4.Multi-tier apps: portals, glide-ins, pilot jobs

Lessons Learned InCommon today supports browser SSO – SAML->X.509 bridges are common for non-web apps (CILogon, TERENA Certificate Service, etc.) – SAML ECP adopted by ~5 InCommon IdPs so far ( Attribute release is a major challenge today for SPs that want to support many IdPs Google OpenID is a popular “catch-all” IdP – US ICAM LOA 1 certified (

Overhead of On-boarding User may need to approve attribute release User may need to provide additional information during a service-specific registration process IdP must scale to many SPs – Attribute release policy using federation managed SP “tags” – Federation metadata for UI elements, public keys, etc. SP must scale to many IdPs – Apply to federation(s), not individual IdPs – Leverage federation metadata as with idP User should not need to IdP and SP administrators to make this work! What do you consider to be an acceptable administrative overhead for a user to connect to a service WRT the actions that the user and actions that the IdP and SP administration have to perform?

Attribute Release Policies Per-Project / Per-SP doesn’t scale Alternatives: – Release defined attribute bundles (targetedID, “directory attributes”), with user consent, to projects/SPs approved (“tagged”) by federation – Handle attribute release problems at SP Automated request to IdP for attribute release Don’t leave user stranded – redirect to “catch-all” IdPs

Can IdPs serve many concurrent and distinct projects? Yes! Motivation – Expensive and inconvenient for every project to operate its own IdP(s) – Better to leverage cost of IdP operations across multiple projects How: General-purpose IdPs – Examples: University IdPs, IGTF CAs, Google OpenID, ProtectNetwork, Globus Online – Projects still need to manage their own attributes

Are there any efforts to bring harmonization of identity attributes across federations? Yes! MACE-Dir ( REFEDS (

References A Roadmap for Using NSF CyberInfrastructure with InCommon ( An Analysis of the Benefits and Risks to LIGO When Participating in Identity Federations ( derationRiskAnalysis.pdf) Federated Security Incident Response (

Thanks! Questions/Comments? Contact: