ESA EO Federated Identity Management Initiatives. A. Baldi (ESA), M. Leonardi (RHEA)

ESA EO Identity Management Evolution

Identity management functions:
- Authentication
- Password Recovery
- Security Enforcement
- Authentication for Java applications
- Authorization
- Secure Storage
- Auditing
- Easy Deployment
- User Registration
- User's Administration
- Reporting
- IT Redundancy

Short Term:
- Internal ESA EO Federation: Attribute Authority, ECP, STS
- Internal/Inter federation: ESA joining IDEM/EDUGAIN

Mid/Long Term:
- Space Identity Management Federation

Identity Management Infrastructure Enhancements

Implementation of additional auditing and reporting services to monitor:
- Infrastructure behaviour
- Users' access
- Data distribution

AAI infrastructure redundancy for High Availability:
- Multiple IDPs/LDAPs distributed on a geographical basis
- Synchronisation of IDPs and LDAPs at transaction level
- Load balancing to optimise resource utilisation

Internal ESA EO Federation (1)

Split of the current ESA EO domain into different administrative domains (e.g. the ESA EO and Copernicus user communities):
- No user duplication
- Improved management of users and services

User profile rationalisation and extension for implementing:
- ESA SP authorisation attributes for EO data dissemination services
- Attributes required for the (inter)federations

Internal ESA EO Federation (2)

Introduction of an ESA EO Attribute Authority in charge of:
- Users' profile management
- Authorisation attribute provisioning

Introduction of a Discovery Service to support the identification of the Federation Identity Providers.

ECP - Enhanced Client or Proxy Profile

EOLI-SA (the ESA EO products discovery/download standalone application) currently uses a Java “JCL” library to implement the EO-SSO authentication. ESA intends to replace the current JCL library with a standard ECP-based implementation for EOLI-SA.

ESA wants to provide alternative applications (e.g. scripting applications in bash, perl, etc.) to allow users to download EO products via non-web applications. The Enhanced Client or Proxy profile is supported by the Shibboleth IDP.
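To make the ECP profile concrete for a non-browser client of the kind the slide describes, the following added example (not ESA or EOLI-SA code, and not taken from the presentation) walks through the three ECP messages offline: the PAOS request headers the client sends to the SP, the SP's SOAP envelope carrying the AuthnRequest, the IdP's SOAP envelope carrying the SAML Response, and the relay step back to the SP. It also performs the check the ECP profile requires of the client: the IdP's AssertionConsumerServiceURL must equal the SP's responseConsumerURL, otherwise the client returns a SOAP fault instead of the SAML response. All hostnames, entity IDs and message IDs are constructed placeholders, the sample envelopes are hand-written, and no network traffic is generated.

```python
"""Offline walk-through of the SAML 2.0 ECP (Enhanced Client or Proxy) exchange for a
non-browser client, including the consumer-URL check the client must perform before
relaying the IdP's answer to the SP.

Added illustration only: not ESA/EOLI-SA code. All endpoints, entity IDs and message
IDs are constructed; nothing here touches the network."""
import xml.etree.ElementTree as ET

NS = {
    "soap": "http://schemas.xmlsoap.org/soap/envelope/",
    "paos": "urn:liberty:paos:2003-08",
    "ecp": "urn:oasis:names:tc:SAML:2.0:profiles:SSO:ecp",
    "samlp": "urn:oasis:names:tc:SAML:2.0:protocol",
    "saml": "urn:oasis:names:tc:SAML:2.0:assertion",
}
for _prefix, _uri in NS.items():
    ET.register_namespace(_prefix, _uri)

# Step 1: the client asks the SP for the resource with these headers, so the SP answers
# with a PAOS/SOAP envelope instead of redirecting to a browser login page.
PAOS_REQUEST_HEADERS = {
    "Accept": "text/html; application/vnd.paos+xml",
    "PAOS": 'ver="urn:liberty:paos:2003-08";"urn:oasis:names:tc:SAML:2.0:profiles:SSO:ecp"',
}

# Constructed SP reply: paos:Request names where the SP expects the final answer.
SP_PAOS_RESPONSE = """<soap:Envelope xmlns:soap="http://schemas.xmlsoap.org/soap/envelope/"
  xmlns:paos="urn:liberty:paos:2003-08" xmlns:ecp="urn:oasis:names:tc:SAML:2.0:profiles:SSO:ecp"
  xmlns:samlp="urn:oasis:names:tc:SAML:2.0:protocol" xmlns:saml="urn:oasis:names:tc:SAML:2.0:assertion">
  <soap:Header>
    <paos:Request soap:mustUnderstand="1" soap:actor="http://schemas.xmlsoap.org/soap/actor/next"
      service="urn:oasis:names:tc:SAML:2.0:profiles:SSO:ecp"
      responseConsumerURL="https://sp.example.org/Shibboleth.sso/SAML2/ECP"/>
    <ecp:Request soap:mustUnderstand="1" soap:actor="http://schemas.xmlsoap.org/soap/actor/next">
      <saml:Issuer>https://sp.example.org/shibboleth</saml:Issuer>
      <samlp:IDPList><samlp:IDPEntry ProviderID="https://idp.example.org/idp/shibboleth"/></samlp:IDPList>
    </ecp:Request>
  </soap:Header>
  <soap:Body>
    <samlp:AuthnRequest ID="_req-constructed-001" Version="2.0" IssueInstant="2016-04-30T10:00:00Z"
      AssertionConsumerServiceURL="https://sp.example.org/Shibboleth.sso/SAML2/ECP">
      <saml:Issuer>https://sp.example.org/shibboleth</saml:Issuer>
    </samlp:AuthnRequest>
  </soap:Body>
</soap:Envelope>"""

# Constructed IdP reply, returned after the client authenticated at the IdP's ECP endpoint.
# A real reply carries a signed saml:Assertion inside samlp:Response; omitted in this sample.
IDP_SOAP_RESPONSE = """<soap:Envelope xmlns:soap="http://schemas.xmlsoap.org/soap/envelope/"
  xmlns:ecp="urn:oasis:names:tc:SAML:2.0:profiles:SSO:ecp" xmlns:samlp="urn:oasis:names:tc:SAML:2.0:protocol">
  <soap:Header>
    <ecp:Response soap:mustUnderstand="1" soap:actor="http://schemas.xmlsoap.org/soap/actor/next"
      AssertionConsumerServiceURL="https://sp.example.org/Shibboleth.sso/SAML2/ECP"/>
  </soap:Header>
  <soap:Body>
    <samlp:Response ID="_resp-constructed-001" Version="2.0" IssueInstant="2016-04-30T10:00:02Z"
      InResponseTo="_req-constructed-001" Destination="https://sp.example.org/Shibboleth.sso/SAML2/ECP">
      <samlp:Status><samlp:StatusCode Value="urn:oasis:names:tc:SAML:2.0:status:Success"/></samlp:Status>
    </samlp:Response>
  </soap:Body>
</soap:Envelope>"""

# The same reply with the header URL altered: a response the client must refuse to relay.
MISMATCHED_IDP_RESPONSE = IDP_SOAP_RESPONSE.replace(
    'AssertionConsumerServiceURL="https://sp.example.org',
    'AssertionConsumerServiceURL="https://other.example.org', 1)


def _tag(prefix, local):
    return "{%s}%s" % (NS[prefix], local)


def _envelope_with_body(child):
    """New SOAP envelope holding only `child`; the ECP-specific headers are never forwarded."""
    env = ET.Element(_tag("soap", "Envelope"))
    ET.SubElement(env, _tag("soap", "Body")).append(child)
    return ET.tostring(env, encoding="unicode")


def parse_sp_envelope(xml_text):
    """Return (responseConsumerURL, [IdP entityIDs], AuthnRequest element) from the SP's reply."""
    root = ET.fromstring(xml_text)
    paos = root.find("soap:Header/paos:Request", NS)
    if paos is None or paos.get("service") != NS["ecp"] or not paos.get("responseConsumerURL"):
        raise ValueError("SP reply is not an ECP PAOS request")
    authn = root.find("soap:Body/samlp:AuthnRequest", NS)
    if authn is None:
        raise ValueError("SP reply carries no samlp:AuthnRequest")
    idps = [e.get("ProviderID") for e in
            root.findall("soap:Header/ecp:Request/samlp:IDPList/samlp:IDPEntry", NS)]
    return paos.get("responseConsumerURL"), idps, authn


def build_idp_request(sp_envelope):
    """Step 2: envelope the client POSTs (Content-Type text/xml) to the chosen IdP's ECP endpoint."""
    _, _, authn = parse_sp_envelope(sp_envelope)
    return _envelope_with_body(authn)


def parse_idp_envelope(xml_text):
    """Return (AssertionConsumerServiceURL from the ecp:Response header, samlp:Response element)."""
    root = ET.fromstring(xml_text)
    hdr = root.find("soap:Header/ecp:Response", NS)
    resp = root.find("soap:Body/samlp:Response", NS)
    if hdr is None or resp is None:
        raise ValueError("IdP reply lacks ecp:Response header or samlp:Response body")
    return hdr.get("AssertionConsumerServiceURL"), resp


def soap_fault(reason):
    """SOAP 1.1 fault sent to the SP in place of a response the client must not relay."""
    fault = ET.Element(_tag("soap", "Fault"))
    ET.SubElement(fault, "faultcode").text = "soap:Client"
    ET.SubElement(fault, "faultstring").text = reason
    return _envelope_with_body(fault)


def relay_to_sp(sp_envelope, idp_envelope):
    """Step 3: what the client POSTs (Content-Type application/vnd.paos+xml) to the SP.

    Returns (url, payload, relayed). The ECP profile requires the client to compare the IdP's
    AssertionConsumerServiceURL with the SP's responseConsumerURL and, on mismatch, to send a
    fault rather than the SAML response, so a response cannot be steered to an endpoint the
    SP did not name."""
    consumer_url, _, _ = parse_sp_envelope(sp_envelope)
    acs_url, saml_response = parse_idp_envelope(idp_envelope)
    if acs_url != consumer_url:
        return consumer_url, soap_fault("AssertionConsumerServiceURL does not match responseConsumerURL"), False
    return consumer_url, _envelope_with_body(saml_response), True


if __name__ == "__main__":
    url, payload, relayed = relay_to_sp(SP_PAOS_RESPONSE, IDP_SOAP_RESPONSE)
    print("relayed to", url, "->", relayed)
    print("mismatched header relayed?", relay_to_sp(SP_PAOS_RESPONSE, MISMATCHED_IDP_RESPONSE)[2])
```

The three functions map onto the three HTTP round trips an ECP client such as a bash or perl download script would make; only the URL comparison and the header stripping are client-side logic, everything else is transported unchanged, which is what makes the profile cheap to implement outside a browser.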

OGC Best Practice

The OGC - Open Geospatial Consortium has approved the “User Management Interfaces for EO Services: OGC ” document as a new OGC Best Practice. The document describes how existing specifications from W3C and OASIS can be used in combination to pass identity information to OGC Web services. The document assumes the use of a Security Token Service for the implementation.

Relevant Scenarios from the OGC Best Practice

The document covers both B2B and C2B scenarios:
- B2B - Business to Business: Authentication & Authorisation via a SAML 2 Security Token Service between systems.
- C2B - Consumer to Business: Authentication & Authorisation where Web SSO shall interact with the B2B service authorisation environment based on SAML tokens.

Some of the scenarios described in the document will be implemented to satisfy the requirements coming from the ESA EO FIM project.

First steps towards the ESA use cases: Re-organising ESA EO FIM Services

The ESA EO Federation needs processes, procedures and tools to be aligned with FIM best practice:
- Detailed census of FIM components (IDPs, SPs)
- Management of IDP and SP metadata, certificates, etc.
- Rules and policies for the ESA EO Internal Federation

Use cases for ESA

- ESA EO Internal Federation (e.g. ESA, Copernicus, etc.)
- ESA EO Mirror Sites: ESA data distributed by 3rd parties (e.g. NASA, VITO); ESA distributing other organisations' data
- Cooperative Scenario amongst federation partners: Sentinel data access; Cooperative LTDP access; Exploitation Platform
- Accepting Social Network Users (e.g. OpenID)

Federation Context (diagram)

Scenarios shown: A. Internal Federation (EO ESA Domain, EO Copernicus Domain); B. ESA EO Mirror Sites; C. Cooperative Scenario; C. Inter Federation Scenario.

Actors and data sets shown: ESA Data (including Copernicus data) and the ESA Users Community; Missions Data (including Sentinels); LTDP Data and Local Communities; NASA/NOAA Data and NASA/NOAA Users Communities; Third Party Data (non-ESA missions); Independent Distributors (e.g. EuroImage, VITO); Social Networks (e.g. Facebook, Google, …) and their Users Communities; Thematic Communities (Scientific, Academic, …); Other Users Communities.

Cooperative Scenario (diagram)

Diagram elements: Data Service Providers; ESA Dissemination Service and Federated Dissemination Service; ESA AAI and the Federated User's Home AAI, each providing Registration, Authentication and Authorisation; Federation Service; ESA Users and Federated Users; Reporting from each party feeding a Federated Reporting.

- Organisations provide their own data and services to any federation member
- Data Policy Agreements shall be established and implemented within the federation
- Users registered at any federated organisation can access data of any other federated member (e.g. Sentinel data)
- Users always authenticate via their own organisation
- Users' access reporting in agreement with federation policies

Space Identity Management Federation Context (diagram)

Diagram elements: Space Identity Management Federation, Europe; space organisations ESA, DLR, EUMETSAT, UK Space Agency, NASA, JAXA, Other.

- Single Sign On for any service supplied by federated space organisations
- Priority is European Organisations
- Interoperability of users among different space organisations
- Easy access to data and services offered by federated space organisations
- Expanding users' access to EO services with no overhead for user management
- Assure the level of trust among space federation partners
- Shorter time-to-market for new services deployment within the space federation
- GSCB as forum for Space federation discussions

Inter Federation Context (diagram)

Diagram elements: Inter Federation Service; Space IM Federation (ESA, EUMETSAT, UK Space Agency, CNES, DLR, Other); GARR-IDEM with Academic Communities (universities, GARR), Scientific Communities (CERN, PSI, CNR...) and Other Communities (arts and humanity, ...); Social Networks (facebook, google, linkedin...).

Extends the already mentioned federation benefits one level more by joining existing federations.

How to join:
- Be a federation: Space IM Federation
- Join an existing federation: Scientific, Academic

Social Networks:
- Users can access data with their google/facebook/linkedin accounts
- Users don't need to remember their specific credentials
- Level of trust not assured

Inter Federation Service: Joining EDUGAIN via IDEM (diagram)

Diagram elements: ESA; GARR-IDEM with Academic Communities (universities, IDEM/GARR), Scientific Communities (CERN, PSI, CNR...) and Other Communities (arts and humanity, ...).

Joining EDUGAIN: ESA plans to join the Italian Federation (IDEM) in order to be part of EDUGAIN.

Pilot project in place (kick off 30 April). Will connect:
- A clone IDP
- A data dissemination server SP

Test scenario: a selection of ESA users accessing community services; provide a sample of ESA EO data to EDUGAIN members.

Goals:
- Assess the ESA EO profile structure/attributes and services to be interoperable
- Go through the exercise of becoming part of an inter federation
- Be ready to have the EO SSO Copernicus Domain ready for federation

What next?

ESA is going to support user requirements via internal projects and collaborations with international partners:
- Kick-off of the FIM internal project for completing the baseline for Identity Management Federation (30 April):
  - Design and implementation of new building blocks for FIM
  - Establish the Internal ESA EO Federation (e.g. Copernicus, Multi Mission, Earth Explorers, etc.)
  - Build capabilities to join existing federations (e.g. IDEM/EDUGAIN)
- Establish technical contact points for preparing the Space FIM:
  - Exchange technical information about the AAI used by the participant organisations
  - Discuss programmatic aspects of a Space FIM (e.g. rules, policy, trust, framework, etc.)
  - Plan for an implementation
- Continue collaboration with FIM4R partners to share ideas/plans