Here Come the Feds
Federated identity management: the consumer’s perspective
Jens Jensen, STFC, on behalf of EUDAT AAI TF
EGI CF, Manchester, April 2013


Background – EUDAT in nuce
• EUDAT is building a data e-infrastructure
  – Support user communities (ESFRI)
      • CLARIN (linguistics, heterogeneous + long tail)
      • ENES (climate)
      • EPOS (Earth obs)
      • VPH (human physiology)
      • LifeWatch (biodiversity)
  – Move data in and out of EUDAT: PRACE, EGI, …
  – Move data between sites (replication)
  – Data storage for individual users

Principles: AAI
• Authentication
  – Make use of existing infrastructures
  – SSO whenever possible
  – Make use of existing code - pragmatic
• Authorisation
  – Link to community rôles (users can be in more than one community)
• Infrastructure
  – Like the grids, secure with IGTF+commercial

Requirements
• Scalable (10**7 users)
• Easy enough to use for “non-technical” users
• Support long tail researchers (aka homeless)
• Portal and command line login
• Mature, robust, performant
• Standards-based
• Work with existing community practices (if pos.)
• Communities manage authorisation policies

Premise
• Support existing user communities
  – CLARIN already using Shib (note the ePTID problem)
  – ENES already use OpenID (in ESGF)
  – Provide “authentication services”
• Federated identity management
  – Must work with iRODS for data storage
  – Must work with GridFTP (and GlobusOnline) for data movement
  – Must work with Invenio (ORCID)

Plan A and Plan B
[Diagram; labels: API, Redirect to EUDAT, Obtain Access Token, Call CA API, Plan A, Plan B]

Evaluations
1. Standalone Shib (or SAML)
2. Work with a single community’s portal
3. Use SimpleSAMLPhp
4. EGI or GEMBUS STS
5. Contrail AAI code – see Yvon’s talk
6. Moonshot

Findings
• Code satisfying most requirements least mature
• Need X.509 – at least internally (GridFTP)
• Need good docs for integrators – and effort!
  – Need to be able to work with betas
• Technical collaborations: EGI, EUDAT, Contrail
• Supporting multiple communities:
  – Ends up being kludgy
  – MyProxy for GO, OAuth2 for ORCID, …
• Requirements change regularly
• Can spend ∞ time on evaluations