VO Identity, Attributes, and Infrastructure: Some Basics.


Topics
- Quick terminology and reference model
- Attributes of attributes
- VOs, identity and access control
- Assessment tools
- VO authentication/authorization
- Demo of real-world examples

The Current World
- A rapidly growing, maturing federated identity infrastructure, increasingly integrated with federal identity and security initiatives
- A peered set of trust anchors (IGTF) that provided X.509 certificates to a number of virtual organizations and shared science resources
- Ad hoc SSH keys being shared
- Proliferation of usernames/passwords, with accompanying security implications
- Widespread usage of shared accounts, with accompanying audit and security implications
- A set of theoretically interoperable OpenID providers serving large masses of social and low-risk applications
- Non-scalable access control mechanisms

SAML federations worldwide – scope

SAML federations worldwide – a bit of size

The evolved model
- The trust infrastructure
  - An international peering of SAML R&E federations, with common attributes and LoA, with some careful integration of other identity approaches (e.g. OpenID)
  - Privacy-preserving real-time inter-realm authentication and attribute exchange
- The collaboration/VO IdM overlay
  - Services that provide integrated VO identity and access management to both domain and collaboration apps
  - Leverages the trust infrastructure, enterprise and VO attributes, etc.

Internet identity
- Two forms of Internet identity have experienced exponential growth in the last few years
  - Federated identity leverages organizational identity, rich attributes and multiple levels of assurance
  - Social identity, represented by Google, MSN, Yahoo!, AOL, Facebook, etc., provides convenient and lightweight identities for many popular sites
- Activities are moving beyond web applications, beyond national borders, and beyond vertical sectors into ubiquity

Why (not) federated identity?
+ Not everyone can have one
  - Home institutions do the vetting of the individual
  - Federations establish a certain minimum level(s) of assurance
  - Federation is seen as institutionally hard but can actually save the institution money and its users time
− Not everyone can have one
  - Higher bar to entry into a collaboration, especially if the home institution is not in a federation

Why (not) social identity?
+ Everyone can have one
  - Do not need to rely on home institutions to “do the right thing” if Google, Facebook, Twitter already have accounts ready
− Everyone can have one
  - No assurance of identity; little confidence in authentication
  - Higher burden on the individual to keep info such as home institution and research area up to date (if that’s important to the VO)
  - Extensive conversation about trust/security/privacy issues – OpenID was not created with a trust framework in mind
  - Don’t interoperate, and Facebook doesn’t play with others…

Integration of forms of Internet identity
- The trick is to use the right identity for the community being served, the needs being served and the risks of exposure
- For the official work of the researcher (domain, collaboration, administration), federated identity offers the security, privacy, and roles needed
- For the outreach work of the research, for stateful access to public materials, etc., OpenID supports the general audience and simple technology

Attributes are important
- They define access control
- They provide the handle for further automation
- They are a useful taxonomy for identity information

Attributes
- federationPerson – national-level info: identifiers, locations, languages, etc. Not for InCommon, yet
- eduPerson – “authenticated member of”: ePPN, ePTId, affiliation, primary affiliation, entitlements
- The classics: orgPerson, inetOrgPerson – names, addresses, physical addresses, phone numbers, faxes, titles, etc.

Attributes and the real world
- Regardless of which standard…
  - They don’t necessarily get populated
  - They get improperly updated
  - The vocabulary doesn’t stay controlled
- It is getting better…

Scalable access control via attributes
- Allows us to avoid the pain of…
  - Dealing with access control on a per-application level
  - Dealing with access control on a person-by-person level
- Think about the workflows
  - Do you need to have citizenship established before further access is granted?
  - Do you need particular training to be completed before further attributes are assigned?
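The two preceding slides (attributes that arrive unpopulated or with uncontrolled vocabulary, and access decisions gated on workflow steps) are what an SP's attribute consumer has to cope with. The following is an added example, not code from the presentation: it takes a released attribute set as a SAML IdP would hand it over, drops values outside the eduPersonAffiliation controlled vocabulary, and fails closed when the principal cannot be identified or a VO workflow prerequisite (training, citizenship) is not on record. The resource policy, the `urn:example:...` entitlement, the sample attribute sets and the workflow records are all constructed for the example.

```python
"""Service-provider side attribute-based access control.

Added example, not from the presentation. The attribute sets are constructed
stand-ins for what a SAML IdP releases to an SP; the resource policy and the
VO workflow records (training, citizenship) are hypothetical."""
from __future__ import annotations
from dataclasses import dataclass, field

# Controlled vocabulary for eduPersonAffiliation as defined in the eduPerson schema.
AFFILIATION_VOCAB = {"faculty", "student", "staff", "employee", "member",
                     "affiliate", "alum", "library-walk-in"}

# Hypothetical per-resource policy: who qualifies, and which VO workflow steps
# must be on record before access is granted.
POLICY = {
    "wiki": {
        "affiliations": {"faculty", "staff", "student", "employee", "member"},
        "entitlements": set(),
        "prereqs": [],
    },
    "instrument-control": {
        "affiliations": {"faculty", "staff"},
        "entitlements": {"urn:example:vo:instrument-operator"},
        "prereqs": ["training_completed", "citizenship_established"],
    },
}


@dataclass
class Decision:
    allow: bool
    reason: str
    problems: list[str] = field(default_factory=list)


def normalize_attributes(released: dict) -> tuple[dict, list[str]]:
    """Clean a released attribute set and report what was wrong with it.

    Values outside the controlled vocabulary are dropped, not trusted; a
    missing or unscoped ePPN leaves no principal to decide about."""
    problems: list[str] = []
    clean: dict = {}
    eppn = released.get("eduPersonPrincipalName")
    if not eppn or "@" not in eppn:
        problems.append("eduPersonPrincipalName missing or not scoped")
    else:
        clean["eppn"] = eppn.strip().lower()
    affiliations = set()
    for value in released.get("eduPersonAffiliation", []):
        value = value.strip().lower()
        if value in AFFILIATION_VOCAB:
            affiliations.add(value)
        else:
            problems.append(f"affiliation outside vocabulary: {value!r}")
    clean["affiliations"] = affiliations
    clean["entitlements"] = {e.strip() for e in released.get("eduPersonEntitlement", [])}
    return clean, problems


def decide(resource: str, released: dict, vo_workflow: dict) -> Decision:
    """Fail closed: unknown resource, unidentifiable principal, no qualifying
    attribute, or an unmet workflow prerequisite all deny."""
    policy = POLICY.get(resource)
    if policy is None:
        return Decision(False, f"no policy for resource {resource!r}")
    attrs, problems = normalize_attributes(released)
    if "eppn" not in attrs:
        return Decision(False, "cannot identify principal", problems)
    via_affiliation = bool(attrs["affiliations"] & policy["affiliations"])
    via_entitlement = bool(attrs["entitlements"] & policy["entitlements"])
    if not (via_affiliation or via_entitlement):
        return Decision(False, "no qualifying affiliation or entitlement", problems)
    record = vo_workflow.get(attrs["eppn"], {})
    missing = [step for step in policy["prereqs"] if not record.get(step, False)]
    if missing:
        return Decision(False, "workflow prerequisites not met: " + ", ".join(missing), problems)
    basis = "affiliation" if via_affiliation else "entitlement"
    return Decision(True, f"granted via {basis}", problems)


# Constructed sample data.
RELEASE_FACULTY = {"eduPersonPrincipalName": "ALICE@example.edu",
                   "eduPersonAffiliation": ["Faculty", "member"],
                   "eduPersonEntitlement": []}
RELEASE_STUDENT = {"eduPersonPrincipalName": "bob@example.edu",
                   "eduPersonAffiliation": ["student"]}
RELEASE_STALE = {"eduPersonPrincipalName": "carol@example.edu",
                 "eduPersonAffiliation": ["professor"]}   # value never in the vocabulary
RELEASE_NO_EPPN = {"eduPersonAffiliation": ["staff"]}
VO_WORKFLOW = {"alice@example.edu": {"training_completed": True, "citizenship_established": True},
               "bob@example.edu": {"training_completed": True}}

if __name__ == "__main__":
    for res, rel in [("instrument-control", RELEASE_FACULTY), ("instrument-control", RELEASE_STUDENT),
                     ("wiki", RELEASE_STALE), ("wiki", RELEASE_NO_EPPN)]:
        d = decide(res, rel, VO_WORKFLOW)
        print(res, d.allow, d.reason, d.problems)
```

The `problems` list is the part worth keeping in logs: an SP that silently ignores an out-of-vocabulary affiliation never finds out which IdPs are releasing bad data, which is exactly the "it is getting better" loop the slides describe.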

Federated identity terms (Shibboleth/SAML)
- IdP – identity provider: provides authN and basic attributes
- SP – service provider / relying party (RP): consumes attributes from IdPs (maybe several) to make access control decisions
- Federation – a collection of IdPs and SPs with a federation operator that has established a legal basis for trust; addresses policies, practices, indemnification, incident handling, schema, etc.
- Sources of authority – the definitive source for assigning values to attributes; can be a role at the institution or in the VO

Social identity terms (OpenID)
- End-user – the entity that wants to assert a particular identity
- Identifier or OpenID – the URL or XRI chosen by the end-user to name the end-user's identity
- OpenID provider – a service that specializes in registering OpenID URLs or XRIs and providing OpenID authentication (and possibly other identity services)
- Relying party – the site that wants to verify the end-user's identifier; other terms include "service provider" or the now obsolete "consumer"
- User-agent – the program (such as a browser) used by the end-user to communicate with the relying party and OpenID provider

Other important Internet identity concepts
- Addressing non-web apps
  - OAuth
  - Project Moonshot and the IETF ABFAB (“Application Bridging, Federated Authentication Beyond”) WG
- User attribute management
  - For privacy and consent
  - For scalability in use
- Discovery
- Interfederation and metadata exchange

Virtual Organizations
- Multi-institutional, usually multi-national collaborations
- Frequently centered on unique instruments (e.g. CERN, Sloan), data repositories (e.g. medical records, economic data), etc.
- Examples: hard sciences – LIGO, ATLAS, NEON, OOI, iPlant; social sciences and humanities – Bamboo, CLARIN
- Use standard collaboration tools and domain tools, often in an integrated fashion: SSH to manage an instrument that populates a DB that a web browser accesses

VOs are…
- International by nature
- A less privileged crust than enterprises
- Some VOs are deep first and then wide (NEON)
- Some are as much wide as deep (iPlant)
- Some are mostly wide (ESWN)

VOs and Identity Management
- Permit or deny access to wiki pages, calendars, computing resources, version control systems, domain apps, etc.
- Add or remove people from groups
- Create new subgroups, identify overlapping memberships, etc.
- Add people to mailing lists, wikis, etc.
- Ad hoc calendaring
- Create and delete/archive users, accounts, keys
- Identify group membership on a given date
- Usage reporting

VO IdM versus Enterprise IdM
- Both may be authoritative for certain information about individuals, however…
  - Enterprise IdM will get that authoritative data from centralized sources of record such as PeopleSoft, Kuali
  - The VO will create the information through internal processes or user input
- Examples: Enterprise IdM = name, institutional affiliation; VO IdM = VO group membership, VO reporting

Integration of identity and access control
- Identity and access control (groups) need to integrate across three science environments
  - Command-line-managed instruments generate data feeds that populate databases
  - Using web browsers, scientists access the database, mark events, set data feeds, etc.
  - Other communities come in through science gateways and portals
- Federated identity and domestication of applications is needed
- Automated provisioning and deprovisioning is a big win
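The group-management tasks listed under "VOs and Identity Management" (subgroups, overlapping memberships, membership on a given date) and the automated provisioning and deprovisioning this slide calls a big win come down to one data structure: dated membership records that are closed rather than deleted. The following is an added example, not code from the presentation or from any VO platform: a small registry that keeps membership history, lets subgroups inherit into their parent, answers "who was a member on this date", and derives the provision/deprovision actions a downstream wiki, mailing list or key store would need. Group names, people and dates are constructed.

```python
"""VO group registry with dated memberships and nested subgroups.

Added example, not from the presentation. Group names, people and dates are
constructed; the provisioning step only computes the actions a connector to a
downstream system would carry out."""
from __future__ import annotations
from dataclasses import dataclass
from datetime import date
from typing import Optional, Union

DateLike = Union[date, str]


def _as_date(d: DateLike) -> date:
    """Accept either a date or an ISO string such as '2011-05-01'."""
    return d if isinstance(d, date) else date.fromisoformat(d)


@dataclass
class Membership:
    member: str
    start: date
    end: Optional[date] = None   # None: still active; end is exclusive

    def active_on(self, day: date) -> bool:
        return self.start <= day and (self.end is None or day < self.end)


class GroupRegistry:
    def __init__(self) -> None:
        self.memberships: dict[str, list[Membership]] = {}
        self.parents: dict[str, str] = {}   # subgroup -> parent group

    def create_group(self, name: str, parent: Optional[str] = None) -> None:
        if parent is not None and parent not in self.memberships:
            raise KeyError(f"unknown parent group {parent!r}")
        self.memberships.setdefault(name, [])
        if parent is not None:
            self.parents[name] = parent

    def add(self, group: str, member: str, start: DateLike) -> None:
        self.memberships[group].append(Membership(member, _as_date(start)))

    def remove(self, group: str, member: str, end: DateLike) -> None:
        """Close the open record instead of deleting it, so history survives."""
        for m in self.memberships[group]:
            if m.member == member and m.end is None:
                m.end = _as_date(end)
                return
        raise KeyError(f"{member!r} has no open membership in {group!r}")

    def members_on(self, group: str, day: DateLike) -> set[str]:
        """Direct members on `day`, plus members of every subgroup (subgroups inherit)."""
        day = _as_date(day)
        found = {m.member for m in self.memberships[group] if m.active_on(day)}
        for sub, parent in self.parents.items():
            if parent == group:
                found |= self.members_on(sub, day)
        return found

    def overlapping(self, group_a: str, group_b: str, day: DateLike) -> set[str]:
        return self.members_on(group_a, day) & self.members_on(group_b, day)

    def provisioning_actions(self, group: str, previous: DateLike,
                             current: DateLike) -> dict[str, list[str]]:
        """Actions a downstream system needs to move from the membership on
        `previous` to the membership on `current`."""
        before = self.members_on(group, previous)
        after = self.members_on(group, current)
        return {"provision": sorted(after - before), "deprovision": sorted(before - after)}


def build_sample_registry() -> GroupRegistry:
    """Constructed sample: one VO group, one subgroup of it, one unrelated group."""
    reg = GroupRegistry()
    reg.create_group("vo-members")
    reg.create_group("detector-ops", parent="vo-members")
    reg.create_group("wiki-editors")
    reg.add("vo-members", "alice", "2011-01-10")
    reg.add("vo-members", "bob", "2011-03-01")
    reg.remove("vo-members", "bob", "2011-06-01")
    reg.add("detector-ops", "carol", "2011-04-15")
    reg.add("wiki-editors", "bob", "2011-02-01")
    reg.add("wiki-editors", "dave", "2011-02-01")
    return reg


if __name__ == "__main__":
    reg = build_sample_registry()
    print(sorted(reg.members_on("vo-members", "2011-05-01")))
    print(reg.provisioning_actions("vo-members", "2011-05-01", "2011-07-01"))
```

Closing records instead of deleting them is what makes "identify group membership on a given date" and usage reporting answerable after the fact; the same history is what an incident responder needs when asking who could reach an instrument on a particular day.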

Single Profile
- As VOs get more data-centric in nature, profiles are the automated way to match users with new data sources, and a simple access control mechanism
- The controlled vocabulary/ontology aspects of profiles need active management tools, as well as storing the profiles and managing releases
- Some of the new NSF data nets are using multiple profiles; single profile is the next single sign-on…
- VIVO is an important building block for answers here
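Matching users to new data sources through profiles only works if the profile terms are under a controlled vocabulary, which is the "active management" point of this slide. The following is an added example, not code from the presentation or from VIVO: a small ontology of research terms with broader-term links, a synonym table for what people actually type, a profile normaliser that rejects terms outside the vocabulary, and a matcher that pairs a data source's tags with profiles on the same branch of the ontology. The ontology, synonyms, profiles and tags are all constructed for the example.

```python
"""Profile terms under a controlled vocabulary, and matching users to data sources.

Added example, not from the presentation. The ontology, synonyms, profiles
and data-source tags are all constructed; a real VO would manage these in a
vocabulary tool rather than a dict."""
from __future__ import annotations

# Hypothetical ontology: canonical term -> broader term (None at a root).
ONTOLOGY = {
    "astronomy": None,
    "astrophysics": "astronomy",
    "gravitational-waves": "astrophysics",
    "neutron-stars": "astrophysics",
    "biology": None,
    "ecology": "biology",
    "plant-genomics": "biology",
}

# Free-text variants that profile owners actually type, mapped to canonical terms.
SYNONYMS = {
    "gw": "gravitational-waves",
    "gravitational waves": "gravitational-waves",
    "neutron star": "neutron-stars",
    "neutron stars": "neutron-stars",
    "plant genomics": "plant-genomics",
}


def canonical(term: str) -> str:
    """Map a typed term to its canonical form; reject anything outside the vocabulary."""
    key = " ".join(term.lower().split())
    key = SYNONYMS.get(key, key)
    if key not in ONTOLOGY:
        raise ValueError(f"term not in controlled vocabulary: {term!r}")
    return key


def expand(term: str) -> set[str]:
    """A canonical term together with every broader term above it."""
    terms = set()
    while term is not None:
        terms.add(term)
        term = ONTOLOGY[term]
    return terms


def normalize_profile(raw_terms: list[str]) -> tuple[set[str], list[str]]:
    """Split a user's typed terms into accepted canonical terms and rejected ones."""
    accepted, rejected = set(), []
    for raw in raw_terms:
        try:
            accepted.add(canonical(raw))
        except ValueError:
            rejected.append(raw)
    return accepted, rejected


def matches(profile_terms: set[str], source_tags: set[str]) -> bool:
    """True when a profile term and a source tag lie on the same branch: the
    user's interest is the tag or narrower, or the tag is narrower than the
    user's interest. Sibling terms (neutron stars vs gravitational waves) do not match."""
    for p in profile_terms:
        for s in source_tags:
            if s in expand(p) or p in expand(s):
                return True
    return False


def users_for_source(profiles: dict[str, list[str]], source_tags: list[str]) -> list[str]:
    """Users whose profiles match a newly registered data source."""
    tags = {canonical(t) for t in source_tags}
    hits = []
    for user, raw_terms in profiles.items():
        terms, _rejected = normalize_profile(raw_terms)
        if matches(terms, tags):
            hits.append(user)
    return sorted(hits)


# Constructed sample profiles.
PROFILES = {
    "alice": ["GW", "Neutron star"],
    "bob": ["Biology"],
    "carol": ["astronomy"],
    "dave": ["ecology", "quantum"],   # "quantum" is outside the vocabulary
}

if __name__ == "__main__":
    print(users_for_source(PROFILES, ["astrophysics"]))
    print(users_for_source(PROFILES, ["plant genomics"]))
    print(normalize_profile(PROFILES["dave"]))
```

Rejected terms are returned rather than silently dropped so the vocabulary owner can see which terms users keep asking for and decide whether to add them; that feedback is the management tooling the slide says profiles need.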

VO Assessment Tool
- Culture and management
- Community – outreach, admin, etc.
- Users, guests, and contributors
- Application requirements
- Access control and profiles
- Existing middleware infrastructure

Good theory, but what does this really look like?
- PubMed – NIH research/collaboration

Wrapping up
- Tools are out there – decide what is appropriate for your VO
- Attributes are important
- It all comes down to scalable access control