AAI-enabled VO Platform “VO without Tears” Christoph Witzig EGI TF, Amsterdam, Sept 15, 2010.

Presentation transcript:


© 2010 SWITCH

Outline
– Introduction
– AAI and VO: The SWITCH approach
– Technical Solution
– Roadmap and Summary
– Appendix: Enrollment

SWITCHaai Federation in Spring 2010
(Chart: # AAI enabled accounts, # Resources, # Home Organizations)
>96% coverage in higher education

Access to AAI Resources
(Diagram)

Use-case: Access to SP within AAI Federation
Example: access of medical students to a common SP. Authorization is based on attributes released by the IdP; the Apache access rules on the SP look like this:

    AuthType Shibboleth
    ShibRequireSession On
    ShibRequireAll On
    require homeOrg idpX.ch idpY.ch idpZ.ch
    require affiliation student
    require studyBranch medicine

(Diagram: medicine students / other users)

Use-case: Access for Arbitrary Groups
Formulating access rules becomes cumbersome for arbitrary groups in different institutions → concept of virtual organization (VO)
Note: Most VOs need very simple services
– Mailing lists
– Wiki
– Document store
– …
and many of these services already support Shibboleth!

Virtual Organization
A virtual organization (VO) is needed for
– Enabling access based on attributes not tied to the “home organization”
What does a virtual organization need?
– VO-specific services
– Authentication
– Access control / authorization
– Management of VO-specific attributes

AAI and VO: SWITCH Approach (1/2)
Basic idea: keep it as simple as possible: “VO without Tears”
Requirements:
– Many services are already AAI-enabled → only minimal configuration changes should be needed in order to VO-enable a service → SAML2 as basis
– Interactions between home organization and VO are completely hidden from the user → authentication is done by the home organization → the user uses well-known AAI credentials
– The administrator of the home organization is not involved → IT services do not want to administrate VO-specific attributes
– Administration of the VO must be easy; it is done by VO admins

AAI and VO: SWITCH Approach (2/2)
SP aggregates attributes:
1. From the user’s home organisation: attributes are set by the IdP admin
2. From VO platform(s): attributes are set by the VO admin
The user is identified by an attribute that is used as shared ID
‣ Augmented set of attributes available at the VO SP

Components Needed
– Home Organization: authenticates the user and asserts basic identity information
– Virtual Organization Services: used by VO members in order to perform their work. Could be wikis, calendars, etc.
– Virtual Organization Platform: set of software to manage VOs and their members. Interacts with the Virtual Organization Services.

How to Identify the User between IdP and VO?
The shared ID must be known at the user’s IdP, the VO service SP and the VO platform. The value of the shared ID is used as the SAML 2 Persistent Name Identifier of the attribute request.
Option 1: value of a common identifier attribute like eduPersonPrincipalName, address or similar
– Easy to implement and already works today
– Problematic if used for multiple VOs that span multiple organizations, due to data correlation attacks (SP A from VO 1 and SP B from VO 2 could merge their data about the user)
Option 2: use the value of a persistentID that is generated by the IdP for an SP or for a group of VO SPs, using an Affiliation descriptor in metadata
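The two options on this slide differ in what two SPs receive for the same user. The added example below (not from the slides or from SWITCH) derives a pairwise persistent ID the way the Shibboleth IdP's ComputedId does, base64(SHA-1(relyingParty!sourceId!salt)), and shows that an Affiliation lets the SPs of one VO share one value while an SP of another VO gets a different one; all entityIDs, the user key and the salt are constructed.

```python
import base64
import hashlib

# Constructed sample values, not from the slides: one user, three VO service
# SPs and one metadata Affiliation that groups the two SPs of VO 1.
USER_SOURCE_ID = "u12345678"            # stable opaque user key inside the IdP
IDP_SALT = "demo-salt-keep-secret-in-production"

SP_WIKI_VO1 = "https://wiki.vo1.example/shibboleth"
SP_LIST_VO1 = "https://list.vo1.example/shibboleth"
SP_STORE_VO2 = "https://store.vo2.example/shibboleth"

# Assumed Affiliation descriptor: both SPs of VO 1 are members of one
# affiliation entity; the VO 2 SP is not.
AFFILIATIONS = {
    SP_WIKI_VO1: "https://vo1.example/affiliation",
    SP_LIST_VO1: "https://vo1.example/affiliation",
}


def computed_id(relying_party: str, source_id: str, salt: str) -> str:
    """Pairwise persistent NameID, modelled on the Shibboleth IdP ComputedId:
    base64(SHA-1(relyingParty + "!" + sourceId + "!" + salt))."""
    digest = hashlib.sha1(f"{relying_party}!{source_id}!{salt}".encode()).digest()
    return base64.b64encode(digest).decode()


def persistent_id(sp_entity_id: str, source_id: str = USER_SOURCE_ID,
                  salt: str = IDP_SALT) -> str:
    """Option 2: the relying party fed into the hash is the affiliation ID when
    the SP belongs to one, otherwise the SP's own entityID."""
    return computed_id(AFFILIATIONS.get(sp_entity_id, sp_entity_id), source_id, salt)


def option1_shared_id(sp_entity_id: str, eppn: str = "wtell@idpX.ch") -> str:
    """Option 1: a common attribute such as eduPersonPrincipalName is released
    unchanged to every SP, whatever VO it belongs to."""
    return eppn


def can_correlate(sp_a: str, sp_b: str, shared_id) -> bool:
    """True when SP A and SP B receive the same identifier for this user and
    could therefore join their records about him."""
    return shared_id(sp_a) == shared_id(sp_b)
```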

Architecture Overview
(Diagram)

How to enroll users to a VO?
– Self-enrollment: open, or using a password
– Manual enrollment: the user requests to join a VO; the request then has to be approved or rejected by a VO administrator
– Enrollment by invitation (most likely): invitation with a one-time token; see appendix

Advantages of this VO approach
No additional protocols required
– It’s pure SAML 2, and Shibboleth supports all that is required
Simple configuration on the VO SP
– Add approximately 4 lines to enable attribute aggregation on an SP
No API/library needed to access VO attributes
– VO service applications get access to VO attributes the same way as any other Shibboleth attribute. No special API/library required. Access control works out of the box with Shibboleth.
Easy to query multiple VO Platforms
– Configured statically or dynamically (based on attribute values)

Roadmap
The VO Platform is currently being implemented by SWITCH
– Design and partial implementation: Itumi PLC (C. La Joie)
SWITCH adapts and initially operates 3 core VO Services
– Wiki service (domesticated Dokuwiki)
– Mailing list service (probably Sympa)
– Document storage service (t.b.d.)
Goal: pilot VO Platform in SWITCHaai with a basic set of features in Q
Deployment and adding more SP services in 2011

Summary
– Membership in a VO is expressed by an attribute
– VO attributes are aggregated from VO Platform(s)
– Access control using VO attributes is very easy with Shib
– VO attributes are managed on the VO Platform
More information and demo instructions – – contact:

Step 1: Invitation token sent to the user
The user is invited by the VO admin:

    Subject: Join the Swiss Resistance
    From: VO Group Admin
    To: William Tell
    You are invited to join the VO group “SwissResistance”, please click on …ken=324jcxio34529cj

Step 2: Authentication at the user’s IdP
The user clicks on the invitation link, which points to the VO Platform administration. This forces the user to authenticate at his IdP.

Step 3: Adding the Shared ID to the data store
The SP provides the user’s Shared ID to the VO Platform administration, which stores the information in a data store and adds the user to the VO assigned to the invitation token.

Step 4: Access to a VO Service
The user is shown a list of VO Services that are available for this VO. The user clicks on the link of one particular service.

Step 5: VO Service authentication with SSO
The VO Service SP forces the user to authenticate. Due to SSO this may not be noticed by the user. The SP receives the user’s attributes and Shared ID from the user’s IdP.

Step 6: Attribute aggregation
The SP uses the user’s Shared ID to query the VO Platform with a standard SAML attribute query and receives the user’s VO attributes.

Step 7: SP delivers aggregated attributes
The SP provides the user’s attributes from the user’s IdP and from the VO AA to the application.
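Steps 5 to 7 above, together with the Apache require rules of the medical-students use-case, as an added Python example that is not part of the slides or of the SWITCH VO Platform: the SP merges the IdP assertion with the VO attribute authority's answer for the user's Shared ID, then evaluates require rules with ShibRequireAll semantics; attribute values, the Shared ID and the VO group are constructed, and the attribute query is simulated by a dictionary lookup.

```python
# Constructed sample data, not from the slides. IDP_ASSERTION is what the VO
# service SP gets from the user's IdP (step 5); VO_AA_STORE is what the VO
# Platform's attribute authority holds, keyed by Shared ID (steps 3 and 6).
IDP_ASSERTION = {
    "sharedID": ["pid-constructed-7f3a"],
    "homeOrg": ["idpX.ch"],
    "affiliation": ["student"],
    "studyBranch": ["medicine"],
}
VO_AA_STORE = {
    "pid-constructed-7f3a": {"voGroup": ["SwissResistance"], "voRole": ["member"]},
}


def vo_platform_query(shared_id: str) -> dict:
    """Stand-in for the SAML 2 attribute query of step 6: attributes for a
    Shared ID the platform knows, nothing for an unknown one."""
    return VO_AA_STORE.get(shared_id, {})


def aggregate(idp_attrs: dict, vo_queries) -> dict:
    """Step 7: one attribute set built from the IdP assertion plus every VO
    platform the SP is configured to query. IdP-asserted names are never
    overwritten by a VO platform; a real SP additionally applies its attribute
    filter policy to each source before merging."""
    merged = {name: list(values) for name, values in idp_attrs.items()}
    shared_id = idp_attrs["sharedID"][0]
    for query in vo_queries:
        for name, values in query(shared_id).items():
            if name in idp_attrs:
                continue
            bucket = merged.setdefault(name, [])
            bucket.extend(v for v in values if v not in bucket)
    return merged


def satisfies(rules, attrs: dict, require_all: bool = True) -> bool:
    """Evaluate 'require <attribute> <value>...' rules as in the Apache block
    of the use-case slide: a rule holds if the user has any listed value; with
    ShibRequireAll On every rule must hold, otherwise one is enough."""
    hits = [bool(set(attrs.get(attr, [])) & set(values)) for attr, values in rules]
    return all(hits) if require_all else any(hits)


# Rule set for a VO wiki: a student of a listed home organization who is
# also a member of the (constructed) VO group "SwissResistance".
VO_WIKI_RULES = [
    ("homeOrg", {"idpX.ch", "idpY.ch", "idpZ.ch"}),
    ("affiliation", {"student"}),
    ("voGroup", {"SwissResistance"}),
]


def access_decision(idp_attrs: dict) -> bool:
    return satisfies(VO_WIKI_RULES, aggregate(idp_attrs, [vo_platform_query]))
```

A user the VO Platform has not enrolled still authenticates successfully at the IdP, but the attribute query returns nothing, so the voGroup rule fails and access is denied.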