EMI AAI Strategy & Plans John White / Helsinki Institute of Physics Federated Identity Systems for Scientific Collaborations Workshop 09.06.2011, CERN,

Slides:

Advertisements

Similar presentations

Lousy Introduction into SWITCHaai

Advertisements

EGEE-II INFSO-RI Enabling Grids for E-sciencE EGEE and gLite are registered trademarks Interoperability AAI and Grids Christoph.

EGI-InSPIRE RI EGI-InSPIRE EGI-InSPIRE RI AAI in EGI Status and Evolution Peter Solagna Senior Operations Manager

CLARIN AAI, Web Services Security Requirements

EMI Development Plans for Identity Management Henri Mikkonen / HIP Moonshot, Grid and HPC Workshop London, UK.

Contrail and Federated Identity Management

EGI-InSPIRE RI EGI-InSPIRE EGI-InSPIRE RI EGI - Identity Management Steven Newhouse Director, EGI.eu Federated Identity.

Federated Identity Management for Research Communities (FIM4R) David Kelsey (STFC-RAL) EGI TF, AAI workshop 19 Sep 2012.

2006 © SWITCH Authentication and Authorization Infrastructures in e-Science (and the role of NRENs) Christoph Witzig SWITCH e-IRG, Helsinki, Oct 4, 2006.

EMI INFSO-RI Session Summary AAI Needs for DCIs John White, HIP Christoph Witzig, SWITCH

2006 © SWITCH SWITCH Plans for Shibboleth and Grid GGF16 Feb 14, 2006 Christoph Witzig (Thomas Lenggenhager, Valery Tschopp, Placi Flury) SWITCH.

WebFTS as a first WLCG/HEP FIM pilot

FIM-ig Federated Identity Management Interest Group.

ESA EO Federated Identity Management Initiatives A. Baldi ESA: M. Leonardi RHEA:

EMI INFSO-RI European Middleware Initiative (EMI) Standardization and Interoperability Florida Estrella (CERN) Deputy Project Director.

Here Come the Feds Federated identity management: the consumer’s perspective Jens Jensen, STFC On behalf of EUDAT AAI TF EGI CF Manchester April 2013.

EGI-Engage EGI-Engage Engaging the EGI Community towards an Open Science Commons Project Overview 9/14/2015 EGI-Engage: a project.

Authentication and Authorization in a federated environment Jules Wolfrat (SARA)

EGI-InSPIRE RI EGI-InSPIRE RI EGI-InSPIRE EGI services for the long tail of science Peter Solagna Senior Operations.

Federated Identity Management for HEP David Kelsey WLCG GDB 9 May 2012.

CLARIN Infrastructure Vision (and some real needs) Daan Broeder CLARIN EU/NL Max-Planck Institute for Psycholinguistics.

2005 © SWITCH Perspectives of Integrating AAI with Grid in EGEE-2 Christoph Witzig Amsterdam, October 17, 2005.

EGEE-II INFSO-RI Enabling Grids for E-sciencE EGEE and gLite are registered trademarks Interoperability Shibboleth - gLite Christoph.

EGEE-II INFSO-RI Enabling Grids for E-sciencE EGEE and gLite are registered trademarks Interoperability Shibboleth - gLite Christoph.

EMI INFSO-RI AAI in EEF Projects John White (Helsinki University) EMI Security Area Leader.

Authentication and Authorisation for Research and Collaboration Licia Florio (GÉANT) Christos Kanellopoulos (GRNET) Service orientation.

Shibboleth Akylbek Zhumabayev September Agenda Introduction Related Standards: SAML, WS-Trust, WS-Federation Overview: Shibboleth, GSI, GridShib.

AAI WG EMI Christoph Witzig on behalf of EMI AAI WG.

EGEE-II INFSO-RI Enabling Grids for E-sciencE EGEE and gLite are registered trademarks Security Token Service Valéry Tschopp - SWITCH.

EResearchers Requirements the IGTF model of interoperable global trust and with a view towards FIM4R AAI Workshop Presenter: David Groep, Nikhef.

Connect. Communicate. Collaborate The authN and authR infrastructure of perfSONAR MDM Ann Arbor, MI, September 2008.

Security Token Service (STS) Design & Development Plans Henri Mikkonen / HIP 3 rd EMI All-Hands Meeting , Padova, Italy.

WebFTS File Transfer Web Interface for FTS3 Andrea Manzi On behalf of the FTS team Workshop on Cloud Services for File Synchronisation and Sharing.

Authentication and Authorisation for Research and Collaboration Licia Florio REFEDS Meeting The AARC Project I2 Technology Exchange.

Authentication and Authorisation for Research and Collaboration Peter Solagna Milano, AARC General meeting Current status and plans.

Authentication and Authorisation for Research and Collaboration Peter Solagna Milano, AARC General meeting Current status and plans.

Shibboleth & Grid Integration STFC and University of Oxford (and University of Manchester)

Identity Management in DEISA/PRACE Vincent RIBAILLIER, Federated Identity Workshop, CERN, June 9 th, 2011.

EGEE-III INFSO-RI Enabling Grids for E-sciencE EGEE and gLite are registered trademarks EGI Operations Tiziana Ferrari EGEE User.

EMI INFSO-RI Accounting John Gordon (STFC) APEL PT Leader.

Federated Identity Management for HEP David Kelsey HEPiX, IHEP Beijing 18 Oct 2012.

Connect. Communicate. Collaborate Deploying Authorization Mechanisms for Federated Services in the eduroam architecture (DAMe)* Antonio F. Gómez-Skarmeta.

AAI Developments AAI for e-infrastructures UK T0 workshop, Milton Hill Park October 2015

WLCG Authentication & Authorisation LHCOPN/LHCONE Rome, 29 April 2014 David Kelsey STFC/RAL.

EMI is partially funded by the European Commission under Grant Agreement RI Federated Grid Access Using EMI STS Henri Mikkonen Helsinki Institute.

EGI-InSPIRE RI EGI-InSPIRE EGI-InSPIRE RI Evolution of AAI for e- infrastructures Peter Solagna Senior Operations Manager.

Networks ∙ Services ∙ People Thomas Bärecke Journée Fédération, Paris Collaboration européenne GÉANT SA5 03/07/2015 SA5 T5 team

EMI is partially funded by the European Commission under Grant Agreement RI Security Token Service (STS) Transforming the Existing User Credentials.

European Middleware Initiative (EMI) – Training Kathryn Cassidy, TCD EMI NA2.

EGEE-III INFSO-RI Enabling Grids for E-sciencE EGEE and gLite are registered trademarks Operations Automation Team Kickoff Meeting.

EGEE-II INFSO-RI Enabling Grids for E-sciencE EGEE and gLite are registered trademarks Interoperability Shibboleth - gLite Christoph.

European Grid Initiative AAI in EGI Status and Evolution Peter Solagna Senior Operations Manager

EMI is partially funded by the European Commission under Grant Agreement RI Security Token Service (STS) Simplified Credential Management Henri.

AAI needs of the Distributed Computing Infrastructures - CLARIN Dieter Van Uytvanck Max Planck Institute for Psycholinguistics

EMI is partially funded by the European Commission under Grant Agreement RI Common Authentication Library Daniel Kouril, for the CaNL PT EGI CF.

EGI-InSPIRE RI EGI-InSPIRE EGI-InSPIRE RI EGI-InSPIRE PY5 new activities Peter Solagna – EGI.eu.

EGI-InSPIRE RI EGI-InSPIRE EGI-InSPIRE RI Enabling SSO capabilities in the EGI Cloud services Peter Solagna – EGI.eu.

CERN IT Department CH-1211 Geneva 23 Switzerland t OIS Operating Systems & Information Services CERN IT Department CH-1211 Geneva 23 Switzerland.

Authentication and Authorisation for Research and Collaboration Peter Solagna, Nicolas EGI AAI integration experiences AARC Project.

Authentication and Authorisation for Research and Collaboration AARC/CORBEL Workshop for Life Sciences AAI AARC Draft Blueprint.

Security Area Christoph Witzig (SWITCH) on behalf of John White (HIP)

CERN IT Department CH-1211 Genève 23 Switzerland Federated identity system for scientific collaborations Summary of user requirements session.

Security in the wider world David Kelsey (STFC-RAL) GridPP37 – Ambleside 2 Sep 2016.

Research Community Requirements (FIM4R) David Kelsey (STFC-RAL) VAMP Workshop 6 Sep 2012.

WLCG Update Hannah Short, CERN Computer Security.

EGI Updates Check-in Matthew Viljoen – EGI Foundation

EMI Interoperability Activities

AARC Blueprint Architecture and Pilots

Common Authentication and Authorisation Service for Life Science Research Mikael Linden, ELIXIR Finland.

Check-in Identity and Access Management solution that makes it easy to secure access to services and resources.

Presentation transcript:

EMI AAI Strategy & Plans John White / Helsinki Institute of Physics Federated Identity Systems for Scientific Collaborations Workshop , CERN, Geneva, Switzerland

EMI INFSO-RI /06/2011 John White at Federated Identity Systems for Scientific Collaborations Workshop 2 Content Background AAI WG use cases Security Token Service (STS) Current work plan

EMI INFSO-RI Background AAI workshop held at EGI TF (Sept. 2010) [1] Questionnaires for projects crossing national boundaries and National Grid Initiatives (NGIs) – 3 User communities Biomed, Earth Sciences, HEP – 5 ESFRI projects CLARIN, Lifewatch, ELIXIR, EuroFEL, ILL – 2 NGIs Italy, U.K. 09/06/2011 John White at Federated Identity Systems for Scientific Collaborations Workshop

EMI INFSO-RI Results for the questionnaire [2] Grid users do not want to handle credentials themselves Grid users would like to obtain X.509 credentials and VOMS attributes from other credentials and vice-versa Projects would like to use federated identities Projects recognize that both national and international identity federations will become more important User identities and actions on a Grid should be protected (anonymized) Projects realize that access to the majority of Grid infrastructures requires and will require in the future X.509 credentials 09/06/2011 John White at Federated Identity Systems for Scientific Collaborations Workshop

EMI INFSO-RI AAI WG use cases [2] Use- case DescriptionStatus 1X.509 issuance based on AAI (another security domain) „Solved“ (but needs improvement!) 2AAI-enabled portals to Grid infrastructures Solutions exist SAML delegation new 3AAI-enabled Grid information portals Low priority 4Security Token Service (STS)New, general purpose service, high priority 5Use of AAI attributes in GridInteresting, potentially very important 6VO registration using AAI (identity vetting) Low priority 09/06/2011 John White at Federated Identity Systems for Scientific Collaborations Workshop

EMI INFSO-RI STS functionality overview Security Token Service (STS) is defined in the WS-Trust specification [3] – Authenticates and “authorizes” users based on security tokens – Transforms the security token into another security token – Aggregates required information from external sources – Establishes a trust relationship between different application domains 09/06/2011 John White at Federated Identity Systems for Scientific Collaborations Workshop

EMI INFSO-RI STS Example Use Case (1/2) 09/06/2011 John White at Federated Identity Systems for Scientific Collaborations Workshop

EMI INFSO-RI STS Example Use Case (2/2) 09/06/2011 John White at Federated Identity Systems for Scientific Collaborations Workshop

EMI INFSO-RI (Some) issues in the previous sequence SAML token must be targeted for both Portal and STS Who generates the key pair and stores the private key? – Depending on the online CA, key pair can be theoretically generated by any party WS-Trust [3] profile definitions How about if the STS is accessed directly via a (non-browser) client tool? 09/06/2011 John White at Federated Identity Systems for Scientific Collaborations Workshop

EMI INFSO-RI Current work plan Continue the WS-Trust interoperability profile [4] effort started in EGEE-III Define the other profiles missing in the sequence – E.g. for SAML, the building blocks include SAML delegation and ECP profile STS service- and client-side implementations – Service implementation is based on the upcoming Shibboleth Identity Provider v3 09/06/2011 John White at Federated Identity Systems for Scientific Collaborations Workshop

EMI INFSO-RI References [1] EGI TF 2010: AAI needs of the DCIs – =11&confId=48# =11&confId=48# [2] EMI AAI Working Group – [3] OASIS Standard: WS-Trust 1.3 – [4] Chad La Joie / SWITCH: WS-Trust 1.3 Interoperability profile – /06/2011 John White at Federated Identity Systems for Scientific Collaborations Workshop

EMI is partially funded by the European Commission under Grant Agreement RI Thank you!