Federated Identity Management IG FIM4R CLARIN pilot – progress report Menzo Windhouwer (CLARIN ERIC, Meertens Institute)

 Basically a legal proxy whereby CLARIN ERIC joins national identity federations on behalf of its centres (= Service Providers)  Details and the agreement: clarin.eu/spfclarin.eu/spf  Up-to-date list of end-user service providers: clarin.eu/node/3962 and centres.clarin.eu/spf clarin.eu/node/3962centres.clarin.eu/spf  Experiments with a SAML – OAuth2 bridge  Quality checks for the SP SAML metadata Quality checks for the SP SAML metadata FIM4R CLARIN pilot – progress

FIM4R CLARIN pilot – Identity Federations 1.ACOnet, Austria 2.Belnet Federation, Belgium 3.SWITCHaai, Switzerland 4.eduID.cz, Czech Republic 5.DFN, Germany 6.TAAT, Estonia 7.SIR, Spain 8.Haka, Finland 9.Fédération Éducation- Recherche, France [eduGAIN] 10.GRNET, Greece 11.eduID.hu, Hungary 12.Edugate, Ireland 13.IDEM, Italy [eduGAIN] 14.LAIFE, Latvia 15.SurfConext, The Netherlands 16.FEIDE, Norway 17.PIONIER.id, Poland 18.RCTSaai, Portugal 19.SWAMID, Sweden [eduGAIN] 20.ArnesAAI, Slovenia 21.UK Federation, United Kingdom [eduGAIN] 22.InCommon, United States of America 23.WAYF, Denmark, Iceland 24.LITNET fedi, Lithuania 25.Slovenia [eduGAIN]

1.MPI (lux17) 2.MPI (catalog) 3.MPI (corpus1) 4.INL 5.IDS (clarin) 6.IDS (repos) 7.BBAW 8.CSC (lat) 9.CSC (korp) 10.UTU 11.UFAL 12.ICLTT 13.Meertens 14.Meertens (OpenSKOS) 15.Huygens 16.CLARIN-DK 17.BAS 18.CMU 19.CELR 20.CLARINO 21.HZSK 22.UIL-OTS 23.CLARIN-PL 24.CLARINSI FIM4R CLARIN pilot – Service Providers

 Problem addressed:  An user is logged in to Service 1 which calls Service 2 on behalf of the user. How is the identity of the user passed on, and how can Service 2 trust it?  Solutions investigated by CLARIN-NL and BiGGrid:  Open or semi-open system  OAuth1  SAML ECP  WS-Trust  GEMBus STS  OAuth2  Selected solution for CLARIN test cases  X.509 certificates  Investigated in EUDAT User Delegation in the CLARIN Metadata Infrastructure - Part I - Research SAML – OAuth2 bridge

SAML – OAuth2 bridge: solution Authorisation Service S1S2 ? IdP AS -runs within a (separate) SP -is trusted by all involved services -also provides identity information (based on Shibboleth attributes)

 Authorisation server  Quite a few to choose from, quality varies  Trials: ndg-oauth, SURFnet OAuth-Apis, Unity IDMndg-oauthSURFnet OAuth-ApisUnity IDM  OAuth2 client  Clients available for Java, Python, PHP, …  Well specified protocol, clients interchangeable  OAuth2 resource server  Clients available for Java, Python, PHP, …  Interoperability with the AS can be a problem  OAuth 2.0 Token Introspection (IETF draft RFC) OAuth 2.0 Token Introspection (IETF draft RFC) User Delegation in the CLARIN Metadata Infrastructure - Part II - Implementation SAML – OAuth2 bridge: implementation

 Interaction between registries with private use areas  CMDI Component Registry to the ISOcat Data Category Registry  Interaction between tools and archives with closed resources  CLASS to The Language Archive  Interaction between tools and private work spaces  WebLicht to OwnCloud  Extensions:  Multistep delegation Multistep delegation  Desktop or mobile applications  … User Delegation in the CLARIN Infrastructure SAML – OAuth2 bridge: use cases

 Prepare SAML – OAuth2 bridge for production  Add more service providers  Add more federations Future Plans

Thank You! Reactions:

 Jonathan Blumtritt (University of Cologne)  Daan Broeder (MPI, Meertens Institute)  Joost van Dijk (SURFnet)  Willem Elbers (MPI, CLARIN ERIC)  Willem van Engen (NIKHEF)  Twan Goosen (MPI, CLARIN ERIC) – animated slides!  Marie Hinrichs (University of Tübingen)  Remco Poortinga – van Wijnen (SURFnet)  Mischa Sallé (NIKHEF)  Shakila Shayan (MPI)  Wei Qiu (University of Tübingen)  Dieter van Uytvanck (CLARIN ERIC) SAML – OAuth2 bridge: acknowledgements