Interoperability Shibboleth and gLite in EGEE-2
Christoph Witzig, SWITCH
MWSG Amsterdam, Dec 15, 2005
© 2005 SWITCH

Outline
– Introduction
  – Presentation of SWITCH
  – Motivation of AAIs
  – Overview of Shibboleth
– SWITCHaai: the six building blocks (Organisational Framework, Service Providers, Identity Provider, Central Services, Funding, Interoperability)
– Interoperability Shibboleth - gLite in EGEE-2
  – Work in 3 phases
  – Related work
  – Policy issues
– Summary

SWITCH organisation (chart)
– Business Development: strategic planning, technology monitoring, international relations
– Management Services: human resources, legal, finance/accounting, marketing/sales/PR, coordination with universities
– Security: incident handling, consulting, laboratory, internal services (HW/OS, consulting, security incident handling), critical infrastructure protection
– Network: network engineering, network infrastructure, consulting, SWITCHlambda, IP routing, IPv6, QoS, multicast, PERT
– Internet Identifiers: domain names (registration and further services), invoicing, administration, help desk, online queries, consulting, added services for end users and for second-level service providers, user registration
– NetServices: grid technologies, virtual communities, e-mobility, SWITCHaai, SWITCHmobile, SWITCHvconf, collaboration tools, content delivery and tools, consulting

Without AAI (diagram: University A, Library B, University C; resources such as student admin, web mail, e-learning, literature DB, research DB, e-journals; each resource handles authentication, authorization, user administration and credentials on its own)
– Tedious user registration at all resources
– Unreliable and outdated user data at resources
– Different login processes
– Many different passwords
– Many resources not protected due to difficulties
– Often IP-based authorization
– Costly implementation of inter-institutional access

With AAI (diagram: the same institutions and resources, now connected through the AAI)
– No user registration and user data maintenance at the resource needed
– Single login process for the users
– Many new resources available for the users
– Enlarged user communities for resources
– Authorization independent of location
– Efficient implementation of inter-institutional access

SWITCHaai project phases (diagram): Study, Architecture, Evaluation (-> Shibboleth), Implementation, Pilot, Operation

Shibboleth
– Open source, developed by Internet2
– Federated approach
– Privacy
– National deployment projects in the US, UK and Finland; growing interest in other European countries
– Currently for web resources only; will be extended
– Based on SAML
– Cooperation with Liberty Alliance
– Cooperation with content providers (e-journals)

How it works (diagram only)

Demo (try it yourself): live demo resource

Outline (section divider): SWITCHaai: the six building blocks – Organisational Framework, Service Providers, Identity Provider, Central Services, Funding, Interoperability

AAI Identity Providers
– Operational: UniL, ETHZ, UniZH, UniBE, VHO (SWITCH), UniGE, ZHWIN, UniLU
– Getting ready (2005/2006): USZ, UniFR, UniBAS, UniNE, UniSG, USI/SUPSI
– 120'000 users of Swiss higher education are already AAI-enabled (= 65% of all users)

Directories within an AAI Identity Provider
– An AAI-enabled Identity Provider consists of a user directory and an authentication system
– Authentication system: any Apache-compatible, Tomcat-compatible or IIS-compatible authentication method
– User directory: integration via Java APIs, LDAP via JNDI, databases via JDBC
– The username is the link between the two parts

Virtual Home Organization (VHO)
– Integrates end users without an Identity Provider into the federation (diagram: federation members Identity Provider, Resource Owner, end user and admin; VHO user directory and VHO policy)
– The Resource Owner manages "AAI-enabled" accounts for users without an Identity Provider
– A VHO account is only usable for the resource managed by that Resource Owner

AAI Service Providers (Resources)
– e-Learning: DOIT, VITELS, AD Learn & Co, OLAT, Moodle, BSCW, Blackboard, ILIAS, CompiCampus
– Libraries: EZproxy, commercial contents (ScienceDirect, EBSCO, SwissLex, ...)
– Other web applications: Vconf, Web-SMS, IS-Academia, TWiki, eShops
– ca. 50 AAI-enabled hosts, ca. 10'000 active users

Showcase: DOIT
– DOIT: Dermatology Online with Interactive Technology
– 500 AAI users
– Identity Providers: UniL, ETHZ, UniZH, UniBE, VHO (SWITCH), UniGE, ZHWIN, UniLU
– Access rule at the AAI Service Provider (Resource):
  – HomeOrg = UniZH | UniBE | UniL
  – Affiliation = Student
  – StudyBranch = Medicine
  – StudyLevel = 20

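A worked example, added here and not code from the slides or from SWITCHaai, of how a Service Provider evaluates an access rule of the DOIT shape against the attributes it actually received. The attribute names (HomeOrg, Affiliation, StudyBranch, StudyLevel) are taken from the slide; the dictionary format, the handling of multi-valued attributes and the sample users are assumptions of this example. The rule is evaluated with a default deny, so an attribute the Identity Provider did not release can never grant access, and the reasons for a deny are returned so the SP operator can tell "wrong value" from "not released".

```python
# Added example: attribute-based access decision for a Shibboleth-protected resource.
# Attribute names follow the DOIT rule on the slide; everything else is constructed.

# A rule maps an attribute name to the set of acceptable values.
# Values are OR-ed within one attribute and AND-ed across attributes.
DOIT_RULE = {
    "HomeOrg": {"UniZH", "UniBE", "UniL"},
    "Affiliation": {"Student"},
    "StudyBranch": {"Medicine"},
    "StudyLevel": {"20"},
}

# Constructed sample users: what the Service Provider might receive from an IdP.
MED_STUDENT = {"HomeOrg": "UniBE", "Affiliation": ["Student"],
               "StudyBranch": "Medicine", "StudyLevel": 20}
STAFF_AND_STUDENT = {"HomeOrg": "UniZH", "Affiliation": ["Staff", "Student"],
                     "StudyBranch": "Medicine", "StudyLevel": "20"}
LAW_STUDENT = {"HomeOrg": "UniL", "Affiliation": ["Student"],
               "StudyBranch": "Law", "StudyLevel": "20"}
UNRELEASED = {"HomeOrg": "UniBE", "Affiliation": ["Student"], "StudyLevel": "20"}


def _values(attrs, name):
    """Normalise an attribute to a set of strings; an absent attribute -> empty set."""
    value = attrs.get(name)
    if value is None:
        return set()
    if isinstance(value, (list, tuple, set)):
        return {str(v) for v in value}
    return {str(value)}


def evaluate(rule, attrs):
    """Return (granted, reasons). Every attribute in the rule must be present with at
    least one acceptable value; a missing or non-matching attribute is recorded as a
    reason and the decision is deny. Attributes outside the rule cannot widen access."""
    reasons = []
    for name, allowed in rule.items():
        received = _values(attrs, name)
        if not received:
            reasons.append(f"{name}: not released by the Identity Provider")
        elif not (received & allowed):
            reasons.append(f"{name}: {sorted(received)} not in {sorted(allowed)}")
    return (not reasons), reasons


def decide(rule, attrs):
    """Convenience wrapper returning only the access decision."""
    return evaluate(rule, attrs)[0]


if __name__ == "__main__":
    samples = [("medical student", MED_STUDENT), ("staff+student", STAFF_AND_STUDENT),
               ("law student", LAW_STUDENT), ("branch unreleased", UNRELEASED)]
    for label, user in samples:
        granted, why = evaluate(DOIT_RULE, user)
        print(f"{label:18} -> {'allow' if granted else 'deny'} {why}")
```

The multi-valued case matters in practice: affiliation is typically released as a list (a person can be staff and student at once), so the check must ask "is any released value acceptable" rather than compare a single string.
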
AAIportal: integration of "black boxes"
– Authentication/authorization gateway
– User management (optional)
– Adaptors to black-box applications: WebCT Vista, WebCT CE, ...
– Diagram: Shibboleth -> AAIportal -> application sign-on (via API)

Authorization Attributes (1)
– AAI transfers user attributes from a Home Organization to a Resource
– This requires a common understanding of what a value means
– Authorization Attribute Specification v1.1: a task force selected the attributes for SWITCHaai
  – Minimal set to start with
  – Attributes with a pre-existing 'common understanding'
  – In line with foreign activities

Authorization Attributes (2)
– Personal attributes: unique identifier, surname, given name, address(es), phone number(s), preferred language, date of birth, gender
– Home organization: name of Home Organization, type of Home Organization, affiliation (student, staff, faculty, ...), study branch, study level, staff category
– Group membership: organization path, organizational unit path
– Based on the eduPerson specification; study branch, study level and staff category are based on SHIS/SIUS
– Username and password are missing: they are only used locally!
– 'Matrikelnummer' (student registration number) is missing for data protection reasons

International AAI Activities
– Shibboleth deployment underway in: USA (Internet2, InCommon), Finland (HAKA), Switzerland (SWITCH)
– Shibboleth-related activities in: United Kingdom (JISC), France (CRU), Australia (AARNet), University of Amsterdam (NL), KU Leuven (BE), Statsbiblioteket Denmark
– Compatibility with Shibboleth planned for: PAPI (RedIRIS, ES), A-Select (SURFnet, NL), Athens
– Terena TF-EMC2: Task Force European Middleware Coordination and Collaboration
– GN2 JRA5: Ubiquity (Mobility) and Roaming Access to Services; define, prototype and build a roaming infrastructure and an AAI
– Cotswolds Group: federations coordination (Europe, US)

Organisational Framework
– SWITCH acts as SWITCHaai Federation Service Provider
– Federation membership is based on signed service agreements

Data Protection / Privacy Issues
– Data protection laws (Switzerland, EU) allow gathering only the personal data that is required
– The Identity Provider may restrict the data release as strictly as it sees fit
– Flow (diagram): the Service Provider (Resource) declares its required attributes to the Resource Registration Authority (Resource Registry operated by SWITCH); the registry proposes a site.ARP to the admin of the user's Identity Provider, whose site.ARP then governs which attributes are released
– Example site.ARP entries (per resource): UniqueID allow, Affiliation allow, HomeOrgType allow, HomeOrgName allow; for another resource: UniqueID allow, FirstName allow, LastName allow

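As an added example, not the Resource Registry's or Shibboleth's own code, the three steps the slide describes are turned into small functions so the minimal-data principle can be checked mechanically: the registry proposes an ARP from the declared required attributes, the IdP admin can only tighten it, and the IdP releases nothing the effective ARP does not explicitly allow. The attribute names come from the slide's site.ARP entries; the allow/deny vocabulary, the dictionary representation and the sample user are assumptions of this example.

```python
# Added example: attribute release policy (ARP) handling along the lines of the slide.
# Attribute names follow the slide; allow/deny vocabulary and sample data are constructed.

ALLOW, DENY = "allow", "deny"


def propose_arp(required_attributes):
    """Resource Registry step: the proposed site.ARP allows exactly the attributes the
    resource declared as required and nothing else (collect only what is required)."""
    return {name: ALLOW for name in required_attributes}


def restrict_arp(proposed, admin_overrides):
    """Identity Provider admin step: overrides may only tighten the proposal.
    A 'deny' replaces an 'allow'; an 'allow' for an attribute the resource never
    declared is ignored, so the admin cannot accidentally widen the release."""
    effective = dict(proposed)
    for name, decision in admin_overrides.items():
        if decision == DENY and name in effective:
            effective[name] = DENY
    return effective


def release(user_attributes, arp):
    """Identity Provider release step: only attributes explicitly allowed by the
    effective ARP leave the IdP; attributes unknown to the ARP are treated as denied."""
    return {name: value for name, value in user_attributes.items()
            if arp.get(name) == ALLOW}


def excess_release(arp, required_attributes):
    """Audit check: attributes an ARP would release although the resource did not
    declare them as required. An empty list means the ARP is minimal."""
    required = set(required_attributes)
    return sorted(name for name, decision in arp.items()
                  if decision == ALLOW and name not in required)


# Constructed sample: one resource's declared needs, an admin tightening, one user.
REQUIRED = ["UniqueID", "Affiliation", "HomeOrgType", "HomeOrgName"]
ADMIN_OVERRIDES = {"HomeOrgName": DENY, "DateOfBirth": ALLOW}   # second entry is ignored
USER = {
    "UniqueID": "123456@example.edu",   # constructed value
    "Affiliation": "Student",
    "HomeOrgType": "university",
    "HomeOrgName": "UniBE",
    "DateOfBirth": "1985-01-01",
    "FirstName": "Anna",
}


def released_for_resource():
    """End-to-end: registry proposal -> admin restriction -> release to the resource."""
    effective = restrict_arp(propose_arp(REQUIRED), ADMIN_OVERRIDES)
    return release(USER, effective)


if __name__ == "__main__":
    print(released_for_resource())
    print("excess:", excess_release({"UniqueID": ALLOW, "DateOfBirth": ALLOW}, ["UniqueID"]))
```

The audit function is the piece worth keeping around: run over every site.ARP before deployment, it flags any attribute the IdP would hand out beyond what the resource registered, which is exactly the condition the data protection laws on the slide forbid.
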
Funding
– Funding / costs over time (diagram): pilot project, project, operational service
– Funding sources: funded by SWITCH, funded by subsidies, funded by tariffs

Central AAI Services
– Strategy & marketing
– International contacts
– Support, consulting, training
– Providing federation-specific files and configuration guides
– Operating the WAYF (Where Are You From server)
– Test-HomeOrg and Test-Resource
– Tools (AAIportal, AAIproxy)
– Virtual Home Organization
– Jump Start Service

SWITCHaai Outlook
– Adding new institutions
– Adding new resources
– New directions: ECTS (study), AAA (study), federation partners, interoperability with grid: EGEE-2

Outline (section divider): Interoperability Shibboleth - gLite in EGEE-2
– Work in 3 phases
– Related work
– Policy issues

Interoperability Shibboleth - gLite
– Part of the EGEE-2 proposal (by SWITCH in the EGEE NREN Federation)
– Focus is on
  – Interoperability (NO replacement for X.509)
  – Specific for the EGEE infrastructure (VOMS etc.)
  – Integrate, re-use, re-engineer existing code; write new code only as needed
– Key concepts:
  – The home institution of the user should be the Identity Provider
  – The home institution provides some attributes
  – But a VO is needed for (grid-specific) attributes
– Proposal of doing the work in three phases:
  – Two initial, shorter phases with the intention of hooking SWITCHaai up to the grid with a minimal amount of effort, to have a working system
  – A third phase adding support for SAML at the resource (service provider)

Phase 1 and 2 (diagram only)

Access for Grid Users to Shib SP
– Intention: add "symmetry" between enabling access for Shib users and for grid users
– Test-bed: SWITCH and INFN, in 2006

SAML Support at the Resource
– Third (and main) phase of the project
– Goal: support for SAML for authentication and authorization without relying on X.509 (on a configurable basis)
– Should be based on SAML2
  – Supports the ECP profile (constrained delegation)
  – Will be used in Shibboleth 2

Related Efforts
– GridShib:
  – Emphasis is on providing attribute-based authorization
  – Based on GT4 and Shib 1.3
  – Beta version available since Sept 05
– OGSA authZ working group:
  – Defines specifications for basic interoperability and pluggability of authorization modules in the OGSA framework
– Condor Shibboleth Merger Project:
  – Phase I: Shib-enabled Condor web portal
  – Phase II: Shib-enabled Condor fat client
– Shibboleth - grid activities in the UK:
  – ESP-Grid
  – Further work is planned (JISC) to look at CA/Shib issues
– Issue of attribute management between IdP and VO (e.g. Signet)

Policy Issues for Phase 1
– Question: what policy shall be formulated for the certificates generated out of SWITCHaai?
– Minimum requirements for
  – SLCS certificates: TAGPMA (recently adopted)
  – "traditional" certificates: EUGRIDPMA

Minimum requirements for SLCS and traditional user certificates

Requirement           SLCS                                                   Traditional user certificates
Issuing CAs           Several SLCS                                           One CA per country
Identity vetting      Automated generation based on user management system   "Traditional" RA (e.g. copy of passport)
Lifetime              < 1 million seconds                                    < 1 year + 1 month
Revocation handling   optional                                               mandatory

Policy Issues for Phase 1
– Question 1: why two minimum requirements documents?
  – Wouldn't it be easier to have one document and simply state the differences where appropriate?
– Question 2: why distinguish between SLCS and "traditional" certificates?
  – If you really trust your identity management systems, why not generate the traditional certificates?

What SWITCH would like to do...
– Generation of X.509 certificates by a Shib Resource, based on authentication at the IdP
– Administrative procedures are key for the quality of the user management system (EUGRIDPMA compliant)
– The user generates the key pair and submits a certificate signing request

Issuance of certificates by SWITCHpki
– Generation of server certificates as now (unchanged)
– Generation of user certificates
  – If { Shib IdP EUGRIDPMA compliant } then { automatic generation }
  – Else { user follows "standard" procedures (e.g. picture id) }
– Example:
  – User management of HEP staff physicists of the University of Berne follows EUGRIDPMA-compliant norms
  – They have access to a Shib resource to obtain their user certificate (with varying lifetime)

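An added example, not SWITCHpki's, TAGPMA's or EUGRIDPMA's code, that encodes the minimum-requirements table (SLCS vs. traditional user certificates) and the if/else issuance rule on this slide as a checkable policy: given a requested lifetime and whether revocation handling is in place, it reports which profile the request could be issued under and why a request fails the other one. The lifetime limits and the optional/mandatory revocation handling come from the table; the profile names, the reading of "1 year + 1 month" as 365 + 31 days, the result strings and the sample requests are assumptions of this example.

```python
# Added example: the two minimum-requirement profiles from the table and the SWITCHpki
# issuance rule as a small policy check. All lifetimes are in seconds.

DAY = 86_400
SLCS_MAX_LIFETIME = 1_000_000                 # table: "< 1 mio sec" (about 11.6 days)
TRADITIONAL_MAX_LIFETIME = (365 + 31) * DAY   # table: "< 1 year + 1 month" (day count assumed)

PROFILES = {
    "slcs": {
        "issuer": "one of several SLCS, automated from the user management system",
        "max_lifetime": SLCS_MAX_LIFETIME,
        "revocation_required": False,         # table: revocation handling optional
    },
    "traditional": {
        "issuer": "one CA per country, traditional RA (e.g. copy of passport)",
        "max_lifetime": TRADITIONAL_MAX_LIFETIME,
        "revocation_required": True,          # table: revocation handling mandatory
    },
}


def issuance_path(idp_eugridpma_compliant):
    """SWITCHpki user-certificate rule from the slide: a EUGRIDPMA-compliant Shib IdP
    gets automatic generation, everyone else follows the standard RA procedure."""
    return "automatic" if idp_eugridpma_compliant else "standard-procedure"


def check_request(profile, lifetime_seconds, revocation_supported):
    """Return the list of violations of the named profile; [] means acceptable."""
    rules = PROFILES[profile]
    problems = []
    if lifetime_seconds >= rules["max_lifetime"]:
        problems.append(f"lifetime {lifetime_seconds}s is not below "
                        f"{rules['max_lifetime']}s for profile '{profile}'")
    if rules["revocation_required"] and not revocation_supported:
        problems.append(f"revocation handling is mandatory for profile '{profile}'")
    return problems


def admissible_profiles(lifetime_seconds, revocation_supported):
    """Profiles under which a request with these properties could be issued."""
    return [name for name in PROFILES
            if not check_request(name, lifetime_seconds, revocation_supported)]


if __name__ == "__main__":
    # Constructed requests: a short-lived certificate and a one-year user certificate.
    print(admissible_profiles(12 * 3600, revocation_supported=False))   # ['slcs']
    print(admissible_profiles(365 * DAY, revocation_supported=True))    # ['traditional']
    print(issuance_path(idp_eugridpma_compliant=True))                  # automatic
```

The boundary case is deliberate: a lifetime of exactly 1,000,000 seconds is already outside the SLCS profile because the table says "less than", so such a request only passes as a traditional certificate, and then only with revocation handling in place.
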
Advantages
– One set of requirements for all certificates: simplicity of policy
– One infrastructure to handle all certificate requests
– Only valid or revoked certificates at all times
– Capitalize on the high standards of the user management system of SWITCHaai, for those institutions that follow the more stringent requirements

Summary
– There is interest and activity for interoperability AAI / Shibboleth - grid
  – But X.509 is still the standard security mechanism for grids (and likely to remain so for quite some time)
  – The issue is not only authentication but also attribute sharing between IdP, VO and SP
– GridShib:
  – Beta version available
  – GT4 and Shib 1.3
– SWITCH looks forward to participating in EGEE-2 to add interoperability Shibboleth - gLite
  – Implement interoperability Shibboleth - gLite
  – Policy issues
  – Building a Swiss gLite grid with our partners (universities, CSCS)