https://aarc-project.eu Authentication and Authorisation for Research and Collaboration. Peter Solagna, Milano, AARC General meeting: Current status and plans.

Presentation transcript:

Authentication and Authorisation for Research and Collaboration. Peter Solagna, EGI VO Management and AAI Operations Manager, EGI.eu. Milano, AARC General meeting: Current status and plans.

EGI, IGTF and VO management (slide diagram labels: Virtual Organization, VOMS Service, TRUST)

The key is: collaboration
- Authentication and Authorization workflows scale with the number of service providers and users.
- User identity is verified by the IGTF Certification Authorities, who issue the X509 certificates; the certificate enables uniform authentication of the user across resource centres.
- User communities have the tools to manage the membership of their users and their structure; they contribute to the trust chain and integrate the information provided by the Identity Providers.
- Authorization is based on the Virtual Organization membership and attributes, not on the single user identity; the user capabilities based on groups and roles within the VO are reflected as uniform access rights across the sites that support the VO.

VO Management Service
- VOMS requires X509 credentials for the users to register, to ask for VO membership and to be a VO Manager (approve users).
- VOMS adds additional information to an X509 proxy generated by the user: VO membership, VO group, VO roles. The extensions are signed using the VOMS host certificate.
- The user uses the VOMS-signed proxy to access services: all the information is shipped to the service provider.
- Service providers supporting a VO configure the information about the VOMS to verify that the proxy certificate has been signed by the authoritative VOMS for the specific VO.
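The service-provider side of the last point, as an added example (not EGI or VOMS code): the cryptographic check of the VOMS signature is assumed to happen elsewhere and is passed in as a flag, the VO name, DNs and FQAN rules are constructed, and the trusted-VOMS table stands in for whatever configuration a real site uses. What the code shows is the policy logic: extensions from a VOMS that is not the authoritative one for the VO, or from another VO, grant nothing.

```python
from dataclasses import dataclass

@dataclass
class VomsProxy:
    """The parts of a VOMS-signed proxy that the policy check looks at."""
    vo: str
    fqans: list          # VOMS FQANs, e.g. "/demo.vo/analysis/Role=NULL"
    voms_subject: str    # DN of the VOMS host certificate that signed the extension
    voms_issuer: str     # DN of the CA that issued that host certificate
    signature_ok: bool   # outcome of the X.509 signature check, done elsewhere (assumed)

# Authoritative VOMS server(s) per VO, as configured at a service provider.
# Constructed DNs for illustration only.
TRUSTED_VOMS = {
    "demo.vo": [("/DC=org/DC=example/CN=voms.example.org",
                 "/DC=org/DC=example/CN=Example CA")],
}

def parse_fqan(fqan):
    """Split a FQAN into (group path, role); Role=NULL means no role."""
    group, role = [], None
    for part in (p for p in fqan.split("/") if p):
        if part.startswith("Role="):
            role = None if part[5:] == "NULL" else part[5:]
        elif not part.startswith("Capability="):
            group.append(part)
    return "/" + "/".join(group), role

def authorize(proxy, rules):
    """Return local rights granted by the proxy, or [] if it is rejected.

    rules: list of ((group, role), right); role None matches any role.
    """
    if not proxy.signature_ok:
        return []                      # extension not signed by the claimed VOMS
    if (proxy.voms_subject, proxy.voms_issuer) not in TRUSTED_VOMS.get(proxy.vo, []):
        return []                      # signed, but not by the authoritative VOMS for this VO
    rights = []
    for fqan in proxy.fqans:
        group, role = parse_fqan(fqan)
        vo_root = "/" + proxy.vo
        if group != vo_root and not group.startswith(vo_root + "/"):
            continue                   # FQAN belongs to another VO: ignore it
        for (rule_group, rule_role), right in rules:
            if group == rule_group and rule_role in (None, role) and right not in rights:
                rights.append(right)
    return rights
```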

How is EGI bridging federated authentication with X509 now?
- Robot certificates: X509 credentials that can programmatically generate short-lived proxy credentials.
- Science gateways and portals are using the robot certificates to make resources available. Users in some cases can log in with their SAML credentials in the portals; in many cases science gateways are accessing eduGAIN IdPs.
- Problems with robot certificates: users are hidden behind the robot credentials; the robot certificate could be the only member of the VO; authentication and authorization is delegated to the portal.

Extend federated AuthZ
- Provide tools to the users to manage their user communities: distributed Attribute Authorities connected with the user's IdPs, which can be used also within application-specific environments for user authorization.
- Maintain uniform authorization across multiple service providers, based on the attributes provided by the user communities.
- Apply the collaborative trust approach of EGI to new authentication technologies.

Next steps
EGI wants to provide a full AAI integration layer for our service providers and users:
- Provide authoritative services for the provisioning of attribute authorities usable with credentials other than X509.
- Use these sources of information to generate X509 credentials backward compatible with the traditional X509-VOMS proxies.
- Allow VOs to support users with mixed credentials (e.g. SAML and X509) in a transparent way.
- Nothing should be done from scratch, but build on the AARC work.