Authentication and Authorisation for Research and Collaboration Christos Kanellopoulos GRNET Proposed Pilots for Libraries and eGov IDs Milan, 04 November 2016 GRNET

Two proposed pilots: 1.Federated Access Mechanisms for Library Consortia 2.Integrating eGov IDs 2 Agenda

3 “Guest Identities” Proposed Pilot: e-Gov eduGAIN and STORK High Level Architectures

Interconnection use cases Use Case 1: eduGAIN SP makes use of the STORK infrastructure Use Case 2: STORK SP makes use of the eduGAIN infrastructure (Does it make sense for AARC??) 4 “Guest Identities” Proposed Pilot: e-Gov

5 Proposed Pilot 1: eduGAIN SP makes use of the STORK infrastructure eduPEPS C-PEPSIdP SP Discovery Service 7 6 STORK eduGAIN 5 Scenario: A user visits an “eduGAIN” enabled SP. Authentication and Attribute Retrieval on/from STORK 1.User visits an eduGAIN enabled SP in Greece 2.The Greek SP redirects the user to the Discovery Service at GRNET. The user selects that she wants to be authenticate via “STORK” 3.The DS redirects the user back to the Greek SP with the information about the eduPEPS 4.The SP redirects the user to the eduPEPS along with an attribute request. The user has to choose her country 5.The user is redirected to the C-PEPS proxy service of her country and there she authenticates using her eID 6.The C-PEPS redirects the user back to the eduPEPS along with a SAML response that include the SAML authentication assertion and the requested attributes 7.The eduPEPS validates the SAML response, translates it to SAML2Int and redirects the user to the SP along with the SAML assertion 2

STORK SPS-PEPS eduPEPS C-PEPSIdP Discovery Service STORK eduGAIN Scenario: A user visits a STORK enabled SP. Authentication using eID and Attribute Retrieval from an “eduGAIN” IdP 1.User visits a STORK enabled SP 2.The STORK SP redirects the user to the S-PEPS. The user selects that she wants to be authenticate via “eduGAIN” 3.The S-PEPS redirects the user to the C-PEPS, where the user authenticates 4.The C-PEPS redirects the user back to the S-PEPS with the authentication assertion and a basic set of attributes 5.The S-PEPS verifies the response from the C-PEPS and redirects the user to eduPEPS. The eduPEPS translates the STORK SAML Attribute Request into a SAML2Int SAML Attribute Request 6.The eduPEPS redirects the user to a Discovery Service in eduGAIN (The Discovery Service could be integrated in the eduPEPS and skip this extra step.) 7.In the Discovery Service the user selects her home institution and is redirected back to the eduPEPS 8.The eduPEPS redirects the user to the IdP of the home institution that the user selects along with the SAML2Int Attribute Request. 9.Upon successful authentication and the IdP redirects the user back to the eduPEPS along with a SAML assertion that includes the released attributes 10.The eduPEPS translates the SAML assertion(s) and the retrieved attributes and generates a STORK SAML assertion. The user is redirected back to the S- PEPS with the STORK SAML assertion generated by the eduPEPS 11.The S-PEPS verifies the response from the eduPEPS and redirects the user back to the STORK SP along with aggregated set of the requested attributes. C-PEPS STORK IdP Proposed Pilot 2: STORK SP makes use of the eduGAIN infrastructure

7

8

Have a model for the case in which publisher contracts are managed centrally by the a library consortium. Having the consortium join a federation as an SP using the SP/IdP proxy has many benefits, which we can show case in this pilot (branding, flexible handling of the contract implementation, statistics etc) Survey library/consortia that have contracts in place that enable the use of federated access for access to resources and produce guidelines for producing federated access-friendly contracts When talking with library consortia, branding is a very important aspect. In this pilot, we want so show, that it is possible to join a national federation and retain control on the branding and the policies. Pilot a solution about Guest identities in the library space. Guest identities have multiple aspects for example library walk-ins, people in small organizations with no local IdM etc. Possible synergy with the GARR Library pilot 9 Library Pilot

HEAL-Link Pilot HEAL-Link is the consortium of academic and research libraries in Greece. It has 54 libraries as members and manages access to more than titles in 19 major publishers Currently HEAL-Link operated it’s own SAML Federation outside of GRNET and eduGAIN (although the IdPs in the HEAL-Link federation are the same like those in the GRNET federation) In this pilot HEAL-Link will join the GRNET Federation using the IdP/SP proxy model 10 Library Pilot

Benefits for Libraries/Library Consortia: The consortium can provide services to its members/users, without loosing its branding as a Service Provider (please note that this is the Service Provider branding we are looking for) In some cases the contracts are centrally managed and they ensure that the users are not identified in individual basis or by the organisations they are coming from. In other cases, the contracts stipulate that the home organizations must be made known to the publishers etc. These different kind of contracts can be satisfied using the proposed model. The technical infrastructure is managed centrally by the consortium. The libraries, and specially the smaller ones, will not have the overhead of maintaining a technical infrastructure. The consortium can add even more services if required, e.g. an EZproxy could be such a service in case there is interest and this is why we find also the GARR pilot interesting. Potential benefits for AARC: Experience with variations of the SP proxy model for library consortia A potential model for library consortia to join their local federations with a turn key solution. Guidelines for establishing contracts that enable the use of federated access mechanism in order to access the publisher content 11 Library Pilot

12

13 Contract management Access Statistics Guest Access Branding

© GEANT on behalf of the AARC project. The research leading to these results has received funding from the European Union’s Horizon 2020 research and innovation programme under Grant Agreement No (AARC). Thank you Any Questions? Christos Kanellopoulos