Authorization and Authentication Infrastructure
Daan Broeder & Dieter Van Uytvanck, Max Planck Institute for Psycholinguistics
CLARIN-NL Info Session, Nijmegen
Overview
- CLARIN and the holy grail
- Traditional federations
- AAI prototype
- Planning
CLARIN and the Holy Grail (1)
A researcher authenticates at his/her own organization and creates a “virtual” collection of resources from different repositories.
CLARIN and the Holy Grail (2)
- The collection is assembled by browsing a catalogue, searching through metadata, or searching in resource content.
- A workflow specification tool processes this virtual collection, possibly with a mix of home-grown and remote service components.
- Resulting data can be added to the origin repositories (together with the “virtual” collection).
- For our domain this is very ambitious and challenging, but even a partial realization is worthwhile!
Traditional Federations (1)
From a local user store to a traditional federation…
(diagram: a service provider first authenticating users against a local DB or LDAP over HTTP, then against an external IdP with its own user DB via SAML over HTTP, inside a federation)
Traditional Federations (2)
(diagram: IdPs and SPs inside a single federation)
CLARIN AAI prototype (1)
(diagram: several (identity) federations, each with its own IdPs and SPs)
CLARIN AAI Prototype (2)
7 Service Providers:
- INL
- Meertens Instituut
- MPI
- IDS
- DFKI
- BBAW
- CSC / U Helsinki
3 national Identity Federations:
- SurfFederatie (NL)
- DFN (DE)
- HAKA (FI)
AAI prototype agreements
Two options:
- One SP signs on behalf of all participating SPs (1xN, preferred)
- Every SP signs a separate contract with each national Identity Federation (NxN, more fuss but feasible)
Planning
- Before end 2009: prototype federation
  - WP7: contractual issues
  - WP2: technical aspects
- Keep good contacts with GEANT3/TERENA/eduGAIN
- Talks with CSC about implementing a common code of conduct service
Thank you for your attention CLARIN has received funding from the European Community's Seventh Framework Programme under grant agreement n°
Backup slides
(diagram: CLARIN SP metadata pushed separately into the DFN, HAKA and SurfFederatie metadata sets)
- Push SP metadata to each national IdF via the protocol chosen by that IdF (SMTP, the SWITCH system, …)
- Include metadata about the IdPs within each national IdF?
(diagram: with eduGAIN 2.0, CLARIN SP metadata and the DFN, HAKA and SurfFederatie metadata are exchanged through the eduGAIN metadata hub)
- Include metadata about the national IdPs in the SP metadata
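Whichever way the metadata travels (pushed per IdF or through the eduGAIN hub), the SP ends up consuming an aggregate it did not write and must decide whether to trust it. The following is an added example, not code from CLARIN or from any of the federations named above: it loads a constructed, minimal SAML 2.0 EntitiesDescriptor (the entity IDs and endpoints are invented), refuses aggregates that carry no validUntil or are past it, lists the IdPs a discovery page could offer, and checks that the SP's own pushed metadata actually landed in the aggregate. It assumes the aggregate's XML signature has already been verified out of band (for instance with xmlsec), since nothing in the block checks it.

```python
"""Consume a federation metadata aggregate the way an SP would.

Added example, not CLARIN code. SAMPLE_AGGREGATE is a constructed SAML 2.0
EntitiesDescriptor standing in for what a national federation (or the
eduGAIN hub) publishes. Signature verification is assumed to have happened
before this parser runs; it is not done here.
"""
import datetime as dt
import xml.etree.ElementTree as ET

MD = "urn:oasis:names:tc:SAML:2.0:metadata"
NS = {"md": MD}
REDIRECT = "urn:oasis:names:tc:SAML:2.0:bindings:HTTP-Redirect"

# Constructed sample: two IdPs and one SP (all names invented).
SAMPLE_AGGREGATE = """<md:EntitiesDescriptor xmlns:md="urn:oasis:names:tc:SAML:2.0:metadata"
    Name="urn:example:national-idf" validUntil="2009-12-31T00:00:00Z">
  <md:EntityDescriptor entityID="https://idp.uni-a.example/idp/shibboleth">
    <md:IDPSSODescriptor protocolSupportEnumeration="urn:oasis:names:tc:SAML:2.0:protocol">
      <md:SingleSignOnService Binding="urn:oasis:names:tc:SAML:2.0:bindings:HTTP-Redirect"
          Location="https://idp.uni-a.example/idp/profile/SAML2/Redirect/SSO"/>
    </md:IDPSSODescriptor>
  </md:EntityDescriptor>
  <md:EntityDescriptor entityID="https://idp.uni-b.example/saml2/idp">
    <md:IDPSSODescriptor protocolSupportEnumeration="urn:oasis:names:tc:SAML:2.0:protocol">
      <md:SingleSignOnService Binding="urn:oasis:names:tc:SAML:2.0:bindings:HTTP-POST"
          Location="https://idp.uni-b.example/saml2/idp/SSOService.php"/>
    </md:IDPSSODescriptor>
  </md:EntityDescriptor>
  <md:EntityDescriptor entityID="https://sp.clarin.example/shibboleth">
    <md:SPSSODescriptor protocolSupportEnumeration="urn:oasis:names:tc:SAML:2.0:protocol">
      <md:AssertionConsumerService Binding="urn:oasis:names:tc:SAML:2.0:bindings:HTTP-POST"
          Location="https://sp.clarin.example/Shibboleth.sso/SAML2/POST" index="1"/>
    </md:SPSSODescriptor>
  </md:EntityDescriptor>
</md:EntitiesDescriptor>
"""


class MetadataError(Exception):
    """Aggregate must not be used (wrong document type, missing or past validUntil)."""


def _utc(stamp):
    return dt.datetime.strptime(stamp, "%Y-%m-%dT%H:%M:%SZ").replace(tzinfo=dt.timezone.utc)


def load_aggregate(xml_text, now_iso):
    """Return ({idp entityID: {binding: location}}, {sp entityIDs}) or raise MetadataError.

    validUntil is enforced so that a stale copy of the aggregate, from which a
    compromised or retired IdP may since have been removed, cannot stay in use.
    """
    root = ET.fromstring(xml_text)
    if root.tag != "{%s}EntitiesDescriptor" % MD:
        raise MetadataError("not an EntitiesDescriptor")
    valid_until = root.get("validUntil")
    if valid_until is None:
        raise MetadataError("no validUntil: refusing to cache the aggregate indefinitely")
    if _utc(now_iso) > _utc(valid_until):
        raise MetadataError("aggregate expired at " + valid_until)
    idps, sps = {}, set()
    for ed in root.findall("md:EntityDescriptor", NS):
        entity_id = ed.get("entityID")
        for sso in ed.findall("md:IDPSSODescriptor/md:SingleSignOnService", NS):
            idps.setdefault(entity_id, {})[sso.get("Binding")] = sso.get("Location")
        if ed.find("md:SPSSODescriptor", NS) is not None:
            sps.add(entity_id)
    return idps, sps


def aggregate_usable(xml_text, now_iso):
    try:
        load_aggregate(xml_text, now_iso)
        return True
    except MetadataError:
        return False


def redirect_sso_endpoint(idps, entity_id):
    """Where a WAYF/discovery step would send the browser for this IdP, or None."""
    return idps.get(entity_id, {}).get(REDIRECT)


def sp_is_registered(sps, entity_id):
    """Did the push of our SP metadata to the national IdF actually land in its aggregate?"""
    return entity_id in sps


if __name__ == "__main__":
    idps, sps = load_aggregate(SAMPLE_AGGREGATE, "2009-06-01T00:00:00Z")
    print(sorted(idps))
    print(redirect_sso_endpoint(idps, "https://idp.uni-a.example/idp/shibboleth"))
    print(sp_is_registered(sps, "https://sp.clarin.example/shibboleth"))
```

In a Shibboleth SP deployment the validUntil check corresponds to the RequireValidUntil metadata filter, and the signature check to the Signature filter pinned to the federation's signing certificate; an SP that skips either accepts whatever an attacker can place at the metadata URL.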
Beyond the Traditional Federations: SPO
(diagram: several identity federations with their IdPs and SPs, plus a Service Provider Federation/Organization spanning them)
AAI Issues & Challenges (1)
CLARIN is not an IdF:
- our intended clientele is too widely spread
- no special IdP configuration can be expected
- so: only an SP organization relying on national IdFs
What forms the SP organization (w.r.t. AAI)?
- LRT community
- standard contracts with the (national) IdFs
- common set of CCs / licenses
- attribute requirements
- shallow versus deep federation
- SPs specify auditing level
- no penalties
AAI Issues & Challenges (2)
- Attribute harmonization
- eduGAIN solves it all?
- WAYF (& WFAYF)
- AAI software: Shibboleth and SimpleSAMLphp. Is there more needed?
- Guest accounts for the “homeless” (users without a home IdP)
AAI Issues & Challenges (3)
- SSO for client applications, e.g. downloading distributed virtual collections
- SSO for web services: deal with workflows chaining web services from different providers
- SSO when dealing with CCs, 3 options:
  - leave it to the SP
  - user attribute (~ IdP)
  - separate service, external attribute authorities
- Use of GRID resources: Data GRID & Compute GRID
eduGAIN confederation
- Connect national AAIs on a pan-European level
- GEANT (2, 3) workgroup: TF-EMC2
- CLARIN: excellent use case!
CLARIN Federation Infrastructure
CLARIN wants to be a LR&T “service federation”:
- simplified and unified rules for licensing and accessing
- agreements with national identity federations
- must make sure all necessary attributes are available
- cater also for A&A of non-web applications and web services
- interaction with GRID AAI
(diagram: national Identity Federations linked by trust agreements to eJournal Service Providers and LRT Service Providers)
DAM-LR EU project (1)
Small EU project ( ) on archive integration of 4 partners: corpus/computational linguistics and endangered language documentation.
- Resource discovery: sharing a single metadata set for searching & browsing
- Authentication & Authorization: single user identity, single sign-on by using Shibboleth
- Referencing and citing “archived resources” using a single persistent identifier system
DAM-LR EU project (2)
Experiences:
- The standard eduPerson attribute set is probably sufficient (but CCs …)
- Shibboleth is nice when using web applications, but applications need access too!
- Shibboleth is efficient when dealing with groups (e.g. staff, student, …), but our domain also has to deal with individuals => store user IDs in authorization records
- DAM-LR was a federation of both IdPs & SPs; CLARIN aims at a much larger potential user group whose home organizations do not want to run a CLARIN-specific IdP => use the national IdFs
Applications need Authentication too
(diagram: a user application, the IMDI copier, talking to archiveA and archiveB, each protected by Shibboleth on Apache and backed by an IdP)
User scenario: copying resources from different repositories to the local machine.
- The application speaks only HTTP with basic authentication
- It does not understand the form-based authentication employed by the Shibboleth IdP
- The application is also not able to profit from the SSO across archives
Possible solution: use certificates for authentication, obtained via an SLCS (short-lived credential service). (But can the authentication handshake be mimicked by software?)
Searching through annotations: content search in one archive
(diagram: CHAT, EAF and Shoebox files in the MPI Archive, one DB/search engine, a search service, an authorization DB and an IdP)
- Parsers “normalize” the structural format
- Content search in one archive: no problem (check a single DB)
Searching through annotations: federative search scenario
(diagram: a specialized web portal in front of the search services of the MPI Archive and Archive B, each with its own DB/search engine and AuthZ DB, with AuthN at the IdP)
- Parsers “normalize” the structural format
- The web portal app would like to act on behalf of the user and access the search services.
What do we aim for?
Licenses & Codes of conduct (1)
(diagram: user browser, IdP, SPa and SPb, each SP with its own CC DB)
- The SP requires the CC to be signed and takes care of this itself, but only for its own domain
- This can break the SSO if the user is required to sign the same CC several times
- CLARIN will harmonize the CCs and licenses to a limited number
Licenses & Codes of conduct (2)
(diagram: user browser, IdP holding the CC DB, SPa and SPb)
- Store the CC DB info in the user attributes at the IdP (cf. SWITCH uApprove)
- But how does it get there? A special app?
- Not every IdP will/can run this CC DB
Licenses & Codes of conduct (3)
(diagram: user browser, IdP, SPa and SPb, and a separate CC service with its own CC DB)
- Create a special CC service. This is part of the SPF, independent of the IdFs.
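The three CC options above, the attribute harmonization and attribute requirements of the issues slides, and the DAM-LR lesson that eduPerson attributes plus stored user IDs suffice all come together in the authorization decision an SP takes once the assertion has arrived. The following is an added example and not CLARIN code: it harmonizes attributes that IdPs release under OID names onto one vocabulary, enforces a required-attribute set, and runs the same user through two SPs once with a per-SP CC store (option 1) and once with a CC service shared by the whole SPF (option 3). The eduPerson/mail OIDs are the registered ones; the SP names, resource rules, CC identifier and user attributes are constructed. The practitioner caveat it makes explicit: a shared CC service has to be keyed on an identifier that is the same at every SP (eduPersonPrincipalName here); eduPersonTargetedID cannot serve, because an IdP mints a different value of it per SP.

```python
"""Codes of conduct per SP (option 1) versus one CC service for the SPF (option 3).

Added example, not CLARIN code. OIDs are the registered eduPerson/mail ones;
SP names, resource rules, the CC identifier and scenario() attributes are constructed.
"""

# Attributes arrive in SAML assertions under OID names; map them to one vocabulary.
OID_TO_NAME = {
    "urn:oid:1.3.6.1.4.1.5923.1.1.1.6": "eduPersonPrincipalName",
    "urn:oid:1.3.6.1.4.1.5923.1.1.1.7": "eduPersonEntitlement",
    "urn:oid:1.3.6.1.4.1.5923.1.1.1.9": "eduPersonScopedAffiliation",
    "urn:oid:1.3.6.1.4.1.5923.1.1.1.10": "eduPersonTargetedID",
    "urn:oid:0.9.2342.19200300.100.1.3": "mail",
}
# The attribute requirements the SPF states towards the IdFs (assumed set).
REQUIRED = ("eduPersonPrincipalName", "eduPersonScopedAffiliation")

# Constructed resource rules: permitted affiliations and the CC that must be signed first.
RESOURCES = {
    "corpus-A": {"affiliations": {"member", "student", "staff", "faculty"}, "cc": "clarin-cc-v1"},
    "corpus-B": {"affiliations": {"staff", "faculty"}, "cc": "clarin-cc-v1"},
}


class MissingAttribute(Exception):
    """The IdP did not release an attribute the SP's policy requires."""


def harmonize(raw):
    """Map OID or friendly names onto one vocabulary; every value becomes a list."""
    out = {}
    for name, values in raw.items():
        friendly = OID_TO_NAME.get(name, name)
        if isinstance(values, str):
            values = [values]
        out.setdefault(friendly, []).extend(values)
    missing = [a for a in REQUIRED if a not in out]
    if missing:
        raise MissingAttribute("IdP released no " + ", ".join(missing))
    return out


def affiliations(attrs):
    """'staff@uni-a.example' -> 'staff' (scope checking against the IdP is assumed elsewhere)."""
    return {v.split("@", 1)[0] for v in attrs.get("eduPersonScopedAffiliation", [])}


class PerSpCcStore:
    """Option 1: each SP keeps its own table, so a CC signed at SPa is asked again at SPb."""

    def __init__(self):
        self._accepted = set()

    def record(self, sp, user, cc_id):
        self._accepted.add((sp, user, cc_id))

    def has_accepted(self, sp, user, cc_id):
        return (sp, user, cc_id) in self._accepted


class SharedCcService:
    """Option 3: one service for the SPF; the asking SP is irrelevant. Keyed on
    eduPersonPrincipalName because it is identical at every SP; eduPersonTargetedID
    is pairwise (one value per SP) and would silently break the sharing."""

    def __init__(self):
        self._accepted = set()

    def record(self, sp, user, cc_id):
        self._accepted.add((user, cc_id))

    def has_accepted(self, sp, user, cc_id):
        return (user, cc_id) in self._accepted


def authorize(sp, raw_attributes, resource, cc_store):
    """SP decision after the assertion arrived: ('allow' | 'deny' | 'cc-required', detail)."""
    try:
        attrs = harmonize(raw_attributes)
    except MissingAttribute as exc:
        return ("deny", str(exc))
    rule = RESOURCES[resource]
    if not affiliations(attrs) & rule["affiliations"]:
        return ("deny", "affiliation not permitted for " + resource)
    user = attrs["eduPersonPrincipalName"][0]  # the user ID kept in authorization records
    if not cc_store.has_accepted(sp, user, rule["cc"]):
        return ("cc-required", rule["cc"])
    return ("allow", user)


def scenario(cc_store):
    """User logs in at SPa, signs the CC there, then reaches SPb through SSO."""
    from_idp = {  # constructed attributes, in OID form as an IdP releases them
        "urn:oid:1.3.6.1.4.1.5923.1.1.1.6": "jdoe@uni-a.example",
        "urn:oid:1.3.6.1.4.1.5923.1.1.1.9": ["staff@uni-a.example", "member@uni-a.example"],
        "urn:oid:1.3.6.1.4.1.5923.1.1.1.10": "v1:uni-a.example:SPa:4f7a2c",  # differs per SP
    }
    first = authorize("SPa", from_idp, "corpus-A", cc_store)
    if first[0] == "cc-required":
        cc_store.record("SPa", "jdoe@uni-a.example", first[1])  # the user clicks "accept"
    second = authorize("SPa", from_idp, "corpus-A", cc_store)
    third = authorize("SPb", from_idp, "corpus-B", cc_store)
    return [first[0], second[0], third[0]]


if __name__ == "__main__":
    print("per-SP store  :", scenario(PerSpCcStore()))     # CC asked again at SPb
    print("shared service:", scenario(SharedCcService()))  # signed once, valid at both SPs
```

Option 2 (acceptance carried as an IdP attribute) would make `has_accepted` a lookup in `attrs` instead of in a store, which is exactly why it needs every IdP to run the CC database.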
AAI Planning (1)
- Training courses for AAI: support of SimpleSAMLphp, Shibboleth
AAI Planning (2)
- Centers should make their policies explicit:
  - integration of SP with AAI
  - IdP support for their users
- Is there potential for a “fire brigade”? Help with configuration & integration. MPG (RZG) does something there; who else?
- Contracts with national IdFs (WP7)
- What role has eduGAIN?
What’s next?
- SLCS with SURFnet (preliminary research)
- Direct interaction with GEANT 3 (May 5/6)
- Talks with CSC about implementing a CC service