Federated Identity Management for HEP
David Kelsey, HEPiX, IHEP Beijing, 18 Oct 2012

Overview
- Update on Federated Identity Management (FIM) since Prague HEPiX
- Federated Identity Management for Research (FIM4R)
- WLCG FIM pilot project
(18 Oct 12, HEPiX FIM, Kelsey, slide 2)

Introduction to FIM
- Remove identity management from the service
  – Identity managed in one place, typically by employer
  – Benefits (and drawbacks!) of single sign-on
- Identity Provider (IdP) manages/provides attributes about Users
  – For AuthN and to some extent AuthZ
- Service Provider (SP) consumes attributes for access control and offers services to users
- Federation: a common trust and policy framework between multiple organisations, IdPs and SPs
- Federations also manage and distribute information (metadata) about the various providers

[Diagram: User, IdP, SP] Many different permutations depending on the technology

[Diagram: User, IdP, SP] Then add a community operated attribute authority (for AuthZ), e.g. VOMS AA

Some example federations
- Grid X.509 certificates in WLCG and elsewhere
  – International Grid Trust Federation
- eduroam
- European higher education (Shib, SAML etc)
  – UK Access Management Federation, SWITCHaai, SURFfederatie
  – And many others
- USA education and research: InCommon
- TERENA Cert Service connects national identity federation to a CA for personal certs (and similar CILogon in USA)
- eduGAIN is linking national federations
- Social networking (OpenID, OAuth)

Federated IdM for "Research" (FIM4R)
- A collaborative effort started in June 2011
- Involves photon & neutron facilities, social science & humanities, high energy physics, climate science and life sciences
- 4 workshops to date (next one in March 2013)
- Documented common requirements, a common vision and recommendations
- Accepted by the REFEDS community as an important use case for international federation
- CERN-OPEN:

Last 6 months
- FIM4R presented at REFEDS meeting, TERENA VAMP meeting, TNC2012, CHEP2012 and WLCG GDB/MB
- HEP (i.e. WLCG MB) has endorsed the paper
- FIM4R has prioritised the requirements
- We await a response from REFEDS
- Pilot projects by each community are the best way forward
  – In collaboration with eduGAIN, academic federations

Common Requirements (high priority and medium)
- End-user friendliness
- Browser and non-browser federated access
- Bridging between communities
- Multiple technologies and translators
- Open standards and sustainable licenses
- Different Levels of Assurance
- Authorisation under community and/or facility control
- Well defined semantically harmonised attributes
- Flexible and scalable IdP attribute release policy
- Attributes must be able to cross national borders
- Attribute aggregation for authorisation
- Privacy and data protection to be addressed with community-wide individual identities
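The SP-side decision that the IdP/SP/federation split (slide 3), the community attribute authority (slide 5) and the LoA, attribute-release and aggregation requirements on this slide add up to, as an added Python example that is not from the slides or from any of the projects named: the SP accepts only IdPs listed in the federation metadata, refuses an IdP that claims more assurance than the federation registered for it, fails closed when the IdP's release policy withholds a required attribute, and takes group membership from a VOMS-style community attribute authority rather than from the IdP. The metadata, entityIDs, principal names and group names are constructed.

```python
"""Constructed SP-side access decision for a federated login.

Added example, not code from the slides: an SP trusts the federation's
metadata, receives attributes from the user's home IdP, aggregates community
attributes from a VOMS-style attribute authority and applies its own policy.
All entityIDs, identifiers and group names below are made up."""
from dataclasses import dataclass, field

# Federation metadata as the federation would distribute it: which IdPs are
# members and the highest level of assurance (LoA) each is registered for.
FEDERATION_METADATA = {
    "https://idp.example-university.edu/idp": {"max_loa": 2},
    "https://idp.example-lab.org/idp": {"max_loa": 3},
}

# Community attribute authority (VOMS-like): the community, not the IdP,
# decides group membership. Keyed on the IdP-asserted principal name.
COMMUNITY_AA = {
    "alice@example-university.edu": ["/atlas", "/atlas/production"],
    "bob@example-lab.org": ["/cms"],
}


@dataclass
class Assertion:
    issuer: str        # entityID of the IdP that authenticated the user
    attributes: dict   # attributes the IdP chose to release to this SP
    loa: int           # level of assurance the IdP claims for this login


@dataclass
class Policy:
    required_loa: int
    required_group: str
    required_attributes: tuple = ("eduPersonPrincipalName",)


@dataclass
class Decision:
    allowed: bool
    reason: str
    identity: dict = field(default_factory=dict)


def aggregate_attributes(assertion: Assertion) -> dict:
    """Attribute aggregation: the IdP says who the user is, the community AA
    says what they may do. Returns one merged attribute set."""
    eppn = assertion.attributes.get("eduPersonPrincipalName")
    merged = dict(assertion.attributes)
    merged["groups"] = list(COMMUNITY_AA.get(eppn, []))
    return merged


def decide(assertion: Assertion, policy: Policy) -> Decision:
    """Apply the SP's policy to one federated login."""
    # 1. Trust: only IdPs present in the federation metadata are accepted.
    md = FEDERATION_METADATA.get(assertion.issuer)
    if md is None:
        return Decision(False, "issuer not in federation metadata")
    # 2. Level of assurance: an IdP may not claim more than the federation
    #    registered for it, and the SP enforces its own minimum.
    if assertion.loa > md["max_loa"]:
        return Decision(False, "IdP claims a higher LoA than federation metadata allows")
    if assertion.loa < policy.required_loa:
        return Decision(False, "level of assurance too low")
    # 3. Attribute release: the SP needs a small, well-defined attribute set;
    #    if the IdP's release policy withholds it, access fails closed.
    missing = [a for a in policy.required_attributes if a not in assertion.attributes]
    if missing:
        return Decision(False, "IdP did not release required attributes: " + ", ".join(missing))
    # 4. Authorisation under community control: group membership comes from
    #    the community AA, not from the IdP.
    identity = aggregate_attributes(assertion)
    if policy.required_group not in identity["groups"]:
        return Decision(False, "not a member of " + policy.required_group)
    return Decision(True, "access granted", identity)


if __name__ == "__main__":
    policy = Policy(required_loa=2, required_group="/atlas")
    logins = [
        Assertion("https://idp.example-university.edu/idp",
                  {"eduPersonPrincipalName": "alice@example-university.edu"}, 2),
        Assertion("https://idp.example-university.edu/idp",
                  {"eduPersonPrincipalName": "alice@example-university.edu"}, 3),
        Assertion("https://idp.example-lab.org/idp",
                  {"eduPersonPrincipalName": "bob@example-lab.org"}, 3),
        Assertion("https://idp.example-university.edu/idp", {"displayName": "Alice"}, 2),
        Assertion("https://idp.unknown.example/idp",
                  {"eduPersonPrincipalName": "eve@unknown.example"}, 3),
    ]
    for login in logins:
        d = decide(login, policy)
        print(f"{login.issuer:45s} loa={login.loa} -> {d.allowed}: {d.reason}")
```

The order of the checks matters: trust in the issuer is established before any attribute it asserts is read, and the LoA is bounded by what the federation registered for that IdP rather than taken on the IdP's word. The SP never has to hold the user's password and never stores group membership of its own, which is the point of slides 3 and 5.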

Federated IdM in HEP
- X.509 certificates for Grid services
  – Using TERENA Cert Service in many places
- But many other services (not just Grid!)
  – E.g. collaboration tools, wikis, mail lists, webs, agenda pages, etc.
- Today CERN has to manage 10s of thousands of user accounts, many are "external"
- eduroam (for wireless)
- What about other services/federations?
  – Using Shibboleth, SAML, OpenID, etc
- Technology appropriate to required level of assurance

WLCG FIM pilot
- Romain Wartel (CERN) is leading this
- Mail list created with current volunteers
- First meeting happened on 5th Oct 2012
- See next slides from Romain

Results of the 1st meeting
- Many issues to look at: requirements, technical feasibility, trust, policy, levels of assurance, etc.
- Focus of the pilot
  – The pilot is not just browser-based (need a CLI)
  – We should incorporate the university-based authentication systems (including SAML)
  – The end-user never sees the certificate

1st meeting (2)
- Goal of the pilot
  – a CLI login tool, typically a "voms-proxy-init" or "grid-proxy-init" replacement
  – able to authenticate users based on their home credentials
  – create X.509 credentials and proxy
  – optionally add VOMS extension
- CILogon, EMI Security Token Service (STS), arcproxy
  – All claim to meet the requirements
  – To be investigated further
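What the CLI tool described above hands back once the home-credential step has succeeded, and what a Grid service checks before accepting it, as an added Python example that is not the pilot's code nor that of CILogon, the EMI STS or arcproxy. A stand-in "online CA" plays the credential translation step and issues a short-lived end-entity certificate (EEC) for the federated identity; the tool then derives an RFC 3820 proxy certificate from it, so the proxy does the work and the user never handles a long-lived certificate. `check_proxy()` lists the checks a service would apply to the chain. It needs the `cryptography` package; the optional VOMS attribute certificate is not shown, and the CA name, federation name and identities are constructed.

```python
"""Constructed example of the credential chain a CLI login tool hands back.

Added example, not the pilot's code nor that of CILogon, the EMI STS or
arcproxy. A stand-in 'online CA' (the credential translation step) issues a
short-lived end-entity certificate (EEC) for a federated identity; the tool
derives an RFC 3820 proxy certificate from it. check_proxy() lists the checks
a Grid service performs on such a chain. Needs the 'cryptography' package;
the VOMS attribute certificate is not shown. All names are made up."""
import datetime as dt
from cryptography import x509
from cryptography.exceptions import InvalidSignature
from cryptography.hazmat.primitives import hashes
from cryptography.hazmat.primitives.asymmetric import ec
from cryptography.x509.oid import NameOID

PROXY_CERT_INFO_OID = x509.ObjectIdentifier("1.3.6.1.5.5.7.1.14")  # id-pe-proxyCertInfo
# DER of ProxyCertInfo { proxyPolicy { policyLanguage id-ppl-inheritAll } }
PROXY_CERT_INFO_INHERIT_ALL = bytes.fromhex("300c300a06082b06010505071501")


def _now():
    return dt.datetime.now(dt.timezone.utc)


def _not_after(cert):
    # cryptography >= 42 exposes aware datetimes; older versions are naive UTC.
    aware = getattr(cert, "not_valid_after_utc", None)
    return aware if aware is not None else cert.not_valid_after.replace(tzinfo=dt.timezone.utc)


def _sig_ok(cert, signer_public_key):
    try:
        signer_public_key.verify(cert.signature, cert.tbs_certificate_bytes,
                                 ec.ECDSA(cert.signature_hash_algorithm))
        return True
    except InvalidSignature:
        return False


def make_ca(name="Example Online CA"):
    """Self-signed CA standing in for the credential translation service."""
    key = ec.generate_private_key(ec.SECP256R1())
    subject = x509.Name([x509.NameAttribute(NameOID.COMMON_NAME, name)])
    cert = (x509.CertificateBuilder().subject_name(subject).issuer_name(subject)
            .public_key(key.public_key()).serial_number(x509.random_serial_number())
            .not_valid_before(_now() - dt.timedelta(minutes=5))
            .not_valid_after(_now() + dt.timedelta(days=365))
            .add_extension(x509.BasicConstraints(ca=True, path_length=None), critical=True)
            .sign(key, hashes.SHA256()))
    return key, cert


def issue_eec(ca_key, ca_cert, federated_id, hours=11):
    """Online CA issues a short-lived EEC bound to the federated identity."""
    key = ec.generate_private_key(ec.SECP256R1())
    subject = x509.Name([x509.NameAttribute(NameOID.ORGANIZATION_NAME, "Example Federation"),
                         x509.NameAttribute(NameOID.COMMON_NAME, federated_id)])
    cert = (x509.CertificateBuilder().subject_name(subject).issuer_name(ca_cert.subject)
            .public_key(key.public_key()).serial_number(x509.random_serial_number())
            .not_valid_before(_now() - dt.timedelta(minutes=5))
            .not_valid_after(_now() + dt.timedelta(hours=hours))
            .add_extension(x509.BasicConstraints(ca=False, path_length=None), critical=True)
            .sign(ca_key, hashes.SHA256()))
    return key, cert


def make_proxy(eec_key, eec_cert, hours=11):
    """RFC 3820 proxy: fresh key, subject = EEC subject + CN=<serial>, signed by the EEC key."""
    key = ec.generate_private_key(ec.SECP256R1())
    serial = x509.random_serial_number()
    subject = x509.Name(list(eec_cert.subject) + [x509.NameAttribute(NameOID.COMMON_NAME, str(serial))])
    not_after = min(_not_after(eec_cert), _now() + dt.timedelta(hours=hours))  # never outlive the EEC
    cert = (x509.CertificateBuilder().subject_name(subject).issuer_name(eec_cert.subject)
            .public_key(key.public_key()).serial_number(serial)
            .not_valid_before(_now() - dt.timedelta(minutes=5)).not_valid_after(not_after)
            .add_extension(x509.UnrecognizedExtension(PROXY_CERT_INFO_OID, PROXY_CERT_INFO_INHERIT_ALL), critical=True)
            .sign(eec_key, hashes.SHA256()))
    return key, cert


def check_proxy(proxy, eec, ca):
    """Return the list of failed checks (empty means the chain is acceptable)."""
    failures = []
    if not _sig_ok(eec, ca.public_key()):
        failures.append("EEC not signed by trusted CA")
    if proxy.issuer != eec.subject:
        failures.append("proxy issuer is not the EEC subject")
    subj = list(proxy.subject)
    if subj[:-1] != list(eec.subject) or subj[-1].oid != NameOID.COMMON_NAME:
        failures.append("proxy subject is not EEC subject plus one CN")
    try:
        if not proxy.extensions.get_extension_for_oid(PROXY_CERT_INFO_OID).critical:
            failures.append("proxyCertInfo not marked critical")
    except x509.ExtensionNotFound:
        failures.append("missing proxyCertInfo extension")
    if not _sig_ok(proxy, eec.public_key()):
        failures.append("proxy not signed by EEC key")
    if _not_after(proxy) > _not_after(eec):
        failures.append("proxy outlives the EEC")
    if _not_after(proxy) < _now():
        failures.append("proxy expired")
    return failures


def build_chain(federated_id):
    """The login tool end to end; returns (ca_cert, eec_cert, proxy_cert)."""
    ca_key, ca_cert = make_ca()
    eec_key, eec_cert = issue_eec(ca_key, ca_cert, federated_id)
    _, proxy_cert = make_proxy(eec_key, eec_cert)
    return ca_cert, eec_cert, proxy_cert


if __name__ == "__main__":
    ca, eec, proxy = build_chain("alice@example-university.edu")
    print("proxy subject:", proxy.subject.rfc4514_string())
    print("failures:", check_proxy(proxy, eec, ca))
```

Two design points carry the trust argument. The EEC lifetime is bounded by the translation service (hours, not the year-long lifetime of a classic personal certificate), which is what makes "the end-user never sees the certificate" tolerable from a level-of-assurance standpoint. The proxy is what the user's jobs actually present, so the checks in `check_proxy()` (issuer equals EEC subject, subject is the EEC subject plus exactly one CN, critical proxyCertInfo present, proxy validity inside EEC validity) are what keep a stolen proxy from being extended or re-used beyond its issuer's authority.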

1st meeting (3)
- Focus on defining the requirements and options for a proof-of-concept
- Later two separate subtasks might be defined
  – A trust, level of assurance, policy subtask
  – Software and technical issue subtask

More info – HEP pilot
- https://indico.cern.ch/getFile.py/access?contribId=7&resId=0&materialId=slides&confId=190743
- https://indico.cern.ch/getFile.py/access?contribId=18&resId=0&materialId=slides&confId=155069

Next steps
- FIM4R
  – Work with REFEDS and GEANT to make progress on pilot projects and solving the requirements
- WLCG FIM Pilot
  – Start the agreed plan of work
- Volunteers still welcome to join
  – Contact Romain Wartel at CERN

Questions?