AAI Developments AAI for e-infrastructures UK T0 workshop, Milton Hill Park 20-21 October 2015

AAAI definitions
Authentication – the process of establishing that entities are what they claim to be; or, a service that provides assurance that entities are who they claim to be, or of message origin.
Identification – establishing the identity of an entity: (a) that the name is a real-world name of the entity and (b) that the entity seeking access is the named entity (from RFC 3647).

AAAI definitions
Authorisation – conveyance of privilege from one entity that holds such privilege to another entity; the act of determining whether a particular right, such as access to some resource, can be granted to the presenter of a particular credential.
Accounting – the act of collecting information on resource usage for the purpose of trend analysis, auditing, billing, or cost allocation (X.509/RFC 3281, RFC 3539).

(Some) Background Studies
e-IRG
ENISA and NIST CSRC papers
TERENA AAA study
– "Advancing technologies and Federating communities"
FIM4R study(ies)
PDG cloud computing for R&I
AARC
– Similar architectures for AAI in projects

Common Requirements
Build on existing work
– Federations, IGTF, infrastructures
Federated identity management
– => Multi-LoA
– Identities with policies are stronger
– Establish trust in infrastructure
– Trust is the Warm and Fuzzy Feeling

Securing e-Infrastructures HOWTO
Secure endpoints
– IGTF (particularly for volume)
– Commercial CAs (particularly browser-facing endpoints), via NRENs
Decide end-user architecture
– Everything-can-talk-to-everything Grid (X.509)
– Portals as front ends
– Federated login: multi-federation, multi-LoA
– Or a hybrid?

Securing e-Infrastructures HOWTO
Prefer standards-based
– Promoting interoperation and reuse
– Improve sustainability of components
– No single technology solves every problem: credential conversions, proxies
Plethora of attribute authorities and authorisation managers
– HEXAA, VOMS, Perun, COmanage, GakuNin, REMS, Unity, …

Example Technologies
Authentication – Moonshot, SAML, X.509, OAuth2/OpenID Connect
Membership/role mgmt –
Authorisation – SAML, X.509, (eduroam)
Delegation – X.509/GSI, OAuth2
Account mgmt – SAFE
Accounting – SAFE, APEL

Example Issues
Proxies, certificates, ACs, cookies expire
– Trade-off: short lifetime vs revocation
Usability vs security
– User motivation to do the Right Thing™
– Understandability of security goals/certifications
PEBKACs
– End users focus on research, not on security
– People forget, share credentials
Access control granularity
Long-term support for components
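As an added illustration (not part of the slides) of the authorisation and accounting definitions above and of the expiry trade-off on this slide: a minimal policy decision point that checks a short-lived assertion for expiry, required LoA and entitlement before granting access, then emits an accounting record. The resource policy, the assertion format and the sample subject are constructed assumptions, not any real infrastructure's policy.

```python
from datetime import datetime, timedelta, timezone

# Constructed policy: minimum LoA and (optional) entitlement per resource.
POLICY = {
    "wiki":    {"min_loa": 1, "entitlement": None},
    "storage": {"min_loa": 2, "entitlement": "urn:example:eut0:member"},
    "hpc":     {"min_loa": 3, "entitlement": "urn:example:dirac:user"},
}

# Constructed clock and assertion, standing in for what a federated IdP or
# attribute authority would release (real SAML/VOMS formats differ).
NOW = datetime(2015, 10, 20, 12, 0, tzinfo=timezone.utc)
SAMPLE = {
    "subject": "alice@example.org",
    "loa": 2,
    "entitlements": ["urn:example:eut0:member"],
    "expires": NOW + timedelta(hours=12),  # short-lived: no revocation needed
}

def authorise(assertion, resource, now):
    """Decide whether the presenter of `assertion` may use `resource`.

    Returns (granted: bool, reason: str). Expiry is checked first: a
    short-lived credential is simply refused once it lapses, which is the
    'short lifetime' side of the lifetime-vs-revocation trade-off.
    """
    rule = POLICY.get(resource)
    if rule is None:
        return False, "unknown resource"
    if assertion["expires"] <= now:
        return False, "credential expired"
    if assertion["loa"] < rule["min_loa"]:
        return False, f"LoA {assertion['loa']} below required {rule['min_loa']}"
    ent = rule["entitlement"]
    if ent is not None and ent not in assertion["entitlements"]:
        return False, f"missing entitlement {ent}"
    return True, "ok"

def accounting_record(assertion, resource, decision, now):
    """Accounting: record who asked for what, and the outcome, for audit."""
    granted, reason = decision
    return {"time": now.isoformat(), "subject": assertion["subject"],
            "resource": resource, "granted": granted, "reason": reason}

def expired_copy(assertion, now):
    """Same assertion, but already lapsed (for showing the expiry refusal)."""
    return dict(assertion, expires=now - timedelta(seconds=1))

if __name__ == "__main__":
    for res in POLICY:
        print(accounting_record(SAMPLE, res, authorise(SAMPLE, res, NOW), NOW))
```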

Example Problems
1. (EUT0) assign an attribute to people in the room
2. (DiRAC) work around expiring credentials

Standards Organisations
IETF, OGF, OASIS, ISO, ITU/IEC, ETSI

Dramatis Personae
Entities (which authenticate themselves)
– Users
– Hosts
– Automated agents (monitoring, file movers)
Resources
– Endpoints
– Accounting systems
– Resource owners
Projects

AARC
– Common ground: architecture, LoA, …
– Training
– Policies
– Piloting (only) technologies
EGI, EUDAT, INDIGO DataCloud
Community IdPs
– E.g. Umbrella

Attempted Summary
Security is a process
Work with what's there
Work with standards
– Lowers risk, i
Work with reusable and interoperable components

Demo, pursued by bear
If there is time… (or try it yourself)
1. Upload a file to EUDAT using a Google id
2. Authenticate to JISCMAIL using UKAMF
Exercise: what does it do? What is missing? Why doesn't eventbooking.stfc.ac.uk do this?