Presentation is loading. Please wait.

Presentation is loading. Please wait.

European Grid Initiative AAI in EGI Status and Evolution Peter Solagna Senior Operations Manager

Published byKevin Thornton Modified over 8 years ago

Similar presentations

Presentation on theme: "European Grid Initiative AAI in EGI Status and Evolution Peter Solagna Senior Operations Manager"— Presentation transcript:

1 www.egi.eu European Grid Initiative www.egi.eu AAI in EGI Status and Evolution Peter Solagna Senior Operations Manager peter.solagna@egi.eu peter.solagna@egi.eu 1

2 www.egi.eu Outline Introduction to AAI in a federated environment EGI services and solutions for AAI Evolution of AAI in EGI Summary EGI AAI Webinar 2

3 www.egi.eu User authentication in a federated environment Local environment (e.g. one institution, one cluster) –Users have local accounts, validated often in a F2F verification with the system administrator –All the needed information are filled in at the moment of the registration Federated environment (e.g. distributed infrastructure) –Users do not have local accounts on every service/cluster/centre –Users own credentials that are recognized by all the service providers in the federation –Identity providers and service providers must agree on the: Information provided to the SP Level of assurance of the credentials Operations of the IdP EGI AAI Webinar 3

4 www.egi.eu User’s identity A user must be able to authenticate with the same identity on the distributed services From the user’s point of view –Uniform authentication enable cross-site workflows –Use of distributed resources using the same credential From the service provider’s point of view –Uniform authentication improves security operations in a federated environment –Easier management of users, and their access to resources EGI AAI Webinar 4

5 www.egi.eu Delegation For some workflows and use cases, delegation is an important capability –Applications that in general need to: access data stored by the user and not publicly accessible or to save data in the user’s storage area –Portals and scientific gateways do actions on behalf of the user, like job submission to compute resources. This is usually implemented by impersonating and delegating –Impersonation: the application/service acts as the user (using user’s temporary credentials). Done at authentication level. –Delegation: the user enables the service to work on his/her behalf. Done at authorization level EGI AAI Webinar 5

6 www.egi.eu Level of assurance Not all the credentials are the same! Examples: Very high level of assurance: eID High level of assurance with ID verification: –X509 certificates, many institutional IdP Social media credentials –Everyone with an email account can have one Not always the highest LoA is required: for some low-risk activities low assurance credentials are usable! The minimum LoA required is determined by the user community and the service provider requirements EGI AAI Webinar 6

7 www.egi.eu EGI-InSPIRE RI-261323 Authorization in a federated environment In a federated environment individual user authorization cannot be handled by the service provider –Service provider does not know the user and if him/her should be allowed to perform a specific action Rules for the authorization must use information associated with the user –Provided by the IdP –Provided by the research collaboration who grants users access to resources 7

8 www.egi.eu Distribute collaboration management in EGI: Virtual Organization Virtual Organization: A group of researchers with common interests, requirements and applications, who need to work collaboratively and/or share resources. Service providers enable users to access services and resources based on the VO membership and additional attributes such as roles within the VO and sub-groups of users within the VO The VO membership is managed by the VO Manager(s) who is the main contact with EGI and who knows the users and the groups in the collaboration –New users can be added and removed enabling/disabling their access rights, without direct intervention of service providers –VO Manager usually does not manage users credential, a VO is not an IdP EGI AAI Webinar 8

9 www.egi.eu Outline Introduction to AAI in a federated environment EGI services and solutions for AAI Evolution of AAI in EGI Summary EGI AAI Webinar 9

10 www.egi.eu EGI user authentication: X509 certificates X509 certificates are the main authentication technology used in EGIX509 certificates Trust network of certification authorities (IGTF/EUGridPMA) EGI services are configured to accept certificates released by the Certification Authorities federated within IGTF You have one IGTF personal certificate  you can authenticate wherever in EGI EGI AAI Webinar 10

11 www.egi.eu IGTF Trust framework Trust Domain: IGTF TAGPMAAPgridPMAEUgridPMA Policy Management Authorities CA RA.... User.... CA: Certification Authority RA: Registration Author ity Institution level National level EGI AAI Webinar 11

12 www.egi.eu How to obtain a certificate EGI AAI Webinar 12 Do you own credentials provided by an IdP federated in one of the national federations part of eduGAIN? You can most probably access the Terena Certificate Service (TCS) through your NREN, and get an X509 certificate without the need to contact a registration authorityTerena Certificate Service Do you own credentials provided by an IdP federated in one of the national federations part of eduGAIN? You can most probably access the Terena Certificate Service (TCS) through your NREN, and get an X509 certificate without the need to contact a registration authorityTerena Certificate Service

13 www.egi.eu Register in a Virtual Organization User registers at the VO via VOMS VO manager authorizes the user via VOMS VO manager can give specific attributes to users, or insert them in specific groups Specific VOMS service is configured in all the services supporting the VO VOMS VO Database Registering user Personal certificate VO Manager Request membership Approve request Set additional attributes/groups EGI AAI Webinar 13

14 www.egi.eu Authentication and Authorization workflow Virtual Organization TRUST EGI AAI Webinar 14

15 www.egi.eu The key is: trust & collaboration Authentication and Authorization workflows scale with the number of service providers and users –User identity is verified by the IGTF Certification Authorities who release the X509 certificates –The certificate enable uniform authentication of the user across resource centres User communities have the tools to manage the membership of their users and their structure –Collaborate to the trust chain and to integrate the information provided by the Identity Providers –Authorization is based on the Virtual Organization membership and attributes not on the single user identity –The user capabilities based on groups and roles within the VO are reflected into uniform access rights across the sites that support the VO EGI AAI Webinar 15

16 www.egi.eu X509 proxy certificate The X509 proxy certificate is a short-term credential derived by (and signed with) the user personal certificate In EGI proxy certificates are used for all non-interactive services and for delegation capabilities A computational task is “shipped” with the user’s proxy and can store output data on behalf of the user A proxy is self contained, and carries all the information needed to authenticate and to authorize the user at service level User identity User VO membership information signed by the VOMS that manages the VO User Certificate info VO Information X509 Proxy DN: EGI AAI Webinar 16

17 www.egi.eu Robot certificates and science gateways Portals and Scientific Gateways can hide the complexity of X509 to the users: –Users are AuthN&AuthZ in the portal Portal/SciGW is responsible for this –May or may not have a X.509 cert Portal/SciGW has a robot X.509 cert –A robot certificate can be stored on a machine and used programmatically to generate proxies –Perform tasks on Grids on behalf of users Issues: –Auth & logging responsibilities move to portals –Users become invisible to the infrastructure, traceability –For certain types of applications only Security limitations EGI AAI Webinar 17

18 www.egi.eu Outline Introduction to AAI in a federated environment EGI services and solutions for AAI Evolution of AAI in EGI Summary EGI AAI Webinar 18

19 www.egi.eu Improving the use of robot certificates In the science gateways every user impersonates the owner of the robot certificate –Security limitations –Non accurate accounting EGI is testing the per user sub-proxies –X509 proxies generated using a robot certificate –Including an additional extension with the user ID Robot Certificate info VO Information X509 Proxy DN: The same for every user of the gateway User UID Additional extension added by the science gateway. EGI AAI Webinar 19

20 www.egi.eu Advantages of the sub proxy User tracking –Services get “different” credentials for individual users –It’s possible to block one user without blocking all the users using the same robot certificate Security –Individual users can be isolated, e.g. preventing them to access other users’ workspace Accounting –Account for individual users’ usage –Report the actual number of real users accessing the infrastructure Per user sub-proxy tested within the Long tail of Science platform under development Other alternatives: Online CA It’s an alternative (more elegant?) solution for the same problem Not commonly available as the robot-certificates Robot-certificates at the moment are the quickest solution. EGI AAI Webinar 20

21 www.egi.eu Extend the X509 mechanism For some users approaching EGI, the X509 mechanism is a barrier –They do not have easy access to a Certification Authority –They would prefer to continue using their institutional credentials –VOs and Resource Providers implement portals to ease the access to the resources The most effective solution is to bridge other identity federations (eduGAIN, institutional IdP) with the EGI AAI –Technical bridge: credentials translation, support in the middleware for other AuthN protocols –Policy bridge: build trust between SP and IdP, enable different level of trust EGI AAI Webinar 21

22 www.egi.eu Flexible authentication By extending the current authentication mechanisms we will also enable users with the flexibility they need: Use lower level of assurance credentials for low-risk activities Integrate the IdP currently used by the communities with the EGI services EGI AAI Webinar 22

23 www.egi.eu Enable federated AuthZ Provide tools to the users to manage their user communities –Distributed Attribute Authorities connected with the user’s IdPs –Can be used also within application-specific environments for user authorization Maintain uniform authorization across multiple service providers –Based on the attributes provided by the user communities Apply the collaborative trust approach of EGI to new authentication technologies EGI AAI Webinar 23

24 www.egi.eu eduGAIN and EGI eduGAIN is the pan-European federation of national IdP federations –Includes most of the IdP used by researchers in Europe Limitations: –Not all the IdPs are part of eduGAIN federations –For many use cases a direct IdP SP communication (paperwork) is required –Some IdP The European-funded AARC project aims – among other things – to overcome part of these limitations EGI AAI Webinar 24

25 www.egi.eu How EGI can support communities in the AAI integration Possible scenario: User community want to use an institutional IdP to access EGI services IdP EGI AAI Webinar 25

26 www.egi.eu How EGI can support communities in the AAI integration Possible scenario: User community want to use an institutional IdP to access EGI services IdP EGI Federation Service Proxy Attribute Authority EGI AAI Webinar 26

27 www.egi.eu AARC support the collaboration model across institutional and sector borders guarantee user privacy and security build on the existing and evolving components EGI, ESFRI clusters, eduGAIN, national AAI federations, NGIs, IGTF, SCI, SirTFi, … design, test and pilot any missing components integrate them with existing working flows Expected starting date May 1 st Authentication and Authorisation for Research and Collaboration EGI AAI Webinar 27

28 www.egi.eu AARC – Work Packages JRA1 (GRNET) To research on technologies to deliver the design of the integrated AAI JRA1 (GRNET) To research on technologies to deliver the design of the integrated AAI NA3 (Nikhef) To define scalable policies and operational models for the integrated AAI NA3 (Nikhef) To define scalable policies and operational models for the integrated AAI SA1 (SURFnet) To pilot key components of the integrated AAI SA1 (SURFnet) To pilot key components of the integrated AAI NA2 (GEANT Ass.) To train, disseminate and reach out NA2 (GEANT Ass.) To train, disseminate and reach out NA1 (GEANT Ass.) Overall Management NA1 (GEANT Ass.) Overall Management Liaison with other relevant user communities, e-Infrastructures and international relevant AAI activities EGI.eu: Coordinate pilots involving EGI resources.Test attribute authorities solution for community management EGI.eu: Gather and bring the EGI RP requirements and EGI user communities requirements 28

29 www.egi.eu Outline Introduction to AAI in a federated environment EGI services and solutions for AAI Evolution of AAI in EGI Summary EGI AAI Webinar 29

30 www.egi.eu Current EGI Services for AAI EUGridPMA network of Certification Authorities operated by the NGIs All EGI services are configured to accept EUGridPMA certificates VOMS services to manage VO membership and attributes Science gateways to use other types of authentication (username/password) and robot certificates to access EGI services EGI AAI Webinar 30

31 www.egi.eu Possible future EGI services for EGI Based on the requirements and use cases Integration with federations and individual IdPs Service proxy to easily integrate new IdPs Attribute authorities network to manage user membership and regulate authorization Credential translation services to integrate the Authentication technologies used by the user community with the existing services EGI AAI Webinar 31

32 www.egi.eu Better support for collaborations The current trust architecture has proven to be scalable and to work: –Empower the user communities to regulate the access to the resources for their users –Build trust between user communities, service providers and identity providers Extend this approach by integrating other AuthN technologies in EGI –Provide tools to manage attributes using non X.509 credentials –Link the attribute authorities with eduGAIN and other IdPs –Where necessary bridge diverse AuthN technologies using credential translation services Bring the requirements from the CCs and in general the user communities to the European level, and ensure interoperability with other e-infrastructures through the AARC project EGI AAI Webinar 32

33 www.egi.eu Thanks for your attention Questions? EGI AAI Webinar 33

Download ppt "European Grid Initiative AAI in EGI Status and Evolution Peter Solagna Senior Operations Manager"

Similar presentations

EGI-InSPIRE RI-261323 EGI-InSPIRE EGI-InSPIRE RI-261323 AAI in EGI Status and Evolution Peter Solagna Senior Operations Manager

EGI-InSPIRE RI EGI-InSPIRE EGI-InSPIRE RI AAI in EGI Status and Evolution Peter Solagna Senior Operations Manager
Www.egi.eu EGI-InSPIRE RI-261323 EGI-InSPIRE www.egi.eu EGI-InSPIRE RI-261323 GGUS user authentication Tiziana Ferrari/EGI.eu Peter Solagna/EGI.eu 05-02-2013.

EGI-InSPIRE RI EGI-InSPIRE EGI-InSPIRE RI GGUS user authentication Tiziana Ferrari/EGI.eu Peter Solagna/EGI.eu
Www.egi.eu EGI-InSPIRE RI-261323 EGI-InSPIRE www.egi.eu EGI-InSPIRE RI-261323 EGI - Identity Management Steven Newhouse Director, EGI.eu Federated Identity.

EGI-InSPIRE RI EGI-InSPIRE EGI-InSPIRE RI EGI - Identity Management Steven Newhouse Director, EGI.eu Federated Identity.
2006 © SWITCH Authentication and Authorization Infrastructures in e-Science (and the role of NRENs) Christoph Witzig SWITCH e-IRG, Helsinki, Oct 4, 2006.

2006 © SWITCH Authentication and Authorization Infrastructures in e-Science (and the role of NRENs) Christoph Witzig SWITCH e-IRG, Helsinki, Oct 4, 2006.
Www.egi.eu EGI-Engage www.egi.eu EGI-Engage Engaging the EGI Community towards an Open Science Commons Project Overview 9/14/2015 EGI-Engage: a project.

EGI-Engage EGI-Engage Engaging the EGI Community towards an Open Science Commons Project Overview 9/14/2015 EGI-Engage: a project.
Www.egi.eu EGI-InSPIRE RI-261323 www.egi.eu EGI-InSPIRE RI-261323 EGI-InSPIRE EGI services for the long tail of science Peter Solagna Senior Operations.

EGI-InSPIRE RI EGI-InSPIRE RI EGI-InSPIRE EGI services for the long tail of science Peter Solagna Senior Operations.
Www.geant.org AARC Overview Licia Florio, David Groep 21 Jan 2015 presented by David Groep, Nikhef.

AARC Overview Licia Florio, David Groep 21 Jan 2015 presented by David Groep, Nikhef.
Federated Identity Management for HEP David Kelsey WLCG GDB 9 May 2012.

Federated Identity Management for HEP David Kelsey WLCG GDB 9 May 2012.
European Grid Initiative Federated Cloud update Peter solagna Pre-GDB Workshop 10/11/2015....1.

European Grid Initiative Federated Cloud update Peter solagna Pre-GDB Workshop 10/11/
EGEE-II INFSO-RI-031688 Enabling Grids for E-sciencE www.eu-egee.org EGEE and gLite are registered trademarks Interoperability Shibboleth - gLite Christoph.

EGEE-II INFSO-RI Enabling Grids for E-sciencE EGEE and gLite are registered trademarks Interoperability Shibboleth - gLite Christoph.
GILDA testbed GILDA Certification Authority GILDA Certification Authority User Support and Training Services in IGI IGI Site Administrators IGI Users IGI.

GILDA testbed GILDA Certification Authority GILDA Certification Authority User Support and Training Services in IGI IGI Site Administrators IGI Users IGI.
Authentication and Authorisation for Research and Collaboration Licia Florio (GÉANT) Christos Kanellopoulos (GRNET) Service orientation.

Authentication and Authorisation for Research and Collaboration Licia Florio (GÉANT) Christos Kanellopoulos (GRNET) Service orientation.
Evolution of the Open Science Grid Authentication Model Kevin Hill Fermilab OSG Security Team.

Evolution of the Open Science Grid Authentication Model Kevin Hill Fermilab OSG Security Team.
AAI WG EMI Christoph Witzig on behalf of EMI AAI WG.

AAI WG EMI Christoph Witzig on behalf of EMI AAI WG.
EGEE-III INFSO-RI-222667 Enabling Grids for E-sciencE EGEE and gLite are registered trademarks David Kelsey RAL/STFC,

EGEE-III INFSO-RI Enabling Grids for E-sciencE EGEE and gLite are registered trademarks David Kelsey RAL/STFC,
Https://aarc-project.eu Authentication and Authorisation for Research and Collaboration Pilots on the Integrated R&E AAI Paul van Dijk, Activity Lead Pilots.

Authentication and Authorisation for Research and Collaboration Pilots on the Integrated R&E AAI Paul van Dijk, Activity Lead Pilots.
Www.egi.euEGI-InSPIRE RI-261323 www.egi.eu EGI-InSPIRE RI-261323 EGI Future activities Peter Solagna – EGI.eu.

RI EGI-InSPIRE RI EGI Future activities Peter Solagna – EGI.eu.
EResearchers Requirements the IGTF model of interoperable global trust and with a view towards FIM4R AAI Workshop Presenter: David Groep, Nikhef.

EResearchers Requirements the IGTF model of interoperable global trust and with a view towards FIM4R AAI Workshop Presenter: David Groep, Nikhef.
Summary of AAAA Information David Kelsey Infrastructure Policy Group, Singapore, 15 Sep 2008.

Summary of AAAA Information David Kelsey Infrastructure Policy Group, Singapore, 15 Sep 2008.
Authentication and Authorisation for Research and Collaboration Licia Florio REFEDS Meeting The AARC Project I2 Technology Exchange.

Authentication and Authorisation for Research and Collaboration Licia Florio REFEDS Meeting The AARC Project I2 Technology Exchange.

Similar presentations

Ads by Google