Presentation is loading. Please wait.

Presentation is loading. Please wait.

Networks ∙ Services ∙ People www.geant.org Mandeep Saini TNC15, Porto, Portugal Virtual organisation Authorisation Management Practices in Research and.

Published byJody Palmer Modified over 8 years ago

Similar presentations

Presentation on theme: "Networks ∙ Services ∙ People www.geant.org Mandeep Saini TNC15, Porto, Portugal Virtual organisation Authorisation Management Practices in Research and."— Presentation transcript:

1 Networks ∙ Services ∙ People www.geant.org Mandeep Saini TNC15, Porto, Portugal Virtual organisation Authorisation Management Practices in Research and Education VAMPIRE 16 th June 2015 Task Leader, GN4-1 SA5 T6 – AAI in GÉANT Senior Software Engineer, GÉANT Task Leader, GN4-1 SA7 T3 – Service Delivery and Adoption

2 Networks ∙ Services ∙ People www.geant.org GN4 - a 7 year project under Horizon 2020 Requires a robust and efficient solution for all aspects of identity management. GÉANT Community Virtual Organisation VO Authentication eduGAIN service Successfully addresses authentication in heterogeneous environment. VO Authorisation Multiple services, each with local database to store groups and authorisation attributes. 2 Introduction

3 Networks ∙ Services ∙ People www.geant.org 3 GN3Plus Intranet 1. Access Protected Page GN3Plus Intranet 2. User not authenticated, redirected to IdP Authenticates User 3. Returns SAML Assertion via browser Retrieves Unique Handle 4. fetch group membership 5. Display content Identity Provider GÉANT Active Directory

4 Networks ∙ Services ∙ People www.geant.org Distributed authorisation leads to … Duplication of data Duplication of effort Increased risk of stale data Complex centralised user provisioning and de-provisioning process Audit ineffectiveness 4 Problem Statement

5 Networks ∙ Services ∙ People www.geant.org Central Authorisation Management System (CAMS) Centralises authorisation data Decentralises the management for authorisation data Defines workflows for the effective data and people management Makes use of following tools: Gropuper Comanage 5 Proposed Solution

6 Networks ∙ Services ∙ People www.geant.org GÉANT Service 2 GÉANT Service 3 6 High Level Architecture SP Proxy Discovery Service IdP 1 IdP 2 IdP n GÉANT Service n Attribute Authority Grouper LDAP COmanage GÉANT Service 1

7 Networks ∙ Services ∙ People www.geant.org Bootstrapping using delegation model Adding/Removing a project participant Change of Affiliation Change of group membership Project participant accesses a service for the first time, who is not registered in central system. Revalidating project participants Managing exceptions Auditing 7 Workflows

8 Networks ∙ Services ∙ People www.geant.org Bootstrapping using delegation model GÉANT Project Start-up Registration of all project participants with appropriate groups and authorisation data. Defined automated process using delegation model. To reduce IT overhead Includes features such as: Email invitations Enabling participant’s self-registration A delegation model to fit in the distributed management environment. IT invites Activity Leaders Activity Leaders invites Task Leaders Task Leaders invites Team Members The workflow is not only useful at the start of the project but also every time a new service or organisation is added to the central authorisation system. 8 Workflows … (Part 1)

9 Networks ∙ Services ∙ People www.geant.org 9 User Provisioning Sequence Diagram GÉANT CAMS 3. Redirected to Discovery Service 5. Authenticates User 6. Returns SAML Assertion via browser Identity Provider SP Proxy DS 1.User receives invitation via email 2.Click on invitation URL 4. User selects Idp, redirected to the selected IdP via browser 7. Generates Unique Internal Id, if not already exists for the user. 9. Provisions user - maps grouper memberships to EPPN, SP Proxy generated unique user Id and COmanage generated unique user Id 8. Returns user attributes, in the form of SAML assertion via browser

10 Networks ∙ Services ∙ People www.geant.org Adding/Removing a project participant: Defines project participants’ provisioning and de-provisioning using delegation model. Preserves history when a project participant is de-provisioned. Change of group membership: The need arises: if user needs to be added or removed from a specific group or if user’s role has changed within project/home organisation etc. Change of Affiliation: Migrate the project participant’s profile to a new ID, affiliated to a new organisation. 10 Workflows … (Part 2)

11 Networks ∙ Services ∙ People www.geant.org Project participant accesses a service for the first time User doesn’t exist in the CAMS. Focuses on creating a positive user experience Automated process for self-registration. Project participant presented with a webpage Pre-populated fields Principal Name, First Name, Last Name, Email Address, Affiliation, Scoped Affiliation User to specify why they need access Request sent to group owner Verify and validate the information provided Assign user to the appropriate groups. 11 Workflows … (Part 3)

12 Networks ∙ Services ∙ People www.geant.org Revalidating project participants To ensure that the project participant accounts are still active, defines automated and periodic revalidation. Managing exceptions Handles scenarios that deviate from “standard” practices e.g. a project participant might not hold the role of Task Leader (TL) but still be required to have all the same access as TLs. Defines the workflow, while taking care to provide the correct information as well e.g. list of TLs should not return ‘like TLs’ project participants. Auditing Defines verification of all the processes that are carried out at the central authorisation system to ensure their effectiveness and correctness at regular intervals. 12 Workflows … (Part 4)

13 Networks ∙ Services ∙ People www.geant.org 13 Detailed Architecture COmanage Grouper WS Grouper UI Tomcat Apache HTTP Server Grouper PSP Attribute Authority Grouper WS Tomcat Apache HTTP Server Tomcat Attribute Authority Grouper WS Tomcat Apache HTTP Server Web Browser Load Balancer MySQL replica Master LDAP Master MySQL LDAP replica MySQL replica LDAP replica VOOT SAML LDAP Virtual Machine SP Proxy / Service Provider SAML VOOT LDAP

14 Networks ∙ Services ∙ People www.geant.org 14 User Login Sequence Diagram [ User found] 9. Display content 1. Access Protected Page 2. User not authenticated, redirected to DS 3. User selects Idp, redirected to the selected IdP via browser Authenticates User 4. Returns SAML Assertion via browser Locates user’s unique internal Id Attribute Resolving 5. Request attributes 6. Returns attributes SP Proxy DS Tools Portal IdP AA alt user’s self-registration 8. Authentication success Response [ else ] 7. Authentication success response + attributes

15 Networks ∙ Services ∙ People www.geant.org GÉANT CAMS rolled out in production in April 2015. Used bootstrapping workflow to register GN4 Phase 1 project participants. GN4 Intranet (SharePoint 2013) using CAMS for authorisation Doesn’t use any local database for AA SP 2013 Grouper Claim Provider Uses VOOT Connector Queries Grouper to add search capabilities to the people picker. ADFS LDAP Attribute Store Provides user’s authorisation data at login time. Grouper Attribute Store implementation in progress. 15 Current Status

16 Networks ∙ Services ∙ People www.geant.org No single product covers all use cases out of the box. All VO’s are unique with different requirements. Product usability needs improvement. User training is important. Define group & OUs structure in advance. Decentralisation requires user buy-in. 16 Challenges and Lessons Learnt

17 Networks ∙ Services ∙ People www.geant.org GÉANT SP Proxy’s integration with CAMS. GÉANT Wiki GÉANT Tools Portal GÉANT JIRA Other GÉANT Services Automation of remaining workflows: Project participant accesses a service for the first time, who is not registered in CAMS. Revalidating project participants Managing exceptions Auditing Complete Grouper Attribute Store implementation Feedback given to Comanage and Grouper developers Bugs and feature requests 17 Next Steps

18 Networks ∙ Services ∙ People www.geant.org Thank you Networks ∙ Services ∙ People www.geant.org This work is part of a project that has applied for funding from the European Union’s Horizon 2020 research and innovation programme under Grant Agreement No. 691567 (GN4-1). 18 Mandeep.saini@geant.org

Download ppt "Networks ∙ Services ∙ People www.geant.org Mandeep Saini TNC15, Porto, Portugal Virtual organisation Authorisation Management Practices in Research and."

Similar presentations

Manifest – the Service Application Manifest is our new service, with Grouper as its logic engine, to manage populations which are known to us and those.

Manifest – the Service Application Manifest is our new service, with Grouper as its logic engine, to manage populations which are known to us and those.
T-110.5140 Network Application Frameworks and XML Service Federation 30.04.2007 Sasu Tarkoma.

T Network Application Frameworks and XML Service Federation Sasu Tarkoma.
Effort in hours Duration Over Weeks Or Months Inception Launch Web Lifecycle Methodology Maintenance Phases 1234576891011 Copyright Wonderlane Studios.

Effort in hours Duration Over Weeks Or Months Inception Launch Web Lifecycle Methodology Maintenance Phases Copyright Wonderlane Studios.
Valma Technical Aspects

Valma Technical Aspects
ABSTRACT Zirous Inc. is a growing company and they need a new way to track who their employees working on various different projects. To solve the issue.

ABSTRACT Zirous Inc. is a growing company and they need a new way to track who their employees working on various different projects. To solve the issue.
About Dynamic Sites (Front End / Back End Implementations) by Janssen & Associates Affordable Website Solutions for Individuals and Small Businesses.

About Dynamic Sites (Front End / Back End Implementations) by Janssen & Associates Affordable Website Solutions for Individuals and Small Businesses.
1 Multi Cloud Navid Pustchi April 25, 2014 World-Leading Research with Real-World Impact!

1 Multi Cloud Navid Pustchi April 25, 2014 World-Leading Research with Real-World Impact!
RECALL THE MAIN COMPONENTS OF KIM Functional User Interfaces We just looked at these Reference Implementation We will talk about these later Service Interface.

RECALL THE MAIN COMPONENTS OF KIM Functional User Interfaces We just looked at these Reference Implementation We will talk about these later Service Interface.
U.S. Department of Agriculture eGovernment Program August 14, 2003 eAuthentication Agency Application Pre-Design Meeting eGovernment Program.

U.S. Department of Agriculture eGovernment Program August 14, 2003 eAuthentication Agency Application Pre-Design Meeting eGovernment Program.
I2Q & WMnet Pilot Presented by Jason Rousell – i2Q Jay Neale - i2Q.

I2Q & WMnet Pilot Presented by Jason Rousell – i2Q Jay Neale - i2Q.
Shib-Grid Integrated Authorization (Shintau) George Inman (University of Kent) TF-EMC2 Meeting Prague, 5 th September 2007.

Shib-Grid Integrated Authorization (Shintau) George Inman (University of Kent) TF-EMC2 Meeting Prague, 5 th September 2007.
AAI-enabled VO Platform “VO without Tears” Christoph Witzig EGI TF, Amsterdam, Sept 15, 2010.

AAI-enabled VO Platform “VO without Tears” Christoph Witzig EGI TF, Amsterdam, Sept 15, 2010.
Belnet Federation Belnet – Loriau Nicolas Brussels – 12 th of June 2014.

Belnet Federation Belnet – Loriau Nicolas Brussels – 12 th of June 2014.
Helsinki Institute of Physics (HIP) - 2003 Liberty Alliance Overview of the Liberty Alliance Architecture Helsinki Institute of Physics (HIP), May 9 th.

Helsinki Institute of Physics (HIP) Liberty Alliance Overview of the Liberty Alliance Architecture Helsinki Institute of Physics (HIP), May 9 th.
Networks ∙ Services ∙ People www.geant.org Mandeep Saini TF-MSP, Espoo, Finland Service Delivery and Adoption 10 th Sep 2015 Task Leader, GN4-1 SA7 T3.

Networks ∙ Services ∙ People Mandeep Saini TF-MSP, Espoo, Finland Service Delivery and Adoption 10 th Sep 2015 Task Leader, GN4-1 SA7 T3.
Neil Witheridge APAN29 Sydney February 2010 ARCS Authorisation Services Neil Witheridge Manager, ARCS Authorisation Services APAN29, Sydney, February 2010.

Neil Witheridge APAN29 Sydney February 2010 ARCS Authorisation Services Neil Witheridge Manager, ARCS Authorisation Services APAN29, Sydney, February 2010.
Training Role Module 8 – User Admin Ver. 10 Oct 2009.

Training Role Module 8 – User Admin Ver. 10 Oct 2009.
1 The World Bank Internet Services Program Rajan Bhardvaj

1 The World Bank Internet Services Program Rajan Bhardvaj
Responsibilities of ROC and CIC in EGEE infrastructure A.Kryukov, SINP MSU, CIC Manager Yu.Lazin, IHEP, ROC Manager

Responsibilities of ROC and CIC in EGEE infrastructure A.Kryukov, SINP MSU, CIC Manager Yu.Lazin, IHEP, ROC Manager
AAI WG EMI Christoph Witzig on behalf of EMI AAI WG.

AAI WG EMI Christoph Witzig on behalf of EMI AAI WG.

Similar presentations

Ads by Google