Presentation is loading. Please wait.

Presentation is loading. Please wait.

The IGTF to eduGAIN Bridge

Published byMartina Price Modified over 7 years ago

Similar presentations

Presentation on theme: "The IGTF to eduGAIN Bridge"— Presentation transcript:

1 The IGTF to eduGAIN Bridge
Bringing X.509 and SAML together Ioannis Kakavas Nicolas Liampotis AARC SA1 - Pilots AARC SA1 - Pilots Identity & Security Engineer, GRNET S.A. AAI Research Engineer, GRNET S.A. 39th EUGridPMA meeting, Firenze

2 AARC support the collaboration model across institutional and sector borders advance mechanisms that will improve the experience for users guarantee their privacy and security build on the very many existing and evolving components ESFRI clusters, eduGAIN, national AAI federations, NGIs, IGTF, SCI, SirTFi design, test and pilot any missing components integrate them with existing working flows

3 AARC support the collaboration model across institutional and sector borders advance mechanisms that will improve the experience for users guarantee their privacy and security build on the very many existing and evolving components ESFRI clusters, eduGAIN, national AAI federations, NGIs, IGTF, SCI, SirTFi design, test and pilot any missing components integrate them with existing working flows

4 Bridging IGTF to eduGAIN The facts
eScience Services Traditionally support X.509 authentication Paradigm shift towards federated SSO Support for authentication at Home Organizations eScience Services Users Large number of them already have X.509 certificates Some of them might not have an account at the Identity Provider of their Home Organization Some of them might not have a Home Organization Some of them might not want to / cannot use their Home Organization account eScience Services Authentication X.509 certificates from IGTF Accredited CAs provide higher assurance than Home Organization IdP credentials

5 Bridging IGTF to eduGAIN The problem statement
How can we allow eScience Services Users to access the Services Using the X.509 certificates that they already have Not forcing them to register/use Home Organization accounts Carrying a high LoA (Level of Assurance) And at the same time How can we allow eScience Services To follow the paradigm shift to federated SSO To not lose/alienate their user base To maintain LoA requirements

6 Bridging IGTF to eduGAIN The solution
authX509toSAML

7 Bridging IGTF to eduGAIN authX509toSAML
Functionality Authenticates users based on their X.509 certifcates Translates X.509 certificates to SAML assertions Stateless by design -> Distributed nature *

8 Bridging IGTF to eduGAIN authX509toSAML
Design Principles* Principle of Economy of Mechanism Minimal implementation ( minimal bugs ) Each component should do what it is designed to do Principle of Fail-safe Defaults Provide sane defaults where applicable Principle of Open Design Use / extend well known software components Principle of Psychological Acceptability Easy to use workflow / UX that users are familiar with *

9 Bridging IGTF to eduGAIN authX509toSAML Components
Apache2 httpd server Handles X509 client authentication Accepts only certificates signed by IGTF accredited Cas SimpleSAMLphp module ( authX509toSAML) Performs token translation Authenticated certificate  SAML Assertion

10 Bridging IGTF to eduGAIN authX509toSAML

11 Bridging IGTF to eduGAIN authX509toSAML
Apache2 httpd Configuration SSLVerifyClient require SSLVerifyDepth 1 SSLCACertificatePath "/usr/share/igtf-policy/classic_mics“ Debian packages: igtf-policy-{classic,mics}

12 Bridging IGTF to eduGAIN authX509toSAML
SimpleSAMLphp module (authX509toSAML) 'x509' => array( 'authX509toSAML:X509userCert', 'authX509toSAML:cert_name_attribute': 'CN', 'authX509toSAML:assertion_name_attribute': 'displayName', 'authX509toSAML:assertion_dn_attribute': 'distinguishedName', 'authX509toSAML:assetion_assurance_attribute': 'eduPersonAssurance', 'authX509toSAML:parse_san_ s': TRUE 'authX509toSAML:parse_policy': TRUE, 'authX509toSAML:export_eppn': FALSE, ),

13 Bridging IGTF to eduGAIN authX509toSAML
SimpleSAMLphp module (authX509toSAML) 'cert_name_attribute': The attribute in the certificate carrying the name of the subject 'assertion_name_attribute':The attribute in the SAML Assertion to map the above 'assertion_dn_attribute': The attribute in the SAML Assertion to map the DN 'assetion_assurance_attribute': The attribute ubin the SAML Assertion to use for certificate policy attributes ‘parse_san_ s': Attempt to parse SANs with type Address 'parse_policy': Attempt to parse Certificate Policy extention, 'export_eppn': Attempt to parse eduPersonPrincipalName from the CN ( i.e. Grid Robot certificates

14 Bridging IGTF to eduGAIN Demo
“Researcher needs to have access to SAML Service Provider published in eduGAIN, but they do not have an account at the IdP of their Home Organization. They do, however, have a certificate issued to them by the IGTF accredited HellasGrid Certification Authority.”

15

Download ppt "The IGTF to eduGAIN Bridge"

Similar presentations

Federated Identity for Grid Architects Tom Scavo NCSA

Federated Identity for Grid Architects Tom Scavo NCSA
EGI-InSPIRE RI-261323 EGI-InSPIRE EGI-InSPIRE RI-261323 AAI in EGI Status and Evolution Peter Solagna Senior Operations Manager

EGI-InSPIRE RI EGI-InSPIRE EGI-InSPIRE RI AAI in EGI Status and Evolution Peter Solagna Senior Operations Manager
Authentication solutions for Outlook and Office 365 Multi-factor authentication for Office 365 Outlook client futures.

Authentication solutions for Outlook and Office 365 Multi-factor authentication for Office 365 Outlook client futures.
Case Studies in Identity Management for Scientific Collaboration 2014 Technology Exchange Jim Basney CILogon This material is.

Case Studies in Identity Management for Scientific Collaboration 2014 Technology Exchange Jim Basney CILogon This material is.
2006 © SWITCH Authentication and Authorization Infrastructures in e-Science (and the role of NRENs) Christoph Witzig SWITCH e-IRG, Helsinki, Oct 4, 2006.

2006 © SWITCH Authentication and Authorization Infrastructures in e-Science (and the role of NRENs) Christoph Witzig SWITCH e-IRG, Helsinki, Oct 4, 2006.
1 Issues in federated identity management Sandy Shaw EDINA IASSIST 24-27 May 2005, Edinburgh.

1 Issues in federated identity management Sandy Shaw EDINA IASSIST May 2005, Edinburgh.
WebFTS as a first WLCG/HEP FIM pilot

WebFTS as a first WLCG/HEP FIM pilot
Www.geant.org AARC Overview Licia Florio, David Groep 21 Jan 2015 presented by David Groep, Nikhef.

AARC Overview Licia Florio, David Groep 21 Jan 2015 presented by David Groep, Nikhef.
Federated Identity Management for HEP David Kelsey WLCG GDB 9 May 2012.

Federated Identity Management for HEP David Kelsey WLCG GDB 9 May 2012.
PAPI Points of Access to Providers of Information.

PAPI Points of Access to Providers of Information.
AAI-enabled VO Platform “VO without Tears” Christoph Witzig EGI TF, Amsterdam, Sept 15, 2010.

AAI-enabled VO Platform “VO without Tears” Christoph Witzig EGI TF, Amsterdam, Sept 15, 2010.
Belnet Federation Belnet – Loriau Nicolas Brussels – 12 th of June 2014.

Belnet Federation Belnet – Loriau Nicolas Brussels – 12 th of June 2014.
EGEE-II INFSO-RI-031688 Enabling Grids for E-sciencE www.eu-egee.org EGEE and gLite are registered trademarks Interoperability Shibboleth - gLite Christoph.

EGEE-II INFSO-RI Enabling Grids for E-sciencE EGEE and gLite are registered trademarks Interoperability Shibboleth - gLite Christoph.
EGEE-II INFSO-RI-031688 Enabling Grids for E-sciencE www.eu-egee.org EGEE and gLite are registered trademarks Interoperability Shibboleth - gLite Christoph.

EGEE-II INFSO-RI Enabling Grids for E-sciencE EGEE and gLite are registered trademarks Interoperability Shibboleth - gLite Christoph.
Connect. Communicate. Collaborate Federation Interoperability Made Possible By Design: eduGAIN Diego R. Lopez (RedIRIS)

Connect. Communicate. Collaborate Federation Interoperability Made Possible By Design: eduGAIN Diego R. Lopez (RedIRIS)
Kerberos and Identity Federations Daniel Kouřil, Luděk Matyska, Michal Procházka, Tomáš Kubina AFS & Kerberos Best Practices Worshop 2008.

Kerberos and Identity Federations Daniel Kouřil, Luděk Matyska, Michal Procházka, Tomáš Kubina AFS & Kerberos Best Practices Worshop 2008.
AAI WG EMI Christoph Witzig on behalf of EMI AAI WG.

AAI WG EMI Christoph Witzig on behalf of EMI AAI WG.
Internet2 Middleware Initiative Shibboleth Ren é e Shuey Systems Engineer I Academic Services & Emerging Technologies The Pennsylvania State University.

Internet2 Middleware Initiative Shibboleth Ren é e Shuey Systems Engineer I Academic Services & Emerging Technologies The Pennsylvania State University.
EResearchers Requirements the IGTF model of interoperable global trust and with a view towards FIM4R AAI Workshop Presenter: David Groep, Nikhef.

EResearchers Requirements the IGTF model of interoperable global trust and with a view towards FIM4R AAI Workshop Presenter: David Groep, Nikhef.
Https://aarc-project.eu Authentication and Authorisation for Research and Collaboration Peter Solagna Milano, AARC General meeting Report and plans Attribute.

Authentication and Authorisation for Research and Collaboration Peter Solagna Milano, AARC General meeting Report and plans Attribute.

Similar presentations

Ads by Google