Presentation is loading. Please wait.

Presentation is loading. Please wait.

EGI Updates Check-in Matthew Viljoen – EGI Foundation

Published byGavin Ross Modified over 6 years ago

Similar presentations

Presentation on theme: "EGI Updates Check-in Matthew Viljoen – EGI Foundation"— Presentation transcript:

1 EGI Updates Check-in Matthew Viljoen – EGI Foundation
Nicolas Liampotis – GRNET Peter Solagna – EGI Foundation FIM4R, 19 Sept 2017, Montreal

2 FIM4R, 19 September 2017, Montreal
Contents Overview Use cases Production status Work in progress FIM4R, 19 September 2017, Montreal

3 FIM4R, 19 September 2017, Montreal
Check-in Overview FIM4R, 19 September 2017, Montreal

4 FIM4R, 19 September 2017, Montreal
AAI strategy for EGI OIDC X.509 OIDC SAML X.509 X.509 X.509 OIDC SAML X.509 Check-in X.509 X.509 SAML X.509 OIDC Social media IdP FIM4R, 19 September 2017, Montreal

5 FIM4R, 19 September 2017, Montreal
Check-in Overview Check-in provides a reliable and interoperable AAI solution for the EGI service providers federation, and external service providers. It enables single sign-on to services through eduGAIN identity providers and other institutional or social media credentials Check-in development, lead by GRNET, has been supported by the EGI-Engage project. The EGI Council supports the long-term operations of the service. Check-in has been developed in close collaboration with the AARC project, and it implements the recommendations of the AARC Blueprint Architecture and Policy Framework FIM4R, 19 September 2017, Montreal

6 FIM4R, 19 September 2017, Montreal
Check-in Features Supports authorised access to protected resources based on VO/group membership and role information Aggregates user attributes from different sources, including external community-managed attribute providers Supports the linking of multiple external identities to a persistent, non-re-assignable, unique user identifier within the EGI infrastructure Associates a Level of Assurance (LoA) to each authenticated identity in the EGI infrastructure Reliable and secure: Highly available by design. Operated under the strict security policies of the EGI federation, and the EGI Foundation ISO20k-certified processes Simple: CheckIn hides the complexity of dealing with multiple IdPs and sources of authorisation information Low overhead: Service providers do not need to deal with the bureaucracy of integrating with multiple identity providers and attribute authorities Interoperable: Published in eduGAIN as a service provider compliant with REFEDS R&S and Sirtfi. Supports translation of credentials across the most popular standards: SAML 2.0, OpenID Connect, OAuth 2.0, and X.509 FIM4R, 19 September 2017, Montreal

7 Check-in Architecture
Implementation of the AARC blueprint architecture All EGI SPs can have one statically configured IdP No need to run an IdP Discovery Service on each SP Connected SPs get consistent/harmonised user identifiers and accompanying attribute sets from different IdPs/AAs that can be interpreted in a uniform way for authorisation purposes External IdPs only deal with a single EGI SP proxy FIM4R, 19 September 2017, Montreal

8 FIM4R, 19 September 2017, Montreal
Check-in use cases FIM4R, 19 September 2017, Montreal

9 For the RI using EGI: AAI integration
eduGAIN Social IDPs Institutional IdP Community operating its own AAI connected as an IdP to CheckIn to allow its users to access EGI services & resources Access EGI services without changing your authentication workflow AAI Proxy EGI Check-in EGI Infrastructure Service Service FIM4R, 19 September 2017, Montreal

10 For the communities: External attribute provider
eduGAIN Community managing authorisation information about the users (VO/group memberships and roles) via their own  group management service, which is connected to Check-in as an external attribute authority Check-in will handle the configuration of the IdPs and the aggregation of the attributes for the SPs No need to migrate the group management functionality to an EGI-specific attribute authority Institutional IdP Social IdPs Virtual Organization Service EGI Check-in EGI Infrastructure Service Service FIM4R, 19 September 2017, Montreal

11 For the communities: full AAI platform with group management as a service
eduGAIN Communities that do not operate their own group management service can leverage the group management capabilities of the CheckIn platform Ready-to-use solution Avoid overhead of deploying a dedicated group management service Support for multi-tenancy to allow authorised VO admins to manage the information about their users independently Easy connect to both EGI and non-EGI services Institutional IdP Social IDPs EGI CheckIn Service Virtual Organization Service EGI Infrastructure Service Supported technologies: CΟmanage Perun FIM4R, 19 September 2017, Montreal

12 For service providers: AAI as a service
eduGAIN Social IDPs Check-in as an authentication proxy Enable login from institutional IdPs in eduGAIN and social media Minimal overhead for the service development All the other CheckIn features are available for the SP: account linking, attribute aggregation, .. Prerequisites: Service provider must accept EGI policies on data protection Institutional IdPs EGI CheckIn EGI Infrastructure Service FIM4R, 19 September 2017, Montreal

13 Check-in production status
FIM4R, 19 September 2017, Montreal

14 FIM4R, 19 September 2017, Montreal
Check-in today Identity Providers: SAML2.0: eduGAIN OIDC/OAuth2: Google, Facebook, LinkedIn, ORCID X.509: IGTF Service Providers: SAML2.0 & OIDC Attribute Authorities SAML2.0 Attr. Query, REST, LDAP, SQL Token Translation Services SAML2.0-to-X.509: Master Portal to RCauth.eu Online CA Support for Levels of Assurance User enrolment & account linking IdP Discovery User Consent FIM4R, 19 September 2017, Montreal

15 Check-in consumes information from many diverse sources
GOCDB VOMS COmanage Perun SAML IdP OpenID Connect IdP e/R-Infra AAI proxy (e.g. ELIXIR) External VO Management (e.g. Unity IDM) FIM4R, 19 September 2017, Montreal

16 Support for Levels of Assurance
Check-in supports 3 different Levels of Assurance: Use case Check-in conveys the LoA associated with the authenticated identity to SPs for authorisation purposes Communicated through the eduPersonAssurance attribute in SAML or acr clain in OIDC Translated into entitlements expressing the right of a user to access a particular resource (e.g. access Rcauth Onlince CA) Key features/ Profiles AARC-Assam IGTF-DOGWOOD IGTF-BIRCH AARC-Darjeeling Unique ID Identity Vetting Multi Factor FIM4R, 19 September 2017, Montreal

17 FIM4R, 19 September 2017, Montreal
Check-in will implement the AARC guidelines to express group membership information Use of URN-formatted entitlement values: <namespace>:group:<group>[:<subgroup>*][:role=<role>]#<group-authority> <group> is the name of a VO, research collaboration or a top level arbitrary group; unique within a given <namespace> optional list of <subgroup> components represents the hierarchy of subgroups in the <group> optional <role> component indicates particular position of the user; scoped to the rightmost (sub)group <group-authority> indicates the authoritative source for the group membership and role information FIM4R, 19 September 2017, Montreal

18 User-friendly interface for managing OpenID Connect/OAuth 2.0 tokens
Provides users with an overview of all OpenID Connect/Oauth 2.0 services they have authorised to access their EGI account Allows users to see the specific permissions (e.g. read , offline access, etc.) granted to each service Enables users to manage access/refresh tokens associated with each service: Revoke access for individual tokens or service as a whole Retrieve access/refresh tokens to be used for federated access to CLI tools/APIs FIM4R, 19 September 2017, Montreal

19 Integration with RCauth.eu Online CA
Check-in has been integrated with the production RCAuth.eu Online CA Users can retrieve X.509 proxies by authenticating through Check-in FIM4R, 19 September 2017, Montreal

20 Reliable and secure AAI platform
EGI has always invested in improving and maintaining the reliability and security of the services EGI has a mature and complete set of security policies and the processes to enforce them Extended with Check-in specific policies: Check-in acceptable usage policy Check-in data protection policy Agreement documents to integrate non-EGI and non-eduGAIN SPs and IdPs and maintain the compliance FIM4R, 19 September 2017, Montreal

21 FIM4R, 19 September 2017, Montreal
Work in progress FIM4R, 19 September 2017, Montreal

22 FIM4R, 19 September 2017, Montreal
Check-in Next Steps Align with AARC guidelines on expressing group membership and role information Align with REFEDS/AARC Assurance Profiles Complete integration with EUDAT AAI Provide user-friendly interfaces for managing OpenID Connect/OAuth 2.0 tokens Support for (de-)provisioning and continuous update of user account information FIM4R, 19 September 2017, Montreal

23

Download ppt "EGI Updates Check-in Matthew Viljoen – EGI Foundation"

Similar presentations

EGI-InSPIRE RI-261323 EGI-InSPIRE EGI-InSPIRE RI-261323 AAI in EGI Status and Evolution Peter Solagna Senior Operations Manager

EGI-InSPIRE RI EGI-InSPIRE EGI-InSPIRE RI AAI in EGI Status and Evolution Peter Solagna Senior Operations Manager
EUDAT FIM4R at TNC 2014 Jens Jensen, STFC, on behalf of EUDAT AAI task force.

EUDAT FIM4R at TNC 2014 Jens Jensen, STFC, on behalf of EUDAT AAI task force.
Authentication and Authorisation for Research and Collaboration Licia Florio (GÉANT) Christos Kanellopoulos (GRNET) Service orientation.

Authentication and Authorisation for Research and Collaboration Licia Florio (GÉANT) Christos Kanellopoulos (GRNET) Service orientation.
AAI WG EMI Christoph Witzig on behalf of EMI AAI WG.

AAI WG EMI Christoph Witzig on behalf of EMI AAI WG.
Authentication and Authorisation for Research and Collaboration Licia Florio AARC Workshop The AARC Project Brussels, 26 October.

Authentication and Authorisation for Research and Collaboration Licia Florio AARC Workshop The AARC Project Brussels, 26 October.
Https://aarc-project.eu Authentication and Authorisation for Research and Collaboration Peter Solagna Milano, AARC General meeting Current status and plans.

Authentication and Authorisation for Research and Collaboration Peter Solagna Milano, AARC General meeting Current status and plans.
Https://aarc-project.eu Authentication and Authorisation for Research and Collaboration Peter Solagna Milano, AARC General meeting Report and plans Attribute.

Authentication and Authorisation for Research and Collaboration Peter Solagna Milano, AARC General meeting Report and plans Attribute.
Https://aarc-project.eu Authentication and Authorisation for Research and Collaboration Peter Solagna Milano, AARC General meeting Current status and plans.

Authentication and Authorisation for Research and Collaboration Peter Solagna Milano, AARC General meeting Current status and plans.
Authentication and Authorisation for Research and Collaboration Christos Kanellopoulos Open Day Event: Towards the European Open.

Authentication and Authorisation for Research and Collaboration Christos Kanellopoulos Open Day Event: Towards the European Open.
Www.eudat.eu EUDAT receives funding from the European Union's Horizon 2020 programme - DG CONNECT e-Infrastructures. Contract No. 654065 B2ACCESS LSDMA.

EUDAT receives funding from the European Union's Horizon 2020 programme - DG CONNECT e-Infrastructures. Contract No B2ACCESS LSDMA.
Www.egi.eu EGI-InSPIRE RI-261323 EGI-InSPIRE www.egi.eu EGI-InSPIRE RI-261323 Evolution of AAI for e- infrastructures Peter Solagna Senior Operations Manager.

EGI-InSPIRE RI EGI-InSPIRE EGI-InSPIRE RI Evolution of AAI for e- infrastructures Peter Solagna Senior Operations Manager.
Www.eudat.eu b2access.eudat.eu B2ACCESS The simple and secure authorisation and authentication platform of EUDAT This work is licensed under the Creative.

b2access.eudat.eu B2ACCESS The simple and secure authorisation and authentication platform of EUDAT This work is licensed under the Creative.
European Grid Initiative AAI in EGI Status and Evolution Peter Solagna Senior Operations Manager

European Grid Initiative AAI in EGI Status and Evolution Peter Solagna Senior Operations Manager
Https://aarc-project.eu Authentication and Authorisation for Research and Collaboration Peter Solagna, Davide Vaghetti, et al. Topics for PY2 activities.

Authentication and Authorisation for Research and Collaboration Peter Solagna, Davide Vaghetti, et al. Topics for PY2 activities.
Https://aarc-project.eu Authentication and Authorisation for Research and Collaboration Peter Solagna, Nicolas EGI AAI integration experiences AARC Project.

Authentication and Authorisation for Research and Collaboration Peter Solagna, Nicolas EGI AAI integration experiences AARC Project.
Https://aarc-project.eu Authentication and Authorisation for Research and Collaboration AARC/CORBEL Workshop for Life Sciences AAI AARC Draft Blueprint.

Authentication and Authorisation for Research and Collaboration AARC/CORBEL Workshop for Life Sciences AAI AARC Draft Blueprint.
ELIXIR AAI Michal Procházka, Mikael Linden, EGI VC 15 March 2016.

ELIXIR AAI Michal Procházka, Mikael Linden, EGI VC 15 March 2016.
Security in the wider world David Kelsey (STFC-RAL) GridPP37 – Ambleside 2 Sep 2016.

Security in the wider world David Kelsey (STFC-RAL) GridPP37 – Ambleside 2 Sep 2016.
The IGTF to eduGAIN Bridge

The IGTF to eduGAIN Bridge
Building Trust for Research and Collaboration

Building Trust for Research and Collaboration

Similar presentations

Ads by Google