CheckIn: the AAI platform for EGI
Nicolas Liampotis - GRNET
Outline
- Overview
- The evolution of CheckIn
- Today in production
- Work in progress
- Use cases
EGI Conference 2017
Overview
Overview
CheckIn is the new AAI platform for the EGI infrastructure
- Developed in the context of EGI-Engage, task JRA1.1, led by GRNET
- Adoption of federation solutions based on open and standards-based technologies: SAML 2.0, OpenID Connect/OAuth 2.0, X.509
- Integration of off-the-shelf products with some customisations
- The work in EGI-Engage has been performed in close collaboration with the AARC project. CheckIn is aligned with the architecture, policies and best practices produced by AARC
Goals of CheckIn
- Enable users to access EGI services and resources using their existing credentials from their Home Organisations (via eduGAIN when possible)
  - Institutional IdPs must provide a unique user identifier
- Support “homeless” users, who cannot rely on a reliable institutional IdP
- Support authorised access to protected resources based on VO/group membership and role information
- Aggregate user attributes from different sources, including community-managed attribute providers
- Support the linking of multiple external identities to a persistent, non-reassignable, unique user identifier within the EGI infrastructure
- Associate a Level of Assurance (LoA) to each authenticated identity in the EGI infrastructure
- Provide translation mechanisms to hide the complexity of different protocols/technologies from EGI services
The evolution of CheckIn
How it all started
May 2015: Introduction of the EGI AAI Roadmap and Architecture
Why proxy? Because… AARC!
Why proxy?
- All EGI SPs can have one statically configured IdP
  - No need to run an IdP Discovery Service on each EGI SP
- Connected SPs get consistent/harmonised user identifiers and accompanying attribute sets from different IdPs/AAs that can be interpreted in a uniform way for authZ purposes
- External IdPs only deal with a single EGI SP proxy
The road to production
- May 2015: Introduction of AAI roadmap and architecture
- Dec 2015: First PoC with support for SAML IdPs/SPs
- Mar 2016: First Alpha Release with support for SAML (institutional) & OIDC/OAuth2 (social) IdPs and SAML SPs
- Apr 2016: Start of on-boarding activity with user communities (ELIXIR) and ops tools (GOCDB, AppDB)
- Aug 2016: Support for OpenID Connect/OAuth2 services
- Sep 2016: Registration of SP Proxy with eduGAIN under REFEDS R&S Entity Category
- Feb 2017: Support for Sirtfi Framework & integration with online CA
Today in production
CheckIn today
Identity Providers:
- SAML2.0: eduGAIN
- OIDC/OAuth2: Google, Facebook, LinkedIn, ORCID
- X.509: IGTF
Service Providers: SAML2.0 & OIDC
Attribute Authorities: SAML2.0 Attr. Query, REST, LDAP, SQL
Token Translation Services: SAML2.0-to-X.509 (Master Portal to Online CA)
Support for Levels of Assurance
User enrolment & account linking
IdP Discovery
User Consent
Sources of attributes
CheckIn aggregates attributes from the following sources:
- SAML attribute authorities and IdPs
- OIDC IdPs
- LDAP/SQL
- Specific REST interface-based attribute authorities
All the attributes relevant to a service are provided in the authentication assertion released by CheckIn to the SP, including:
- Attributes stored by CheckIn (e.g. EGI UID)
- Attributes released by the user’s IdP
- Attributes released by the attribute authorities (e.g. VO membership and role information)
Sources of attributes integrated:
- COmanage
- GOCDB
- Perun
- Unity IDM (LToS)
Integration with operational tools
GOCDB - Configuration management database
- Integrated as SAML 2.0 SP (Shibboleth)
  - Requires substantial LoA
- Integrated as Attribute Authority (REST API)
  - Provides EGI Resource Centre Admin roles
AppDB - Software and Cloud marketplace
- Integrated as SAML 2.0 SP (SimpleSAMLphp)
- Requires VO membership and role information from CheckIn
GGUS - Helpdesk
OpenID Connect support
Service Providers can connect to the EGI AAI using OpenID Connect (OIDC) as an alternative to SAML2:
- allowing integration with a wider range of services built on top of modern web standards (OAuth 2.0, REST and JSON)
- enabling federated access for non-browser based resources, such as CLI tools and APIs, in a standardised way (OAuth 2.0 access & refresh tokens)
The CheckIn OIDC Provider allows users to sign in using any of the supported backend authentication mechanisms, i.e. institutional IdPs (eduGAIN) or Social Media IdPs
OIDC client integration through the Client Management UI for:
- obtaining OAuth 2.0 credentials
- registering one or more redirect URIs
- registering required scopes (e.g. openid, profile, ...)
PoC with cloud services under implementation
Level of Assurance – What is it?
In a nutshell: the level of confidence that the person who is authenticating is actually who they claim to be, based on:
- Identifier uniqueness (including the reassignment policy in place)
- Identity proofing and credential issuance, renewal and replacement
- Authentication strength
- Attribute quality and freshness (primarily pertaining to the home organisation and affiliation information)
- Operational security of the Identity Provider
Levels of Assurance – What to do with it?
CheckIn supports different Levels of Assurance. Examples:
- Low level: Social Media IDs (everyone with an account can have one)
- Substantial level: IGTF X.509 certificates, many institutional IdPs (e.g. compliant with REFEDS R&S and Sirtfi requirements)
- High: eGov IDs, Substantial + Multi Factor Authentication (TBD)
Use case:
- CheckIn conveys the LoA associated with the authenticated identity to SPs for authorisation purposes
- Communicated through the eduPersonAssurance attribute in SAML or the acr claim in OIDC
- Translated into entitlements expressing the right of a user to access a particular resource (e.g. access RCauth)
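The SP-side check the two LoA slides describe, as an added example that is not CheckIn or EGI code: it reads the LoA signalled by the proxy (eduPersonAssurance in SAML, acr in OIDC) together with the user's entitlements and fails closed unless both a minimum level and the required entitlement are present. The assurance URIs, the `urn:example:vo:...` entitlement and the `eduperson_entitlement` OIDC claim name are assumptions of the example.

```python
"""Relying-party authorisation on assertions released by an AAI proxy.

Added example, not CheckIn or EGI code. The assurance URIs and the OIDC
entitlement claim name are constructed assumptions, not real profile values.
"""
from typing import Iterable, List, Mapping

# Constructed placeholder values; a deployment maps whatever the proxy really releases.
LOA_RANK = {
    "urn:example:loa:low": 1,          # e.g. social media IDs
    "urn:example:loa:substantial": 2,  # e.g. IGTF certificates, R&S + Sirtfi IdPs
    "urn:example:loa:high": 3,         # e.g. eGov IDs, substantial + MFA
}
LEVEL_RANK = {"low": 1, "substantial": 2, "high": 3}


def _as_list(raw: object) -> List[str]:
    """SAML attributes are multi-valued lists; the OIDC acr claim is a single string."""
    if raw is None:
        return []
    if isinstance(raw, str):
        return [raw]
    return [str(v) for v in raw]


def assurance_values(assertion: Mapping[str, object]) -> List[str]:
    """LoA values from a SAML attribute map (eduPersonAssurance) or OIDC claims (acr)."""
    return _as_list(assertion.get("eduPersonAssurance", assertion.get("acr")))


def entitlement_values(assertion: Mapping[str, object]) -> List[str]:
    # Using "eduperson_entitlement" as the OIDC claim name is an assumption of this example.
    return _as_list(assertion.get("eduPersonEntitlement", assertion.get("eduperson_entitlement")))


def loa_rank(values: Iterable[str]) -> int:
    """Highest recognised level; unknown or absent values rank 0 so the check fails closed."""
    return max((LOA_RANK.get(v, 0) for v in values), default=0)


def authorise(assertion: Mapping[str, object], required_entitlement: str, minimum_level: str) -> bool:
    """Grant only if the entitlement is present AND the signalled LoA meets the minimum."""
    if required_entitlement not in entitlement_values(assertion):
        return False
    return loa_rank(assurance_values(assertion)) >= LEVEL_RANK[minimum_level]
```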
Integration with Online CA
(Diagram: RC Auth components)
Integration with Online CA
- Production Online CA has been integrated with CheckIn
- Users can retrieve X.509 proxies by authenticating through CheckIn
- So, can I submit grid jobs with my eduGAIN account? Not yet
  - RCAuth can be used only with VOs that are authorized
  - New version of LCMAPS that implements this condition for user authorization:
Policies and procedures
CheckIn is published as a Service Provider in eduGAIN compliant with:
- REFEDS Research and Scholarship Entity Category: sufficient attribute release and unique non-reassignable user identifiers by compliant Identity Providers
- Sirtfi Framework v1.0: coordination of incident response across federated organisations
EGI CheckIn Acceptable Use Policy
EGI CheckIn Data Privacy Policy
EGI CheckIn integration forms for IdPs/SPs
Work in progress
Transparent VO management
- Translation of VO information into VOMS proxies (from SAML/OIDC)
- Provisioning of VOMS information through SAML and OIDC interfaces
(Diagram: X.509 credentials / VOMS service, SAML/OIDC credentials / attribute service, CheckIn)
Translation of group information into VOMS proxies
Use case description:
- User does not have a personal certificate
- User VO is not managed by a VOMS, but with a generic attribute management service
- User needs to access an X.509 based service
Work in progress: COmanage plugin for VOMS (de)provisioning
Translation of VO information into VOMS proxy
(Diagram: Virtual Organization (SAML2), Science Gateway, My Proxy, RC Auth, CheckIn, VOMS)
Provisioning of VOMS information through SAML and OIDC interfaces
Use case:
- Classic VOMS-based VO members need to access a SAML/OIDC service
- VO membership should be translated into an entitlement included in the authentication assertion
Work in progress:
- Record the user DN as an additional identifier associated to the EGI UID
- Retrieve VOMS-based VO membership information
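The identity-linking goal from the overview (a persistent, non-reassignable EGI UID with several external identities attached) and the "record the user DN as an additional identifier" step above, as an added example that is not CheckIn code: external identities are keyed by (issuer, subject) so equal subjects from different IdPs never collide, UIDs are random and never reissued after deletion, and an identity already bound to one user cannot be linked to another. The UID format and the sample identifiers are constructed placeholders.

```python
"""Identity linking registry. Added example, not CheckIn code; UID format is a placeholder."""
import secrets
from typing import Dict, Optional, Set, Tuple

# (issuer, subject), e.g. ("x509", "/DC=org/DC=example/CN=Alice") or (IdP entityID, eduPersonUniqueId)
ExternalId = Tuple[str, str]


class IdentityRegistry:
    def __init__(self) -> None:
        self._links: Dict[ExternalId, str] = {}   # external identity -> EGI UID
        self._active: Set[str] = set()
        self._retired: Set[str] = set()           # deleted UIDs, never reused

    def _new_uid(self) -> str:
        # Random, non-guessable UID; loop guarantees it was never active or retired before.
        while True:
            uid = secrets.token_hex(16) + "@example.org"  # constructed placeholder format
            if uid not in self._active and uid not in self._retired:
                return uid

    def resolve(self, ext: ExternalId) -> Optional[str]:
        """UID currently bound to an external identity, or None."""
        return self._links.get(ext)

    def enrol(self, ext: ExternalId) -> str:
        """First login: bind the external identity to a fresh UID, or return the existing binding."""
        uid = self._links.get(ext)
        if uid is None:
            uid = self._new_uid()
            self._active.add(uid)
            self._links[ext] = uid
        return uid

    def link(self, uid: str, ext: ExternalId) -> None:
        """Account linking: attach a further identity (e.g. an X.509 DN) to an existing UID."""
        if uid not in self._active:
            raise KeyError("unknown or retired UID")
        bound = self._links.get(ext)
        if bound is not None and bound != uid:
            raise ValueError("external identity already linked to a different user")
        self._links[ext] = uid

    def retire(self, uid: str) -> None:
        """Delete a user: drop every link; the UID is never issued again."""
        for ext in [e for e, u in self._links.items() if u == uid]:
            del self._links[ext]
        self._active.discard(uid)
        self._retired.add(uid)
```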
Use cases
Use case: AAI as a service
- CheckIn as an authentication proxy to allow user logins from institutional IdPs in eduGAIN and social media for non-EGI services
- Minimal overhead for the service development
- Prerequisites: Service provider must accept EGI policies on data protection
- See the EDISON portal use case
(Diagram: eduGAIN, Social IdPs, Institutional IdP, EGI CheckIn, EGI Infrastructure, Service)
Use case: AAI integration
- Community operating its own AAI connected as an IdP to CheckIn to allow its users to access EGI services & resources
- Users can access EGI services without changing their authentication workflow
- See the ELIXIR use case
(Diagram: eduGAIN, Social IdPs, Institutional IdP, AAI Proxy, EGI CheckIn, EGI Infrastructure, Service)
Use case: External attribute provider
- Community managing authorisation information about the users (VO/group memberships and roles) via their own group management service, which is connected to CheckIn as an external attribute authority
- CheckIn will handle the configuration of the IdPs and the aggregation of the attributes for the SPs
- The VO is managing the information about their users independently
- No need to migrate the group information into an EGI specific attribute authority
- LTOS is one example of a VO integrated in this way
(Diagram: eduGAIN, Institutional IdP, Social IdPs, Virtual Organization, EGI CheckIn, EGI Infrastructure, Service)
Use case: group management as a service
- Communities that do not operate their own group management service can leverage the group management capabilities of the CheckIn platform
- Avoid the overhead of deploying a dedicated group management service
- Authorised VO admins will manage the information about their users independently
- Can be used with EGI and non-EGI services
- Supported technologies: COmanage, Perun
(Diagram: eduGAIN, Institutional IdP, Social IdPs, EGI CheckIn, Virtual Organization, EGI Infrastructure, Service)