Presentation is loading. Please wait.

Presentation is loading. Please wait.

CheckIn: the AAI platform for EGI

Published bySophie McGee Modified over 6 years ago

Similar presentations

Presentation on theme: "CheckIn: the AAI platform for EGI"— Presentation transcript:

1 CheckIn: the AAI platform for EGI
Nicolas Liampotis - GRNET

2 Outline Overview The evolution of CheckIn Today in production
Work in progress Use cases EGI Conference 2017

3 Overview EGI Conference 2017

4 Overview CheckIn is the new AAI platform for the EGI infrastructure
Developed in the context of EGI-Engage, task JRA1.1, lead by GRNET Adoption of federation solutions based on open and standards-based technologies: SAML 2.0, OpenID Connect/OAuth 2.0, X.509 Integration of off-the-shelf products with some customisations The work in EGI-Engage has been performed in close collaboration with the AARC project. CheckIn is aligned with the architecture, policies and best practices produced by AARC EGI Conference 2017

5 Goals of CheckIn Enable users to access EGI services and resources using their existing credentials from their Home Organisations (via eduGAIN when possible) Institutional IdPs must provide a unique user identifier Support “homeless” users, who cannot rely on a reliable institutional IdP Support authorised access to protected resources based on VO/group membership and role information Aggregate user attributes from different sources, including community-managed attribute providers Support the linking of multiple external identities to a persistent, non-reassignable, unique user identifier within the EGI infrastructure Associate a Level of Assurance (LoA) to each authenticated identity in the EGI infrastructure Provide translation mechanisms to hide the complexity of different protocols/technologies from EGI services EGI Conference 2017

6 The evolution of CheckIn
EGI Conference 2017

7 How it all started May 2015: Introduction of the EGI AAI Roadmap and Architecture EGI Conference 2017

8 Why proxy? Because… AARC!  EGI Conference 2017

9 Why proxy? All EGI SPs can have one statically configured IdP
No need to run an IdP Discovery Service on each EGI SP Connected SPs get consistent/harmonised user identifiers and accompanying attribute sets from different IdPs/AAs that can be interpreted in a uniform way for authZ purposes External IdPs only deal with a single EGI SP proxy EGI Conference 2017

10 The road to production EGI Conference 2017
May 2015 Introduction of AAI roadmap and architecture Dec 2015 First PoC with support for SAML IdPs/SPs Mar 2016 First Alpha Release with support for SAML (institutional) & OIDC/OAuth2 (social) IdPs and SAML SPs Apr 2016 Start of on-boarding activity with user communities (ELXIR) and ops tools (GOCDB, AppDB) Aug 2016 Support for OpenID Connect/OAuth2 services Sep 2016 Registration of SP Proxy with eduGAIN under REFEDS R&S Entity Category Feb 2017 Support for Sirtfi Framework & integration with RCauth.eu online CA EGI Conference 2017

11 Today in production EGI Conference 2017

12 CheckIn today Identity Providers: Service Providers:
SAML2.0: eduGAIN OIDC/OAuth2: Google, Facebook, LinkedIn, ORCID X.509: IGTF Service Providers: SAML2.0 & OIDC Attribute Authorities SAML2.0 Attr. Query, REST, LDAP, SQL Token Translation Services SAML2.0-to-X.509: Master Portal to RCauth.eu Online CA Support for Levels of Assurance User enrolment & account linking IdP Discovery User Consent EGI Conference 2017

13 Sources of attributes CheckIn aggregates attributes from the following sources: SAML attribute authorities and IdPs OIDC IdPs LDAP/SQL Specific REST interface-based attribute authorities All the relevant attributes to a service are provided in the authentication assertion released by CheckIn to the SP, including: Attributes stored by CheckIn (e.g. EGI UID) Attributes released by the user’s IdP Attributes released by the attribute authorities (e.g. VO membership and role information) Sources of attributes integrated COmanage GOCDB Perun Unity IDM (LToS) EGI Conference 2017

14 Integration with operational tools
GOCDB - Configuration management database Integrated as SAML 2.0 SP (Shibboleth) Requires substantial LoA Integrated as Attribute Authority (REST API) Provides EGI Resource Centre Admin roles AppDB - Software and Cloud marketplace Integrated as SAML 2.0 SP (SimpleSAMLphp) Requires VO membership and role information from CheckIn GGUS - Helpdesk EGI Conference 2017

15 OpenID Connect support
Service Providers can connect to the EGI AAI using OpenID Connect (OIDC) as an alternative to SAML2 allowing integration with a wider range of services built on top of modern web standards (OAuth 2.0, REST and JSON) enabling federated access for non-browser based resources, such as CLI tools and APIs in a standardised way (OAuth 2.0 access & refresh tokens) The CheckIn OIDC Provider allows users to sign in using any of the supported backend authentication mechanisms, i.e institutional IdPs (eduGAIN) or Social Media IdPs OIDC client integration through Client Management UI for: obtaining OAuth 2.0 credentials registering one or more redirect URIs registering required scopes (e.g. openid, profile, ) PoC with cloud services under implementation EGI Conference 2017

16 Level of Assurance – What is it?
In a nutshell: Level of confidence that the person who is authenticating is actually who they claim to be, based on: Identifier uniqueness (including the reassignment policy in place) Identity proofing and credential issuance, renewal and replacement Authentication strength Attribute quality and freshness (primarily pertaining to the home organisation and affiliation information) Operational security of Identity Provider EGI Conference 2017

17 Levels of Assurance – What to do with it?
CheckIn supports different Levels of Assurance Examples: Low level: Social Media IDs Everyone with an account can have one Substantial level: IGTF X.509 certificates, many institutional IdPs (e.g. compliant with REFEDS R&S and Sirtfi requirements) High: eGov IDs, Substantial + Multi Factor Authentication (TBD) Use case CheckIn conveys the LoA associated with the authenticated identity to SPs for authorisation purposes Communicated through the eduPersonAssurance attribute in SAML or acr clain in OIDC Translated into entitlements expressing the right of a user to access a particular resource (e.g. access RCauth) EGI Conference 2017

18 Integration with RCauth.eu Online CA
RC Auth components EGI Conference 2017

19 Integration with RCauth.eu Online CA
Production RCAuth.eu Online CA has been integrated with CheckIn Users can retrieve X.509 proxies by authenticating through CheckIn So, can I submit grid jobs with my eduGAIN account? Not yet  RCAuth can be used only with VOs that are authorized New version of LCMAPS that implement this condition for user authorization: EGI Conference 2017

20 Policies and procedures
CheckIn is published as a Service Provider in eduGAIN compliant with: REFEDS Research and Scholarship Entity Category  sufficient attribute release and unique non-reassignable user identifiers by compliant Identity Providers Sirtfi Framework v1.0  coordination of incident response across federated organisations EGI CheckIn Acceptable Use Policy EGI CheckIn Data Privacy Policy EGI CheckIn integration forms for IdPs/SPs EGI Conference 2017

21 Work in progress EGI Conference 2017

22 Transparent VO management
Translation of VO information into VOMS proxies (from SAML/OIDC) Provisioning of VOMS information through SAML and OIDC interfaces X.509 Credentials VOMS Service SAML/OIDC Credentials Attribute service CheckIn EGI Conference 2017

23 Translation of group information into VOMS proxies
Use case description User does not have a personal certificate User VO is not managed by a VOMS, but with a generic attribute management service User needs to access X.509 based service Work in progress COmanage plugin for VOMS (de)provisioning EGI Conference 2017

24 Translation of VO information into VOMS proxy
(Virtual Organization (SAML2) Science Gateway My Proxy RC Auth CheckIn VOMS EGI Conference 2017

25 Provisioning of VOMS information through SAML and OIDC interfaces
Use case Classic VOMS-based VO members need to access a SAML/OIDC service VO membership should be translated into an entitlement included in the authentication assertion Work in progress: Record the user DN as an additional identifer associated to the EGI UID Retrieve VOMS-based VO membership information EGI Conference 2017

26 Use cases EGI Conference 2017

27 Use case: AAI as a service
eduGAIN Social IDPs CheckIn as an authentication proxy to allow user logins from institutional IdPs in eduGAIN and social media for non EGI services Minimal overhead for the service development Prerequisites: Service provider must accept EGI policies on data protection See the EDISON portal use case Institutional IdP EGI CheckIn EGI Infrastructure Service EGI Conference 2017

28 Use case: AAI integration
eduGAIN Social IDPs Institutional IdP Community operating its own AAI connected as an IdP to CheckIn to allow its users to access EGI services & resources Users can access EGI services without changing their authentication workflow See the ELIXIR use case AAI Proxy EGI CheckIn EGI Infrastructure Service Service EGI Conference 2017

29 Use case: External attribute provider
eduGAIN Community managing authorisation information about the users (VO/group memberships and roles) via their own  group management service, which is connected to CheckIn as an external attribute authority CheckIn will handle the configuration of the IdPs and the aggregation of the attributes for the SPs The VO is managing independently the information about their users No need to migrate the group information into an EGI specific attribute authority LTOS is one example of VO integrated in this way Institutional IdP Social IDPs Virtual Organization EGI CheckIn EGI Infrastructure Service Service EGI Conference 2017

30 Use case: group management as a service
eduGAIN Communities that do not operate their own group management service can leverage the group management capabilities of the CheckIn platform Avoid overhead of deploying a dedicated group management service Authorised VO admins will manage the information about their users independently Can be used with EGI and non-EGI services Institutional IdP Social IDPs EGI CheckIn Service Virtual Organization Service EGI Infrastructure Service Supported technologies: CΟmanage Perun EGI Conference 2017

31

Download ppt "CheckIn: the AAI platform for EGI"

Similar presentations

EGI-InSPIRE RI-261323 EGI-InSPIRE EGI-InSPIRE RI-261323 AAI in EGI Status and Evolution Peter Solagna Senior Operations Manager

EGI-InSPIRE RI EGI-InSPIRE EGI-InSPIRE RI AAI in EGI Status and Evolution Peter Solagna Senior Operations Manager
Federated Identity Management for HEP David Kelsey WLCG GDB 9 May 2012.

Federated Identity Management for HEP David Kelsey WLCG GDB 9 May 2012.
EGEE-II INFSO-RI-031688 Enabling Grids for E-sciencE www.eu-egee.org EGEE and gLite are registered trademarks Interoperability Shibboleth - gLite Christoph.

EGEE-II INFSO-RI Enabling Grids for E-sciencE EGEE and gLite are registered trademarks Interoperability Shibboleth - gLite Christoph.
Neil Witheridge APAN29 Sydney February 2010 ARCS Authorisation Services Neil Witheridge Manager, ARCS Authorisation Services APAN29, Sydney, February 2010.

Neil Witheridge APAN29 Sydney February 2010 ARCS Authorisation Services Neil Witheridge Manager, ARCS Authorisation Services APAN29, Sydney, February 2010.
AAI WG EMI Christoph Witzig on behalf of EMI AAI WG.

AAI WG EMI Christoph Witzig on behalf of EMI AAI WG.
Https://aarc-project.eu Authentication and Authorisation for Research and Collaboration Peter Solagna Milano, AARC General meeting Current status and plans.

Authentication and Authorisation for Research and Collaboration Peter Solagna Milano, AARC General meeting Current status and plans.
Https://aarc-project.eu Authentication and Authorisation for Research and Collaboration Peter Solagna Milano, AARC General meeting Report and plans Attribute.

Authentication and Authorisation for Research and Collaboration Peter Solagna Milano, AARC General meeting Report and plans Attribute.
Https://aarc-project.eu Authentication and Authorisation for Research and Collaboration Michał Jankowski, Maciej Brzeźniak AARC General Meeting, Milan.

Authentication and Authorisation for Research and Collaboration Michał Jankowski, Maciej Brzeźniak AARC General Meeting, Milan.
Https://aarc-project.eu Authentication and Authorisation for Research and Collaboration Peter Solagna Milano, AARC General meeting Current status and plans.

Authentication and Authorisation for Research and Collaboration Peter Solagna Milano, AARC General meeting Current status and plans.
JRA1.4 Models for implementing Attribute Providers and Token Translation Services Andrea Biancini.

JRA1.4 Models for implementing Attribute Providers and Token Translation Services Andrea Biancini.
Authentication and Authorisation for Research and Collaboration Christos Kanellopoulos Open Day Event: Towards the European Open.

Authentication and Authorisation for Research and Collaboration Christos Kanellopoulos Open Day Event: Towards the European Open.
Www.egi.eu EGI-InSPIRE RI-261323 EGI-InSPIRE www.egi.eu EGI-InSPIRE RI-261323 Evolution of AAI for e- infrastructures Peter Solagna Senior Operations Manager.

EGI-InSPIRE RI EGI-InSPIRE EGI-InSPIRE RI Evolution of AAI for e- infrastructures Peter Solagna Senior Operations Manager.
Networks ∙ Services ∙ People Thomas Bärecke Journée Fédération, Paris Collaboration européenne GÉANT SA5 03/07/2015 SA5 T5 team

Networks ∙ Services ∙ People Thomas Bärecke Journée Fédération, Paris Collaboration européenne GÉANT SA5 03/07/2015 SA5 T5 team
Networks ∙ Services ∙ People www.geant.org Marina Adomeit FIM4R meeting Virtual Organisation Platform as a Service VOPaaS Nov 30, 2015, Austria Task Leader,

Networks ∙ Services ∙ People Marina Adomeit FIM4R meeting Virtual Organisation Platform as a Service VOPaaS Nov 30, 2015, Austria Task Leader,
European Grid Initiative AAI in EGI Status and Evolution Peter Solagna Senior Operations Manager

European Grid Initiative AAI in EGI Status and Evolution Peter Solagna Senior Operations Manager
Networks ∙ Services ∙ People www.geant.org Mandeep Saini TNC15, Porto, Portugal Virtual organisation Authorisation Management Practices in Research and.

Networks ∙ Services ∙ People Mandeep Saini TNC15, Porto, Portugal Virtual organisation Authorisation Management Practices in Research and.
Www.egi.eu EGI-InSPIRE RI-261323 EGI-InSPIRE www.egi.eu EGI-InSPIRE RI-261323 EGI-InSPIRE PY5 new activities Peter Solagna – EGI.eu.

EGI-InSPIRE RI EGI-InSPIRE EGI-InSPIRE RI EGI-InSPIRE PY5 new activities Peter Solagna – EGI.eu.
Www.egi.eu EGI-InSPIRE RI-261323 EGI-InSPIRE www.egi.eu EGI-InSPIRE RI-261323 Enabling SSO capabilities in the EGI Cloud services Peter Solagna – EGI.eu.

EGI-InSPIRE RI EGI-InSPIRE EGI-InSPIRE RI Enabling SSO capabilities in the EGI Cloud services Peter Solagna – EGI.eu.
Https://aarc-project.eu Authentication and Authorisation for Research and Collaboration Peter Solagna, Davide Vaghetti, et al. Topics for PY2 activities.

Authentication and Authorisation for Research and Collaboration Peter Solagna, Davide Vaghetti, et al. Topics for PY2 activities.
Https://aarc-project.eu Authentication and Authorisation for Research and Collaboration Michał Jankowski, Maciej Brzeźniak AARC General Meeting, Utrecht.

Authentication and Authorisation for Research and Collaboration Michał Jankowski, Maciej Brzeźniak AARC General Meeting, Utrecht.

Similar presentations

Ads by Google