Published by Clifford Hall. Modified over 6 years ago.
1
GÉANT project update
eduTEAMS - AAI as a Service for Collaborative organisations
  - Introduction
  - Status
  - Pilots
  - New Features – input requested
InAcademia – Simple affiliation validation as a Service
  - Introduction & Use cases
  - Demo
2
eduTEAMS (created from the VOpaas project)
A suite of services that supports AAI for Virtual Organisations
Basic Services
  - For Collaborative Organisations with generic AAI requirements
  - Operated by GÉANT as a multi-tenant service
  - Also for Collaborations that are not legal entities
  - Upcoming: eduTEAMS Identity Hub, eduTEAMS Membership Management
Advanced Services
  - Aimed to support ‘larger’ Collaborative Organisations with advanced AAI requirements
  - Single-tenant service, operated by GÉANT on behalf of a VO
  - A legal entity is responsible for the data and pays a fee
3
eduTEAMS market analysis
4
eduTEAMS Basic Services ecosystem
[Diagram: eduTEAMS Basic Services ecosystem. Components: IdP, External IdP, eduTEAMS Identity Hub, eduTEAMS Membership Management (COmanage), VOOT AA, SAML AA, Service Provider. AuthN: ID + attributes.]
5
eduTEAMS Identity Hub
[Diagram: Your Service, eduTEAMS Identity Hub. Labels: Persistent ID, LOA, Account Recovery, Examples!!]
Zoom in a bit on eduTEAMS Identity Hub
  - Leverage the existing patchwork of ID services
  - Let the user choose the IdP they want to use
  - Persistent identity for the Services
  - LOA information
6
eduTEAMS Pilots & new features
We have begun preparing for pilot (Q1,2 2017) with Umbrella
Pilot eduTEAMS services in AARC2
  - Who is interested to test what?
New features currently at go/no-go
  - eduTEAMS Discovery -> Centralised discovery service for SAML SPs w/ capability for SPs to filter IdPs
Investigating – feedback welcome
  - What would be most interesting as a service?
  - Step-up Authentication as a Service
  - SAML2 <-> OIDC gateway to allow OIDC services to act as R&S entities
  - Other?
7
InAcademia - a Simple validation Service
InAcademia leverages existing eduGAIN infrastructure for Institutions, while at the same time radically simplifying affiliation validation for services
  - Microsoft wants to offer free Office365 to all students in the EU
  - ORCID seeks to improve account quality
  - SMEs want low barriers for leveraging digital academic Identity: a simple contract, a predictable cost model and high assurance on identity
Notes: Contrary to normal federation, the end user enters the data relevant for the transaction, e.g. postal address. But affiliation cannot be entered by the user; it must be validated by an authoritative source. A central service will allow Services to easily reach many IdPs. AuthN at the InAcademia Service: InAcademia is a SAML SP. As an SP in eduGAIN, InAcademia allows all IdPs in eduGAIN, and prefers a simple policy for SPs using the service. A transaction fee model makes upfront cost transparent, and could make InAcademia self-sustained.
8
InAcademia - a Simple validation Service
How to make affiliation validation much easier?
  - Services get most attributes from the user (self-asserted)
  - Only affiliation must come from the Home Organisation
  - Query a single, centralised service to confirm affiliation (yes or no)
  - A user ‘proves’ affiliation by authenticating with the home IdP
  - Validation service accessible for all eduGAIN IdPs
  - A simple protocol is used by the Services (OpenID Connect)
  - The policy barrier for using it should be low (a single contract)
  - Service pays a small transaction fee (pay per use)
  - Academic services get 100% discount
Why not directly use eduGAIN?
  - Joining a federation has several obstacles (policies and contracts)
  - Implementing SAML and doing federation is not easy
  - Inter-federation is even harder
  - Upfront cost, but no customers
9
InAcademia - Flow
[Diagram: Service Provider, InAcademia, IdP]
  1. Is this user a { student | faculty | staff }?
  2. Please login to prove affiliation
  3. IdP says Affiliation: { student | faculty | staff }
  4. Yes
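The four-step flow above as a toy model in Python, added here as an illustration and not InAcademia's own code; the trusted-IdP list, the issuer URLs and the sample assertions are constructed stand-ins for "all IdPs in eduGAIN":

```python
"""Toy model of the InAcademia affiliation-validation flow (slide 9).
Added illustration, not InAcademia code: the trusted-IdP list, the
issuer URLs and the sample assertions below are constructed."""
from dataclasses import dataclass

# The three affiliations a service may ask about (step 1).
ALLOWED_AFFILIATIONS = frozenset({"student", "faculty", "staff"})

# Constructed stand-in for "all IdPs in eduGAIN": only assertions
# from issuers on this list count as an authoritative source.
TRUSTED_IDPS = frozenset({
    "https://idp.example-university.edu/idp",
    "https://idp.example-college.ac/saml",
})


@dataclass(frozen=True)
class IdPAssertion:
    """What the home IdP asserts after the user logs in (steps 2-3)."""
    issuer: str
    subject: str             # the IdP's identifier for the user
    affiliations: frozenset  # eduPersonAffiliation values


def validate_affiliation(requested: str, assertion: IdPAssertion) -> dict:
    """Step 4: answer the service with yes/no only.

    The decision rests solely on the IdP's assertion; the user never
    supplies affiliation, and the subject identifier is deliberately
    not passed back to the service.
    """
    requested = requested.strip().lower()
    if requested not in ALLOWED_AFFILIATIONS:
        return {"valid": False, "reason": "unsupported affiliation"}
    if assertion.issuer not in TRUSTED_IDPS:
        return {"valid": False, "reason": "untrusted issuer"}
    claimed = {a.strip().lower() for a in assertion.affiliations}
    return {"valid": requested in claimed, "reason": "ok"}


# Constructed samples: a student at a trusted IdP, and the same
# claim presented by an issuer outside the trusted set.
SAMPLE = IdPAssertion("https://idp.example-university.edu/idp",
                      "u12345", frozenset({"member", "student"}))
ROGUE = IdPAssertion("https://idp.not-in-edugain.example/saml",
                     "u12345", frozenset({"student"}))
```

Calling `validate_affiliation("student", SAMPLE)` answers yes; the same question against `ROGUE` is refused because the issuer is not on the trusted list.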
10
InAcademia - Demo
If there is still time… If not, see the slides after this one.
11
InAcademia – A webshop
12
InAcademia – Getting my Stuff
13
InAcademia – Checkout time, get my discount!
14
InAcademia – So where R-U-FROM?
15
InAcademia – After login, please consent
16
InAcademia – That’s a decent discount!