Pilots in AARC Arnout Terpstra (AARC2) / Paul van Dijk (AARC1)

1 Pilots in AARC Arnout Terpstra (AARC2) / Paul van Dijk (AARC1)
SA1 Activity Coordinators SURFnet AARC f2f June 6 – 8

2 Overall goals AARC Pilots 2017-2019
- To show the feasibility of establishing an overarching AA infrastructure for Research Communities and e-Infrastructures
- To further consolidate the results of AARC1 and improve the technical readiness levels of AAI components
- To introduce and test new emerging AAI solutions and approaches and show their viability in real-life practice
- To improve the adoption of the proposed tools and approaches at the research communities and e-infrastructures, and to check whether they satisfy their needs

3 Tasks in AARC pilot activity (lead: Arnout Terpstra)
Task 1: Pilots with user communities based on use cases provided by communities (Kostas Koumantaros & Mario Reale)
Task 2: Support e-infrastructures to deploy AARC proposed approaches and solutions (Peter Solagna)
Task 3: Piloting advanced use cases, new solutions and approaches based on the outcomes of JRA1 and NA3 (Ioannis Kakavas)
Task 4: Creation of showcases, deployment scenarios and documentation based on pilots in AARC to improve adoption of AAI components by the community (Andrea Biancini)

Notes (Task 1):
- Using the AAI of one of the e-infrastructures (EGI). Are they able to operate this for the community (pricing, components)? How will branding be done in a multi-tenant environment (at least the user-facing part)? Experience is key.
- In 2020 Elixir would like to hand over to one of the e-infrastructures.
- EPOS is using step-up.
- LIGO currently: self-signup registration, someone else verifies the account.
ACTIONS: send around pointers to the blueprint and pointers to existing pilots.
Priorities:
- Branding and a simplified scoped flow (from the end-user perspective)
- Appropriate level of assurance
- Delegation on behalf of the user (EPOS) → could be a certificate → RCAuth or OAuth2
- Attribute management for CTA (step-up authentication)
- Start from a branded portal, with a WAYF tailored to those institutions that are relevant in the context, then redirect

4 Mapping of use cases

Community | High-level requirements
HELIX NEBULA | Leveraging AARC results with HNSciCloud; connecting services & brokering; leverage the work done by AARC on policies and architectural blueprints; implementing Sirtfi using eduGAIN
Eiscat 3D | Cross-infra use case: integration with EGI/EUDAT/PRACE; controlled, granular access to resources; need for a good LoA scheme for AuthZ
EPOS | Cross-infra use case: integration with EGI/EUDAT/PRACE; delegated federated access (non-interactive); workflows
CTA (INAF) | Cross-infra use case: integration with EGI/EUDAT/PRACE; exchange of group information (VOOT); access for citizen scientists
Lifewatch | Services for biodiversity and citizen scientists; integration, access for citizen scientists
BMIs (INSTRUCT, BBMRI, INFRAFRONTIER, ...) | AAI for BMSRIs: inter-compatibility, share a common AAI shaped according to the ideas in Elixir; also focus on sustainability and operational aspects
WLCG | Federated access deployment; non-web (SAML-X509); implementation of Sirtfi; solution for a persistent unique ID (ORCID?)
LIGO | Enabling federated access for the LIGO Scientific Collaboration; non-web scenarios

6 Requirements – Solutions matchmaking
Requirement categories used in the matchmaking: Attribute Release, Attribute Aggregation, User Friendliness, SP Friendliness, Credential translation, Persistent Unique Id, User Man. Information, Credential Delegation, Levels of Assurance, Guest users, Step-up AuthN, Best Practices, Community based AuthZ, Non-web-browser, Social & e-Gov IDs, Incident Response

7 Requirements – Solutions matchmaking
[Matrix figure: pilot solutions plotted against the requirement categories (Attribute Release, Attribute Aggregation, User Friendliness, SP Friendliness, Credential translation, Persistent Unique Id, User Man. Information, Credential Delegation, Levels of Assurance, Guest users, Step-up AuthN, Best Practices, Community based AuthZ, Non-web-browser, Social & e-Gov IDs, Incident Response, Cross-infra). The cell assignments are not recoverable from the transcript.]

8 CORBEL, Instruct, Westlife, BBMRI, Elixir (11 e-infra/communities in total)
Introduction
- Dealing with many LSH communities with different levels of AAI maturity
- Dealing with sensitive data (!)
- Some proxies already in place, and the proxy approach is supported
Problem space
- Thoroughly described already in CORBEL WP5
- Difficulties to include all IdPs/users: opt-out of eduGAIN due to data protection rules
- Need LoA policies to be implemented
- User experience needs to be improved, e.g. include homeless users in one consistent way, but an operational model for such an EU-wide service is lacking
- Need for a sound solution for non-web scenarios
- SPs should be able to request a certain LoA
- This consortium does not want to run their own AAI
Ideas/approaches
- Can vetting be done by representatives of national nodes for all 15 community partners?
- Can we learn from RCAuth in terms of operational models and administrative domains (what to do on EU level, national level, VO level)?
- Non-web scenarios: how about Moonshot?
Requirement categories: Cross-infra, User Man. Information, Community based AuthZ, Persistent Unique Id, Credential translation, Levels of Assurance

9 E-infrastructures
Introduction
Work focuses on two areas:
- All e-infras start to rely on eduGAIN, so there is a single verified identity source to be used within one e-infra
- Handle cross-infrastructure use cases
Problem space
- Some e-infras still rely on their own IdM solutions (e.g. LDAP syncing)
- Despite some first promising integration steps, there is still a lot of manual/ad-hoc work involved
- Mapping of accounts is a challenge
- Need for solutions to aggregate and exchange attributes between e-infras
- The cross-infrastructure use case will quickly become more prevalent
Ideas/approaches
- Use AARC pilots as a lever to achieve further integration
- After successful operation of pilots, results (harmonisation guidelines) should be implemented at the e-infrastructures (including clear documentation)
- We need operational models for overarching components
- For PRACE, further look into previous work with Unicore/Unity
Requirement categories: Leveraging eduGAIN, Cross-infra use cases, Resource admin friendly, Persistent Unique Id, Exchange of attributes, One accredited CA

10 CTA/INAF, Lifewatch, Eiscat3D
Introduction
- CTA, collecting info on gamma rays: N = 1000 users, 52 institutions, 3 services. Currently using a legacy LDAP system
- Lifewatch: N = thousands of users, 20 institutions
- Eiscat3D: N = thousands of users (public/private data)
Problem space
- CTA: long list of requirements, but group-managed access control is the core need. Primarily web-based scenarios
- Lifewatch: serving users from academia and citizen scientists. Resources that need to be shared now still have their own IdM silo
- Eiscat3D: need for moderated and guest access
Ideas/approaches
- Many topics already addressed in AARC1 pilots → map communities to pilots, e.g. link ORCID, eduTEAMS to leverage external AuthN providers
- All 3 communities use EGI services, so integration with and use of EGI middleware is needed
Requirement categories: Community based AuthZ, Attribute Aggregation, Attribute Release, Guest users, Social & e-Gov IDs, Cross-infra
Contacts: CTA: Alessandro Costa; Lifewatch: Alvaro Lopez; EISCAT3D: Ingemar Häggström

11 WLCG, EPOS, LIGO
Introduction
- WLCG: N = 15000; lots of little AAI bits need to be brought together
- EPOS: N = thousands of users; still in an early phase
- LIGO: N = clusters in UK, USA, Germany
Problem space
- WLCG: mainly certificate-based now. How to bridge eduGAIN IdP users and IGTF cert users, link accounts, and use VOMS together with other AAs, i.e. associate grid with federated accounts
- EPOS: web and non-web based scenarios. Only a small number of federated users now. Need access for citizen scientists as well
- LIGO: already use COmanage. Want to get rid of certificates. Tested with Moonshot in the past; may explore this again
Ideas/approaches
- General impression: need to bridge/close the information gap. Many existing piloted solutions may do the trick already
Requirement categories: Community based AuthZ, Attribute Aggregation, Attribute Release, Non-web-browser, Incident Response, Persistent Unique Id, Guest users
Contact: EPOS: Tomasz Szepieniec

12 Actions for the AARC pilot activity
- We need to find ways to improve mutual understanding of the needs and solutions
- The Blueprint Architecture is a useful tool to explore the needs. Research Communities are requested to plot their wished situation on the BPA and indicate necessary/unnecessary components (including MUST, SHOULD, COULD, WON'T)
- The team will organize a number of pilot showcase sessions to further explain the deployed pilots and to discuss to what extent they fit with the needs of the communities
- We agreed to put all relevant information on the wiki
- Based on the f2f session we concluded that the end-user flow needs to be assessed on user friendliness as well
