Presentation is loading. Please wait.

Presentation is loading. Please wait.

AAI in EGI Status and Evolution

Published byMarie-Christine Lacroix Modified over 5 years ago

Similar presentations

Presentation on theme: "AAI in EGI Status and Evolution"— Presentation transcript:

1 AAI in EGI Status and Evolution
European Grid Infrastructure AAI in EGI Status and Evolution Peter Solagna Senior Operations Manager concept of VOs to support scientific communities - security issues in general: confidentiality, integrity, accessibility, non-repudiation, delegation, 'traditional solution portfolio' - PKI, X509, proxies, VOMS, PERUN, ARGUS - lowering access barrier: TCS, robot certificates, per-user proxy component (from LToS project) - Emerging solutions: identity federations, EduGain - New activities: AARC, EGI-Engage WP3

2 EPOS Competence centre kick off
Outline Introduction to AAI in a federated environment EGI services and solutions for AAI Evolution of AAI in EGI Examples of AAI service use cases Summary EPOS Competence centre kick off

3 User authentication in a federated environment
Local environment (e.g. one institution, one cluster) Users have local accounts, validated often in a F2F verification with the system administrator All the needed information are filled in at the moment of the registration Federated environment (e.g. distributed infrastructure) Users do not have local accounts on every service/cluster/centre Users own credentials that are recognized by all the service providers in the federation Identity providers and service providers must agree on the: Information provided to the SP Level of assurance of the credentials Operations of the IdP EPOS Competence centre kick off

4 EPOS Competence centre kick off
User’s identity A user must be able to authenticate with the same identity on the distributed services From the user’s point of view Uniform authentication enable cross-site workflows Use of distributed resources using the same credential From the service provider’s point of view Uniform authentication improves security operations in a federated environment Easier management of users, and their access to resources EPOS Competence centre kick off

5 EPOS Competence centre kick off
Delegation For some workflows and use cases, delegation is an important capability Applications that in general need to: access data stored by the user and not publicly accessible or to save data in the user’s storage area Portals and scientific gateways do actions on behalf of the user, like job submission to compute resources. This is usually implemented by impersonating and delegating Impersonation: the application/service acts as the user (using user’s temporary credentials). Done at authentication level. Delegation: the user enables the service to work on his/her behalf. Done at authorization level EPOS Competence centre kick off

6 EPOS Competence centre kick off
Level of assurance Not all the credentials are the same! Examples: Very high level of assurance: eID High level of assurance with ID verification: X509 certificates, many institutional IdP Social media credentials Everyone with an account can have one Not always the highest LoA is required: for some low-risk activities low assurance credentials are usable! The minimum LoA required is determined by the user community and the service provider requirements EPOS Competence centre kick off

7 Authorization in a federated environment
In a federated environment individual user authorization cannot be handled by the service provider Service provider does not know the user and if him/her should be allowed to perform a specific action Rules for the authorization must use information associated with the user Provided by the IdP Provided by the research collaboration who grants users access to resources

8 Distribute collaboration management in EGI: Virtual Organization
Virtual Organization: A group of researchers with common interests, requirements and applications, who need to work collaboratively and/or share resources. Service providers enable users to access services and resources based on the VO membership and additional attributes such as roles within the VO and sub-groups of users within the VO The VO membership is managed by the VO Manager(s) who is the main contact with EGI and who knows the users and the groups in the collaboration New users can be added and removed enabling/disabling their access rights, without direct intervention of service providers VO Manager usually does not manage users credential, a VO is not an IdP EPOS Competence centre kick off

9 EPOS Competence centre kick off
Outline Introduction to AAI in a federated environment EGI services and solutions for AAI Evolution of AAI in EGI Examples of AAI service use cases Summary EPOS Competence centre kick off

10 EGI user authentication: X509 certificates
X509 certificates are the main authentication technology used in EGI Trust network of certification authorities (IGTF/EUGridPMA) EGI services are configured to accept certificates released by the Certification Authorities federated within IGTF You have one IGTF personal certificate  you can authenticate wherever in EGI EPOS Competence centre kick off

11 Policy Management Authorities
IGTF Trust framework Trust Domain: IGTF Policy Management Authorities TAGPMA EUgridPMA APgridPMA National level .... .... CA CA CA CA CA CA CA CA CA • The Interoperable Global Trust Federation (IGTF) is the body that manages a global trust domain for distributed computing infrastructures worldwide: l The IGTF is split in three regional Policy Management Authorities: l EUgridPMA => Europe l APgridPMA => Asia Pacific l TAGPMA => Americas l Establish common policies and guidelines. l Help establish interoperable, global trust relations between providers of e-Infrastructures and cyber-infrastructures, identity providers, and other qualified relying parties. Institution level .... .... RA RA RA .... .... CA: Certification Authority RA: Registration Authority User User User EPOS Competence centre kick off

12 How to obtain a certificate
Do you own credentials provided by an IdP federated in one of the national federations part of eduGAIN? You can most probably access the Terena Certificate Service (TCS) through your NREN, and get an X509 certificate without the need to contact a registration authority EPOS Competence centre kick off

13 Register in a Virtual Organization
User registers at the VO via VOMS VO manager authorizes the user via VOMS VO manager can give specific attributes to users, or insert them in specific groups Specific VOMS service is configured in all the services supporting the VO Personal certificate Request membership Registering user VOMS VO Database Approve request Set additional attributes/groups VO Manager EPOS Competence centre kick off

14 Authentication and Authorization workflow
TRUST TRUST Virtual Organization EPOS Competence centre kick off

15 The key is: trust & collaboration
Authentication and Authorization workflows scale with the number of service providers and users User identity is verified by the IGTF Certification Authorities who release the X509 certificates The certificate enable uniform authentication of the user across resource centres User communities have the tools to manage the membership of their users and their structure Collaborate to the trust chain and to integrate the information provided by the Identity Providers Authorization is based on the Virtual Organization membership and attributes not on the single user identity The user capabilities based on groups and roles within the VO are reflected into uniform access rights across the sites that support the VO EPOS Competence centre kick off

16 EPOS Competence centre kick off
X509 proxy certificate The X509 proxy certificate is a short-term credential derived by (and signed with) the user personal certificate In EGI proxy certificates are used for all non-interactive services and for delegation capabilities A computational task is “shipped” with the user’s proxy and can store output data on behalf of the user A proxy is self contained, and carries all the information needed to authenticate and to authorize the user at service level User identity User VO membership information signed by the VOMS that manages the VO User Certificate info VO Information X509 Proxy DN: EPOS Competence centre kick off

17 Robot certificates and science gateways
Portals and Scientific Gateways can hide the complexity of X509 to the users: Users are AuthN&AuthZ in the portal Portal/SciGW is responsible for this May or may not have a X.509 cert Portal/SciGW has a robot X.509 cert A robot certificate can be stored on a machine and used programmatically to generate proxies Perform tasks on Grids on behalf of users Issues: Auth & logging responsibilities move to portals Users become invisible to the infrastructure, traceability For certain types of applications only Security limitations EPOS Competence centre kick off

18 EPOS Competence centre kick off
Outline Introduction to AAI in a federated environment EGI services and solutions for AAI Evolution of AAI in EGI Examples of AAI service use cases Summary EPOS Competence centre kick off

19 Improving the use of robot certificates
In the science gateways every user impersonates the owner of the robot certificate Security limitations Non accurate accounting EGI is testing the per user sub-proxies X509 proxies generated using a robot certificate Including an additional extension with the user ID Additional extension added by the science gateway. Robot Certificate info VO Information User UID X509 Proxy DN: The same for every user of the gateway EPOS Competence centre kick off

20 Advantages of the sub proxy
User tracking Services get “different” credentials for individual users It’s possible to block one user without blocking all the users using the same robot certificate Security Individual users can be isolated, e.g. preventing them to access other users’ workspace Accounting Account for individual users’ usage Report the actual number of real users accessing the infrastructure Per user sub-proxy tested within the Long tail of Science platform under development EPOS Competence centre kick off

21 EPOS Competence centre kick off
Extend the X509 mechanism For some users approaching EGI, the X509 mechanism is a barrier They do not have easy access to a Certification Authority They would prefer to continue using their institutional credentials VOs and Resource Providers implement portals to ease the access to the resources The most effective solution is to bridge other identity federations (eduGAIN, institutional IdP) with the EGI AAI Technical bridge: credentials translation, support in the middleware for other AuthN protocols Policy bridge: build trust between SP and IdP, enable different level of trust EPOS Competence centre kick off

22 Flexible authentication
By extending the current authentication mechanisms we will also enable users with the flexibility they need: Use lower level of assurance credentials for low-risk activities Integrate the IdP currently used by the communities with the EGI services EPOS Competence centre kick off

23 Enable federated AuthZ
Provide tools to the users to manage their user communities Distributed Attribute Authorities connected with the user’s IdPs Can be used also within application-specific environments for user authorization Maintain uniform authorization across multiple service providers Based on the attributes provided by the user communities Apply the collaborative trust approach of EGI to new authentication technologies EPOS Competence centre kick off

24 EPOS Competence centre kick off
eduGAIN and EGI eduGAIN is the pan-European federation of national IdP federations Includes most of the IdP used by researchers in Europe Limitations: Not all the IdPs are part of eduGAIN federations For many use cases a direct IdP <-> SP communication (paperwork) is required Some IdP The European-funded AARC project aims – among other things – to overcome part of these limitations EPOS Competence centre kick off

25 Authentication and Authorisation for Research and Collaboration
AARC Authentication and Authorisation for Research and Collaboration support the collaboration model across institutional and sector borders guarantee user privacy and security build on the existing and evolving components EGI, ESFRI clusters, eduGAIN, national AAI federations, NGIs, IGTF, SCI, SirTFi, … design, test and pilot any missing components integrate them with existing working flows Expected starting date May 1st EPOS Competence centre kick off

26 EPOS Competence centre kick off
Outline Introduction to AAI in a federated environment EGI services and solutions for AAI Evolution of AAI in EGI Examples of AAI service use cases Summary EPOS Competence centre kick off

27 High level of assurance
Strong authentication Now: X509 certificate In the close future: eduGAIN IdP with ID verification, institutional IdP Submit custom applications/run arbitrary code submit and manage virtual machines store big amount of data Access sensitive protected data EPOS Competence centre kick off

28 Intermediate level of assurance
Medium authentication Now: robot certificates + username/password In the close future: IdP with no ID verification Submit pre-defined applications through science gateways Use PaaS on the cloud Access resources dedicated to the VO and isolated from other VOs EPOS Competence centre kick off

29 EPOS Competence centre kick off
Low level of assurance Low authentication In the close future: social network credentials, google account, plain EGI SSO Access open data Perform read-only operation on non-sensitive data EPOS Competence centre kick off

30 EPOS Competence centre kick off
Workflow example: now IGTF certificate VOMS Science gateway Robot Certificate User/password EPOS Competence centre kick off

31 EPOS Competence centre kick off
Workflow example: How EGI can support communities in the AAI integration Possible scenario: User community want to use eduGAIN credentials to access EGI User community want to use an institutional IdP to access EGI services EGI Federation Service Proxy IdP EG could act as a proxy between IdP(s) and service providers federated in EGI And provide attirbute authorities to manage the community structure Attribute Authority EPOS Competence centre kick off

32 EPOS Competence centre kick off
Outline Introduction to AAI in a federated environment EGI services and solutions for AAI Evolution of AAI in EGI Examples of AAI service use cases Summary EPOS Competence centre kick off

33 Current EGI Services for AAI
EUGridPMA network of Certification Authorities operated by the NGIs All EGI services are configured to accept EUGridPMA certificates VOMS services to manage VO membership and attributes Science gateways to use other types of authentication (username/password) and robot certificates to access EGI services EPOS Competence centre kick off

34 Possible future EGI services for EGI
Based on the requirements and use cases Integration with federations and individual IdPs Service proxy to easily integrate new IdPs Attribute authorities network to manage user membership and regulate authorization Credential translation services to integrate the Authentication technologies used by the user community with the existing services EPOS Competence centre kick off

35 Better support for collaborations
The current trust architecture has proven to be scalable and to work: Empower the user communities to regulate the access to the resources for their users Build trust between user communities, service providers and identity providers Extend this approach by integrating other AuthN technologies in EGI Provide tools to manage attributes using non X.509 credentials Link the attribute authorities with eduGAIN and other IdPs Where necessary bridge diverse AuthN technologies using credential translation services Bring the requirements from the CCs and in general the user communities to the European level, and ensure interoperability with other e-infrastructures through the AARC project EPOS Competence centre kick off

Download ppt "AAI in EGI Status and Evolution"

Similar presentations

EGI-InSPIRE RI-261323 EGI-InSPIRE EGI-InSPIRE RI-261323 AAI in EGI Status and Evolution Peter Solagna Senior Operations Manager

EGI-InSPIRE RI EGI-InSPIRE EGI-InSPIRE RI AAI in EGI Status and Evolution Peter Solagna Senior Operations Manager
Www.egi.eu EGI-InSPIRE RI-261323 EGI-InSPIRE www.egi.eu EGI-InSPIRE RI-261323 GGUS user authentication Tiziana Ferrari/EGI.eu Peter Solagna/EGI.eu 05-02-2013.

EGI-InSPIRE RI EGI-InSPIRE EGI-InSPIRE RI GGUS user authentication Tiziana Ferrari/EGI.eu Peter Solagna/EGI.eu
2006 © SWITCH Authentication and Authorization Infrastructures in e-Science (and the role of NRENs) Christoph Witzig SWITCH e-IRG, Helsinki, Oct 4, 2006.

2006 © SWITCH Authentication and Authorization Infrastructures in e-Science (and the role of NRENs) Christoph Witzig SWITCH e-IRG, Helsinki, Oct 4, 2006.
INFSO-RI-508833 Enabling Grids for E-sciencE www.eu-egee.org JRA3 2 nd EU Review Input David Groep NIKHEF.

INFSO-RI Enabling Grids for E-sciencE JRA3 2 nd EU Review Input David Groep NIKHEF.
Www.egi.eu EGI-Engage www.egi.eu EGI-Engage Engaging the EGI Community towards an Open Science Commons Project Overview 9/14/2015 EGI-Engage: a project.

EGI-Engage EGI-Engage Engaging the EGI Community towards an Open Science Commons Project Overview 9/14/2015 EGI-Engage: a project.
Www.egi.eu EGI-InSPIRE RI-261323 www.egi.eu EGI-InSPIRE RI-261323 EGI-InSPIRE EGI services for the long tail of science Peter Solagna Senior Operations.

EGI-InSPIRE RI EGI-InSPIRE RI EGI-InSPIRE EGI services for the long tail of science Peter Solagna Senior Operations.
Www.geant.org AARC Overview Licia Florio, David Groep 21 Jan 2015 presented by David Groep, Nikhef.

AARC Overview Licia Florio, David Groep 21 Jan 2015 presented by David Groep, Nikhef.
Federated Identity Management for HEP David Kelsey WLCG GDB 9 May 2012.

Federated Identity Management for HEP David Kelsey WLCG GDB 9 May 2012.
Grid Security Issues Shelestov Andrii Space Research Institute NASU-NSAU, Ukraine.

Grid Security Issues Shelestov Andrii Space Research Institute NASU-NSAU, Ukraine.
EGEE-II INFSO-RI-031688 Enabling Grids for E-sciencE www.eu-egee.org EGEE and gLite are registered trademarks Interoperability Shibboleth - gLite Christoph.

EGEE-II INFSO-RI Enabling Grids for E-sciencE EGEE and gLite are registered trademarks Interoperability Shibboleth - gLite Christoph.
Evolution of the Open Science Grid Authentication Model Kevin Hill Fermilab OSG Security Team.

Evolution of the Open Science Grid Authentication Model Kevin Hill Fermilab OSG Security Team.
AAI WG EMI Christoph Witzig on behalf of EMI AAI WG.

AAI WG EMI Christoph Witzig on behalf of EMI AAI WG.
EResearchers Requirements the IGTF model of interoperable global trust and with a view towards FIM4R AAI Workshop Presenter: David Groep, Nikhef.

EResearchers Requirements the IGTF model of interoperable global trust and with a view towards FIM4R AAI Workshop Presenter: David Groep, Nikhef.
Summary of AAAA Information David Kelsey Infrastructure Policy Group, Singapore, 15 Sep 2008.

Summary of AAAA Information David Kelsey Infrastructure Policy Group, Singapore, 15 Sep 2008.
Authentication and Authorisation for Research and Collaboration Licia Florio AARC Workshop The AARC Project Brussels, 26 October.

Authentication and Authorisation for Research and Collaboration Licia Florio AARC Workshop The AARC Project Brussels, 26 October.
Security Policy Update David Kelsey UK HEP Sysman, RAL 1 Jul 2011.

Security Policy Update David Kelsey UK HEP Sysman, RAL 1 Jul 2011.
Https://aarc-project.eu Authentication and Authorisation for Research and Collaboration Peter Solagna Milano, AARC General meeting Report and plans Attribute.

Authentication and Authorisation for Research and Collaboration Peter Solagna Milano, AARC General meeting Report and plans Attribute.
Https://aarc-project.eu Authentication and Authorisation for Research and Collaboration Peter Solagna Milano, AARC General meeting Current status and plans.

Authentication and Authorisation for Research and Collaboration Peter Solagna Milano, AARC General meeting Current status and plans.
JRA1.4 Models for implementing Attribute Providers and Token Translation Services Andrea Biancini.

JRA1.4 Models for implementing Attribute Providers and Token Translation Services Andrea Biancini.
DTI Mission – 29 June 2004 - 1 LCG Security Ian Neilson LCG Security Officer Grid Deployment Group CERN.

DTI Mission – 29 June LCG Security Ian Neilson LCG Security Officer Grid Deployment Group CERN.

Similar presentations

Ads by Google