
Check-in Identity and Access Management solution that makes it easy to secure access to services and resources.


1 Check-in Identity and Access Management solution that makes it easy to secure access to services and resources

2 Content
Motivation and driving considerations about the service
Service architecture and interfaces: overview
How the user can access the service, e.g. REST, GUI, CLIs, etc.
Service options and attributes
Acceptable Usage Policy (AUP)
Access policy and business model
Use cases
Documentation/tutorial/information
11/3/2019

3 Motivation
Single sign-on to services through eduGAIN, social media and other institutional or community-managed identity providers
Only one account needed for federated access to multiple heterogeneous (web and non-web) service providers using different technologies (SAML, OpenID Connect, OAuth 2.0, X.509)
Identity linking enables access to resources using different login credentials (institutional/social)
Association of assurance information with each authenticated identity, expressing the level of trust in the identity assertions
Aggregation and harmonisation of authorisation information (VOs/groups, roles, assurance) from multiple sources

4 Service architecture and interfaces
Check-in is an implementation of the AARC blueprint architecture
Single point of integration for Identity Providers (IdPs) and Service Providers (SPs)
Registered in eduGAIN as an SP complying with REFEDS Research & Scholarship and Sirtfi
All connected end-services can have one statically configured IdP: no need to run an IdP Discovery Service on each end-service
All connected end-services get consistent/harmonised user identifiers and accompanying attribute sets from different IdPs/AAs that can be interpreted in a uniform way for authorisation purposes

5 Service access – IdP Discovery

6 Service access – User enrollment

7 Service access – Group management

8 Service access – Non-web use cases & delegated access via OpenID Connect/OAuth 2.0
Friendly UI for managing/testing OpenID Connect/OAuth 2.0 clients
Provides an overview of the OpenID Connect/OAuth 2.0 services authorised to access the user's identity
Allows users to see the specific permissions (e.g. read, offline access, etc.) granted to each service
Enables users to manage the access/refresh tokens associated with each service: revoke access for individual tokens or for the service as a whole
Retrieve access/refresh tokens to be used for federated access to CLI tools/APIs
Multipath delegation via OAuth 2.0 Token Exchange, with support for attenuation of rights/scopes
Device code flow (experimental)
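The slide names three token behaviours (delegation via Token Exchange with attenuated scopes, revocation of a single token, revocation of a service as a whole) without showing what they guarantee. The following is an added example, not code from the presentation or from the Check-in service: an in-memory model of an authorisation server's token endpoint in which a delegated token can never carry more scopes than the token it was derived from, and revoking a token also kills everything derived from it. Token formats, client names and scope names are assumptions for illustration.

```python
"""Added example (not Check-in code): an in-memory model of the OAuth 2.0 token
behaviours listed on the slide.
  - exchange(): RFC 8693-style token exchange with attenuation, i.e. a delegated
    token carries at most the scopes of the token it was derived from
  - revoke(): RFC 7009-style revocation of one token, cascading to derived tokens
  - revoke_client(): revoke access for a service as a whole
Token formats, client names and scope names are assumptions for illustration."""
import secrets
from dataclasses import dataclass
from typing import Dict, FrozenSet, Iterable, Optional


@dataclass
class Token:
    value: str
    client_id: str                 # the service (OAuth client) holding the token
    subject: str                   # the end user the token was issued for
    scopes: FrozenSet[str]
    parent: Optional[str] = None   # token this one was derived from via exchange
    active: bool = True


class AuthorizationServer:
    """Minimal stand-in for an AAI token endpoint (constructed, not Check-in's)."""

    def __init__(self) -> None:
        self.tokens: Dict[str, Token] = {}

    def _store(self, tok: Token) -> str:
        self.tokens[tok.value] = tok
        return tok.value

    def issue(self, client_id: str, subject: str, scopes: Iterable[str]) -> str:
        """Normal issuance, e.g. at the end of an authorisation-code flow."""
        return self._store(Token(secrets.token_urlsafe(16), client_id, subject, frozenset(scopes)))

    def introspect(self, value: str) -> dict:
        """RFC 7662-style introspection: what a resource server would see."""
        tok = self.tokens.get(value)
        if tok is None or not tok.active:
            return {"active": False}
        return {"active": True, "client_id": tok.client_id, "sub": tok.subject,
                "scope": " ".join(sorted(tok.scopes))}

    def exchange(self, subject_token: str, actor_client: str, requested_scopes: Iterable[str]) -> str:
        """Token exchange: the actor gets a token for the same subject with attenuated scopes."""
        src = self.tokens.get(subject_token)
        if src is None or not src.active:
            raise PermissionError("invalid_grant: subject token is not active")
        requested = frozenset(requested_scopes)
        if not requested <= src.scopes:
            # attenuation only: a delegate must never hold more rights than the delegator
            raise PermissionError("invalid_scope: requested scopes exceed the subject token")
        return self._store(Token(secrets.token_urlsafe(16), actor_client, src.subject,
                                 requested, parent=subject_token))

    def revoke(self, value: str) -> None:
        """Revoke one token and, transitively, every token derived from it."""
        tok = self.tokens.get(value)
        if tok is None:
            return  # RFC 7009: revoking an unknown token is not an error
        tok.active = False
        for child in list(self.tokens.values()):
            if child.parent == value and child.active:
                self.revoke(child.value)

    def revoke_client(self, subject: str, client_id: str) -> int:
        """Revoke access for a service as a whole; returns how many tokens were revoked."""
        victims = [t for t in self.tokens.values()
                   if t.subject == subject and t.client_id == client_id and t.active]
        for t in victims:
            self.revoke(t.value)
        return len(victims)


def demo() -> dict:
    """Delegation, an attempted scope escalation, and both revocation paths."""
    asrv = AuthorizationServer()
    user = "user@example.org"                              # constructed subject
    portal = asrv.issue("science-portal", user, {"openid", "read", "offline_access"})
    cli = asrv.exchange(portal, "cli-tool", {"read"})      # narrower token delegated to a CLI
    try:
        asrv.exchange(cli, "cli-tool", {"read", "write"})  # must fail: 'write' was never granted
        escalated = True
    except PermissionError:
        escalated = False
    cli_scope = asrv.introspect(cli)["scope"]
    asrv.revoke(portal)                                    # user revokes the portal's token
    cli_after = asrv.introspect(cli)["active"]             # the derived CLI token dies with it
    t1 = asrv.issue("notebook", user, {"read"})
    t2 = asrv.issue("notebook", user, {"read", "offline_access"})
    count = asrv.revoke_client(user, "notebook")           # revoke the service as a whole
    return {"escalated": escalated, "cli_scope": cli_scope, "cli_after_revoke": cli_after,
            "notebook_revoked": count,
            "notebook_active": asrv.introspect(t1)["active"] or asrv.introspect(t2)["active"]}


if __name__ == "__main__":
    print(demo())
```

The `parent` link is what makes "revoke the service as a whole" meaningful in a multipath delegation setting: without it, revoking the portal's token would leave the CLI token it spawned valid until expiry.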

9 Service access – Non-web use cases & delegated access via RCauth Online CA issued certificates
Check-in has been integrated with the production RCauth.eu Online CA to allow users to retrieve X.509 proxy certificates using their federated credentials
Master Portal retrieves the end-entity certificate from RCauth.eu
Long-lived proxy certificate stored in the backend MyProxy server
Short-lived proxies provided to Science Gateways via OIDC (so-called VO-portals) and to users, e.g. via SSH key authentication
Diagram label: RCauth Online CA

10 Service options and attributes
Service option 1 – Check-in as community AAI: manage your users and enable multiple federated authentication sources using different technologies
Authentication: Check-in enables users to re-use their academic and social accounts
Authorisation: Check-in manages community/group membership information to control access to services
Built-in group management tools for creating and managing a Virtual Organisation (VO) and (sub)groups, adding and removing users, and managing user consent and the VO acceptable usage policy
Service option attributes:
Deployment type: shared or dedicated
Authentication options: eduGAIN, ORCID, Google, Facebook, LinkedIn, IGTF X.509 digital certificates, other identity provider managed by the community
User registration and group management service operated by: community, or EGI
User registration & group management: COmanage, Perun, VOMS, or other group management technology that best fits the community's requirements

11 Service options and attributes
Service option 2 – Check-in for services or resource providers
Check-in acts as an identity provider proxy. Service providers can configure it as a normal SAML or OpenID Connect identity provider and let Check-in handle the external identity providers. Check-in will provide all the required authentication and authorisation information to service providers in a single assertion.
Advantages for service providers:
Users can use their existing accounts from the eduGAIN identity provider interfederation, social media, and ORCID
Your service becomes available to new identity providers added to Check-in
Users can link different accounts and access your service with a single user identifier
All required information for handling user authentication and authorisation, including: persistent unique user identifier, GOCDB roles, Virtual Organisation/group membership information, assurance, X.509 certificate DN
Service option attributes:
AAI protocol: OIDC or SAML
Communities allowed to access your resources: all, or a custom list of communities
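The single assertion the proxy delivers is only useful if the service provider checks it properly before acting on the group membership and assurance claims inside it. The following is an added example, not code from the presentation or from EGI Check-in, of an OpenID Connect relying party validating such an ID token and turning the claims into an access decision. Assumptions for illustration: the issuer and client_id values, the claim names eduperson_entitlement and eduperson_assurance, the AARC-style entitlement URN format, and HS256 with a constructed shared secret so the example runs offline (a real relying party verifies RS256 signatures against the provider's published JWKS and pins that algorithm instead).

```python
"""Added example (not EGI Check-in code): relying-party validation of the single
assertion (ID token) received from an IdP proxy, then an access decision from
the VO membership and assurance claims. Issuer, client_id, claim names, the
entitlement URN format and the HS256 demo key are assumptions for illustration."""
import base64
import hashlib
import hmac
import json
import time
from typing import Optional

SHARED_SECRET = b"constructed-demo-secret-do-not-reuse"   # assumption: demo key only
ISSUER = "https://aai.egi.eu/oidc/"                        # assumption
CLIENT_ID = "my-service"                                   # assumption
MEMBER_ENTITLEMENT = "urn:mace:egi.eu:group:{vo}:role=member#aai.egi.eu"  # assumed format
MIN_ASSURANCE = "https://refeds.org/assurance/IAP/medium"  # assumed policy value


def _b64url(data: bytes) -> str:
    return base64.urlsafe_b64encode(data).rstrip(b"=").decode()


def _b64url_decode(text: str) -> bytes:
    return base64.urlsafe_b64decode(text + "=" * (-len(text) % 4))


def sign_hs256(payload: dict) -> str:
    """Build a JWT as the (simulated) provider would; used only to construct test input."""
    header = _b64url(json.dumps({"alg": "HS256", "typ": "JWT"}).encode())
    body = _b64url(json.dumps(payload).encode())
    sig = hmac.new(SHARED_SECRET, f"{header}.{body}".encode(), hashlib.sha256).digest()
    return f"{header}.{body}.{_b64url(sig)}"


def verify_id_token(token: str, expected_nonce: str, now: Optional[float] = None) -> dict:
    """Relying-party checks: pinned alg, signature, issuer, audience, expiry, nonce."""
    now = time.time() if now is None else now
    parts = token.split(".")
    if len(parts) != 3:
        raise ValueError("malformed token")
    h, p, s = parts
    if json.loads(_b64url_decode(h)).get("alg") != "HS256":
        raise ValueError("unexpected alg")            # never let the token choose the algorithm
    expected = hmac.new(SHARED_SECRET, f"{h}.{p}".encode(), hashlib.sha256).digest()
    if not hmac.compare_digest(expected, _b64url_decode(s)):
        raise ValueError("bad signature")              # payload altered or wrong key
    claims = json.loads(_b64url_decode(p))
    aud = claims.get("aud")
    aud = aud if isinstance(aud, list) else [aud]
    if claims.get("iss") != ISSUER:
        raise ValueError("wrong issuer")
    if CLIENT_ID not in aud:
        raise ValueError("token not meant for this service")
    if float(claims.get("exp", 0)) <= now:
        raise ValueError("token expired")
    if claims.get("nonce") != expected_nonce:
        raise ValueError("nonce mismatch")             # replay protection
    return claims


def authorise(claims: dict, required_vo: str) -> bool:
    """Access policy: member of the required VO and at least the minimum assurance."""
    entitlements = claims.get("eduperson_entitlement", [])
    is_member = MEMBER_ENTITLEMENT.format(vo=required_vo) in entitlements
    assured = MIN_ASSURANCE in claims.get("eduperson_assurance", [])
    return is_member and assured


def demo() -> dict:
    """A constructed assertion from the proxy, then a copy whose payload was altered."""
    now = 1_700_000_000
    payload = {"iss": ISSUER, "aud": CLIENT_ID, "sub": "persistent-id-123@egi.eu",
               "iat": now, "exp": now + 600, "nonce": "n-42",
               "eduperson_entitlement": [MEMBER_ENTITLEMENT.format(vo="vo.example.org")],
               "eduperson_assurance": [MIN_ASSURANCE]}
    token = sign_hs256(payload)
    claims = verify_id_token(token, "n-42", now=now)
    h, _, s = token.split(".")
    altered = dict(payload, eduperson_entitlement=[MEMBER_ENTITLEMENT.format(vo="vo.other.org")])
    unsigned_edit = f"{h}.{_b64url(json.dumps(altered).encode())}.{s}"  # old signature kept
    try:
        verify_id_token(unsigned_edit, "n-42", now=now)
        edit_rejected = False
    except ValueError:
        edit_rejected = True
    return {"allowed": authorise(claims, "vo.example.org"),
            "other_vo_allowed": authorise(claims, "vo.other.org"),
            "edit_rejected": edit_rejected}


if __name__ == "__main__":
    print(demo())
```

The order of checks matters: signature and algorithm first, so that no claim is read from an unauthenticated payload, then issuer, audience, expiry and nonce, and only then the application-level policy on entitlements and assurance.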

12 Service options and attributes
Service option 3 – Check-in as a bridge to EGI services & resources
Community operating its own AAI, connected to Check-in as an Identity Provider Proxy, to allow its users to access EGI services & resources
Service option attributes:
AAI protocol for the connection with the community AAI Identity Provider Proxy: OIDC or SAML
EGI services to be connected: all, or a custom list of services

13 Acceptable Usage Policy

14 Access policies and funding models
Multi-tenant service (aai.egi.eu):
All the standard Check-in authentication options (academic & social)
Community management using COmanage or Perun
Basic customisation of user-facing interfaces (e.g. community-specific themes for enrolment flows, group management)
Basic customisation of AAI proxy behaviour
Enables access to services and resources offered by the European Open Science Cloud
Suited for and freely available to small and medium-sized communities
Dedicated service (individual components or the AAI service as a whole):
All the features of the multi-tenant (shared) service, plus:
Full customisation of user-facing interfaces: IdP discovery service, enrolment, group membership UI
Full customisation of AAI proxy behaviour (e.g. attribute aggregation rules, service entitlements/capabilities)
Integration with community-specific identity providers and/or attribute authorities

15 Featured use case – For communities in need of a ready-to-use group management solution
Communities that do not operate their own group management service can leverage the group management capabilities of the Check-in platform to:
Avoid the overhead of deploying a dedicated group management service
Allow authorised group admins to manage the information about their users independently
Enable easy and secure access to resources offered by EGI and other infrastructures participating in EOSC
Diagram labels: eduGAIN, Social, EGI Check-in, Virtual Organization, Service, EOSC Infrastructure Service
Use case: Training and Long Tail of Science communities

16 Featured use case – For communities operating their own AAI
Community's AAI connected to Check-in as an IdP Proxy to allow its users to access EGI services & resources
Community can access EGI services without changing their users' authentication workflow
Diagram labels: Social, eduGAIN, Community IdP, Community AAI, EGI Check-in, EGI Infrastructure, Service
Use case: ELIXIR Research Infrastructure – Check-in allows ELIXIR users to use their ELIXIR IDs to interact with relevant EGI services (Cloud, Configuration database, Applications on Demand)

17 Documentation
Usage guide
Integration guide for service providers
Integration guide for identity providers
Frequently Asked Questions
