EMI INFSO-RI-261611 Session Summary AAI Needs for DCIs John White, HIP Christoph Witzig, SWITCH


Slide 1: Session Summary – AAI Needs for DCIs
John White, HIP (john.white@cern.ch)
Christoph Witzig, SWITCH (christoph.witzig@switch.ch)

Slide 2: Outline
– Introduction
– Requirements and plans of different communities
– Summary findings
Note: authN = authentication; authZ = authorization

Slide 3: Introduction
– AAI = authentication and authorization infrastructure
– DCI = distributed computing infrastructure
– AAI-DCI Workshop
  – Organized as part of the EMI work plan
  – Indico: https://www.egi.eu/indico/sessionDisplay.py?sessionId=11&slotId=0&confId=48 (2010-09-14)
  – Milestone document to follow
– EMI needs to provide a harmonized middleware stack
  – Provide a user-friendly interface, especially for authenticating to an infrastructure

Slide 4: Questionnaire to Communities (1/2)
– Targeted a set of communities with a dependency on an (emerging) infrastructure
  – Many tied to an ESFRI project
– All are rather large communities distributed over many European countries
– Most are rather early in their lifecycle

Slide 5: Questionnaire to Communities (2/2)
1. How are users authenticated?
   1. Which credentials are in use?
   2. How is the user vetting done?
2. Is there a link to national identities?
3. Which types of resources are in use? How are users authorized?
   1. Resources accessed through the Grid?
   2. Resources accessed without the Grid?
4. Where does the project want to be in ~5 years?
5. Are users and resource owners happy with current authN and authZ schemes?

Slide 6: The vision …

Slide 7: … and the reality

Slide 8: Earthscience Grid (1/2)
Horst Schwichtenberg, Fraunhofer Institute
– Access to data is central for ES
  – Archived sensor data or derived data from multiple sources and in multiple formats -> different providers and different systems
– Geographical Information System (GIS)
  – WS specification from the Open Geospatial Consortium (OGC) -> no specification for authN/authZ
  – Work in progress: HTTP authN, HTTP cookies, SSL X.509, SAML, Shibboleth and OpenID

Slide 9: Earthscience Grid (2/2)
Requirements:
– Protect data down to the single user
– Federated identity and single sign-on
  – SAML and OAuth, WS-* protocols
  – SSO based on Shibboleth and OpenID
– Science gateways to provide access to the computing infrastructure (EGI) in the background
  – Automatic certificate generation
– Data centers need to protect licensed data and code

Slide 10: Biomedical Community (1/2)
Key requirements:
– Preserve patient privacy
– Copyrighted data processing tools
Current authN:
– X.509 (grid users and French Health Professional smartcards)
Resources:
– EGI storage (SRM) and external data repositories
– Web-based resources

Slide 11: Biomedical Community (2/2)
Goal in ~5 years:
– Homogeneous AA handling in Grid services
– Access control to relational and semantic stores
User's view:
– The AA scheme is irrelevant; only functionality matters.
– Dedicated solutions are often needed in Life Sciences.

Slide 12: CLARIN (1/2)
Dieter Van Uytvanck, MPI for Psycholinguistics
Aim:
– Provide language resources and technologies for the humanities and social sciences
Typical use case:
– Browse catalogues and/or search through data, create a virtual collection from the results, and process it through workflows using web services

Slide 13: CLARIN (2/2)
Long-term AA objectives:
– Rely on the user's home organization within national AAIs for establishing trust -> SAML, Shibboleth
– CLARIN as a legal entity to sign contracts with national identity federations
– Rely on eduGAIN to provide trust between national AAIs
Issues raised:
– License acceptance must be solved (special license service)
– Multi-level WAYFs and attribute release consent are confusing for the user

Slide 14: Photon Facilities (1/2)
Hans Weyer, PSI
Environment:
– Photon facilities with a wide range of research areas and ~30'000 visiting scientists per year
– ~15 synchrotrons in the EU, often national facilities
– Facilities partly co-operating, partly competing

Slide 15: Photon Facilities (2/2)
AA approach: "Umbrella"
– Use EU-wide, central user identification
  – Username, password, email, birthday
– Local management of additional, site-specific attributes
  – Phone, registrations, facility roles, proposals
– Based on SAML
– Note: no plans to use national AAIs for authN

Slide 16: ILL – Neutron Science
– Neutron facility, very diverse user community
– Need federated authentication and management of users' attributes
– authN should provide access to
  – Web-based applications
  – Network connection
  – Workstation access

Slide 17: ELIXIR
– ESFRI BMS project coordinated by EBI
– Very large user community (~1 million users)
– Provide access to life science data (genomes, …) for many different sciences
– Users are not authenticated; many users find authN unacceptable
– Sensitive data (e.g. patient data) handled through special procedures (data custodian)

Slide 18: Lifewatch
Axel Poigné, Fraunhofer
– Still in the design phase; no decisions taken
– Present thoughts:
  – X.509 not appropriate
  – Use Shibboleth
    – Credential translation for access to the Grid
  – OpenID complementary

Slide 19: HEP
Maarten Litmaath, CERN
Key technologies:
– X.509, IGTF
– VOMS
Issues with Grid security:
– Certificates are difficult for users to handle
– Proxy issues, use of primary FQANs
– etc.

Slide 20: Other talks
Moonshot: D. Kouril, CESNET
– Goal: enable use of identity federations and SAML for non-web applications
– Target core internet protocols: SSH, SMTP, IMAP, NFSv4, HTTP, …
– Started spring 2010
Presentations of
– IGI: V. Ciaschini, INFN
– UK NGI: C. Devereux, STFC

Slide 21: Summary Findings (1/2)
– Different communities do have different requirements
– A user-centric view is mandatory
  – Very large and very diverse user communities
  – Many users have "modest IT knowledge" and "limited enthusiasm for complex solutions"

Slide 22: Summary Findings (2/2)
Key technologies:
– Federated identity / SAML / Shibboleth
  – With / without leveraging national AAIs
– X.509 still the basis for Grid technology
  – SLCS, MICS CA
– Need novel ways to bridge security domains
  – ECP support in Shibboleth (useful for portals -> Swiss Grid Portal project)
  – Security token service (work item in EMI)
  – Pseudonymity service (EMI)
  – Moonshot
Key requirement for AA solutions:
– Standards-based, interoperable

Slide 23
– Should be aware of the time lag between development and deployment
– But if not all, then most roads lead to Rome

