Presentation is loading. Please wait.

Presentation is loading. Please wait.

Federated Identity Management for HEP David Kelsey WLCG GDB 9 May 2012.

Published byAbigayle Cobb Modified over 9 years ago

Similar presentations

Presentation on theme: "Federated Identity Management for HEP David Kelsey WLCG GDB 9 May 2012."— Presentation transcript:

1 Federated Identity Management for HEP David Kelsey WLCG GDB 9 May 2012

2 Overview A sub-task in the Security TEG Introduction to Federated Identity Management (FIM) Research Communities Workshops –HEP just one of the communities WLCG Security TEG WLCG endorsement of the FIM paper recommendations 9 May 12HEP FIM, Kelsey2

3 Introduction to IdM Remove identity management from the service –Identity managed in one place, typically by employer –Benefits (and drawbacks!) of single sign-on Identity Provider (IdP) manages and provides attributes about Users –For AuthN and to some extent AuthZ Service Provider (SP) consumes attributes for access control and offers services to users Federation: a common trust and policy framework between multiple organisations, IdPs and SPs Federations also manage and distribute information (metadata) about the various providers 9 May 12HEP FIM, Kelsey3

4 9 May 12HEP FIM, Kelsey4 SP User IdP Many different permutations depending on the technology

5 9 May 12HEP FIM, Kelsey5 SP User IdP Then add a community operated attribute authority (for AuthZ), e.g. VOMS AA

6 Some example federations Grid X.509 certificates in WLCG and elsewhere –International Grid Trust Federation European higher education (Shib, SAML etc) –UK Access Management Federation, SWITCHaai, SURFfederatie –And many other Education & Research federations USA education and research: InCommon TERENA Cert Service connects national identity federation to a CA for personal certs (and similar CIlogon in USA) eduGAIN is linking national federations Social networking (OpenID, Oauth) 9 May 12HEP FIM, Kelsey6

7 Federated IdM in “Research” A collaborative effort started in June 2011 Involves photon & neutron facilities, social science & humanities, high energy physics, climate science and life sciences, fusion energy 3 workshops to date (next one in June 2012) https://indico.cern.ch/conferenceDisplay.py?confId=177418 Documented common requirements, a common vision and recommendations –To research communities, identity federations, funding bodies An important use case for international federation CERN-OPEN-2012-006: https://cdsweb.cern.ch/record/1442597https://cdsweb.cern.ch/record/1442597 9 May 12HEP FIM, Kelsey7

8 Common Requirements User friendliness Browser and non-browser federated access Bridging between communities Multiple technologies and translators Open standards and sustainable licenses Different Levels of Assurance Authorisation under community and/or facility control Well defined semantically harmonised attributes Flexible and scalable IdP attribute release policy Attributes must be able to cross national borders Attribute aggregation for authorisation Privacy and data protection to be addressed with community-wide individual identities 9 May 12HEP FIM, Kelsey8

9 Operational Requirements Risk analysis Traceability Security incident response Transparency of policies Reliability and resilience Smooth transition Easy integration with local SP 9 May 12HEP FIM, Kelsey9

10 Common vision statement A common policy and trust framework for Identity Management based on existing structures and federations either presently in use by or available to the communities. This framework must provide researchers with unique electronic identities authenticated in multiple administrative domains and across national boundaries that can be used together with community defined attributes to authorize access to digital resources 9 May 12HEP FIM, Kelsey10

11 Recommendations To Research Communities –Must perform a risk analysis of using federated IdM Together with technology providers, IdPs and SPs –Perform pilot studies In collaboration with FIM providers 9 May 12HEP FIM, Kelsey11

12 Recommendations (2) To technology providers –This includes REFEDS and national federations –Separation of AuthN and AuthZ –Revocation of Credentials –Attribute delegation to the research community –Levels of Assurance 9 May 12HEP FIM, Kelsey12

13 Recommendations (3) To funding bodies –An agreed funding model –An agreed governance structure 9 May 12HEP FIM, Kelsey13

14 Federated IdM in HEP X.509 certificates for Grid services –Using TERENA Cert Service in some places But many other services (not just Grid!) –E.g. collaboration tools, wikis, mail lists, webs, agenda pages, etc. Today CERN has to manage thousands of user accounts, many are “external” eduroam is one possible federated solution (for wireless) What about other services/federations? –Using Shibboleth, SAML, OpenID, etc Technology appropriate to required level of assurance 9 May 12HEP FIM, Kelsey14

15 WLCG Federated Identity Security TEG started on this task –Very much linked to the collaborative work Trust is essential! –not just technology How to involve IGTF? We need to agree a good HEP pilot project to get some experience 9 May 12HEP FIM, Kelsey15

16 Next steps WLCG Security TEG –Has agreed in principle to the vision and recommendations in the draft paper –We still need to identify a good pilot project for WLCG/HEP/CERN WLCG MB “endorsement” required –Before the June workshop 9 May 12HEP FIM, Kelsey16

17 Questions? 9 May 12HEP FIM, Kelsey17

Download ppt "Federated Identity Management for HEP David Kelsey WLCG GDB 9 May 2012."

Similar presentations

Lousy Introduction into SWITCHaai

Lousy Introduction into SWITCHaai
EGI-InSPIRE RI-261323 EGI-InSPIRE EGI-InSPIRE RI-261323 AAI in EGI Status and Evolution Peter Solagna Senior Operations Manager

EGI-InSPIRE RI EGI-InSPIRE EGI-InSPIRE RI AAI in EGI Status and Evolution Peter Solagna Senior Operations Manager
Federated Identity Management for Research Communities: FIM 4 R CSC, Helsinki 2 nd October 2013 Bob Jones, CERN.

Federated Identity Management for Research Communities: FIM 4 R CSC, Helsinki 2 nd October 2013 Bob Jones, CERN.
Federated Identity Management for Researchers – A quick overview from GÉANT BoF TNC 2014 20 May 2014 Dublin.

Federated Identity Management for Researchers – A quick overview from GÉANT BoF TNC May 2014 Dublin.
Case Studies in Identity Management for Scientific Collaboration 2014 Technology Exchange Jim Basney CILogon This material is.

Case Studies in Identity Management for Scientific Collaboration 2014 Technology Exchange Jim Basney CILogon This material is.
Federated Identity Management for Research Communities (FIM4R) David Kelsey (STFC-RAL) EGI TF, AAI workshop 19 Sep 2012.

Federated Identity Management for Research Communities (FIM4R) David Kelsey (STFC-RAL) EGI TF, AAI workshop 19 Sep 2012.
2006 © SWITCH Authentication and Authorization Infrastructures in e-Science (and the role of NRENs) Christoph Witzig SWITCH e-IRG, Helsinki, Oct 4, 2006.

2006 © SWITCH Authentication and Authorization Infrastructures in e-Science (and the role of NRENs) Christoph Witzig SWITCH e-IRG, Helsinki, Oct 4, 2006.
1 Issues in federated identity management Sandy Shaw EDINA IASSIST 24-27 May 2005, Edinburgh.

1 Issues in federated identity management Sandy Shaw EDINA IASSIST May 2005, Edinburgh.
WebFTS as a first WLCG/HEP FIM pilot

WebFTS as a first WLCG/HEP FIM pilot
WLCG Security TEG, risks and Identity Management David Kelsey GridPP28, Manchester 18 Apr 2012.

WLCG Security TEG, risks and Identity Management David Kelsey GridPP28, Manchester 18 Apr 2012.
FIM-ig Federated Identity Management Interest Group.

FIM-ig Federated Identity Management Interest Group.
SWITCHaai Team Federated Identity Management.

SWITCHaai Team Federated Identity Management.
Security Incident Response Trust Framework for Federated Identity (Sir-T-Fi) David Kelsey (STFC-RAL) REFEDS, Indianapolis 26 Oct 2014 and now abbreviated.

Security Incident Response Trust Framework for Federated Identity (Sir-T-Fi) David Kelsey (STFC-RAL) REFEDS, Indianapolis 26 Oct 2014 and now abbreviated.
Trust and Security for FIM (Sirtfi/SCI) David Kelsey (STFC-RAL) FIM4R at CERN 4 Feb 2015.

Trust and Security for FIM (Sirtfi/SCI) David Kelsey (STFC-RAL) FIM4R at CERN 4 Feb 2015.
BoF: Federated Identity Management for Researchers David Kelsey (STFC-RAL) TNC2014, Dublin 20 May 2014.

BoF: Federated Identity Management for Researchers David Kelsey (STFC-RAL) TNC2014, Dublin 20 May 2014.
Authentication and Authorization in a federated environment Jules Wolfrat (SARA)

Authentication and Authorization in a federated environment Jules Wolfrat (SARA)
Belnet Federation Belnet – Loriau Nicolas Brussels – 12 th of June 2014.

Belnet Federation Belnet – Loriau Nicolas Brussels – 12 th of June 2014.
Authentication and Authorisation for Research and Collaboration Licia Florio (GÉANT) Christos Kanellopoulos (GRNET) Service orientation.

Authentication and Authorisation for Research and Collaboration Licia Florio (GÉANT) Christos Kanellopoulos (GRNET) Service orientation.
Federated Access to US CyberInfrastructure Jim Basney CILogon This material is based upon work supported by the National Science.

Federated Access to US CyberInfrastructure Jim Basney CILogon This material is based upon work supported by the National Science.
7 th FIM 4 R meeting 23-24 April 2014 ESRIN Frascati.

7 th FIM 4 R meeting April 2014 ESRIN Frascati.

Similar presentations

Ads by Google