
Authentication and Authorization Overview Kimmo Koskenniemi, Antti Arppe, Mikael Lindén University of Helsinki, CSC – IT Centre for Science Consortium.


Slide 1: Authentication and Authorization Overview
Kimmo Koskenniemi, Antti Arppe, Mikael Lindén
University of Helsinki, CSC – IT Centre for Science
Consortium meeting – Legal thematic session, Barcelona 2009-05-12

Consortium Meeting Barcelona 2009-05-12, www.clarin.eu

Slide 2: CLARIN players and their relationships
(Diagram; dashed arrows: flow of permissions, solid arrows: data flow and other connections. Boxes: Content Provider, Service Provider, CLARIN User, Copyright Owner, Authorization Records, Access Database.)

Slide 3: CLARIN legal entities (1)
- Copyright Owner – CO
- Content Provider – CP
- Service Provider – SP
- Identity Federation – IdF
- Identity Provider – IdP
- CLARIN User – CU
- How do these map onto the CLARIN centre types (in the WP2 documentation)?

Slide 4: CLARIN legal entities (2)
- Copyright owners (CO)
  - the authors and publishers, or whoever possesses the original (or acquired) rights
- Content Providers (CP)
  - organizations which acquire language materials and sufficient rights from the Copyright Owners (CO)
  - may also produce these resources themselves
  - the rights needed by the CP typically include the right to grant some end users the right to access and use the materials
  - COs may put some restrictions on who may use the materials and in which ways they may be used, e.g. only for research purposes, or not to make copies other than customary citations
  - the CP deposits the material at a CLARIN Service Provider (SP)

Slide 5: CLARIN legal entities (3)
- Service Provider (SP)
  - institution which provides technical access to the LRT (language resources and tools)
  - usually a computing centre
  - agrees to allow CLARIN end-users access to the materials only according to the authorization by CPs: some materials automatically for larger groups, others only according to individual applications
  - agrees to protect the material against unauthorized access
- The CLARIN infrastructure will consist of several SPs which are linked together with agreements
- Several CPs may be connected to each SP

Slide 6: CLARIN legal entities (4)
- CLARIN Identity Federation (IdF)
  - consists of IdPs which operate according to a common policy (e.g. Haka in Finland, DFN in Germany, SurfFederatie in Holland)
  - SPs make agreements with IdFs
  - each SP cooperates with all CLARIN IdFs
- Identity Providers (IdP) are existing institutional identity services (e.g. University of Helsinki as a part of Haka)
  - used for identifying large groups of people such as the staff of organizations or students
  - the (unique) identity provided by IdPs within IdFs is the basis for identifying CLARIN Users (CUs)
- CLARIN User (CU)
  - identified and authenticated with the attributes provided by an IdP as eduPersonPrincipalName@Domain

Slide 7: CLARIN legal entities (5)
- The CLARIN AA infrastructure consists of
  - many CP institutions
  - not so many SP centres
  - each CP is typically associated with one SP centre
- CO involvement is restricted to the negotiations and agreements by which CPs acquire LRT content from them
- CLARIN SPs are linked with all national IdFs using SAML2 and ePPN@domain identities
- One organization may offer several functions
  - some units may provide both the CP and SP functions
  - some CLARIN SP may maintain a national IdP federation (e.g. CSC maintains Haka in Finland)

Slide 8: Authorization
- CP institutions control the authorization by maintaining the contents of CLARIN Authorization Records (ARs)
  - binding legal documents with (electronic) signatures which indicate which materials each CU is allowed to use and how
- Some end-user licenses may be granted automatically by the electronic signature of the CU
  - the permitted uses of the material may vary
- Some materials require a more elaborate application by the CU and processing by the CP, including
  - explaining and justifying the need to use a material
  - a possible recommendation (through an electronic signature)
  - acceptance or denial of the application
- All rights the CP can grant to the CUs to use materials must have been acquired from the CO

Slide 9: CLARIN players and their relationships
(Diagram; dashed arrows: flow of authorizing, red arrows: flow of access. Boxes: Content Provider, Service Provider, CLARIN User, Copyright Owner, Authorization Records, Access Database.)

Slide 10: Authorization
- The ARs are technically maintained by the SPs
- The ARs are based on
  - unique IdP identities: ePPN@domain
  - potentially required (electronic) signatures confirming the acceptance of relevant license terms
- The Access Database contains the core information of the ARs, i.e. which materials (identified by PIDs) a user identified as ePPN@domain is allowed to use, according to the Single Sign-On (SSO) principle

Slide 11: Agreements between CLARIN legal entities
- CO-CP: acquisition of permissions
- CP-SP: resource deposition agreements, including AR and access database maintenance
- SP-SP: agreement on uniform services
- SP-IdF: agreement on secure and uniform identification (SP-IdP agreement on the same in the absence of national IdFs)
- IdF-IdF: confederations (eduGAIN etc.) on common policies and interpretation of attributes
- CP-CU: end-user license

Slide 12: CLARIN players and their relationships
(Diagram; red arrows: agreements. Boxes: Content Provider, Service Provider, CLARIN User, Copyright Owner, Authorization Records, Access Database, a second Service Provider.)

Slide 13: CLARIN SP-SP agreement (1)
- links all CLARIN SP centres together
- harmonizes their CLARIN services
  - CUs can identify themselves using their local IdP services
  - CUs can access the materials on any SP centre according to their permissions in the ARs
- contains some obligations for each of the participating centres
  - responsibility to enter into the necessary agreements with the IdPs used within CLARIN
  - may include the agreements allowing the use of identity information in a systematic way together with the other centres in the group

Slide 14: CLARIN SP-SP agreement (2)
- states the set of minimum requirements for usage, deposition and authorization rights
  - which a CP must be able to grant to all SPs
  - which each CP has to have negotiated with and acquired from each CO
  - to allow for the use of these materials throughout the CLARIN federation of SPs
  - (in the form of a checklist or model licensing templates)
- requires that the CPs of the SP may only include materials with sufficient rights in the CLARIN services

Slide 15: CLARIN LRT deposition agreement: CP ↔ SP
- between each CP institution and the associated SP centre
- preferably, the rights should permit depositing the material in more than one CLARIN SP centre at the same time → back-up, mirroring etc.
- the SP (or the SPs) must agree to allow users to access only materials for which they have an explicit authorization by the CP
- the SP must also agree to destroy the copies of the materials at the possible termination of the agreement

Slide 16: Deposition agreement: CP ↔ SP
- The materials, tools and services can be classified according to the limitations of their use into three general categories:
  1. materials which can be freely used by anyone,
  2. materials to which the CP can grant a license automatically through an electronic signature by the user (unilaterally),
  3. materials which can only be accessed according to an individual application by the user and after individual consideration by the CP (bilaterally).
- License agreements typically impose limitations of usage to which the user commits upon receiving permission, e.g. only for academic research and education.

Slide 17: Deposition agreement: LRT metadata requirements
- In addition to providing the actual content, the CP is also responsible for
  - supplying some metadata in a CLARIN standard format
  - exact information about the authorization scheme for the material:
    i. who is/are authorized to grant the permissions for users,
    ii. what qualifications the individual applicants must satisfy, and
    iii. what license agreement the applicants must sign (including the license text which states the exact conditions of use)
- The CP may also have to indicate the level of trust needed for identifying the CUs

Slide 18: Authorization – Access
(Diagram. Elements: Content Provider supplying metadata for material M (assurances and licenses); Material M; Service Provider; Access Database keyed by (ePPN@site, PID); IdP; User identified as ePPN@site.)

Slide 19: Simple authorization workflow (1)
Category 2 – resource available to users upon one-sided commitment to research use
1. Raymond Researcher from the MPI in Nijmegen wants to use language resource G, stored at CSC in Helsinki/Espoo.
2. Raymond goes to the CLARIN resource listing at www.clarin.eu as a new CLARIN user.
3. Raymond selects resource G – with unique PID(G) – from a list. The service informs Raymond that he has to agree to and sign a CLARIN general End-user License Agreement (EULA) concerning research use.
4. Raymond clicks the link "Apply for access to resource G".

Slide 20: Simple authorization workflow (2)
5. Raymond is redirected to the AR service at CSC, https://ar.csc.fi/licenses/request, logging in through his Dutch national IdF service SurfFederatie (specifically his local IdP: MPI/Nijmegen). Raymond is shown the general CLARIN terms of use (EULA) for research purposes.
6. Raymond ticks the box "I have read and understood these terms of use for research and agree to abide by them" and presses the "Agree" button. Raymond's identity attributes, raymondr@mpi.nl (eduPersonPrincipalName@Domain) as provided by his IdP (MPI/Nijmegen), are now linked with the resource identifier PID(G) in the Authorization Records (AR) at CSC.

Slide 21: Simple authorization workflow (3)
7. Raymond proceeds to get access to resource G.

Slide 22: Complex authorization workflow (1)
Category 3 – user commitment to specific license terms, individual recommendation and consideration required
1. Raymond Researcher from the MPI/Nijmegen wants to use language resource S at CSC, "managed" by Kimmo Koskenniemi.
2. Raymond goes to the CLARIN resource listing at www.clarin.eu.
3. Raymond selects resource S – identified with unique PID(S) – from a list. The service informs Raymond that access to resource S requires authorization granted personally by Kimmo Koskenniemi.
4. Raymond clicks the link "Apply for access to resource S".

Slide 23: Complex authorization workflow (2)
5. Raymond is redirected to the AR service at CSC, https://ar.csc.fi/licenses/request/, logging in through his national IdF service SurfFederatie (specifically his local IdP: MPI/Nijmegen).
6. Raymond writes an English motivation why he should be granted access to resource S. In addition, Raymond
   - includes his PhD research plan abstract,
   - provides a link to his home page at his home university,
   - selects Peter Wittenburg from a list of Dutch national referees,
   - reads and signs the general and resource-specific terms,
   - clicks the button "Send application".

Slide 24: Complex authorization workflow (3)
7. Peter Wittenburg receives an email from the AR at CSC: "Raymond Researcher from the MPI/Nijmegen asks you for a recommendation to use resource S. In order to give the recommendation, click the link https://ar.csc.fi/licenses/recommend".
8. Peter clicks the link and logs into the AR at CSC with the Dutch national IdF SurfFederatie (specifically his local IdP: MPI/Nijmegen).
9. Peter is presented with Raymond's application (along with the attachments), browses them, writes a few words of recommendation to Kimmo, and clicks the button "Recommend".

Slide 25: Complex authorization workflow (4)
10. Kimmo Koskenniemi at the University of Helsinki receives an email from the AR at CSC: "Raymond Researcher from the MPI/Nijmegen asks you for permission to use resource S. Peter Wittenburg from MPI/Nijmegen supports Raymond's application. In order to grant the permission, click the link https://ar.csc.fi/licenses/grant/".
11. Kimmo clicks the link and logs into the AR at CSC with the Finnish national IdF Haka (specifically via his local IdP: University of Helsinki).

Slide 26: Complex authorization workflow (5)
12. Kimmo is presented with Raymond's application (along with the attachments) as well as Peter's recommendation, browses them, and clicks the button "Grant permission". Raymond's identity attributes (raymondr@mpi.nl) are linked in the AR at CSC with the data indicating that he is now authorized to access resource S, identified by the unique PID(S).
13. Raymond receives an email from the AR at CSC: "You have been granted permission to use resource S. You now have access to this resource." Raymond may then access S at CSC by authenticating himself via the Dutch SurfFederatie IdF (raymondr@mpi.nl), which has CSC as one of its many Service Providers.
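The following is an added illustration, not code from the CLARIN project or the slides: it models the Access Database of slides 10 and 18 as a set of (ePPN@domain, PID) pairs and walks resource G (category 2) and resource S (category 3) through the two workflows above, enforcing that only the PID's manager may grant and only after a referee's recommendation. PID strings, the manager and referee addresses, and the PermissionError checks are constructed assumptions.

```python
from dataclasses import dataclass, field
from enum import Enum

class Category(Enum):
    FREE = 1          # slide 16, category 1: freely usable by anyone
    AUTO_LICENSE = 2  # category 2: licensed by the user's electronic EULA signature
    INDIVIDUAL = 3    # category 3: application, referee recommendation, CP decision

@dataclass
class AuthorizationRecords:
    """Constructed model of the AR / Access Database; not the real CSC service."""
    categories: dict  # PID -> Category, taken from the CP's metadata (slide 17)
    managers: dict    # PID -> ePPN of the CP person entitled to grant access
    access_db: set = field(default_factory=set)  # (ePPN@domain, PID) pairs
    pending: dict = field(default_factory=dict)  # (ePPN, PID) -> referee ePPN or ""

    def sign_eula(self, eppn, pid):
        """Category 2, step 6: pressing 'Agree' on the general EULA links ePPN and PID."""
        if self.categories.get(pid) is not Category.AUTO_LICENSE:
            raise PermissionError(f"{pid} cannot be licensed unilaterally")
        self.access_db.add((eppn, pid))

    def apply(self, eppn, pid):
        """Category 3, step 6: the user files an application; no referee yet."""
        if self.categories.get(pid) is not Category.INDIVIDUAL:
            raise PermissionError(f"{pid} does not take individual applications")
        self.pending[(eppn, pid)] = ""

    def recommend(self, eppn, pid, referee):
        """Step 9: the referee, logged in via their own IdP, supports the application."""
        if (eppn, pid) not in self.pending:
            raise KeyError(f"no application by {eppn} for {pid}")
        self.pending[(eppn, pid)] = referee

    def grant(self, eppn, pid, granter):
        """Steps 10-12: only the PID's manager may grant, and only a recommended application."""
        if granter != self.managers.get(pid):
            raise PermissionError(f"{granter} does not manage {pid}")
        if not self.pending.get((eppn, pid)):
            raise PermissionError(f"no recommended application by {eppn} for {pid}")
        del self.pending[(eppn, pid)]
        self.access_db.add((eppn, pid))

    def may_access(self, eppn, pid):
        """SP-side check at access time: free resource, or an Access Database entry."""
        return self.categories.get(pid) is Category.FREE or (eppn, pid) in self.access_db
```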

Slide 27: Thank you for your attention
CLARIN has received funding from the European Community's Seventh Framework Programme under grant agreement number 212230.

Slide 28: CLARIN players and their relationships
(Diagram. Boxes: Content Provider, Service Provider, CLARIN User, Copyright Owner, Authorization Records, Access Database. Dashed red arrows: covered in the next talk by Marjut Salokannel.)

