
Https://aarc-project.eu Authentication and Authorisation for Research and Collaboration SA1 - Pilots on the Integrated R&E AAI TSA1.1 - Pilots on Guest.


1 https://aarc-project.eu
Authentication and Authorisation for Research and Collaboration
SA1 - Pilots on the Integrated R&E AAI
TSA1.1 - Pilots on Guest Identities
Guest Identities Pilots: Update and plans
AARC General Meetings - Milan, Wednesday November 4, 2015
Mario Reale, Lalla Mantovani, Barbara Monticini, Marco Malavolti (GARR)

2 SA1 Task 1 Goals
● Implement pilots on supporting guest identities according to the solutions recommended by JRA1-NA3
o and prove their feasibility, involving user communities

3 Project Objectives on guest identities
● Lower the entrance barriers for organizations to adopt federated AAI
o by providing them with solutions to:
  - get their IDP and have it federated
  - make use of Guest IDPs
  - bridge towards non-Federated IDs (Social, eGov)
● Identify relevant use cases within selected user communities for applying these solutions and prove their effectiveness

4 Guests are knocking at our door
“I am a librarian, can I please get rid of IP-based authentication for my users and adopt Federated AAI for authenticating them?”
“I have a FB account: can I use it to access these Wiki pages provided as Federated SP in eduGAIN?”
“In my country there is no such thing as a “National ID Federation”: can I use a sort of “free trial license” Federation for my IDP somewhere? Or can you help my country get an ID-Federation quickly?”
“I asked, but in my university there is no Identity Provider. Can you anyhow help me access FileSender provided by my NREN?”
“I have an ID from my HO IDP registered in my national ID Fed, member of eduGAIN”

5 Possible strategies to manage guest users (mapped onto SUBTASK 1, SUBTASK 2 and SUBTASK 3 of TSA1.1)
Bridging towards existing Social/Gov IDs (“Long tail of Science”):
● Integrate existing Social/Gov IDs with attributes for accessing federated SPs
Push for adoption of Federated AAI in key user communities (LIBRARIES):
● Get rid of IP-based AuthN in the libraries
● Support libraries in the adoption of Federated AAI (SSO proxy)
● Integrate national organizations managing contracts with publishers (SPs) in the national federation
Enrolling new Fed IDs (new IdPs) / spawning new Identity Federations where missing:
● Support HOs to get their IdP providing their IDs, or provide Guest IdPs
● Facilitate the setup of all required services and practices to implement a national ID Federation

6 Task SA1.1 - Agenda for today: 5 proposed pilots in 3 domains, update on on-going discussions
AARC (DoW) identified three main areas of pilot activities for Guest Users:
● Long Tail of Science: bridging towards Social and e-Gov IDs (Subtask TSA1.1.1)
● Guest IDPs / Cloud IDPs / Fed-a-a-S (Subtask TSA1.1.2)
● Libraries pilots (Subtask TSA1.1.3)
We present today five proposed pilots in three domains:
● Bridging towards eGov ID (GRNET)
● IDP-on-demand (Cloud based IDP) (GARR)
● Libraries (GARR and GRNET pilots)
We will also try to briefly summarize on-going discussions in AARC on other pilot-related topics:
● Bridging towards social IDs (Reputation)
● Catch-all Federation for homeless IDPs

7 Five Guest Identities Pilots identified so far (GARR, GRNET)
1. Pilot on Libraries: Hybrid Authentication / SSO Proxy
2. Pilot on Libraries: Extending JUSP as SP towards eduGAIN IDPs
3. Pilot on Libraries: Contracts national coordinating body / HEAL-link
4. Pilot on Cloud-IDP: Making Cloud-IDP a widely adoptable model
5. Pilot on eGov IDs: Bridging towards eGov-IDs

8 1. Hybrid Authentication (SSO proxy) Libraries Pilot (GARR) [GARR, DAASI, LIBER, MORAVIAN]

9 Libraries are central in the community of AARC users
● They are key users for AARC and are GUEST USERS by definition, being often outside the federated AAI model
● They are familiar with publishers relying on IP-based authentication
● They need to move away from IP-based AuthN and adopt Federated AAI, to overcome the large set of drawbacks implied by IP-based AuthN
● Federated SPs provided by some publishers are available
● Libraries have to live in a hybrid model for AAI, using both SAML/Federated and IP-based AAI
o Very demanding and complex in terms of users and tools to be integrated in a single functional environment
● There is room for piloting to identify critical issues and gain hands-on experience on supporting libraries within AARC and beyond it
● Supporting Libraries in the adoption of Fed-AAI is a major goal of AARC
● Libraries should no longer be «guest users» for ID Federations, but rather key elements for the adoption of Federations (linking SPs and IDPs)

10 Limitations of IP-based Authentication for Libraries
● Hard to manage consistently for:
o Multiple licensing / affiliations
o Different departments in an institution
o Different roles (students, staff, alumni…): they might share the same source IP network ranges
● Accessing licensed resources when off-premises (home, roaming…), thus from different IP networks and ranges
● Open proxy: hacked nodes on authorized IP networks opening up licensed resources for everyone
● Hard to segment campus networks for the different departments, thus hard to allow different levels of service and license-scoped resources
● VPN implies an overhead for both Campus/HO and end-users
● Mobile terminals on phones -> local IP not transmitted
● IPv6 often affecting the behavior of the client-server interaction
Let’s move away from IP-based authentication towards Federated AuthN via SAML; let’s cope with a hybrid environment for the next years.
To understand problems and desired solutions for libraries please have in mind “ESPReSSO - Establishing Suggested Practices Regarding Single Sign-On”: http://www.niso.org/workrooms/sso

11 Recommendations for Libraries from the ESPReSSO study (Establishing Suggested Practices Regarding Single Sign-On): the LIBRARIES use cases
[Diagram: Library IDP, Library Institution Page]

12 Use Case: Library users accessing Fed & Non-Fed resources through the Library Institution page
● The resources listing includes both Federated and non-Federated resources
● An SSO proxy is required
● Federated resources must be listed using a DS-free (WAYF-less) syntax
● Non-Federated resources must have a proxy syntax
● The login does not show up in case an SSO session has already been established
● DS (Discovery Service): it never shows up

13 Use Case: User willing to access a protected resource after a search (URL, DOI, search tool), bypassing the Institution Main Menu
● An Access Mode Switch is required (could be managed by the SSO proxy); transparent in the user experience
● An SSO proxy is required for non-Federated resources
● The login does not show up in case an SSO session has already been established
● Federated resources must be resolved using a DS-free (WAYF-less) syntax
● DS (Discovery Service): it never shows up

14 Let’s start from the identified Requirements from the Libraries community (DJRA1.1)
1. The coverage of service providers with SAML support is still far below 100%. A mixed approach including IP-based access and federated access could be used but is considered confusing for users, as it means it is often unclear which resources are accessible through their educational account and which are not.
2. So called “walk-by users”, such as citizen scientists, are not able to access academic content.
3. With IP-based access, they are able to access content as long as they reside at the campus.
4. SAML-based AuthN [itself] does not provide functionality to preserve the privacy of users.
5. Single sign-off is not supported.
6. Deep linking is not always supported (but depends on SP implementation).
7. No seamless integration between providers.
8. Lack of standardization in the use of labels to log in (e.g. “institutional account”, “shibboleth login”, “educational login” …).
9. It is often confusing or time-consuming to deal with users that already have existing accounts at service providers. Not all providers provide functionality for account mapping.

15 Goals of this Library pilot of subtask 1 (Guest Identities)
● (Addressing R1) Provide users with smooth, seamless access to the available resources given their status, without having to care whether the SPs support Federated (SAML) Authentication or IP-based authentication
● (Addressing R2) Host walk-in users with no specific IDs available, but on premises
● (Addressing R3) Provide users with access when outside the campus network
o from different IP network ranges than the Campus ones
o when in mobility
● (Addressing R6) Have search tools (Resource Discovery) integrated in the process of user login and access to full-text documents
● (+) Grant access to patrons ensuring different access rights and scoping of the online publishers’ SPs according to the users’
o primary affiliation
o role in the Home Organization

16 Proposed AARC SA1 library pilot set up
[Diagram of the PILOT: Library Institution Portal; Access Mode Switch; SSO IP Proxy (EZ-proxy, Primo, Summons, SFX, HAN); Institution Link Resolver; Dummy SP (SAML); Walk-in User workstation; Library IDP (AuthN, SSO session, IP-based AuthN plugin); Resources Catalogue; Resource 1 (Federated, IP-based AuthN via Shibboleth); Resource 2 (Non SAML); Walk-in User; Library IDM / IDM DB; SSO PROXY]

17 Proposed AARC SA1 library pilot set up (in depth)
● Any user logs in through the Library IdP
o (eventually) walk-in users by means of the Shibboleth IP-based AuthN plugin
o already registered users are stored in a Library IDM DB
● When searching for a resource, the «Access Mode Switch» acts as follows: with the result of a user search, the link resolver inspects the link and checks whether the resource is served by:
o a SAML Federated SP -> SSO path: if the user already has a valid established SSO session he gets access to the full-text document; otherwise an SSO login is requested before proceeding
o a non-SAML SP -> Proxy path: SSO proxy software (like EZProxy) is needed
● Requirement: transparently provide access to full-text documents; the user needs a valid SSO session before proceeding
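As an added illustration (not code from the AARC pilot, EZproxy or Shibboleth), the following Python sketch models the Access Mode Switch described in the two library use cases and in the set-up above: it classifies a deep link by publisher host, emits a WAYF-less Shibboleth SP login link for federated resources and an EZproxy-style prefixed link for non-SAML ones, and flags when an SSO login is still needed. Hostnames, the catalogue and the proxy prefix are constructed placeholders; the `/Shibboleth.sso/Login?entityID=...&target=...` and `login?url=` forms are the conventional handler syntaxes of those two products.

```python
"""Access Mode Switch for a hybrid (SAML + IP-proxy) library AAI: illustrative model."""
from dataclasses import dataclass
from urllib.parse import quote, urlsplit

# Hypothetical pilot components (placeholders, not real services)
LIBRARY_IDP_ENTITY_ID = "https://idp.library.example/idp/shibboleth"
SSO_PROXY_BASE = "https://proxy.library.example/login?url="


@dataclass(frozen=True)
class Resource:
    host: str        # publisher host as it appears in search results / DOI targets
    saml_sp: bool    # True if the publisher exposes a SAML SP reachable via eduGAIN
    login_handler: str = "/Shibboleth.sso/Login"   # Shibboleth SP session initiator


# Constructed catalogue: resource 1 is federated, resource 2 is IP-based only
CATALOGUE = {
    "journals.fed-publisher.example": Resource("journals.fed-publisher.example", True),
    "www.legacy-publisher.example": Resource("www.legacy-publisher.example", False),
}


def resolve(target_url: str, sso_session_valid: bool) -> dict:
    """Pick the access path for a deep link and build the URL the patron is sent to.

    Returns {"path": "sso" | "proxy" | "unknown", "url": str | None,
             "login_required": bool}.  Both real paths require a valid SSO session
    at the Library IdP; they differ only in how the publisher is reached.
    """
    host = urlsplit(target_url).hostname or ""
    res = CATALOGUE.get(host)
    if res is None:
        # Not licensed / not in the catalogue: present nothing the user cannot open
        return {"path": "unknown", "url": None, "login_required": False}
    if res.saml_sp:
        # WAYF-less (DS-free) link: the Library IdP is named explicitly, so the
        # publisher's discovery service never appears to the user
        url = (f"https://{res.host}{res.login_handler}"
               f"?entityID={quote(LIBRARY_IDP_ENTITY_ID, safe='')}"
               f"&target={quote(target_url, safe='')}")
        return {"path": "sso", "url": url, "login_required": not sso_session_valid}
    # Non-SAML publisher: rewrite the link through the SSO proxy (EZproxy-style prefix)
    url = SSO_PROXY_BASE + quote(target_url, safe="")
    return {"path": "proxy", "url": url, "login_required": not sso_session_valid}
```

The link resolver would run `resolve` on every search hit, so the patron sees only links that are already routed to the right path, which is the "transparent in the user experience" property the pilot asks for.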

18 Objectives and results expected from the set up
● Evaluate the case of Discovery and Delivery tools like Primo (Ex Libris), SFX (Ex Libris), Summon (ProQuest) and others already in use in the libraries of the partners involved:
o How do they work when delivering full text from non-SAML providers?
o How do they integrate with the SSO proxy?
o What does the user experience look like: is the delivery of the full text transparent for the user in this set-up based on a hybrid environment?
● Libraries which already expressed their interest in participating in the SSO proxy library pilot:
o Ca’ Foscari University Libraries (IT)
o University of Salento (IT)
o Koninklijke Bibliotheek (NL)
o Moravian Library (CZ)

19 Having in place the solutions addressed by the pilots makes a difference for libraries
Pilot’s impact: compare the libraries’ stand without the pilot with the solutions addressed by the pilot.
WITHOUT THE PILOT’s RESULTS:
● Libraries would have to set up VPNs for users outside the IP range
● It is confusing for users to deal with federated and non-federated SPs from publishers
● Users would have to tell by hand and by trial-and-error if they can access a deep link provided by a search
● Walk-in users would have no rights
WITH THE SOLUTIONS ADDRESSED BY THE PILOT IN PLACE:
● Libraries would rely on Federated AuthN irrespective of the user’s source IP address
● Users don’t have to mind whether an SP is federated or not
● Users would be presented with all and only the links they are entitled to access according to their affiliation
● Walk-in users will be granted access via the IP-based AuthN Shibboleth plugin

20 2. Proposal for JUSP extension outside the UK

21 JUSP - Journal Usage Statistics Portal
● JUSP is an SP currently provided by the UK federation, offering centralised access to journal usage statistical data; currently limited to UK libraries
● JUSP collects the data coming from IDPs, elaborates them, and publishes them for libraries (as an SP in the UK Federation)
● We would like to propose a simple pilot to evaluate the extension of JUSP to libraries outside the UK
o JUSP should interface to IDPs also outside the UK, in the EU
o Check with JUSP the actual possibility to provide this service outside the UK
● Benefit for AARC and the community: if offered through eduGAIN, this would be an additional boost for libraries to join eduGAIN itself

22 4. Cloud IDP Pilot

23 Cloud IDP Pilot
A pilot on Cloud IDP should:
● Provide support material and documentation
● Provide packaging / deployment suites
● Test the automatic deployment procedures
● Include branding and possible required customizations for the IDP Cloud solution currently provided to many institutions in Italy
The basic idea would be to pilot the automatic deployment of IDP cloud by other interested institutions, and thus make this approach adoptable by other federations in Europe.

24 Summary on on-going discussions within AARC on other pilots

25 Bridging towards social IDs (Reputation)
● Reputation scenarios to be exploited as a mechanism to enroll social IDs and make them available in a Federated AAI
● Pilot functional components: an SP (e.g. based on SimpleSAMLphp), some account management (e.g. Postgres), support for reputation (i.e. an extra attribute) plus some simple customizable scripts to do basic reputation management
● Goal would be to explore different scenarios for reputation management

26 Catch-all Federation for homeless IDPs / SPs
● On-going discussion on having a catch-all federation
● A possible candidate can be the GrIDP pool (used by some Science Gateways): https://gridp.garr.it/
● Getting GrIDP in eduGAIN: on-going discussions / process
Questions to everyone:
● Do you think this is useful to boost/support the spawning of Identity Federations in countries where they are still completely missing?
● What kind of IDP / Catch-All-Fed interaction/policies should be enforced/expected?
● Temporary solution for some countries until a new ID-Fed is spawned?

