Authorization and Authentication Infrastructure Daan Broeder & Dieter Van Uytvanck Max Planck Institute for Psycholinguistics

1 Authorization and Authentication Infrastructure Daan Broeder & Dieter Van Uytvanck Max Planck Institute for Psycholinguistics Firstname.lastname@mpi.nl CLARIN-NL Info Session Nijmegen 2009-07-01

2 CLARIN-NL Info Session Nijmegen 2009-07-01 www.clarin.eu
Overview
- CLARIN and the holy grail
- Traditional Federations
- AAI prototype
- Planning

3 CLARIN and the Holy Grail (1)
- A researcher authenticates at his/her own organization and creates a “virtual” collection of resources from different repositories.

4 CLARIN and the Holy Grail (2)
- browsing a catalogue, searching through metadata, or searching in resource content.
- workflow specification tool to process this virtual collection with possibly a mix of home-grown and remote service components.
- Resulting data can be added to the origin repositories (with “virtual” collection)
- For our domain this is very ambitious and challenging, but even a partial realization is worthwhile!

5 Traditional Federations (1)
[Diagram: from a local user store (local DB queried over HTTP/LDAP) to a traditional federation (IdP with its own DB, SP, SAML over HTTP)]
From a local user store to a traditional federation…

6 Traditional Federations (2)
[Diagram: IdPs and SPs connected within one federation]

7 CLARIN AAI prototype (1)
[Diagram: several (Identity) Federations, each with its own IdPs and SPs]

8 CLARIN AAI Prototype (2)
- 7 Service Providers:
  - INL, Meertens Instituut, MPI
  - IDS, DFKI, BBAW
  - CSC / U Helsinki
- 3 national Identity Federations:
  - SurfFederatie (NL)
  - DFN (DE)
  - HAKA (FI)

9 AAI prototype agreements
- Two options:
  - One SP signs on behalf of all participating SPs (1xN, preferred)
  - Every SP signs a separate contract with each national Identity Federation (NxN, more fuss but feasible)

10 Planning
- Before end 2009: prototype federation
  - WP7: contractual issues
  - WP2: technical aspects
- Keep good contacts with GEANT3/TERENA/eduGAIN
- Talks with CSC about implementing a common code of conduct service

11 Thank you for your attention CLARIN has received funding from the European Community's Seventh Framework Programme under grant agreement n° 212230

12 Backup slides

13 References
- http://www.terena.org/activities/tf-emc2/meetings/12/slides/eduGAINstatus.pdf
- http://www2.surfnet.nl/bijeenkomsten/rd2008/sheets/zandbelt.ppt
- http://www.clarin.eu/events/aai-hands-on-workshop

14 CLARIN SP Metadata
[Diagram: CLARIN SP metadata pushed to the national IdFs (DFN, HAKA, SurfFederatie), each over its own channel (SMTP, SWITCH system)]
Push SP metadata to national IdF via protocol as chosen by the specific IdF (SMTP, SWITCH system). Include MD about IdPs within national IdF?

15 CLARIN SP Metadata
[Diagram: DFN, HAKA and SurfFederatie metadata reaching the CLARIN SP through the eduGAIN metadata hub]
Include MD about national IdPs in SP MD. With eduGAIN 2.0.
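Slides 14 and 15 turn on one mechanism: the SP only learns which IdPs it may trust, and where their SSO endpoints are, from the metadata aggregate the national IdF or the eduGAIN hub publishes. The following is an added example (not CLARIN, Shibboleth or eduGAIN code) that loads such an aggregate with the Python standard library, refuses it once its validUntil has passed, and extracts the IdP login endpoints. The element and attribute names are those of SAML 2.0 metadata; the entity IDs, URLs, federation name and clock values are constructed for the demonstration. Checking the XML signature on the aggregate, which a real SP must also do, is outside this example.

```python
"""Load a SAML 2.0 metadata aggregate and extract the IdPs an SP may send users to."""
from datetime import datetime, timezone
import xml.etree.ElementTree as ET

MD_NS = "urn:oasis:names:tc:SAML:2.0:metadata"
HTTP_REDIRECT = "urn:oasis:names:tc:SAML:2.0:bindings:HTTP-Redirect"
HTTP_POST = "urn:oasis:names:tc:SAML:2.0:bindings:HTTP-POST"

# Constructed sample aggregate with one IdP and one SP.  Entity IDs and URLs are made up;
# a real federation aggregate is signed and far larger.
SAMPLE_AGGREGATE = f"""<md:EntitiesDescriptor xmlns:md="{MD_NS}" Name="urn:example:national-idf"
                       validUntil="2009-07-08T12:00:00Z">
  <md:EntityDescriptor entityID="https://idp.example-university.nl/saml">
    <md:IDPSSODescriptor protocolSupportEnumeration="urn:oasis:names:tc:SAML:2.0:protocol">
      <md:SingleSignOnService Binding="{HTTP_REDIRECT}"
                              Location="https://idp.example-university.nl/sso/redirect"/>
      <md:SingleSignOnService Binding="{HTTP_POST}"
                              Location="https://idp.example-university.nl/sso/post"/>
    </md:IDPSSODescriptor>
  </md:EntityDescriptor>
  <md:EntityDescriptor entityID="https://sp.example-archive.org/shibboleth">
    <md:SPSSODescriptor protocolSupportEnumeration="urn:oasis:names:tc:SAML:2.0:protocol">
      <md:AssertionConsumerService Binding="{HTTP_POST}" index="1"
                                   Location="https://sp.example-archive.org/Shibboleth.sso/SAML2/POST"/>
    </md:SPSSODescriptor>
  </md:EntityDescriptor>
</md:EntitiesDescriptor>
"""

# Constructed clock values: one inside the aggregate's validity window, one past it.
NOW_VALID = datetime(2009, 7, 1, 12, 0, tzinfo=timezone.utc)
NOW_STALE = datetime(2009, 7, 9, 12, 0, tzinfo=timezone.utc)


def _saml_time(value):
    """Parse an xs:dateTime.  Metadata writes UTC with a trailing 'Z', which
    datetime.fromisoformat only accepts from Python 3.11 on, so spell out the offset."""
    return datetime.fromisoformat(value.replace("Z", "+00:00"))


def load_trusted_idps(xml_text, now):
    """Return {entityID: {binding: location}} for every IdP in the aggregate.

    An aggregate whose validUntil has passed is rejected: an SP that keeps using stale
    metadata keeps trusting endpoints and keys the federation may have retired.
    """
    root = ET.fromstring(xml_text)
    valid_until = root.get("validUntil")
    if valid_until is not None and _saml_time(valid_until) <= now:
        raise ValueError(f"metadata aggregate expired at {valid_until}")

    idps = {}
    for entity in root.iter(f"{{{MD_NS}}}EntityDescriptor"):
        idp_role = entity.find(f"{{{MD_NS}}}IDPSSODescriptor")
        if idp_role is None:
            continue  # SP-only entities are not login targets
        endpoints = {}
        for sso in idp_role.findall(f"{{{MD_NS}}}SingleSignOnService"):
            endpoints[sso.get("Binding")] = sso.get("Location")
        if endpoints:
            idps[entity.get("entityID")] = endpoints
    return idps


def sso_location(idps, entity_id, preferred=(HTTP_REDIRECT, HTTP_POST)):
    """Pick the SSO endpoint a WAYF would redirect the browser to.  Returns None for an
    entityID that is not in the metadata: such an IdP must never be redirected to."""
    endpoints = idps.get(entity_id)
    if not endpoints:
        return None
    for binding in preferred:
        if binding in endpoints:
            return endpoints[binding]
    return None


if __name__ == "__main__":
    trusted = load_trusted_idps(SAMPLE_AGGREGATE, NOW_VALID)
    for entity_id in trusted:
        print(entity_id, "->", sso_location(trusted, entity_id))
```

Only the IdP role is collected because the SP's own entry in the aggregate (here the constructed archive SP) describes where assertions are to be delivered, not where users can log in; a WAYF built on this table cannot offer an IdP the federation has not published.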

16 Beyond the Traditional Federations: SPO
[Diagram: a Service Provider Federation/Organization spanning the IdPs and SPs of several identity federations]

17 AAI Issues & Challenges (1)
- CLARIN is not an IdF
  - Our intended clientele is too widespread
  - No special IdP configuration can be expected
  - So, only an SP organization relying on national IdFs
- What forms the SP organization (wrt. AAI)?
  - LRT Community
  - Standard contracts with the (national) IdFs
  - Common set of CCs / licenses
  - Attribute requirements
  - Shallow versus deep federation
    - SPs specify auditing level
    - No penalties

18 AAI Issues & Challenges (2)
- Attribute harmonization
  - eduGAIN solves it all?
- WAYF (& WFAYF)
- AAI software
  - Shibboleth and SimpleSAMLphp
  - Is there more needed?
- Guest accounts for the homeless

19 AAI Issues & Challenges (3)
- SSO for client applications
  - E.g. downloading distributed virtual collections
- SSO for web services
  - Deal with workflows chaining web services from different providers
- SSO when dealing with CCs, 3 options:
  - Leave it to the SP
  - User attribute (~ IdP)
  - Separate service, external attribute authorities.
- Use of GRID resources
  - Data GRID & Compute GRID

20 eduGAIN confederation
- Connect national AAI on a pan-European level
- GEANT (2,3) workgroup: TF-EMC2
- CLARIN: excellent use case!

21 CLARIN Federation Infrastructure
CLARIN wants to be a LR&T “service federation”:
- simplified and unified rules for licensing, accessing
- agreements with national identity federations
- must make sure all necessary attributes are available
- cater also for A&A of non-web applications and web services
- interaction with GRID AAI
[Diagram: national Identity Federations, eJournal Service Providers and LRT Service Providers linked by trust agreements]

22 DAM-LR EU project (1)
Small EU project (2005-2007) on archive integration of 4 partners
- corpus/computational linguistics and endangered language documentation
- Resource discovery: sharing a single metadata set for searching & browsing
- Authentication & Authorization: single user identity, single sign-on by using Shibboleth.
- Referencing and citing “archived resources” using a single persistent identifier system.

23 DAM-LR EU project (2)
- Experiences:
  - Standard eduPerson attribute set is probably sufficient, (but CCs …)
  - Shibboleth is nice when using web applications, but applications need access too!
  - Shibboleth efficient when dealing with groups e.g. staff, student, … But our domain has also to deal with individuals => store user IDs in authorization records
  - DAM-LR federation of both IdPs & SPs, CLARIN aims at a much larger potential user group whose home organizations do not want to run a CLARIN specific IdP => use the national IDFs
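The DAM-LR experience above, that group attributes cover staff and students while individual researchers need their user ID stored in the authorization record, is shown below as an added example of an authorization decision over released eduPerson attributes. It is not DAM-LR or CLARIN code: the record format, the IdP-to-scope table, the entity IDs and the attribute values are constructed. The attribute names eduPersonPrincipalName and eduPersonScopedAffiliation are the real eduPerson ones. The example also applies the check a federation SP must make on scoped attributes, namely that the scope after the "@" is one the asserting IdP is registered for, so that no IdP can grant its users another institution's group membership.

```python
"""Authorization records with group (scoped affiliation) and individual (ePPN) grants,
evaluated against the attributes a federation IdP released."""
from dataclasses import dataclass, field


@dataclass
class AuthzRecord:
    """Who may read one archived resource (constructed format)."""
    resource: str
    affiliations: set = field(default_factory=set)  # scoped groups, e.g. "staff@example-university.nl"
    principals: set = field(default_factory=set)    # individual eduPersonPrincipalName values


# Constructed: the security domains each IdP is registered to assert in the federation.
IDP_SCOPES = {
    "https://idp.example-university.nl/saml": {"example-university.nl"},
    "https://idp.example-institute.de/saml": {"example-institute.de"},
}


def accepted_scoped_values(attributes, name, idp_entity_id, idp_scopes=IDP_SCOPES):
    """Keep only the values of a scoped attribute whose scope the asserting IdP may use.

    A value such as "staff@example-university.nl" asserted by an IdP registered for a
    different domain is dropped, as a Shibboleth SP does with the scopes from metadata."""
    allowed_scopes = idp_scopes.get(idp_entity_id, set())
    accepted = set()
    for value in attributes.get(name, []):
        local_part, sep, scope = value.rpartition("@")
        if sep and local_part and scope in allowed_scopes:
            accepted.add(value)
    return accepted


def authorize(record, attributes, idp_entity_id, idp_scopes=IDP_SCOPES):
    """Return how access was decided: by group, by an individual record, or denied."""
    affiliations = accepted_scoped_values(
        attributes, "eduPersonScopedAffiliation", idp_entity_id, idp_scopes)
    if affiliations & record.affiliations:
        return "granted:affiliation"
    principals = accepted_scoped_values(
        attributes, "eduPersonPrincipalName", idp_entity_id, idp_scopes)
    if principals & record.principals:
        return "granted:principal"
    return "denied"


# Constructed record: all university staff plus one named external researcher.
CORPUS_RECORD = AuthzRecord(
    resource="corpus/fieldwork-2008",
    affiliations={"staff@example-university.nl"},
    principals={"aresearcher@example-institute.de"},
)

# Constructed attribute sets as the SP sees them after release by the IdP.
STAFF_ATTRS = {
    "eduPersonPrincipalName": ["jdoe@example-university.nl"],
    "eduPersonScopedAffiliation": ["staff@example-university.nl", "member@example-university.nl"],
}
EXTERNAL_ATTRS = {
    "eduPersonPrincipalName": ["aresearcher@example-institute.de"],
    "eduPersonScopedAffiliation": ["member@example-institute.de"],
}
# Same IdP as EXTERNAL_ATTRS, but claiming a staff affiliation in a scope it is not registered for.
MISSCOPED_ATTRS = {
    "eduPersonPrincipalName": ["someone@example-institute.de"],
    "eduPersonScopedAffiliation": ["staff@example-university.nl"],
}

if __name__ == "__main__":
    print(authorize(CORPUS_RECORD, STAFF_ATTRS, "https://idp.example-university.nl/saml"))
    print(authorize(CORPUS_RECORD, EXTERNAL_ATTRS, "https://idp.example-institute.de/saml"))
    print(authorize(CORPUS_RECORD, MISSCOPED_ATTRS, "https://idp.example-institute.de/saml"))
```

The record stores the external researcher's ePPN rather than a group, which is exactly the "store user IDs in authorization records" point of the slide; the scope filter is what makes storing a bare ePPN safe, because only the IdP that owns the domain can assert it.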

24 Applications need Authentication too
[Diagram: a user application (IMDI copier) fetching from archive A and archive B, each behind a Shibboleth-protected Apache, with the IdP]
User scenario: Copying resources from different repositories to the local machine
- The application speaks only HTTP with basic authentication
- It does not understand form-based authentication employed by the Shib. IdP
- The application is also not able to profit from the SSO over archives
Possible solution: Use certificates for authentication, obtained by SLCS (But can the auth. handshake be mimicked by software?)

25 Searching through annotations
[Diagram: CHAT, EAF and Shoebox files in the MPI Archive; parsers “normalize” the structural format into a DB/SE behind a search service, with Auth DB and IdP]
Content search in one archive: no problem (check single DB)

26 Federative search scenario
[Diagram: MPI Archive and Archive B, each with parsers that “normalize” CHAT/EAF/Shoebox into a DB/SE behind its own search service and AuthZ DB; a specialized web portal in front; AuthN via the IdP]
The web portal app would like to act on behalf of the user and access the search services.

27 What do we aim for?
- blah-blah

28 Licenses & Codes of Conduct 1
[Diagram: user's browser, IdP, SPa and SPb, each SP with its own CC DB]
SP requires CC signed and takes care of this, but only for its own domain. This can break the SSO if the user is required to sign the same CC several times. CLARIN will harmonize the CCs and licenses to a limited number.

29 Licenses & Codes of Conduct 2
[Diagram: user's browser, IdP holding the CC DB, SPa and SPb]
Store the CC DB info in the user attributes at the IdP (cfr. Switch aaiUapprove). But how does it get there? Special app? Not every IdP will/can run this CC DB.

30 Licenses & Codes of Conduct 3
[Diagram: user's browser, IdP, SPa and SPb, and a separate CC service with its CC DB]
Create special CC service. This is part of the SPF, independent of the IDFs.
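Slides 28 to 30 argue that a per-SP Code of Conduct database interrupts SSO once per SP, while one CC service shared across the SP federation asks the user once. The added example below models that difference in code so the two options can be compared on the same session; it is not CLARIN code, and the CC identifier, version numbers, SP names and user name are constructed. It also covers the case the slides leave implicit: when a harmonized CC text is revised, every SP must obtain a fresh signature, and with a shared service that still costs the user a single prompt.

```python
"""Where a signed Code of Conduct (CC) is recorded, and what that does to SSO."""
from dataclasses import dataclass


@dataclass(frozen=True)
class CodeOfConduct:
    cc_id: str    # one of the harmonized CCs (constructed identifier)
    version: int  # a revised text requires a new signature


class CcStore:
    """Records which user signed which CC version.  Used per SP (option 1 on slide 28)
    or as the single federation-wide CC service (option 3 on slide 30)."""

    def __init__(self):
        self._signed = {}  # (user, cc_id) -> version signed

    def has_signed(self, user, cc):
        return self._signed.get((user, cc.cc_id)) == cc.version

    def record(self, user, cc):
        self._signed[(user, cc.cc_id)] = cc.version


@dataclass
class ServiceProvider:
    name: str
    required_cc: CodeOfConduct
    cc_store: CcStore  # the SP's own store, or the shared CC service

    def access(self, user):
        """Return 'ok' or 'prompt'.  A prompt is a signing page inserted into the SSO flow."""
        if self.cc_store.has_signed(user, self.required_cc):
            return "ok"
        self.cc_store.record(user, self.required_cc)  # the user signs and then proceeds
        return "prompt"


def session_prompts(user, sps):
    """How often the user is asked to sign while visiting every SP once in one SSO session."""
    return sum(sp.access(user) == "prompt" for sp in sps)


ACADEMIC_CC = CodeOfConduct("CC-ACADEMIC", version=1)
USER = "jdoe@example-university.nl"  # constructed


def per_sp_stores(user=USER):
    """Option 1: SPa and SPb each keep their own CC DB for the same harmonized CC."""
    sps = [ServiceProvider("SPa", ACADEMIC_CC, CcStore()),
           ServiceProvider("SPb", ACADEMIC_CC, CcStore())]
    return session_prompts(user, sps)


def shared_cc_service(user=USER):
    """Option 3: one CC service inside the SP federation, consulted by every SP.

    Returns (prompts for the first session, prompts after the CC text is revised)."""
    service = CcStore()
    sps = [ServiceProvider("SPa", ACADEMIC_CC, service),
           ServiceProvider("SPb", ACADEMIC_CC, service)]
    first = session_prompts(user, sps)
    revised = CodeOfConduct("CC-ACADEMIC", version=2)  # harmonized text changed
    for sp in sps:
        sp.required_cc = revised
    second = session_prompts(user, sps)
    return first, second


if __name__ == "__main__":
    print("per-SP CC databases: prompts =", per_sp_stores())
    print("shared CC service: prompts (initial, after revision) =", shared_cc_service())
```

The shared store is keyed on the harmonized CC identifier rather than on the SP, which is why the second SP finds the signature already present; the version field is what lets the CC service expire every SP's acceptance at once when CLARIN changes the text, without any SP keeping its own copy.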

31 What do we aim for?
- blah-blah

32 AAI Planning (1)
- Training courses for AAI: support of SimpleSAMLphp, Shibboleth

33 AAI Planning (2)
- Centers should make their policies explicit:
  - Integration of SP with AAI
  - IdP support for their users
- Is there potential for a “fire brigade”?
  - Help with configuration & integration
  - MPG (RZG) does something there, who else?
- Contracts with national IdFs (WP7)
  - What role has eduGAIN?

34 What’s next?
- SLCS with SURFnet (preliminary research)
- Direct interaction with GEANT 3 (May 5/6)
- Talks with CSC about implementing a CC service
