Published by Alaina Morgan. Modified over 8 years ago.
1
Authentication & Authorization for Research & Collaboration
Pilots in SA1
Paul van Dijk, SURFnet
AARC
2
Connecting People and Devices
3
AARC Work Packages
5
The Netherlands: research apps SURFconext ecosystem
Drive, WeNMR Portal
Identity Providers ±300 Service Providers commercial / non-commercial
SURFconext AAI Hub, Trust Framework
University: Dirk Stap, dirkstap@vu.nl, Staff member, ID#: 2989289283921
SP stores attributes
6
SURFconext for WeNMR VRC
Knowledge Help Center Tutorials, Wiki Consultancy Services Portals Third-party aggregation Grid
SAML Identity Providers Service Providers SURFconext AAI Hub WeNMR VRC portal SAML
7
Status?
-Non-web SSO: ✗
-Attribute management for AuthZ: ✗
-“Guest” access: ✗ / ✔
-Int’l AuthN: ✗ / ✔
8
IdPs – extend coverage
National IdPs VU; eduGAIN IdPs TC; “Guest access” TC
-All SAML but differences in attribute management need policies and formats
-Lower barriers for non-academia
-Use of Gov e-ID, social IDs, linking accounts
-Support scalable LoA for guest accounts
-Deal with “library walk-in users”
-All SAML, national policies and formats
-Any issues? Perhaps promote opt-out approach
9
Authorizations: Attribute Management Framework
Attribute management... solutions are emerging but not really adopted by researchers yet
Pilot with:
-Attribute providers/management
-Attribute aggregators
-SPs able to do attribute-based authorisations (or enable SPs)
10
PoC EGI and SURFnet
Attr provider: verifies authenticity, adds attributes, provides workflows
Self Asserted: +31(6) 120202020, Skype: DirkStap, LinkedIn: DirkHStap
Collab Organisation: CO-admin, CO-researcher
University: Dirk Stap, dirkstap@uvk.nl, Staff member, ID#: 2989289283921
keystone
Aggregate attributes
Forward with ARP to SP
add. attr. at logon
add. attr. by query
UVK: Authenticate, Add attributes
11
SPs: Improve access to research infra
Webservices: SAML World
Can we apply a similar setup to e-infrastructures like EGI, PRACE, EUDAT, ESFRI clusters... so these providers can offer their resources in a more user-friendly, controlled and consolidated way?
Users can access different web-based services with the same set of credentials
E-infrastructures: non-web, X.509
12
Non-Web SSO
Moonshot (EAP, RADIUS, GSS-API, SASL)
SAML ECP
Workarounds – SAML enabled portal
-Provision application specific passwords
-OAuth
-X.509
Unity-idm.eu
Facius
Kerberos or other solutions (?)
13
Description of Work SA1
Driven by user requirements
Strong focus on integration of existing building blocks
Main focus on:
-Solutions for guest users (task 1 - GARR)
-Attribute management, aggregation and consumption (task 2 - EGI)
-Access to non-web and commercial (cloud) resources (task 3 - PSNC)
Together with user communities: evaluate whether the solutions proposed by JRA1 and NA3 are effective, and give feedback to JRA1 and NA3
14
paul.vandijk[at]surfnet.nl
@paulcwvandijk
paulcwvandijk
www.surfnet.nl
+31 6 13328090
Creative Commons “Attribution” license: http://creativecommons.org/licenses/by/3.0/