The EGI AAI CheckIn Service

Size: px
Start display at page:

Download "The EGI AAI CheckIn Service"

Transcription

1 The EGI AAI CheckIn Service Kostas Koumantaros- GRNET On behalf of EGI-Engage JRA1.1 EGI-Engage is co-funded by the Horizon 2020 Framework Programme of the European Union under grant number

2 EGI CheckIn Goals Attribute Authority IdP EGI CheckIn EGI Services Mandatory Attributes EGI UID First name, last name affiliation 2

3 EGI AAI CheckIn Service May 2015: Introduction of the EGI AAI Roadmap and Architecture 3

4 Why Proxy? All EGI SPs can have one statically configured IdP. No need to run an IdP Discovery Service on each EGI SP. Connected SPs get consistent/harmonised user identifiers and accompanying attribute sets from one or more AAs that can be interpreted in a uniform way for authz purposes. External IdPs only deal with a single EGI SP proxy. In a nutshell: EGI services will not have to deal with the complexity of multiple IdPs/Federations/Attribute Authorities/technologies. This complexity will be handled centrally by the proxy. 4

5 EGI CheckIn Service Today Production Available via edugain IdP Discovery User Enrolment User Consent Support for LoA Attribute Aggregation Support for OIDC/OAuth2 IdPs Ready for production Alpha SAML2.0 Attribute Query, REST, LDAP, SQL Google, Facebook, LinkedIn, ORCID Support for OIDC/OAuth2 SPs Experimental support for eidas 5

6 Levels of Assurance Proposal under discussion LoA: 0 This category groups the credentials with basically no LoA associated. Examples are social-identity credentials with no vetting and no uniqueness of the ID guaranteed. LoA: 1 This category groups the credentials that are usable in a federated environment, but may require additional attributes to be used in all applications. 6

7 Levels of Assurance Proposal under discussion LoA: 2 This category groups the credentials that have a level of assurance that is considered aligned with all the EGI policies and allows to access all EGI services. LoA: 3 This category groups credentials with an higher LoA for both the authentication and the attributes distributed in the assertion. 7

8 Use cases for the LoA in EGI Allow an IdP to advertise those LoAs for which it is able to meet the associated requirements. Allow an IdP to indicate the actual LoA in its responses. Allow a SP to express its expectations for the LoA at which a user should be authenticated. 8

9 EGI Unique Identifier requirements EGI User Identifier The EGI User ID should be: personal - used by a single person. persistent - used for an extended period of time across multiple sessions. non-reassignable - assigned exclusively to a specific person, and never reassigned to another individual. non-targeted - not intended for a specific relying party (or parties), i.e. should be shared. globally unique - unique beyond the namespace of the IdP and the namespace of the SP(s) with which the ID is shared. opaque - should (by itself) provide no information about the user, i.e. should be privacy-preserving. 9

10 EGI User Identifier implementation EGI Unique User Id Generation EGI User ID is created by the CheckIn service at the moment of the user s first connection The IdP/SP Proxy adds (or replaces) the edupersonuniqueid attribute, based on the first non-empty value from this attribute list: epuid, eppn, eptid The selected attribute value, combined with the entityid of the authn authority, is hashed and the egi.eu scope portion is added to the generated epuid, e.g.: ef ffe53c39b75bdcef46689f5d26ddfa cc4fb5ce97e9ca87@egi.eu 10

11 IdP/SP Proxy technical architecture and deployment High Availability & Load Balancing. SimpleSAMLphp caches user sessions in Memcached, an in-memory key-value store for small chunks of arbitrary data. COmanage maintains EGI user profile information in PostgreSQL DB cluster: Data are synced between master (read/write) and hot standby slave (read-only queries). Sessions are distributed and replicated among different Memcached servers, enabling load-balancing and failover. User requests are load balanced among multiple SimpleSAMLphp web front-ends that use the back-end matrix of Memcached servers. 11

12 IdP/SP Proxy: Integrated IdPs IdPs: EGI SSO ELIXIR research infrastructure AAI ORCID Virtual Home Organization (VHO) edugain Social networks: Google Facebook Linkedin 12

13 Integration with attribute authorities Connection with Perun - DONE Connection with GOCDB - DONE Connection with COmanage - DONE Connection with the new OpenConnext Attribute Aggregator: Pilot in collaboration with AARC project 13

14 Attribute aggregation The EGI CheckIn supports attribute aggregation through: SAML 2.0 AttributeQuery Attribute Aggregator (SimpleSAMLphp module) LDAP Attribute Aggregator (SimpleSAMLphp module) Allows SSP to issue LDAP queries for retrieving attributes REST Attribute Aggregator (SimpleSAMLphp module) Enables SSP to issue SAML 2.0 attribute queries to Attribute Authorities that support SAML 2.0 SOAP binding Allows SSP to retrieve attributes from a RESTful web service OpenConext attribute aggregation (Java application) Handles attribute aggregation and provides REST API for accessing attribute information 14

15 CoCo & R&S compliance CheckIn compliances Compliant with R&S Not compliant with CoCo but this will happen soon as the needed policies are put in place Identifiers edupersonuniqueid edupersonprincipalname edupersontargetedid Mail attribute mail Name attributes displayname givenname sn (surname) Authorization attribute edupersonscopedaffiliation 15

16 Token Translation: CILogon + RC Auth 16

17 User Enrollment EGI CheckIn supports different user enrollment flows depending on the attributes released by the user s Home Identity Provider: Self-service Sign Up: Allows joining the EGI User Community without approval by an administrator if all the information below is asserted by the Home Organisation: at least one of the following unique user identifiers: pseudonymous, non-reassignable identifier (edupersonuniqueid attribute); name-based identifier (edupersonprincipalname attribute); pseudonymous identifier (edupersontargetedid attribute or SAML persistent identifier) first name (givenname attribute) and surname (sn attribute) address (mail attribute) role (affiliation) at Home Organisation (edupersonscopedaffiliation attribute) 17

18 User Enrollment Sign Up: If any of the required information cannot be released by the Home Organisation: user needs to self-assert the values of the missing attributes request must then be approved by an EGI User Sponsor Identity linking: Allows access to EGI resources with a single personal EGI ID, using any of the linked login credentials organisational or social 18

19 OpenID Connect Support Service Providers can connect to the EGI AAI using OpenID Connect (OIDC) as an alternative to SAML2 EGI AAI OIDC Provider allows users to sign in using any of the supported backend authentication mechanisms, i.e institutional IdPs (edugain) or Social Providers Easy OIDC client registration through Client Management UI: Obtain OAuth 2.0 credentials Register one or more redirect URIs Register required scopes (e.g. openid, profile, ) 19

20 Thank you for your attention. Questions? This work by Parties of the EGI-Engage Consortium is licensed under a Creative Commons Attribution 4.0 International License.

21 AARC Blueprint Architecture 21

22 IdP/SP Proxy technical architecture High Availability & Load Balancing SimpleSAMLphp caches user sessions in Memcached, an in-memory key-value store for small chunks of arbitrary data COmanage maintains EGI user profile information in PostgreSQL DB cluster; Data are synced between master (read/write) and hot standby slave (read-only queries) Sessions are distributed and replicated among different Memcached servers, enabling load-balancing and fail-over User requests are load balanced among multiple SimpleSAMLphp web front-ends that use the back-end matrix of Memcached servers 22

23 User Enrollment EGI CheckIn supports different user enrollment flows depending on the attributes released by the user s Home Identity Provider: Self-service Sign Up: Allows joining the EGI User Community without approval by an administrator if all the information below is asserted by the Home Organisation: at least one of the following unique user identifiers: pseudonymous, non-reassignable (edupersonuniqueid attribute); identifier name-based identifier (edupersonprincipalname attribute); pseudonymous identifier (edupersontargetedid attribute or SAML persistent identifier) first name (givenname attribute) and surname (sn attribute) address (mail attribute) role (affiliation) at Home Organisation (edupersonscopedaffiliation attribute) 23

24 IdP/SP Proxy: SP integration flow Development instance EGI SP: Central/Core service IaaS fedcloud... Register SP IF OK Production instance EGI SP: Central/Core service IaaS fedcloud... Register SP 24

EGI AAI Platform Architecture and Roadmap

EGI AAI Platform Architecture and Roadmap EGI AAI Platform Architecture and Roadmap Christos Kanellopoulos - GRNET Nicolas Liampotis - GRNET On behalf of EGI-Engage JRA1.1 www.egi.eu EGI-Engage is co-funded by the Horizon 2020 Framework Programme

More information

EGI Check-in service. Secure and user-friendly federated authentication and authorisation

EGI Check-in service. Secure and user-friendly federated authentication and authorisation EGI Check-in service Secure and user-friendly federated authentication and authorisation EGI Check-in Secure and user-friendly federated authentication and authorisation Check-in provides a reliable and

More information

Best practices and recommendations for attribute translation from federated authentication to X.509 credentials

Best practices and recommendations for attribute translation from federated authentication to X.509 credentials Best practices and recommendations for attribute translation from federated authentication to X.509 credentials Published Date: 13-06-2017 Revision: 1.0 Work Package: Document Code: Document URL: JRA1

More information

AAI in EGI Current status

AAI in EGI Current status AAI in EGI Current status Peter Solagna EGI.eu Operations Manager www.egi.eu EGI-Engage is co-funded by the Horizon 2020 Framework Programme of the European Union under grant number 654142 User authentication

More information

AARC Blueprint Architecture

AARC Blueprint Architecture AARC Blueprint Architecture Published Date: 18-04-2017 Revision: 1.0 Work Package: Document Code: Document URL: JRA1 AARC-BPA-2017 https://aarc-project.eu/blueprint-architecture AARC Blueprint Architecture

More information

RCauth.eu / MasterPortal update

RCauth.eu / MasterPortal update RCauth.eu / MasterPortal update Mischa Sallé msalle@nikhef.nl 5 th AARC face-to-face meeting, Aθηνα 21 March 2017 Mischa Sallé (Nikhef) 1 / 11 Reminder of motivation Access to X.509 resources made easy

More information

Introduction of Identity & Access Management Federation. Motonori Nakamura, NII Japan

Introduction of Identity & Access Management Federation. Motonori Nakamura, NII Japan Introduction of Identity & Access Management Federation Motonori Nakamura, NII Japan } IP networking } The network enables a variety type of attractive applications } Communication E-mail Video conferencing

More information

AARC. Christos Kanellopoulos AARC Architecture WP Leader GRNET. Authentication and Authorisation for Research and Collaboration

AARC. Christos Kanellopoulos AARC Architecture WP Leader GRNET. Authentication and Authorisation for Research and Collaboration Authentication and Authorisation for Research and Collaboration AARC Christos Kanellopoulos AARC Architecture WP Leader GRNET Open Day Event: Towards the European Open Science Cloud January 20, 2016 AARC

More information

WP JRA1: Architectures for an integrated and interoperable AAI

WP JRA1: Architectures for an integrated and interoperable AAI Authentication and Authorisation for Research and Collaboration WP JRA1: Architectures for an integrated and interoperable AAI Christos Kanellopoulos Agenda Structure and administrative matters Objectives

More information

Guidelines on non-browser access

Guidelines on non-browser access Published Date: 13-06-2017 Revision: 1.0 Work Package: Document Code: Document URL: JRA1 AARC-JRA1.4F https://aarc-project.eu/wp-content/uploads/2017/03/aarc-jra1.4f.pdf 1 Table of Contents 1 Introduction

More information

Deliverable DSA1.4: Pilots to improve access to R&E-relevant resources

Deliverable DSA1.4: Pilots to improve access to R&E-relevant resources 07-05-2017 : Deliverable: DSA1.4 Contractual Date: 31-03-2017 Actual Date: 07-05-2017 Grant Agreement No.: 653965 Work Package: SA1 Task Item: Task 3 Lead Partner: PSNC Document Code: DSA1.4 Authors: M.

More information

Pilots to support guest users solutions

Pilots to support guest users solutions 08-12-2016 Deliverable DSA1.1 Contractual Date: 31-07-2016 Actual Date: 08-12-2016 Grant Agreement No.: 653965 Work Package: SA1 Task Item: SA1.1 Pilot on Guest Identities Partner: GARR Document Code:

More information

Best Practices: Authentication & Authorization Infrastructure. Massimo Benini HPCAC - April,

Best Practices: Authentication & Authorization Infrastructure. Massimo Benini HPCAC - April, Best Practices: Authentication & Authorization Infrastructure Massimo Benini HPCAC - April, 03 2019 Agenda - Common Vocabulary - Keycloak Overview - OAUTH2 and OIDC - Microservices Auth/Authz techniques

More information

INDIGO-Datacloud Identity and Access Management Service

INDIGO-Datacloud Identity and Access Management Service INDIGO-Datacloud Identity and Access Management Service RIA-653549 Presented by Andrea Ceccanti (INFN) andrea.ceccanti@cnaf.infn.it WLCG AuthZ WG Meeting Dec, 14th 2017 IAM overview INDIGO IAM The Identity

More information

eidas cross-sector interoperability

eidas cross-sector interoperability eidas cross-sector interoperability Christos Kanellopoulos GRNET edugain SG October 13 th, 2016 Background information 2013 - STORK-2 collaboration (GN3Plus) 2014-07 Adoption of the eidas Regulation 2014-09

More information

Deliverable DJRA1.1. Use-Cases for Interoperable Cross- Infrastructure AAI

Deliverable DJRA1.1. Use-Cases for Interoperable Cross- Infrastructure AAI 20-09-2018 Deliverable DJRA1.1 Contractual Date: 28-02-2018 Actual Date: 220-09-2018 Grant Agreement No.: 653965 Work Package: JRA1 Task Item: 1.1 Lead Partner: EGI Authors: Diego Scardaci (EGI Foundation),

More information

Attributes for Apps How mobile Apps can use SAML Authentication and Attributes

Attributes for Apps How mobile Apps can use SAML Authentication and Attributes Attributes for Apps How mobile Apps can use SAML Authentication and Attributes Lukas Hämmerle lukas.haemmerle@switch.ch TNC 2013, Maastricht Introduction App by University of St. Gallen Universities offer

More information

Higher Education external Attribute Authority. Mihály Héder István Tétényi (MTA SZTAKI) 19-May-2015

Higher Education external Attribute Authority. Mihály Héder István Tétényi (MTA SZTAKI) 19-May-2015 Higher Education external Attribute Authority Mihály Héder István Tétényi (MTA SZTAKI) 19-May-2015 Problems in Collaboration Problems in Collaboration Problems in Collaboration Why we need Attribute Authorities?

More information

Attribute Release Update

Attribute Release Update Attribute Release Update Upcoming changes for IdP administrators Lukas Hämmerle lukas.haemmerle@switch.ch Berne, 30. June 2016 IdP Attribute Release Changes 1. edugain SPs without

More information

Management der Virtuellen Organisation DARIAH im Rahmen von Shibboleth- basierten Föderationen. 58. DFN- Betriebstagung, Berlin, 12.3.

Management der Virtuellen Organisation DARIAH im Rahmen von Shibboleth- basierten Föderationen. 58. DFN- Betriebstagung, Berlin, 12.3. Management der Virtuellen Organisation DARIAH im Rahmen von Shibboleth- basierten Föderationen 58. DFN- Betriebstagung, Berlin, 12.3.2013 Peter Gietz, DAASI International GmbH DARIAH EU VCC 1 e-infrastructure

More information

REFEDS Assurance Framework ver 1.0 (DRAFT 2 May 2018)

REFEDS Assurance Framework ver 1.0 (DRAFT 2 May 2018) 1 2 3 4 5 6 7 8 9 10 11 12 13 14 15 16 17 18 19 20 21 22 23 24 25 26 27 28 29 30 31 32 33 34 REFEDS Assurance Framework ver 1.0 (DRAFT 2 May 2018) REFEDS Assurance working group Abstract The Relying Parties

More information

INDIGO AAI An overview and status update!

INDIGO AAI An overview and status update! RIA-653549 INDIGO DataCloud INDIGO AAI An overview and status update! Andrea Ceccanti (INFN) on behalf of the INDIGO AAI Task Force! indigo-aai-tf@lists.indigo-datacloud.org INDIGO Datacloud An H2020 project

More information

AARC Overview. Licia Florio, David Groep. 21 Jan presented by David Groep, Nikhef.

AARC Overview. Licia Florio, David Groep. 21 Jan presented by David Groep, Nikhef. AARC Overview Licia Florio, David Groep 21 Jan 2015 presented by David Groep, Nikhef AARC? Authentication and Authorisation for Research and Collaboration support the collaboration model across institutional

More information

EUDAT - Open Data Services for Research

EUDAT - Open Data Services for Research EUDAT - Open Data Services for Research Johannes Reetz EUDAT operations Max Planck Computing & Data Centre Science Operations Workshop 2015 ESO, Garching 24-27th November 2015 EUDAT receives funding from

More information

2. HDF AAI Meeting -- Demo Slides

2. HDF AAI Meeting -- Demo Slides 2. HDF AAI Meeting -- Demo Slides Steinbuch Centre for Computing Marcus Hardt KIT University of the State of Baden-Wuerttemberg and National Research Center of the Helmholtz Association www.kit.edu Introduction

More information

Authentication & Authorization systems developed for CTA

Authentication & Authorization systems developed for CTA Authentication & Authorization systems developed for CTA Mathieu Servillat Observatoire de Paris Paris Astronomical Data Centre IVOA Cape Town meeting 1 Context: the CTA Science Gateway @ David Sanchez,

More information

Major SAML 2.0 Changes. Nate Klingenstein Internet2 EuroCAMP 2007 Helsinki April 17, 2007

Major SAML 2.0 Changes. Nate Klingenstein Internet2 EuroCAMP 2007 Helsinki April 17, 2007 Major SAML 2.0 Changes Nate Klingenstein Internet2 EuroCAMP 2007 Helsinki April 17, 2007 Tokens, Protocols, Bindings, and Profiles Tokens are requests and assertions Protocols bindings are communication

More information

Enhancing cloud applications by using external authentication services. 2015, 2016 IBM Corporation

Enhancing cloud applications by using external authentication services. 2015, 2016 IBM Corporation Enhancing cloud applications by using external authentication services After you complete this section, you should understand: Terminology such as authentication, identity, and ID token The benefits of

More information

Prof. Christos Xenakis

Prof. Christos Xenakis From Real-world Identities to Privacy-preserving and Attribute-based CREDentials for Device-centric Access Control Device-Centric Authentication for Future Internet Prof. Christos Xenakis H2020 Clustering

More information

Identity Provider for SAP Single Sign-On and SAP Identity Management

Identity Provider for SAP Single Sign-On and SAP Identity Management Implementation Guide Document Version: 1.0 2017-05-15 PUBLIC Identity Provider for SAP Single Sign-On and SAP Identity Management Content 1....4 1.1 What is SAML 2.0.... 5 SSO with SAML 2.0.... 6 SLO with

More information

User Management. Juan J. Doval DEIMOS SPACE S.L.U. NextGEOSS, September 25 th 2017

User Management. Juan J. Doval DEIMOS SPACE S.L.U. NextGEOSS, September 25 th 2017 User Management Juan J. Doval DEIMOS SPACE S.L.U. NextGEOSS, September 25 th 2017 Agenda Introduction User Management Federation Objectives 1 Introduction NextGEOSS High-Level Architecture DataHub harvest

More information

SAML-Based SSO Solution

SAML-Based SSO Solution About SAML SSO Solution, page 1 Single Sign on Single Service Provider Agreement, page 2 SAML-Based SSO Features, page 2 Basic Elements of a SAML SSO Solution, page 3 Cisco Unified Communications Applications

More information

DARIAH Update. 9th FIM4R Workshop. Vienna, Novemer 30, Peter Gietz, DAASI International GmbH.

DARIAH Update. 9th FIM4R Workshop. Vienna, Novemer 30, Peter Gietz, DAASI International GmbH. DARIAH Update 9th FIM4R Workshop Vienna, Novemer 30, 2015 Peter Gietz, DAASI International GmbH www.dariah.eu What is DARIAH? DARIAH: Digital Research Infrastructure for the Arts and Humanities One of

More information

Account Checking on a SP

Account Checking on a SP Account Checking on a SP Based on SAML AttributeQuery Berne, 13 August 2014 SWITCHaai Team aai@switch.ch Why do account checking? Organization A Organization B User Accounts Identity Provider SP SWITCH

More information

ForgeRock Access Management Core Concepts AM-400 Course Description. Revision B

ForgeRock Access Management Core Concepts AM-400 Course Description. Revision B ForgeRock Access Management Core Concepts AM-400 Course Description Revision B ForgeRock Access Management Core Concepts AM-400 Description This structured course comprises a mix of instructor-led lessons

More information

Prof. Christos Xenakis

Prof. Christos Xenakis From Real-world Identities to Privacy-preserving and Attribute-based CREDentials for Device-centric Access Control Device-Centric Authentication for Future Internet Prof. Christos Xenakis SAINT Workshop

More information

Introducing Shibboleth. Sebastian Rieger

Introducing Shibboleth. Sebastian Rieger Introducing Shibboleth Sebastian Rieger sebastian.rieger@gwdg.de Gesellschaft für wissenschaftliche Datenverarbeitung mbh Göttingen, Germany CLARIN AAI Hands On Workshop, 25.02.2009, Oxford eresearch Center

More information

The challenges of (non-)openness:

The challenges of (non-)openness: The challenges of (non-)openness: Trust and Identity in Research and Education. DEI 2018, Zagreb, April 2018 Ann Harding, SWITCH/GEANT @hardingar Who am I? Why am I here? Medieval History, Computer Science

More information

Do I Really Need Another Account? External Identities for Campus Applications

Do I Really Need Another Account? External Identities for Campus Applications Do I Really Need Another Account? External Identities for Campus Applications Dedra Chamberlin, Cirrus Identity Eric Goodman, University of California Todd Haddaway, UMBC Tom Jordan, University of Wisconsin-Madison

More information

GÉANT Community Programme

GÉANT Community Programme GÉANT Community Programme Building the community Klaas Wierenga Chief Community Support Officer GÉANT Information day, Tirana, 5 th April 1 Membership Association = very large community to serve GÉANT

More information

Configuration Guide - Single-Sign On for OneDesk

Configuration Guide - Single-Sign On for OneDesk Configuration Guide - Single-Sign On for OneDesk Introduction Single Sign On (SSO) is a user authentication process that allows a user to access different services and applications across IT systems and

More information

In Section 4 we discuss the proposed architecture and analyse how it can match the identified 2

In Section 4 we discuss the proposed architecture and analyse how it can match the identified 2 AARC: First draft of the Blueprint Architecture for Authentication and Authorisation Infrastructures A. Biancini 12, L. Florio 1, M. Haase 2, M. Hardt 3, M. Jankowsi 13, J. Jensen 4, C. Kanellopoulos 5,

More information

Greek Research and Technology Network. Authentication & Authorization Infrastructure. Faidon Liambotis. grnet

Greek Research and Technology Network. Authentication & Authorization Infrastructure. Faidon Liambotis. grnet Greek Research and Technology Network Authentication & Authorization Infrastructure Faidon Liambotis faidon@.gr Networking Research and Education February 22 nd, 2011 1 Who am I? Servers & Services Engineer,

More information

Extending Services with Federated Identity Management

Extending Services with Federated Identity Management Extending Services with Federated Identity Management Wes Hubert Information Technology Analyst Overview General Concepts Higher Education Federations eduroam InCommon Federation Infrastructure Trust Agreements

More information

Tutorial: Building the Services Ecosystem

Tutorial: Building the Services Ecosystem Tutorial: Building the Services Ecosystem GlobusWorld 2018 Steve Tuecke tuecke@globus.org What is a services ecosystem? Anybody can build services with secure REST APIs App Globus Transfer Your Service

More information

globus online Globus Nexus Steve Tuecke Computation Institute University of Chicago and Argonne National Laboratory

globus online Globus Nexus Steve Tuecke Computation Institute University of Chicago and Argonne National Laboratory globus online Globus Nexus Steve Tuecke Computation Institute University of Chicago and Argonne National Laboratory Computation Institute (CI) Apply to challenging problems Accelerate by building the research

More information

EUDAT. Towards a pan-european Collaborative Data Infrastructure

EUDAT. Towards a pan-european Collaborative Data Infrastructure EUDAT Towards a pan-european Collaborative Data Infrastructure Giuseppe Fiameni (g.fiameni@cineca.it) Claudio Cacciari SuperComputing, Application and Innovation CINECA Johannes Reatz RZG, Germany Damien

More information

EGI federated e-infrastructure, a building block for the Open Science Commons

EGI federated e-infrastructure, a building block for the Open Science Commons EGI federated e-infrastructure, a building block for the Open Science Commons Yannick LEGRÉ Director, EGI.eu www.egi.eu EGI-Engage is co-funded by the Horizon 2020 Framework Programme of the European Union

More information

Shibboleth authentication for Sync & Share - Lessons learned

Shibboleth authentication for Sync & Share - Lessons learned Shibboleth authentication for Sync & Share - Lessons learned Enno Gröper Abteilung 4 - Systemsoftware und Kommunikation Computer- und Medienservice Humboldt-Universität zu Berlin 30 Jan 2018 Overview Introduction

More information

Warm Up to Identity Protocol Soup

Warm Up to Identity Protocol Soup Warm Up to Identity Protocol Soup David Waite Principal Technical Architect 1 Topics What is Digital Identity? What are the different technologies? How are they useful? Where is this space going? 2 Digital

More information

Allowing the user to define the attribute release 21 May 2014

Allowing the user to define the attribute release 21 May 2014 Allowing the user to define the attribute release policy @TNC2014 21 May 2014 Program Introduction to User Managed Access (UMA) Demo A GN3+ JRA3T2 work item User Managed Access Kantara project.. address

More information

WP3: Policy and Best Practice Harmonisation

WP3: Policy and Best Practice Harmonisation Authentication and Authorisation for Research and Collaboration WP3: Policy and Best Practice Harmonisation David Groep AARC2 2018 AL/TL meeting 12-13 September, 2018 Amsterdam 0.4 Policy and best practice

More information

SAML-Based SSO Solution

SAML-Based SSO Solution About SAML SSO Solution, page 1 SAML-Based SSO Features, page 2 Basic Elements of a SAML SSO Solution, page 2 SAML SSO Web Browsers, page 3 Cisco Unified Communications Applications that Support SAML SSO,

More information

EGI-InSPIRE. GridCertLib Shibboleth authentication for X.509 certificates and Grid proxies. Sergio Maffioletti

EGI-InSPIRE. GridCertLib Shibboleth authentication for X.509 certificates and Grid proxies. Sergio Maffioletti EGI-InSPIRE GridCertLib Shibboleth authentication for X.509 certificates and Grid proxies Sergio Maffioletti Grid Computing Competence Centre, University of Zurich http://www.gc3.uzh.ch/

More information

BEYOND AUTHENTICATION IDENTITY AND ACCESS MANAGEMENT FOR THE MODERN ENTERPRISE

BEYOND AUTHENTICATION IDENTITY AND ACCESS MANAGEMENT FOR THE MODERN ENTERPRISE BEYOND AUTHENTICATION IDENTITY AND ACCESS MANAGEMENT FOR THE MODERN ENTERPRISE OUR ORGANISATION AND SPECIALIST SKILLS Focused on delivery, integration and managed services around Identity and Access Management.

More information

DARIAH-AAI. DASISH AAI Meeting. Nijmegen, March 9th,

DARIAH-AAI. DASISH AAI Meeting. Nijmegen, March 9th, DARIAH-AAI DASISH AAI Meeting Nijmegen, March 9th, 2014 www.dariah.eu What is DARIAH? DARIAH: Digital Research Infrastructure for the Arts and Humanities One of the few ESFRI research infrastructures for

More information

FeduShare Update. AuthNZ the SAML way for VOs

FeduShare Update. AuthNZ the SAML way for VOs FeduShare Update AuthNZ the SAML way for VOs FeduShare Goals: Provide transparent sharing of campus resources in support of (multiinstitutional) collaboration Support both HTTP and non-web access using

More information

Sustainability in Federated Identity Services - Global and Local

Sustainability in Federated Identity Services - Global and Local Sustainability in Federated Identity Services - Global and Local What works and what doesn t with eduroam and edugain Ann Harding @hardingar Activity Lead, Trust & Identity Development, GÉANT Person who

More information

Canadian Access Federation: Trust Assertion Document (TAD)

Canadian Access Federation: Trust Assertion Document (TAD) Participant Name: Royal Society of Chemistry Canadian Access Federation: Trust Assertion Document (TAD) 1. Purpose A fundamental requirement of Participants in the Canadian Access Federation is that they

More information

Trusting External Identity Providers for Global

Trusting External Identity Providers for Global Trusting External Identity Providers for Global MIND THE GAP Research Collaborations Jim Basney jbasney@ncsa.illinois.edu IGTF at CERN (Sep 19 2016) slideshare.net/jbasney National Center for Supercomputing

More information

Canadian Access Federation: Trust Assertion Document (TAD)

Canadian Access Federation: Trust Assertion Document (TAD) Participant Name: Portage Network 1. Purpose A fundamental requirement of Participants in the Canadian Access Federation is that they assert authoritative and accurate identity attributes to resources

More information

Policy and Best Practice Harmonisation ( NA3 ) from the present to the future

Policy and Best Practice Harmonisation ( NA3 ) from the present to the future Authentication and Authorisation for Research and Collaboration Policy and Best Practice Harmonisation ( NA3 ) from the present to the future David Groep NA3 activity coordinator Nikhef AARC2 Kick-Off

More information

dcache integration into HDF

dcache integration into HDF dcache integration into HDF Storage service at DESY for Helmholtz Data Federation (HDF) Paul Millar Karlsruhe, 2018-08-30 This project has received funding from the European Union s Horizon 2020 research

More information

Integrating VMware Workspace ONE with Okta. VMware Workspace ONE

Integrating VMware Workspace ONE with Okta. VMware Workspace ONE Integrating VMware Workspace ONE with Okta VMware Workspace ONE You can find the most up-to-date technical documentation on the VMware website at: https://docs.vmware.com/ If you have comments about this

More information

Facilitating the Attribute Economy. David W Chadwick George Inman, Kristy Siu 2011 University of Kent

Facilitating the Attribute Economy. David W Chadwick George Inman, Kristy Siu 2011 University of Kent Facilitating the Attribute Economy David W Chadwick George Inman, Kristy Siu University of Kent 2011 University of Kent Internet 2 Fall 2011 Member Meeting 1 (Some) Attribute AuthzRequirements Attributes

More information

IBM Security Access Manager Version 9.0 October Product overview IBM

IBM Security Access Manager Version 9.0 October Product overview IBM IBM Security Access Manager Version 9.0 October 2015 Product overview IBM IBM Security Access Manager Version 9.0 October 2015 Product overview IBM ii IBM Security Access Manager Version 9.0 October 2015:

More information

Attribute Aggregation in Federated Identity Management. David Chadwick, George Inman, Stijn Lievens University of Kent

Attribute Aggregation in Federated Identity Management. David Chadwick, George Inman, Stijn Lievens University of Kent Attribute Aggregation in Federated Identity Management David Chadwick, George Inman, Stijn Lievens University of Kent Acknowledgements Project originally funded by UK JISC, called Shintau http://sec.cs.kent.ac.uk/shintau/

More information

Canadian Access Federation: Trust Assertion Document (TAD)

Canadian Access Federation: Trust Assertion Document (TAD) Participant Name: Lynda.com Canadian Access Federation: Trust Assertion Document (TAD) 1. Purpose A fundamental requirement of Participants in the Canadian Access Federation is that they assert authoritative

More information

Building the Modern Research Data Portal. Developer Tutorial

Building the Modern Research Data Portal. Developer Tutorial Building the Modern Research Data Portal Developer Tutorial Thank you to our sponsors! U. S. DEPARTMENT OF ENERGY 2 Presentation material available at www.globusworld.org/workshop2016 bit.ly/globus-2016

More information

Canadian Access Federation: Trust Assertion Document (TAD)

Canadian Access Federation: Trust Assertion Document (TAD) Participant Name:_Gale_Cengage Learning Canadian Access Federation: Trust Assertion Document (TAD) 1. Purpose A fundamental requirement of Participants in the Canadian Access Federation is that they assert

More information

ISA 767, Secure Electronic Commerce Xinwen Zhang, George Mason University

ISA 767, Secure Electronic Commerce Xinwen Zhang, George Mason University Identity Management and Federated ID (Liberty Alliance) ISA 767, Secure Electronic Commerce Xinwen Zhang, xzhang6@gmu.edu George Mason University Identity Identity is the fundamental concept of uniquely

More information

Shibboleth User Verification Customer Implementation Guide Version 4.3

Shibboleth User Verification Customer Implementation Guide Version 4.3 Shibboleth User Verification Customer Implementation Guide 2017-12-12 Version 4.3 TABLE OF CONTENTS Introduction... 1 Purpose and Target Audience... 1 Commonly Used Terms... 1 Overview of Shibboleth User

More information

Evolving the trust fabric with AARC and EGI

Evolving the trust fabric with AARC and EGI Authentication and Authorisation for Research and Collaboration Evolving the trust fabric with AARC and EGI The AARC CILogon pilot and redistributed responsibility David Groep AARC NA3 Activity Lead Nikhef,

More information

IBM Security Access Manager Version January Federation Administration topics IBM

IBM Security Access Manager Version January Federation Administration topics IBM IBM Security Access Manager Version 9.0.2.1 January 2017 Federation Administration topics IBM IBM Security Access Manager Version 9.0.2.1 January 2017 Federation Administration topics IBM ii IBM Security

More information

Goal. TeraGrid. Challenges. Federated Login to TeraGrid

Goal. TeraGrid. Challenges. Federated Login to TeraGrid Goal Federated Login to Jim Basney Terry Fleury Von Welch Enable researchers to use the authentication method of their home organization for access to Researchers don t need to use -specific credentials

More information

Federated access to e-infrastructures worldwide

Federated access to e-infrastructures worldwide Federated access to e-infrastructures worldwide Marco Fargetta, INFN Catania - Italy (marco.fargetta@ct.infn.it) DCIs developed in the last decade 2 Evolution Research organisations are moving to cloud

More information

EUDAT & AAI. Daan Broeder MPI for Psycholinguistics

EUDAT & AAI. Daan Broeder MPI for Psycholinguistics EUDAT & AAI Daan Broeder MPI for Psycholinguistics Initially six research communities on Board EPOS: European Plate Observatory System CLARIN: Common Language Resources and Technology Infrastructure ENES:

More information

Authorization Survey Results & Use Cases Presentation to Concordia Working Group

Authorization Survey Results & Use Cases Presentation to Concordia Working Group Authorization Survey Results & Use Cases Presentation to Concordia Working Group Identity and Authorization Services Working Group (IAS-WG) John Tolbert (Boeing) Gavin Illingworth (BMO Financial Group)

More information

RSA SecurID Ready Implementation Guide. Last Modified: December 13, 2013

RSA SecurID Ready Implementation Guide. Last Modified: December 13, 2013 Ping Identity RSA SecurID Ready Implementation Guide Partner Information Last Modified: December 13, 2013 Product Information Partner Name Ping Identity Web Site www.pingidentity.com Product Name PingFederate

More information

GDPR, PSD2, CIAM, and the Role of User-Managed Access 2.0

GDPR, PSD2, CIAM, and the Role of User-Managed Access 2.0 GDPR, PSD2, CIAM, and the Role of User-Managed Access 2.0 Eve Maler VP Innovation & Emerging Technology, ForgeRock @xmlgrrl eve.maler@forgerock.com Chair and founder, Kantara UMA Work Group @UMAWG tinyurl.com/umawg

More information

Delegated authentication Electronic identity: delegated and federated authentication, policy-based access control

Delegated authentication Electronic identity: delegated and federated authentication, policy-based access control Delegated authentication Electronic identity: delegated and federated authentication, policy-based access control Antonio Lioy < lioy @ polito.it > several RPs (Replying Party) may decide to delegate authentication

More information

This talk aims to introduce the Shibboleth web authentication/authorization framework and its intended deployment in the UK academic community and

This talk aims to introduce the Shibboleth web authentication/authorization framework and its intended deployment in the UK academic community and This talk aims to introduce the Shibboleth web authentication/authorization framework and its intended deployment in the UK academic community and the University. Shibboleth named after an event in the

More information

A VOSpace deployment: interoperability and integration in big infrastructure

A VOSpace deployment: interoperability and integration in big infrastructure ASTERICS DADI ESFRI Forum A VOSpace deployment: interoperability and integration in big infrastructure S. Bertocco Trieste 13-14 December 2017 Scope Provide our users with a local data storage and computation

More information

Check to enable generation of refresh tokens when refreshing access tokens

Check to enable generation of refresh tokens when refreshing access tokens VERSION User: amadmin Server: sp.example.com LOG OUT OAuth2 Provider Save Reset Back to Services Realm Attributes Indicates required field Authorization Code Lifetime Refresh (seconds) If this field is

More information

Building the Modern Research Data Portal using the Globus Platform. Rachana Ananthakrishnan GlobusWorld 2017

Building the Modern Research Data Portal using the Globus Platform. Rachana Ananthakrishnan GlobusWorld 2017 Building the Modern Research Data Portal using the Globus Platform Rachana Ananthakrishnan rachana@globus.org GlobusWorld 2017 Platform Questions How do you leverage Globus services in your own applications?

More information

Next-Generation Identity Federations. Andreas Åkre Solberg

Next-Generation Identity Federations. Andreas Åkre Solberg Next-Generation Identity Federations Andreas Åkre Solberg Identity Federations GÉANT3 JRA3 Task 2 Solving current challenges, and exploring next generation Identity Management Systems. 3 Research Activity

More information

openid connect all the things

openid connect all the things openid connect all the things @pquerna CTO, ScaleFT CoreOS Fest 2017-2017-07-01 Problem - More Client Devices per-human - Many Cloud Accounts - More Apps: yay k8s - More Distributed Teams - VPNs aren

More information

SA1 CILogon pilot - motivation and setup

SA1 CILogon pilot - motivation and setup SA1 CILogon pilot - motivation and setup Tamas Balogh & Mischa Sallé tamasb@nikhef.nl msalle@nikhef.nl AARC General Meeting, Milan 4 November 2015 Tamas Balogh & Mischa Sallé (Nikhef) 1 / 11 Outline 1

More information

Géant-TrustBroker Dynamic inter-federation identity management

Géant-TrustBroker Dynamic inter-federation identity management Géant-TrustBroker Dynamic inter-federation identity management Daniela Pöhn TNC2014 Dublin, Ireland May 19 th, 2014 Agenda Introduction Motivation GNTB Overview GNTB in Details Workflow Initiation of GNTB

More information

Inside Symantec O 3. Sergi Isasi. Senior Manager, Product Management. SR B30 - Inside Symantec O3 1

Inside Symantec O 3. Sergi Isasi. Senior Manager, Product Management. SR B30 - Inside Symantec O3 1 Inside Symantec O 3 Sergi Isasi Senior Manager, Product Management SR B30 - Inside Symantec O3 1 Agenda 2 Cloud: Opportunity And Challenge Cloud Private Cloud We should embrace the Cloud to respond to

More information

Canadian Access Federation: Trust Assertion Document (TAD)

Canadian Access Federation: Trust Assertion Document (TAD) Participant Name: University of Guelph Canadian Access Federation: Trust Assertion Document (TAD) 1. Purpose A fundamental requirement of Participants in the Canadian Access Federation is that they assert

More information

GrIDP: Grid IDentity Pool Federation

GrIDP: Grid IDentity Pool Federation GrIDP: Grid IDentity Pool Federation WebSSO Identity Providers Appendix Authors Marco Fargetta, Roberto Barbera Last Modified 12 August 2016 Version 2.6 Based on COFRE WebSSO Identity Providers Organizations

More information

Canadian Access Federation: Trust Assertion Document (TAD)

Canadian Access Federation: Trust Assertion Document (TAD) Participant Name:_Unversity of Regina Canadian Access Federation: Trust Assertion Document (TAD) 1. Purpose A fundamental requirement of Participants in the Canadian Access Federation is that they assert

More information

CA SiteMinder Federation

CA SiteMinder Federation CA SiteMinder Federation Partnership Federation Guide 12.52 This Documentation, which includes embedded help systems and electronically distributed materials, (hereinafter referred to as the Documentation

More information

User Management. Juan J. Doval DEIMOS SPACE S.L.U. NextGEOSS, April 2018

User Management. Juan J. Doval DEIMOS SPACE S.L.U. NextGEOSS, April 2018 User Management Juan J. Doval DEIMOS SPACE S.L.U. NextGEOSS, April 2018 Agenda Introduction User Management Roadmap Related Activities 1 Introduction NextGEOSS High-Level Architecture DataHub harvest and

More information

Digital Identity Guidelines aka NIST SP March 1, 2017 Ken Klingenstein, Internet2

Digital Identity Guidelines aka NIST SP March 1, 2017 Ken Klingenstein, Internet2 Digital Identity Guidelines aka NIST SP 800-63 March 1, 2017 Ken Klingenstein, Internet2 Topics 800-63 History and Current Revision process Caveats and Comments LOA Evolution Sections: 800-63A (Enrollment

More information

Connect. Communicate. Collaborate. GN2 JRA5 update. Jürgen Rauschenbach (DFN), JRA5 team 04/02/08 Marseille. JRA5 Team

Connect. Communicate. Collaborate. GN2 JRA5 update. Jürgen Rauschenbach (DFN), JRA5 team 04/02/08 Marseille. JRA5 Team GN2 JRA5 update Jürgen Rauschenbach (DFN), JRA5 team 04/02/08 Marseille eduroam Working on the eduroam database and a new dissemination look (maps) RadSec release 1.0 Beta is out - reasonable stable and

More information

Coupled Computing and Data Analytics to support Science EGI Viewpoint Yannick Legré, EGI.eu Director

Coupled Computing and Data Analytics to support Science EGI Viewpoint Yannick Legré, EGI.eu Director Coupled Computing and Data Analytics to support Science EGI Viewpoint Yannick Legré, EGI.eu Director yannick.legre@egi.eu Credit slides: T. Ferrari www.egi.eu This work by EGI.eu is licensed under a Creative

More information

Identity management. Tuomas Aura CSE-C3400 Information security. Aalto University, autumn 2014

Identity management. Tuomas Aura CSE-C3400 Information security. Aalto University, autumn 2014 Identity management Tuomas Aura CSE-C3400 Information security Aalto University, autumn 2014 Outline 1. Single sign-on 2. SAML and Shibboleth 3. OpenId 4. OAuth 5. (Corporate IAM) 6. Strong identity 2

More information

Deliverable D9.3 Best Practice for User-Centric Federated Identity

Deliverable D9.3 Best Practice for User-Centric Federated Identity 12-03-2018 Best Practice for User-Centric Federated Identity Contractual Date: 31-10-2017 Actual Date: 12-03-2018 Grant Agreement No.: 731122 Work Package/Activity: 9/JRA3 Task Item: Task 3 Nature of Deliverable:

More information