The EGI AAI CheckIn Service
|
|
- Alvin Richards
- 6 years ago
- Views:
Transcription
1 The EGI AAI CheckIn Service Kostas Koumantaros- GRNET On behalf of EGI-Engage JRA1.1 EGI-Engage is co-funded by the Horizon 2020 Framework Programme of the European Union under grant number
2 EGI CheckIn Goals Attribute Authority IdP EGI CheckIn EGI Services Mandatory Attributes EGI UID First name, last name affiliation 2
3 EGI AAI CheckIn Service May 2015: Introduction of the EGI AAI Roadmap and Architecture 3
4 Why Proxy? All EGI SPs can have one statically configured IdP. No need to run an IdP Discovery Service on each EGI SP. Connected SPs get consistent/harmonised user identifiers and accompanying attribute sets from one or more AAs that can be interpreted in a uniform way for authz purposes. External IdPs only deal with a single EGI SP proxy. In a nutshell: EGI services will not have to deal with the complexity of multiple IdPs/Federations/Attribute Authorities/technologies. This complexity will be handled centrally by the proxy. 4
5 EGI CheckIn Service Today Production Available via edugain IdP Discovery User Enrolment User Consent Support for LoA Attribute Aggregation Support for OIDC/OAuth2 IdPs Ready for production Alpha SAML2.0 Attribute Query, REST, LDAP, SQL Google, Facebook, LinkedIn, ORCID Support for OIDC/OAuth2 SPs Experimental support for eidas 5
6 Levels of Assurance Proposal under discussion LoA: 0 This category groups the credentials with basically no LoA associated. Examples are social-identity credentials with no vetting and no uniqueness of the ID guaranteed. LoA: 1 This category groups the credentials that are usable in a federated environment, but may require additional attributes to be used in all applications. 6
7 Levels of Assurance Proposal under discussion LoA: 2 This category groups the credentials that have a level of assurance that is considered aligned with all the EGI policies and allows to access all EGI services. LoA: 3 This category groups credentials with an higher LoA for both the authentication and the attributes distributed in the assertion. 7
8 Use cases for the LoA in EGI Allow an IdP to advertise those LoAs for which it is able to meet the associated requirements. Allow an IdP to indicate the actual LoA in its responses. Allow a SP to express its expectations for the LoA at which a user should be authenticated. 8
9 EGI Unique Identifier requirements EGI User Identifier The EGI User ID should be: personal - used by a single person. persistent - used for an extended period of time across multiple sessions. non-reassignable - assigned exclusively to a specific person, and never reassigned to another individual. non-targeted - not intended for a specific relying party (or parties), i.e. should be shared. globally unique - unique beyond the namespace of the IdP and the namespace of the SP(s) with which the ID is shared. opaque - should (by itself) provide no information about the user, i.e. should be privacy-preserving. 9
10 EGI User Identifier implementation EGI Unique User Id Generation EGI User ID is created by the CheckIn service at the moment of the user s first connection The IdP/SP Proxy adds (or replaces) the edupersonuniqueid attribute, based on the first non-empty value from this attribute list: epuid, eppn, eptid The selected attribute value, combined with the entityid of the authn authority, is hashed and the egi.eu scope portion is added to the generated epuid, e.g.: ef ffe53c39b75bdcef46689f5d26ddfa cc4fb5ce97e9ca87@egi.eu 10
11 IdP/SP Proxy technical architecture and deployment High Availability & Load Balancing. SimpleSAMLphp caches user sessions in Memcached, an in-memory key-value store for small chunks of arbitrary data. COmanage maintains EGI user profile information in PostgreSQL DB cluster: Data are synced between master (read/write) and hot standby slave (read-only queries). Sessions are distributed and replicated among different Memcached servers, enabling load-balancing and failover. User requests are load balanced among multiple SimpleSAMLphp web front-ends that use the back-end matrix of Memcached servers. 11
12 IdP/SP Proxy: Integrated IdPs IdPs: EGI SSO ELIXIR research infrastructure AAI ORCID Virtual Home Organization (VHO) edugain Social networks: Google Facebook Linkedin 12
13 Integration with attribute authorities Connection with Perun - DONE Connection with GOCDB - DONE Connection with COmanage - DONE Connection with the new OpenConnext Attribute Aggregator: Pilot in collaboration with AARC project 13
14 Attribute aggregation The EGI CheckIn supports attribute aggregation through: SAML 2.0 AttributeQuery Attribute Aggregator (SimpleSAMLphp module) LDAP Attribute Aggregator (SimpleSAMLphp module) Allows SSP to issue LDAP queries for retrieving attributes REST Attribute Aggregator (SimpleSAMLphp module) Enables SSP to issue SAML 2.0 attribute queries to Attribute Authorities that support SAML 2.0 SOAP binding Allows SSP to retrieve attributes from a RESTful web service OpenConext attribute aggregation (Java application) Handles attribute aggregation and provides REST API for accessing attribute information 14
15 CoCo & R&S compliance CheckIn compliances Compliant with R&S Not compliant with CoCo but this will happen soon as the needed policies are put in place Identifiers edupersonuniqueid edupersonprincipalname edupersontargetedid Mail attribute mail Name attributes displayname givenname sn (surname) Authorization attribute edupersonscopedaffiliation 15
16 Token Translation: CILogon + RC Auth 16
17 User Enrollment EGI CheckIn supports different user enrollment flows depending on the attributes released by the user s Home Identity Provider: Self-service Sign Up: Allows joining the EGI User Community without approval by an administrator if all the information below is asserted by the Home Organisation: at least one of the following unique user identifiers: pseudonymous, non-reassignable identifier (edupersonuniqueid attribute); name-based identifier (edupersonprincipalname attribute); pseudonymous identifier (edupersontargetedid attribute or SAML persistent identifier) first name (givenname attribute) and surname (sn attribute) address (mail attribute) role (affiliation) at Home Organisation (edupersonscopedaffiliation attribute) 17
18 User Enrollment Sign Up: If any of the required information cannot be released by the Home Organisation: user needs to self-assert the values of the missing attributes request must then be approved by an EGI User Sponsor Identity linking: Allows access to EGI resources with a single personal EGI ID, using any of the linked login credentials organisational or social 18
19 OpenID Connect Support Service Providers can connect to the EGI AAI using OpenID Connect (OIDC) as an alternative to SAML2 EGI AAI OIDC Provider allows users to sign in using any of the supported backend authentication mechanisms, i.e institutional IdPs (edugain) or Social Providers Easy OIDC client registration through Client Management UI: Obtain OAuth 2.0 credentials Register one or more redirect URIs Register required scopes (e.g. openid, profile, ) 19
20 Thank you for your attention. Questions? This work by Parties of the EGI-Engage Consortium is licensed under a Creative Commons Attribution 4.0 International License.
21 AARC Blueprint Architecture 21
22 IdP/SP Proxy technical architecture High Availability & Load Balancing SimpleSAMLphp caches user sessions in Memcached, an in-memory key-value store for small chunks of arbitrary data COmanage maintains EGI user profile information in PostgreSQL DB cluster; Data are synced between master (read/write) and hot standby slave (read-only queries) Sessions are distributed and replicated among different Memcached servers, enabling load-balancing and fail-over User requests are load balanced among multiple SimpleSAMLphp web front-ends that use the back-end matrix of Memcached servers 22
23 User Enrollment EGI CheckIn supports different user enrollment flows depending on the attributes released by the user s Home Identity Provider: Self-service Sign Up: Allows joining the EGI User Community without approval by an administrator if all the information below is asserted by the Home Organisation: at least one of the following unique user identifiers: pseudonymous, non-reassignable (edupersonuniqueid attribute); identifier name-based identifier (edupersonprincipalname attribute); pseudonymous identifier (edupersontargetedid attribute or SAML persistent identifier) first name (givenname attribute) and surname (sn attribute) address (mail attribute) role (affiliation) at Home Organisation (edupersonscopedaffiliation attribute) 23
24 IdP/SP Proxy: SP integration flow Development instance EGI SP: Central/Core service IaaS fedcloud... Register SP IF OK Production instance EGI SP: Central/Core service IaaS fedcloud... Register SP 24
EGI AAI Platform Architecture and Roadmap
EGI AAI Platform Architecture and Roadmap Christos Kanellopoulos - GRNET Nicolas Liampotis - GRNET On behalf of EGI-Engage JRA1.1 www.egi.eu EGI-Engage is co-funded by the Horizon 2020 Framework Programme
More informationEGI Check-in service. Secure and user-friendly federated authentication and authorisation
EGI Check-in service Secure and user-friendly federated authentication and authorisation EGI Check-in Secure and user-friendly federated authentication and authorisation Check-in provides a reliable and
More informationBest practices and recommendations for attribute translation from federated authentication to X.509 credentials
Best practices and recommendations for attribute translation from federated authentication to X.509 credentials Published Date: 13-06-2017 Revision: 1.0 Work Package: Document Code: Document URL: JRA1
More informationAAI in EGI Current status
AAI in EGI Current status Peter Solagna EGI.eu Operations Manager www.egi.eu EGI-Engage is co-funded by the Horizon 2020 Framework Programme of the European Union under grant number 654142 User authentication
More informationAARC Blueprint Architecture
AARC Blueprint Architecture Published Date: 18-04-2017 Revision: 1.0 Work Package: Document Code: Document URL: JRA1 AARC-BPA-2017 https://aarc-project.eu/blueprint-architecture AARC Blueprint Architecture
More informationRCauth.eu / MasterPortal update
RCauth.eu / MasterPortal update Mischa Sallé msalle@nikhef.nl 5 th AARC face-to-face meeting, Aθηνα 21 March 2017 Mischa Sallé (Nikhef) 1 / 11 Reminder of motivation Access to X.509 resources made easy
More informationIntroduction of Identity & Access Management Federation. Motonori Nakamura, NII Japan
Introduction of Identity & Access Management Federation Motonori Nakamura, NII Japan } IP networking } The network enables a variety type of attractive applications } Communication E-mail Video conferencing
More informationAARC. Christos Kanellopoulos AARC Architecture WP Leader GRNET. Authentication and Authorisation for Research and Collaboration
Authentication and Authorisation for Research and Collaboration AARC Christos Kanellopoulos AARC Architecture WP Leader GRNET Open Day Event: Towards the European Open Science Cloud January 20, 2016 AARC
More informationWP JRA1: Architectures for an integrated and interoperable AAI
Authentication and Authorisation for Research and Collaboration WP JRA1: Architectures for an integrated and interoperable AAI Christos Kanellopoulos Agenda Structure and administrative matters Objectives
More informationGuidelines on non-browser access
Published Date: 13-06-2017 Revision: 1.0 Work Package: Document Code: Document URL: JRA1 AARC-JRA1.4F https://aarc-project.eu/wp-content/uploads/2017/03/aarc-jra1.4f.pdf 1 Table of Contents 1 Introduction
More informationDeliverable DSA1.4: Pilots to improve access to R&E-relevant resources
07-05-2017 : Deliverable: DSA1.4 Contractual Date: 31-03-2017 Actual Date: 07-05-2017 Grant Agreement No.: 653965 Work Package: SA1 Task Item: Task 3 Lead Partner: PSNC Document Code: DSA1.4 Authors: M.
More informationPilots to support guest users solutions
08-12-2016 Deliverable DSA1.1 Contractual Date: 31-07-2016 Actual Date: 08-12-2016 Grant Agreement No.: 653965 Work Package: SA1 Task Item: SA1.1 Pilot on Guest Identities Partner: GARR Document Code:
More informationBest Practices: Authentication & Authorization Infrastructure. Massimo Benini HPCAC - April,
Best Practices: Authentication & Authorization Infrastructure Massimo Benini HPCAC - April, 03 2019 Agenda - Common Vocabulary - Keycloak Overview - OAUTH2 and OIDC - Microservices Auth/Authz techniques
More informationINDIGO-Datacloud Identity and Access Management Service
INDIGO-Datacloud Identity and Access Management Service RIA-653549 Presented by Andrea Ceccanti (INFN) andrea.ceccanti@cnaf.infn.it WLCG AuthZ WG Meeting Dec, 14th 2017 IAM overview INDIGO IAM The Identity
More informationeidas cross-sector interoperability
eidas cross-sector interoperability Christos Kanellopoulos GRNET edugain SG October 13 th, 2016 Background information 2013 - STORK-2 collaboration (GN3Plus) 2014-07 Adoption of the eidas Regulation 2014-09
More informationDeliverable DJRA1.1. Use-Cases for Interoperable Cross- Infrastructure AAI
20-09-2018 Deliverable DJRA1.1 Contractual Date: 28-02-2018 Actual Date: 220-09-2018 Grant Agreement No.: 653965 Work Package: JRA1 Task Item: 1.1 Lead Partner: EGI Authors: Diego Scardaci (EGI Foundation),
More informationAttributes for Apps How mobile Apps can use SAML Authentication and Attributes
Attributes for Apps How mobile Apps can use SAML Authentication and Attributes Lukas Hämmerle lukas.haemmerle@switch.ch TNC 2013, Maastricht Introduction App by University of St. Gallen Universities offer
More informationHigher Education external Attribute Authority. Mihály Héder István Tétényi (MTA SZTAKI) 19-May-2015
Higher Education external Attribute Authority Mihály Héder István Tétényi (MTA SZTAKI) 19-May-2015 Problems in Collaboration Problems in Collaboration Problems in Collaboration Why we need Attribute Authorities?
More informationAttribute Release Update
Attribute Release Update Upcoming changes for IdP administrators Lukas Hämmerle lukas.haemmerle@switch.ch Berne, 30. June 2016 IdP Attribute Release Changes 1. edugain SPs without
More informationManagement der Virtuellen Organisation DARIAH im Rahmen von Shibboleth- basierten Föderationen. 58. DFN- Betriebstagung, Berlin, 12.3.
Management der Virtuellen Organisation DARIAH im Rahmen von Shibboleth- basierten Föderationen 58. DFN- Betriebstagung, Berlin, 12.3.2013 Peter Gietz, DAASI International GmbH DARIAH EU VCC 1 e-infrastructure
More informationREFEDS Assurance Framework ver 1.0 (DRAFT 2 May 2018)
1 2 3 4 5 6 7 8 9 10 11 12 13 14 15 16 17 18 19 20 21 22 23 24 25 26 27 28 29 30 31 32 33 34 REFEDS Assurance Framework ver 1.0 (DRAFT 2 May 2018) REFEDS Assurance working group Abstract The Relying Parties
More informationINDIGO AAI An overview and status update!
RIA-653549 INDIGO DataCloud INDIGO AAI An overview and status update! Andrea Ceccanti (INFN) on behalf of the INDIGO AAI Task Force! indigo-aai-tf@lists.indigo-datacloud.org INDIGO Datacloud An H2020 project
More informationAARC Overview. Licia Florio, David Groep. 21 Jan presented by David Groep, Nikhef.
AARC Overview Licia Florio, David Groep 21 Jan 2015 presented by David Groep, Nikhef AARC? Authentication and Authorisation for Research and Collaboration support the collaboration model across institutional
More informationEUDAT - Open Data Services for Research
EUDAT - Open Data Services for Research Johannes Reetz EUDAT operations Max Planck Computing & Data Centre Science Operations Workshop 2015 ESO, Garching 24-27th November 2015 EUDAT receives funding from
More information2. HDF AAI Meeting -- Demo Slides
2. HDF AAI Meeting -- Demo Slides Steinbuch Centre for Computing Marcus Hardt KIT University of the State of Baden-Wuerttemberg and National Research Center of the Helmholtz Association www.kit.edu Introduction
More informationAuthentication & Authorization systems developed for CTA
Authentication & Authorization systems developed for CTA Mathieu Servillat Observatoire de Paris Paris Astronomical Data Centre IVOA Cape Town meeting 1 Context: the CTA Science Gateway @ David Sanchez,
More informationMajor SAML 2.0 Changes. Nate Klingenstein Internet2 EuroCAMP 2007 Helsinki April 17, 2007
Major SAML 2.0 Changes Nate Klingenstein Internet2 EuroCAMP 2007 Helsinki April 17, 2007 Tokens, Protocols, Bindings, and Profiles Tokens are requests and assertions Protocols bindings are communication
More informationEnhancing cloud applications by using external authentication services. 2015, 2016 IBM Corporation
Enhancing cloud applications by using external authentication services After you complete this section, you should understand: Terminology such as authentication, identity, and ID token The benefits of
More informationProf. Christos Xenakis
From Real-world Identities to Privacy-preserving and Attribute-based CREDentials for Device-centric Access Control Device-Centric Authentication for Future Internet Prof. Christos Xenakis H2020 Clustering
More informationIdentity Provider for SAP Single Sign-On and SAP Identity Management
Implementation Guide Document Version: 1.0 2017-05-15 PUBLIC Identity Provider for SAP Single Sign-On and SAP Identity Management Content 1....4 1.1 What is SAML 2.0.... 5 SSO with SAML 2.0.... 6 SLO with
More informationUser Management. Juan J. Doval DEIMOS SPACE S.L.U. NextGEOSS, September 25 th 2017
User Management Juan J. Doval DEIMOS SPACE S.L.U. NextGEOSS, September 25 th 2017 Agenda Introduction User Management Federation Objectives 1 Introduction NextGEOSS High-Level Architecture DataHub harvest
More informationSAML-Based SSO Solution
About SAML SSO Solution, page 1 Single Sign on Single Service Provider Agreement, page 2 SAML-Based SSO Features, page 2 Basic Elements of a SAML SSO Solution, page 3 Cisco Unified Communications Applications
More informationDARIAH Update. 9th FIM4R Workshop. Vienna, Novemer 30, Peter Gietz, DAASI International GmbH.
DARIAH Update 9th FIM4R Workshop Vienna, Novemer 30, 2015 Peter Gietz, DAASI International GmbH www.dariah.eu What is DARIAH? DARIAH: Digital Research Infrastructure for the Arts and Humanities One of
More informationAccount Checking on a SP
Account Checking on a SP Based on SAML AttributeQuery Berne, 13 August 2014 SWITCHaai Team aai@switch.ch Why do account checking? Organization A Organization B User Accounts Identity Provider SP SWITCH
More informationForgeRock Access Management Core Concepts AM-400 Course Description. Revision B
ForgeRock Access Management Core Concepts AM-400 Course Description Revision B ForgeRock Access Management Core Concepts AM-400 Description This structured course comprises a mix of instructor-led lessons
More informationProf. Christos Xenakis
From Real-world Identities to Privacy-preserving and Attribute-based CREDentials for Device-centric Access Control Device-Centric Authentication for Future Internet Prof. Christos Xenakis SAINT Workshop
More informationIntroducing Shibboleth. Sebastian Rieger
Introducing Shibboleth Sebastian Rieger sebastian.rieger@gwdg.de Gesellschaft für wissenschaftliche Datenverarbeitung mbh Göttingen, Germany CLARIN AAI Hands On Workshop, 25.02.2009, Oxford eresearch Center
More informationThe challenges of (non-)openness:
The challenges of (non-)openness: Trust and Identity in Research and Education. DEI 2018, Zagreb, April 2018 Ann Harding, SWITCH/GEANT @hardingar Who am I? Why am I here? Medieval History, Computer Science
More informationDo I Really Need Another Account? External Identities for Campus Applications
Do I Really Need Another Account? External Identities for Campus Applications Dedra Chamberlin, Cirrus Identity Eric Goodman, University of California Todd Haddaway, UMBC Tom Jordan, University of Wisconsin-Madison
More informationGÉANT Community Programme
GÉANT Community Programme Building the community Klaas Wierenga Chief Community Support Officer GÉANT Information day, Tirana, 5 th April 1 Membership Association = very large community to serve GÉANT
More informationConfiguration Guide - Single-Sign On for OneDesk
Configuration Guide - Single-Sign On for OneDesk Introduction Single Sign On (SSO) is a user authentication process that allows a user to access different services and applications across IT systems and
More informationIn Section 4 we discuss the proposed architecture and analyse how it can match the identified 2
AARC: First draft of the Blueprint Architecture for Authentication and Authorisation Infrastructures A. Biancini 12, L. Florio 1, M. Haase 2, M. Hardt 3, M. Jankowsi 13, J. Jensen 4, C. Kanellopoulos 5,
More informationGreek Research and Technology Network. Authentication & Authorization Infrastructure. Faidon Liambotis. grnet
Greek Research and Technology Network Authentication & Authorization Infrastructure Faidon Liambotis faidon@.gr Networking Research and Education February 22 nd, 2011 1 Who am I? Servers & Services Engineer,
More informationExtending Services with Federated Identity Management
Extending Services with Federated Identity Management Wes Hubert Information Technology Analyst Overview General Concepts Higher Education Federations eduroam InCommon Federation Infrastructure Trust Agreements
More informationTutorial: Building the Services Ecosystem
Tutorial: Building the Services Ecosystem GlobusWorld 2018 Steve Tuecke tuecke@globus.org What is a services ecosystem? Anybody can build services with secure REST APIs App Globus Transfer Your Service
More informationglobus online Globus Nexus Steve Tuecke Computation Institute University of Chicago and Argonne National Laboratory
globus online Globus Nexus Steve Tuecke Computation Institute University of Chicago and Argonne National Laboratory Computation Institute (CI) Apply to challenging problems Accelerate by building the research
More informationEUDAT. Towards a pan-european Collaborative Data Infrastructure
EUDAT Towards a pan-european Collaborative Data Infrastructure Giuseppe Fiameni (g.fiameni@cineca.it) Claudio Cacciari SuperComputing, Application and Innovation CINECA Johannes Reatz RZG, Germany Damien
More informationEGI federated e-infrastructure, a building block for the Open Science Commons
EGI federated e-infrastructure, a building block for the Open Science Commons Yannick LEGRÉ Director, EGI.eu www.egi.eu EGI-Engage is co-funded by the Horizon 2020 Framework Programme of the European Union
More informationShibboleth authentication for Sync & Share - Lessons learned
Shibboleth authentication for Sync & Share - Lessons learned Enno Gröper Abteilung 4 - Systemsoftware und Kommunikation Computer- und Medienservice Humboldt-Universität zu Berlin 30 Jan 2018 Overview Introduction
More informationWarm Up to Identity Protocol Soup
Warm Up to Identity Protocol Soup David Waite Principal Technical Architect 1 Topics What is Digital Identity? What are the different technologies? How are they useful? Where is this space going? 2 Digital
More informationAllowing the user to define the attribute release 21 May 2014
Allowing the user to define the attribute release policy @TNC2014 21 May 2014 Program Introduction to User Managed Access (UMA) Demo A GN3+ JRA3T2 work item User Managed Access Kantara project.. address
More informationWP3: Policy and Best Practice Harmonisation
Authentication and Authorisation for Research and Collaboration WP3: Policy and Best Practice Harmonisation David Groep AARC2 2018 AL/TL meeting 12-13 September, 2018 Amsterdam 0.4 Policy and best practice
More informationSAML-Based SSO Solution
About SAML SSO Solution, page 1 SAML-Based SSO Features, page 2 Basic Elements of a SAML SSO Solution, page 2 SAML SSO Web Browsers, page 3 Cisco Unified Communications Applications that Support SAML SSO,
More informationEGI-InSPIRE. GridCertLib Shibboleth authentication for X.509 certificates and Grid proxies. Sergio Maffioletti
EGI-InSPIRE GridCertLib Shibboleth authentication for X.509 certificates and Grid proxies Sergio Maffioletti Grid Computing Competence Centre, University of Zurich http://www.gc3.uzh.ch/
More informationBEYOND AUTHENTICATION IDENTITY AND ACCESS MANAGEMENT FOR THE MODERN ENTERPRISE
BEYOND AUTHENTICATION IDENTITY AND ACCESS MANAGEMENT FOR THE MODERN ENTERPRISE OUR ORGANISATION AND SPECIALIST SKILLS Focused on delivery, integration and managed services around Identity and Access Management.
More informationDARIAH-AAI. DASISH AAI Meeting. Nijmegen, March 9th,
DARIAH-AAI DASISH AAI Meeting Nijmegen, March 9th, 2014 www.dariah.eu What is DARIAH? DARIAH: Digital Research Infrastructure for the Arts and Humanities One of the few ESFRI research infrastructures for
More informationFeduShare Update. AuthNZ the SAML way for VOs
FeduShare Update AuthNZ the SAML way for VOs FeduShare Goals: Provide transparent sharing of campus resources in support of (multiinstitutional) collaboration Support both HTTP and non-web access using
More informationSustainability in Federated Identity Services - Global and Local
Sustainability in Federated Identity Services - Global and Local What works and what doesn t with eduroam and edugain Ann Harding @hardingar Activity Lead, Trust & Identity Development, GÉANT Person who
More informationCanadian Access Federation: Trust Assertion Document (TAD)
Participant Name: Royal Society of Chemistry Canadian Access Federation: Trust Assertion Document (TAD) 1. Purpose A fundamental requirement of Participants in the Canadian Access Federation is that they
More informationTrusting External Identity Providers for Global
Trusting External Identity Providers for Global MIND THE GAP Research Collaborations Jim Basney jbasney@ncsa.illinois.edu IGTF at CERN (Sep 19 2016) slideshare.net/jbasney National Center for Supercomputing
More informationCanadian Access Federation: Trust Assertion Document (TAD)
Participant Name: Portage Network 1. Purpose A fundamental requirement of Participants in the Canadian Access Federation is that they assert authoritative and accurate identity attributes to resources
More informationPolicy and Best Practice Harmonisation ( NA3 ) from the present to the future
Authentication and Authorisation for Research and Collaboration Policy and Best Practice Harmonisation ( NA3 ) from the present to the future David Groep NA3 activity coordinator Nikhef AARC2 Kick-Off
More informationdcache integration into HDF
dcache integration into HDF Storage service at DESY for Helmholtz Data Federation (HDF) Paul Millar Karlsruhe, 2018-08-30 This project has received funding from the European Union s Horizon 2020 research
More informationIntegrating VMware Workspace ONE with Okta. VMware Workspace ONE
Integrating VMware Workspace ONE with Okta VMware Workspace ONE You can find the most up-to-date technical documentation on the VMware website at: https://docs.vmware.com/ If you have comments about this
More informationFacilitating the Attribute Economy. David W Chadwick George Inman, Kristy Siu 2011 University of Kent
Facilitating the Attribute Economy David W Chadwick George Inman, Kristy Siu University of Kent 2011 University of Kent Internet 2 Fall 2011 Member Meeting 1 (Some) Attribute AuthzRequirements Attributes
More informationIBM Security Access Manager Version 9.0 October Product overview IBM
IBM Security Access Manager Version 9.0 October 2015 Product overview IBM IBM Security Access Manager Version 9.0 October 2015 Product overview IBM ii IBM Security Access Manager Version 9.0 October 2015:
More informationAttribute Aggregation in Federated Identity Management. David Chadwick, George Inman, Stijn Lievens University of Kent
Attribute Aggregation in Federated Identity Management David Chadwick, George Inman, Stijn Lievens University of Kent Acknowledgements Project originally funded by UK JISC, called Shintau http://sec.cs.kent.ac.uk/shintau/
More informationCanadian Access Federation: Trust Assertion Document (TAD)
Participant Name: Lynda.com Canadian Access Federation: Trust Assertion Document (TAD) 1. Purpose A fundamental requirement of Participants in the Canadian Access Federation is that they assert authoritative
More informationBuilding the Modern Research Data Portal. Developer Tutorial
Building the Modern Research Data Portal Developer Tutorial Thank you to our sponsors! U. S. DEPARTMENT OF ENERGY 2 Presentation material available at www.globusworld.org/workshop2016 bit.ly/globus-2016
More informationCanadian Access Federation: Trust Assertion Document (TAD)
Participant Name:_Gale_Cengage Learning Canadian Access Federation: Trust Assertion Document (TAD) 1. Purpose A fundamental requirement of Participants in the Canadian Access Federation is that they assert
More informationISA 767, Secure Electronic Commerce Xinwen Zhang, George Mason University
Identity Management and Federated ID (Liberty Alliance) ISA 767, Secure Electronic Commerce Xinwen Zhang, xzhang6@gmu.edu George Mason University Identity Identity is the fundamental concept of uniquely
More informationShibboleth User Verification Customer Implementation Guide Version 4.3
Shibboleth User Verification Customer Implementation Guide 2017-12-12 Version 4.3 TABLE OF CONTENTS Introduction... 1 Purpose and Target Audience... 1 Commonly Used Terms... 1 Overview of Shibboleth User
More informationEvolving the trust fabric with AARC and EGI
Authentication and Authorisation for Research and Collaboration Evolving the trust fabric with AARC and EGI The AARC CILogon pilot and redistributed responsibility David Groep AARC NA3 Activity Lead Nikhef,
More informationIBM Security Access Manager Version January Federation Administration topics IBM
IBM Security Access Manager Version 9.0.2.1 January 2017 Federation Administration topics IBM IBM Security Access Manager Version 9.0.2.1 January 2017 Federation Administration topics IBM ii IBM Security
More informationGoal. TeraGrid. Challenges. Federated Login to TeraGrid
Goal Federated Login to Jim Basney Terry Fleury Von Welch Enable researchers to use the authentication method of their home organization for access to Researchers don t need to use -specific credentials
More informationFederated access to e-infrastructures worldwide
Federated access to e-infrastructures worldwide Marco Fargetta, INFN Catania - Italy (marco.fargetta@ct.infn.it) DCIs developed in the last decade 2 Evolution Research organisations are moving to cloud
More informationEUDAT & AAI. Daan Broeder MPI for Psycholinguistics
EUDAT & AAI Daan Broeder MPI for Psycholinguistics Initially six research communities on Board EPOS: European Plate Observatory System CLARIN: Common Language Resources and Technology Infrastructure ENES:
More informationAuthorization Survey Results & Use Cases Presentation to Concordia Working Group
Authorization Survey Results & Use Cases Presentation to Concordia Working Group Identity and Authorization Services Working Group (IAS-WG) John Tolbert (Boeing) Gavin Illingworth (BMO Financial Group)
More informationRSA SecurID Ready Implementation Guide. Last Modified: December 13, 2013
Ping Identity RSA SecurID Ready Implementation Guide Partner Information Last Modified: December 13, 2013 Product Information Partner Name Ping Identity Web Site www.pingidentity.com Product Name PingFederate
More informationGDPR, PSD2, CIAM, and the Role of User-Managed Access 2.0
GDPR, PSD2, CIAM, and the Role of User-Managed Access 2.0 Eve Maler VP Innovation & Emerging Technology, ForgeRock @xmlgrrl eve.maler@forgerock.com Chair and founder, Kantara UMA Work Group @UMAWG tinyurl.com/umawg
More informationDelegated authentication Electronic identity: delegated and federated authentication, policy-based access control
Delegated authentication Electronic identity: delegated and federated authentication, policy-based access control Antonio Lioy < lioy @ polito.it > several RPs (Replying Party) may decide to delegate authentication
More informationThis talk aims to introduce the Shibboleth web authentication/authorization framework and its intended deployment in the UK academic community and
This talk aims to introduce the Shibboleth web authentication/authorization framework and its intended deployment in the UK academic community and the University. Shibboleth named after an event in the
More informationA VOSpace deployment: interoperability and integration in big infrastructure
ASTERICS DADI ESFRI Forum A VOSpace deployment: interoperability and integration in big infrastructure S. Bertocco Trieste 13-14 December 2017 Scope Provide our users with a local data storage and computation
More informationCheck to enable generation of refresh tokens when refreshing access tokens
VERSION User: amadmin Server: sp.example.com LOG OUT OAuth2 Provider Save Reset Back to Services Realm Attributes Indicates required field Authorization Code Lifetime Refresh (seconds) If this field is
More informationBuilding the Modern Research Data Portal using the Globus Platform. Rachana Ananthakrishnan GlobusWorld 2017
Building the Modern Research Data Portal using the Globus Platform Rachana Ananthakrishnan rachana@globus.org GlobusWorld 2017 Platform Questions How do you leverage Globus services in your own applications?
More informationNext-Generation Identity Federations. Andreas Åkre Solberg
Next-Generation Identity Federations Andreas Åkre Solberg Identity Federations GÉANT3 JRA3 Task 2 Solving current challenges, and exploring next generation Identity Management Systems. 3 Research Activity
More informationopenid connect all the things
openid connect all the things @pquerna CTO, ScaleFT CoreOS Fest 2017-2017-07-01 Problem - More Client Devices per-human - Many Cloud Accounts - More Apps: yay k8s - More Distributed Teams - VPNs aren
More informationSA1 CILogon pilot - motivation and setup
SA1 CILogon pilot - motivation and setup Tamas Balogh & Mischa Sallé tamasb@nikhef.nl msalle@nikhef.nl AARC General Meeting, Milan 4 November 2015 Tamas Balogh & Mischa Sallé (Nikhef) 1 / 11 Outline 1
More informationGéant-TrustBroker Dynamic inter-federation identity management
Géant-TrustBroker Dynamic inter-federation identity management Daniela Pöhn TNC2014 Dublin, Ireland May 19 th, 2014 Agenda Introduction Motivation GNTB Overview GNTB in Details Workflow Initiation of GNTB
More informationInside Symantec O 3. Sergi Isasi. Senior Manager, Product Management. SR B30 - Inside Symantec O3 1
Inside Symantec O 3 Sergi Isasi Senior Manager, Product Management SR B30 - Inside Symantec O3 1 Agenda 2 Cloud: Opportunity And Challenge Cloud Private Cloud We should embrace the Cloud to respond to
More informationCanadian Access Federation: Trust Assertion Document (TAD)
Participant Name: University of Guelph Canadian Access Federation: Trust Assertion Document (TAD) 1. Purpose A fundamental requirement of Participants in the Canadian Access Federation is that they assert
More informationGrIDP: Grid IDentity Pool Federation
GrIDP: Grid IDentity Pool Federation WebSSO Identity Providers Appendix Authors Marco Fargetta, Roberto Barbera Last Modified 12 August 2016 Version 2.6 Based on COFRE WebSSO Identity Providers Organizations
More informationCanadian Access Federation: Trust Assertion Document (TAD)
Participant Name:_Unversity of Regina Canadian Access Federation: Trust Assertion Document (TAD) 1. Purpose A fundamental requirement of Participants in the Canadian Access Federation is that they assert
More informationCA SiteMinder Federation
CA SiteMinder Federation Partnership Federation Guide 12.52 This Documentation, which includes embedded help systems and electronically distributed materials, (hereinafter referred to as the Documentation
More informationUser Management. Juan J. Doval DEIMOS SPACE S.L.U. NextGEOSS, April 2018
User Management Juan J. Doval DEIMOS SPACE S.L.U. NextGEOSS, April 2018 Agenda Introduction User Management Roadmap Related Activities 1 Introduction NextGEOSS High-Level Architecture DataHub harvest and
More informationDigital Identity Guidelines aka NIST SP March 1, 2017 Ken Klingenstein, Internet2
Digital Identity Guidelines aka NIST SP 800-63 March 1, 2017 Ken Klingenstein, Internet2 Topics 800-63 History and Current Revision process Caveats and Comments LOA Evolution Sections: 800-63A (Enrollment
More informationConnect. Communicate. Collaborate. GN2 JRA5 update. Jürgen Rauschenbach (DFN), JRA5 team 04/02/08 Marseille. JRA5 Team
GN2 JRA5 update Jürgen Rauschenbach (DFN), JRA5 team 04/02/08 Marseille eduroam Working on the eduroam database and a new dissemination look (maps) RadSec release 1.0 Beta is out - reasonable stable and
More informationCoupled Computing and Data Analytics to support Science EGI Viewpoint Yannick Legré, EGI.eu Director
Coupled Computing and Data Analytics to support Science EGI Viewpoint Yannick Legré, EGI.eu Director yannick.legre@egi.eu Credit slides: T. Ferrari www.egi.eu This work by EGI.eu is licensed under a Creative
More informationIdentity management. Tuomas Aura CSE-C3400 Information security. Aalto University, autumn 2014
Identity management Tuomas Aura CSE-C3400 Information security Aalto University, autumn 2014 Outline 1. Single sign-on 2. SAML and Shibboleth 3. OpenId 4. OAuth 5. (Corporate IAM) 6. Strong identity 2
More informationDeliverable D9.3 Best Practice for User-Centric Federated Identity
12-03-2018 Best Practice for User-Centric Federated Identity Contractual Date: 31-10-2017 Actual Date: 12-03-2018 Grant Agreement No.: 731122 Work Package/Activity: 9/JRA3 Task Item: Task 3 Nature of Deliverable:
More information