AAI in EGI Current status

Similar documents
EGI Check-in service. Secure and user-friendly federated authentication and authorisation

WP JRA1: Architectures for an integrated and interoperable AAI

The EGI AAI CheckIn Service

EGI-InSPIRE. GridCertLib Shibboleth authentication for X.509 certificates and Grid proxies. Sergio Maffioletti

INDIGO AAI An overview and status update!

EGI federated e-infrastructure, a building block for the Open Science Commons

AARC. Christos Kanellopoulos AARC Architecture WP Leader GRNET. Authentication and Authorisation for Research and Collaboration

AARC Overview. Licia Florio, David Groep. 21 Jan presented by David Groep, Nikhef.

AARC Blueprint Architecture

Outline. Infrastructure and operations architecture. Operations. Services Monitoring and management tools

WP3: Policy and Best Practice Harmonisation

Open Science Commons: A Participatory Model for the Open Science Cloud

The challenges of (non-)openness:

2. HDF AAI Meeting -- Demo Slides

Coupled Computing and Data Analytics to support Science EGI Viewpoint Yannick Legré, EGI.eu Director

SLCS and VASH Service Interoperability of Shibboleth and glite

EGI Applications Database VM Operations dashboard

Deliverable DJRA1.1. Use-Cases for Interoperable Cross- Infrastructure AAI

EUDAT. Towards a pan-european Collaborative Data Infrastructure

Leveraging the InCommon Federation to access the NSF TeraGrid

European Grid Infrastructure

EGI AAI Platform Architecture and Roadmap

Can R&E federations trust Research Infrastructures? - The Snctfi Trust Framework

Federated Services for Scientists Thursday, December 9, p.m. EST

Federated Authentication with Web Services Clients

Introduction to Grid Infrastructures

Managed Access Gateway. Request Management Guide (For Administrators)

RCauth.eu / MasterPortal update

GÉANT Community Programme

TRUST IDENTITY. Trusted Relationships for Access Management: AND. The InCommon Model

Interfacing Operational Grid Security to Site Security. Eileen Berman Fermi National Accelerator Laboratory

EUDAT - Open Data Services for Research

Pilots to support guest users solutions

Federated access to e-infrastructures worldwide

E u r o p e a n G r i d I n i t i a t i v e

Scalable Negotiator for a Community Trust Framework in Federated Infrastructures (Snctfi)

A VOSpace deployment: interoperability and integration in big infrastructure

A VO-friendly, Community-based Authorization Framework

GrIDP: Grid IDentity Pool Federation

Higher Education PKI Initiatives

EGI-InSPIRE. Security Drill Group: Security Service Challenges. Oscar Koeroo. Together with: 09/23/11 1 EGI-InSPIRE RI

Federated Identities and Services: the CHAIN-REDS vision

The LHC Computing Grid

Best Practices: Authentication & Authorization Infrastructure. Massimo Benini HPCAC - April,

Prof. Christos Xenakis

Introduction to EGI. Mission Services Governance International collaborations Contribution to DSM and EOSC.

Sustainability in Federated Identity Services - Global and Local

Scientific data processing at global scale The LHC Computing Grid. fabio hernandez

1. Publishable Summary

Troubleshooting Grid authentication from the client side

Best practices and recommendations for attribute translation from federated authentication to X.509 credentials

EGI-InSPIRE. Cloud Services. Steven Newhouse, EGI.eu Director. 23/05/2011 Cloud Services - ASPIRE - May EGI-InSPIRE RI

Prototype DIRAC portal for EISCAT data Short instruction

A Simplified Access to Grid Resources for Virtual Research Communities

DARIAH-AAI. DASISH AAI Meeting. Nijmegen, March 9th,

eidas cross-sector interoperability

INDIGO-Datacloud Identity and Access Management Service

Presented by Wolfgang Ziegler, Open Grid Forum

Trust Services for Electronic Transactions

Juliusz Pukacki OGF25 - Grid technologies in e-health Catania, 2-6 March 2009

UNICORE Globus: Interoperability of Grid Infrastructures

Beyond X.509: Token-based Authentication and Authorization with the INDIGO Identity and Access Management Service

ELIXIR Compute platform

ShibVomGSite: A Framework for Providing Username and Password Support to GridSite with Attribute based Authorization using Shibboleth and VOMS

Lesson 6: Portlet for job submission

EUDAT and Cloud Services

The EUDAT Collaborative Data Infrastructure

Storage Management in INDIGO

Goal. TeraGrid. Challenges. Federated Login to TeraGrid

Prof. Christos Xenakis

EGI-Engage: Impact & Results. Advanced Computing for Research

SAML-Based SSO Solution

Chapter 2 Introduction to the WS-PGRADE/gUSE Science Gateway Framework

A Guanxi Shibboleth based Security Infrastructure for e-social Science

glite Grid Services Overview

Workflow applications on EGI with WS-PGRADE. Peter Kacsuk and Zoltan Farkas MTA SZTAKI

Authentication. Katarina

Grid Computing. MCSN - N. Tonellotto - Distributed Enabling Platforms

DARIAH Update. 9th FIM4R Workshop. Vienna, Novemer 30, Peter Gietz, DAASI International GmbH.

Deliverable DSA1.4: Pilots to improve access to R&E-relevant resources

Creating a MyAlberta Digital ID for Business Account

Facilitating the Attribute Economy. David W Chadwick George Inman, Kristy Siu 2011 University of Kent

The LGI Pilot job portal. EGI Technical Forum 20 September 2011 Jan Just Keijser Willem van Engen Mark Somers

National R&E Networks: Engines for innovation in research

Introduction to SciTokens

South African Science Gateways

Options for Joining edugain. Lukas Hämmerle, SWITCH DARIAH Workshop, Köln 18 October 2013

Management der Virtuellen Organisation DARIAH im Rahmen von Shibboleth- basierten Föderationen. 58. DFN- Betriebstagung, Berlin, 12.3.

THEBES: THE GRID MIDDLEWARE PROJECT Project Overview, Status Report and Roadmap

Federated Authentication for E-Infrastructures

EGEE and Interoperation

30 Nov Dec Advanced School in High Performance and GRID Computing Concepts and Applications, ICTP, Trieste, Italy

INDIGO-DataCloud Architectural Overview

13241 Woodland Park Road, Suite 400 Herndon, VA USA A U T H O R : E X O S T A R D ATE: M A R C H V E R S I O N : 3.

irods Security Aspects Willem Elbers CLARIN-ERIC, Netherlands

E X O S T A R, LLC D A T E : M AY V E R S I O N : 4.0

Trusting External Identity Providers for Global

RSA SecurID Ready Implementation Guide. Last Modified: December 13, 2013

Policy and Best Practice Harmonisation ( NA3 ) from the present to the future

EU Policy Management Authority for Grid Authentication in e-science Charter Version 1.1. EU Grid PMA Charter

Transcription:

AAI in EGI Current status Peter Solagna EGI.eu Operations Manager www.egi.eu EGI-Engage is co-funded by the Horizon 2020 Framework Programme of the European Union under grant number 654142

User authentication in a federated environment Local environment (e.g. one institution, one cluster) Users have local accounts, validated often in a F2F verification with the system administrator All the needed information are filled in at the moment of the registration Federated environment (e.g. distributed infrastructure) Users do not have local accounts on every service/cluster/ centre Users own credentials that are recognized by all the service providers in the federation Identity providers and service providers must agree on the: Information provided to the SP Level of assurance of the credentials Operations of the IdP 2

User s identity A user must be able to authenticate with the same identity on the distributed services From the user s point of view Uniform authentication enable cross-site workflows Use of distributed resources using the same credential From the service provider s point of view Uniform authentication improves security operations in a federated environment Easier management of users, and their access to resources 3

Delegation For some workflows and use cases, delegation is an important capability Applications that in general need to: access data stored by the user and not publicly accessible or to save data in the user s storage area Portals and scientific gateways do actions on behalf of the user, like job submission to compute resources. This is usually implemented by impersonating and delegating Impersonation: the application/service acts as the user (using user s temporary credentials). Done at authentication level. Delegation: the user enables the service to work on his/her behalf. Done at authorization level 4

Level of assurance Not all the credentials are the same! Examples: Very high level of assurance: eid High level of assurance with ID verification: X509 certificates, many institutional IdP Social media credentials Everyone with an email account can have one Not always the highest LoA is required: for some low-risk activities low assurance credentials are usable! The minimum LoA required is determined by the user community and the service provider requirements 5

Level of assurance: examples of use cases Strong authentication Ø Submit and manage virtual machines Ø Access sensitive protected data Medium authentication Ø Submit pre-defined applications through science gateways Ø Use PaaS on the cloud Low authentication Ø Access open data Ø Perform read-only operation on non-sensitive data 6

Authorization in a federated environment In a federated environment individual user authorization cannot be handled by the service provider Service provider does not know the user and if him/her should be allowed to perform a specific action Rules for the authorization must use information associated with the user Provided by the IdP Provided by the research collaboration who grants users access to resources 7

Distribute collaboration management in EGI: Virtual Organization Virtual Organization: A group of researchers with common interests, requirements and applications, who need to work collaboratively and/or share resources. Service providers enable users to access services and resources based on the VO membership and additional attributes such as roles within the VO and sub-groups of users within the VO The VO membership is managed by the VO Manager(s) who is the main contact with EGI and who knows the users and the groups in the collaboration New users can be added and removed enabling/disabling their access rights, without direct intervention of service providers VO Manager usually does not manage users credential, a VO is not an IdP 8

EGI user authentication: X509 certificates X509 certificates are the main authentication technology used in EGI Trust network of certification authorities (IGTF/ EUGridPMA) EGI services are configured to accept certificates released by the Certification Authorities federated within IGTF You have one IGTF personal certificate à you can authenticate wherever in EGI 9

Authentication and Authorization workflow Virtual Organization 10

Robot certificates and science gateways Portals and Scientific Gateways can hide the complexity of X509 certificates to the users?? X509 Cer2ficate SciGW X509 Robot Cer2ficate 11

Improving the use of robot certificates Addi2onal extension added by the science gateway. User UID? Robot VO Info 12

Extend the X509 mechanism For some users approaching EGI, the X509 mechanism is a barrier They do not have easy access to a Certification Authority They would prefer to continue using their institutional credentials VOs and Resource Providers implement portals to ease the access to the resources The most effective solution is to bridge other identity federations (edugain, institutional IdP) with the EGI AAI Technical bridge: credentials translation, support in the middleware for other AuthN protocols Policy bridge: build trust between SP and IdP, enable different level of trust More in the next talk! 13

Summary: Current EGI Services for AAI EUGridPMA network of Certification Authorities operated by the NGIs All EGI services are configured to accept EUGridPMA certificates Certificates enable: web authentication, command line authentication and delegation VOMS services to manage VO membership and attributes Science gateways to use other types of authentication (username/password) and robot certificates to access EGI services 14

Thank you for your attention. Questions? www.egi.eu This work by Parties of the EGI-Engage Consortium is licensed under a Creative Commons Attribution 4.0 International License.

2024 © technodocbox.com Privacy Policy | Terms of Service | Feedback