AARC Blueprint Architecture

Similar documents
WP JRA1: Architectures for an integrated and interoperable AAI

EGI Check-in service. Secure and user-friendly federated authentication and authorisation

AARC. Christos Kanellopoulos AARC Architecture WP Leader GRNET. Authentication and Authorisation for Research and Collaboration

The EGI AAI CheckIn Service

The challenges of (non-)openness:

Scalable Negotiator for a Community Trust Framework in Federated Infrastructures (Snctfi)

Guidelines on non-browser access

Deliverable DJRA1.1. Use-Cases for Interoperable Cross- Infrastructure AAI

Best practices and recommendations for attribute translation from federated authentication to X.509 credentials

2. HDF AAI Meeting -- Demo Slides

AARC Overview. Licia Florio, David Groep. 21 Jan presented by David Groep, Nikhef.

Can R&E federations trust Research Infrastructures? - The Snctfi Trust Framework

RCauth.eu / MasterPortal update

Deliverable DSA1.4: Pilots to improve access to R&E-relevant resources

AAI in EGI Current status

INDIGO AAI An overview and status update!

In Section 4 we discuss the proposed architecture and analyse how it can match the identified 2

WP3: Policy and Best Practice Harmonisation

Higher Education external Attribute Authority. Mihály Héder István Tétényi (MTA SZTAKI) 19-May-2015

Warm Up to Identity Protocol Soup

Best Practices: Authentication & Authorization Infrastructure. Massimo Benini HPCAC - April,

INDIGO-Datacloud Identity and Access Management Service

Next-Generation Identity Federations. Andreas Åkre Solberg

Recommendations on the grouping of entities and their deployment mechanisms in scalable policy negotiation

GÉANT Community Programme

Kerberos for the Web Current State and Leverage Points

TRUST IDENTITY. Trusted Relationships for Access Management: AND. The InCommon Model

Digital Identity Guidelines aka NIST SP March 1, 2017 Ken Klingenstein, Internet2

Identity Harmonisation. Nicole Harris REFEDS Coordinator GÉANT.

eidas cross-sector interoperability

EUDAT - Open Data Services for Research

Authentication & Authorization systems developed for CTA

ForgeRock Access Management Core Concepts AM-400 Course Description. Revision B

Sustainability in Federated Identity Services - Global and Local

Policy and Best Practice Harmonisation ( NA3 ) from the present to the future

DARIAH Update. 9th FIM4R Workshop. Vienna, Novemer 30, Peter Gietz, DAASI International GmbH.

EGI AAI Platform Architecture and Roadmap

Outline. Infrastructure and operations architecture. Operations. Services Monitoring and management tools

Major SAML 2.0 Changes. Nate Klingenstein Internet2 EuroCAMP 2007 Helsinki April 17, 2007

Beyond X.509: Token-based Authentication and Authorization with the INDIGO Identity and Access Management Service

Federated Authentication for E-Infrastructures

5 OAuth EssEntiAls for APi AccEss control layer7.com

SLCS and VASH Service Interoperability of Shibboleth and glite

SAP Security in a Hybrid World. Kiran Kola

SELF SERVICE INTERFACE CODE OF CONNECTION

edugain Policy Framework SAML Profile

Attributes for Apps How mobile Apps can use SAML Authentication and Attributes

Management der Virtuellen Organisation DARIAH im Rahmen von Shibboleth- basierten Föderationen. 58. DFN- Betriebstagung, Berlin, 12.3.

EUDAT. Towards a pan-european Collaborative Data Infrastructure

SAML-Based SSO Solution

DEPLOYING MULTI-TIER APPLICATIONS ACROSS MULTIPLE SECURITY DOMAINS

A VOSpace deployment: interoperability and integration in big infrastructure

SOFTWARE DEMONSTRATION

National Identity Exchange Federation. Terminology Reference. Version 1.0

globus online Globus Nexus Steve Tuecke Computation Institute University of Chicago and Argonne National Laboratory

Deliverable D14.1 (DJ3.0.1) Report on the Achievements and Recommendations for any Future Work

5 OAuth Essentials for API Access Control

User Management. Juan J. Doval DEIMOS SPACE S.L.U. NextGEOSS, September 25 th 2017

Federated access to e-infrastructures worldwide

GN3plus External Advisory Committee. White Paper on the Structure of GÉANT Research & Development

Identity management. Tuomas Aura CSE-C3400 Information security. Aalto University, autumn 2014

Project Moonshot. IETF 77, Anaheim. Sam Hartman, Painless Security LLC Josh Howlett, JANET(UK) Image Viatour Luc (

SAML-Based SSO Solution

GDPR, PSD2, CIAM, and the Role of User-Managed Access 2.0

BEYOND AUTHENTICATION IDENTITY AND ACCESS MANAGEMENT FOR THE MODERN ENTERPRISE

DARIAH-AAI. DASISH AAI Meeting. Nijmegen, March 9th,

Enterprise Adoption Best Practices

Federated authentication for e-infrastructures

Standards-based Secure Signon for Cloud and Native Mobile Agents

Federated Authentication with Web Services Clients

Access Management Handbook

Enhancing cloud applications by using external authentication services. 2015, 2016 IBM Corporation

Configuration Guide - Single-Sign On for OneDesk

Deliverable D9.3 Best Practice for User-Centric Federated Identity

Authorization Strategies for Virtualized Environments in Grid Computing Systems

The Future of Indoor Plumbing. Dr Ken Klingenstein Director, Internet2 Middleware and Security

Liferay Security Features Overview. How Liferay Approaches Security

National R&E Networks: Engines for innovation in research

The AAF - Supporting Greener Collaboration

ShibVomGSite: A Framework for Providing Username and Password Support to GridSite with Attribute based Authorization using Shibboleth and VOMS

ELIXIR Compute platform

Extending Services with Federated Identity Management

[GSoC Proposal] Securing Airavata API

SWAMID Person-Proofed Multi-Factor Profile

Sirtfi for Security Incidents in a Federated Context. Tom Barton, UChicago & Internet2

Authentication. Katarina

A Guanxi Shibboleth based Security Infrastructure for e-social Science

EGI-InSPIRE. GridCertLib Shibboleth authentication for X.509 certificates and Grid proxies. Sergio Maffioletti

Trust Services for Electronic Transactions

Need eduperson SCHAC. eduperson and SCHAC. sending attributes outside your organization. Victoriano Giralt

Pilots to support guest users solutions

BIG-IP Access Policy Manager : Authentication and Single Sign-On. Version 13.1

Cloud-based Identity and Access Control for Diagnostic Imaging Systems

Options for Joining edugain. Lukas Hämmerle, SWITCH DARIAH Workshop, Köln 18 October 2013

Introducing Shibboleth. Sebastian Rieger

VMware Identity Manager Administration. MAY 2018 VMware Identity Manager 3.2

Canadian Access Federation: Trust Assertion Document (TAD)

How to use or not use the AWS API Gateway for Microservices

Federated Services for Scientists Thursday, December 9, p.m. EST

GN2 JRA5: Roaming and Authorisation

Transcription:

AARC Blueprint Architecture Published Date: 18-04-2017 Revision: 1.0 Work Package: Document Code: Document URL: JRA1 AARC-BPA-2017 https://aarc-project.eu/blueprint-architecture

AARC Blueprint Architecture - AARC-BPA-2017 1 Introduction The way researchers collaborate within scientific communities can vary significantly from community to community. On the one hand, there are highly structured communities with thousands of researchers who can be virtually anywhere in the world. These communities have been working together for a long time, they want to share and have access to a wide range of resources, and they have had to put in place practical solutions to make the collaborations work. On the other hand, one finds a number of smaller and more diverse research communities working within specific or across scientific disciplines. Typically, these are either nascent communities being established around new scientific domains, or they are communities in specific domains that did not have to promote widespread and close collaboration among the researchers. And of course, in between these two extremes, there are many scientific communities of varying size, structure, history etc. During the last two years of the AARC project we have been working together with e-infrastructures, research infrastructures, research communities, AAI architects, and implementers to get a better understanding of their experiences and needs in sharing and accessing resources within research collaborations. Our goal has been to collectively define a set of architectural building blocks and implementation patterns, which we call the AARC Blueprint Architecture, that will allow the development of interoperable technical solutions for international intra- and inter-disciplinary research collaborations. The first version of the AARC Blueprint Architecture [AARC-BPA-2016] was published in July 2016. In that document, we analysed the architectures of existing designs and implementations and extracted a high-level architecture that encapsulated common patterns and building blocks. The second version [AARC-BPA-2017] was published in April 2017 and builds upon AARC-BPA-2016. AARC-BPA-2017 extends the previous version and provides guidance on topics such as access to non-web based services, token translation services (TTS), best practices for managing authorization, harmonized expression of group membership and role information, attribute aggregation and credential delegation. 2

AARC Blueprint Architecture - AARC-BPA-2017 2 AARC-BPA-2017 This version of the AARC Blueprint Architecture (AARC-BPA-2017), builds upon the previous one and provides a more detailed layered architecture, while retaining full backwards compatibility. AARC-BPA-2017 retains the same four layers, each of which includes one or more functional components, grouped by their complementary functional roles. The User Identities layer and the End Services layer are still there, while the Attribute Enrichment layer has been renamed to User Attributes layer and the Translation layer has been renamed to Identity Access Management (IAM) Layer and has a prominent role in the architecture. In AARC-BPA-2017, we introduce a new layer for the centralised Authorisation. Figure 5: AARC Blueprint Architecture 2017 The User Identity Layer includes services which provide electronic identities that can be used by users participating in International Research Collaborations. Typically, identity services in this layer are outside of the administrative boundaries of the International Research Collaborations. Services in the layer are expected to use secure authentication mechanisms, in order to bind physical persons to their electronic identities, which are then made available to services in the other layers via secure protocols. 3

The AARC Blueprint Architecture is meant to be technology agnostic by design and has been verified against production implementations that use SAML2, OpenID Connect, OAuth2, or combinations of these. Identity service providers, might utilise single factor or multi factor authentication schemes. In AARC-BPA-2016, we have incorporated also the traditional flows, which linked directly service and identity providers, in order to denote the different possibilities and the change towards the proxy implementations. In AARC-BPA-2017, we have kept only the flows relevant for the proxy architecture and thus users are shown to access services only via the EI/RI proxy component. In this version of the architecture we also introduced the points where user consent is expected. The Identity Access Management Layer is a new layer, introduced in AARC-BPA-2017, which replaces the Translation Layer. The components in the Identity Access Management Layer are operated by (or on behalf of) the RI/EI and thus reside within the administrative and policy boundaries of the EI/RI. The Identity Access Management Layer, defines an administrative, policy and technical boundary between the internal services and resources of the RI/EI and any other external services and resources. In AARC-BPA-2016, this layer was marked as an optional layer, but in AARC-BPA-2017, the Identity Access Management Layer is an integral part of the architecture as its functionality is required for all the use cases that go beyond the basic Web SSO scenarios. The components in this layer allow the RIs/EIs to (a) take full advantage of edugain and the national identity federations, (b) reduce the administrative overhead of introducing new services and (c) have the flexibility to choose the appropriate security protocols and mechanisms for delivering internal services to their users. Furthermore, the Identity Access Management Layer enables the implementation of a single point where the RI/EI can provide an IdP discovery service for all its internal services, along with other required functionalities, such as integration with community based group management systems and consistent and scalable central management of user consent. Finally, it enables the infrastructure to provide guarantees that may not be met by the external IdPs alone, such as unique, persistent identifiers, multi-loa management, infrastructure-specific attributes, account linking, etc. The Attribute Enrichment Layer has been renamed to User Attribute Services Layer and it groups components related to managing and providing information (attributes) about users, such as group memberships and community roles, on top of the information that might be provided directly by the Identity Providers from the User Identities Layer. In AARC-BPA-2017, we have moved this layer on the left side of the Identity Access Management and the End Service layers to make clearer the interactions between components of this layer and the layers of Identity Access Management, Authorisation and the End Services. In contrast with the proxy-managed attributes, responsibility for managing attributes provided by these services rests with the user communities. Note also the presence of two new components with dotted border, the AUP (Acceptable Use Policy) and Reputation attribute services. The former denotes a service which specifically records whether the user has accepted the AUP of the infrastructure (as required by many NRENs, RIs, EIs, and by SIRTFI). The latter is a service which records the user s reputation as discussed in [AARC-MJRA1.2]. These components will be further analysed in the next versions of the AARC-BPA in AARC2. The Authorisation Layer is a new layer introduced in AARC-BPA-2017. Authorisation of access to services can take place in many different ways. Typically, in RI/EIs, authorisation can be based (a) on the group membership of the users, (b) on the roles a user might have been granted within the collaboration, (c) on the 4

entitlements users might have been granted, (d) on the affiliations of the users, (e) on the strength of the authentication method used or the quality of the user information or (f) on combinations of these. Although authorisation enforcement always happens on the service side, the AARC-BPA allows the implementers to delegate much of the complex decisions to central components, which can significantly reduce the complexity of managing authorisation policies, and their evaluation on each service individually. For example, the decision whether a user is allowed to access a specific service can be taken centrally and then communicated to the service by adding a service specific attribute to the user s attributes. In this way, a service can rely on the infrastructure to make the authorisation decision based on a number of appropriate factors. Authorization is a topic which will be thoroughly analysed in the next versions of the AARC-BPA and it is a key topic in the Architecture work package of AARC2. The End Services Layer contains the services users actually want to use. Access to these services is AAIprotected (possibly using different technologies, see Footnote 2). These services can range from simple web services, such as wikis or portals for accessing computing and storage resources, to non-web resources such as a login shell, an FTP transfer- or a workload management system. A notable change from AARC-BPA-2016 to AARC-BPA-2017 is the removal of the Token Translation Services from the End Services Layer. Credential translation or token translation can happen centrally and/or within a service, although the latter is outside of the scope of the AARC Blueprint Architecture. AARC-BPA-2017 addresses most of the requirements that were still open in AARC-BPA-2017. Namely, in AARC-BPA-2017 we have provided: guidelines for expressing group membership and role information in a consistent manner across RIs/EIs; best practices for managing authorization, specifically targeting practices for community based authorization; guidelines for scalable attribute aggregation implementations; guidelines for the implementation of credential translation via token translation services; implementation scenarios and guidelines for credential delegation; implementation scenarios and guidelines for non-browser access; guidelines for implementing SAML authentication proxies for social media IdPs; use case scenarios for account linking and LoA elevation via step-up authentication. Figure 6: Progression of the requirements covered in AARC-BPA-2016 (left) to AARC-BPA-2017 (right). 5

Blue are the requirements, which are already being addressed by the AARC. With blue-green colour, we have marked those requirements on which we have been partially addressed, but there is still work to be done. and with green colour, the requirements which will be addressed in the next iterations of the AARC Blueprint Architecture 6

3 Glossary AA AAI EGI FQDN IdP MACE NSS OIDCre POSIX REFEDS R&S SCIM SP URL URI URN VO VOMS VOOT Attribute Authority Authentication and Authorisation Infrastructure European Grid Infrastructure Fully Qualified Domain Name Identity Provider Middleware Architecture Committee for Education Namespace Specific String OpenID Connect for Research and Education Portable Operating System Interface Research and Education FEDerations group Research and Scholarship System for Cross-domain Identity Management Service Provider Uniform Resource Locator Uniform Resource Identifier Uniform Resource Name Virtual Organization Virtual Organization Membership Service Virtual Organization Orthogonal Technology 7

2024 © technodocbox.com Privacy Policy | Terms of Service | Feedback