GÉANT-TrustBroker project overview

Slides assembled by the GÉANT-TrustBroker team at Leibniz Supercomputing Centre, Germany, for a short presentation by Licia Florio at the TF-EMC2 meeting, Zurich, Switzerland, February 11th, 2014.

GÉANT-TrustBroker [GNTB]: The basic idea

Our goal from the user's perspective: let users log in to and use federation-external service providers (SPs) by connecting them to their identity provider (IDP), independent of federation borders and without manual setup work by SP and IDP admins.

More technically:
- GNTB facilitates the user-triggered, on-demand exchange of IDP and SP metadata as the basis for SAML-based AuthNZ.
- GNTB therefore complements existing NREN and community federations and inter-federations (e.g., eduGAIN).
- GNTB will automate the setup of IDP-SP communication, including user attribute conversion when data schemas differ, but excluding organizational aspects such as the need for written contracts between certain (commercial) SPs and IDPs.

Background: Where are we today without GNTB?

Historically, we have two types of federations:
- National federations, operated by NRENs
- Community federations, operated by research communities / projects

The resulting problem: users can only access a service when its SP and the user's IDP are members of the same federation.

The eduGAIN solution approach: build a federation-of-federations-style inter-federation.

eduGAIN is great, but inter-federations bring new issues:
- Additional contracts increase the overall complexity.
- The inter-federation schema (i.e., the available user attributes) is only the common denominator of the NREN federations; thus, eduGAIN SPs may not get all the attributes they require for full service functionality.
- IDPs still need to set up technical details, e.g., attribute filters / release policies, manually. Therefore, users cannot use new SPs immediately.

GÉANT-TrustBroker's scope

GNTB is
- a metadata registry: SPs and IDPs upload their metadata just like in other federations.
- a user attribute conversion rule repository: inter-federation conversion rules can be shared and re-used by other IDPs.
- a virtual IDP and SP: GNTB seamlessly integrates into standard SAML workflows to connect SPs and IDPs on demand. Connecting entities includes the exchange of metadata and the automated setup of user attribute conversion rules.

GNTB automates the technical setup of IDP-SP communication as far as possible; manual approval steps are optional. GNTB does not handle organizational aspects, such as the demand for written contracts with commercial SPs.

eduGAIN and GNTB complement each other:
- eduGAIN is the organizationally profound, long-term solution.
- GNTB allows for the quick setup of all technical aspects.
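The two technical pieces the slides keep returning to are the exchange of SP metadata and the automatic derivation of an IDP's attribute conversion and release configuration from it. The following Python sketch is an added illustration, not GNTB code and not GNTB's real rule format: it parses a constructed SP EntityDescriptor, refuses non-HTTPS endpoints before accepting it into the registry, reads the SP's RequestedAttribute list, and then applies a set of hypothetical conversion rules so that only the requested attributes (converted from a made-up local IDP schema to standard eduPerson/OID names) are released. The entityIDs, URLs, user record and rule table are all constructed.

```python
"""Toy model of on-demand metadata exchange plus automatic attribute
conversion/release setup (constructed illustration, not GNTB's code)."""
import xml.etree.ElementTree as ET
from urllib.parse import urlparse

MD_NS = "urn:oasis:names:tc:SAML:2.0:metadata"
NS = {"md": MD_NS}

# Constructed SP metadata: one ACS endpoint and three requested attributes
# (standard eduPerson / LDAP OIDs, FriendlyName as used in federations).
SP_METADATA = """<md:EntityDescriptor xmlns:md="urn:oasis:names:tc:SAML:2.0:metadata"
    entityID="https://sp.example.org/shibboleth">
  <md:SPSSODescriptor protocolSupportEnumeration="urn:oasis:names:tc:SAML:2.0:protocol">
    <md:AssertionConsumerService Binding="urn:oasis:names:tc:SAML:2.0:bindings:HTTP-POST"
        Location="https://sp.example.org/Shibboleth.sso/SAML2/POST" index="1"/>
    <md:AttributeConsumingService index="1">
      <md:ServiceName xml:lang="en">Example SP</md:ServiceName>
      <md:RequestedAttribute Name="urn:oid:1.3.6.1.4.1.5923.1.1.1.6"
          FriendlyName="eduPersonPrincipalName" isRequired="true"/>
      <md:RequestedAttribute Name="urn:oid:0.9.2342.19200300.100.1.3"
          FriendlyName="mail" isRequired="true"/>
      <md:RequestedAttribute Name="urn:oid:1.3.6.1.4.1.5923.1.1.1.9"
          FriendlyName="eduPersonScopedAffiliation" isRequired="false"/>
    </md:AttributeConsumingService>
  </md:SPSSODescriptor>
</md:EntityDescriptor>"""


def parse_sp_metadata(xml_text):
    """Extract what an IDP needs from uploaded SP metadata: entityID, ACS
    endpoints and requested attributes. Rejects non-HTTPS ACS endpoints
    (a minimal acceptance check for a metadata registry; constructed)."""
    root = ET.fromstring(xml_text)
    if root.tag != f"{{{MD_NS}}}EntityDescriptor":
        raise ValueError("not a SAML EntityDescriptor")
    entity_id = root.get("entityID")
    if not entity_id:
        raise ValueError("missing entityID")
    sp = root.find("md:SPSSODescriptor", NS)
    if sp is None:
        raise ValueError("no SPSSODescriptor in metadata")
    acs = []
    for ep in sp.findall("md:AssertionConsumerService", NS):
        loc = ep.get("Location", "")
        if urlparse(loc).scheme != "https":
            raise ValueError(f"refusing non-HTTPS ACS endpoint: {loc}")
        acs.append(loc)
    requested = [
        {"name": ra.get("Name"),
         "friendly": ra.get("FriendlyName"),
         "required": ra.get("isRequired", "false").lower() == "true"}
        for ra in sp.findall("md:AttributeConsumingService/md:RequestedAttribute", NS)
    ]
    return {"entityID": entity_id, "acs": acs, "requested": requested}


# Hypothetical conversion rules: inter-federation FriendlyName -> function
# producing the value list from the IDP's local (constructed) schema.
CONVERSION_RULES = {
    "eduPersonPrincipalName": lambda a, scope: [f"{a['uid']}@{scope}"] if a.get("uid") else [],
    "mail": lambda a, scope: [a["emailAddress"]] if a.get("emailAddress") else [],
    "eduPersonScopedAffiliation": lambda a, scope: [f"{v}@{scope}" for v in a.get("affiliation", [])],
}


def build_release(local_attrs, sp_info, rules, scope):
    """Derive the per-SP release automatically from the SP's metadata: apply a
    conversion rule for each requested attribute, release nothing else, and
    fail early if a required attribute cannot be produced."""
    released = {}
    for req in sp_info["requested"]:
        rule = rules.get(req["friendly"])
        values = rule(local_attrs, scope) if rule else []
        if values:
            released[req["name"]] = values
        elif req["required"]:
            raise LookupError(
                f"cannot satisfy required attribute {req['friendly']} for {sp_info['entityID']}")
    return released


if __name__ == "__main__":
    info = parse_sp_metadata(SP_METADATA)
    # Constructed local user record; displayName is never requested, so never released.
    user = {"uid": "jdoe", "emailAddress": "jdoe@idp.example.edu",
            "affiliation": ["staff", "member"], "displayName": "J. Doe"}
    print(info["entityID"], info["acs"])
    print(build_release(user, info, CONVERSION_RULES, "idp.example.edu"))
```

The point of the sketch is the direction of the automation the slides describe: the SP's metadata drives both the filter (which attributes) and the conversion (which local values, in which form), so an IDP admin does not hand-write a release policy per newly connected SP. A real deployment would additionally verify the metadata's signature and origin before trusting the entityID and endpoints in it.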

The GNTB project

- GNTB is a GN3+ Open Call project (10/2013 to 03/2015).
- A milestone document describing GNTB's technical workflows in detail is available on the GN intranet.
- GNTB's SAML-based core workflow will be submitted as an Internet-Draft to the IETF in summer 2014.
- We're working on a Shibboleth-based prototype. Pilot operations can hopefully start before summer 2015.
- GNTB functionality may be interesting for some other use cases, e.g., rapid provisioning of Shibboleth testbeds (suggested by Moonshot developers).
- GNTB includes some more features, such as AccountChooser functionality. Please contact us or check out the GNTB documents for details.

To contact the project team, please email geant-trustbroker@lists.lrz.de

www.geant.net
www.twitter.com/geantnews
www.facebook.com/geantnetwork
www.youtube.com/geanttv