Options for Joining edugain. Lukas Hämmerle, SWITCH DARIAH Workshop, Köln 18 October 2013

Similar documents
GÉANT: Supporting R&E Collaboration

GÉANT : e-infrastructure connectivity for the data deluge

DARIAH-AAI. DASISH AAI Meeting. Nijmegen, March 9th,

GÉANT and other projects Update

GÉANT-TrustBroker project overview

Connect. Communicate. Collaborate. GN2 JRA5 update. Jürgen Rauschenbach (DFN), JRA5 team 04/02/08 Marseille. JRA5 Team

Géant-TrustBroker Project Overview

Towards Horizon The Enabling Users

Attribute Release. Contractual Matters

Géant-TrustBroker Dynamic inter-federation identity management

DARIAH Update. 9th FIM4R Workshop. Vienna, Novemer 30, Peter Gietz, DAASI International GmbH.

AARC. Christos Kanellopoulos AARC Architecture WP Leader GRNET. Authentication and Authorisation for Research and Collaboration

GÉANT Community Programme

The challenges of (non-)openness:

FEDERICA Federated E-infrastructure Dedicated to European Researchers Innovating in Computing network Architectures

Interconnected NRENs in Europe & GÉANT: Mission & Governance Issues

JRA5: Roaming and Authorisation

Federated Identities and Services: the CHAIN-REDS vision

AARC Overview. Licia Florio, David Groep. 21 Jan presented by David Groep, Nikhef.

Management der Virtuellen Organisation DARIAH im Rahmen von Shibboleth- basierten Föderationen. 58. DFN- Betriebstagung, Berlin, 12.3.

TRUST IDENTITY. Trusted Relationships for Access Management: AND. The InCommon Model

Multi-Domain VPN service, a seamless infrastructure for Regional Network, NRENs and GEANT

GÉANT Mission and Services

Federated access to e-infrastructures worldwide

Greek Research and Technology Network. Authentication & Authorization Infrastructure. Faidon Liambotis. grnet

Identity Harmonisation. Nicole Harris REFEDS Coordinator GÉANT.

e-infrastructures in FP7 INFO DAY - Paris

Sustainability in Federated Identity Services - Global and Local

Milestone MS83 (DS5.4.1): Federation as a Service - Market Analysis and Pilot Service Definition

WP JRA1: Architectures for an integrated and interoperable AAI

GÉANT: A Defense in Depth Approach

Attribute Release Update

GÉANT Services Supporting International Networking and Collaboration

Enabling BigData Workflows in Earth Observation Science

TERENA, the NRENs, GÉANT & promoting Campus Best Practice

User Community Driven Development in Trust and Identity Services

EUMEDCONNECT3 and European R&E Developments

IaaS Framework Agreements Pan-European Cloud Services ready for adoption

GÉANT IP Service Description. High Performance IP Services to Support Advanced Research

Connectivity Services, Autobahn and New Services

GN2 JRA5: Roaming and Authorisation

GÉANT Open Service Description. High Performance Interconnectivity to Support Advanced Research

Federated E-infrastructure Dedicated to European Researchers Innovating in Computing network Architectures

A collaboration overview: From TF-VSS to GN2 SA6

Oman Research & Education Network (OMREN)

Introduction of Identity & Access Management Federation. Motonori Nakamura, NII Japan

EUDAT - Open Data Services for Research

GÉANT Open Service Description. High Performance Interconnectivity to Support Advanced Research

GÉANT network and applications PENS workshop J-L Dorel European Commission

New trends in Identity Management

Advancing European R&E through collaboration

Network Virtualization for Future Internet Research

Strategy for SWITCH's next generation optical network

Advanced architecture and services Implications of the CEF Networks workshop

GÉANT Enabling Global R&E Collaboration. Thomas Fryer, DANTE AMERICAS Conference, CUDI Friday, 4 th October 2013

GÉANT L3VPN Service Description. Multi-point, VPN services for NRENs

GÉANT: Supporting R&E Collaboration with North America

EUDAT. Towards a pan-european Collaborative Data Infrastructure

EGI federated e-infrastructure, a building block for the Open Science Commons

GN3plus External Advisory Committee. White Paper on the Structure of GÉANT Research & Development

Trust and Identity Services an introduction

Multi Domain Service Architecture for Heterogonous Networks A view from GÉANT 3 - SA2: Task 1

eidas cross-sector interoperability

GRIDS INTRODUCTION TO GRID INFRASTRUCTURES. Fabrizio Gagliardi

GÉANT Plus Service Description. High Performance Cost-effective Connectivity

Attribute Release in SWITCHaai

Federated Authentication for E-Infrastructures

The National Research and Education Network. Problems and Solutions

The AAF - Supporting Greener Collaboration

AAI in EGI Current status

WP3: Policy and Best Practice Harmonisation

AMRES Combining national, regional and & EU efforts

National R&E Networks: Engines for innovation in research

Goal. TeraGrid. Challenges. Federated Login to TeraGrid

SAML2 Metadata Exchange & Tagging

Greek e-infrastructures Short report

EUDAT & AAI. Daan Broeder MPI for Psycholinguistics

The Future of the Internet

e-infrastructure for Research and Education in Georgia

EUDAT. Towards a pan-european Collaborative Data Infrastructure. Damien Lecarpentier CSC-IT Center for Science, Finland EUDAT User Forum, Barcelona

Now SAML takes it all:

Attributes for Apps How mobile Apps can use SAML Authentication and Attributes

Community Connection Service for escience. Ronald van der Pol, SURFnet TNC May 2014

Security Incident Response Trust Framework for Federated Identity (Sir-T-Fi) David Kelsey (STFC-RAL) REFEDS, Indianapolis 26 Oct 2014

Federated Identity Management

e-infrastructure: objectives and strategy in FP7

Pilots to support guest users solutions

REFEDS Minutes, 22 April 2012

GÉANT Time Compendium Project and Service Updates

Outline. Infrastructure and operations architecture. Operations. Services Monitoring and management tools

AARC Blueprint Architecture

Recommendations on the grouping of entities and their deployment mechanisms in scalable policy negotiation

EUDAT- Towards a Global Collaborative Data Infrastructure

Integration of Network Services Interface version 2 with the JUNOS Space SDK

SWITCHaai Service Description

2. HDF AAI Meeting -- Demo Slides

STORK PRESENTATION 07/04/2009. Frank LEYMAN. Manager International Relations. Stork is an EU co-funded project INFSO-ICT-PSP

Network Disaggregation

INSPIRE status report

Moonshot. Workshop on Federated Identity and (OpenStack) Cloud Services - SWITCH

Transcription:

Options for Joining edugain Lukas Hämmerle, SWITCH DARIAH Workshop, Köln 18 October 2013

Outline 1. GE ANT and the Enabling Users task 2. Options to Join edugain 3. Discussion 2

GÉANT (GN3plus) - vital to the EU s e-infrastructure strategy Key Facts GN3plus Start date April 1 2013 Duration 24 months Total budget 84,283,018 EC contribution 41,800,000 Participants 250+ 41 Project Partners: 38 NRENs, DANTE, TERENA, NORDUnet (representing 5 Nordic countries) GN3plus: extension and expansion to 3rd term of the successful GÉANT networking project, vital to the EU s e-infrastructure strategy. GÉANT vision: to become the unified European Communications Commons - driving knowledge creation as the global hub for research networking excellence GÉANT Mission: to deliver world-class services with the highest levels of operational excellence Co-funded: by the EU and Europe s NRENs 3

Europe s 100Gbps Network - e-infrastructure for the data deluge Latest transmission and switching technology Routers with 100Gbps capability Optical transmission platform designed to provide 500Gbps super-channels Hybrid network GÉANT IP: packet routed and VPNs GÉANT Plus: switched point-to-point circuits GÉANT Lambda: dedicated wavelengths 12,000km of dark fibre over 100,000km of leased capacity (inc. transatlantic links) 28 main sites covering European footprint 4

Delivering world-class services to R&E communities JRA1: Network Architectures for Horizon 2020 JRA2: Technology Testing for Specific Service Applications JRA3: Identity & Trust Technologies for GÉANT Services SA1: Core Backbone Services SA2: Testbeds as a Service SA3: Network Service Delivery SA4: Network Support Services SA5: Application Services SA7: Support to Clouds SA6: Service Management & Operations NA1: Management NA2: Communications & Promotion NA3: Status & Trends NA4: International & Business Devpt 5

SA5 Application Services For global collaboration Service Tasks: (Moonshot pilot) Non-service Tasks: Federation-as-a-Service Enabling Users <= That's us, ~6 people, present today Wolfgang and me 6

"Enabling Users" Objectives Be expert partner for large EU projects with AAI requirements Actively collaborate with large international user communities Based on well-defined, replicable use cases Increase the practical use of AAI infrastructure Extend interfederation technology and AAI functionalities Help communities integrate their services into edugain Incorporating adoption and dissemination of Federation current best- practice solutions 7 7

11 Use-Cases Submitted by FIM4R group Initial focus on 3, later more to follow (Umbrella) CLIPC 8 8

DARIAH how we see it DARIAH community (and other DASISH communities) are likely to operate many services (SPs) in different countries In contrast to other research communities which probably will operate only few SPs Hand-full of services and Homeless IdP are already SAML-enabled Including a mechanism to deal with users where only the persistentid attribute is available DARIAH LDAP and Admin Portal for permission and authorization management Main questions are: How to best integrate services/sps into edugain? How to ensure SPs receive required attributes? 9

Situation from AAI/SAML perspective Geobrowswer SP Research Project Entities IdP SIMA Registry SP SP SP Home for the homeless IdP Portal Connection Reg. Entities typically operated by a research community: Multiple Service Providers DARIAH has so far about 5-10 Service Providers Number is likely to grow One Identity Provider (home for the home-less) Unless it relies on the guest Identity Provider of somebody else 10

Priorities To make use of edugain, it's primarily the Service Providers that have to be added to edugain from one communities' point of view. Allows researchers accessing a service using their university/research institution account Adding the Identity Provider(s) to edugain is less important Allows users managed by that community to access other edugain services outside of that community Allows bridging different communities 11

Options to join edugain Option A: Join via existing federation Let each service join edugain via an existing federation (e.g. the national federation that already exists) Option B: Create your own federation Organize all services in an own federation and join with the whole federation Option C: Use a hub/proxy Place all services behind a hub/proxy and add that proxy via an existing federation to edugain 12

edugain Membership edugain (GEANT) Contract Federation Operator Contract Contract Contract Organisation Organisation Organisation SP IdP SP SP IdP SP SP IdP SP Only federations can become edugain members edugain is an interfederation service and not a federation itself It is not possible for an SP or IdP to directly join edugain edugain operations team and efforts can be kept small 13

Requirements to become edugain member federation Formal requirements: http://www.edugain.org/technical/joining_checklist.php Sign and agree with edugain policy/constitution Provide upstream metadata according to edugain MD profile Name representative and deputy for edugain steering group Federation has to primarily serve research and education Must be accepted by edugain steering group Federations usually also: Have a name, logo, web page Operates registration service to manage SPs /IdPs Process and provide edugain downstream metadata Maintains support and helpdesk for their members Provides central discovery service and home for the homeless IdP 14

Option A: Add SPs via existing federation 15

Option A: Characteristics Pros/Cons: Technically straight-forward Re-use know-how, infrastructure, documentation, guides, policies, legal framework, processes of existing federations Transparent from the user's point of view and not different from accessing any other service within the local federation Deployment/registration procedures vary from federation to federation Home-less-IdP might not be easy to add to edugain (depends on federation: fees, liability,...) Examples: Currently in edugain metadata are science gateways from African Grid community, INDICATE E-Culture, aginfra, DECIDE, EarthServer, EUMEDGRID, GISELA and IGI 16

Option B: Create an own federation 17

Federation Types Three federation architectures are currently used for national federations: Full-mesh federation Hub-and-spoke with distributed login Hub-and-spoke with central login Choice depended on: Political/financing situation in a country (Trust) Relation between participating organisations and federation operator Same models could be used by a research community that decided to create an own federation. 18

Full Mesh Federation ~80% of all NREN Federations (June 2013) E.g InCommon UKAMF SWAMID HAKA DFN-AAI SWITCHaai... 19

Hub-and-Spoke Federation with Distributed Login ~15% of all NREN Federations (June 2013) SURFconext WAYF.dk SIR TAAT Confia 20

Hub-and-Spoke Federation with Central Login ~5% of all NREN Federations (June 2013) FEIDE AAI@EduHr 21

Option B: Characteristics Pros/Cons: Influence on edugain via the edugain Steering Group Consistent registration of SPs/IdPs across national boundaries Potentially beneficial for getting more user attributes Transparent from the user's point of view and not different from accessing any other service within the local federation Technically straight forward. No problem adding IdPs to edugain. Potentially quite some overhead to manage the federation (metadata management, deployment guides, helpdesk/support, policies). Will require some permanent service unit Examples: CLARIN Service Provider Federation (SPF). Not in edugain as a federation currently. 22

Option C1: Join via a Hub 23

Option C1 Characteristics Similar like model B (Own federation) using a hub-and-spoke federation with a central login. Pros/Cons: Extend/Transform/enrich user data at the hub Bridging communities becomes easier if hub supports multiple protocols Unique identifier attribute sufficient for a user Registration of only a single SP (and potentially an IdP) Requires development work because no out-of-the-box solution exists Hub becomes single point-of-failure Hub hides all services behind it -> intransparent for user Examples: Umbrella (CRISP/PaNdata) large photon and neutron research community 24

Option C2: Join via a (Web) Proxy 25

Option C2 Characteristics One (Web) proxy with an SP protects multiple applications on different hosts behind the proxy. Sub-type of C1. Relatively easy to deploy using Apache and Shibboleth. Also combines with Options A,B and C1. Pros/Cons: Operate only one SP with a moderately complex configuration. Can be operated completely transparent or hide all applications Unique identifier attribute sufficient for a user Registration of only a single SP (and potentially an IdP) Proxy becomes single point-of-failure If applications are hidden -> intransparent for user Increased complexity and harder to debug problems Examples: Number of universities chose this approach for their services. 26

3 Recommendations for DARIAH 1. Choose option A or B It's basically a question of commitment: How much long-term financial and personal resources are available to operate an own federation? 1. Implement the GE ANT Data Protection Code of Conduct No silver bullet to get all attributes immediately but currently the best chance. DARIAH already has a technical solution to cope with missing attributes issue 2. Be patient 27

Thank you! www.geant.net www.twitter.com/geantnews www.facebook.com/geantnetwork www.youtube.com/geanttv 28

2024 © technodocbox.com Privacy Policy | Terms of Service | Feedback