Géant-TrustBroker Dynamic inter-federation identity management

Similar documents
Géant-TrustBroker Project Overview

GÉANT-TrustBroker project overview

Géant-TrustBroker: Dynamic, Scalable Management of SAML-Based Inter-federation Authentication and Authorization Infrastructures

Options for Joining edugain. Lukas Hämmerle, SWITCH DARIAH Workshop, Köln 18 October 2013

DARIAH-AAI. DASISH AAI Meeting. Nijmegen, March 9th,

Connect. Communicate. Collaborate. GN2 JRA5 update. Jürgen Rauschenbach (DFN), JRA5 team 04/02/08 Marseille. JRA5 Team

Topology of Dynamic Metadata Exchange via a Trusted Third Party

The AAF - Supporting Greener Collaboration

Introduction of Identity & Access Management Federation. Motonori Nakamura, NII Japan

Using Your Own Authentication System with ArcGIS Online. Cameron Kroeker and Gary Lee

EGI Check-in service. Secure and user-friendly federated authentication and authorisation

New trends in Identity Management

GN2 JRA5: Roaming and Authorisation

REFEDS Minutes, 22 April 2012

IAM for Workday: How to Embrace an 800 Pound Gorilla. Michael Brogan & Jonathan Pass UW-IT, Identity & Access Management

GÉANT Community Programme

JRA5: Roaming and Authorisation

SAML2 Metadata Exchange & Tagging

Deliverable D14.1 (DJ3.0.1) Report on the Achievements and Recommendations for any Future Work

eidas cross-sector interoperability

GÉANT: Supporting R&E Collaboration

SLCS and VASH Service Interoperability of Shibboleth and glite

Open Call Deliverable OCJ-DS4.1.1 GÉANT-TrustBroker Implementation with Documentation (GÉANT-TrustBroker)

Community Connection Service for escience. Ronald van der Pol, SURFnet TNC May 2014

Shibboleth authentication for Sync & Share - Lessons learned

eduroam und andere Themen in GN2-JRA5

Greek Research and Technology Network. Authentication & Authorization Infrastructure. Faidon Liambotis. grnet

The challenges of (non-)openness:

AARC Overview. Licia Florio, David Groep. 21 Jan presented by David Groep, Nikhef.

The EGI AAI CheckIn Service

Oman Research & Education Network (OMREN)

Pilots to support guest users solutions

Qualys SAML 2.0 Single Sign-On (SSO) Technical Brief

2. HDF AAI Meeting -- Demo Slides

Attribute Release. Contractual Matters

Management der Virtuellen Organisation DARIAH im Rahmen von Shibboleth- basierten Föderationen. 58. DFN- Betriebstagung, Berlin, 12.3.

Integration Guide. PingFederate SAML Integration Guide (SP-Initiated Workflow)

Morningstar ByAllAccounts SAML Connectivity Guide

bwsync&share: A cloud solution for academia in the state of Baden-Württemberg

1. General requirements

EAPlab the ultimate EAP testing facility developed within the SENSE project

GN3 Plus NA3-T3 Greening of ICT Services. Andrew Mackarel GN3+ NA3 T3 15th September 2014 Workshop Budapest

BELNET R&E federation Technical policy

Integrating the YuJa Enterprise Video Platform with Dell Cloud Access Manager (SAML)

Configuration Guide - Single-Sign On for OneDesk

Goal. TeraGrid. Challenges. Federated Login to TeraGrid

RCauth.eu / MasterPortal update

SOFTWARE DEMONSTRATION

EUDAT - Open Data Services for Research

AAI Tutorial. SWITCHaai Team

2010 Kerberos Conference

EGI-InSPIRE. GridCertLib Shibboleth authentication for X.509 certificates and Grid proxies. Sergio Maffioletti

TCS SAML demo background

Federated Identity Management

GN2 JRA5: Roaming and Authorisation - recent results

TRUST IDENTITY. Trusted Relationships for Access Management: AND. The InCommon Model

Federated Identity Management

Extending Services with Federated Identity Management

LionShare: A Hybrid Secure Network for Academic Collaboration. Michael J. Halm, Marek Hatala, Derek Morr and Alex Valentine

Identity Harmonisation. Nicole Harris REFEDS Coordinator GÉANT.

GÉANT : e-infrastructure connectivity for the data deluge

Slack Connector. Version 2.0. User Guide

DARIAH Update. 9th FIM4R Workshop. Vienna, Novemer 30, Peter Gietz, DAASI International GmbH.

GÉANT Time Compendium Project and Service Updates

TECHNICAL GUIDE SSO SAML. At 360Learning, we don t make promises about technical solutions, we make commitments.

WP JRA1: Architectures for an integrated and interoperable AAI

Investigating the Recursive InterNetwork Architecture as the next generation GÉANT and NREN network architecture

Canadian Access Federation: Trust Assertion Document (TAD)

Add OKTA as an Identity Provider in EAA

ShibVomGSite: A Framework for Providing Username and Password Support to GridSite with Attribute based Authorization using Shibboleth and VOMS

Integrating YuJa Active Learning into ADFS via SAML

Federated Identification Architecture

Canadian Access Federation: Trust Assertion Document (TAD)

ilight/gigapop eduroam Discussion Campus Network Engineering

SAML Admin Guide. Version 1.0

Integrating YuJa Active Learning with ADFS (SAML)

Identity and Access Management Infrastructure for Oxford University

Token-based Payment in Dynamic SAML-based Federations

The Trusted Attribute Aggregation Service (TAAS)

Udemy for Business SSO. Single Sign-On (SSO) capability for the UFB portal

PingOne. How to Set Up a PingFederate Connection to the PingOne Dock. Quick Start Guides. Version 1.1 December Created by: Ping Identity Support

Identity Provider for SAP Single Sign-On and SAP Identity Management

ORCID UPDATE. JISC Workshop, 16 June 2017

Single Logout with the SWITCH edu-id IdP

Moonshot. Workshop on Federated Identity and (OpenStack) Cloud Services - SWITCH

Security Incident Response Trust Framework for Federated Identity (Sir-T-Fi) David Kelsey (STFC-RAL) REFEDS, Indianapolis 26 Oct 2014

Attribute Release Update

Integrating YuJa Active Learning into Google Apps via SAML

Integration Documentation. Automated User Provisioning Common Logon, Single Sign On or Federated Identity Local File Repository Space Pinger

Higher Education external Attribute Authority. Mihály Héder István Tétényi (MTA SZTAKI) 19-May-2015

Authentication in Galaxy : let's use what is out there - (National) Identity Providers

1z0-479 oracle. Number: 1z0-479 Passing Score: 800 Time Limit: 120 min.

Introducing Shibboleth. Sebastian Rieger

All about SAML End-to-end Tableau and OKTA integration

Attribute Release in SWITCHaai

Federated access to e-infrastructures worldwide

Authentication in the Cloud. Stefan Seelmann

Federated Authentication with Web Services Clients

TF-WebRTC. 12/15/14 Paris / France. Mihály Mészáros

ISA 767, Secure Electronic Commerce Xinwen Zhang, George Mason University

Transcription:

Géant-TrustBroker Dynamic inter-federation identity management Daniela Pöhn TNC2014 Dublin, Ireland May 19 th, 2014

Agenda Introduction Motivation GNTB Overview GNTB in Details Workflow Initiation of GNTB Workflow Metadata Registry Feature Attribute Repository Conclusion 2

GNTB Introduction Géant-TrustBroker (GNTB): Dynamic establishment of technical trust between Identity Provider (IDP) and Service Provider (SP) Dynamic metadata exchange First time contact initiated by the user GN3+ Open Call project (10/2013 03/2015) Internet-Draft to IETF in summer 2014 Shibboleth-based prototype 3

GNTB Motivation Current situation: Two types of federations: National federations operated by NRENs Community federations operated by research communities / projects Inter-federations, e.g., edugain Source: edugain membership status 4

GNTB Motivation The resulting problem: SP and the user s IDP need to be in same federation or inter-federation. Industry Employee Communities need to participate in national federations or need to join edugain as a federation. Researcher German researcher IDPs/SPs might need to join several federations. Research partners outside edugain / national federation cannot make use of Federated Identity Management. IDP Community No trust SP DFN-AAI 5

GNTB Motivation Further Issues: Initial efforts Complexity: Additional contracts increase the overall complexity for IDPs and SPs. Manual work: IDPs need to set up configuration, e.g., attribute filters / release policies, manually. Users may have to wait. Trust: IDPs have to trust SPs. SPs may not get all required attributes. Limitation through schema: Inter-federation schema is only the common denominator of NREN federations. SPs may not get all required attributes. 6

Agenda Introduction Motivation GNTB Overview GNTB in Details Workflow Initiation of GNTB Workflow Metadata Registry Feature Attribute Repository Conclusion 7

GNTB Overview Our goal: SPs connected to user s IDPs. Independent of federation borders. Dynamic establishing technical trust and automated configuration. Configuration Researcher IDP SP Community GÉANT- TrustBroker DFN-AAI 8

GNTB Overview Basic function: Automate established workflows No manual setup work for IDPs No waiting time for users Features: Attribute Conversion Rule Repository + Account Choosing Re-use of attribute conversion rules One rule for all Only needed: registration + plugin Complements existing approaches 9

Agenda Introduction Motivation GNTB Overview GNTB in Details Workflow Initiation of GNTB Workflow Metadata Registry Attribute Repository Conclusion 10

GNTB Workflow 1. Researcher R wants to use a service at SP. R chooses her IDP at GNTB. 2. a) R triggers the technical setup. b) SP has to register at GNTB. 3. GNTB redirects R to his IDP for authentication. 4. a) IDP fetches metadata of SP. b) Configuration is automatically updated. IDP looks for attribute conversion rules. 5. IDP sends assertion to SP. R gets access to service at SP. 4b Researcher 4a IDP 3 Community 2a 5 1 Géant- TrustBroker 2b SP DFN-AAI 11

GNTB Initiation - Mockup User R wants to make use of a service. Since he cannot find his IDP in the list, he chooses GNTB. 12

GNTB Initiation - Mockup User R chooses his IDP at GNTB. 13

GNTB Initiation - Mockup User R is redirected to his IDP for authentication. 14

Agenda Introduction Motivation GNTB Overview GNTB in Details Workflow Initiation of GNTB Workflow Metadata Registry Attribute Repository Conclusion 15

GNTB Metadata Registry IDP/SP first needs to register at GNTB and install the plugin. Ownership and metadata are validated. Exchange of metadata on demand. Automatically added to the local configuration. Technical trust relationship established. 16

Agenda Introduction Motivation GNTB Overview GNTB in Details Workflow Initiation of GNTB Workflow Metadata Registry Attribute Repository Conclusion 17

GNTB Attribute Repository Typical conversion rules: Renaming: attribute is named differently, e.g., Gecos displayname Transforming: attribute transformed into another format, e.g., using yyyymmdd instead of dd.mm.yyyy Splitting / Merging: source attribute needs to be split by a regex, e.g., attribute role ( Administrator ) of a given DN entry cn=administrator, ou=groups, ou=application, o=lrz, c=de Merging two source attributes, e.g., givenname and surname, into a new one, e.g., commonname. 18

GNTB Attribute Repository Rules can be searched and re-used, e.g., within a federation Rules can be fetched by API calls by plugins Rule automatically added to local configuration use conv rule Only one IDP has to create rule SPs receive all requested attributes Rules could be used by other services, e.g., Attribute Authorities IDP write conv rule SP Géant- TrustBroker 19

GNTB Attribute Repository - Mockup Possible Administration Interface for managing conversion rules 20

GNTB Conclusion Advantages of GNTB: Metadata registry: SPs and IDPs can download metadata. User attribute conversion rule repository: IDPs can share and re-use conversion rules. Reduces manual work of IDPs. Conversion rules automated integrated into local configuration. Virtual IDP and SP: GNTB workflow seamlessly integrates into standard SAML workflows to connect SPs and IDPs on demand. SPs / IDPs only need a plugin. 21

GNTB Conclusion Shibboleth-based prototype Further development of GNTB in GN4 Pilot operations hopefully start in GN4 What have we done so far: Workflows and Requirements Data Model and Data Access Layer Started with Protocols What we still need to do: Protocols Implementation Internet-Draft to IETF in summer 2014 Documentation 22

For more details, please see the documents published on TrustBroker s Géant Intranet website: https://intranet.geant.net/jra0/geant-trustbroker To contact the project team, please email geant-trustbroker@lists.lrz.de www.geant.net www.twitter.com/geantnews www.facebook.com/geantnetwork www.youtube.com/geanttv 23

2024 © technodocbox.com Privacy Policy | Terms of Service | Feedback