WP JRA1: Architectures for an integrated and interoperable AAI

Similar documents
AARC. Christos Kanellopoulos AARC Architecture WP Leader GRNET. Authentication and Authorisation for Research and Collaboration

AARC Blueprint Architecture

AARC Overview. Licia Florio, David Groep. 21 Jan presented by David Groep, Nikhef.

EGI Check-in service. Secure and user-friendly federated authentication and authorisation

2. HDF AAI Meeting -- Demo Slides

AAI in EGI Current status

WP3: Policy and Best Practice Harmonisation

Pilots to support guest users solutions

The challenges of (non-)openness:

eidas cross-sector interoperability

GÉANT Community Programme

Deliverable DJRA1.1. Use-Cases for Interoperable Cross- Infrastructure AAI

The EGI AAI CheckIn Service

In Section 4 we discuss the proposed architecture and analyse how it can match the identified 2

DARIAH Update. 9th FIM4R Workshop. Vienna, Novemer 30, Peter Gietz, DAASI International GmbH.

Deliverable DSA1.4: Pilots to improve access to R&E-relevant resources

EGI AAI Platform Architecture and Roadmap

RCauth.eu / MasterPortal update

Can R&E federations trust Research Infrastructures? - The Snctfi Trust Framework

INDIGO AAI An overview and status update!

Scalable Negotiator for a Community Trust Framework in Federated Infrastructures (Snctfi)

Federated Identities and Services: the CHAIN-REDS vision

Federated Identity Management for Research Collaborations. Bob Jones IT dept CERN 29 October 2013

Recommendations on the grouping of entities and their deployment mechanisms in scalable policy negotiation

GÉANT Mission and Services

Higher Education external Attribute Authority. Mihály Héder István Tétényi (MTA SZTAKI) 19-May-2015

Deliverable D9.3 Best Practice for User-Centric Federated Identity

Security Incident Response Trust Framework for Federated Identity (Sir-T-Fi) David Kelsey (STFC-RAL) REFEDS, Indianapolis 26 Oct 2014

EU Liaison Update. General Assembly. Matthew Scott & Edit Herczog. Reference : GA(18)021. Trondheim. 14 June 2018

Sustainability in Federated Identity Services - Global and Local

DARIAH-AAI. DASISH AAI Meeting. Nijmegen, March 9th,

Policy and Best Practice Harmonisation ( NA3 ) from the present to the future

Federated Authentication with Web Services Clients

EUDAT. Towards a pan-european Collaborative Data Infrastructure

Identity Harmonisation. Nicole Harris REFEDS Coordinator GÉANT.

EGI federated e-infrastructure, a building block for the Open Science Commons

Management der Virtuellen Organisation DARIAH im Rahmen von Shibboleth- basierten Föderationen. 58. DFN- Betriebstagung, Berlin, 12.3.

Development, testing and quality assurance report

Cross border eservices STORK 2.0

EUDAT - Open Data Services for Research

Options for Joining edugain. Lukas Hämmerle, SWITCH DARIAH Workshop, Köln 18 October 2013

GN2 JRA5: Roaming and Authorisation

Guidelines on non-browser access

Open Science Commons: A Participatory Model for the Open Science Cloud

Business Model for Global Platform for Big Data for Official Statistics in support of the 2030 Agenda for Sustainable Development

Advancing European R&E through collaboration

On the EGI Operational Level Agreement Framework

SLCS and VASH Service Interoperability of Shibboleth and glite

Best Practices: Authentication & Authorization Infrastructure. Massimo Benini HPCAC - April,

TAS 3 Architecture. Sampo Kellomäki Symlabs , ServiceWave, Stockholm

dcache integration into HDF

GN3plus External Advisory Committee. White Paper on the Structure of GÉANT Research & Development

TRUST ELEVATION WITH SAFELAYER TRUSTEDX. David Ruana, Helena Pujol 14Q4

National R&E Networks: Engines for innovation in research

«Prompting an EOSC in Practice»

The EU OPEN meter project

Outline. Infrastructure and operations architecture. Operations. Services Monitoring and management tools

Research Infrastructures and Horizon 2020

User Community Driven Development in Trust and Identity Services

Attributes for Apps How mobile Apps can use SAML Authentication and Attributes

An introduc/on to Sir0i

CANARIE Mandate Renewal Proposal

JRA5: Roaming and Authorisation

TRUST IDENTITY. Trusted Relationships for Access Management: AND. The InCommon Model

Jeremy Olsen (Francis Crick Institute), Jens Jensen (STFC), Steven Newhouse (EBI), Darren

Helix Nebula The Science Cloud

GÉANT Time Compendium Project and Service Updates

SLHC-PP DELIVERABLE REPORT EU DELIVERABLE: Document identifier: SLHC-PP-D v1.1. End of Month 03 (June 2008) 30/06/2008

Deliverable D2.4 AppHub Software Platform

STORK PRESENTATION. STORK Overview STePS workshop, 17 June Herbert Leitold. Stork is an EU co funded project INFSO ICT PSP

EUDAT- Towards a Global Collaborative Data Infrastructure

Coupled Computing and Data Analytics to support Science EGI Viewpoint Yannick Legré, EGI.eu Director

ACCI Recommendations on Long Term Cyberinfrastructure Issues: Building Future Development

Kerberos for the Web Current State and Leverage Points

ELFms industrialisation plans

Beyond Status and plans

Regional e-infrastructures

Now SAML takes it all:

STORK PRESENTATION 07/04/2009. Frank LEYMAN. Manager International Relations. Stork is an EU co-funded project INFSO-ICT-PSP

BECOMING A DATA-DRIVEN BROADCASTER AND DELIVERING A UNIFIED AND PERSONALISED BROADCAST USER EXPERIENCE

Greek Research and Technology Network. Authentication & Authorization Infrastructure. Faidon Liambotis. grnet

Authentication in Galaxy : let's use what is out there - (National) Identity Providers

Progress towards the EOSC

EXPERIENCE SIMPLER, STRONGER AUTHENTICATION

The Role and Functions of European Grid Infrastructure

Enabling Grids for E-sciencE. EGEE security pitch. Olle Mulmo. EGEE Chief Security Architect KTH, Sweden. INFSO-RI

Third public workshop of the Amsterdam Group and CODECS European Framework for C-ITS Deployment

FedRAMP: Understanding Agency and Cloud Provider Responsibilities

European Open Science Cloud

Federated access to e-infrastructures worldwide

Ramnish Singh IT Advisor Microsoft Corporation Session Code:

Best practices and recommendations for attribute translation from federated authentication to X.509 credentials

eidas Regulation eid and assurance levels Outcome of eias study

ArcGIS Server and Portal for ArcGIS An Introduction to Security

A collaboration overview: From TF-VSS to GN2 SA6

GÉANT network and applications PENS workshop J-L Dorel European Commission

Interagency Advisory Board Meeting Agenda, August 25, 2009

European digital repository certification: the way forward

EUROPEAN MIDDLEWARE INITIATIVE

Supporting European e-infrastructure service providers to join the European Open Science Cloud

Transcription:

Authentication and Authorisation for Research and Collaboration WP JRA1: Architectures for an integrated and interoperable AAI Christos Kanellopoulos

Agenda Structure and administrative matters Objectives Task Achievements JRA1 in AARC2 2

Activity Structure T1 Activity Lead Christos Kanellopoulos Requirements Analysis Peter Solagna EGI T2 Blueprint Architectures Marcus Hardt KIT T3 Models for supporting guest Identities Jens Jensen STFC T4 Models for implementing APs and TTS Davide Vaghetti GARR Partners 3

Activity Structure Guest Identities T3 Analysis of User Requirements Analysis of AA Technologies Draft Blueprint Architecture Final Blueprint Architecture T1 T1 T2 T2 Attribute Authorities & Token Translation M04 M08 M12 M15 M24 T4 4

Resources (1 May 2016 30 April 2017) and deliveries Total Year 2 effort 75 PM for 2 years: Y2 (upd) forecast: 40.2 PM (????? FTE)???? PM used???% of resources in flat distribution 1 of 1 deliverables delivered in PY2 DJRA1.2 Blueprint Architectures ü Other key documents and results Recommendations on expressing Group Membership and role information Guidelines on attribute aggregation Guidelines on token translation services Best practices for managing authorization Guidelines on non web-access Recommendations on implementing SAML authentication proxies for social IdPs Recommendations on credential delegation Account linking uses cases and LoA elevation ü üü ü 5

High-level objectives (1/2) Analyse how much has been developed to leverage federated access with other authentication systems used in the R&E communities, in the egov space and in the ü commercial sector; Research a possible solution to link identities in the contest of higher levels of ü assurance, attribute providers and guest identities; Assess existing technologies to provide SSO for non-web applications (cloud, storage ü and so on) and offer recommendations for their usage; ü Develop a risk-based model for existing AAI solutions; 7

High-level objectives (2/2) Propose models for supporting guest identities (NRENs in-house solutions vs ü commercially-offered solutions should be explored); Define a blueprint architecture to enable web and non-web SSO capabilities across different infrastructures, integrating attribute providers/group management ü tools operated by user-communities; Provide models for federated authorisation: how to integrate attributes and permissions from diverse communities, making them available at the federation level in a consistent ü and secure way. 7

Feedback from PY1 Review Comments on eid Interop issues with EU egov and activities outside of EU (Brazil, Korea) Articulate a clear goal for egov IDs in the context of AARC (service provider oriented) Consent and how we handle it in the AARC Architecture Look at the ANCHOR project Authorization AuthZ is missing from this version of the Blueprint Architecture Develop a plan for defining a blueprint architecture for authz after AARC 8

Architectures for an integrated and interoperable AAI Achievements: Task 1 Requirements Analysis 9

Architectures for an integrated and interoperable AAI Objectives for: Task 1 Requirements analysis Objectives from Technical Annex Community Requirements AA technologies & Standards Investigate interoperation activities and support for cross domain collaboration AAI in R&E sector, Libraries and egov Year 1 Results ü KPI: Completed Completed Completed ü ü ü ü Analyze at least 5 e-infrastructures and VOs. (14) Completed 10

Achievements Task JRA1.1 Requirements Analysis (1/2) Attribute Release Attribute Aggregation User Friendliness SP Friendliness Persistent Unique Id Credential translation Credential Delegation User Managed Information Levels of Assurance Guest users Step-up AuthN Best Practices Community based AuthZ Non-webbrowser Social & e- Gov IDs Incident Response 11

Architectures for an integrated and interoperable AAI Achievements: Task 2 Blueprint Architectures Achievements: Task 2 Blueprint Architectures 12

Architectures for an integrated and interoperable AAI Objectives for: Task 2 Blueprint Architectures Objectives from Technical Annex Architecture for a pan-european integrated AAI Explore the use of Guest Identities Support for multiple Attribute Providers and Token Translation Systems Models for LoA elevation Year 1 Results Completed Completed Completed ü ü ü!!!!!!!! ü KPI: Deliver at least 3 iterations of the Blueprint Architecture (5) 13

Achievements - Task JRA1.2 Blueprint Architectures 3 rd iteration (June 2016) TNC2016 (Prague June 2016) MJRA1.4 1 st Draft version of the Blueprint Architecture 4 th iteration (November 2016) AARC All-Hands Meeting (CERN November 2017) AARC Infoshare on the Blueprint Architecture (January 2017) FIM4R Workshop (Vienna February 2017) 5 th iteration (March 2017) 5 th AARC General Meeting (Athens March 2017) Internet2 Global Summit (Washington D.C. April 2017) 14

Blueprint Architecture edugain and the Identity Federations A solid foundation for federated access in R&E Authentication and Authorization Architecture for Research Collaboration A set of building blocks on top of edugain for International Research Collaboration 16

Architectures for an integrated and interoperable AAI Achievements: Task 3 Models for supporting Guest Identities 16

Architectures for an integrated and interoperable AAI Objectives for: Task 3 Models for supporting Guest Identities Objectives from Technical Annex Solutions for Guest Identities and alternative methods of identification Strategy to permit public access at large to services via AAI Collaboration with NA3 for the definition of LoA framework and a risk based model Investigate risks associated with delegation of credentials Year 1 Results Completed Completed Completed ü ü ü Completed ü ü KPIs: Document, test and compare external (non-federated IdPs) of 5 communities and 3 social media (6/4) 17

Achievements Task JRA1.3 Models for supporting Guest Identities Ø AARC Strategy for enabling public access at large ² In collaboration with all AARC WPs ² https://goo.gl/7kl338 Ø Recommendations on the use of Guest Identities ² Available in AARC-BPA-2017 Ø Recommendations on credential delegation (!) ² https://goo.gl/i5sztp Ø eidas and egov IDs in the context of AARC (?) 18

Architectures for an integrated and interoperable AAI Achievements: Task 4 Models for implementing attribute providers and token translation services 19

Architectures for an integrated and interoperable AAI Objectives for: Task 4 Models for implementing attribute providers and token translation services Objectives from Technical Annex Models for implementing Attribute Providers & Guidelines for Attribute Release Integration of Community based Attribute Providers & Guidelines for expressing group membership Technologies for Token Translation Services and credential delegation Best practices for managing authorization Year 2 Results Completed Completed Completed ü ü ü Completed ü ü KPIs: Deliver at least 3 models for implementing attribute providers (3) Document, test and assess at least 3 delegation schemes /technologies (5) * MJRA1.3 was delivered in June, technically in PY2 20

Achievements Task JRA1.4 Models for implementing attribute providers and token translation services Recommendations & Best Practices Ø Expressing group membership and role information Ø Attribute aggregation Ø Token Translation Service Ø Managing authorisation Ø Credential Delegation Ongoing Ø Non-browser access Ø Account linking use cases & LoA elevation Ongoing Ø SAML authentication proxies for social IDs Ongoing 21

JRA1 in AARC2 Work with existing e-infrastructures and ESFRI projects to deploy and enhance (JRA1) the integrated AAI focus on the integration aspects of the blueprint architecture that will be delivered by the AARC project; provide recommendations and guidelines for implementers, service providers and infrastructure operators on implementing scalable and interoperable AAIs across e-infrastructures and scientific communities Expansion of the blueprint of the integrated AAI to explore authorisation and delegation aspects in such a complex environment as well as the support for alternatives to SAML. Expand support for new technologies and policies (JRA1 and NA3). Follow a user-driven approach: development driven by use-cases and continuous community feedback on AARC2 work Work in close collaboration with NA3, SA1, the Competence Centre and the training and outreach activities of AARC2. 22

JRA1 in AARC2 T1 Activity Lead Nicolas Liampotis GRNET T2 Tools and Services for Interoperable Infrastructures Service Provider Architectures and Authorization in multi-sp Environments Peter Solagna EGI Marcus Hardt KIT T3 Models for the Evolutions of AAIs for Research Collaboration Davide Vaghetti GARR T4 Scalable VO Platforms Jens Jensen STFC Partners 3

Thank you Any Questions? GEANT on behalf of the AARC project. The research leading to these results has received funding from the European Union s Horizon 2020 research and innovation programme under Grant Agreement No. 653965 (AARC).

2024 © technodocbox.com Privacy Policy | Terms of Service | Feedback