Higher Education external Attribute Authority. Mihály Héder István Tétényi (MTA SZTAKI) 19-May-2015

Similar documents
Open Call Deliverable OCK-DS1.1 Final Report (HEXAA)

The EGI AAI CheckIn Service

AARC Blueprint Architecture

RCauth.eu / MasterPortal update

Deliverable D14.1 (DJ3.0.1) Report on the Achievements and Recommendations for any Future Work

WP JRA1: Architectures for an integrated and interoperable AAI

2. HDF AAI Meeting -- Demo Slides

Workflow applications on EGI with WS-PGRADE. Peter Kacsuk and Zoltan Farkas MTA SZTAKI

Authentication & Authorization systems developed for CTA

Moonshot. Workshop on Federated Identity and (OpenStack) Cloud Services - SWITCH

EGI Check-in service. Secure and user-friendly federated authentication and authorisation

Deliverable DSA1.4: Pilots to improve access to R&E-relevant resources

INDIGO AAI An overview and status update!

FeduShare Update. AuthNZ the SAML way for VOs

Chapter 2 Introduction to the WS-PGRADE/gUSE Science Gateway Framework

EGI AAI Platform Architecture and Roadmap

EGI-InSPIRE. Cloud Services. Steven Newhouse, EGI.eu Director. 23/05/2011 Cloud Services - ASPIRE - May EGI-InSPIRE RI

Federated access to e-infrastructures worldwide

DARIAH-AAI. DASISH AAI Meeting. Nijmegen, March 9th,

GN2 JRA5: Roaming and Authorisation

Coupled Computing and Data Analytics to support Science EGI Viewpoint Yannick Legré, EGI.eu Director

DARIAH Update. 9th FIM4R Workshop. Vienna, Novemer 30, Peter Gietz, DAASI International GmbH.

GÉANT Community Programme

Guidelines on non-browser access

Greek Research and Technology Network. Authentication & Authorization Infrastructure. Faidon Liambotis. grnet

AAI in EGI Current status

Pilots to support guest users solutions

Introduction of Identity & Access Management Federation. Motonori Nakamura, NII Japan

Liferay Security Features Overview. How Liferay Approaches Security

INDIGO-DataCloud Architectural Overview

Now SAML takes it all:

Federated Authentication with Web Services Clients

Warm Up to Identity Protocol Soup

Beyond X.509: Token-based Authentication and Authorization with the INDIGO Identity and Access Management Service

EUDAT - Open Data Services for Research

One small step for the Shib admin, one giant leap for the SAML community?

FEDERATED IDENTITY AT ARGONNE NATIONAL LABORATORY

2010 Kerberos Conference

WSO2 Identity Management

Integration of the guse/ws-pgrade and InSilicoLab portals with DIRAC

Options for Joining edugain. Lukas Hämmerle, SWITCH DARIAH Workshop, Köln 18 October 2013

Thebes, WS SAML, and Federation

Géant-TrustBroker Project Overview

Overview about the SCI-BUS Project (Communities and sustainability)

Qualys SAML 2.0 Single Sign-On (SSO) Technical Brief

EGI federated e-infrastructure, a building block for the Open Science Commons

AARC. Christos Kanellopoulos AARC Architecture WP Leader GRNET. Authentication and Authorisation for Research and Collaboration

A Simplified Access to Grid Resources for Virtual Research Communities

SA1 CILogon pilot - motivation and setup

Do I Really Need Another Account? External Identities for Campus Applications

Deliverable D9.3 Best Practice for User-Centric Federated Identity

LionShare: A Hybrid Secure Network for Academic Collaboration. Michael J. Halm, Marek Hatala, Derek Morr and Alex Valentine

Outline. Infrastructure and operations architecture. Operations. Services Monitoring and management tools

INDIGO-Datacloud Identity and Access Management Service

TextExpander Okta SCIM Configuration

Géant-TrustBroker Dynamic inter-federation identity management

SAP Security in a Hybrid World. Kiran Kola

Regional e-infrastructures

Management der Virtuellen Organisation DARIAH im Rahmen von Shibboleth- basierten Föderationen. 58. DFN- Betriebstagung, Berlin, 12.3.

National R&E Networks: Engines for innovation in research

AARC Overview. Licia Florio, David Groep. 21 Jan presented by David Groep, Nikhef.

SAFARI Montage v6.5.28

Connect. Communicate. Collaborate. GN2 JRA5 update. Jürgen Rauschenbach (DFN), JRA5 team 04/02/08 Marseille. JRA5 Team

Challenges in Authenticationand Identity Management

PoS(ISGC 2011 & OGF 31)119

Introduction on Science Gateway

CAS s IDP system and resources in Education Cloud

Enabling Grids for E-sciencE. EGEE security pitch. Olle Mulmo. EGEE Chief Security Architect KTH, Sweden. INFSO-RI

EGI-InSPIRE. GridCertLib Shibboleth authentication for X.509 certificates and Grid proxies. Sergio Maffioletti

Oman Research & Education Network (OMREN)

SLCS and VASH Service Interoperability of Shibboleth and glite

The Trusted Attribute Aggregation Service (TAAS)

Certification Exam Guide SALESFORCE CERTIFIED IDENTITY AND ACCESS MANAGEMENT DESIGNER. Summer Salesforce.com, inc. All rights reserved.

Apache Rave Enterprise Social Networking Out Of The Box. Ate Douma, Hippo B.V. Matt Franklin, The MITRE Corporation November 9, 2011

Kerberos on the Web Thomas Hardjono

Configuring Single Sign-on from the VMware Identity Manager Service to Marketo

TF-WebRTC. 12/15/14 Paris / France. Mihály Mészáros

SAML 2.0 Software comparison Andreas Åkre Solberg EuroCAMP, Athens,

The challenges of (non-)openness:

eidas cross-sector interoperability

Allowing the user to define the attribute release 21 May 2014

Authentication in the Cloud. Stefan Seelmann

Integrating the YuJa Enterprise Video Platform with Dell Cloud Access Manager (SAML)

Przejmij kontrolę nad użytkownikiem, czyli unifikacja dostępu do aplikacji w zróżnicowanym środowisku

Intro to the Identity Experience Engine. Kim Cameron, Microsoft Architect of Identity ISSE Paris November 2016

MITA s approach to Open Standards. Presented by: Noel Cuschieri 24 th November 2015

Federated AAI and the World of Tomorrow. Rion Dooley

The Future of Indoor Plumbing. Dr Ken Klingenstein Director, Internet2 Middleware and Security

GÉANT-TrustBroker project overview

Sustainability in Federated Identity Services - Global and Local

Disclaimer This presentation may contain product features that are currently under development. This overview of new technology represents no commitme

MOC 20416B: Implementing Desktop Application Environments

Deliverable DJRA1.1. Use-Cases for Interoperable Cross- Infrastructure AAI

Attribute Aggregation in Federated Identity Management. David Chadwick, George Inman, Stijn Lievens University of Kent

Federated Identity Management

Ramnish Singh IT Advisor Microsoft Corporation Session Code:

Grouper Working Group

[GSoC Proposal] Securing Airavata API

EUDAT & AAI. Daan Broeder MPI for Psycholinguistics

CIAM: Need for Identity Governance & Assurance. Yash Prakash VP of Products

Transcription:

Higher Education external Attribute Authority Mihály Héder István Tétényi (MTA SZTAKI) 19-May-2015

Problems in Collaboration

Problems in Collaboration

Problems in Collaboration

Why we need Attribute Authorities? Motivations for HEXAA SP s attribute requirements grow but the IdPs capabilities are constrained and differ in terms of Procedures Bureaucracy Scope Flexibility Authority

Why we need Attribute Authorities? Motivations for HEXAA It is possible to outsource some of the administrative burden of the IdPs in federation External Attribute Provider (EAP)/ Attribute Authority (AA) Separation of AuthN and AuthZ Delegating AuthZ in the hands of the community Providing additional profile attributes e.g. ORCID, X.509 cert, e-mail, etc. Manage attributes where it is least cumbersome and fits best At virtual organizations by VO managers By the users themselves who knows always best

Why we need Attribute Authorities? Motivations for HEXAA AA is a focal point for provisioning services in a federation by keeping attributes Consistent Coherent Consolidated and centralized in an independent place

HEXAA Project Use case discovery User survey User community requirement assessment Legal research/study Common guidelines for AA software developers HEXAA software development HEXAA dissemination

HEXAA results Research on the Legal Framework Generic guidelines: EAP shall manage Level of Assurance/Level of Confidence (LOA/LOC). EAP shall manage Consents. Users should be able to: prohibit release, revoke attributes, self-delete. Users should be able to see their attribute release history. The requirements analyses and the development were carried out hand-in-hand.

HEXAA results Software development core functionality HEXAA core functionality in a nutshell: Virtual Organization manager Profile Attribute manager Data protection by design Consent Data expiration Regular data re-checks API call separated SAML frontend and back-end 3rd party GUI is an option User profile attributes SAML Attribute Authority HEXAA API VO management Integration plugins Consent

HEXAA results Software development - HEXAA architecture

HEXAA results Software development - HEXAA architecture

HEXAA results Software development - integration SimpleSamlPHP modules AA provider and consumer Specific integration plugins Liferay (WS-Pgrade/gUSE Portal), Drupal (e-science gateways) OpenNebula (3.8-4.10.1), OpenStack (juno) (clouds) edujabber, Racktables, MediaWiki Hungarian NREN (NIIFI) HPC portal, custom apps through API Software development results available from GitHub with Apache licence

HEXAA results Software development - integration SimpleSamlPHP modules AA provider and consumer Specific integration plugins Liferay (WS-Pgrade/gUSE SSP Portal), Drupal (e-science gateways) OpenNebula (3.8-4.10.1), OpenStack (juno) (clouds) edujabber, Racktables, MediaWiki Hungarian NREN (NIIFI) HPC portal, custom apps through API.. Liferay Software development results available from GitHub with Apache licence

HEXAA results HEXAA and e-science environments Apache Web Server Shibboleth SAML federation SAML IdP SAML Authentication Liferay portal Liferay SSO plugin Community specific user environments User provisioning and update SAML Attribute Query guse/ws-pgrade Science Gateway Community specific attributes Community specific software deployments Authentication by federation (edugain, eduid,..) Authorization and profile Attributes by HEXAA Standard based (SAML2) interworking using SAML Attribute Request European Grid Federated Cloud

HEXAA results HEXAA and Cloud services Apache Web Server Shibboleth SAML federation SAML IdP SAML Authentication OpenNebula web access OpenNebula plugin User provisioning and update SAML Attribute Query OpenNebula service Community specific attributes Authentication by federation (edugain, eduid,..) Authorization and profile Attributes by HEXAA Standard based (SAML2) interworking using SAML Attribute Request Openstack uses the same operational model

HEXAA and Openstack

HEXAA and Openstack

HEXAA and Openstack

HEXAA and Openstack The plugin is availabe on GitHub!

edujabber example

edujabber example

edujabber example

Plans Sustainability- Collaboration Plans: Several ideas to extend features (VOOT, SCIM, etc.) Interworking with other AA-s Perun, Unity, OpenConext Collaborating in large scale projects AARC, MAGIC, EGI Sustainability: edugain integration Any edugain member is able to use it Eduid.hu NIIFI/Hungarnet operationally secures HEXAA final version Community support

HEXAA overall status HEXAA is fully functional, demonstrated at November 2014 Demos are available at: http://hexaa.eduid.hu hexaa.eduid.hu is fully integrated into Hungarian identity federation and since May-2015 also in edugain e-science gateway /guse-ws-pgrade/ operational Institutional OpenNebula cloud operational OpenStack Juno plugin operational Kilo underway NIIFI NREN HPC portal is operational edugain integration DONE HEXAA software modules and plugins are available at GitHub

The HEXAA team greets you!

Thank you and any questions? Hello! You can add your own text here

2024 © technodocbox.com Privacy Policy | Terms of Service | Feedback