eidas cross-sector interoperability

Similar documents
AARC Overview. Licia Florio, David Groep. 21 Jan presented by David Groep, Nikhef.

WP JRA1: Architectures for an integrated and interoperable AAI

Cross border eservices STORK 2.0

AARC. Christos Kanellopoulos AARC Architecture WP Leader GRNET. Authentication and Authorisation for Research and Collaboration

STORK Secure Identity Across Borders Linked

The EGI AAI CheckIn Service

EGI Check-in service. Secure and user-friendly federated authentication and authorisation

Deliverable D3.5 Harmonised e-authentication architecture in collaboration with STORK platform (M40) ATTPS. Achieving The Trust Paradigm Shift

eidas Regulation eid and assurance levels Outcome of eias study

TRUST IDENTITY. Trusted Relationships for Access Management: AND. The InCommon Model

The challenges of (non-)openness:

Liberty Alliance Project

STORK PRESENTATION 07/04/2009. Frank LEYMAN. Manager International Relations. Stork is an EU co-funded project INFSO-ICT-PSP

Pilots to support guest users solutions

SAT for eid [EIRA extension]

The EUReID Observatory. Brussels 2009_09_29

Next-Generation Identity Federations. Andreas Åkre Solberg

NATIONAL INSTITUTE OF STANDARDS AND TECHNOLOGY

Electronic ID at work: issues and perspective

Sustainability in Federated Identity Services - Global and Local

AARC Blueprint Architecture

Identity Harmonisation. Nicole Harris REFEDS Coordinator GÉANT.

Greek Research and Technology Network. Authentication & Authorization Infrastructure. Faidon Liambotis. grnet

STORK PRESENTATION. STORK Overview STePS workshop, 17 June Herbert Leitold. Stork is an EU co funded project INFSO ICT PSP

Mobile Connect Driving Global Economic Growth Through Secure Mobile Identity

Security Incident Response Trust Framework for Federated Identity (Sir-T-Fi) David Kelsey (STFC-RAL) REFEDS, Indianapolis 26 Oct 2014

Data Privacy in the Cloud E-Government Perspective

ITU Workshop on Security Aspects of Blockchain (Geneva, Switzerland, 21 March 2017) Blockchains risk or mitigation?

Deliverable D9.3 Best Practice for User-Centric Federated Identity

GÉANT Community Programme

Géant-TrustBroker Dynamic inter-federation identity management

REFEDS Year End Report 2015

eid building block Introduction to the Connecting Europe Facility DIGIT Directorate-General for Informatics

Polymorphic Encryption and Pseudonymization in the Dutch eid scheme. IRMA meeting, 23 September 2016

CEF eid SMO The use of eid in ehealth. ehealth Network meeting 7 June 2016 Amsterdam

RA21. Resource Access in the 21 st Century

Géant-TrustBroker Project Overview

Federated Authentication for E-Infrastructures

USC esignature and Interoperability. Daniel Sánchez Martínez University of Murcia

Trust and Identity Services an introduction

On integration of academic attributes in the eidas infrastructure to support cross-border services

Options for Joining edugain. Lukas Hämmerle, SWITCH DARIAH Workshop, Köln 18 October 2013

AAI in EGI Current status

Establishing Trust Across International Communities

Trusted National Identity Schemes. Coralie MESNARD

Connect. Communicate. Collaborate. GN2 JRA5 update. Jürgen Rauschenbach (DFN), JRA5 team 04/02/08 Marseille. JRA5 Team

ISO/IEC INTERNATIONAL STANDARD. Information technology Security techniques Entity authentication assurance framework

Federated authentication for e-infrastructures

Canadian Access Federation: Trust Assertion Document (TAD)

Registry for identifiers assigned by the Swedish e-identification board

SAML Metadata Signing gpolicy and Aggregation Practice Statement

The Future of Indoor Plumbing. Dr Ken Klingenstein Director, Internet2 Middleware and Security

In Section 4 we discuss the proposed architecture and analyse how it can match the identified 2

Can R&E federations trust Research Infrastructures? - The Snctfi Trust Framework

Policy and Best Practice Harmonisation ( NA3 ) from the present to the future

EGI AAI Platform Architecture and Roadmap

Orange Liberty-enabled solution for 71 million subscribers. Aude Pichelin Orange Group Standardisation Manager

eidas Interoperability Architecture Version November 2015

e-sens Electronic Simple European Networked Services

eidas-node Error Codes

The AAF - Supporting Greener Collaboration

The adoption of cloud services

GÉANT-TrustBroker project overview

Scalable Negotiator for a Community Trust Framework in Federated Infrastructures (Snctfi)

How to Survive the Zombie Apocalypse

Deliverable D14.1 (DJ3.0.1) Report on the Achievements and Recommendations for any Future Work

Deliverable DJRA1.1. Use-Cases for Interoperable Cross- Infrastructure AAI

INCOMMON FEDERATION: PARTICIPANT OPERATIONAL PRACTICES

Federated Identity Management

Oman Research & Education Network (OMREN)

Identity management. Tuomas Aura T Information security technology. Aalto University, autumn 2011

Extending Services with Federated Identity Management

1. Publishable Summary

Digital Austria = egov best practice in d Europe

Instructions. Arion bank ebanking pilot

Operated by Los Alamos National Security, LLC for the U.S. Department of Energy's NNSA

Federated Authentication with Web Services Clients

Identity management. Tuomas Aura CSE-C3400 Information security. Aalto University, autumn 2014

WP3: Policy and Best Practice Harmonisation

APAN 25 Middleware Session, Hawaii Jan.24, 2008 Japanese University PKI (UPKI) Update and Shibboleth using PKI authentication

Canadian Access Federation: Trust Assertion Document (TAD)

SWITCHaai Service Description

ENHANCING CROSS-BORDER EID FEDERATIONS BY USING A MODULAR AND FLEXIBLE ATTRIBUTE MAPPING SERVICE TO MEET NATIONAL LEGAL AND TECHNICAL REQUIREMENTS

Enterprise Identity Management 101. Phillip J. Windley Brigham Young University

2. HDF AAI Meeting -- Demo Slides

U.S. E-Authentication Interoperability Lab Engineer

Overview October 2014

Recommendations on the grouping of entities and their deployment mechanisms in scalable policy negotiation

Interoperability Infrastructure Services

GN2 JRA5: Roaming and Authorisation

Towards an integrated regulation platform in Luxembourg. Information Security Education Day th of april

Trust Services for Electronic Transactions

Canadian Access Federation: Trust Assertion Document (TAD)

DATA MATCHING IN THE IDENTITY ECOSYSTEM

REFEDS Minutes, 22 April 2012

Stakeholder and community feedback. Trusted Digital Identity Framework (Component 2)

New trends in Identity Management

Federated Access Management Futures

RCS Business Messaging: Recommended Good Practices

The Internet of Things

Transcription:

eidas cross-sector interoperability Christos Kanellopoulos GRNET edugain SG October 13 th, 2016

Background information 2013 - STORK-2 collaboration (GN3Plus) 2014-07 Adoption of the eidas Regulation 2014-09 edugain STORK-2 Profile comparison and interoperation scenarios (GN3Plus) 2015 - Proof of concept pilot of the edupeps Proxy (GN4-1) Access an SP at GRNET federation using a spanish eidvia the edupeps Proxy Access a STORK-2 SP in Spain using an account at the GRNET VHO IdP via the edupeps Proxy 2015-09 Uses cases involving eids for International Research Collaboration (AARC) Use of eids as a potential solution for Guest Identities Use of eids for use cases that require high level of assurance 2015-11 eidas Proxy production deployment at the MS 2018-09 Cross border recognition of eid means 2

Cross-sector interoperation with eidas 2016-07 1 st meeting in Brussels between AARC, GN4 and eidas Reps Investigate the possibility of an interoperation pilot between edugain and eidas 2016-09 2 nd meeting in London (AARC, GN4, Internet2, eidas Reps) Draft proposal for an interoperability pilot between 3 Use cases: Use case 1: authenticate to edugain service with eidas eid Use case 2: authentication to an edugain service where a higher LoA is required Use case 3: registering at a university online with cross-border attribute provision [** This use case is only going to be a study and not an actual implementation ] 3

Proposed time plan Preparatory phase [Nov 2016 - Dec 2016] + Confirm pilot participants and use cases Alpha phase 1 [Jan 2017 - Mar 2017] Develop testing process for each use case Define interoperability architecture and standards Analysis of potential security and fraud risks + Analysis of privacy and consent requirements Analysis of potential legal issues Alpha phase 2 [Apr 2017 - Oct 2017] Technical connectivity between eidas and edugain Use case 1: authenticate to edugain service with eidas eid Use case 2: authentication to an edugain service where a higher LoA is required Use case 3: registering at a university online with cross-border attribute provision [** This use case is only going to be a study and not an actual implementation ] Alpha evaluation [Nov 2017 - Dec 2017] 4

Use cases 1. The use of eidas eids in the context of academic research services. The use case scenario is a researcher participating in an international collaboration, who will be accessing services available in edugain using eidas eid assertions as a means of identifying herself. There is an important benefit here for edugain as there are cases in which researchers do not have eids from an academic institution but may have access to national eid through eidas 2. The use of eidasas a mean to access services that require higher LoA The use case scenario is a researcher participating in an international collaboration (e.g. a Bio-bank), who will be accessing services available in edugain using eidas eid assertions as a mean to elevate the LoA of the identity assertion. This is an existing problem for edugain as there are no higher levels of assurance currently. 3. The combination of eidas eid assertions and user attributes coming from a university The use case scenario will mimic the user journey of an individual registering at a university in country B (eidas eid assertion- from IDPs) and asserting proof of their academic attributes from an institution in country A (attribute enrichment). The user will register to enrol at a university in country A by asserting an identity and additional attributes established in country B. It is noted that the US does not currently have a national eid service meaning that **this element of the alpha will focus on user research rather than technical implementation aspects**. 5

Next steps Confirmation of pilot participants and use cases Confirmed participants: GRNET & SURFNET Any other federation interested in participating? Internal analysis and decision on the interoperation scenarios: Establish bridge/proxy at the national level? A distributed bridge/proxy at the GÉANT/eduGAIN level? eidas as an Identity Federation in edugain? 6

skanct@grnet.gr Thank you and any questions 7

Background Material edugain STORK2 Interoperability Pilot 8

edugain STORK2 Interoperability Pilot Some similarities, but enough differences to hinder direct interoperability: SAML edugain Federations are using the SAML2Int SAML profile STORK is using STORKsaml, which has custom SAML extensions Attributes edugain Federations use the eduperson schema STORK2 has defined attribute schemas for various verticals (including academia) Trust relationship In the edugain Federations, Service Providers typically interact directly with the Identity & Attribute Providers. In the STORK architecture cross-border authentication and attribute exchange goes through proxies that are operated at the member state level Levels of Assurance In edugain Federations LoA is not used at the moment, but will be introduced soon STORK introduces custom SAML2 extensions to communicate per attribute LoA Attribute Release Policies In edugain Federations IdPs have very strict Attribute Release policies. FAM is considered as a privacy enhancing tool. Considerations about forced vs freely given consent In the STORK pilot: Liberal attribute release policies based on user consent 9

edugain STORK2 High Level Architecture 10

edugain STORK2 High Level Architecture SAML2 Interoperability Profile Full Mesh Federations and Hub and Spoke Central Metadata Service Dynamic Trust Attributes based on eduperson Production infrastructure SAML STORK Profile Proxied architecture Static Trust between Proxies (PEPS) Attribute Authorities & Attribute Aggregation Levels of Assurance STORK defined Attributes (?) 11

Scenario A: Middleware adaptors for C/S-PEPS 12

Scenario B: edupeps ProxyingEntity 13

2024 © technodocbox.com Privacy Policy | Terms of Service | Feedback