EGI AAI Platform Architecture and Roadmap

Similar documents
The EGI AAI CheckIn Service

EGI Check-in service. Secure and user-friendly federated authentication and authorisation

Best practices and recommendations for attribute translation from federated authentication to X.509 credentials

WP JRA1: Architectures for an integrated and interoperable AAI

Introducing Shibboleth. Sebastian Rieger

AARC. Christos Kanellopoulos AARC Architecture WP Leader GRNET. Authentication and Authorisation for Research and Collaboration

RCauth.eu / MasterPortal update

Pilots to support guest users solutions

REFEDS Assurance Framework ver 1.0 (DRAFT 2 May 2018)

AAI in EGI Current status

Session 2.1: Federations: Foundation. Scott Koranda Support provided by the National Institute of Allergy and Infectious Diseases

Guidelines on non-browser access

AARC Blueprint Architecture

Deliverable DSA1.4: Pilots to improve access to R&E-relevant resources

Introduction of Identity & Access Management Federation. Motonori Nakamura, NII Japan

Advanced Configuration for SAML Authentication

Deliverable DJRA1.1. Use-Cases for Interoperable Cross- Infrastructure AAI

Attribute Profile. Trusted Digital Identity Framework August 2018, version 1.0

Identity Harmonisation. Nicole Harris REFEDS Coordinator GÉANT.

Best Practices: Authentication & Authorization Infrastructure. Massimo Benini HPCAC - April,

Attribute Release Update

Research Collaboration IAM Needs

SAML 2.0 Profile. Trusted Digital Identity Framework August 2018, version 1.0

Delegated authentication Electronic identity: delegated and federated authentication, policy-based access control

INDIGO-Datacloud Identity and Access Management Service

SAML 2.0 SSO Extension for Dynamically Choosing Attribute Values

Management der Virtuellen Organisation DARIAH im Rahmen von Shibboleth- basierten Föderationen. 58. DFN- Betriebstagung, Berlin, 12.3.

Higher Education external Attribute Authority. Mihály Héder István Tétényi (MTA SZTAKI) 19-May-2015

Shibboleth authentication for Sync & Share - Lessons learned

Active Directory eduperson

AARC Overview. Licia Florio, David Groep. 21 Jan presented by David Groep, Nikhef.

eidas cross-sector interoperability

Security Assertion Markup Language (SAML) applied to AppGate XDP

EGI Applications Database VM Operations dashboard

Major SAML 2.0 Changes. Nate Klingenstein Internet2 EuroCAMP 2007 Helsinki April 17, 2007

Trusting External Identity Providers for Global

EUDAT - Open Data Services for Research

INDIGO AAI An overview and status update!

In Section 4 we discuss the proposed architecture and analyse how it can match the identified 2

The challenges of (non-)openness:

EUDAT & AAI. Daan Broeder MPI for Psycholinguistics

Network Security. Chapter 10. XML and Web Services. Part II: II: Securing Web Services Part III: Identity Federation

Request for Comments: ISSN: S. Cantor Shibboleth Consortium August 2018

Enterprise Adoption Best Practices

OIO Bootstrap Token Profile

Leave Policy. SAML Support for PPO

Goal. TeraGrid. Challenges. Federated Login to TeraGrid

AAI Login Demo. SWITCHaai Introduction Course Bern, 1. March Daniel Lutz

Generic Structure of the Treatment Relationship Assertion

SA1 CILogon pilot - motivation and setup

Enhancing cloud applications by using external authentication services. 2015, 2016 IBM Corporation

Kaltura MediaSpace SAML Integration Guide. Version: 5.0

globus online Globus Nexus Steve Tuecke Computation Institute University of Chicago and Argonne National Laboratory

Extending Services with Federated Identity Management

Attributes for Apps How mobile Apps can use SAML Authentication and Attributes

Authentication & Authorization systems developed for CTA

DARIAH Update. 9th FIM4R Workshop. Vienna, Novemer 30, Peter Gietz, DAASI International GmbH.

This talk aims to introduce the Shibboleth web authentication/authorization framework and its intended deployment in the UK academic community and

Web Based Single Sign-On and Access Control

Directories Services and Single Sign-On for Collaboration

SAML2 Metadata Exchange & Tagging

SAML-Based SSO Solution

EGI-InSPIRE. GridCertLib Shibboleth authentication for X.509 certificates and Grid proxies. Sergio Maffioletti

GÉANT Data Protection Code of Conduct SAML 2.0 profile

Warm Up to Identity Protocol Soup

SAML-Based SSO Solution

SWAMID Person-Proofed Multi-Factor Profile

Attribute Specification for the Swedish eid Framework

Configuration Guide - Single-Sign On for OneDesk

Canadian Access Federation: Trust Assertion Document (TAD)

Shibboleth User Verification Customer Implementation Guide Version 4.3

AD FS CONFIGURATION GUIDE

SAML Profile for Privacy-enhanced Federated Identity Management

Identity Provider for SAP Single Sign-On and SAP Identity Management

Electronic ID at work: issues and perspective

ForgeRock Access Management Core Concepts AM-400 Course Description. Revision B

Configure ISE 2.3 Guest Portal with OKTA SAML SSO

Authentication Context Extension

aueduperson Definition and Attribute Vocabulary 2 Sep 2009

Cyber Authentication Technology Solutions Interface Architecture and Specification Version 2.0: Deployment Profile

Canadian Access Federation: Trust Assertion Document (TAD)

Integration of Identity Provider for Single Sign-On

Identity management. Tuomas Aura CSE-C3400 Information security. Aalto University, autumn 2014

4.2. Authenticating to REST Services. Q u i c k R e f e r e n c e G u i d e. 1. IdentityX 4.2 Updates

PingFederate 5.0. Release Notes

EUDAT. Towards a pan-european Collaborative Data Infrastructure

GÉANT Community Programme

Canadian Access Federation: Trust Assertion Document (TAD)

LionShare: A Hybrid Secure Network for Academic Collaboration. Michael J. Halm, Marek Hatala, Derek Morr and Alex Valentine

IBM Security Access Manager Version 9.0 October Federation Administration topics IBM

BELNET R&E federation Technical policy

Test Plan for Kantara Initiative Test Event Test Criteria SAML 2.0

Connect. Communicate. Collaborate. GN2 JRA5 update. Jürgen Rauschenbach (DFN), JRA5 team 04/02/08 Marseille. JRA5 Team

Implement SAML 2.0 SSO in WLS using IDM Federation Services

Greek Research and Technology Network. Authentication & Authorization Infrastructure. Faidon Liambotis. grnet

Evolving the trust fabric with AARC and EGI

Canadian Access Federation: Trust Assertion Document (TAD)

Canadian Access Federation: Trust Assertion Document (TAD)

SAML V2.0 Deployment Profiles for X.509 Subjects

IBM Security Access Manager Version January Federation Administration topics IBM

Transcription:

EGI AAI Platform Architecture and Roadmap Christos Kanellopoulos - GRNET Nicolas Liampotis - GRNET On behalf of EGI-Engage JRA1.1 www.egi.eu EGI-Engage is co-funded by the Horizon 2020 Framework Programme of the European Union under grant number 654142

EGI AAI Goals 1. Users should be able to access the EGI Services using the credentials they have from their Home Organizations using edugain when possible a. Users should be able to access the EGI services using credential from an IdP not part of the edugain. As long as the IdP fulfills a certain set of requirements. b. Users that do not have account on one of the IdPs in the edugain Federations, should still be able to access the EGI services as it is the case now. 2. EGI should expect to receive from the user s Home Organization at least an identifier that uniquely identifies the user coming from within the scope of that organization. 3. Within the EGI environment, a user should have one persistent non-reassignable non-targeted unique identifier. 4. EGI should define a set of minimum mandatory attributes, without which a user cannot exist within the EGI environment. 5. EGI should attempt to retrieve these attributes from the user s Home Organization. If this is not possible, then an alternate process should exist in order to acquire and verify the missing user attributes. 6. There should be a distinction (LoA) between self-asserted attributes and the attributes provided by the Home Organization/VO 7. Access to the various services should be granted based on the VO/EGI roles the user have. 8. EGI Services should not have to deal with the complexity of multiple IdPs/Federations/Attribute Authorities/technologies. This complexity should be handled centrally and should be hidden to the EGI Services. 2

AAI Pilot & Architecture May 2015: Introduction of the EGI AAI Roadmap and Architecture 3

Why Proxy? All EGI SPs can have one statically configured IdP No need to run an IdP Discovery Service on each EGI SP Connected SPs get consistent/harmonised user identifiers and accompanying attribute sets from one or more AAs that can be interpreted in a uniform way for authz purposes External IdPs only deal with a single EGI SP proxy In a nutshell: EGI services will not have to deal with the complexity of multiple IdPs/Federations/Attribute Authorities/technologies. This complexity will be handled centrally by the proxy. 4

AAI Pilot & Architecture Milestone 0 - IdP/SP proxy Milestone 1 - Attribute Authorities (Internal) COManage, GOCDB, Perun Milestone 2 - Token Translation CILogon (X509v3 certs, PUSP) Milestone 3 - Onboard EGI Services GOCDB, AppDB, FedCloud, ARGO,... Milestone 4 - Onboard RC/CCs Milestone 5 - Hybrid stack SAML / OpenID Connect 5

IdP/SP Proxy Based on SimpleSAMLphp/OpenConex t modules IdP Discovery User Enrolment User Consent Support for LoA Attribute Aggregation SAML2.0 Attribute Query, REST, LDAP Support for OIDC/OAuth2 Google, Facebook, LinkedIn, ORCID Support for SAML STORK egov IDs (Experimental) 6

IdP/SP Proxy Levels of Assurance EGI AAI proposal for 3 levels of assurance. Each level is represented by a URI: Low: Authentication through a social identity provider https://aai.egi.eu/loa#low Substantial: Password/X.509 authentication at the user's home IdP https://aai.egi.eu/loa#substantial High: Substantial + multi-factor authn (not yet supported, TBD) https://aai.egi.eu/loa#high TODO: Create an appropriate document for each LoA (this may be, but does not have to be, referenced by the URI above). 7

IdP/SP Proxy Levels of Assurance 3 Use cases allow an IdP to advertise those LoAs for which it is able to meet the associated requirements allow an IdP to indicate the actual LoA in its responses allow a SP to express its expectations for the LoA at which a user should be authenticated 8

Levels of Assurance: IdP SAML2 Metadata IdP/SP Proxy <md:entitydescriptor xmlns:md="urn:oasis:names:tc:saml:2.0:metadata" [...] entityid="https://aai. egi.eu/proxy/saml2/idp/metadata.php"> <md:extensions> <mdattr:entityattributes xmlns:mdattr="urn:oasis:names:tc:saml:metadata:attribute"> <saml:attribute xmlns:saml="urn:oasis:names:tc:saml:2.0:assertion" Name="urn:oasis:names:tc: SAML:attribute:assurance-certification" NameFormat="urn:oasis:names:tc:SAML:2.0:attrname-format: uri"> <saml:attributevalue xmlns:xsi="http://www.w3.org/2001/xmlschema-instance" xmlns:xs="http: //www.w3.org/2001/xmlschema" xsi:type="xs:string">https://aai.egi.eu/loa#low</saml:attributevalue> <saml:attributevalue xmlns:xsi="http://www.w3.org/2001/xmlschema-instance" xmlns:xs="http: //www.w3.org/2001/xmlschema" xsi:type="xs:string">https://aai.egi.eu/loa#substantial</saml: AttributeValue> <saml:attributevalue xmlns:xsi="http://www.w3.org/2001/xmlschema-instance" xmlns:xs="http: //www.w3.org/2001/xmlschema" xsi:type="xs:string">https://aai.egi.eu/loa#high</saml: AttributeValue> </saml:attribute> </mdattr:entityattributes> </md:extensions> 9

IdP/SP Proxy Levels of Assurance: User Attribute Assertions 10

IdP/SP Proxy Levels of Assurance: AuthnContextClassRef <saml:authnstatement AuthnInstant="2016-03-02T16:11:05Z" SessionNotOnOrAfter="2016-03-03T00:11:05Z" SessionIndex=" _a7f1c5f62cc2df3c99ba5bbc4c2dc1aad2adcc8b8a"> <saml:authncontext> <saml:authncontextclassref> https://aai.egi.eu/loa#substantial </saml:authncontextclassref> <saml:authenticatingauthority>https://www. egi.eu/idp/shibboleth</saml:authenticatingauthority> </saml:authncontext> </saml:authnstatement> <saml:attributestatement> 11

IdP/SP Proxy EGI User Identifier The EGI User ID should be: personal - used by a single person (as opposed to shared user accounts) persistent - used for an extended period of time across multiple sessions non-reassignable - assigned exclusively to a specific person, and never reassigned to another individual non-targeted - not intended for a specific relying party (or parties), i.e. should be shared globally unique - unique beyond the namespace of the IdP and the namespace of the SP(s) with which the ID is shared opaque - should (by itself) provide no information about the user, i.e. should be privacy-preserving 12

IdP/SP Proxy Available identifiers edupersonprincipalname (eppn) - A name-based identifier for a person in the form "user@scope" where the "scope" portion is the administrative domain of the identity system where the identifier was created and assigned. edupersontargetedid (eptid) - A persistent, non-reassigned, opaque identifier for a principal. edupersonuniqueid (epuid) - A long-lived, non re-assignable, omnidirectional identifier suitable for use as a principal identifier by authentication providers or as a unique external key by applications. eppn eptid epuid personal persistent non-reassignable non-targeted globally unique opaque 13

EGI Unique User Id Generation IdP/SP Proxy The IdP/SP Proxy adds (or replaces) the edupersonuniqueid (urn:oid: 1.3.6.1.4.1.5923.1.1.1.13) attribute, based on the first non-empty value from this attribute list: epuid eppn eptid The selected attribute value is hashed and the egi.eu scope portion is added to the generated epuid, e.g.: ef72285491ffe53c39b75bdcef46689f5d26ddfa00312365cc4fb5ce97e9ca87@egi.eu 14

IdP/SP Proxy High Availability & Load Balancing SimpleSAMLphp caches user sessions in Memcached, an in-memory key-value store for small chunks of arbitrary data COmanage maintains EGI user profile information in PostgreSQL DB cluster; Data are synced between master (read/write) and hot standby slave (read-only queries) Sessions are distributed and replicated among different Memcached servers, enabling load-balancing and fail-over User requests are load balanced among multiple SimpleSAMLphp web front-ends that use the back-end matrix of Memcached servers 15

Attribute Authorities Use case 1.1 - Connection with Perun - DONE Use case 1.2 - Connection with GOCDB - DONE Use case 1.3 - Connection with COmanage - DONE Use case 1.4 - Connection with the new OpenConnext Attribute Aggregator - In progress 16

Attribute Authorities The EGI SP proxy supports attribute aggregation through: SAML 2.0 AttributeQuery Attribute Aggregator SimpleSAMLphp module Enables SSP to issue SAML 2.0 attribute queries to Attribute Authorities that support SAML 2.0 SOAP binding LDAP Attribute Aggregator SimpleSAMLphp module Allows SSP to issue LDAP queries for retrieving attributes REST Attribute Aggregator SimpleSAMLphp module Allows SSP to retrieve attributes from a RESTful web service OpenConext attribute aggregation Java application Handles attribute aggregation and provides REST API for accessing attribute information 17

Attribute Profile edupersonuniqueid urn:oid:1.3.6.1.4.1.5923.1.1.1.13 edupersonprincipalname urn:oid:1.3.6.1.4.1.5923.1.1.1.6 edupersontargetedid urn:oid:1.3.6.1.4.1.5923.1.1.1.10 displayname urn:oid:2.16.840.1.113730.3.1.241 sn urn:oid:2.5.4.4 givenname urn:oid:2.5.4.42 mail urn:oid:0.9.2342.19200300.100.1.3 edupersonassurance urn:oid:1.3.6.1.4.1.5923.1.1.1.11 edupersonentitlement urn:oid:1.3.6.1.4.1.5923.1.1.1.7 edupersonscopedaffiliation urn:oid:1.3.6.1.4.1.5923.1.1.1.9 18

CoCo & R&S compliance Identifiers edupersonuniqueid edupersonprincipalname edupersontargetedid Mail attribute mail Name attributes displayname givenname sn (surname) Authorization attribute edupersonentitlement edupersonscopedaffilia tion <md:entitydescriptor entityid="https://aai.egi. eu/proxy/module.php/saml/sp/metadata.php/sso"> <md:extensions> <mdattr:entityattributes xmlns:mdattr="urn:oasis: names:tc:saml:metadata:attribute"> <saml:attribute xmlns:saml="urn:oasis:names:tc: SAML:2.0:assertion" Name="http://macedir.org/entitycategory" NameFormat="urn:oasis:names:tc:SAML:2.0: attrname-format:uri"> <saml:attributevalue xmlns:xsi="http://www. w3.org/2001/xmlschema-instance" xmlns:xs="http://www. w3.org/2001/xmlschema" xsi:type="xs:string">http: //www.geant.net/uri/dataprotection-code-ofconduct/v1</saml:attributevalue> <saml:attributevalue xmlns:xsi="http://www. w3.org/2001/xmlschema-instance" xmlns:xs="http://www. w3.org/2001/xmlschema" xsi:type="xs:string">http: //refeds.org/category/research-and-scholarship</saml: AttributeValue> </saml:attribute> </mdattr:entityattributes> </md:extensions> 19

Token Translation: CILogon + PUSP 20

AAI Interoperability requirements Interconnecting IdPs with EGI AAI SP proxy: SAML2 Provide the SAML2 metadata of the IdP (served over HTTPS using a CA-signed SSL cert) The SAML2 metadata of the EGI SP proxy are available from: https://aai.egi.eu/proxy/module.php/saml/sp/metadata.php/sso Release user identifier; must be any of epuid, eppn, or eptid Release authorisation information denoting VO/(sub)group membership/role, encapsulated in edupersonentitlement attribute OpenID Connect/OAuth2 Standard OIDC/OAuth2 flows supported (two/three-legged). More exotic flows can be supported if needed Unique, persistent, non-reassignable user identifier (e.g. sub claim in the case of OIDC) 21

Pilot roadmap Timeline Expected Result Required Technical Components Status 2015-Q4 EGI IdP/SP deployed SimpleSamlPHP / OpenConnext Done 2015-Q4 Interconnect the EGI IdP/SP with a SAML 2.0 IdP 2015-Q4 Interconnect the EGI IdP/SP with a SAML 2.0 SP 2015-Q4 Interconnect the EGI IdP/SP with Perun as attribute provider SAML 2.0 SAML 2.0 PERUN, SimpleSAMLphp LDAP Connector Done Done Done 22

Pilot roadmap Timeline Expected Result Required Technical Components Status 2016-Q1 EGI IdP/SP OIDC input interface (OIDC SAML) OIDC Connector DONE 2016 Q1 Interconnect the EGI IdP/SP with GOCDB as attribute provider GOCDB, connector GOCDB DONE 2016 Q1 Interconnect the EGI IdP/SP with CILogon based Token Translation Services CILogon, MyProxy DONE 2016 Q1 Interconnect the EGI IdP/SP with PUSPs based Token Translation Services 2016 Q1 First pilot with EGI operational tools (AppDB, GOCDB) etoken Server and/or MyProxy N.A. DONE DONE 23

Pilot roadmap Timeline Expected Result Required Technical Components Status 2016 Q2 EGI AAI pubslished in edugain In progress 2016 Q2 EGI AAI Enrollment Service COmanage In progress 2016 Q2 EGI IdP/SP Proxy Attribute Aggregation OpenConext In progress 2016 Q2 Pilot with selected use cases from the EGI-Engage Competence Centers (ELIXIR, DARIAH) In progress 2016 Q2 EGI AAI OpenID Connect Provider In progress 2016 Q3 Interconnect the EGI IdP/SP proxy with an OIDC service (OneData?) 2016 Q3 Second pilot with selected use cases from the EGI-Engage Competence Centers Planning Planning 2016 Q3 Technology reassessment and definition of the roadmap until the end of the EGI-Engage project 24

Thank you for your attention. Questions? www.egi.eu This work by Parties of the EGI-Engage Consortium is licensed under a Creative Commons Attribution 4.0 International License.

2024 © technodocbox.com Privacy Policy | Terms of Service | Feedback