OpenConext: Authentication & Authorization Infrastructure for Virtual Research Communities


EGI Community Forum 2014. Paul van Dijk presented at the EGI Community Forum in Helsinki how OpenConext can be deployed to support and enhance scientific cooperation. Among other things, he went into the wishes and requirements of scientific collaboration in the field of authentication and authorization. OpenConext is particularly suitable for centralized management of the users of collaborating organisations.


Authentication & Authorization Infrastructure for Virtual Research Communities

Paul van Dijk, SURFnet; Alexandre Bonvin, WeNMR

SURFnet: the Dutch NREN

•  SURFnet is the Dutch National Research & Education Network (NREN)
   -  Services, innovation, knowledge
   -  Not for profit
   -  Task organisation of Stichting SURF = ICT collaboration of higher education & research

•  A small operation serving a large community:
   -  85 employees
   -  160 connected institutions
   -  1 million end-users
   -  Turnover 35 million Euro; 1/3 innovation subsidies

Connecting people and devices to collaborate and share – how to facilitate VRCs?

The WeNMR virtual research community: eScience hub for NMR and structural biology

The WeNMR VRC: a Drupal-powered, rich web-based experience

[Diagram: the WeNMR VRC portal, grouped as Knowledge (Help Center; Tutorials, Wiki; Consultancy), Services (Portals; Third-party aggregation; Grid) and Exposure (Marketplace; Blogs, news, events; Facebook); "or... Done ✔"]

WeNMR VRC: how to deal with authentication?

For the end-user:
•  How to provide access as easily as possible?
•  Use the institutional account
•  Single Sign-On to all kinds of NMR resources

For WeNMR administrators:
•  How to verify users? (albert.einstein@gmail.com)
•  How to deal with the burden of account management?
•  How to bridge authentication across domains and resources?

AAI for research: observations, questions, challenges

•  AAI is one of the cornerstones (or at least a key starting point) for international collaboration and system integration

•  Ever growing space... with many issues

•  More than technique and engineering → policies, procedures and a lot of human interaction (!)

•  Can we build on existing building blocks?

The Netherlands: research apps in the SURFconext ecosystem

[Diagram: Identity Providers (e.g. the University, asserting "Dirk Stap, dirkstap@vu.nl, Staff member, ID#: 2989289283921") connect through the SURFconext Authentication Hub, inside a Trust Framework, to >200 Service Providers, commercial and non-commercial (e.g. Drive, WeNMR Portal); the SP stores the attributes it receives.]

No-brainer: connect the WeNMR portal to SURFconext

[Diagram: the same Identity Providers / SURFconext Authentication Hub / Service Providers picture, with the WeNMR VRC portal (Knowledge: Help Center, Tutorials, Wiki, Consultancy; Services: Portals, Third-party aggregation, Grid) connected to the hub over SAML.]

WeNMR SSO Drupal module, see bit.ly/1oc3Gu3: provides a closed and self-contained solution for everything related to authentication, authorization and accounting for a service, without any need for additional modules or external services.

Crossing national borders via eduGAIN

[Diagram: the same SAML picture extended across national borders via eduGAIN: Identity Providers, the SURFconext Authentication Hub, Service Providers and the WeNMR VRC, all connected over SAML.]

It (almost) works

or... Done ✔

Can we take it one step further?

AI → AAI

Can we organize AuthZ in a centralized (and generic) way?

Needed: additional attributes

[Diagram: the user "Dirk Stap, dirkstap@uvk.nl, Staff member, ID#: 2989289283921" has attributes from three sources: the university (UVK, @university), the collaborative organisation (@Collab Org: CO-admin, CO-researcher) and self-asserted (@Dirk Stap: +31(6) 120202020, Skype: DirkStap, LinkedIn: DirkHStap).]

Needed: attribute source(s)

[Diagram: the same user record, with the CO-admin and CO-researcher roles supplied by a source other than the university IdP.]

Needed: attribute release management

[Diagram: different services (TC VidConf, UVK Storage, Google APPS) each receive a different subset of the user's attributes: one only name, e-mail and ID#; one also the self-asserted phone number and Skype name; one the Collab Organisation roles CO-admin and CO-researcher.]

OpenConext for Collaborative Organisations

•  Groups

•  Distributed Services

•  Attributes, roles and rights

Groups are core to collaboration: any collaboration is based on groups. In eScience these groups are dynamic and international.

Distributed Services: COs collaborate around distributed services. Managing and maintaining many SP - IdP interconnections is tough.

Attributes, roles and rights: roles and rights are based on attributes. COs need very different attributes compared to the attributes provided by the IdPs.

How OpenConext helps

•  Groups

•  Distributed Services

•  Attributes, roles and rights

Centralized and external group providers: OpenConext provides a centralized group provider and allows linking external group providers.

Manage services: CO SP and IdP connections can be managed centrally, including Access Policies and Attribute Release Policies.

Attributes: can be transformed and filtered both at logon and when queried out-of-band.

PoC EGI and SURFnet (Q2/Q3) in a SAML world

[Diagram of the PoC flow:]

University (UVK): Dirk Stap, dirkstap@uvk.nl, Staff member, ID#: 2989289283921
•  Authenticate
•  Add attributes

Collab Organisation (CO-admin, CO-researcher) and self-asserted attributes (+31(6) 120202020, Skype: DirkStap, LinkedIn: DirkHStap)

A CO manager
•  Verifies authenticity
•  Adds attributes
•  Provides workflows

keystone
•  Aggregate attributes
•  Forward with ARP to SP
   -  add. attr. at logon
   -  add. attr. by query
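The hub step of the PoC above (aggregate attributes from the university IdP, the CO manager and the user, then forward only what the SP's Access Policy and Attribute Release Policy allow) as an added Python example; this is not OpenConext or PoC code, and the SP names, attribute names, policies and user values are all constructed for illustration.

```python
# Added example, not OpenConext code: aggregation plus per-SP Access Policy and ARP.
# Constructed sample input: attributes asserted by the university IdP, added by the
# CO manager, and self-asserted by the user, each tagged with its source.
IDP_ATTRS = {"mail": "dirkstap@uvk.nl", "displayName": "Dirk Stap",
             "eduPersonAffiliation": "staff"}
CO_ATTRS = {"isMemberOf": ["co-admin", "co-researcher"]}
SELF_ATTRS = {"telephoneNumber": "+31(6) 120202020", "skype": "DirkStap"}

# ARP: for each SP, the attributes it may receive and the sources allowed to supply them.
ARP = {
    "vidconf": {"mail": {"idp"}, "displayName": {"idp"}, "telephoneNumber": {"self"}},
    "uvk-storage": {"mail": {"idp"}, "isMemberOf": {"co"}},
}
# Access policy: CO group a user must hold before anything is released to the SP.
ACCESS = {"uvk-storage": "co-researcher"}


def aggregate(idp, co, self_asserted):
    """Merge the three attribute sets, keeping (source, value) pairs per attribute name."""
    merged = {}
    for source, attrs in (("idp", idp), ("co", co), ("self", self_asserted)):
        for name, value in attrs.items():
            merged.setdefault(name, []).append((source, value))
    return merged


def authorized(merged, sp, access=ACCESS):
    """Access policy: the required group must come from the CO, never from a self-assertion."""
    required = access.get(sp)
    if required is None:
        return True                       # this SP has no group requirement
    groups = []
    for source, value in merged.get("isMemberOf", []):
        if source == "co":
            groups.extend(value if isinstance(value, list) else [value])
    return required in groups


def release(merged, sp, arp=ARP, access=ACCESS):
    """Apply the access policy, then the ARP; an unknown SP or a failed policy gets nothing."""
    policy = arp.get(sp)
    if policy is None or not authorized(merged, sp, access):
        return {}
    out = {}
    for name, sources in policy.items():
        values = [v for src, v in merged.get(name, []) if src in sources]
        if values:
            out[name] = values[0] if len(values) == 1 else values
    return out
```

Because every value carries its source, a self-asserted group claim can never satisfy the CO group requirement, which is the property the "verifies authenticity" step of the CO manager is meant to guarantee.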

Conclusion

Authentication infrastructure
•  Identity federations: works well on a national level → run-of-the-mill in many countries, UX could be better
•  Interfederation: will it scale? Requires a lot of effort → streamline and harmonize procedures, improve discovery of endpoint representatives → on the radar of organizations like REFEDS and GEANT (eduGAIN)

Authorization infrastructure
•  Still in development, some solutions/approaches available → collaborate, just do it, run PoCs with the community & improve

paul.vandijk[at]surfnet.nl or niels.vandijk[at]surfnet for OpenConext
@paulcwvandijk, paulcwvandijk
www.surfnet.nl
+31 30 2 305 305
Creative Commons “Attribution” license: http://creativecommons.org/licenses/by/3.0/
