Authentication & Authorization for Research & Collaboration Pilots in SA1 Paul van Dijk, SURFnet AARC

Page 1: Authentication & Authorization for Research & Collaboration Pilots in SA1 (Paul van Dijk, SURFnet, AARC)

Authentication & Authorization for Research & Collaboration Pilots in SA1

Paul van Dijk, SURFnet

AARC

Page 2

Connecting People and Devices

Page 3

AARC Work Packages

Page 4

AARC Work Packages

Page 5

The Netherlands: research apps

SURFconext ecosystem

Drive

WeNMR

Portal

Identity Providers

±300 Service Providers (commercial / non-commercial)

SURFconext AAI Hub

Trust Framework

University: Dirk [email protected], Staff member, ID#: 2989289283921

SP stores attributes

Page 6

SURFconext for WeNMR VRC

Knowledge: Help Center, Tutorials, Wiki, Consultancy

Services: Portals, Third-party aggregation, Grid

Identity Providers, SURFconext AAI Hub, Service Providers (all connections via SAML)

WeNMR VRC portal (SAML)

Page 7

Status?

Non-web SSO ✗

Attribute management for AuthZ ✗

“Guest” access ✗/✔

Int’l AuthN ✗/✔

Page 8

IdPs – extend coverage

National IdPs

VU

eduGAIN IdPs

TC

“Guest access”

TC

All SAML, but differences in attribute management need policies and formats

• Lower barriers for non-academia
• Use of Gov e-ID, social IDs, linking accounts
• Support scalable LoA for guest accounts
• Deal with “library walk-in users”

All SAML, national policies and formats

Any issues? Perhaps promote an opt-out approach

Page 9

Authorizations: Attribute Management Framework

Attribute management... solutions are emerging but not really adopted by researchers yet

Pilot with:
• Attribute providers/management
• Attribute aggregators
• SPs able to do attribute-based authorisations (or enable SPs)

Page 10

PoC EGI and SURFnet

Attr provider
• Verifies authenticity
• Adds attributes
• Provides workflows

Self Asserted: +31(6) 120202020, Skype: DirkStap, LinkedIn: DirkHStap

Collab Organisation: CO-admin, CO-researcher

University: Dirk [email protected], Staff member, ID#: 2989289283921

keystone
• Aggregate attributes
• Forward with ARP to SP

add. attr. at logon

add. attr. by query

UVK
• Authenticate
• Add attributes
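The pilot sketched on pages 9 and 10 (attribute provider, aggregator forwarding with an ARP, which in SURFconext is the attribute release policy, and SPs doing attribute-based authorisation) as a worked example. This is added here and is not code from the slides, from SURFnet, EGI or keystone; the attribute names, the SP names, the second subject and the roles of the "idp"/"co"/"self" sources are constructed assumptions. The security point it makes explicit is that an SP should key its authorisation on who asserted an attribute, not only on its name and value:

```python
"""Added example (not code from the slides or the pilot): attribute
aggregation with a per-SP attribute release policy (ARP) and attribute-based
authorisation at the SP. All names and sample values are constructed."""
from dataclasses import dataclass, field
from typing import Dict, List, Set, Tuple


@dataclass(frozen=True)
class Attribute:
    """An attribute plus who asserted it, so the SP can decide what to trust."""
    name: str
    value: str
    source: str  # "idp" (home organisation), "co" (collaboration org) or "self"


@dataclass
class Identity:
    subject: str
    attributes: List[Attribute] = field(default_factory=list)


# Constructed sample data. The home IdP ("University" box on the slide)
# authenticates and asserts organisational attributes; the attribute provider
# holds CO roles and whatever the user typed into a self-asserted profile.
IDP_RECORDS: Dict[str, List[Tuple[str, str]]] = {
    "2989289283921": [("displayName", "Dirk Stap"), ("affiliation", "staff")],
    "1000000000002": [("displayName", "Test User"), ("affiliation", "student")],
}
CO_ROLES: Dict[str, List[Tuple[str, str]]] = {
    "2989289283921": [("co-role", "CO-researcher")],
}
SELF_ASSERTED: Dict[str, List[Tuple[str, str]]] = {
    "2989289283921": [("skype", "DirkStap"), ("linkedin", "DirkHStap")],
    # A self-asserted copy of the role attribute: the SP must not treat it as
    # equivalent to the role the collaboration organisation asserts.
    "1000000000002": [("co-role", "CO-researcher")],
}

# Per-SP attribute release policy: the hub forwards only the listed attribute
# names to each SP. An SP with no policy receives nothing (deny by default).
ARP: Dict[str, Set[str]] = {
    "wenmr-portal": {"displayName", "affiliation", "co-role"},
    "collab-wiki": {"displayName", "co-role", "skype"},
}


def aggregate(subject: str) -> Identity:
    """Hub side: authenticate at the IdP, then add attributes from the
    attribute provider. The slide adds these at logon or by query; this
    example does both in one call and records the source of each."""
    if subject not in IDP_RECORDS:
        raise PermissionError("subject not known to the IdP")
    ident = Identity(subject)
    ident.attributes += [Attribute(n, v, "idp") for n, v in IDP_RECORDS[subject]]
    ident.attributes += [Attribute(n, v, "co") for n, v in CO_ROLES.get(subject, [])]
    ident.attributes += [Attribute(n, v, "self") for n, v in SELF_ASSERTED.get(subject, [])]
    return ident


def release(ident: Identity, sp: str) -> List[Attribute]:
    """Apply the SP's ARP before forwarding the aggregated attributes."""
    allowed = ARP.get(sp, set())
    return [a for a in ident.attributes if a.name in allowed]


def authorise_wenmr(attrs: List[Attribute]) -> bool:
    """SP side: grant access only on a CO-asserted researcher role."""
    return any(
        a.name == "co-role" and a.value == "CO-researcher" and a.source == "co"
        for a in attrs
    )


if __name__ == "__main__":
    for subject in IDP_RECORDS:
        attrs = release(aggregate(subject), "wenmr-portal")
        print(subject, [(a.name, a.value, a.source) for a in attrs], authorise_wenmr(attrs))
```

Running it shows the first subject admitted to the portal on the CO-asserted role and the second refused, even though both carry a `co-role` attribute after aggregation; the wiki receives the Skype handle under its own ARP while the portal never sees it.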

Page 11

SPs: Improve access to research infra

Webservices: SAML World

Can we apply a similar setup to e-infrastructures like EGI, PRACE, EUDAT, ESFRI clusters... so these providers can offer their resources in a more user-friendly, controlled and consolidated way?

Users can access different web-based services with the same set of credentials

E-infrastructures

non-web, X.509

Page 12

Non-Web SSO

• Moonshot (EAP, RADIUS, GSS-API, SASL)
• SAML ECP
• Workarounds: SAML-enabled portal
  - Provision application-specific passwords
  - OAuth
  - X.509
• Unity-idm.eu
• Facius
• Kerberos or other solutions (?)

Page 13

Description of Work SA1

• Driven by user requirements
• Strong focus on integration of existing building blocks
• Main focus on:
  - Solutions for guest users (task 1 - GARR)
  - Attribute management, aggregation and consumption (task 2 - EGI)
  - Access to non-web and commercial (cloud) resources (task 3 - PSNC)
• Together with user communities: evaluate whether the solutions proposed by JRA1 and NA3 are effective, and feed the results back to JRA1 and NA3

Page 14

paul.vandijk[at]surfnet.nl

@paulcwvandijk

paulcwvandijk

www.surfnet.nl

+31 6 13328090

Creative Commons “Attribution” license: http://creativecommons.org/licenses/by/3.0/
