http://aarc-project.eu

AuthenticationandAuthorisationforResearchandCollaboration

ChristosKanellopoulos(GRNET)

DigitalInfrastructuresforResearch2016

AARCBlueprintArchitectureforinteroperableAAIs

28September,2016Krakow

http://aarc-project.eu 2

Thestartingpoint

• Thescenario:• Thereisatechnicalarchitectofaresearchcommunity

• Hercommunityisdistributedinternationally

• Increasingnumberofservicesneedauthentication

andauthorization

• Herjobistofindasolution

• Shewantstofocusonresearchandnotreinventthewheel

• Shestartsgoogling

• So,therearesomesolutionsavailable,but…

http://aarc-project.eu3

http://aarc-project.eu 4

AARCFacts

• Two-yearEC-fundedproject• 20partners• NRENs,e-InfrastructureprovidersandLibrariesasequalpartners

• About3Meurobudget• Startingdate1stMay,2015• https://aarc-project.eu/

AuthenticationandAuthorisationforResearchandCollaboration

http://aarc-project.eu 5

AARC’sRole- Connectingtheislands

eInfraA

rInfra1

rInfra2

eInfraB

http://aarc-project.eu

AARCVisionandOutputs

6

Impact

• BringfederatedaccessandeScience closetoeachother• Createacross-e-infrastructure‘network’foridentities• Reduceduplicationofeffortsintheservicedelivery

Outputs

• DesignofintegratedAAIbuiltonfederatedaccess• Harmonised policiestoeasycross-disciplinecollaboration• Pilotselecteduse-cases• Offeradiversifiedtrainingpackage

AvoidafutureinwhichnewresearchcollaborationsdevelopindependentAAIs

http://aarc-project.eu 7

AARCandT&Iecosystem

AARC

Requirements•Anchoredinrealusecases•Internationalcollaboration

Pilots•AARCtechnicalandpolicyfindings

Training

REFEDS/FIM4RREFEDS:• FeedbackandvalidationfromFedOperatorsonbestpractices

FIM4R:• FeedbackonpilotsfromAAIusercommunities

• Requirements/feedbackfortrainingandarchitecture

r/e-Infrastructures

Developbusinesscase• Costing• Supplychain

Pilotintegrationresults

Incorporate

• GN4project,REFEDS,FIM4R,RDA,andvariousAAIworkwithinotherprojects• Liaisonswithinternationalcollaborations

http://aarc-project.eu 8

AARCMethodology

Management

CommunityRequirements

CommunityFeedback

http://aarc-project.eu 9

StartingPoint

IDFEDsØMainlynationallyfocusedØ ProvidewebSSO (SAML)toaccessanumberofservices

Ø Supportfine-grainedAuthZ

e-ResearcherØ Typicalinter-feduse-casesØ ProvideSSO(X.509)fore-Researchservices

Ø RequirementforstrongerAuthN(LoA)

http://aarc-project.eu 10

Thegoals

1. Users should be able to access the all services using the credentials from their HomeOrganization

2. Users should have one persistent non-reassignable non-targeted unique identifier.

3. Attempt to retrieve user attributes from the user’s Home Organization. If this is notpossible, then an alternate process should exist.

4. Distinguish (LOA) between self-asserted attributes and the attributes provided by theHome Organization/VO

5. Access to the various services should be granted based on the role(s) the users havewithin the collaboration

6. Services should not have to deal with the complexity of multipleIdPs/Federations/Attribute Authorities/technologies.

http://aarc-project.eu 11

IdentifiedRequirements

Non-web-browser

Guestusers

PersistentUniqueId

Credentialtranslation

AttributeAggregation

AttributeRelease

LevelsofAssurance

CommunitybasedAuthZ

Social&e-Gov IDs

Step-upAuthN

UserManagedInformation

UserFriendliness

IncidentResponse

BestPractices

CredentialDelegation

SPFriendliness

http://aarc-project.eu

TheFunctionalComponentsandavailableAAItools

aarc-project.eu

AvailableAAIComponents

AttributeAuthorities

IdPs

Proxies

TokenTranslation

ServiceProvider

AnalysisofUserCommunities

AndInfrastructureProviders

12

http://aarc-project.eu

AARC:AnalysisofUserCommunitiesande-InfrastructureProviders

Non-web-browser

Guestusers

PersistentUniqueId

Credentialtranslation

AttributeAggregation

AttributeRelease

LevelsofAssurance

CommunitybasedAuthZ

Social&e-Gov IDs

Step-upAuthN

UserManagedInformation

UserFriendliness

IncidentResponse

BestPractices

CredentialDelegation

SPFriendliness

13

http://aarc-project.eu

AARCBlueprintArchitecture(1st Draft)

UserCommunityRequirements

https://wiki.geant.org/display/AARC/AARC+Architecture

https://goo.gl/kSxENp

http://aarc-project.eu

eduGAIN andtheIdentityFederations

AsolidfoundationforfederatedaccessinR&E

AuthenticationandAuthorizationArchitectureforResearchCollaboration

AsetofbuildingblocksontopofeduGAINforInternationalResearchCollaboration

AARCBlueprintArchitecture&eduGAIN

15

http://aarc-project.eu 16

Whytheproxymodel?

•AllinternalServicescanhaveonestaticallyconfiguredIdP

•NoneedtorunanIdP DiscoveryService oneachService

• ConnectedSPsgetconsistent/harmonised useridentifiersand

accompanyingattributesets fromoneormoreAAsthatcanbe

interpretedinauniformwayforauthZ purposes

• ExternalIdPs onlydealwithasingleSP proxy

• Butitcomeswitheachownnewchallenges

http://aarc-project.eu

• SecurityIncidentResponseTrustFrameworkforFederatedIdentityhttps://refeds.org/sirtfi

•MinimalAssuranceLevelforlow-riskresearchusecaseshttps://wiki.geant.org/display/AARC/LoA+-+Level+of+Assurance

• Policyandsustainabilitymodelsforapan-EuropeanTokenTranslationServicehttps://www.rcauth.eu/

• Sustainabilitymodelsfor”GuestIdPs”https://wiki.geant.org/display/AARC/Sustainability+models+for+Guest+IdPs

• RequirementsforAccountingandDataProtectionhttps://wiki.geant.org/display/AARC/Accounting+and+Data+Protection

17

Policies&Sustainabilitymodels

http://aarc-project.eu

Pilots

RequirementsUserCommunity

OverviewAvailableAAIComponents

DraftBlue-PrintArchitecture

aarc-project.eu

https://goo.gl/kSxENp https://goo.gl/NzQA2U https://goo.gl/7dZZF4

PilotsWithCommunities

Plan

Develop

Test

IncludeFeedback

Input fortraining

Package/release

18

http://aarc-project.eu

Pilots

https://goo.gl/7dZZF4

https://goo.gl/NzQA2U

https://goo.gl/kSxENp

AttributeAuthorities

IdPs

Proxy

ServiceProvider

Library,hybridAuthNLibrary,IdP-SPproxyapproach

Perun andCOmanage AAsforBBMRI&EGIOpenConext attributeaggregation

TTSwithCI-logonandVOportalforElixirTokenTranslation

ORCIDSP,LoA Elevation,ReferenceimplementationoftheBPA…

https://wiki.geant.org/display/AARC/AARC+Pilots19

http://aarc-project.eu

Firste-Infrastructureimplementations

• EGICheckIn Servicehttps://wiki.egi.eu/wiki/AAI

• ELIXIRAAIhttps://www.elixir-europe.org/services/compute/aai

• EUDATB2ACCESShttps://www.eudat.eu/services/b2access

• GÉANTeduTEAMShttps://www.eduteams.org

https://goo.gl/7dZZF4

https://goo.gl/NzQA2U

https://goo.gl/kSxENp

20

http://aarc-project.eu

Workforthenextyear

•Policiesandbestpracticesforproxyoperators

•FrameworkrecommendationsforRIsforcoherentpolicysets

•Guidelinedocuments(e.g.groupMembership,non-webaccess,authorizaton)

•FeasibilitystudyfortheuseeGOV/eIDAS e-IDs

•Pilots,pilots,pilots…

•Focusedtrainings

21

http://aarc-project.eu

©GEANTonbehalfoftheAARCproject.TheresearchleadingtotheseresultshasreceivedfundingfromtheEuropeanUnion’sHorizon2020researchandinnovationprogrammeunderGrantAgreementNo.653965(AARC).

ThankyouAnyQuestions?

skanct@admin.grnet.gr