http://aarc-project.eu
Authentication and Authorisation for Research and Collaboration
Christos Kanellopoulos (GRNET)
Digital Infrastructures for Research 2016
AARC Blueprint Architecture for interoperable AAIs
28 September, 2016, Krakow
The starting point
• The scenario:
  • There is a technical architect of a research community
  • Her community is distributed internationally
  • An increasing number of services need authentication and authorization
  • Her job is to find a solution
  • She wants to focus on research and not reinvent the wheel
  • She starts googling
• So, there are some solutions available, but…
AARC Facts
• Two-year EC-funded project
• 20 partners
• NRENs, e-Infrastructure providers and Libraries as equal partners
• About 3 M euro budget
• Starting date 1st May, 2015
• https://aarc-project.eu/
AARC's Role - Connecting the islands
(diagram: eInfra A, rInfra 1, rInfra 2, eInfra B connected through AARC)
AARC Vision and Outputs
Impact
• Bring federated access and eScience close to each other
• Create a cross-e-infrastructure 'network' for identities
• Reduce duplication of efforts in the service delivery
Outputs
• Design of integrated AAI built on federated access
• Harmonised policies to ease cross-discipline collaboration
• Pilot selected use-cases
• Offer a diversified training package
Avoid a future in which new research collaborations develop independent AAIs
AARC and T&I ecosystem
AARC
• Requirements: anchored in real use cases; international collaboration
• Pilots: AARC technical and policy findings
• Training
REFEDS / FIM4R
REFEDS:
• Feedback and validation from Fed Operators on best practices
FIM4R:
• Feedback on pilots from AAI user communities
• Requirements/feedback for training and architecture
r/e-Infrastructures
• Develop business case: costing, supply chain
• Pilot integration results
Incorporate
• GN4 project, REFEDS, FIM4R, RDA, and various AAI work within other projects
• Liaisons with international collaborations
AARC Methodology
(diagram: Management, Community Requirements, Community Feedback)
Starting Point
ID FEDs
• Mainly nationally focused
• Provide web SSO (SAML) to access a number of services
• Support fine-grained AuthZ
e-Researcher
• Typical inter-fed use-cases
• Provide SSO (X.509) for e-Research services
• Requirement for stronger AuthN (LoA)
The goals
1. Users should be able to access all the services using the credentials from their Home Organization.
2. Users should have one persistent, non-reassignable, non-targeted unique identifier.
3. Attempt to retrieve user attributes from the user's Home Organization. If this is not possible, then an alternate process should exist.
4. Distinguish (LoA) between self-asserted attributes and the attributes provided by the Home Organization/VO.
5. Access to the various services should be granted based on the role(s) the users have within the collaboration.
6. Services should not have to deal with the complexity of multiple IdPs/Federations/Attribute Authorities/technologies.
Identified Requirements
• Non-web-browser
• Guest users
• Persistent Unique Id
• Credential translation
• Attribute Aggregation
• Attribute Release
• Levels of Assurance
• Community based AuthZ
• Social & e-Gov IDs
• Step-up AuthN
• User Managed Information
• User Friendliness
• Incident Response
• Best Practices
• Credential Delegation
• SP Friendliness
The Functional Components and available AAI tools
Available AAI Components: Attribute Authorities, IdPs, Proxies, Token Translation, Service Provider
Analysis of User Communities and Infrastructure Providers
AARC: Analysis of User Communities and e-Infrastructure Providers
AARC Blueprint Architecture (1st Draft)
User Community Requirements
https://wiki.geant.org/display/AARC/AARC+Architecture
https://goo.gl/kSxENp
AARC Blueprint Architecture & eduGAIN
eduGAIN and the Identity Federations: a solid foundation for federated access in R&E
Authentication and Authorization Architecture for Research Collaboration: a set of building blocks on top of eduGAIN for International Research Collaboration
Why the proxy model?
• All internal Services can have one statically configured IdP
• No need to run an IdP Discovery Service on each Service
• Connected SPs get consistent/harmonised user identifiers and accompanying attribute sets from one or more AAs that can be interpreted in a uniform way for authZ purposes
• External IdPs only deal with a single SP proxy
• But it comes with its own new challenges
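A toy model of the proxy pattern on this slide, also covering goals 2, 4 and 5 from the goals slide (one proxy-minted identifier, attribute aggregation that keeps provenance, role-based authorisation). This is an added illustration, not AARC project code; the proxy domain, IdP and AA URLs and all attribute values are constructed.

```python
"""Toy SP-IdP proxy: mint one proxy-scoped user id, aggregate attributes from the
home IdP and community attribute authorities (keeping who asserted each value),
and authorise connected SPs on community roles. All names below are constructed."""
import hashlib

PROXY_SCOPE = "proxy.example-infra.org"   # hypothetical proxy domain
_id_registry: dict = {}                   # (issuer, subject) -> minted id
# Constructed sample: what the proxy receives from the user's home IdP.
HOME_IDP_ASSERTION = {
    "issuer": "https://idp.example-university.org/idp",
    "attributes": {"eduPersonPrincipalName": "jdoe@example-university.org",
                   "displayName": "Jane Doe"},
}
# Constructed sample: a community attribute authority, keyed by home identity.
COMMUNITY_AAS = {"https://aa.example-vo.org": {
    "jdoe@example-university.org": {
        "eduPersonEntitlement": ["urn:mace:example-vo.org:group:analysis:role=member"]}}}
# Constructed sample: information the user entered herself (not vetted by anyone).
SELF_ASSERTED = {"eduPersonEntitlement": "urn:mace:example-vo.org:group:analysis:role=admin"}

def mint_user_id(issuer: str, subject: str) -> str:
    """Persistent, non-targeted id (goal 2): every SP behind the proxy sees the
    same value. A real proxy persists this registry so an id is never reassigned."""
    key = (issuer, subject)
    if key not in _id_registry:
        digest = hashlib.sha256(f"{issuer}|{subject}".encode()).hexdigest()[:32]
        _id_registry[key] = f"{digest}@{PROXY_SCOPE}"
    return _id_registry[key]

def aggregate(assertion: dict, aas: dict, self_asserted: dict) -> dict:
    """Merge attributes from all sources, tagging who asserted each value so an
    SP can tell home-org/VO attributes from self-asserted ones (goal 4)."""
    issuer = assertion["issuer"]
    subject = assertion["attributes"]["eduPersonPrincipalName"]
    attrs = [{"name": n, "value": v, "asserted_by": "home-org"}
             for n, v in assertion["attributes"].items()]
    for aa_url, directory in aas.items():
        for n, values in directory.get(subject, {}).items():
            attrs += [{"name": n, "value": v, "asserted_by": "vo:" + aa_url} for v in values]
    attrs += [{"name": n, "value": v, "asserted_by": "self"} for n, v in self_asserted.items()]
    return {"sub": mint_user_id(issuer, subject), "attrs": attrs}

def authorise(user: dict, required_entitlement: str) -> bool:
    """Role-based access (goal 5): only entitlements asserted by the home
    organisation or a VO attribute authority count; self-asserted ones never do."""
    return any(a["name"] == "eduPersonEntitlement" and a["value"] == required_entitlement
               and a["asserted_by"] != "self" for a in user["attrs"])
```

Calling `aggregate(HOME_IDP_ASSERTION, COMMUNITY_AAS, SELF_ASSERTED)` yields one `sub` for all SPs; the VO-asserted member role is accepted while the self-asserted admin role is refused.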
Policies & Sustainability models
• Security Incident Response Trust Framework for Federated Identity: https://refeds.org/sirtfi
• Minimal Assurance Level for low-risk research use cases: https://wiki.geant.org/display/AARC/LoA+-+Level+of+Assurance
• Policy and sustainability models for a pan-European Token Translation Service: https://www.rcauth.eu/
• Sustainability models for "Guest IdPs": https://wiki.geant.org/display/AARC/Sustainability+models+for+Guest+IdPs
• Requirements for Accounting and Data Protection: https://wiki.geant.org/display/AARC/Accounting+and+Data+Protection
Pilots
(diagram: Requirements from the User Community, Overview of Available AAI Components, Draft Blue-Print Architecture)
https://goo.gl/kSxENp https://goo.gl/NzQA2U https://goo.gl/7dZZF4
Pilots With Communities: Plan, Develop, Test, Include Feedback, Input for training, Package/release
Pilots
https://goo.gl/7dZZF4 https://goo.gl/NzQA2U https://goo.gl/kSxENp
Components piloted: Attribute Authorities, IdPs, Proxy, Service Provider
• Library, hybrid AuthN; Library, IdP-SP proxy approach
• Perun and COmanage AAs for BBMRI & EGI; OpenConext attribute aggregation
• TTS with CI-logon and VO portal for Elixir; Token Translation
• ORCID SP, LoA Elevation, Reference implementation of the BPA…
https://wiki.geant.org/display/AARC/AARC+Pilots
First e-Infrastructure implementations
• EGI CheckIn Service: https://wiki.egi.eu/wiki/AAI
• ELIXIR AAI: https://www.elixir-europe.org/services/compute/aai
• EUDAT B2ACCESS: https://www.eudat.eu/services/b2access
• GÉANT eduTEAMS: https://www.eduteams.org
Work for the next year
• Policies and best practices for proxy operators
• Framework recommendations for RIs for coherent policy sets
• Guideline documents (e.g. group membership, non-web access, authorization)
• Feasibility study for the use of eGOV/eIDAS e-IDs
• Pilots, pilots, pilots…
• Focused trainings
© GEANT on behalf of the AARC project. The research leading to these results has received funding from the European Union's Horizon 2020 research and innovation programme under Grant Agreement No. 653965 (AARC).
Thank you. Any Questions?