Enabling SSO capabilities in the EGI Cloud services
Peter Solagna – EGI.eu
www.egi.eu, EGI-InSPIRE RI-261323


1 Enabling SSO capabilities in the EGI Cloud services
Peter Solagna – EGI.eu

2 Authentication and Authorization in EGI - 1
Authentication:
– X.509 personal certificates from IGTF Certification Authorities
    CA available in every country
    – Supported by several distributed Registration Authorities
    Terena Certificate Service for eduGAIN users
    Catch-all CA provided by EGI.eu
Authorization:
– Based on attributes provided by the user communities
    Virtual Organization membership
    Roles and groups within the VO
Cloud services:
– Use an extension of the OpenStack Keystone module to enable X.509 on OpenStack and OpenNebula

3 Authentication and Authorization in EGI - 2
[Figure; labels: Virtual Organization, TRUST]

4 Extend the X509 mechanism
For some users approaching EGI the X509 mechanism is a barrier
– They do not have easy access to a Certification Authority
– They would prefer to continue using their institutional credentials
– VOs and Resource Providers implement portals to ease the access to the resources
EGI services must evolve in order to use other authentication mechanisms
– Starting where there are clear use cases, e.g. Cloud services

5 Leverage on federated authentication
The best case scenario is where users can use the credentials they already own
– E.g. from their institutional IdPs
– IdPs cannot release attributes to qualify VO membership or other community-specific roles
The additional attributes must be provided by other external attribute authorities
– The attributes should be managed by the user communities themselves

6 AAI PoC for the Fedcloud
Joint activity between EGI and SURFnet
– EGI cloud service providers from the Fedcloud production sites
– SURFnet will provide the attribute management services (OpenConext) to integrate the attribute authorities with the IdPs to produce assertions that can be consumed by service providers

7 [Figure; © Paul Van Dijk]

8 Activities of the PoC
OpenStack “Icehouse” enables Shibboleth authentication in Keystone
– Porting of EGI tools to support the new Keystone release
Use the attributes from the IdP and the attribute authorities (through OpenConext) to map users into the VO groups.
Involve user communities to test the framework with real use cases
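
The attribute-to-VO-group mapping named on this slide, as an added Python example that is not part of the original presentation and is not Keystone or OpenConext code: identity is taken only from the institutional IdP, VO membership only from the community's attribute authority. Entity IDs, attribute names, VO names and group names are assumptions constructed for illustration.

```python
# Added example. All entity IDs, VO names and group names are constructed;
# this is not Keystone or OpenConext code. Assumption: the service provider
# has already verified signatures, so "source" is the authenticated issuer.
TRUSTED_IDPS = {"https://idp.uni.example.org"}
TRUSTED_AAS = {"https://aa.vo.example.org"}   # run by the user community
VO_ATTRIBUTE = "isMemberOf"                   # assumed attribute carrying VO groups
GROUP_MAP = {                                 # VO group value -> local cloud group
    "vo.example.org:members": "vo_example_users",
    "vo.example.org:admins": "vo_example_admins",
}


def map_user(statements):
    """Return (user_id, local_groups) from verified attribute statements.

    Identity is taken only from a trusted IdP; VO membership is taken only
    from a trusted attribute authority, whatever else the IdP asserts.
    """
    user_ids, groups = set(), set()
    for st in statements:
        attrs = st["attributes"]
        if st["source"] in TRUSTED_IDPS:
            user_ids.update(attrs.get("eduPersonPrincipalName", []))
        elif st["source"] in TRUSTED_AAS:
            for value in attrs.get(VO_ATTRIBUTE, []):
                if value in GROUP_MAP:        # unknown values grant nothing
                    groups.add(GROUP_MAP[value])
    if len(user_ids) != 1:
        raise ValueError("need exactly one identity from a trusted IdP")
    if not groups:
        raise PermissionError("no VO membership from a trusted attribute authority")
    return user_ids.pop(), sorted(groups)


# Constructed sample: the IdP also sends a VO attribute, which must be ignored.
SAMPLE = [
    {"source": "https://idp.uni.example.org",
     "attributes": {"eduPersonPrincipalName": ["alice@uni.example.org"],
                    "isMemberOf": ["vo.example.org:admins"]}},
    {"source": "https://aa.vo.example.org",
     "attributes": {"isMemberOf": ["vo.example.org:members", "other:group"]}},
]

if __name__ == "__main__":
    print(map_user(SAMPLE))
```

A user with no membership from the trusted attribute authority is rejected rather than given a default group, so a group claim sent by the IdP or by an unlisted source grants nothing.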

9 Timeline
Start: now
New version of Keystone is supported in EGI: end of October
Begin the tests with OpenConext and other AA (REMS, CoManage, HEXAA): end of October
Involve user communities: end of November

10 Not 100% production services
These activities aim to demonstrate the technical feasibility of this solution
– And the support for the user communities' use cases
It does not necessarily fulfill all the EGI security policies and requirements
– This will need a wider approach, which will be carried on in EGI-Engage

11 Thanks
Questions?

