Presentation is loading. Please wait.

Presentation is loading. Please wait.

Authentication and Authorisation for Research and Collaboration Christos Kanellopoulos David Groep 9 th FIM4R Meeting The AARC Project.

Published byGwendolyn Woods Modified over 7 years ago

Similar presentations

Presentation on theme: "Authentication and Authorisation for Research and Collaboration Christos Kanellopoulos David Groep 9 th FIM4R Meeting The AARC Project."— Presentation transcript:

1 http://aarc-project.eu Authentication and Authorisation for Research and Collaboration Christos Kanellopoulos David Groep 9 th FIM4R Meeting The AARC Project – First 7 months Vienna, 30 November 2015 JRA1 – Architecture WP Leader NA3 – Policy WP Leader GRNET NIKHEF

2 http://aarc-project.eu 2 AARC Facts Two-year EC-funded project 20 partners NRENs, e-Infrastructure providers and Libraries as equal partners About 3M euro budget Starting date 1st May, 2015 https://aarc-project.eu/ Authentication and Authorisation for Research and Collaboration

3 http://aarc-project.eu AARC Vision and Objectives 3 Impacts Create a cross-e-infrastructure ‘network’ for identities Reduce duplication of efforts in the service delivery Improve the penetration of federated access Outputs Design of integrated AAI built on federated access Harmonised policies to easy cross-discipline collaboration Pilot selected use-cases Offer a diversified training package Avoid a future in which new research collaborations develop independent AAIs

4 http://aarc-project.eu Integration, policy harmonisation, piloting and training 4 Approach Use existing e- infrastructures in the delivery chain Work with e-infras and user communities to solve existing challenges, pilot use-cases and get feedback on the results Design an integrated AAI built on production infrastructures

5 http://aarc-project.eu 5 AARC Work areas

6 http://aarc-project.eu 6 First Results

7 http://aarc-project.eu First document describing the approach to the training: https://aarc-project.eu/documents/milestones/ Report on the identified target groups for training and their requirements https://aarc-project.eu/wp-content/uploads/2015/04/AARC-DNA2.1.pdf End of the month the first online module on federated access https://aarc-project.eu/documents/training-modules/federations-101/ 7 Training and Outreach Repackage and add what is missing

8 http://aarc-project.eu Security Incident on FIM To agree on a generic security incident response procedure for federations Sirtfi Trust Framework was finalised at the next I2 Tech Exc Sirtfi WG: https://wiki.refeds.org/display/GROUPS/ SIRTFI 8 Policy and Best Practices Harmonisation LoA work To agree on a sustainable LoA framework AARC (through surveys and FIM4R) looking at immediate and longer-term need by SPs and RPs: https://wiki.geant.org/display/AARC/LoA+sur vey+for+SP+communities Key challenge is cost of operation, and who bears this costs R&E federations and their IdPs looking at the ‘service aspect’ of providing assurance MNA3.1 Recommendations on minimal assurance level relevant for low-risk use cases MNA3.2 Community requirements on Accounting data

9 http://aarc-project.eu Many groups and many (proposed) policies, but they leave also many open issues via AARC Policy and Best Practice Harmonisation we try tackling a sub-set of these “Levels of Assurance” – a minimally-useful profile and a differentiated set, for ID and attributes “Sustainability models and Guest IdPs”– how can assurance be offered in the long run? “Scalable policy negotiation” – beyond bilateral discussion “Protection of (accounting) data privacy” – aggregation of PI-like data in collaborative infrastructures “Incident Response”– encouraging ‘expression’ of engagement by (federation) partners and a common understanding https://wiki.refeds.org/display/GROUPS/SIRTFI AARC supports the SirTFi activity – of which Hannah will tell you a lot later!https://wiki.refeds.org/display/GROUPS/SIRTFI 9 The Policy Puzzle IGTF SCI REFEDS FIM4R GN4 AARC SIRTFI...

10 http://aarc-project.eu What do relying parties need, and what can IdPs provide? Recommendations on Minimal Assurance Level Relevant for Low-risk Research Use Cases 1.The accounts in the Home Organisations must each belong to a known individual person 2.Persistent user identifiers (i.e., no re-assignment of user identifiers) 3.Documented identity vetting procedures (not necessarily face-to-face) 4.Password authentication (with some good practices) 5.Departing user’s eduPersonAffiliation must change promptly 6.Self-assessment (supported with specific guidelines) See Mikael presentation hereafter – community consultation open LoA capabilities are closely linked to a sustainability model … 10 ILoA requirements and ‘achievability’

11 http://aarc-project.eu Sustainable operating models Who supports such a service? Central national funding, the RPs using it, subscribers/user paying a subscription fee, community-centric funding, … Does it need specific promotion, and by whom? (to get subscriber/user buy-in for sustainable funding) Over time, no generic - non-community-based - identity provider seems to survive… ProtectNetwork: now pay-per-use (SPs need to pay $ now), Feide OpenIdP: phase out by Jan 1 st, 2016 Other open identity providers are sustained because they serve a dedicated community – e.g. IGTF Identity Providers are (co)supported by national funding and by community groups But homeless users exist (and need IdPs of Last Resort or “Guest IdPs”) with a defined assurnance Policies for ‘homeless user’ accounts lifecycles Traceability and assignment of persistent non-reassigned identifiers Policies for translating social network identities into SAML federation users – effect on LoA? 11 IISustainable models

12 http://aarc-project.eu Some existing ‘scalable’ policy mechanisms around now Coordinated ‘policy bridge’ trust anchor/meta-data distributions (e.g. IGTF trust fabric*) eduGAIN is policy-free, but there are Entity Categories (‘ECs’) Geant CoCo, iCoco, REFEDS R&S, and some evaluation of extent to which currently used https://technical.edugain.org/entities.php https://met.refeds.org/ Gaps or problems to be addressed Federations not exposing IdPs to eduGAIN, or lack of EC support (or willing IdPs with metadata got it re-written by their federation operator …) What about expressing SIRTFI trust compliance, should that be an EC? Should policies and ECs be single global definitions (like CoCo, R&S), or should we prepare for many ‘community trust marks’ - already some countries have scoped entity categories Remember TACAR* – where the registry is neutral but anchors can be ‘qualified’ Do service providers/RPs ‘on the ground’ actually understand LoA? 12 IIIScaling Policies and Assurance * www.igtf.net, * www.tacar.orgwww.igtf.net

13 http://aarc-project.eu infrastructures need to be able to process data and meta-data about the users and their interaction with the systems accounting and for assigning use data to allocations, and to be able to follow up on incidents in the infrastructure Now: classification and inventory of data types and roles MNA3.2 available on http://www.aarc-project.eu/http://www.aarc-project.eu/ Developing recommendations for data protection template policy as next step in AARC https://wiki.geant.org/x/voEVAw 13 IVAccounting and infrastructure data protection

14 http://aarc-project.eu 14 Architecture Design Analysis of requirements Analysis of AA technologies Guest Identities Attribute Authorities – Token Translation Blueprint Architecture Sep15Dec15Apr15Apr17Jul16

15 http://aarc-project.eu 15 Architecture Design – Analysis of requirements AARC Surveys BioVel, CLARIN, D4Science, DARIAH, EISCAT, EUDAT, FMI, PSNC, UMBRELLA, … AARC Interviews EGI, ELIXIR, EUDAT, GN4, LIBRARIES (UKB), … Past Activities FIM4R & TERENA AAA Study AARC Requirement Analysis (available end of Sept.)

16 http://aarc-project.eu 1.User Friendliness 2.Homeless Users 3.Different Levels of Assurance 4.Community based authorization 5.Flexible and scalable attribute release policies 6.Attribute Aggregation & Account Linking 7.Federation solutions based on open and standards based technologies 8.Persistent & Unique User Identifiers 9.User managed Identity Information 10.Up to date identity information 11.User groups and roles 12.Step up authentication 16 Architecture Design – Analysis of requirements 13.Browser and non-browser based federated access 14.Delegation 15.Social media identities 16.Integration with e-Government infrastructures 17.Service Provider Friendliness 18.Effective Accounting 19.Policy Harmonization 20.Federated Incident report Handling 21.Sufficient Attribute release 22.Awareness about R&E Federations 23.Semantically harmonized identity attributes 24.Simplified process for joining identity federation 25.Best practices for terms and conditions

17 http://aarc-project.eu 1.User Friendliness 2.Homeless Users 3.Different Levels of Assurance 4.Community based authorization 5.Flexible and scalable attribute release policies 6.Attribute Aggregation & Account Linking 7.Federation solutions based on open and standards based technologies 8.Persistent & Unique User Identifiers 9.User managed Identity Information 10.Up to date identity information 11.User groups and roles 12.Step up authentication 17 Architecture Design – Analysis of requirements 13.Browser and non-browser based federated access 14.Delegation 15.Social media identities 16.Integration with e-Government infrastructures 17.Effective Accounting 18.Policy Harmonization 19.Federated Incident report Handling 20.Sufficient Attribute release 21.Awareness about R&E Federations 22.Semantically harmonized identity attributes 23.Simplified process for joining identity federation 24.Service Provider Friendliness 25.Best practices for terms and conditions

18 http://aarc-project.eu Continue the interviews with the AARC stakeholders and the parallel work on Guest Identities and Attribute Authorities (AA) & Token Translation Services (TTS) End of October first internal draft release of AARC High Level Architecture End of December: Analysis of available AA technologies January – February: Consultation with stakeholders around the AARC High Level Architecture Arpil: Release work on Guest Identities, AAs and TTS July: 1 st version of the AARC AAI Architecture Framework 18 Architecture Design – Next steps

19 http://aarc-project.eu Although the AARC project has only started for a few months, we have started the preparation for AARC2 focus on user-driven innovation and pilots on existing e-Infrastructures to respond to user-community challenges Help us identifying use-cases: https://docs.google.com/a/terena.org/forms/d/1xHaCINRaizjWfY6K-4- 1O9z81NAyBsmxtJNSNGXSICU/viewform 19 Preparation for AARC 2

20 http://aarc-project.eu © GEANT on behalf of the AARC project. The research leading to these results has received funding from the European Union’s Horizon 2020 research and innovation programme under Grant Agreement No. 653965 (AARC). Thank you Any Questions? skanct@grnet.gr

Download ppt "Authentication and Authorisation for Research and Collaboration Christos Kanellopoulos David Groep 9 th FIM4R Meeting The AARC Project."

Similar presentations

Federated Identity Management for Researchers – A quick overview from GÉANT BoF TNC 2014 20 May 2014 Dublin.

Federated Identity Management for Researchers – A quick overview from GÉANT BoF TNC May 2014 Dublin.
Federated Identity Management for Research Communities (FIM4R) David Kelsey (STFC-RAL) EGI TF, AAI workshop 19 Sep 2012.

Federated Identity Management for Research Communities (FIM4R) David Kelsey (STFC-RAL) EGI TF, AAI workshop 19 Sep 2012.
BoF: Federated Identity Management for Researchers David Kelsey (STFC-RAL) TNC2014, Dublin 20 May 2014.

BoF: Federated Identity Management for Researchers David Kelsey (STFC-RAL) TNC2014, Dublin 20 May 2014.
Www.geant.org AARC Overview Licia Florio, David Groep 21 Jan 2015 presented by David Groep, Nikhef.

AARC Overview Licia Florio, David Groep 21 Jan 2015 presented by David Groep, Nikhef.
Federated Identity Management for HEP David Kelsey WLCG GDB 9 May 2012.

Federated Identity Management for HEP David Kelsey WLCG GDB 9 May 2012.
Updates Licia Florio, TERENA REFEDS Meeting 5 Sept 2012.

Updates Licia Florio, TERENA REFEDS Meeting 5 Sept 2012.
Authentication and Authorisation for Research and Collaboration Licia Florio (GÉANT) Christos Kanellopoulos (GRNET) Service orientation.

Authentication and Authorisation for Research and Collaboration Licia Florio (GÉANT) Christos Kanellopoulos (GRNET) Service orientation.
Https://aarc-project.eu Authentication and Authorisation for Research and Collaboration Pilots on the Integrated R&E AAI Paul van Dijk, Activity Lead Pilots.

Authentication and Authorisation for Research and Collaboration Pilots on the Integrated R&E AAI Paul van Dijk, Activity Lead Pilots.
EResearchers Requirements the IGTF model of interoperable global trust and with a view towards FIM4R AAI Workshop Presenter: David Groep, Nikhef.

EResearchers Requirements the IGTF model of interoperable global trust and with a view towards FIM4R AAI Workshop Presenter: David Groep, Nikhef.
Authentication and Authorisation for Research and Collaboration Licia Florio REFEDS Meeting The AARC Project I2 Technology Exchange.

Authentication and Authorisation for Research and Collaboration Licia Florio REFEDS Meeting The AARC Project I2 Technology Exchange.
Authentication and Authorisation for Research and Collaboration Licia Florio AARC Workshop The AARC Project Brussels, 26 October.

Authentication and Authorisation for Research and Collaboration Licia Florio AARC Workshop The AARC Project Brussels, 26 October.
Https://aarc-project.eu Authentication and Authorisation for Research and Collaboration David Kelsey AARC AHM Milan And mechanisms NA3 Task 4 – Scalable.

Authentication and Authorisation for Research and Collaboration David Kelsey AARC AHM Milan And mechanisms NA3 Task 4 – Scalable.
Https://aarc-project.eu Authentication and Authorisation for Research and Collaboration Peter Solagna Milano, AARC General meeting Current status and plans.

Authentication and Authorisation for Research and Collaboration Peter Solagna Milano, AARC General meeting Current status and plans.
Authentication and Authorisation for Research and Collaboration Christos Kanellopoulos GRNET Proposed Pilots for Libraries and eGov.

Authentication and Authorisation for Research and Collaboration Christos Kanellopoulos GRNET Proposed Pilots for Libraries and eGov.
Https://aarc-project.eu Authentication and Authorisation for Research and Collaboration Mikael Linden AARC all hands Milan Authentication and Authorisation.

Authentication and Authorisation for Research and Collaboration Mikael Linden AARC all hands Milan Authentication and Authorisation.
Https://aarc-project.eu Authentication and Authorisation for Research and Collaboration Milan, Italy Training and Outreach Authentication and Authorisation.

Authentication and Authorisation for Research and Collaboration Milan, Italy Training and Outreach Authentication and Authorisation.
JRA1.4 Models for implementing Attribute Providers and Token Translation Services Andrea Biancini.

JRA1.4 Models for implementing Attribute Providers and Token Translation Services Andrea Biancini.
Federated Identity Management for HEP David Kelsey HEPiX, IHEP Beijing 18 Oct 2012.

Federated Identity Management for HEP David Kelsey HEPiX, IHEP Beijing 18 Oct 2012.
Authentication and Authorisation for Research and Collaboration Christos Kanellopoulos https://wiki.geant.org/display/AARC/AARC+Architecture+-+private.

Authentication and Authorisation for Research and Collaboration Christos Kanellopoulos
Https://aarc-project.eu Authentication and Authorisation for Research and Collaboration David Groep AARC All Hands meeting Milano Policy and Best Practice.

Authentication and Authorisation for Research and Collaboration David Groep AARC All Hands meeting Milano Policy and Best Practice.

Similar presentations

Ads by Google