Slide 1: Authentication and Authorisation for Research and Collaboration
NA3 Task 4 – Scalable Policy Negotiation and mechanisms
David Kelsey (STFC-RAL), AARC AHM Milan, 3 Nov 2015
https://aarc-project.eu

Slide 2: Scalable policy negotiation (slide from David Groep)
What is the current take-up of mechanisms?
- Entity Categories are seen as a key element in expressing policies in federation
- Initial survey (by RENATER) showed increasing but still limited take-up – how can this be promoted?
- Policies in common design patterns?
There are new opportunities and issues with scaling policy compliance or expression in ‘proxying’ SP communities – which are appearing as a key design principle
- Should all hidden services behind an SP proxy be R&S to make the proxy R&S?
- What happens to (commercial) services used by communities inside their infrastructure (and behind their SP proxy)?
- Can we define a template policy that communities can sign up to, making it a ‘policy proxy’?

Slide 3: Development of scalable policy negotiation mechanisms (TNA3.4 – David Kelsey, RAL)
Develop scalable policy negotiation mechanisms between identity providers, attribute providers and service providers
- Bi-lateral negotiation between SPs and IdPs/AAs will not work
Effort funded: 19 PM (CERN 2, FOM-NIKHEF 3, GRNET 2, LIBER 2, RENATER 6, STFC 4)
Input required
- MJRA1.4 – First version of blueprint architecture (M15), but also earlier drafts
Milestones and Deliverables
- DNA3.4 – Recommendations on the grouping of entities and their deployment mechanisms in scalable policy negotiation (M24)
Execution Plan
- The first work will be the identification of the entities that need to be classified and expressed, such as the specific categorisation that may be needed for non-identity attribute providers and for credential translators (M9?)
- Then proceed to formulate recommendations on the grouping of entities and on the actual deployable mechanisms that can be evaluated in the proof-of-concepts of SA1 (M12?)
- The final recommendations will then be provided to the operational infrastructures and federations (DNA3.4, M24)

Slide 4: Initial survey (by RENATER)
Survey of 2385 eduGAIN entities (GÉANT CoCo, REFEDS R&S, …) using existing tools:
- https://technical.edugain.org/entities.php
- https://met.refeds.org/
- https://wiki.geant.org/display/AARC/Current+Status+of+SAML+Entity+Categories+Adoption
- https://wiki.geant.org/display/gn41sa5/1.1+Entity+Categories
GÉANT (EU/EEA) Data Protection Code of Conduct: 105 entities in total (42 IdP, 63 SP)
REFEDS Research & Scholarship Category: 85 entities in total (39 IdP, 47 SP)
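The survey above counts, per entity category, how many IdPs and SPs in a metadata aggregate declare it. The following script is an added example, not part of the slides or of any AARC tool: it parses a SAML 2.0 metadata aggregate, tallies entities per category and role, and lists the entities of a given role that lack a category (the "do we miss many SPs?" question from the next slide). The metadata sample is constructed for this example; the category and attribute URIs are the published REFEDS / GÉANT / macedir values. It goes slightly beyond the slide by also reading the Sirtfi assurance-certification attribute, which is expressed differently from an entity category.

```python
"""Count SAML metadata entities per entity category, split by IdP/SP role.

Added example (not from the AARC slides): a federation operator can run this
over an eduGAIN aggregate to reproduce the take-up figures on the slide.
"""
import xml.etree.ElementTree as ET

NS = {
    "md": "urn:oasis:names:tc:SAML:2.0:metadata",
    "mdattr": "urn:oasis:names:tc:SAML:metadata:attribute",
    "saml": "urn:oasis:names:tc:SAML:2.0:assertion",
}

# Attribute names used in <mdattr:EntityAttributes> to express categories.
# SPs declare a category they belong to; IdPs declare categories they support;
# Sirtfi is carried as an assurance certification rather than a category.
ENTITY_CATEGORY = "http://macedir.org/entity-category"
ENTITY_CATEGORY_SUPPORT = "http://macedir.org/entity-category-support"
ASSURANCE_CERT = "urn:oasis:names:tc:SAML:attribute:assurance-certification"

RS_URI = "http://refeds.org/category/research-and-scholarship"
COCO_URI = "http://www.geant.net/uri/dataprotection-code-of-conduct/v1"
SIRTFI_URI = "https://refeds.org/sirtfi"
CATEGORIES = {RS_URI: "REFEDS R&S", COCO_URI: "GEANT CoCo", SIRTFI_URI: "Sirtfi"}

# Constructed sample aggregate: two IdPs and three SPs (one an SP proxy).
SAMPLE_METADATA = """
<md:EntitiesDescriptor xmlns:md="urn:oasis:names:tc:SAML:2.0:metadata"
    xmlns:mdattr="urn:oasis:names:tc:SAML:metadata:attribute"
    xmlns:saml="urn:oasis:names:tc:SAML:2.0:assertion">
  <md:EntityDescriptor entityID="https://idp1.example.org/idp">
    <md:Extensions><mdattr:EntityAttributes>
      <saml:Attribute Name="http://macedir.org/entity-category-support">
        <saml:AttributeValue>http://refeds.org/category/research-and-scholarship</saml:AttributeValue>
      </saml:Attribute>
      <saml:Attribute Name="urn:oasis:names:tc:SAML:attribute:assurance-certification">
        <saml:AttributeValue>https://refeds.org/sirtfi</saml:AttributeValue>
      </saml:Attribute>
    </mdattr:EntityAttributes></md:Extensions>
    <md:IDPSSODescriptor protocolSupportEnumeration="urn:oasis:names:tc:SAML:2.0:protocol"/>
  </md:EntityDescriptor>
  <md:EntityDescriptor entityID="https://idp2.example.org/idp">
    <md:IDPSSODescriptor protocolSupportEnumeration="urn:oasis:names:tc:SAML:2.0:protocol"/>
  </md:EntityDescriptor>
  <md:EntityDescriptor entityID="https://sp1.example.net/sp">
    <md:Extensions><mdattr:EntityAttributes>
      <saml:Attribute Name="http://macedir.org/entity-category">
        <saml:AttributeValue>http://refeds.org/category/research-and-scholarship</saml:AttributeValue>
        <saml:AttributeValue>http://www.geant.net/uri/dataprotection-code-of-conduct/v1</saml:AttributeValue>
      </saml:Attribute>
    </mdattr:EntityAttributes></md:Extensions>
    <md:SPSSODescriptor protocolSupportEnumeration="urn:oasis:names:tc:SAML:2.0:protocol"/>
  </md:EntityDescriptor>
  <md:EntityDescriptor entityID="https://sp2.example.net/sp">
    <md:Extensions><mdattr:EntityAttributes>
      <saml:Attribute Name="http://macedir.org/entity-category">
        <saml:AttributeValue>http://www.geant.net/uri/dataprotection-code-of-conduct/v1</saml:AttributeValue>
      </saml:Attribute>
    </mdattr:EntityAttributes></md:Extensions>
    <md:SPSSODescriptor protocolSupportEnumeration="urn:oasis:names:tc:SAML:2.0:protocol"/>
  </md:EntityDescriptor>
  <md:EntityDescriptor entityID="https://proxy.example.net/sp">
    <md:Extensions><mdattr:EntityAttributes>
      <saml:Attribute Name="urn:oasis:names:tc:SAML:attribute:assurance-certification">
        <saml:AttributeValue>https://refeds.org/sirtfi</saml:AttributeValue>
      </saml:Attribute>
    </mdattr:EntityAttributes></md:Extensions>
    <md:SPSSODescriptor protocolSupportEnumeration="urn:oasis:names:tc:SAML:2.0:protocol"/>
  </md:EntityDescriptor>
</md:EntitiesDescriptor>
"""


def _categories_of(entity):
    """Set of category/assurance URIs declared on one EntityDescriptor."""
    found = set()
    for attr in entity.findall("md:Extensions/mdattr:EntityAttributes/saml:Attribute", NS):
        if attr.get("Name") in (ENTITY_CATEGORY, ENTITY_CATEGORY_SUPPORT, ASSURANCE_CERT):
            for value in attr.findall("saml:AttributeValue", NS):
                if value.text:
                    found.add(value.text.strip())
    return found


def _roles_of(entity):
    """An entity may carry both roles; count it under each one it has."""
    roles = []
    if entity.find("md:IDPSSODescriptor", NS) is not None:
        roles.append("IdP")
    if entity.find("md:SPSSODescriptor", NS) is not None:
        roles.append("SP")
    return roles


def parse_entities(xml_text):
    """Yield (entityID, roles, categories) for every EntityDescriptor."""
    root = ET.fromstring(xml_text)
    for entity in root.iter("{%s}EntityDescriptor" % NS["md"]):
        yield entity.get("entityID"), _roles_of(entity), _categories_of(entity)


def count_categories(xml_text):
    """Per known category, the number of IdPs and SPs declaring it."""
    counts = {label: {"IdP": 0, "SP": 0} for label in CATEGORIES.values()}
    for _eid, roles, cats in parse_entities(xml_text):
        for uri in cats:
            label = CATEGORIES.get(uri)
            if label is None:
                continue  # a URI outside the surveyed categories is ignored
            for role in roles:
                counts[label][role] += 1
    return counts


def entities_without(xml_text, category_uri, role):
    """Sorted entityIDs of the given role that do not declare category_uri."""
    return sorted(eid for eid, roles, cats in parse_entities(xml_text)
                  if role in roles and category_uri not in cats)


if __name__ == "__main__":
    for label, by_role in count_categories(SAMPLE_METADATA).items():
        print(f"{label}: {by_role['IdP']} IdP, {by_role['SP']} SP")
    print("SPs without R&S:", entities_without(SAMPLE_METADATA, RS_URI, "SP"))
```

To run it against a real aggregate, replace SAMPLE_METADATA with the downloaded file's contents; the parser only relies on the standard metadata, mdattr and saml namespaces, so signed aggregates parse the same way (signature validation is a separate step this example does not perform).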

Slide 5: How to make progress?
Gaps or problems to be addressed
- Federations not exposing IdPs to eduGAIN; willing IdPs with metadata re-written by the FO
- How many AARC SPs are in eduGAIN (do we miss many?)
- What about Sirtfi trust compliance?
- How to encourage adoption? (we have to address “deployment mechanisms”)
  - TNC2015 Attribute Release workshop was good
- How do we extend to general Attribute Authorities and others?
Identification of entities to be classified (non-IdP AA, credential translator, others from JRA1?)
- What codes of conduct are required? Data Protection?
- Other operational best practices (IGTF has a profile addressing this for AA)
Formulate recommendations on the grouping of entities and on the actual deployable mechanisms (for SA1)

Slide 6: Scalable Policy Negotiation?
Not bi-lateral contracts!
- Apply the same policy to all (an approach which works if we can deploy it): R&S, CoCo, Sirtfi, EU Data Protection Model Contract…
- Or different policies built on a template
GÉANT/eduGAIN, REFEDS, Sirtfi, EGI SPG, IGTF are all defining and deploying policies and best practices
So what do we (AARC TNA2.4) have to do?
- Do we need to categorise AAs and credential translators?
- What different categories do we have?

Slide 7: Proposed TNA3.4 activities
Consider policies and mechanisms for other entities
- Attribute Authorities, Credential Translators, SP Proxies (gateways)
- IGTF has a profile for AAs – we could build on this?
How do we encourage deployment?
- Test in AARC SA1
- Lots of good training and dissemination from NA2
- What can NA3 do?
Seek appropriate guidance and input from stakeholders
- Particularly libraries

Slide 8: Policies for SP-Proxy?
See architecture pictures (use cases) from Marcus/Christos
- SPs behind a proxy want to be registered with the federation as R&S
- Many SPs behind a portal or gateway cannot/do not want to join a federation
This was discussed at a session in Internet2/TechX/ACAMP (Cleveland), “Research and Science Gateways”: https://spaces.internet2.edu/display/ACAMP2015/ACAMP+2015+Home
- A VO is not a legal entity – it cannot sign federation agreements
- They don’t want to register metadata
- The federation holds the gateway responsible
- The gateway needs a policy to apply to the proxied SPs
- A template policy would be very useful
If we agree this is an interesting use case, I propose we work on a template

Slide 9: Thank you – Any Questions?
© GÉANT on behalf of the AARC project. The work leading to these results has received funding from the European Union’s Horizon 2020 research and innovation programme under Grant Agreement No. 653965 (AARC).
https://aarc-project.eu
david.kelsey@stfc.ac.uk
