https://aarc-project.eu

Slide 1: Authentication and Authorisation for Research and Collaboration
Attribute management pilots: report and plans
Peter Solagna, SA1.2 Task leader, EGI.eu
Milano, AARC General meeting

Slide 2: Overview
- SA1.2 introduction and goals
- Work done so far
- Next steps

Slide 3: SA1.2 Goals

Slide 4: Piloting the attribute management services
- Third party sources of information for:
  - VO membership and group management within the collaboration
  - Extension of the attributes provided by the IdP
  - Increasing the LoA
- *Third party* is important
  - Not attributes managed by the IdP
  - Additional information that can be managed directly by the user communities or research infrastructure

Slide 5: Goals of SA1.2
- Test solutions for attribute management
  - Test technical feasibility of third party attribute authorities
  - Integration with the end services: how services consume the attributes
  - Workflows for the attribute query
  - Attribute aggregation
- Test the usability of the attribute authorities
  - In practice, how these tools can support group management for the VOs
- Fulfilment of the user stories gathered in JRA1
  - Collaboration between SA1.2 and JRA1.4

Slide 6: Who is contributing to SA1.2
- EGI.eu: task leader, integration of AA with resource provisioning services
- SurfNET: attribute authorities and aggregators, VOpaas
- GARR: liaise with JRA1.4
- CESNET: Perun, VOpaas
- GRNET: attribute aggregation
- DARIAH: Shibboleth attribute authorities
- Nikhef: VOMS

Slide 7: When can a pilot be considered successful?
- So far attribute management services have been tested in a very basic (unit-test) way:
  - Are attributes released?
  - Can attributes be managed by the VOs themselves?

Slide 8: The work so far

Slide 9: Attribute authorities workbench
[Diagram: IdP, Attribute Management Service, Aggregator, SP]

Slide 10: Pilot: Attribute management for Cloud access
- Name: Third party attribute authorities for group management in a Cloud Management System
- Stakeholders: EGI and cloud providers
- Pilot goals:
  - Provide access to cloud resources to users owning federated credentials
  - Allow users to manage their VO membership with federated credentials
- Required resources:
  - Attribute authority
  - IdP
  - Attribute aggregator
  - Non-production cloud management system

Slide 11: Experience with HEXAA
- Very basic functionality testing performed: it works
- HEXAA currently requires the service providers to be configured in the AA itself:
  - Configure the IdPs authorized to authenticate HEXAA users
  - Configure the SPs authorized to access attributes
  - Mapping VO -> SP
- An aggregator/proxy is required to use the AA with a non-static list of service providers

Slide 12: Integration with cloud management system
Workflow:
- Users log in to the web UI of the cloud management system using their federated (SAML) credentials
- The service provider supports the user's virtual organization
- The service provider gets confirmation of the user's VO membership through an attribute contained in the assertion
- The user gets access to resources

Slide 13: Experience with OpenStack so far
- Starting from the Icehouse release of Keystone (the auth component of OpenStack), federated authentication is supported
  - Native support in OpenStack
  - OpenStack supports both SAML (Shibboleth and Mellon) and OpenID Connect
  - Available in the V3 identity API of Keystone
- Users are not mirrored in OpenStack, to ensure SSO capabilities
- Users are mapped into OpenStack groups and roles with rules based on the attributes
- OpenStack does not support an IdP + attribute authority scenario
  - At least, not out of the box
  - An attribute aggregator is required
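To make the "rules based on the attributes" concrete, here is an added example (not Keystone's code and not part of the presentation): a minimal evaluator for mapping rules in the JSON shape Keystone's federation mapping uses, where every "remote" condition must match and the "local" part names the user and groups the match yields. The entitlement URNs, group names and the sample attribute set are constructed for the example.

```python
# Added example (not Keystone's code): evaluate federation mapping rules in
# the JSON shape Keystone uses. "remote" lists conditions that must all hold;
# "local" gives the user/groups produced. URNs and names are constructed.
MAPPING = {"rules": [
    {"remote": [{"type": "eppn"},
                {"type": "eduPersonEntitlement",
                 "any_one_of": ["urn:example:vo.example.org:role=member"]}],
     "local": [{"user": {"name": "{0}"}},
               {"group": {"name": "vo.example.org-members"}}]},
    {"remote": [{"type": "eppn"},
                {"type": "eduPersonEntitlement",
                 "any_one_of": ["urn:example:vo.example.org:role=admin"]}],
     "local": [{"user": {"name": "{0}"}},
               {"group": {"name": "vo.example.org-admins"}}]},
]}

# Constructed attribute set as the SP sees it after the SAML assertion; the
# VO entitlement is assumed to have been aggregated in already (see slide 13).
SAMPLE_ATTRS = {
    "eppn": ["alice@idp.example.org"],
    "eduPersonEntitlement": ["urn:example:vo.example.org:role=member"],
}


def rule_matches(rule, attrs):
    """Return the positional values captured by plain conditions, or None."""
    direct = []
    for cond in rule["remote"]:
        values = attrs.get(cond["type"], [])
        if "any_one_of" in cond:
            # Filter condition: at least one asserted value must be allowed.
            if not set(values) & set(cond["any_one_of"]):
                return None
        elif values:
            direct.append(values[0])  # feeds "{0}", "{1}", ... in "local"
        else:
            return None               # required attribute absent
    return direct


def map_federated_user(attrs, mapping=MAPPING):
    """Map assertion attributes to (user name, set of groups); None if no rule fires."""
    user, groups = None, set()
    for rule in mapping["rules"]:
        direct = rule_matches(rule, attrs)
        if direct is None:
            continue
        for local in rule["local"]:
            if "user" in local:
                user = local["user"]["name"].format(*direct)
            if "group" in local:
                groups.add(local["group"]["name"])
    return (user, groups) if user else None
```

A user whose assertion carries no matching entitlement gets no local user or group at all, which is the "no mapping, no access" behaviour the pilot relies on.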

Slide 14: Experience with OpenNebula so far
- No native support for SAML or other federated identity
- A plugin has been developed by SZTAKI for OpenNebula Sunstone
  - It contains two SimpleSAMLphp modules and a patch to connect these modules with the OpenNebula core
  - AFAIK it has not yet been included in an official ON release
- The deployment scenario requires an aggregator

Slide 15: First set of issues to be reported
- Support for federated authentication at service level
  - Support is increasing but not yet available everywhere
- Support for a third party attribute authority
  - Even services natively supporting federated user authentication via SAML or other protocols may not support attribute queries to third party services
  - Solution: aggregation services can provide all the attributes in a single query
- Identification of the authoritative attribute services
  - How can a service discover which attribute authorities are authoritative for a virtual organization?
  - Again aggregation can help: services just need to know the authoritative aggregators, a relatively static list
  - Services consuming the attributes directly from the attribute authorities need to know which attributes qualify the users' VO membership
    - Some level of uniform attribute naming, or an attribute mapping service

Slide 16: First set of issues to be reported /2
- Overload of attributes
  - How can services or aggregators handle the situation where the IdP and the attribute authority provide the same attribute?
- Removal of a user from a user community
  - Perhaps more relevant for cloud services, where virtual machines run for long periods
  - If a user no longer holds the VO attributes, the service provider is not automatically notified
    - And most probably cannot check with the attribute authority
  - In some use cases, mechanisms are needed to check the user's privileges periodically
    - Or to be notified when the user's attributes change
  - No general solution, yet
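The two issues on this slide are what an aggregator sitting between IdP, AA and SP has to decide. The following is an added example, not code from any of the tools named in the presentation: a merge step with a per-attribute authority policy (so an overloaded attribute such as eduPersonEntitlement is taken from exactly one source), and a time-bounded membership cache that forces a fresh AA query instead of trusting a VO attribute for the life of a session or VM. Attribute names, URNs and the sample sources are constructed; the AA lookup is a caller-supplied function.

```python
import time

# Added example (not a product's code). Which source is authoritative when
# both the IdP and the third-party AA assert the same attribute: identity
# attributes come from the IdP, VO/group attributes from the AA.
AUTHORITY = {
    "eppn": "idp",
    "mail": "idp",
    "eduPersonEntitlement": "aa",  # VO membership: AA wins, IdP values dropped
    "isMemberOf": "aa",
}
MEMBERSHIP_TTL = 3600  # seconds before VO attributes must be re-fetched


def aggregate(idp_attrs, aa_attrs, policy=AUTHORITY):
    """Merge two attribute sets; an attribute with a declared authority is
    taken only from that source, anything else is the de-duplicated union."""
    merged = {}
    for name in sorted(set(idp_attrs) | set(aa_attrs)):
        src = policy.get(name)
        if src == "idp":
            merged[name] = list(idp_attrs.get(name, []))
        elif src == "aa":
            merged[name] = list(aa_attrs.get(name, []))
        else:
            union = list(idp_attrs.get(name, [])) + list(aa_attrs.get(name, []))
            merged[name] = list(dict.fromkeys(union))  # keep order, drop dupes
    return merged


class MembershipCache:
    """Caches AA attributes per user and re-queries the AA once the TTL has
    expired, so a revoked VO membership is noticed within one TTL."""

    def __init__(self, query_aa, ttl=MEMBERSHIP_TTL, clock=time.time):
        self.query_aa, self.ttl, self.clock = query_aa, ttl, clock
        self._cache = {}  # user -> (fetched_at, attributes)

    def attributes(self, user):
        entry = self._cache.get(user)
        if entry is None or self.clock() - entry[0] > self.ttl:
            entry = (self.clock(), self.query_aa(user))  # fresh AA lookup
            self._cache[user] = entry
        return entry[1]

    def is_member(self, user, entitlement):
        """True while the AA still asserts the entitlement (within the TTL)."""
        return entitlement in self.attributes(user).get("eduPersonEntitlement", [])
```

The TTL is the trade-off the slide describes: a short TTL catches removals sooner at the cost of more AA queries, and a push notification from the AA would let the cache be invalidated without polling.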

Slide 17: Next steps

Slide 18: Until the end of PY1
- Consolidate the workbench (end 2015)
  - Have a basic setup of:
    - IdP, with test users
    - Attribute authorities: different implementations, with test VOs and attributes already available
    - Aggregator(s)
- Run further tests with different types of services and expand the set of AAs tested (1st quarter 2016)
  - Cloud providers
  - Portals and, in general, web-based services
- Pilot also use cases other than group management (2nd quarter 2016)
  - Starting from the inputs from JRA1 and the requirements/user stories, with/without aggregator scenarios
- Start to deploy the architecture suggested in the blueprint (2nd quarter 2016)

Slide 19: Beyond PY1
- How attribute management pilots will evolve
  - Piloting the use cases provided by JRA1 and the blueprint architecture
  - Attribute management for communities whose users have mixed credentials
- Integration with the other pilots
  - Guest users
  - Token translation
    - Attributes to regulate the access of a user to a credential translation service
    - Attribute translation
  - Access to resources
    - Integration of AA in a non-web scenario

Slide 20: Feedback?
- Attribute management service: which one should we pilot?
- Use cases: are there use cases that can be tested in the pilots right now?
  - My naive view is that the use cases are relatively similar
- Multi-task pilots: should we start planning now, or is it too early?
