Géant-TrustBroker: Dynamic inter-federation identity management. Daniela Pöhn, TNC2014, Dublin, Ireland, May 19th, 2014.

Presentation transcript:


2 Connect | Communicate | Collaborate
Background: Where are we today without GNTB?
Current situation:
- Two types of federations:
  - National federations operated by NRENs
  - Community federations operated by research communities / projects
- Inter-federations, e.g., eduGAIN

3 Background: Where are we today without GNTB?
The resulting problem: the SP and the user's IDP need to be in the same federation or inter-federation
→ Communities need to participate in national federations or
→ need to join eduGAIN as a federation
→ IDPs/SPs might need to join several federations
→ Research partners outside eduGAIN / national federations cannot make use of Federated Identity Management

4 Background: Where are we today without GNTB?
Further issues:
- Complexity: Additional contracts increase the overall complexity for IDPs and SPs.
- Limitation through schema: The inter-federation schema is only the common denominator of NREN federations → SPs may not get all required attributes
- Manual work: IDPs need to set up technical details, e.g., attribute filters/release policies, manually → Users may have to wait
- Trust: IDPs have to trust SPs → SPs may not get all required attributes

5 Géant-TrustBroker [GNTB]: The basic idea
Our goal: SPs connected to the user's identity provider (IDP)
- Independent of federation borders
- Dynamic establishment of technical trust and automated configuration
  → No manual setup work for IDPs
  → No waiting time for users
- Reuse of attribute conversion rules → less work for IDPs
- Only needed: registration + plugin
- Complements existing approaches

6 Géant-TrustBroker [GNTB]: The basic idea
More technical:
- GNTB facilitates the user-triggered, on-demand exchange of IDP and SP metadata as the basis for SAML-based AuthNZ
- GNTB therefore complements existing
  → NREN and community federations
  → inter-federations (e.g., eduGAIN)
- GNTB will automate the setup of IDP-SP communication
  → including user attribute conversion
  → excluding organizational aspects
- GNTB will extend Shibboleth by IDP/SP plugins in order to
  → integrate the central metadata repository automatically
  → use attribute conversion rules
  → update the configurations of IDPs/SPs

7 Géant-TrustBroker's Scope
Advantages of GNTB:
- Metadata registry: SPs and IDPs can download metadata.
- User attribute conversion rule repository: IDPs can share and re-use conversion rules.
  → reduces manual work of IDPs
  → conversion rules are automatically integrated into the local configuration
- Virtual IDP and SP: the GNTB workflow seamlessly integrates into standard SAML workflows to "connect" SPs and IDPs on demand.
  → SPs / IDPs only need a plugin

8 Géant-TrustBroker's Scope
Conversion Rule Handling. Typical conversion rules:
- Renaming: attribute is named differently
- Transforming: attribute transformed into another format, e.g., using yyyymmdd instead of yyyy-mm-dd
- Splitting / Merging:
  - source attribute needs to be split by a regex, e.g., we need an attribute role ("Administrator") of a given DN entry "cn=Administrator, ou=Groups, ou=application, o=lrz, c=de"
  - Merging two source attributes, e.g., givenName and surname, into a new one, e.g., commonName, is also possible.

9 Géant-TrustBroker's Scope
Conversion Rule Handling. Typical conversion rules:
- Renaming: attribute is named differently, for example gecos -> displayname

10 Géant-TrustBroker's Scope
Conversion Rule Handling. Typical conversion rules:
- Renaming
- Transforming
- Splitting / Merging
Rules can be searched and reused, e.g., within a federation
Rules can be fetched by API calls by plugins
Rules are automatically added to the local configuration
→ Less manual work for IDPs
→ SPs receive all requested attributes
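The four rule categories from slides 8 to 10 (renaming, transforming, splitting by regex, merging), worked through in code. This is an added example, not code from the slides or from the Géant-TrustBroker project: the rule dictionary schema, the function names and the sample attribute values are assumptions made for this illustration. It shows the ordering dependency between rules and what happens when a rule cannot produce its target (absent source attribute, non-matching regex, malformed date), so the SP-side check can report the attributes the SP will not receive.

```python
# Added example (not from the Géant-TrustBroker slides or project code):
# attribute conversion rules of the four kinds the slides list, applied to a
# constructed IDP attribute set. The rule schema, function names and sample
# values below are assumptions made for this illustration.
import re
from datetime import datetime

# Constructed sample: attributes as an IDP's local schema might hold them.
SAMPLE_IDP_ATTRIBUTES = {
    "gecos": "Alice Example",
    "givenName": "Alice",
    "surname": "Example",
    "dateOfBirth": "1990-04-17",
    "memberOfDN": "cn=Administrator, ou=Groups, ou=application, o=lrz, c=de",
}

# Constructed rule set, one rule per category from the slides (schema assumed).
SAMPLE_RULES = [
    {"type": "rename", "source": "gecos", "target": "displayName"},
    {"type": "transform", "source": "dateOfBirth", "target": "dateOfBirth",
     "from_format": "%Y-%m-%d", "to_format": "%Y%m%d"},
    {"type": "split", "source": "memberOfDN", "target": "role",
     "regex": r"^cn=([^,]+)"},
    {"type": "merge", "sources": ["givenName", "surname"],
     "target": "commonName", "separator": " "},
]


def apply_rule(attrs, rule):
    """Return a new attribute dict with one conversion rule applied.

    A rule whose source is absent or whose regex does not match leaves the
    target unset rather than emitting a partial value; missing_attributes()
    then reports it on the SP side.
    """
    out = dict(attrs)
    kind = rule["type"]
    if kind == "rename":
        if rule["source"] in out:
            out[rule["target"]] = out.pop(rule["source"])
    elif kind == "transform":
        value = out.get(rule["source"])
        if value is not None:
            # strptime rejects values that do not match the declared format,
            # so a malformed date fails loudly instead of being passed through.
            parsed = datetime.strptime(value, rule["from_format"])
            out[rule["target"]] = parsed.strftime(rule["to_format"])
    elif kind == "split":
        value = out.get(rule["source"])
        match = re.search(rule["regex"], value) if value is not None else None
        if match:
            out[rule["target"]] = match.group(1)
    elif kind == "merge":
        parts = [out.get(name) for name in rule["sources"]]
        if all(part is not None for part in parts):
            out[rule["target"]] = rule["separator"].join(parts)
    else:
        raise ValueError(f"unknown rule type: {kind!r}")
    return out


def apply_rules(attrs, rules):
    """Apply rules in order; order matters when one rule's target feeds another."""
    for rule in rules:
        attrs = apply_rule(attrs, rule)
    return attrs


def missing_attributes(attrs, requested):
    """Names the SP requested that the converted attribute set does not contain."""
    return [name for name in requested if name not in attrs]


if __name__ == "__main__":
    converted = apply_rules(SAMPLE_IDP_ATTRIBUTES, SAMPLE_RULES)
    for name, value in sorted(converted.items()):
        print(f"{name} = {value}")
    requested = ["displayName", "role", "commonName", "mail"]
    print("missing:", missing_attributes(converted, requested))
```

Running the block converts gecos to displayName, rewrites the date to 19900417, extracts the role "Administrator" from the DN and builds commonName from givenName and surname; the requested attribute mail is reported as missing because no rule produces it. A rule that cannot be satisfied (for instance a DN without a cn component) leaves its target out instead of guessing, which is the behaviour an IDP operator wants before an assertion is released.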

11 Géant-TrustBroker's Workflow
1. Alice wants to use a service at the SP. She chooses her IDP at GNTB.
2. a) Alice triggers the technical setup. b) The SP has to register at GNTB.
3. GNTB redirects Alice to her IDP for authentication.
4. a) The IDP fetches the metadata of the SP. b) The configuration is automatically updated; the IDP looks for attribute conversion rules.
5. The IDP sends an assertion to the SP. Alice gets access to the service at the SP.

12 Géant-TrustBroker Mockup - Standard

13 Géant-TrustBroker Mockup - Standard

14 Géant-TrustBroker Mockup - New

15 Géant-TrustBroker Mockup - Standard

16 The GNTB project
- GN3+ Open Call project (10/2013 – 03/2015)
- Internet-Draft to IETF in summer 2014
- Shibboleth-based prototype
- Pilot operations hopefully start early 2015
What we have done so far:
- Workflows
- Requirements
- Data Model and Data Access Layer
- Started with Protocols and Implementation
What we still need to do:
- Protocols and Implementation
- Internet-Draft

17 For more details, please see the documents published on TrustBroker's Géant Intranet website: To contact the project team, please