Research Community Requirements (FIM4R) David Kelsey (STFC-RAL) VAMP Workshop 6 Sep 2012.

Presentation transcript:

Overview
- FIM4R – “Federated Identity Management for Research”
- Some background
- FIM4R workshops and our paper
- Communities
  – And some use cases
- Vision and Common Requirements
  – More details later today
- Advert: other activities in IGTF and Grids
6 Sep 12 | FIM4R Overview, Kelsey | 2

About me
- Head of Particle Physics Computing Group at STFC-RAL, UK
- Many roles in Grids, Security, AAI, IdM etc
  – Including EGI, GridPP, WLCG, IGTF, SCI, TERENA, FIM4R

Background
- Issue of IdM raised by IT leaders from EIROforum labs (Jan 2011)
  – CERN, EFDA-JET, EMBL, ESA, ESO, ESRF, European XFEL and ILL
- These laboratories, as well as national and regional research organisations, are facing similar challenges
  – Scientific data deluge means massive quantities of data
  – Needs to be accessed by expanding user bases in dynamic collaborations across organisational and national boundaries
- “Facebook” generation demands all the tools (work & social) integrate smoothly
- Also encouraged by EEF and eIRG
- Global problem, not just EU
- “Science” changed to “Research” to include Humanities

Federated IdM for Research (FIM4R)
- A collaborative effort started in June 2011
- Not just EIROforum: includes many ESFRI projects, providers and infrastructures
  – Be inclusive
- Involves photon & neutron facilities, social science & humanities, high energy physics, climate science, life sciences and fusion energy
- Workshops included participation by HTC and HPC infrastructures, TERENA, IGTF, GÉANT/eduGAIN, middleware developers …

Workshops (2)
- 4 workshops to date
  – Link to Jun 2012 agenda below (other links contained within)
- Prepared a paper that documents common requirements, a common vision and recommendations
  – To research communities, identity federations, funding bodies
- Paper: CERN-OPEN

The communities

Life Sciences
- Large community – millions of scientists
- ELIXIR (an ESFRI project)
  – Infrastructure for secure collection, storage and management of bio data
  – Enable linking of biomolecular data to biomedical/clinical data
- Challenges of ELSI data (restricted access because of ethical, legal, societal or other reasons) – Data Access Committees (DAC)
  – E.g. European Genome-phenome Archive (EGA) – ~50 DACs
- Pilot projects
  – Users authenticate with FIM to access ELSI data
  – Automated electronic workflow for an authenticated user to be granted access to a dataset by a DAC

Photon & Neutron Facilities
- > 30,000 users at ~24 facilities
- Largest community is structural biology – all protein structures for drug development are determined here
- Significant commercial activity
- Confidentiality and fine-grained access control essential
- Users are very mobile – facilities highly overbooked
- Increasingly complex analysis
- Data archival and curation should not be left to end users
- Need to manage all aspects, including proposals, travel etc
- EU PaNdata and CRISP both working on a federated open infrastructure for this large community
- Umbrella system being developed
  – Federated IdM system with all facility User Offices linked
  – More details in the local web-based User Office

Humanities
- Several infrastructure projects identified the need for AAI, SSO & federated IdM
  – CLARIN, DARIAH, CESSDA, DASISH, Project Bamboo
- Small numbers of users but growing fast
- CLARIN is valiantly making contracts with national Identity Federations
  – Challenges of negotiating attribute release (ePPN or ePTID + cn, mail, o, ...)
  – Many IdPs do not release (the IdF has no control)
  – Some IdFs require opt-in – does not scale
  – Many “homeless” researchers (either country or institute)

Climate Science
- Researchers use data from many sources
- Management of access control and IdM between multiple domains
  – Is a barrier – many datasets underused
- CMIP5 – international coupled models
  – Tackling many of these issues
  – ~50 modelling centres
- Earth System Grid Federation (ESGF)
  – Deployed to meet needs of CMIP5
  – Includes a complete FIM solution: OpenID for browser-based interactions, MyProxy CA and short-lived certificates; SAML used for attribute management and AuthZ
  – Access control essential for wider use by the Earth Sciences community
- New UK Climate and Environmental Monitoring from Space (CEMS) will use cloud technologies and dynamic trust & credentials

High Energy Physics
- > 10,000 physicists in > 60 countries
- WLCG, EGI, Open Science Grid and others provide a very successful federation (for Grid apps) with SSO and delegation
  – National CAs accredited by IGTF, and growing use of the TCS
  – VOMS Attribute Certificates for AuthZ
- HEP community has many other collaborative tools (wikis, portals, mail lists, etc) where Federated IdM would help a lot
- Credential translation will be needed
  – E.g. the EMI Security Token Service
- Need to tackle LoA
- Concerned about security risks and establishing Trust
  – Role for IGTF (or others) in defining best practice

A recent example use of the WLCG infrastructure (CERN event 4 July 12)
  – 2 slides (ATLAS & CMS)

Combined results: the excess [ATLAS result plot; only labels survived extraction: expected from SM Higgs at given m_H; global significance (for LEE over the search range); maximum excess observed; local significance (including energy-scale systematics) 5.0 σ; probability of background up-fluctuation; the m_H and probability values are not recoverable from the transcript]

Speedy analysis of so much data only possible because of the success of WLCG, EGI, OSG and other related infrastructures
  – Including the Grid AAI!!
  – Not forgetting the accelerator, the experiments, the physicists, the engineers etc etc!

Common vision statement
A common policy and trust framework for Identity Management based on existing structures and federations either presently in use by or available to the communities. This framework must provide researchers with unique electronic identities authenticated in multiple administrative domains and across national boundaries that can be used together with community defined attributes to authorize access to digital resources.

Common Requirements
- User friendliness
  – Many users use infrequently
- Browser and non-browser federated access
- Bridging between communities
- Multiple technologies and translators
  – Translation will often need to be dynamic
- Open standards and sustainable licences
  – For interoperability and sustainability
- Different Levels of Assurance
  – When credentials are translated, LoA provenance is to be preserved
- Authorisation under community and/or facility control
  – Externally managed IdPs cannot fulfil this role
- Well defined, semantically harmonised attributes
  – For interoperable authorisation
  – Likely to be very difficult to achieve!

Requirements (2)
- Flexible and scalable IdP attribute release policy
  – Different communities and different SPs need different attributes
  – Negotiate with the IdF, not all IdPs – for scaling
- Attributes must be able to cross national borders
  – Data protection/privacy considerations
- Attribute aggregation for authorisation
- Privacy and data protection to be addressed with community-wide individual identities
  – We need to identify individuals: e.g. ethical committees can require names, addresses and supervisors to grant access

Operational Requirements
- Risk analysis
- Traceability
  – Audit trails include IdPs
- Security incident response
  – To include all IdPs and SPs
- Transparency of policies
  – To gain trust of SPs and users
- Reliability and resilience
- Smooth transition (from today’s production)
- Easy integration with local SP
  – SP likely to want to support multiple AuthN technologies
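The vision statement and the three requirements slides above describe one flow: an identity asserted by an external IdP, a check that the federation released the attributes the SP needs, aggregation of community-managed attributes on top of that identity, translation into an internal credential that keeps its LoA provenance, an authorisation decision that stays under community control, and an audit record that names the IdP so incidents can be traced. The Python below is an added illustration of that flow, not code from the slides or from any FIM4R community or project; the IdP entityID, attribute values, LoA labels, community attribute authority and resource policy are all constructed for the example.

```python
from dataclasses import dataclass
from typing import Dict, List, Optional

# --- Constructed sample data (not from the slides) -----------------------

# What a Service Provider might receive from an IdP via an identity
# federation. Attribute names follow eduPerson; entityID and values are
# invented, and "loa" stands in for whatever assurance signalling the IdP uses.
IDP_ASSERTION = {
    "issuer": "https://idp.example-university.example/idp",  # hypothetical entityID
    "eduPersonPrincipalName": "alice@example-university.example",
    "mail": "alice@example-university.example",
    "o": "Example University",
    "loa": "substantial",
}

# Community-managed attribute authority (a VO membership service or a Data
# Access Committee decision list). This is community data: an externally
# managed IdP cannot know it, which is why authorisation stays with the community.
COMMUNITY_AA = {
    "alice@example-university.example": {
        "vo": "example-vo",
        "roles": ["dac-approved:dataset-42"],
    },
}

# Community-defined access policy per resource: required role and minimum LoA.
RESOURCE_POLICY = {
    "dataset-42": {"role": "dac-approved:dataset-42", "min_loa": "substantial"},
}

# Hypothetical LoA ordering so levels can be compared.
LOA_RANK = {"low": 1, "substantial": 2, "high": 3}

# Minimum attribute set the SP has negotiated with the federation.
REQUIRED_RELEASE = ("eduPersonPrincipalName", "mail")


@dataclass
class TranslatedToken:
    """Internal credential after translation. The LoA and the IdP that
    asserted it travel with the token instead of being dropped on the way."""
    subject: str
    idp: str
    loa: str
    loa_source: str
    community_attrs: Dict


def missing_attributes(assertion: Dict) -> List[str]:
    """Attributes in REQUIRED_RELEASE that the IdP did not release."""
    return [a for a in REQUIRED_RELEASE if not assertion.get(a)]


def translate(assertion: Dict, community_aa: Dict) -> Optional[TranslatedToken]:
    """Translate the federation assertion into an internal token, aggregating
    the IdP-asserted identity with community-asserted attributes."""
    if missing_attributes(assertion):
        return None
    subject = assertion["eduPersonPrincipalName"]
    return TranslatedToken(
        subject=subject,
        idp=assertion["issuer"],
        loa=assertion.get("loa", "low"),   # absent LoA is treated as the lowest
        loa_source=assertion["issuer"],    # provenance preserved across translation
        community_attrs=community_aa.get(subject, {}),
    )


def authorise(token: TranslatedToken, resource: str) -> str:
    """Community policy decision. Returns 'granted' or a denial reason."""
    policy = RESOURCE_POLICY[resource]
    if policy["role"] not in token.community_attrs.get("roles", []):
        return "denied: no community approval for resource"
    if LOA_RANK.get(token.loa, 0) < LOA_RANK[policy["min_loa"]]:
        return f"denied: LoA {token.loa} from {token.loa_source} below {policy['min_loa']}"
    return "granted"


def access(assertion: Dict, resource: str, community_aa: Dict = COMMUNITY_AA) -> Dict:
    """Full flow: release check, translation, authorisation, audit record."""
    token = translate(assertion, community_aa)
    if token is None:
        decision = "denied: IdP did not release " + ", ".join(missing_attributes(assertion))
        subject = assertion.get("eduPersonPrincipalName", "<unknown>")
    else:
        decision = authorise(token, resource)
        subject = token.subject
    # The audit record names the IdP so an incident can be traced back to it.
    audit = {"subject": subject, "idp": assertion.get("issuer"),
             "resource": resource, "decision": decision}
    return {"granted": decision == "granted", "decision": decision, "audit": audit}


if __name__ == "__main__":
    print(access(IDP_ASSERTION, "dataset-42"))
```

The split between `translate` and `authorise` is the point: the IdP supplies identity and assurance, the community attribute authority supplies entitlements, and the policy decision consumes both. Swapping the IdP for another federation member changes nothing on the community side, and the `loa_source` field is what a downstream service would check when it needs to know which IdP stands behind the asserted assurance level.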

Legal, Policy & Trust
- Contracts or SLAs between communities and IdFs must be scalable
  – Include maximum number of participants
  – Bi-lateral agreements will not scale
- Standards of Trust (or Codes of Conduct) similar to the IGTF approach are an attractive, scalable solution

Other efforts to build Trust
- International Grid Trust Federation
  – Guidelines for Attribute Authority Service Provider Operations –
- Grids (EGI Security Policy Group)
  – VO Membership Management Policy –

Questions?