CLARIN Federated Identity Vision

Presentation transcript:

CLARIN Federated Identity Vision
Dieter van Uytvanck, Daan Broeder
Federated Identity Workshop at RAL, 2-3 November 2011

CLARIN Fed Id Vision
- A set of well-defined, semantically harmonized user attributes is released by all IdPs in the inter-federation
- Perhaps by user consent … not by IdP consent, which scales badly
- In an inter-federation all agreed attributes may pass national borders
- Metadata exchange by eduGAIN
- Library walk-ins distinguished by attributes
- LoA for credentials distinguished by attributes
- Specific community-required attributes are stored in an 'external' community-specific attribute store: VO-Platform
- Non-browser based resource access still enabled by federated identity: SLICS, OAUTH2, …

CLARIN Use Case

CLARIN “Holy Grail” User Scenario
- A researcher authenticates at his own organization and creates a “virtual” collection of resources from different repositories. He does this on the basis of browsing a catalogue, searching through metadata, or searching in resource content.
- To be granted access to this distributed dataset he signs the appropriate licenses.
- He is then able to use a workflow specification tool and process this virtual collection using LT tools in the form of reliable distributed web services which he is authorized to use.
- (Intermediate) results are stored in a user-specific workspace.
- After evaluation, the resulting data (including metadata) can be added to a repository and the “virtual” collection specification can be stored for future reference using PIDs.

What CLARIN wants to achieve is perhaps best illustrated with a use case where many aspects of the infrastructure come into play. The virtual collection is “virtual” because it is somewhat accidental, in the sense that it is defined by the user rather than the producer. With respect to infrastructure, CLARIN wants to solve: (1) authentication and identity issues for a user wanting to access resources distributed over several archives; (2) finding resources in the joint domain of interoperable metadata; (3) processing resources using tools and services that are also distributed, and storing the result. Metadata is essential: without it you cannot locate the resources you need. For our domain this is ambitious and challenging, but even a partial realization is worthwhile.

Use case: creating & using Virtual Collections
1. User selects suitable resources at center A, using a specific app at center A, after logging in via his organizational account
2. User selects suitable resources at center B using a center-specific app, making use of SSO
3. References are added to a Virtual Collection registry via a VC registry app, for future reference and use
4. The VC is processed by a workflow of LT Web services
5. The identity of the user is delegated to shielded WSs that can use it to access resources

(5) is perhaps not directly connected to Federated Identity, but the connection between FedId and WS security must be made.

Diagram (steps 1-5 as numbered above): Center A, Center B, IdP, VC Registry, Workflow manager, WS 1, WS 2

Obstacles
- How do we get the user's IdP in the national federation and make the IdP release the right attribute(s) to all the CLARIN SPs?
- Difficult to choose an always-available attribute uniquely identifying the user for authorization. Some use ePPN, others … ePTID.
- Our IdPs and SPs are distributed over Europe, so any assumptions about available attributes are necessarily EU-wide.
- CLARIN (CLARIN SPF) itself distributes the CLARIN SP metadata; every national IDF has its own requirements for this.
- We need a way to delegate a user's identity to (REST) web services, which are widely used in CLARIN. A test setup is being built with BiG-Grid based on OAUTH2.
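The attribute problems raised in the Vision and Obstacles slides (which identifier to rely on, whether the IdP released the agreed set, walk-ins distinguished by attribute), as an added SP-side illustration that is not CLARIN or Shibboleth code: it prefers ePTID over ePPN and never accepts a transient id, refuses an incomplete release, and routes eduPerson library-walk-in affiliations to a public-only decision. The required attribute set, scopes and sample assertions are constructed for this example.

```python
"""Attribute-based access decision at a federated SP (added example, not CLARIN code)."""
from typing import Dict, List, Optional, Tuple

# Identifiers in preference order: ePTID is opaque and stable per SP; ePPN is
# readable but an IdP may reassign it. Transient NameIDs are deliberately absent:
# they change every session and cannot anchor an authorization decision.
STABLE_ID_ATTRS = ("eduPersonTargetedID", "eduPersonPrincipalName")
# Attributes the inter-federation would need every IdP to release (assumed set).
REQUIRED_ATTRS = ("eduPersonScopedAffiliation", "mail")


def resolve_subject(attrs: Dict[str, str]) -> Optional[Tuple[str, str]]:
    """Return (identifier, attribute_used), or None if no stable id was released."""
    for name in STABLE_ID_ATTRS:
        value = attrs.get(name, "").strip()
        if value:
            return value, name
    return None


def missing_attributes(attrs: Dict[str, str]) -> List[str]:
    """List required attributes the IdP did not release (absent or empty)."""
    return [a for a in REQUIRED_ATTRS if not attrs.get(a, "").strip()]


def is_walk_in(attrs: Dict[str, str]) -> bool:
    """True if any scoped affiliation carries the eduPerson 'library-walk-in' value."""
    raw = attrs.get("eduPersonScopedAffiliation", "")
    return any(v.split("@")[0].strip() == "library-walk-in" for v in raw.split(";"))


def decide(attrs: Dict[str, str]) -> Tuple[str, str]:
    """Return (decision, reason): deny when the user cannot be identified or the
    release is incomplete, public-only for walk-ins, otherwise allow."""
    subject = resolve_subject(attrs)
    if subject is None:
        return "deny", "no stable identifier (ePTID/ePPN) released"
    missing = missing_attributes(attrs)
    if missing:
        return "deny", "IdP withheld: " + ", ".join(missing)
    decision = "public-only" if is_walk_in(attrs) else "allow"
    return decision, "%s via %s" % subject


# Constructed sample assertions, Shibboleth SP style (multi-valued attributes ';'-joined).
RESEARCHER = {"eduPersonTargetedID": "https://idp.example.org!https://sp.example.org!Q3k9",
              "eduPersonScopedAffiliation": "staff@example.org;member@example.org",
              "mail": "r@example.org"}
WALK_IN = {"eduPersonPrincipalName": "guest42@lib.example.org",
           "eduPersonScopedAffiliation": "library-walk-in@lib.example.org",
           "mail": "desk@lib.example.org"}
ANONYMOUS = {"eduPersonScopedAffiliation": "member@example.org", "mail": "x@example.org"}
```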