Presentation is loading. Please wait.

Presentation is loading. Please wait.

Networks ∙ Services ∙ People www.geant.org Andrea Biancini #TNC15, Porto, Portugal Implementing Grouper to federate user authorization Federated Authorization.

Published byRodger Allen Modified over 8 years ago

Similar presentations

Presentation on theme: "Networks ∙ Services ∙ People www.geant.org Andrea Biancini #TNC15, Porto, Portugal Implementing Grouper to federate user authorization Federated Authorization."— Presentation transcript:

1 Networks ∙ Services ∙ People www.geant.org Andrea Biancini #TNC15, Porto, Portugal Implementing Grouper to federate user authorization Federated Authorization June 16 th, 2015 JRA3 T1 - Possibilities for Grouper in a cross/inter organizational use R&D Project Manager @ Consortium GARR and IDEM Part of the GÉANT Project (GN4-1) distributed workshop

2 Networks ∙ Services ∙ People www.geant.org Currently, the goals of an Identity Federation are: give a delegated mechanism to manage user identification among different entities and within different subjects; provide a set of attributes to an authenticated users to be used by the final application. Federations today We decided to extend the success of current identity federation to the field of user authorization.

3 Networks ∙ Services ∙ People www.geant.org Traditionally, identity federations have solved the authorization problems with two opposite approaches: SP managed authorization IdP managed authorization A different approach may be followed (leveraging Attributes Authorities and implementing tools like Grouper) where authorization is delegated to a specific system designed for that purpose. How to reach that goal?

4 Networks ∙ Services ∙ People www.geant.org We want to evaluate the introduction of Grouper for a cross/inter organizational use. Grouper will be used to manage in a centralized way (yet permitting delegation): Groups of users Authorization attributes for users. Tools

5 Networks ∙ Services ∙ People www.geant.org To prove real use cases, three SPs will be integrated with Grouper in a Proof of Concept: A MediaWiki application: Grouper will manage user groups for read/write access; A Moodle application: Grouper will provide course list and manage students/teachers enrolment to courses; A custom application (not covered within this presentation). Proof of Concept

6 Networks ∙ Services ∙ People www.geant.org MediaWiki – 1/3 To implement this use case we had to define access groups within MediaWiki. MediaWiki defines standard groups which are always present: Administrators: administrators of the wiki Bureaucrats: technical personnel of the wiki Users: registered users of the wiki Besides, it is possible to define new groups as needed.

7 Networks ∙ Services ∙ People www.geant.org Inside Grouper we can define a coherent group structure and we can assign different users (even from different VOs) to these groups. In this way the group membership of a user is described in Grouper and will be retrieved by MediaWiki during the login operation of accessing users. MediaWiki – 2/3

8 Networks ∙ Services ∙ People www.geant.org At login time user groups are retrieved from the Attribute Authority. MediaWiki uses the Shibboleth Authentication module, modified within this activity, to manage the attribute describing group memberships. MediaWiki – 3/3

9 Networks ∙ Services ∙ People www.geant.org Moodle This use case needs to retrieve groups and attributes for authorization during the login phase (as the case for the wiki). Besides, Moodle also needs some off-line interfaces (executed not only at login time) to query Grouper and retrieve: a list of courses; a list of teachers; and a list of students for each course.

10 Networks ∙ Services ∙ People www.geant.org VOOT is a protocol for exchanging group information externally to applications. Very simple API: The VOOT protocol

11 Networks ∙ Services ∙ People www.geant.org Moodle integration – 1/2 In Grouper we create a group for each course that must be activated on the Moodle platform. User members of these groups can be of two kinds: 1. the «admin» members will be teachers of the course 2. all other members will be students of the course.

12 Networks ∙ Services ∙ People www.geant.org Moodle integration – 2/2 Moodle will use an enrollment plugin to retrieve the group information from Grouper. For this purpose, a specific enrollment plugin has been developed. It is able to retrieve information form a VOOT server.

13 Networks ∙ Services ∙ People www.geant.org The wiki page for the JRA3 T1 activity: https://wiki.terena.org/display/gn3pjra3/Grouper+in+a+cross+organisational+context The code developed to integrate MediaWiki with Grouper: https://www.mediawiki.org/wiki/Extension:Shibboleth_Authentication The code developed to integrate Moodle with Grouper: https://github.com/ConsortiumGARR/moodle-enrol_voot The VOOT connector for Grouper: https://github.com/Internet2/grouper/tree/master/grouper-misc/grouper-voot References

14 Networks ∙ Services ∙ People www.geant.org The architecture explored is being rolled out into two production environments: 1. To model access of the GN4 project, phase 1 activities. 2. To model authorization for the applications operating IDEM (the Italian Identity Federation). During the PoC it we had the opportunity to address problems and future activities, in particular: AAs still have some issue regarding privacy and security. User enrolment must be supported to reduce effort. Conclusion

15 Networks ∙ Services ∙ People www.geant.org Thank you Networks ∙ Services ∙ People www.geant.org This work is part of a project that has applied for funding from the European Union’s Horizon 2020 research and innovation programme under Grant Agreement No. 691567 (GN4-1). 15

Download ppt "Networks ∙ Services ∙ People www.geant.org Andrea Biancini #TNC15, Porto, Portugal Implementing Grouper to federate user authorization Federated Authorization."

Similar presentations

CLARIN AAI, Web Services Security Requirements

CLARIN AAI, Web Services Security Requirements
Secure Communication Architectures.

Secure Communication Architectures.
2006 © SWITCH Authentication and Authorization Infrastructures in e-Science (and the role of NRENs) Christoph Witzig SWITCH e-IRG, Helsinki, Oct 4, 2006.

2006 © SWITCH Authentication and Authorization Infrastructures in e-Science (and the role of NRENs) Christoph Witzig SWITCH e-IRG, Helsinki, Oct 4, 2006.
TF-EMC2 February 2006, Zagreb Deploying Authorization Mechanisms for Federated Services in the EDUROAM Architecture (DAME) -Technical Project Proposal-

TF-EMC2 February 2006, Zagreb Deploying Authorization Mechanisms for Federated Services in the EDUROAM Architecture (DAME) -Technical Project Proposal-
A Heterogeneous Network Access Service based on PERMIS and SAML Gabriel López Millán University of Murcia EuroPKI Workshop 2005.

A Heterogeneous Network Access Service based on PERMIS and SAML Gabriel López Millán University of Murcia EuroPKI Workshop 2005.
Catania Science Gateway Framework Motivations, architecture, features Catania, 09/06/2014Riccardo Rotondo

Catania Science Gateway Framework Motivations, architecture, features Catania, 09/06/2014Riccardo Rotondo
SWITCHaai Team Federated Identity Management.

SWITCHaai Team Federated Identity Management.
Www.geant.org AARC Overview Licia Florio, David Groep 21 Jan 2015 presented by David Groep, Nikhef.

AARC Overview Licia Florio, David Groep 21 Jan 2015 presented by David Groep, Nikhef.
Internet2 – InCommon and Box Marla Meehl Colorado CIO 11/1/11.

Internet2 – InCommon and Box Marla Meehl Colorado CIO 11/1/11.
Federated Identity Management for HEP David Kelsey WLCG GDB 9 May 2012.

Federated Identity Management for HEP David Kelsey WLCG GDB 9 May 2012.
AAI-enabled VO Platform “VO without Tears” Christoph Witzig EGI TF, Amsterdam, Sept 15, 2010.

AAI-enabled VO Platform “VO without Tears” Christoph Witzig EGI TF, Amsterdam, Sept 15, 2010.
2005 © SWITCH Perspectives of Integrating AAI with Grid in EGEE-2 Christoph Witzig Amsterdam, October 17, 2005.

2005 © SWITCH Perspectives of Integrating AAI with Grid in EGEE-2 Christoph Witzig Amsterdam, October 17, 2005.
Helsinki Institute of Physics (HIP) - 2003 Liberty Alliance Overview of the Liberty Alliance Architecture Helsinki Institute of Physics (HIP), May 9 th.

Helsinki Institute of Physics (HIP) Liberty Alliance Overview of the Liberty Alliance Architecture Helsinki Institute of Physics (HIP), May 9 th.
The DSpace Course Module – User management and authentication options.

The DSpace Course Module – User management and authentication options.
INFRASTRUCTURE FOR GIS INTEROPERABLITY APPLICATION FACULTY OF INFORMATION AND COMMUNICATION TECHNOLOGY (FTMK) THE TECHNICAL UNIVERSITY OF MALAYSIA MELAKA.

INFRASTRUCTURE FOR GIS INTEROPERABLITY APPLICATION FACULTY OF INFORMATION AND COMMUNICATION TECHNOLOGY (FTMK) THE TECHNICAL UNIVERSITY OF MALAYSIA MELAKA.
Grouper Training Developers and Architects Advanced Topics Chris Hyzer Internet2 University of Pennsylvania This work licensed under a Creative Commons.

Grouper Training Developers and Architects Advanced Topics Chris Hyzer Internet2 University of Pennsylvania This work licensed under a Creative Commons.
Electronic data collection system eSTAT in Statistics Estonia: functionality, authentication and further developments issues 4th June 2007 Maia Ennok,

Electronic data collection system eSTAT in Statistics Estonia: functionality, authentication and further developments issues 4th June 2007 Maia Ennok,
AAI WG EMI Christoph Witzig on behalf of EMI AAI WG.

AAI WG EMI Christoph Witzig on behalf of EMI AAI WG.
Https://aarc-project.eu Authentication and Authorisation for Research and Collaboration Pilots on the Integrated R&E AAI Paul van Dijk, Activity Lead Pilots.

Authentication and Authorisation for Research and Collaboration Pilots on the Integrated R&E AAI Paul van Dijk, Activity Lead Pilots.
© 2006 The University of Chicago Grouper Backgrounder for Authorization WG Tom Barton, U Chicago.

© 2006 The University of Chicago Grouper Backgrounder for Authorization WG Tom Barton, U Chicago.

Similar presentations

Ads by Google