An authorization service for Virtual Organizations (VO)
1 An authorization service for Virtual Organizations (VO) using Sympa group manager
Rafael Diaz Maurin, RENATER
15 June 2015, Porto

Federated identity permits:
-to delegate the authentication of a user to their home institution
-to manage authorization within a single institution (using user attributes)

2 How to easily grant access to a VO web resource for VO members?
[Diagram: federated identities. Institution A IdP, Institution B IdP and the Guest IdP authenticate users; Sympa holds the groups of VO 1, VO 2 and VO 3; the VO web resource consumes them.]
At RENATER we have a federated identity (FedID) infrastructure and a Sympa infrastructure, and many VOs, often with little budget, that need to manage groups and to authenticate and authorize their members. Hence an opportunistic approach: reuse what already exists.
Use case for the VO authorization service:
-VOs need to provide access control to their web resources for the VO members.
-Users' home institutions do not know who the VO members are.
-Which institution will host the VO?
The Authorization Service for VOs is the solution RENATER found to meet this need, reusing the existing infrastructure.
TNC2015, Porto, 15th June An AuthZ service for VOs using Sympa group manager

3 Sympa's user-friendly web interface to manage groups
[Screenshots: Add a member, Edit roles, Add multiple members]
Sympa's main asset: everything in one place. The web interface for group management is easy to use:
-for research communities
-for teachers
-for Jane Doe
-for John Doe

4 Other Sympa assets to manage groups
-Sympa has various connectors to populate the groups: SQL, LDAP, SMTP, flat files, Sympa, SOAP, VOOT...
-Sympa natively offers 4 different roles.
-RENATER is in charge of developing the Sympa project.
-Sympa has been used to manage groups for 18 years.

5 RENATER's Sympa statistics
[Chart: number of groups by domain (most active groups), and growth over the last fifteen years]
Sympa is used by many VOs as their main group manager:
-1608 VOs
-930 VOs with more than 10 members, with up to … members

6 French Federation statistics
-243 Identity Providers (IdP)
-613 Service Providers (SP)
-22243 guest accounts activated
-Plus: RENATER runs a guest Identity Provider

7 An AuthZ service for VOs using Sympa group manager
The service workflow
[Diagram: the user, the home IdP (Institution A, Institution B or the Guest IdP), the SP in front of the VO web resource, and the RENATER Attribute Authority (AA) backed by the Sympa groups; steps 1 to 6 as listed below; SAML2 flow between the SP, the IdP and the AA, SQL flow between the AA and Sympa]
1. The user accesses the resource and is redirected to their home IdP by the SP.
2. The user is authenticated at their home IdP.
3. The SP queries the Attribute Authority (AA) with the user's address (SP --> AA: attribute query).
4. The AA gets the user's group memberships from Sympa (attribute resolution).
5. The AA sends the user's group memberships back (AA sends attributes to the SP).
6. Given the group membership, the SP grants the user access to the resource.
How to use the service
-The VO administrator creates a group on the Sympa platform.
-The VO administrator allows the protected resource to query Sympa.
-The VO administrator populates the group in Sympa.
-The resource manager configures the SP to query RENATER's Attribute Authority for Sympa.
-The resource manager restricts access to the group.
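The two resource-manager steps above (query the AA, then restrict access to the group), as an added example that is not RENATER's or the Sympa project's own configuration: a Shibboleth SP 2.x shibboleth2.xml excerpt that chains a query to the Sympa AA after the home IdP has authenticated the user, the attribute-map.xml entries needed to decode the result, and an attribute-policy.xml that accepts isMemberOf only when the AA issued it. Every hostname, entityID, file name and the group name vo1-members@lists.example.org are placeholders; the NameID format and the use of the mail attribute as the lookup key are assumptions.

```xml
<!-- shibboleth2.xml (excerpt) on the VO web resource's Shibboleth SP 2.x.
     All names below are placeholders, not RENATER's deployment. -->
<SPConfig xmlns="urn:mace:shibboleth:2.0:native:sp:config" clockSkew="180">

  <!-- "Restrict access to the group": only members of the Sympa list reach
       /secure. Values are compared after attribute-policy.xml (below) has
       filtered them, which is what makes the issuer check meaningful. -->
  <RequestMapper type="Native">
    <RequestMap applicationId="default">
      <Host name="vo-resource.example.org">
        <Path name="secure" authType="shibboleth" requireSession="true">
          <AccessControl>
            <Rule require="isMemberOf">vo1-members@lists.example.org</Rule>
          </AccessControl>
        </Path>
      </Host>
    </RequestMap>
  </RequestMapper>

  <ApplicationDefaults entityID="https://vo-resource.example.org/shibboleth"
                       REMOTE_USER="eppn">
    <Sessions lifetime="28800" timeout="3600" checkAddress="false"
              handlerSSL="true" cookieProps="https">
      <SSO discoveryProtocol="SAMLDS"
           discoveryURL="https://discovery.example.org/WAYF">SAML2</SSO>
      <Logout>SAML2 Local</Logout>
      <Handler type="Session" Location="/Session" showAttributeValues="false"/>
    </Sessions>

    <!-- "Configure the SP to query the AA": after the normal attribute
         query to the authenticating IdP, SimpleAggregation sends a SAML2
         AttributeQuery to each listed entity, using the value of the named
         attribute (the user's mail, assumed to be what Sympa keys its
         subscriber table on) as the NameID. The home IdP must therefore
         release "mail" to this SP, or the second query never happens. -->
    <AttributeResolver type="Chaining">
      <AttributeResolver type="Query" subjectMatch="true"/>
      <AttributeResolver type="SimpleAggregation" attributeId="mail"
          format="urn:oasis:names:tc:SAML:1.1:nameid-format:emailAddress">
        <Entity>https://sympa-aa.example.org/idp/shibboleth</Entity>
      </AttributeResolver>
    </AttributeResolver>

    <AttributeExtractor type="XML" validate="true" path="attribute-map.xml"/>
    <AttributeFilter type="XML" validate="true" path="attribute-policy.xml"/>

    <!-- The AA is an entity of its own: without its metadata the SP has
         neither an AttributeService endpoint nor a signing key to trust. -->
    <MetadataProvider type="Chaining">
      <MetadataProvider type="XML" file="federation-metadata.xml"/>
      <MetadataProvider type="XML" file="sympa-aa-metadata.xml"/>
    </MetadataProvider>

    <CredentialResolver type="File" key="sp-key.pem" certificate="sp-cert.pem"/>
  </ApplicationDefaults>

  <SecurityPolicyProvider type="XML" validate="true" path="security-policy.xml"/>
</SPConfig>

<!-- attribute-map.xml (excerpt): decode isMemberOf, mail and eppn -->
<Attributes xmlns="urn:mace:shibboleth:2.0:attribute-map">
  <Attribute name="urn:oid:1.3.6.1.4.1.5923.1.5.1.1" id="isMemberOf"/>
  <Attribute name="urn:oid:0.9.2342.19200300.100.1.3" id="mail"/>
  <Attribute name="urn:oid:1.3.6.1.4.1.5923.1.1.1.6" id="eppn">
    <AttributeDecoder xsi:type="ScopedAttributeDecoder"
        xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance"/>
  </Attribute>
</Attributes>

<!-- attribute-policy.xml (excerpt): group names are trusted only when the
     Sympa AA asserted them. Without the issuer rule, any IdP in the
     federation could assert an isMemberOf value matching the access rule. -->
<afp:AttributeFilterPolicyGroup
    xmlns:afp="urn:mace:shibboleth:2.0:afp"
    xmlns:basic="urn:mace:shibboleth:2.0:afp:mf:basic"
    xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance">
  <afp:AttributeFilterPolicy>
    <afp:PolicyRequirementRule xsi:type="basic:AttributeIssuerString"
        value="https://sympa-aa.example.org/idp/shibboleth"/>
    <afp:AttributeRule attributeID="isMemberOf">
      <afp:PermitValueRule xsi:type="basic:ANY"/>
    </afp:AttributeRule>
  </afp:AttributeFilterPolicy>
  <afp:AttributeFilterPolicy>
    <afp:PolicyRequirementRule xsi:type="basic:ANY"/>
    <afp:AttributeRule attributeID="eppn">
      <afp:PermitValueRule xsi:type="basic:ANY"/>
    </afp:AttributeRule>
    <afp:AttributeRule attributeID="mail">
      <afp:PermitValueRule xsi:type="basic:ANY"/>
    </afp:AttributeRule>
  </afp:AttributeFilterPolicy>
</afp:AttributeFilterPolicyGroup>
```

The access rule can equally live in the web server (with mod_shib on Apache, `Require shib-attr isMemberOf vo1-members@lists.example.org`); what matters is that it is evaluated on the filtered attribute set. The filter deliberately lists only the three attributes the resource uses instead of a wildcard, so nothing else the home IdP releases reaches the application. Whether the aggregation query actually ran is visible in the /Session handler output: an isMemberOf value there must carry the AA as issuer.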

8 An AuthZ service for VOs using Sympa group manager
Implementation
-Based on Sympa and Shibboleth IdP 2.4.4
-Sympa standard installation
-Shibboleth IdP configured as an Attribute Authority
-Attribute isMemberOf provided through the SAML protocol
-DataConnector to query the Sympa database
-Migration to Shibboleth IdP v3 expected in July
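The implementation bullets above, as an added example that is not RENATER's own configuration: the two Shibboleth IdP 2.x files that make a standard IdP act as the Attribute Authority of the diagram, a RelationalDatabase DataConnector against the Sympa database feeding an isMemberOf attribute, and a per-requester release policy. The JDBC coordinates, the SP entityID, the group naming pattern and the Sympa table and column names (taken from a standard Sympa schema, not confirmed by the slides) are assumptions.

```xml
<!-- attribute-resolver.xml (excerpt) on the Shibboleth IdP 2.x that serves
     as the Attribute Authority. Database coordinates, table and column names
     are assumptions about a stock Sympa installation. -->
<resolver:AttributeResolver
    xmlns:resolver="urn:mace:shibboleth:2.0:resolver"
    xmlns:ad="urn:mace:shibboleth:2.0:resolver:ad"
    xmlns:dc="urn:mace:shibboleth:2.0:resolver:dc"
    xmlns:enc="urn:mace:shibboleth:2.0:attribute:encoder"
    xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance">

  <!-- isMemberOf (urn:oid:1.3.6.1.4.1.5923.1.5.1.1): one value per Sympa
       list the subject is subscribed to, sent as a SAML 2 string attribute -->
  <resolver:AttributeDefinition id="isMemberOf" xsi:type="ad:Simple"
      sourceAttributeID="sympaGroup">
    <resolver:Dependency ref="sympaGroups"/>
    <resolver:AttributeEncoder xsi:type="enc:SAML2String"
        name="urn:oid:1.3.6.1.4.1.5923.1.5.1.1" friendlyName="isMemberOf"/>
  </resolver:AttributeDefinition>

  <!-- The "SQL flow" of the diagram. $requestContext.principalName is the
       NameID the SP placed in its AttributeQuery (the user's address). The
       template is expanded into SQL text, not bound as a parameter, so never
       splice other request-supplied values in here, and give the IdP a
       database account that can only SELECT from subscriber_table. -->
  <resolver:DataConnector id="sympaGroups" xsi:type="dc:RelationalDatabase">
    <dc:ApplicationManagedConnection
        jdbcDriver="com.mysql.jdbc.Driver"
        jdbcURL="jdbc:mysql://db.example.org:3306/sympa"
        jdbcUserName="shib_ro" jdbcPassword="CHANGEME"/>
    <dc:QueryTemplate>
      <![CDATA[
        SELECT CONCAT(list_subscriber, '@', robot_subscriber) AS sympaGroup
          FROM subscriber_table
         WHERE user_subscriber = '$requestContext.principalName'
      ]]>
    </dc:QueryTemplate>
    <dc:Column columnName="sympaGroup" attributeID="sympaGroup"/>
  </resolver:DataConnector>
</resolver:AttributeResolver>

<!-- attribute-filter.xml (excerpt): the IdP-side counterpart of "the VO
     administrator allows the protected resource to query Sympa". The AA
     cannot check that the SP really authenticated the address it asks
     about; it trusts the signed query. This per-requester rule is what
     keeps an unrelated SP from enumerating any address's memberships, and
     it releases only the lists that belong to this VO. -->
<afp:AttributeFilterPolicyGroup id="ShibbolethFilterPolicy"
    xmlns:afp="urn:mace:shibboleth:2.0:afp"
    xmlns:basic="urn:mace:shibboleth:2.0:afp:mf:basic"
    xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance">
  <afp:AttributeFilterPolicy id="vo1-resource">
    <afp:PolicyRequirementRule xsi:type="basic:AttributeRequesterString"
        value="https://vo-resource.example.org/shibboleth"/>
    <afp:AttributeRule attributeID="isMemberOf">
      <afp:PermitValueRule xsi:type="basic:AttributeValueRegex"
          regex="^vo1-[a-z0-9-]+@lists\.example\.org$"/>
    </afp:AttributeRule>
  </afp:AttributeFilterPolicy>
</afp:AttributeFilterPolicyGroup>
```

Because no user ever logs in at the AA, the only inputs it acts on are the requester's identity (from the signature or TLS client certificate on the AttributeQuery, checked against federation metadata by the IdP's default security policy) and the NameID inside the query. Both files key on exactly those two things: the DataConnector on the NameID, the filter on the requester. A second VO gets its own AttributeFilterPolicy with its own requester and its own regex; the resolver does not change.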

9 An AuthZ service for VOs using Sympa group manager
FileSender Premium
-RENATER will shortly launch its FileSender Premium service (with extra quotas).
-Access control will make use of our authorization service for VOs.
-The service will be allowed for a metagroup that includes various groups.
-Each group (with a limited number of members) will be managed by the institution that paid for the service.

10 An AuthZ service for VOs using Sympa group manager
Some resources
-A demo is available to test the service:
-Find the documentation here:
-Contact me IRL during the conference at the poster session, or by mail at:

11 Thank you for your attention
Thanks to Lukas Hämmerle from Switch for his work at RENATER ;-)
I will upload a complete presentation with a technical overview (howto) for:
-federation & web masters
-group managers

