Presentation is loading. Please wait.

Presentation is loading. Please wait.

Christos Kanellopoulos

Published byVerity Murphy Modified over 6 years ago

Similar presentations

Presentation on theme: "Christos Kanellopoulos"— Presentation transcript:

1 Christos Kanellopoulos
TCB AAI Roadmap Christos Kanellopoulos

2 The TCB AAI Established in January 2017 and includes representatives from various EGI service areas, UCST, EGI operations, EGI Security Group and technology providers. Owns, defines and updates the EGI technical roadmap in the areas of Identity Provisioning, Authentication and Authorization in consultation with service providers, user communities and technology providers. Advises on the features, the architecture and the technologies used in the EGI AAI platform The TCB AAI roadmap is a live document, updated regularly based on the feedback received EGI Conference 2017

3 TCB AAI Membership Chairman: C. Kanellopoulos/GRNET*
Co-chairman: Peter Solagna/EGI Technology Providers of critical components A. Ceccanti/INFN VOMS, ARGUS, INDIGO AAI Michal Prochazka/CESNET PERUN Service Providers D. Groep/NIKHEF RCAuth and EUGridPMA C. Kanellopoulos*/GRNET CheckIn (chairman) Service area coordinators D. Scardaci/EGI Collaboration platforms & Ops Tools E. Fernadez/EGI Cloud area M. Viljoen/EGI Data area Security Policies and coordination, operations D. Kelsey/STFC EGI Security Coordination Group P. Solagna/EGI Foundation EGI operations/AARC T. Ferrari/EGI Technical Direction of EGI Gergely Sipos/EGI UCST, user requirements * N. Liampotis/GRNET will be taking over Christos’ responsibilities EGI Conference 2017

4 Timeline January 2017 Formation of the AAI TCB February 2017
Two meetings focusing on input from TCB members. Initial version of the roadmap March 2017 Follow up meeting with TCB member. Updated version of the roadmap May 2017 Face to face meeting at the EGI conference. Published version of the TCB AAI roadmap EGI Conference 2017

5 EGI AAI Goals Enable users to access EGI services and resources using their existing credentials from their Home Organisations (via eduGAIN when possible) Institutional IdPs must provide a unique user identifier Support “homeless” users, who cannot rely on a reliable institutional IdP Support authorised access to protected resources based on VO/group membership and role information Aggregate user attributes from different sources, including community-managed attribute providers Support the linking of multiple external identities to a persistent, non-reassignable, unique user identifier within the EGI infrastructure Associate a Level of Assurance (LoA) to each authenticated identity in the EGI infrastructure Provide protocol translation mechanisms to hide the complexity of different protocols/technologies from EGI services EGI Conference 2017

6 Current status Identity Providers: Service Providers:
SAML2.0: eduGAIN OIDC/OAuth2: Google, Facebook, LinkedIn, ORCID X.509: IGTF Service Providers: SAML2.0 & OIDC Attribute Authorities SAML2.0 Attr. Query, REST, LDAP, SQL Token Translation Services SAML2.0-to-X.509: Master Portal to RCauth.eu Online CA Support for Levels of Assurance User enrolment & account linking IdP Discovery User Consent EGI Conference 2017

7 Short term (2017) 1/4 Requirement
Translation of VO information into VOMS proxies The EGI AAI platform, through the integration with the RCAuth CA, enables users to access services, which require certificate based authentication. For those services that require VOMS proxy certificates, the AAI platform needs to be able translate SAML assertions or OIDC claims to VOMS proxy extensions. Having this capability, users without a personal certificate or users whose VO is not managed by VOMS, will be able to use certificate based services. Priority High Status In progress Partners GRNET, Nikhef EGI Conference 2017

8 Short term (2017) 2/4 Requirement
Provisioning of VOMS information through SAML and OIDC interfaces Although we expect many new communities to use the group management system provided by the CheckIn service, still many communities will continue to be using VOMS as their preferred VO management systems. These users need to be able to access SAML/OIDC services, regardless of the group management system users. VOMS VO membership should be translated into entitlements that included in SAML attribute assertions / OIDC claims Priority High Status In progress Partners GRNET, CESNET EGI Conference 2017

9 Short term (2017) 3/4 Requirement
Provide user documentation - sample code for getting certificates through RCauth.eu Although, the RCAuth CA is already integrated with the CheckIn service and the EGI AAI platform, there is lack of documentation guiding developers how to integrate science portals with the RCAuth CA and the Master portal. The AARC project has already produced sample code and examples. We need to evaluate them, refine them for the purposes of the EGI AAI platform and make them available to the developers. Priority High Status In progress Partners GRNET, Nikhef, LIP EGI Conference 2017

10 Short term (2017) 4/4 Requirement User enrolment and account linking
Users need to register for an EGI account to obtain a personal EGI ID, which can then be used to identify them consistently across all EGI tools and services. Specifically, each user must be associated with one persistent, non-reassignable, non-targeted, unique identifier within the EGI environment. In addition to this identifier, there is a set of attributes required during registration to collect basic information about the user. Ideally, these attributes should be provided by the user’s Home Organisation. Account linking allows registered users to access EGI resources with their existing personal EGI ID, so they can use any of the login credentials they have linked to their account Priority High Status In progress Partners GRNET EGI Conference 2017

11 Longer term (2018 – 2020) 1/10 Requirement (New) RCAuth CA
The RCAuth CA service generates X.509 certificates upon user request making available through the delegation service long-lived X.509 proxies. The RCAuth CA is already accredited as an IOTA CA in IGTF and the delegation portal is and will remain R&S and SIRTFI compliant. The EGI AAI platform relies on the RCAuth CA for enabling federated access to services which require certificate based authentication. The current RCAuth CA service is operated by Nikhef at a limited capacity. The operation of the RCAuth CA will be taken over jointly by EGI, EUDAT and GÉANT and will be operated in highly available environment that will meet the security and scalability requirements of the EGI AAI platform and the rest of the EI/RIs. Priority Medium Status Accepted Partners GRNET, Nikhef + FZJ, STFC EGI Conference 2017

12 Longer term (2018 – 2020) 2/10 Requirement
Master Portal Enhanced High Availability Support The Master Portal is a critical component for the use of PKI based services via the EGI AAI. It is an infrastructure service, offered by the EGI AAI platform and used by all the communities that leverage federated access but require access to PKI based services. The current implementation of the Master Portal does not have support for HA or load balancing configuration. The Master Portal service needs to be able to support HA configurations with automatic failover and load balancing across the HA instances. Priority Medium Status Accepted Partners Nikhef EGI Conference 2017

13 Longer term (2018 – 2020) 3/10 Requirement
Web interface harmonization and branding support for the EGI CheckIn Service The CheckIn Service should be provided "as a Service" to the research communities. The existing service needs to be enhanced, so that it can have community branding when it is used "as a Service". Furthermore, all the user facing web interfaces should have a common, customizable look and feel. Priority Medium Status Accepted Partners GRNET EGI Conference 2017

14 Longer term (2018 – 2020) 4/10 Requirement
Evolution of the Discovery Service to support enhanced filtering capabilities The Discovery Service already supports basic filtering capabilities. The Discovery Service to be able to mask inconsistencies in the identity federations and protect the EGI services from being exposed to them Priority Medium Status Accepted Partners GRNET EGI Conference 2017

15 Longer term (2018 – 2020) 5/10 Requirement
Support for (de-)provisioning and continuous update of user account information Many services require accounts to be provisioned before the users access the service. Even for services, which can provision accounts at the time of the first user access, the account information needs to be kept up to date (e.g. VO/groups/roles) and the services needs to be notified to deprovision the accounts when they become inactive. We need a solution based on standardized protocols, that will allow services that require it, to be notified for account provisioning, deprovisioning and updates. Investigate the use of the EGI Messaging Service as a reliable transport mechanism for the delivery of such notifications. Priority Medium Status Accepted Partners GRNET, CESNET EGI Conference 2017

16 Longer term (2018 – 2020) 6/10 Requirement
Interoperability with EUDAT B2ACCESS Many research communities are or will be using resources and service provided by EGI and EUDAT. The EGI CheckIn service is the AAI gateway for service operated on the EGI infrastructure, while B2AACCESS is a similar AAI gateway for all the EUDAT services. Users should be able to share data, access services and roam across infrastructures in a seamless manner. A pilot activity has already started in the context of the EGI-Engage project with support from AARC. Priority Medium Status Accepted Partners GRNET, Nikhef, STFC, FZJ, KIT EGI Conference 2017

17 Longer term (2018 – 2020) 7/10 Requirement
Self-service interface for managing OIDC access tokens For users to be able to access non-browser accessible services, they need to retrieve OIDC access tokens from the EGI CheckIn Service. Today, there is no automated way to do this and the users are required to build their own OIDC client to be able to retrieve OIDC access tokens. The EGI AAI platform needs a central service that will allow users to generate and manage OIDC general or per service access tokens in a user friendly and secure way. This capability will be required if/when non-web based services start using OIDC access tokens instead of (proxy) certificates, which is the current case. The priority of this requirement will be affected by with plans of TCB-Cloud to adopt OIDC as the means of accessing the Fedcloud APIs. Priority Medium Status Accepted Partners GRNET EGI Conference 2017

18 Longer term (2018 – 2020) 8/10 Requirement
Self-service web interface Web interface for registering OIDC & SAML based SPs The EGI CheckIn Service should provide a secure web interface through which service operators can register their OpenID Connect and SAML based services Priority Low Status Discussion Partners EGI Conference 2017

19 Longer term (2018 – 2020) 9/10 Requirement
Standalone VO/Group Management Service The EGI CheckIn Service comes with a customized integration of the COmanage portal, which provides User Enrolment and VO Management capabilities. There are communities that prefer to operate their own group management system either for retaining certain level of autonomy or because they require dedicated services Priority Low Status Discussion Partners EGI Conference 2017

20 Longer term (2018 – 2020) 10/10 Requirement
Support for centralised fine grained authorization Access to most services is granted based on the roles a user holds or the groups {s}he is member of. Group and role based information and service access rights are made available to the EGI services in the form of eduPersonEntitlements. In the current scheme, authorization policies are typically managed on the service side. There are discussions within Fedcloud about the possible need of a centralised authorization service based on XACML. Such a service would allow to support fine grained authorization policies, which could be uniformly applied across the EGI services. Investigate ARGUS as a potential solution. Priority Low Status Discussion Partners EGI Conference 2017

21

Download ppt "Christos Kanellopoulos"

Similar presentations

EGI-InSPIRE RI-261323 EGI-InSPIRE EGI-InSPIRE RI-261323 AAI in EGI Status and Evolution Peter Solagna Senior Operations Manager

EGI-InSPIRE RI EGI-InSPIRE EGI-InSPIRE RI AAI in EGI Status and Evolution Peter Solagna Senior Operations Manager
Dorian Grid Identity Management and Federation Dialogue Workshop II Edinburgh, Scotland February 9-10, 2006 Stephen Langella Department.

Dorian Grid Identity Management and Federation Dialogue Workshop II Edinburgh, Scotland February 9-10, 2006 Stephen Langella Department.
Neil Witheridge APAN29 Sydney February 2010 ARCS Authorisation Services Neil Witheridge Manager, ARCS Authorisation Services APAN29, Sydney, February 2010.

Neil Witheridge APAN29 Sydney February 2010 ARCS Authorisation Services Neil Witheridge Manager, ARCS Authorisation Services APAN29, Sydney, February 2010.
Authentication and Authorisation for Research and Collaboration Licia Florio (GÉANT) Christos Kanellopoulos (GRNET) Service orientation.

Authentication and Authorisation for Research and Collaboration Licia Florio (GÉANT) Christos Kanellopoulos (GRNET) Service orientation.
AAI WG EMI Christoph Witzig on behalf of EMI AAI WG.

AAI WG EMI Christoph Witzig on behalf of EMI AAI WG.
Https://aarc-project.eu Authentication and Authorisation for Research and Collaboration Peter Solagna Milano, AARC General meeting Current status and plans.

Authentication and Authorisation for Research and Collaboration Peter Solagna Milano, AARC General meeting Current status and plans.
Https://aarc-project.eu Authentication and Authorisation for Research and Collaboration Peter Solagna Milano, AARC General meeting Report and plans Attribute.

Authentication and Authorisation for Research and Collaboration Peter Solagna Milano, AARC General meeting Report and plans Attribute.
Https://aarc-project.eu Authentication and Authorisation for Research and Collaboration Peter Solagna Milano, AARC General meeting Current status and plans.

Authentication and Authorisation for Research and Collaboration Peter Solagna Milano, AARC General meeting Current status and plans.
Authentication and Authorisation for Research and Collaboration Christos Kanellopoulos GRNET Proposed Pilots for Libraries and eGov.

Authentication and Authorisation for Research and Collaboration Christos Kanellopoulos GRNET Proposed Pilots for Libraries and eGov.
Identity Management in DEISA/PRACE Vincent RIBAILLIER, Federated Identity Workshop, CERN, June 9 th, 2011.

Identity Management in DEISA/PRACE Vincent RIBAILLIER, Federated Identity Workshop, CERN, June 9 th, 2011.
JRA1.4 Models for implementing Attribute Providers and Token Translation Services Andrea Biancini.

JRA1.4 Models for implementing Attribute Providers and Token Translation Services Andrea Biancini.
Authentication and Authorisation for Research and Collaboration Christos Kanellopoulos Open Day Event: Towards the European Open.

Authentication and Authorisation for Research and Collaboration Christos Kanellopoulos Open Day Event: Towards the European Open.
Www.eudat.eu EUDAT receives funding from the European Union's Horizon 2020 programme - DG CONNECT e-Infrastructures. Contract No. 654065 B2ACCESS LSDMA.

EUDAT receives funding from the European Union's Horizon 2020 programme - DG CONNECT e-Infrastructures. Contract No B2ACCESS LSDMA.
Www.egi.eu EGI-InSPIRE RI-261323 EGI-InSPIRE www.egi.eu EGI-InSPIRE RI-261323 Evolution of AAI for e- infrastructures Peter Solagna Senior Operations Manager.

EGI-InSPIRE RI EGI-InSPIRE EGI-InSPIRE RI Evolution of AAI for e- infrastructures Peter Solagna Senior Operations Manager.
Networks ∙ Services ∙ People www.geant.org Marina Adomeit FIM4R meeting Virtual Organisation Platform as a Service VOPaaS Nov 30, 2015, Austria Task Leader,

Networks ∙ Services ∙ People Marina Adomeit FIM4R meeting Virtual Organisation Platform as a Service VOPaaS Nov 30, 2015, Austria Task Leader,
European Grid Initiative AAI in EGI Status and Evolution Peter Solagna Senior Operations Manager

European Grid Initiative AAI in EGI Status and Evolution Peter Solagna Senior Operations Manager
David Groep Nikhef Amsterdam PDP & Grid AARC Authentication and Authorisation for Research and Collaboration an impression of the road ahead.

David Groep Nikhef Amsterdam PDP & Grid AARC Authentication and Authorisation for Research and Collaboration an impression of the road ahead.
Www.egi.eu EGI-InSPIRE RI-261323 EGI-InSPIRE www.egi.eu EGI-InSPIRE RI-261323 Enabling SSO capabilities in the EGI Cloud services Peter Solagna – EGI.eu.

EGI-InSPIRE RI EGI-InSPIRE EGI-InSPIRE RI Enabling SSO capabilities in the EGI Cloud services Peter Solagna – EGI.eu.
EGI-Engage EGI-Engage WP3 e-Infrastructure Commons Diego Scardaci EGI.eu/INFN 6/18/2016 EGI-Engage – First.

EGI-Engage EGI-Engage WP3 e-Infrastructure Commons Diego Scardaci EGI.eu/INFN 6/18/2016 EGI-Engage – First.
Https://aarc-project.eu Authentication and Authorisation for Research and Collaboration Peter Solagna, Davide Vaghetti, et al. Topics for PY2 activities.

Authentication and Authorisation for Research and Collaboration Peter Solagna, Davide Vaghetti, et al. Topics for PY2 activities.

Similar presentations

Ads by Google