Presentation is loading. Please wait.

Presentation is loading. Please wait.

OIDC Federation for Infrastructures

Published byKimmo Heino Modified over 5 years ago

Similar presentations

Presentation on theme: "OIDC Federation for Infrastructures"— Presentation transcript:

1 OIDC Federation for Infrastructures
leveraging the IGTF global infrastructure trust framework with OIDC technology David Groep co-supported by the Dutch National e-Infrastructure coordinated by SURF, by EOSC-HUB, and by AARC

2 Trust for global e-Science infrastructures
“establish common policies and guidelines that enable interoperable, global trust relations between providers of e-Infrastructures and cyber-infrastructures, identity providers, and relying parties” EGI OSG PRACE HPCI GEANT WLCG PRAGMA RedCLARA XSEDE . . . 24 December 2018 Interoperable Global Trust Federation

3 Assurance and trust frameworks
Identity Assurance Profiles for R/E-Infra risk scenarios ( “BIRCH” - good quality (federated) identity, “DOGWOOD” - identifier-only, but with traceability (R&S+Sirtfi+a few bits) RFC 6711 Registry: technology-specific ‘trust anchor’ distribution services Policy framework for Relying Parties (‘SP-IdPs-Proxies’) Snctfi - Community Trust Framework in Federated Infras How can we help support RI and e-Infrastructure use cases? technology bridges: TCS, RCauth.eu, IGTF-eduGAIN bridge, … behind the Infrastructure Proxies for research & collaboration, OIDC gains prominence 24 December 2018 Interoperable Global Trust Federation

4 Snctfi: aiding Infrastructures achieve policy coherency
allow SPIdP Proxies to assert ‘qualities’, categories, based on assessable trust Develop recommendations for an Infrastructure’s coherent policy set Snctfi Scalable Negotiator for a Community Trust Framework in Federated Infrastructures Derived from SCI, the framework on Security for Collaboration among Infrastructures Complements Sirtfi with requirements on internal consistent policy sets for Infrastructures Aids Infrastructures to assert existing categories to IdPs REFEDS R&S, Sirtfi, DPCoCo, … Graphics inset: Ann Harding and Lukas Hammerle, GEANT and SWITCH

5 OIDC Fed use cases for research and e-Infrastructures
EOSC-HUB registration of clients goal for EGI and EUDAT is a scalable and trusted form of OIDC usage. Today < O(50) clients; next year maybe O( )? cloud-based services (containers, microservices) could push that to millions CILogon (and XSEDE) use cases see need for a set of policies and practices that support a 'trust anchor distribution'-like service targeting OIDC OPs and RPs and where RPs that are ‘in the community’ can be identified as such ELIXIR (and the Life Sciences) AAI expect growth in # OIDC RPs as AAI extends beyond just ELIXIR and into other biomedical RIs – potentially dynamically created All of these need a policy framework, on both the (infrastructure) OPs and on the RPs This is the community that traditionally also relied on the IGTF trust anchor distribution 24 December 2018 Interoperable Global Trust Federation

6 IGTF OIDC Federation Task Force
The IGTF task force for OIDC Federation will identify specific objectives – I2 TechEx scope needs and requirements for R/E infrastructure OIDC Fed – Prague EUGridPMA 42 verify compatibility of IGTF Assurance Profile framework for ‘technology-agnosticity’ with OpenID Providers (proxies) and RPs test an OIDCFed scenario e.g. starting with use cases: WLCG, RCauth.eu, ELIXIR/LS, EGI CheckIn, … assess structure and needed meta-data in a ‘trust anchor service’, how to address RPDNC links it with (dynamic) client registration liaise with OIDC Fed efforts in AARC and GN*-*, and Roland Hedberg

7 OIDC Fed pilots Based on the spec by Roland Hedberg
scoped to the RP + Proxy case is not very complex, actually Infrastructures can use trusty shortcuts that would be too costly at the general R&E scale leverage existing policy and trust framework ‘pilot’ RPs and proxies will be using scripting and glue to get integration with existing services, based on assessed trust framework we can leverage existing trust

8 Can we do without a single one to rule them all?
today the RIs and EIs trust the IGTF trust anchors and may (but do rarely) add their own Can the ‘federation’ be the community and import a commonly trusted set? Can the IGTF allow devolved registration provided that the trusted organisations implement the same policy controls Snctfi and the proper Assurance Profiles? 24 December 2018 Interoperable Global Trust Federation

9 For the benefit of Research Infras …
IGTF membership process and Snctfi jointly give you the trust of Infra SPs (RPs) use peer-reviewed (self-)assessment as foundation of the ‘scientific process’ of trust technical details on how the IGTF FedOp will sign and distribute meta-data statements – subject to discussion at TIIME, AARC, and IGTF meetings new communities and (proxy) operators can join IGTF any time there is no fee or something like that but we request participation in the peer-review and assessment process … 24 December 2018 Interoperable Global Trust Federation

10 Information sharing Keeping in touch
( but don’t forget everyone else! (REFEDS) TIIME, TNC, TechEx, …

11 Building a global trust fabric
Questions? Building a global trust fabric Interoperable Global Trust Federation

Download ppt "OIDC Federation for Infrastructures"

Similar presentations

David Groep Nikhef Amsterdam PDP & Grid Evolving Assurance – IGTF LoA generalisation David Groep Interoperable Global Trust Federation IGTF Documents at.

David Groep Nikhef Amsterdam PDP & Grid Evolving Assurance – IGTF LoA generalisation David Groep Interoperable Global Trust Federation IGTF Documents at.
Security Incident Response Trust Framework for Federated Identity (Sir-T-Fi) David Kelsey (STFC-RAL) REFEDS, Indianapolis 26 Oct 2014 and now abbreviated.

Security Incident Response Trust Framework for Federated Identity (Sir-T-Fi) David Kelsey (STFC-RAL) REFEDS, Indianapolis 26 Oct 2014 and now abbreviated.
Trust and Security for FIM (Sirtfi/SCI) David Kelsey (STFC-RAL) FIM4R at CERN 4 Feb 2015.

Trust and Security for FIM (Sirtfi/SCI) David Kelsey (STFC-RAL) FIM4R at CERN 4 Feb 2015.
Www.geant.org AARC Overview Licia Florio, David Groep 21 Jan 2015 presented by David Groep, Nikhef.

AARC Overview Licia Florio, David Groep 21 Jan 2015 presented by David Groep, Nikhef.
David Groep Nikhef Amsterdam PDP & Grid Evolving Assurance – going where? Collaborative, distributed, and generalized assurance beyond just identity authentication.

David Groep Nikhef Amsterdam PDP & Grid Evolving Assurance – going where? Collaborative, distributed, and generalized assurance beyond just identity authentication.
EResearchers Requirements the IGTF model of interoperable global trust and with a view towards FIM4R AAI Workshop Presenter: David Groep, Nikhef.

EResearchers Requirements the IGTF model of interoperable global trust and with a view towards FIM4R AAI Workshop Presenter: David Groep, Nikhef.
A Trust Framework for Security Collaboration among Infrastructures David Kelsey (STFC-RAL, UK) 1 st WISE, Barcelona 20 Oct 2015.

A Trust Framework for Security Collaboration among Infrastructures David Kelsey (STFC-RAL, UK) 1 st WISE, Barcelona 20 Oct 2015.
Www.egi.eu EGI-InSPIRE RI-261323 EGI-InSPIRE www.egi.eu EGI-InSPIRE RI-261323 Evolution of AAI for e- infrastructures Peter Solagna Senior Operations Manager.

EGI-InSPIRE RI EGI-InSPIRE EGI-InSPIRE RI Evolution of AAI for e- infrastructures Peter Solagna Senior Operations Manager.
Networks ∙ Services ∙ People Thomas Bärecke Journée Fédération, Paris Collaboration européenne GÉANT SA5 03/07/2015 SA5 T5 team

Networks ∙ Services ∙ People Thomas Bärecke Journée Fédération, Paris Collaboration européenne GÉANT SA5 03/07/2015 SA5 T5 team
David Groep Nikhef Amsterdam PDP & Grid AARC Authentication and Authorisation for Research and Collaboration an impression of the road ahead.

David Groep Nikhef Amsterdam PDP & Grid AARC Authentication and Authorisation for Research and Collaboration an impression of the road ahead.
Https://aarc-project.eu Authentication and Authorisation for Research and Collaboration David Kelsey AARC AHM Utrecht NA3 Task 4 – Scalable Policy Negotiation.

Authentication and Authorisation for Research and Collaboration David Kelsey AARC AHM Utrecht NA3 Task 4 – Scalable Policy Negotiation.
IGTF in 10 years enabling the interoperable global trust federation Nikhef, Amsterdam supported the Dutch national e-Infrastructure funded and coordinated.

IGTF in 10 years enabling the interoperable global trust federation Nikhef, Amsterdam supported the Dutch national e-Infrastructure funded and coordinated.
SCI & Sirtfi David Kelsey (STFC-RAL) EGI Conference, Lisbon 19 May 2015.

SCI & Sirtfi David Kelsey (STFC-RAL) EGI Conference, Lisbon 19 May 2015.
Security Incident Response Trust Framework for Federated Identity (Sir-T-Fi) David Kelsey (STFC-RAL) REFEDS, Indianapolis 26 Oct 2014.

Security Incident Response Trust Framework for Federated Identity (Sir-T-Fi) David Kelsey (STFC-RAL) REFEDS, Indianapolis 26 Oct 2014.
Building Trust for Research and Collaboration

Building Trust for Research and Collaboration
Introduction to AAI Services

Introduction to AAI Services
David Kelsey STFC-RAL 4th WISE workshop, Nikhef 27 March 2017

David Kelsey STFC-RAL 4th WISE workshop, Nikhef 27 March 2017
Boosting AAI for research and collaboration

Boosting AAI for research and collaboration
RCauth.eu CILogon-like service in EGI and the EOSC

RCauth.eu CILogon-like service in EGI and the EOSC
The Policy Puzzle Many groups and (proposed) policies, but leaving many open issues AARC “NA3” is tackling a sub-set of these “Levels of Assurance” –

The Policy Puzzle Many groups and (proposed) policies, but leaving many open issues AARC “NA3” is tackling a sub-set of these “Levels of Assurance” –

Similar presentations

Ads by Google