Presentation is loading. Please wait.

Presentation is loading. Please wait.

(Re)using existing AAI experiences and future --- AAI Soapbox --- Jens Jensen, STFC-RAL Terena VAMP, 0-1 Oct 2013.

Published byKadin Brant Modified over 9 years ago

Similar presentations

Presentation on theme: "(Re)using existing AAI experiences and future --- AAI Soapbox --- Jens Jensen, STFC-RAL Terena VAMP, 0-1 Oct 2013."— Presentation transcript:

1 (Re)using existing AAI experiences and future --- AAI Soapbox --- Jens Jensen, STFC-RAL Terena VAMP, 0-1 Oct 2013

2 Background Question ePTID

3 Why – Basic Advantages Meet needs of existing user communities Avoiding managing ids and pwds Build on existing work, e/cyber-infra Users get single login (sort of)

4 Security as a 1 st class WP in projects Prev: Build first, secure later – afterthought –Still often is… AAI designed in from the start –But that requires a usable AAI ready to integrate –Supported in useful languages (or SOA) –Still hard problems to solve –Inconsistent between

5 Single Sign-On Single “account” Single password with x-ple resources Single login (subject to timeout) –Typ., 1hr for Shib –Expiry of TGT for K5 –Expiry of GSI proxy (typ. 12 hrs)

6 Single Sign-On Pros: –Improves the user experience –Reduces the password sharing –Single point to re(set) password –Password can be validated Cons: –Phishing problem –Serious if cred stolen –Needs X-site trust –LoA not always well defined –The attribute problem…

7 The attribute problem(s) Attributes not always suitable for service IdP rarely knows AuZ attributes Consistency of naming values (schemata) Users have no control –Cf. mobile phone apps

8 The “Account” Holds user identity –Identity-related attributes (AuC) Holds (sometimes) AuZ attrs/request Accounting information, billing Linked to credential – proof of pos. Single identifier / single persistent identifier

9 Not just true for e-/cyber-I Checking into a hotel –Payment (pre or post) –Customer leaves without… Paying Their jewellery –Process – detailed, brokered

10 Aye, there’s the rub Is the user authorised to access the service? –Has the user paid/can we make the user pay? (“payment” doesn’t have to be money) Can we trace the user if something goes wrong (or very wrong)

11 The Rub How much information do we (RPs) need about the user? How do we ensure it is timely and accurate?

12 Two Approaches Federations Policy defined, processes MinLoA RPs and IdPs Reputations More unilateral, doesn’t scale More ad-hoc

13 How to build a better user? Someone better says something nice –VO, or other trusted –Peers: social Reputation Policies accepted Higher LoA

14 How to build a better user? Combining known statements IdP AA

15 How to build a better user? Combining known statements IdP AA Federation PoliciesP2P trust

16 Why build a better user? “Cloudier” –Less work needed before accessing privileged resource –(Train and grant) vs (grant and enforce) Enable multi-LoA access to resources

17 Policies need more work Users accept RP AUP… how much is that worth? Fed policies: home org says user accepts –Still the education issue Combining policies: site, federation, VO

18 Actual Project Experiences Yes, ePTID is a pain in the bum –But it’s what it is for a reason –Workaround requires tighter integration EUDAT Community Two portals, one presented inside the other Single login actually works! Demonstrated with CLARIN

19 IdP Bridg e Google Yahoo Umbrella WAYF IdP Auz Svr DB Account creation LoA set Attribute update (eg email) Single SP for all IdPs Uniform identity presented to the fed core (OAuth AS)

20 Recommendations Give users more control over attrs Introduce multi-LoA Like data protecion – RPs need adequate (just-about-good-enough LoA) and relevant data Publish data requirements (eg SLAs) –Negotiate (cf WS-AgreementNegotiation)

21 User Control of Personal Attrs Which ones are released from the IdP How they are being used (and where) Data protection guarantees –Not just promises How they are used once released Withdraw the rights-of-use Note the when-is-consent-not-consent from data protection directive

22 Compare Contrail use of OAuth Delegate rights to obtain credential –With AuZ attrs Users access AS to check their delegations

23 Dramatis Personae NRENs, GEANT, eduGain – infrastructure, superfederating, policy e/cyber Projects – build User projects (ESFRI et al) – policy, integration

24 Technology View Shibboleth –Designed to err on the side of caution –Lacks flexibility in practical deployments Moonshot –Superfederation –Carrying attrs from IdP (org), or from AA designated by IdP org.

25 Conclusion Users are not authoritative for their attrs –Except for self assertions (cardspace, non-org email) Users should be able to release and control –Many users, of course, “just want it to work” Multi-fed policies, multi-LoA –Combine in sensible ways: fed, community, site, user Need for AAAaaS (Piyush Harsh) Need Community effort

26 Acks This work partially funded by the Contrail and EUDAT FP7 projects Special thanks to: Shiraz Memon, FZJ, Germany Aleš Černivec, XLAB, Slovenia Willem Elbers, MPI, Netherlands

Download ppt "(Re)using existing AAI experiences and future --- AAI Soapbox --- Jens Jensen, STFC-RAL Terena VAMP, 0-1 Oct 2013."

Similar presentations

Shibboleth and UKAMF-FEAR not as scary as it sounds! Rhys Smith Cardiff University.

Shibboleth and UKAMF-FEAR not as scary as it sounds! Rhys Smith Cardiff University.
Lousy Introduction into SWITCHaai

Lousy Introduction into SWITCHaai
Scaling TeraGrid Access A Testbed for Attribute-based Authorization and Leveraging Campus Identity Management

Scaling TeraGrid Access A Testbed for Attribute-based Authorization and Leveraging Campus Identity Management
Eduserv Athens Federations David Orrell Eduserv Athens Technical Architect.

Eduserv Athens Federations David Orrell Eduserv Athens Technical Architect.
Agenda AD to Windows Azure AD Sync Options Federation Architecture

Agenda AD to Windows Azure AD Sync Options Federation Architecture
EMI Development Plans for Identity Management Henri Mikkonen / HIP Moonshot, Grid and HPC Workshop 7.7.2011 London, UK.

EMI Development Plans for Identity Management Henri Mikkonen / HIP Moonshot, Grid and HPC Workshop London, UK.
Federated Identity Management for Researchers – A quick overview from GÉANT BoF TNC 2014 20 May 2014 Dublin.

Federated Identity Management for Researchers – A quick overview from GÉANT BoF TNC May 2014 Dublin.
Implementing Federated Security with ConSec Jens Jensen, STFC OGF40, Oxford, 16 Jan 2014.

Implementing Federated Security with ConSec Jens Jensen, STFC OGF40, Oxford, 16 Jan 2014.
Contrail and Federated Identity Management

Contrail and Federated Identity Management
EUDAT FIM4R at TNC 2014 Jens Jensen, STFC, on behalf of EUDAT AAI task force.

EUDAT FIM4R at TNC 2014 Jens Jensen, STFC, on behalf of EUDAT AAI task force.
Towards Cloud Federations: what we have; what we want OGF 31, Taipei Cloud security session Jens Jensen Science and Technology Facilities Council Rutherford.

Towards Cloud Federations: what we have; what we want OGF 31, Taipei Cloud security session Jens Jensen Science and Technology Facilities Council Rutherford.
Federated A(A(A))I Jens Jensen hepsysman, RAL, 20110701.

Federated A(A(A))I Jens Jensen hepsysman, RAL,
SWITCHaai Team Federated Identity Management.

SWITCHaai Team Federated Identity Management.
EduGAIN Code of Conduct Workshop, 2012-02-09, Brussels GEANT eduGAIN Data Protection Code of Conduct Workshop Dieter Van Uytvanck

EduGAIN Code of Conduct Workshop, , Brussels GEANT eduGAIN Data Protection "Code of Conduct" Workshop Dieter Van Uytvanck
Here Come the Feds Federated identity management: the consumer’s perspective Jens Jensen, STFC On behalf of EUDAT AAI TF EGI CF Manchester April 2013.

Here Come the Feds Federated identity management: the consumer’s perspective Jens Jensen, STFC On behalf of EUDAT AAI TF EGI CF Manchester April 2013.
External Identity and Authorization in GENI. Topics Federated identity and virtual organizations ABAC Creating and transporting attributes.

External Identity and Authorization in GENI. Topics Federated identity and virtual organizations ABAC Creating and transporting attributes.
Www.geant.org AARC Overview Licia Florio, David Groep 21 Jan 2015 presented by David Groep, Nikhef.

AARC Overview Licia Florio, David Groep 21 Jan 2015 presented by David Groep, Nikhef.
Authentication and Authorisation for Research and Collaboration Licia Florio (GÉANT) Christos Kanellopoulos (GRNET) Service orientation.

Authentication and Authorisation for Research and Collaboration Licia Florio (GÉANT) Christos Kanellopoulos (GRNET) Service orientation.
ShibGrid: Shibboleth access to the UK National Grid Service University of Oxford and STFC.

ShibGrid: Shibboleth access to the UK National Grid Service University of Oxford and STFC.
ASPiS Security Jens Jensen Science and Technology Facilities Council AHM, 8-11 Sep 2008 Edinburgh.

ASPiS Security Jens Jensen Science and Technology Facilities Council AHM, 8-11 Sep 2008 Edinburgh.

Similar presentations

Ads by Google