Presentation is loading. Please wait.

Presentation is loading. Please wait.

Authentication and Authorization in a federated environment Jules Wolfrat (SARA)

Published byScot Chandler Modified over 8 years ago

Similar presentations

Presentation on theme: "Authentication and Authorization in a federated environment Jules Wolfrat (SARA)"— Presentation transcript:

1 Authentication and Authorization in a federated environment Jules Wolfrat (SARA)

2 2 Overview Introduction Federation initiatives Trust building PRACE federation 2

3 Introduction Authentication and Authorisation are different activities but highly related, so can be confusing Identity mgmt is basis for authentication Access mgmt is separate but depends on the identity mgmt Different technologies: LDAP, Kerberos, GSI (X.509), SAML, etc. 3

4 Identity Provider (IdP) Provides electronic information about an entity (user) –Can be anything: employer, state (electronic id card), science community, infrastructure Information is released based on authentication by user and/or service Authentication based on: login/password, e-tokens (SecureId, X.509, Kerberos, SAML assertion) Difference between IdPs and AAs (Attribute Authorities) but basically both release information about an entity –AA used for authorisation 4

5 Federated IdPs 5 Identity Provider (IdP) IdP Discovery Service Service User (1) WAYF (2) Token (3) (4) Service examples: eduroam, TCS, ….

6 Federation of IdPs Enables sharing of attributes (e-mail address, telephone number, organisation, etc.) Single Sign-On (SSO), based on single IdP, e.g. your organisation For sharing of data in different domains Merging of information may be needed –For authorisation, e.g. for access to PRACE system authentication by your organisation won’t be enough –Example: VOMS service will add additional information to your proxy certificate –Problem of different formats 6

7 FIM for research collaborations (FIM4R) Issue of IdM raised by IT leaders from EIROforum labs (Jan 2011) –CERN, EFDA-JET, EMBL, ESA, ESO, ESRF, European XFEL and ILL These laboratories, as well as national and regional research organizations, are facing similar challenges – Scientific data deluge means massive quantities of data –needs to be accessed by expanding user bases in dynamic collaborations across organisational and national boundaries “Facebook” generation demands all the tools (work & social) integrate smoothly Also encouraged by EEF and eIRG Global problem, not just EU This and following based on slides courtesy of David Kelsey (STFC-RAL, UK) 7

8 FIM4R (2) A collaborative effort started in June 2011 Not just EIROForum. includes many ESFRI projects and providers and infrastructures (including PRACE) Involves photon & neutron facilities, social science & humanities, high energy physics, climate science, life sciences and fusion energy Workshops included participation by HTC and HPC infrastructures, TERENA, IGTF, Geant/eduGAIN, middleware developers … 8

9 FIM4R (3) Four workshops held with representatives of research communities and infrastructures 4 th : https://indico.cern.ch/conferenceDisplay.py?confId=191892https://indico.cern.ch/conferenceDisplay.py?confId=191892 Paper produced with requirements and recommendations: Federated Identity Management for Research Collaborations https://cdsweb.cern.ch/record/1442597 9

10 FIM4R vision statement A common policy and trust framework for Identity Management based on existing structures and federations either presently in use by or available to the communities. This framework must provide researchers with unique electronic identities authenticated in multiple administrative domains and across national boundaries that can be used together with community defined attributes to authorize access to digital resources 10

11 Federation requirements User friendliness –Many users use infrequently Browser and non-browser federated access Bridging between communities Multiple technologies and translators –Translation will often need to be dynamic Open standards and sustainable licenses –For interoperability and sustainability Different Levels of Assurance –When credentials are translated, LoA provenance to be preserved –Authorisation under community and/or facility control –Externally managed IdPs cannot fulfil this role 11

12 Federation requirements (2) Well defined semantically harmonised attributes –For interoperable authorisation –Likely to be very difficult to achieve! Flexible and scalable IdP attribute release policy –Different communities and different SPs need different attributes –Negotiate with IdF not all IdPs – for scaling Attributes must be able to cross national borders –Data protection/privacy considerations Attribute aggregation for authorisation Privacy and data protection to be addressed with communitywide individual identities –We need to identify individuals E.g. ethical committees can require names, addresses, supervisors to grant access 12

13 Study on AAA Platforms For Scientific data/information Resources in Europe Project by consortium of four partners, led by TERENA, funded by EU. Report published: https://confluence.terena.org/download/attachments/304 74266/AAA-Study-Report- 0907.pdf?version=1&modificationDate=1341850616400https://confluence.terena.org/download/attachments/304 74266/AAA-Study-Report- 0907.pdf?version=1&modificationDate=1341850616400 The goal of this study, prepared for the European Commission, is to evaluate the feasibility of delivering an integrated AAI, to help the emergence of a robust platform for access and preservation of scientific information within a Scientific Data Infrastructure (SDI). 13

14 Trust building Trust needed between IdPs/federations and service providers –LoA for provided data IGTF for policy management authorities for trusted Certificate Authorities –Privacy requirements must be respected by SPs –TERENA/GEANT produced a Code of Conduct document. https://refeds.terena.org/images/4/45/GN3-12- 215_GEANT_Data_Protection_Code_of_Conduct_21Jun2012.pdf https://refeds.terena.org/images/4/45/GN3-12- 215_GEANT_Data_Protection_Code_of_Conduct_21Jun2012.pdf Signed by an SP it should enable the release of attributes by IdPs No need of individual contracts. 14

15  European HPC-facilities at the top of an HPC provisioning pyramid –Tier-0: 3-6 European Centres for Petaflop –Tier-0: ? European Centres for Exaflop –Tier-1: National Centres –Tier-2: Regional/University Centres  Creation of a European HPC ecosystem –Scientific and industrial user communities –HPC service providers on all tiers –Grid Infrastructures –The European HPC hard- and software industry 15 The ESFRI Vision for a European HPC service Tier-0 Tier-1 Tier-2 PRACE DEISA/PRACE capability # of systems

16 Tier-0/Tier-1 infrastructure 16 Tier-0 Tier-1 infrastructure 22 sites by the end of 2012 Tier-0: All > Pflops. 4 are in the top 10 of the June Top500 list

17 PRACE federation User attributes are shared using LDAP facilities Based on trust between partners –Operational procedures are documented in AAA administration guide –All partners have access to the data Advantage is easy to add or adapt attributes (e.g. new values). SSO based on X.509 certificates, using IGTF as trust basis 17

18 There is still some work to be done 18

19 References Fourth workshop on Federated Identity Management for Scientific Collaborations (FIM4R) https://indico.cern.ch/conferenceDisplay.py?confId=191892 –Vision document: https://cdsweb.cern.ch/record/1442597 https://cdsweb.cern.ch/record/1442597 TERENA workshop on AAA study https://confluence.terena.org/display/aaastudy/AAA+Study+Workshop report: https://confluence.terena.org/download/attachments/30474266/AAA- Study-Report-0907.pdf?version=1&modificationDate=1341850616400 https://confluence.terena.org/download/attachments/30474266/AAA- Study-Report-0907.pdf?version=1&modificationDate=1341850616400 19

Download ppt "Authentication and Authorization in a federated environment Jules Wolfrat (SARA)"

Similar presentations

Identity Network Ideals – Heterogeneity & Co-existence

Identity Network Ideals – Heterogeneity & Co-existence
EGI-InSPIRE RI-261323 EGI-InSPIRE EGI-InSPIRE RI-261323 AAI in EGI Status and Evolution Peter Solagna Senior Operations Manager

EGI-InSPIRE RI EGI-InSPIRE EGI-InSPIRE RI AAI in EGI Status and Evolution Peter Solagna Senior Operations Manager
Federated Identity Management for Researchers – A quick overview from GÉANT BoF TNC 2014 20 May 2014 Dublin.

Federated Identity Management for Researchers – A quick overview from GÉANT BoF TNC May 2014 Dublin.
Federated Identity Management for Research Communities (FIM4R) David Kelsey (STFC-RAL) EGI TF, AAI workshop 19 Sep 2012.

Federated Identity Management for Research Communities (FIM4R) David Kelsey (STFC-RAL) EGI TF, AAI workshop 19 Sep 2012.
The ICAR Federated Identity Model Massimiliano Pianciamore, CEFRIEL Francesco Meschia, CSI-Piemonte

The ICAR Federated Identity Model Massimiliano Pianciamore, CEFRIEL Francesco Meschia, CSI-Piemonte
FIM-ig Federated Identity Management Interest Group.

FIM-ig Federated Identity Management Interest Group.
Federated A(A(A))I Jens Jensen hepsysman, RAL, 20110701.

Federated A(A(A))I Jens Jensen hepsysman, RAL,
Security Incident Response Trust Framework for Federated Identity (Sir-T-Fi) David Kelsey (STFC-RAL) REFEDS, Indianapolis 26 Oct 2014 and now abbreviated.

Security Incident Response Trust Framework for Federated Identity (Sir-T-Fi) David Kelsey (STFC-RAL) REFEDS, Indianapolis 26 Oct 2014 and now abbreviated.
Www.egi.eu EGI-Engage www.egi.eu EGI-Engage Engaging the EGI Community towards an Open Science Commons Project Overview 9/14/2015 EGI-Engage: a project.

EGI-Engage EGI-Engage Engaging the EGI Community towards an Open Science Commons Project Overview 9/14/2015 EGI-Engage: a project.
BoF: Federated Identity Management for Researchers David Kelsey (STFC-RAL) TNC2014, Dublin 20 May 2014.

BoF: Federated Identity Management for Researchers David Kelsey (STFC-RAL) TNC2014, Dublin 20 May 2014.
Www.geant.org AARC Overview Licia Florio, David Groep 21 Jan 2015 presented by David Groep, Nikhef.

AARC Overview Licia Florio, David Groep 21 Jan 2015 presented by David Groep, Nikhef.
Climate Sciences: Use Case and Vision Summary Philip Kershaw CEDA, RAL Space, STFC.

Climate Sciences: Use Case and Vision Summary Philip Kershaw CEDA, RAL Space, STFC.
Federated Identity and the International Research Community Dr Ken Klingenstein Director, Internet2 Middleware and Security.

Federated Identity and the International Research Community Dr Ken Klingenstein Director, Internet2 Middleware and Security.
Federated Identity Management for HEP David Kelsey WLCG GDB 9 May 2012.

Federated Identity Management for HEP David Kelsey WLCG GDB 9 May 2012.
EMI AAI Strategy & Plans John White / Helsinki Institute of Physics Federated Identity Systems for Scientific Collaborations Workshop 09.06.2011, CERN,

EMI AAI Strategy & Plans John White / Helsinki Institute of Physics Federated Identity Systems for Scientific Collaborations Workshop , CERN,
EMI INFSO-RI-261611 AAI in EEF Projects John White (Helsinki University) EMI Security Area Leader.

EMI INFSO-RI AAI in EEF Projects John White (Helsinki University) EMI Security Area Leader.
Authentication and Authorisation for Research and Collaboration Licia Florio (GÉANT) Christos Kanellopoulos (GRNET) Service orientation.

Authentication and Authorisation for Research and Collaboration Licia Florio (GÉANT) Christos Kanellopoulos (GRNET) Service orientation.
European Life Sciences Infrastructure for Biological Information www.elixir-europe.org Life science community update for the 7 th Federated Identity Management.

European Life Sciences Infrastructure for Biological Information Life science community update for the 7 th Federated Identity Management.
ShibGrid: Shibboleth access to the UK National Grid Service University of Oxford and STFC.

ShibGrid: Shibboleth access to the UK National Grid Service University of Oxford and STFC.
AAI WG EMI Christoph Witzig on behalf of EMI AAI WG.

AAI WG EMI Christoph Witzig on behalf of EMI AAI WG.

Similar presentations

Ads by Google