Presentation is loading. Please wait.

Presentation is loading. Please wait.

Federated Identity Management for HEP David Kelsey HEPiX, IHEP Beijing 18 Oct 2012.

Published byGabriella Edwards Modified over 8 years ago

Similar presentations

Presentation on theme: "Federated Identity Management for HEP David Kelsey HEPiX, IHEP Beijing 18 Oct 2012."— Presentation transcript:

1 Federated Identity Management for HEP David Kelsey HEPiX, IHEP Beijing 18 Oct 2012

2 Overview Update on Federated Identity Management (FIM) since Prague HEPiX Federated Identity Management for Research (FIM4R) WLCG FIM pilot project 18 Oct 12HEPiX FIM, Kelsey2

3 Introduction to FIM Remove identity management from the service –Identity managed in one place, typically by employer –Benefits (and drawbacks!) of single sign-on Identity Provider (IdP) manages/provides attributes about Users –For AuthN and to some extent AuthZ Service Provider (SP) consumes attributes for access control and offers services to users Federation: a common trust and policy framework between multiple organisations, IdPs and SPs Federations also manage and distribute information (metadata) about the various providers 18 Oct 12HEPiX FIM, Kelsey3

4 18 Oct 12HEPiX FIM, Kelsey4 SP User IdP Many different permutations depending on the technology

5 18 Oct 12HEPiX FIM, Kelsey5 SP User IdP Then add a community operated attribute authority (for AuthZ), e.g. VOMS AA

6 Some example federations Grid X.509 certificates in WLCG and elsewhere –International Grid Trust Federation eduroam European higher education (Shib, SAML etc) –UK Access Management Federation, SWITCHaai, SURFfederatie –And many others USA education and research: InCommon TERENA Cert Service connects national identity federation to a CA for personal certs (and similar CIlogon in USA) eduGAIN is linking national federations Social networking (OpenID, Oauth) 18 Oct 12HEPiX FIM, Kelsey6

7 Federated IdM for “Research” (FIM4R) A collaborative effort started in June 2011 Involves photon & neutron facilities, social science & humanities, high energy physics, climate science and life sciences 4 workshops to date (next one in March 2013) https://indico.cern.ch/conferenceDisplay.py?confId=177418 Documented common requirements, a common vision and recommendations Accepted by the REFEDS community as an important use case for international federation CERN-OPEN-2012-006: https://cdsweb.cern.ch/record/1442597https://cdsweb.cern.ch/record/1442597 18 Oct 12HEPiX FIM, Kelsey7

8 Last 6 months FIM4R presented at REFEDS meeting, TERENA VAMP meeting, TNC2012, CHEP2012 and WLCG GDB/MB HEP (ie WLCG MB) has endorsed the paper FIM4R has prioritised the requirements We await a response from REFEDS Pilot projects by each community are the best way forward –In collaboration with eduGAIN, academic federations,... 18 Oct 12HEPiX FIM, Kelsey8

9 Common Requirements (High priority, Medium) End-User friendliness Browser and non-browser federated access Bridging between communities Multiple technologies and translators Open standards and sustainable licenses Different Levels of Assurance Authorisation under community and/or facility control Well defined semantically harmonised attributes Flexible and scalable IdP attribute release policy Attributes must be able to cross national borders Attribute aggregation for authorisation Privacy and data protection to be addressed with community-wide individual identities 18 Oct 12HEPiX FIM, Kelsey9

10 Federated IdM in HEP X.509 certificates for Grid services –Using TERENA Cert Service in many places But many other services (not just Grid!) –E.g. collaboration tools, wikis, mail lists, webs, agenda pages, etc. Today CERN has to manage 10s of thousands of user accounts, many are “external” eduroam (for wireless) What about other services/federations? –Using Shibboleth, SAML, OpenID, etc Technology appropriate to required level of assurance 18 Oct 12HEPiX FIM, Kelsey10

11 WLCG FIM pilot Romain Wartel (CERN) is leading this Mail list created with current volunteers First meeting happened on 5 th Oct 2012 See next slides from Romain 18 Oct 12HEPiX FIM, Kelsey11

12 18 Oct 12HEPiX FIM, Kelsey12

13 18 Oct 12HEPiX FIM, Kelsey13

14 18 Oct 12HEPiX FIM, Kelsey14

15 18 Oct 12HEPiX FIM, Kelsey15

16 18 Oct 12HEPiX FIM, Kelsey16

17 18 Oct 12HEPiX FIM, Kelsey17

18 Results of the1 st meeting Many issues to look at: requirements, technical feasibility, trust, policy, levels of assurance, etc. Focus of the pilot –The pilot is not just browser-based (need a CLI) –We should incorporate the university-based authentication systems (including SAML) –The end-user never sees the certificate 18 Oct 12HEPiX FIM, Kelsey18

19 1 st meeting (2) Goal of the pilot –a CLI login tool typically a "voms-proxy-init" or "grid-proxy-init" replacement –able to authenticate users based on their home credentials –create X509 credentials and proxy –optionally add voms extension CILogon, EMI Security Token Service (STS), arcproxy –All claim to meet the requirements –To be investigated further 18 Oct 12HEPiX FIM, Kelsey19

20 1 st meeting (3) focus on defining the requirements and options for a proof-of-concept Later two separate subtasks might be defined –A trust, level of assurance, policy subtask –Software and technical issue subtask 18 Oct 12HEPiX FIM, Kelsey20

21 More info – HEP pilot https://twiki.cern.ch/twiki/bin/view/LCG/WLCGFedIdPilot https://indico.cern.ch/getFile.py/access?contribId=7&resId=0&m aterialId=slides&confId=190743https://indico.cern.ch/getFile.py/access?contribId=7&resId=0&m aterialId=slides&confId=190743 https://indico.cern.ch/getFile.py/access?contribId=18&resId=0& materialId=slides&confId=155069https://indico.cern.ch/getFile.py/access?contribId=18&resId=0& materialId=slides&confId=155069 18 Oct 12HEPiX FIM, Kelsey21

22 Next steps FIM4R –Work with REFEDS and GEANT to make progress on pilot projects and solving the requirements WLCG FIM Pilot –Start the agreed plan of work Volunteers still welcome to join –Contact Romain Wartel at CERN 18 Oct 12HEPiX FIM, Kelsey22

23 Questions? 18 Oct 12HEPiX FIM, Kelsey23

Download ppt "Federated Identity Management for HEP David Kelsey HEPiX, IHEP Beijing 18 Oct 2012."

Similar presentations

Lousy Introduction into SWITCHaai

Lousy Introduction into SWITCHaai
Federated Identity Management for Researchers – A quick overview from GÉANT BoF TNC 2014 20 May 2014 Dublin.

Federated Identity Management for Researchers – A quick overview from GÉANT BoF TNC May 2014 Dublin.
EUDAT FIM4R at TNC 2014 Jens Jensen, STFC, on behalf of EUDAT AAI task force.

EUDAT FIM4R at TNC 2014 Jens Jensen, STFC, on behalf of EUDAT AAI task force.
Federated Identity Management for Research Communities (FIM4R) David Kelsey (STFC-RAL) EGI TF, AAI workshop 19 Sep 2012.

Federated Identity Management for Research Communities (FIM4R) David Kelsey (STFC-RAL) EGI TF, AAI workshop 19 Sep 2012.
2006 © SWITCH Authentication and Authorization Infrastructures in e-Science (and the role of NRENs) Christoph Witzig SWITCH e-IRG, Helsinki, Oct 4, 2006.

2006 © SWITCH Authentication and Authorization Infrastructures in e-Science (and the role of NRENs) Christoph Witzig SWITCH e-IRG, Helsinki, Oct 4, 2006.
1 Issues in federated identity management Sandy Shaw EDINA IASSIST 24-27 May 2005, Edinburgh.

1 Issues in federated identity management Sandy Shaw EDINA IASSIST May 2005, Edinburgh.
WebFTS as a first WLCG/HEP FIM pilot

WebFTS as a first WLCG/HEP FIM pilot
WLCG Security TEG, risks and Identity Management David Kelsey GridPP28, Manchester 18 Apr 2012.

WLCG Security TEG, risks and Identity Management David Kelsey GridPP28, Manchester 18 Apr 2012.
FIM-ig Federated Identity Management Interest Group.

FIM-ig Federated Identity Management Interest Group.
SWITCHaai Team Federated Identity Management.

SWITCHaai Team Federated Identity Management.
Security Incident Response Trust Framework for Federated Identity (Sir-T-Fi) David Kelsey (STFC-RAL) REFEDS, Indianapolis 26 Oct 2014 and now abbreviated.

Security Incident Response Trust Framework for Federated Identity (Sir-T-Fi) David Kelsey (STFC-RAL) REFEDS, Indianapolis 26 Oct 2014 and now abbreviated.
Trust and Security for FIM (Sirtfi/SCI) David Kelsey (STFC-RAL) FIM4R at CERN 4 Feb 2015.

Trust and Security for FIM (Sirtfi/SCI) David Kelsey (STFC-RAL) FIM4R at CERN 4 Feb 2015.
BoF: Federated Identity Management for Researchers David Kelsey (STFC-RAL) TNC2014, Dublin 20 May 2014.

BoF: Federated Identity Management for Researchers David Kelsey (STFC-RAL) TNC2014, Dublin 20 May 2014.
Authentication and Authorization in a federated environment Jules Wolfrat (SARA)

Authentication and Authorization in a federated environment Jules Wolfrat (SARA)
Sirtfi David Kelsey (STFC-RAL) REFEDS at TNC15 14 June 2015.

Sirtfi David Kelsey (STFC-RAL) REFEDS at TNC15 14 June 2015.
Federated Identity Management for HEP David Kelsey WLCG GDB 9 May 2012.

Federated Identity Management for HEP David Kelsey WLCG GDB 9 May 2012.
Connect communicate collaborate GÉANT3plus Enabling Users Pilots Lukas Hämmerle Task Leader Enabling Users

Connect communicate collaborate GÉANT3plus Enabling Users Pilots Lukas Hämmerle Task Leader "Enabling Users"
Belnet Federation Belnet – Loriau Nicolas Brussels – 12 th of June 2014.

Belnet Federation Belnet – Loriau Nicolas Brussels – 12 th of June 2014.
EMI INFSO-RI-261611 AAI in EEF Projects John White (Helsinki University) EMI Security Area Leader.

EMI INFSO-RI AAI in EEF Projects John White (Helsinki University) EMI Security Area Leader.
Authentication and Authorisation for Research and Collaboration Licia Florio (GÉANT) Christos Kanellopoulos (GRNET) Service orientation.

Authentication and Authorisation for Research and Collaboration Licia Florio (GÉANT) Christos Kanellopoulos (GRNET) Service orientation.

Similar presentations

Ads by Google