Presentation is loading. Please wait.

Presentation is loading. Please wait.

AAI Developments AAI for e-infrastructures UK T0 workshop, Milton Hill Park 20-21 October 2015

Published byGertrude Bates Modified over 8 years ago

Similar presentations

Presentation on theme: "AAI Developments AAI for e-infrastructures UK T0 workshop, Milton Hill Park 20-21 October 2015"— Presentation transcript:

1 AAI Developments AAI for e-infrastructures UK T0 workshop, Milton Hill Park 20-21 October 2015 jens.jensen@stfc.ac.uk

2 AAAI definitions Authentication – the process of establishing that entities are what they claim to be; or, a service that provides assurances of entities being who they claim to be or message origin Identification – establishing the identity of an entity – (a) that the name is a real world name of the entity and (b) that the entity is seeking access is the named entity (from RFC3647)

3 AAAI definitions Authorisation – conveyance of privilege from one entity that holds such privilege, to another entity ; the act of determining if a particular right, such as access to some resource, can be granted to the presenter of a particular credential. Accounting - The act of collecting information on resource usage for the purpose of trend analysis, auditing, billing, or cost allocation (X.509/RFC3281, RFC3539)

4 (Some) Background Studies e-IRG ENISA and NIST CSRC papers Terena AAA study –“Advancing technologies and Federating communities” FIM4R study(ies) PDG cloud comp. for R&I AARC –Similar architectures for AAI in projects

5 Common Requirements Build on existing work –Federations, IGTF, infrastructures Federated identity management –=> Multi-LoA –Identities with policies are stronger –Establish trust in infrastructure –Trust is the Warm and Fuzzy Feeling

6 Securing e-Infrastructures HOWTO Secure endpoints –IGTF (particularly for volume) –Commercial CAs (particularly browser-facing endpoints) – via NRENs Decide end user architecture –Everything-can-talk-to-everything Grid (X.509) –Portals as front ends Federated login – multifederation, multiLoA –Or a hybrid?

7 Securing e-Infrastructures HOWTO Prefer standards based –Promoting interoperation and reuse –Improve sustainability of components –No single technology solves every problem Credential conversions, proxies Plethora of attribute authorities and authorisation managers –Hexaa, VOMS, Perun, Comanage, Gakunin, REMS, Unity, …

8 Example Technologies Authentication – Moonshot, SAML, X.509, OAuth2/OpenID Connect Membership/role mgmt – Authorisation – SAML, X.509, (eduroam) Delegation – X.509/GSI, OAuth2 Account mgmt – SAFE Accounting – SAFE, APEL

9 Example Issues Proxies, certificates, ACs, cookies expire –Tradeoff: short lifetime vs revocation Usability vs security –User motivation to do the Right Thing™ –Understandability of security goals/certifications PEBKACs –End users focus on research not on security –People forget, share credentials Access control granularity Long term support for components

10 Example Problems 1.(EUT0) assign an attribute to people in the room 2.(DiRAC) workaround expiring creds

11 Standards Organisations IETFOGFOASISISOITU/IECETSI

12 Dramatis Personae Entities (which authenticate themselves) –Users –Hosts –Automated agents (monitoring, file movers) Resources –Endpoints –Accounting systems –Resource owners Projects

13 AARC –Common ground: architecture, LoA, … –Training –Policies –Piloting (only) technologies EGI, EUDAT, INDIGO DataCloud Community IdPs –E.g. Umbrella https://aarc-project.eu/documents/

14 Attempted Summary Security is a process Work with what’s there Work with standards –Lowers risk, i Work with reusable and interoperable components

15 Demo, pursued by bear If there is time… (or try it yourself) 1.Upload file to EUDAT using Google id https://b2access.eudat.eu/ 2.Authenticate to JISCMAIL using UKAMF https://www.jiscmail.ac.uk/ Exercise: what does it do? What is missing? Why doesn’t eventbooking.stfc.ac.uk do this?

Download ppt "AAI Developments AAI for e-infrastructures UK T0 workshop, Milton Hill Park 20-21 October 2015"

Similar presentations

Lousy Introduction into SWITCHaai

Lousy Introduction into SWITCHaai
EGI-InSPIRE RI-261323 EGI-InSPIRE EGI-InSPIRE RI-261323 AAI in EGI Status and Evolution Peter Solagna Senior Operations Manager

EGI-InSPIRE RI EGI-InSPIRE EGI-InSPIRE RI AAI in EGI Status and Evolution Peter Solagna Senior Operations Manager
EUDAT FIM4R at TNC 2014 Jens Jensen, STFC, on behalf of EUDAT AAI task force.

EUDAT FIM4R at TNC 2014 Jens Jensen, STFC, on behalf of EUDAT AAI task force.
Federated Identity Management for Research Communities (FIM4R) David Kelsey (STFC-RAL) EGI TF, AAI workshop 19 Sep 2012.

Federated Identity Management for Research Communities (FIM4R) David Kelsey (STFC-RAL) EGI TF, AAI workshop 19 Sep 2012.
Towards Cloud Federations: what we have; what we want OGF 31, Taipei Cloud security session Jens Jensen Science and Technology Facilities Council Rutherford.

Towards Cloud Federations: what we have; what we want OGF 31, Taipei Cloud security session Jens Jensen Science and Technology Facilities Council Rutherford.
Federated A(A(A))I Jens Jensen hepsysman, RAL, 20110701.

Federated A(A(A))I Jens Jensen hepsysman, RAL,
Authentication and Authorization in a federated environment Jules Wolfrat (SARA)

Authentication and Authorization in a federated environment Jules Wolfrat (SARA)
Climate Sciences: Use Case and Vision Summary Philip Kershaw CEDA, RAL Space, STFC.

Climate Sciences: Use Case and Vision Summary Philip Kershaw CEDA, RAL Space, STFC.
Federated Identity Management for HEP David Kelsey WLCG GDB 9 May 2012.

Federated Identity Management for HEP David Kelsey WLCG GDB 9 May 2012.
EMI AAI Strategy & Plans John White / Helsinki Institute of Physics Federated Identity Systems for Scientific Collaborations Workshop 09.06.2011, CERN,

EMI AAI Strategy & Plans John White / Helsinki Institute of Physics Federated Identity Systems for Scientific Collaborations Workshop , CERN,
Authentication and Authorisation for Research and Collaboration Licia Florio (GÉANT) Christos Kanellopoulos (GRNET) Service orientation.

Authentication and Authorisation for Research and Collaboration Licia Florio (GÉANT) Christos Kanellopoulos (GRNET) Service orientation.
David Groep Nikhef Amsterdam PDP & Grid Evolving Assurance – going where? Collaborative, distributed, and generalized assurance beyond just identity authentication.

David Groep Nikhef Amsterdam PDP & Grid Evolving Assurance – going where? Collaborative, distributed, and generalized assurance beyond just identity authentication.
AAI WG EMI Christoph Witzig on behalf of EMI AAI WG.

AAI WG EMI Christoph Witzig on behalf of EMI AAI WG.
EResearchers Requirements the IGTF model of interoperable global trust and with a view towards FIM4R AAI Workshop Presenter: David Groep, Nikhef.

EResearchers Requirements the IGTF model of interoperable global trust and with a view towards FIM4R AAI Workshop Presenter: David Groep, Nikhef.
Authentication and Authorisation for Research and Collaboration Licia Florio REFEDS Meeting The AARC Project I2 Technology Exchange.

Authentication and Authorisation for Research and Collaboration Licia Florio REFEDS Meeting The AARC Project I2 Technology Exchange.
Authentication and Authorisation for Research and Collaboration Licia Florio AARC Workshop The AARC Project Brussels, 26 October.

Authentication and Authorisation for Research and Collaboration Licia Florio AARC Workshop The AARC Project Brussels, 26 October.
Https://aarc-project.eu Authentication and Authorisation for Research and Collaboration Peter Solagna Milano, AARC General meeting Current status and plans.

Authentication and Authorisation for Research and Collaboration Peter Solagna Milano, AARC General meeting Current status and plans.
Https://aarc-project.eu Authentication and Authorisation for Research and Collaboration Peter Solagna Milano, AARC General meeting Current status and plans.

Authentication and Authorisation for Research and Collaboration Peter Solagna Milano, AARC General meeting Current status and plans.
JRA1.4 Models for implementing Attribute Providers and Token Translation Services Andrea Biancini.

JRA1.4 Models for implementing Attribute Providers and Token Translation Services Andrea Biancini.
Federated Identity Management for HEP David Kelsey HEPiX, IHEP Beijing 18 Oct 2012.

Federated Identity Management for HEP David Kelsey HEPiX, IHEP Beijing 18 Oct 2012.

Similar presentations

Ads by Google