Authentication & Authorization for Research & Collaboration: Pilots in SA1
Paul van Dijk, SURFnet
AARC
Connecting People and Devices
AARC Work Packages
The Netherlands: research apps / SURFconext ecosystem
Drive
WeNMR
Portal
Identity Providers
±300 Service Providers (commercial / non-commercial)
SURFconext AAI Hub
Trust Framework
University: Dirk [email protected], Staff member, ID#: 2989289283921
SP stores attributes
SURFconext for WeNMR VRC
Knowledge
Help Center, Tutorials,
Wiki
Consultancy
Services
Portals
Third-party aggregation
Grid
[Diagram: Identity Providers ↔ SURFconext AAI Hub ↔ Service Providers, including the WeNMR VRC portal; every link is SAML]
Status?
Non-web SSO ✗
Attribute management for AuthZ ✗
“Guest” access ✗/✔
Int’l AuthN ✗/✔
IdPs – extend coverage
National IdPs
VU
eduGAIN IdPs
TC
“Guest access”
TC
All SAML, but the differences in attribute management require agreed policies and formats
• Lower barriers for non-academia
• Use of Gov e-ID, social IDs, linking accounts
• Support scalable LoA for guest accounts
• Deal with “library walk-in users”
All SAML, national policies and formats. Any issues? Perhaps promote an opt-out approach.
Authorizations: Attribute Management Framework
Attribute management: solutions are emerging, but they are not really adopted by researchers yet
Pilot with:
• Attribute providers/management
• Attribute aggregators
• SPs able to do attribute-based authorisations (or enable SPs)
PoC EGI and SURFnet
Attr provider:
• Verifies authenticity
• Adds attributes
• Provides workflows
Self Asserted: +31(6) 120202020, Skype: DirkStap, LinkedIn: DirkHStap
Collab Organisation: CO-admin, CO-researcher
University: Dirk [email protected], Staff member, ID#: 2989289283921
keystone
• Aggregate attributes
• Forward with ARP to SP
add. attr. at logon
add. attr. by query
University: Dirk [email protected], Staff member, ID#: 2989289283921
UVK
• Authenticate
• Add attributes
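The aggregation flow sketched on these slides (home IdP authenticates and adds attributes, self-asserted and collaborative-organisation providers add more, the aggregator merges them and forwards the result to the SP subject to an ARP, and the SP authorises on the attributes it receives), as an added example. This is not AARC, EGI or SURFconext code; ARP is taken here to mean attribute release policy, and the provider names, attribute names, SP names and policy format are all constructed for the illustration.

```python
"""Attribute aggregation with a per-SP attribute release policy (ARP).

Added illustration, not code from the AARC project or SURFconext.
All providers, attributes and SPs below are constructed sample data.
"""
from dataclasses import dataclass
from typing import Dict, List, Sequence


@dataclass(frozen=True)
class Attribute:
    values: tuple      # multi-valued, as SAML attributes commonly are
    source: str        # provider that asserted the attribute
    verified: bool     # True when the provider verifies authenticity


@dataclass(frozen=True)
class Provider:
    name: str
    verified: bool
    attributes: Dict[str, Sequence[str]]


# Constructed sample: what each attribute provider asserts about one user.
PROVIDERS: List[Provider] = [
    Provider("university-idp", True, {          # home IdP: authenticates, adds institutional attributes
        "displayName": ["Dirk Stap"],
        "eduPersonAffiliation": ["staff"],
        "employeeNumber": ["2989289283921"],
    }),
    Provider("self-asserted", False, {          # user-maintained, unverified
        "displayName": ["D. Stap"],             # conflicts with the IdP and must not win
        "telephoneNumber": ["+31(6) 120202020"],
        "skype": ["DirkStap"],
    }),
    Provider("collab-org", True, {              # CO registry maintained by CO admins
        "isMemberOf": ["wenmr:researcher"],
    }),
]

# Constructed ARP: per SP, which attributes are released and from which
# sources. Attributes not listed for an SP are never forwarded to it.
ARP: Dict[str, Dict[str, Sequence[str]]] = {
    "wenmr-portal": {
        "displayName": ["university-idp"],
        "eduPersonAffiliation": ["university-idp"],
        "isMemberOf": ["collab-org"],
    },
    "help-center": {
        "displayName": ["university-idp"],
        "skype": ["self-asserted"],
    },
}


def aggregate(providers: Sequence[Provider]) -> Dict[str, Attribute]:
    """Merge attributes from all providers into one view of the user.

    Conflict rule: a verified source beats an unverified one; among equally
    trusted sources the provider listed first wins.
    """
    merged: Dict[str, Attribute] = {}
    for p in providers:
        for name, values in p.attributes.items():
            candidate = Attribute(tuple(values), p.name, p.verified)
            current = merged.get(name)
            if current is None or (candidate.verified and not current.verified):
                merged[name] = candidate
    return merged


def release(merged: Dict[str, Attribute], sp: str) -> Dict[str, tuple]:
    """Apply the SP's ARP: forward only listed attributes from allowed sources."""
    policy = ARP.get(sp)
    if policy is None:
        return {}  # unknown SP: release nothing
    out: Dict[str, tuple] = {}
    for name, allowed_sources in policy.items():
        attr = merged.get(name)
        if attr is not None and attr.source in allowed_sources:
            out[name] = attr.values
    return out


def authorize(released: Dict[str, tuple], required_group: str) -> bool:
    """Attribute-based authorisation at the SP: require a CO group membership."""
    return required_group in released.get("isMemberOf", ())


if __name__ == "__main__":
    user = aggregate(PROVIDERS)
    for sp in ARP:
        print(sp, release(user, sp))
    print("wenmr access:", authorize(release(user, "wenmr-portal"), "wenmr:researcher"))
```

The two points the slides make show up directly: the self-asserted display name never overrides the home IdP's verified one, and the employee number and telephone number, although aggregated, reach no SP because no ARP entry lists them.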
SPs: Improve access to research infra
Webservices: SAML World
Can we apply a similar setup to e-infrastructures like EGI, PRACE, EUDAT, ESFRI clusters... so that these providers can offer their resources in a more user-friendly, controlled and consolidated way?
Users can access different web-based services with the same set of credentials
E-infrastructures
non-web: X.509
Non-Web SSO
• Moonshot (EAP, RADIUS, GSS-API, SASL)
• SAML ECP
• Workarounds: SAML-enabled portal
- Provision application-specific passwords
- OAuth
- X.509
• Unity-idm.eu
• Facius
• Kerberos or other solutions (?)
Description of Work SA1
• Driven by user requirements
• Strong focus on integration of existing building blocks
• Main focus on:
- Solutions for guest users (task 1 - GARR)
- Attribute management, aggregation and consumption (task 2 - EGI)
- Access to non-web and commercial (cloud) resources (task 3 - PSNC)
• Together with user communities: evaluate whether the solutions proposed by JRA1 and NA3 are effective, and feed back to JRA1 and NA3
paul.vandijk[at]surfnet.nl
@paulcwvandijk
paulcwvandijk
www.surfnet.nl
+31 6 13328090
Creative Commons “Attribution” license: http://creativecommons.org/licenses/by/3.0/