openconext: authentication & authorization infrastructure for virtual research communities
DESCRIPTION
EGI Community Forum 2014. Paul van Dijk presented at the EGI Community Forum in Helsinki how OpenConext can be deployed to support and enhance scientific collaboration. Among other things he went into the wishes and requirements of scientific collaboration in the field of authentication and authorization. OpenConext is particularly suitable for centralized management of the users of collaborative organisations.

TRANSCRIPT
![Page 1: OpenConext: Authentication & Authorization Infrastructure for Virtual Research Communities](https://reader036.vdocuments.mx/reader036/viewer/2022081404/559b14d61a28ab8e308b4595/html5/thumbnails/1.jpg)
Authentication & Authorization Infrastructure for Virtual Research Communities
Paul van Dijk, SURFnet; Alexandre Bonvin, WeNMR
![Page 2: OpenConext: Authentication & Authorization Infrastructure for Virtual Research Communities](https://reader036.vdocuments.mx/reader036/viewer/2022081404/559b14d61a28ab8e308b4595/html5/thumbnails/2.jpg)
SURFnet: the Dutch NREN
• SURFnet is the Dutch National Research & Education Network (NREN)
  - Services, innovation, knowledge
  - Not for profit
  - Task organisation of Stichting SURF = ICT collaboration of higher education & research
• A small operation serving a large community:
  - 85 employees
  - 160 connected institutions
  - 1 million end-users
  - Turnover 35 million Euro; 1/3 innovation subsidies
![Page 3: OpenConext: Authentication & Authorization Infrastructure for Virtual Research Communities](https://reader036.vdocuments.mx/reader036/viewer/2022081404/559b14d61a28ab8e308b4595/html5/thumbnails/3.jpg)
Connecting people and devices collaborate and share – how to facilitate VRCs
![Page 4: OpenConext: Authentication & Authorization Infrastructure for Virtual Research Communities](https://reader036.vdocuments.mx/reader036/viewer/2022081404/559b14d61a28ab8e308b4595/html5/thumbnails/4.jpg)
The WeNMR virtual research community
eScience hub for NMR and structural biology
![Page 5: OpenConext: Authentication & Authorization Infrastructure for Virtual Research Communities](https://reader036.vdocuments.mx/reader036/viewer/2022081404/559b14d61a28ab8e308b4595/html5/thumbnails/5.jpg)
The WeNMR VRC
A Drupal-powered, rich web-based experience
[Diagram: the VRC portal surrounded by three clusters. Knowledge: Help Center; Tutorials, Wiki; Consultancy. Services: Portals; Third-party aggregation; Grid. Exposure: Marketplace; Blogs, news, events; Facebook.]
![Page 6: OpenConext: Authentication & Authorization Infrastructure for Virtual Research Communities](https://reader036.vdocuments.mx/reader036/viewer/2022081404/559b14d61a28ab8e308b4595/html5/thumbnails/6.jpg)
or...
Done ✔
![Page 7: OpenConext: Authentication & Authorization Infrastructure for Virtual Research Communities](https://reader036.vdocuments.mx/reader036/viewer/2022081404/559b14d61a28ab8e308b4595/html5/thumbnails/7.jpg)
WeNMR VRC: how to deal with authentication?
For the end-user
• How to provide access as easily as possible
• Use the institutional account
• Single Sign-On to all kinds of NMR resources
For WeNMR administrators
• How to verify users? ([email protected])
• How to deal with the burden of account management?
• How to bridge authentication across domains and resources?
![Page 8: OpenConext: Authentication & Authorization Infrastructure for Virtual Research Communities](https://reader036.vdocuments.mx/reader036/viewer/2022081404/559b14d61a28ab8e308b4595/html5/thumbnails/8.jpg)
AAI for research observations, questions, challenges
• AAI is one of the cornerstones (or at least a key starting point) for international collaboration and system integration
• Ever growing space... with many issues
• More than technique and engineering → policies, procedures and a lot of human interaction (!)
• Can we build on existing building blocks?
![Page 9: OpenConext: Authentication & Authorization Infrastructure for Virtual Research Communities](https://reader036.vdocuments.mx/reader036/viewer/2022081404/559b14d61a28ab8e308b4595/html5/thumbnails/9.jpg)
The Netherlands: research apps in the SURFconext ecosystem
[Diagram: Identity Providers on one side, >200 Service Providers (commercial / non-commercial, e.g. Drive and the WeNMR Portal) on the other, connected through the SURFconext Authentication Hub under a common Trust Framework. The university IdP asserts the example user's attributes (Dirk Stap, [email protected], Staff member, ID# 2989289283921); the SP stores the attributes it receives.]
![Page 10: OpenConext: Authentication & Authorization Infrastructure for Virtual Research Communities](https://reader036.vdocuments.mx/reader036/viewer/2022081404/559b14d61a28ab8e308b4595/html5/thumbnails/10.jpg)
No-brainer: connect the WeNMR portal to SURFconext
[Diagram: the WeNMR VRC portal (Knowledge: Help Center, Tutorials, Wiki, Consultancy; Services: Portals, Third-party aggregation, Grid) becomes one Service Provider on the SURFconext Authentication Hub. Every Identity Provider and every Service Provider speaks SAML to the hub, so the portal maintains one SAML trust relationship with the hub instead of one with each IdP.]
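What the portal, as one SAML SP on the hub, actually receives and must check before it stores anything, as an added example in Python (not code from OpenConext, SURFconext or the WeNMR portal). The Response is constructed, unsigned, and uses hypothetical entity IDs and attribute values; a real SP first verifies the XML signature with a SAML library, and the checks below are the ones that a valid signature alone does not give you: issuer, status, validity window and audience.

```python
"""Check a hub-brokered SAML 2.0 Response and extract the attributes an SP stores.

Added example, not OpenConext/SURFconext/WeNMR code. The Response is a
constructed, unsigned sample with hypothetical entity IDs. In production the
XML signature on the Response/Assertion is verified first with a SAML library
(python3-saml, pysaml2, ...); the checks here come after that.
"""
from datetime import datetime, timedelta, timezone
import xml.etree.ElementTree as ET  # use defusedxml.ElementTree for untrusted input

NS = {
    "samlp": "urn:oasis:names:tc:SAML:2.0:protocol",
    "saml": "urn:oasis:names:tc:SAML:2.0:assertion",
}
SUCCESS = "urn:oasis:names:tc:SAML:2.0:status:Success"

# Hypothetical entity IDs: towards the SP, the hub is the IdP.
HUB_ENTITY_ID = "https://hub.example.org/authentication/idp/metadata"
SP_ENTITY_ID = "https://wenmr.example.org/saml/metadata"

# Constructed sample response (unsigned; all values are made up).
SAMPLE_RESPONSE = f"""<samlp:Response xmlns:samlp="{NS['samlp']}" xmlns:saml="{NS['saml']}"
    ID="_r1" Version="2.0" IssueInstant="2014-05-20T10:00:00Z">
  <saml:Issuer>{HUB_ENTITY_ID}</saml:Issuer>
  <samlp:Status><samlp:StatusCode Value="{SUCCESS}"/></samlp:Status>
  <saml:Assertion ID="_a1" Version="2.0" IssueInstant="2014-05-20T10:00:00Z">
    <saml:Issuer>{HUB_ENTITY_ID}</saml:Issuer>
    <saml:Subject>
      <saml:NameID Format="urn:oasis:names:tc:SAML:2.0:nameid-format:persistent">a3f9c2e1</saml:NameID>
    </saml:Subject>
    <saml:Conditions NotBefore="2014-05-20T09:59:30Z" NotOnOrAfter="2014-05-20T10:05:00Z">
      <saml:AudienceRestriction><saml:Audience>{SP_ENTITY_ID}</saml:Audience></saml:AudienceRestriction>
    </saml:Conditions>
    <saml:AttributeStatement>
      <saml:Attribute Name="urn:mace:dir:attribute-def:eduPersonPrincipalName">
        <saml:AttributeValue>dstap@university.example</saml:AttributeValue>
      </saml:Attribute>
      <saml:Attribute Name="urn:mace:dir:attribute-def:mail">
        <saml:AttributeValue>d.stap@university.example</saml:AttributeValue>
      </saml:Attribute>
      <saml:Attribute Name="urn:mace:dir:attribute-def:eduPersonAffiliation">
        <saml:AttributeValue>staff</saml:AttributeValue>
        <saml:AttributeValue>member</saml:AttributeValue>
      </saml:Attribute>
    </saml:AttributeStatement>
  </saml:Assertion>
</samlp:Response>"""


def parse_utc(s):
    """SAML timestamps are UTC 'Z' times; compare them as aware datetimes."""
    return datetime.strptime(s, "%Y-%m-%dT%H:%M:%SZ").replace(tzinfo=timezone.utc)


def validate_and_extract(xml_text, now, expected_issuer=HUB_ENTITY_ID,
                         sp_entity_id=SP_ENTITY_ID, skew=timedelta(seconds=60)):
    """Return {attribute name: [values]} from a Response that passes every check.

    Raises ValueError on the first failed check; the SP must then create no session.
    """
    root = ET.fromstring(xml_text)
    if root.tag != f"{{{NS['samlp']}}}Response":
        raise ValueError("not a samlp:Response")
    code = root.find("samlp:Status/samlp:StatusCode", NS)
    if code is None or code.get("Value") != SUCCESS:
        raise ValueError("non-success status")
    assertions = root.findall("saml:Assertion", NS)
    if len(assertions) != 1:  # reject none, and reject several (assertion-confusion tricks)
        raise ValueError(f"expected exactly one Assertion, got {len(assertions)}")
    a = assertions[0]
    for issuer in (root.findtext("saml:Issuer", namespaces=NS),
                   a.findtext("saml:Issuer", namespaces=NS)):
        if issuer != expected_issuer:
            raise ValueError(f"unexpected issuer {issuer!r}")
    cond = a.find("saml:Conditions", NS)
    if cond is None:
        raise ValueError("missing Conditions")
    not_before, not_on_or_after = cond.get("NotBefore"), cond.get("NotOnOrAfter")
    if not_before and now + skew < parse_utc(not_before):
        raise ValueError("assertion not yet valid")
    if not_on_or_after is None or now - skew >= parse_utc(not_on_or_after):
        raise ValueError("assertion expired or has no NotOnOrAfter")
    audiences = [e.text for e in cond.findall("saml:AudienceRestriction/saml:Audience", NS)]
    if sp_entity_id not in audiences:  # an assertion minted for another SP must not log in here
        raise ValueError(f"audience {audiences} does not include this SP")
    attrs = {}
    for attr in a.findall("saml:AttributeStatement/saml:Attribute", NS):
        attrs[attr.get("Name")] = [v.text for v in attr.findall("saml:AttributeValue", NS)]
    return attrs


if __name__ == "__main__":
    print(validate_and_extract(SAMPLE_RESPONSE, now=parse_utc("2014-05-20T10:01:00Z")))
```

The audience check is the one most often skipped in hand-rolled SPs: without it, an assertion the hub issued for a different service on the same hub is accepted here, which in a hub-and-spoke federation is a cross-SP login.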
![Page 11: OpenConext: Authentication & Authorization Infrastructure for Virtual Research Communities](https://reader036.vdocuments.mx/reader036/viewer/2022081404/559b14d61a28ab8e308b4595/html5/thumbnails/11.jpg)
WeNMR SSO Drupal module (see: bit.ly/1oc3Gu3)
Provides a closed and self-contained solution for everything related to authentication, authorization and accounting for a service, without any need for additional modules or external services.
![Page 12: OpenConext: Authentication & Authorization Infrastructure for Virtual Research Communities](https://reader036.vdocuments.mx/reader036/viewer/2022081404/559b14d61a28ab8e308b4595/html5/thumbnails/12.jpg)
Crossing national borders via eduGAIN
[Diagram: the same picture as the previous slide (WeNMR VRC as a Service Provider on the SURFconext Authentication Hub, all Identity Providers and Service Providers connected over SAML), now with the hub also connected over SAML to Identity Providers and Service Providers in other national federations through eduGAIN.]
![Page 13: OpenConext: Authentication & Authorization Infrastructure for Virtual Research Communities](https://reader036.vdocuments.mx/reader036/viewer/2022081404/559b14d61a28ab8e308b4595/html5/thumbnails/13.jpg)
It (almost) works
![Page 14: OpenConext: Authentication & Authorization Infrastructure for Virtual Research Communities](https://reader036.vdocuments.mx/reader036/viewer/2022081404/559b14d61a28ab8e308b4595/html5/thumbnails/14.jpg)
or...
Done ✔
![Page 15: OpenConext: Authentication & Authorization Infrastructure for Virtual Research Communities](https://reader036.vdocuments.mx/reader036/viewer/2022081404/559b14d61a28ab8e308b4595/html5/thumbnails/15.jpg)
Can we take it one step further?
AI → AAI
Can we organize AuthZ in a centralized (and generic) way?
![Page 16: OpenConext: Authentication & Authorization Infrastructure for Virtual Research Communities](https://reader036.vdocuments.mx/reader036/viewer/2022081404/559b14d61a28ab8e308b4595/html5/thumbnails/16.jpg)
Needed: additional attributes
[Diagram: three attribute sets for the example user, each tagged with its source. @university: Dirk Stap, [email protected], Staff member, ID# 2989289283921. @Collab Org (UVK): CO-admin, CO-researcher. @Dirk Stap (self-asserted): +31(6) 120202020, Skype: DirkStap, LinkedIn: DirkHStap.]
![Page 17: OpenConext: Authentication & Authorization Infrastructure for Virtual Research Communities](https://reader036.vdocuments.mx/reader036/viewer/2022081404/559b14d61a28ab8e308b4595/html5/thumbnails/17.jpg)
Needed: attribute source(s)
[Diagram: the university-asserted attributes (Dirk Stap, [email protected], Staff member, ID# 2989289283921) and the CO roles (CO-admin, CO-researcher) come from different sources.]
![Page 18: OpenConext: Authentication & Authorization Infrastructure for Virtual Research Communities](https://reader036.vdocuments.mx/reader036/viewer/2022081404/559b14d61a28ab8e308b4595/html5/thumbnails/18.jpg)
Needed: attribute release management
[Diagram: three sources and three services, each service receiving a different subset.
Sources: Self Asserted (+31(6) 120202020, Skype: DirkStap, LinkedIn: DirkHStap); University (Dirk Stap, [email protected], Staff member, ID# 2989289283921); Collab Organisation (CO-admin, CO-researcher).
Released: TC VidConf gets Dirk Stap, [email protected], ID# 2989289283921 (no Staff member attribute); UVK Storage gets the full university set plus +31(6) 120202020 and Skype: DirkStap; Google APPS gets the full university set plus the CO roles CO-admin and CO-researcher.]
![Page 19: OpenConext: Authentication & Authorization Infrastructure for Virtual Research Communities](https://reader036.vdocuments.mx/reader036/viewer/2022081404/559b14d61a28ab8e308b4595/html5/thumbnails/19.jpg)
OpenConext for Collaborative Organisations
• Groups
• Distributed Services
• Attributes, roles and rights
Groups are core to collaboration: any collaboration is based on groups. In eScience these groups are dynamic and international.
Distributed services: COs collaborate around distributed services. Managing and maintaining many SP-IdP interconnections is tough.
Attributes, roles and rights: roles and rights are based on attributes. COs need very different attributes compared to the attributes provided by the IdPs.
![Page 20: OpenConext: Authentication & Authorization Infrastructure for Virtual Research Communities](https://reader036.vdocuments.mx/reader036/viewer/2022081404/559b14d61a28ab8e308b4595/html5/thumbnails/20.jpg)
How OpenConext helps
• Groups
• Distributed Services
• Attributes, roles and rights
Centralized and external group providers: OpenConext provides a centralized group provider and allows linking external group providers.
Manage services: CO SP and IdP connections can be managed centrally, including Access Policies and Attribute Release Policies.
Attributes: can be transformed and filtered both at logon and when queried out-of-band.
![Page 21: OpenConext: Authentication & Authorization Infrastructure for Virtual Research Communities](https://reader036.vdocuments.mx/reader036/viewer/2022081404/559b14d61a28ab8e308b4595/html5/thumbnails/21.jpg)
PoC EGI and SURFnet (Q2/Q3) in a SAML world
[Diagram of the PoC logon flow; labels as on the slide:
- University / UVK: Authenticate; Add attributes. Asserts Dirk Stap, [email protected], Staff member, ID# 2989289283921.
- A CO manager: Verifies authenticity; Adds attributes; Provides workflows. Asserts the Collab Organisation roles CO-admin and CO-researcher and the self-asserted +31(6) 120202020, Skype: DirkStap, LinkedIn: DirkHStap.
- Hub (labelled keystone): Aggregate attributes; Forward with ARP to SP. Additional attributes arrive either at logon or by query.]
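The hub-side half of this flow (and of the release-management and transform/filter slides above), as an added example in Python, not OpenConext code: three sources assert attributes, the hub keeps only what each source is authoritative for, derives an entitlement from CO group membership at logon, applies the SP's access policy, and then releases only what that SP's ARP allows. The attribute names are the urn:mace:dir names used in SAML federations; the entity IDs, group URN prefix, the "who may assert what" table and both policy tables are hypothetical and constructed for the example.

```python
"""Attribute aggregation, access policy and attribute release at a federation hub.

Added example; not OpenConext code. Entity IDs, group URNs, the AUTHORITATIVE
table and both policy tables are hypothetical, constructed for this example.
"""

EPPN = "urn:mace:dir:attribute-def:eduPersonPrincipalName"
MAIL = "urn:mace:dir:attribute-def:mail"
DISPLAY_NAME = "urn:mace:dir:attribute-def:displayName"
AFFILIATION = "urn:mace:dir:attribute-def:eduPersonAffiliation"
IS_MEMBER_OF = "urn:mace:dir:attribute-def:isMemberOf"
ENTITLEMENT = "urn:mace:dir:attribute-def:eduPersonEntitlement"
PHONE = "urn:mace:dir:attribute-def:telephoneNumber"

CO_GROUP_PREFIX = "urn:collab:group:co.example.org:"  # hypothetical CO group namespace

# Which source the hub trusts for which attribute. A lower-assurance source
# (the user, a CO manager) must not be able to assert an IdP attribute.
AUTHORITATIVE = {
    "idp":  {EPPN, MAIL, DISPLAY_NAME, AFFILIATION},
    "co":   {IS_MEMBER_OF},
    "self": {PHONE},
}

# Attribute Release Policy per SP: attribute -> "*" (any value) or the allowed values.
ARP = {
    "https://vidconf.example.org": {DISPLAY_NAME: "*", MAIL: "*"},
    "https://storage.example.org": {EPPN: "*", DISPLAY_NAME: "*", MAIL: "*", PHONE: "*", IS_MEMBER_OF: "*"},
    "https://apps.example.org":    {EPPN: "*", MAIL: "*", AFFILIATION: {"staff", "student"}, ENTITLEMENT: "*"},
}

# Access policy per SP: attribute -> values of which at least one must be present.
ACCESS_POLICY = {
    "https://storage.example.org": {IS_MEMBER_OF: {CO_GROUP_PREFIX + "wenmr:researcher",
                                                   CO_GROUP_PREFIX + "wenmr:admin"}},
}


def aggregate(assertions):
    """Merge (source, {attr: [values]}) pairs; drop attributes from non-authoritative sources."""
    merged, rejected = {}, []
    for source, attrs in assertions:
        for name, values in attrs.items():
            if name not in AUTHORITATIVE.get(source, set()):
                rejected.append((source, name))  # log this: someone asserted what they may not
                continue
            bucket = merged.setdefault(name, [])
            bucket.extend(v for v in values if v not in bucket)
    return merged, rejected


def transform(attrs):
    """Logon-time transformation: derive eduPersonEntitlement from CO group membership."""
    out = {name: list(values) for name, values in attrs.items()}
    for group in attrs.get(IS_MEMBER_OF, []):
        if group.startswith(CO_GROUP_PREFIX):
            out.setdefault(ENTITLEMENT, []).append("urn:x-example:role:" + group[len(CO_GROUP_PREFIX):])
    return out


def authorized(sp, attrs):
    """True unless the SP has an access policy the user's attributes do not satisfy."""
    for name, required in ACCESS_POLICY.get(sp, {}).items():
        if not required & set(attrs.get(name, [])):
            return False
    return True


def release(sp, attrs):
    """Apply the SP's ARP: an SP without an ARP gets nothing; otherwise filter names and values."""
    if sp not in ARP:
        raise PermissionError(f"no ARP configured for {sp}")
    out = {}
    for name, allowed in ARP[sp].items():
        values = attrs.get(name, [])
        if allowed != "*":
            values = [v for v in values if v in allowed]
        if values:
            out[name] = values
    return out


def logon(sp, assertions):
    """Hub-side flow for one logon; returns the attributes forwarded to the SP."""
    merged, _rejected = aggregate(assertions)
    merged = transform(merged)
    if not authorized(sp, merged):
        raise PermissionError(f"access policy of {sp} not satisfied")
    return release(sp, merged)


# Constructed sample assertions for the example user; the self-asserted
# affiliation is there to show that it gets dropped.
SAMPLE_ASSERTIONS = [
    ("idp",  {EPPN: ["dstap@university.example"], MAIL: ["d.stap@university.example"],
              DISPLAY_NAME: ["Dirk Stap"], AFFILIATION: ["staff", "member"]}),
    ("co",   {IS_MEMBER_OF: [CO_GROUP_PREFIX + "wenmr:researcher"]}),
    ("self", {PHONE: ["+31 6 12345678"], AFFILIATION: ["faculty"]}),
]

if __name__ == "__main__":
    for sp in ARP:
        print(sp, logon(sp, SAMPLE_ASSERTIONS))
```

Two design points worth keeping when the PoC grows into a real deployment: the authoritative-source table is enforced before any policy runs, so a CO manager or the user cannot promote themselves to "staff", and an SP with no ARP receives nothing rather than everything, which is the failure mode you want when a connection is misconfigured.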
![Page 22: OpenConext: Authentication & Authorization Infrastructure for Virtual Research Communities](https://reader036.vdocuments.mx/reader036/viewer/2022081404/559b14d61a28ab8e308b4595/html5/thumbnails/22.jpg)
Conclusion
Authentication infrastructure
• Identity federations: work well on a national level → run-of-the-mill in many countries, UX could be better
• Interfederation: will it scale? Requires a lot of effort → streamline and harmonize procedures, improve discovery of endpoint representatives → on the radar of organizations like REFEDS and GEANT (eduGAIN)
Authorization infrastructure
• Still in development, some solutions/approaches available → collaborate, just do it, run PoCs with the community & improve
![Page 23: OpenConext: Authentication & Authorization Infrastructure for Virtual Research Communities](https://reader036.vdocuments.mx/reader036/viewer/2022081404/559b14d61a28ab8e308b4595/html5/thumbnails/23.jpg)
paul.vandijk[at]surfnet.nl or niels.vandijk[at]surfnet for OpenConext
@paulcwvandijk paulcwvandijk
www.surfnet.nl
+31 30 2 305 305
Creative Commons "Attribution" license: http://creativecommons.org/licenses/by/3.0/