Transcript: AARC Blueprint Architecture for interoperable AAIs · 9/28/2016
http://aarc-project.eu
Authentication and Authorisation for Research and Collaboration
Christos Kanellopoulos (GRNET)
Digital Infrastructures for Research 2016
AARC Blueprint Architecture for interoperable AAIs
28 September 2016, Krakow

The starting point
• The scenario:
  • There is a technical architect of a research community
  • Her community is distributed internationally
  • Increasing number of services need authentication and authorization
  • Her job is to find a solution
  • She wants to focus on research and not reinvent the wheel
  • She starts googling
• So, there are some solutions available, but…

AARC Facts
• Two-year EC-funded project
• 20 partners
• NRENs, e-Infrastructure providers and Libraries as equal partners
• About 3 M euro budget
• Starting date 1st May, 2015
• https://aarc-project.eu/
Authentication and Authorisation for Research and Collaboration

AARC’s Role: Connecting the islands
(Diagram: eInfra A, eInfra B, rInfra 1, rInfra 2)

AARC Vision and Outputs
Impact
• Bring federated access and eScience close to each other
• Create a cross-e-infrastructure ‘network’ for identities
• Reduce duplication of efforts in the service delivery
Outputs
• Design of integrated AAI built on federated access
• Harmonised policies to ease cross-discipline collaboration
• Pilot selected use-cases
• Offer a diversified training package
Avoid a future in which new research collaborations develop independent AAIs

AARC and T&I ecosystem
AARC
Requirements
• Anchored in real use cases
• International collaboration
Pilots
• AARC technical and policy findings
Training
REFEDS / FIM4R
REFEDS:
• Feedback and validation from Fed Operators on best practices
FIM4R:
• Feedback on pilots from AAI user communities
• Requirements/feedback for training and architecture
r/e-Infrastructures
Develop business case
• Costing
• Supply chain
Pilot integration results
Incorporate
• GN4 project, REFEDS, FIM4R, RDA, and various AAI work within other projects
• Liaisons with international collaborations

AARC Methodology
(Diagram: Management, Community Requirements, Community Feedback)

Starting Point
ID FEDs
• Mainly nationally focused
• Provide web SSO (SAML) to access a number of services
• Support fine-grained AuthZ
e-Researcher
• Typical inter-fed use-cases
• Provide SSO (X.509) for e-Research services
• Requirement for stronger AuthN (LoA)

The goals
1. Users should be able to access all the services using the credentials from their Home Organization
2. Users should have one persistent, non-reassignable, non-targeted unique identifier.
3. Attempt to retrieve user attributes from the user’s Home Organization. If this is not possible, then an alternate process should exist.
4. Distinguish (LoA) between self-asserted attributes and the attributes provided by the Home Organization/VO
5. Access to the various services should be granted based on the role(s) the users have within the collaboration
6. Services should not have to deal with the complexity of multiple IdPs/Federations/Attribute Authorities/technologies.

Identified Requirements
Non-web-browser
Guest users
Persistent Unique Id
Credential translation
Attribute Aggregation
Attribute Release
Levels of Assurance
Community based AuthZ
Social & e-Gov IDs
Step-up AuthN
User Managed Information
User Friendliness
Incident Response
Best Practices
Credential Delegation
SP Friendliness

The Functional Components and available AAI tools
(Diagram: Available AAI Components: Attribute Authorities, IdPs, Proxies, Token Translation, Service Provider; Analysis of User Communities and Infrastructure Providers)

AARC: Analysis of User Communities and e-Infrastructure Providers

AARC Blueprint Architecture (1st Draft)
User Community Requirements
https://wiki.geant.org/display/AARC/AARC+Architecture
https://goo.gl/kSxENp

AARC Blueprint Architecture & eduGAIN
eduGAIN and the Identity Federations: a solid foundation for federated access in R&E
Authentication and Authorization Architecture for Research Collaboration: a set of building blocks on top of eduGAIN for International Research Collaboration

Why the proxy model?
• All internal Services can have one statically configured IdP
• No need to run an IdP Discovery Service on each Service
• Connected SPs get consistent/harmonised user identifiers and accompanying attribute sets from one or more AAs that can be interpreted in a uniform way for authZ purposes
• External IdPs only deal with a single SP proxy
• But it comes with its own new challenges
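As an added illustration of the proxy model above together with goals 2, 4 and 5 from "The goals" (constructed example code, not code from the AARC project or this deck): a minimal proxy that mints one persistent, non-targeted identifier per user, aggregates attributes from the home IdP and a community attribute authority, labels each value's source, and makes the role-based decision so the connected SPs never have to. The entity IDs, the scope proxy.example.org and every attribute value are made up.

```python
import hashlib
from dataclasses import dataclass

# Constructed illustration of the AARC proxy model: internal services talk only to the
# proxy; the proxy talks to external IdPs and community attribute authorities (AAs).
# Entity IDs, the scope and every attribute value below are made up.
PROXY_SCOPE = "proxy.example.org"  # assumed scope the proxy appends to identifiers it mints


@dataclass
class ExternalAssertion:
    idp_entity_id: str           # external IdP (home organisation or guest IdP) that authenticated
    subject_id: str              # identifier as issued by that IdP
    attributes: dict             # attributes released with the assertion
    self_asserted: bool = False  # True when the IdP only relays what the user typed in


def persistent_proxy_id(a: ExternalAssertion) -> str:
    """Goal 2: one persistent, non-reassignable, non-targeted identifier per user.
    The IdP entity ID goes into the hash so two IdPs issuing the same local
    subject_id never collide; the same input always yields the same value."""
    digest = hashlib.sha256(f"{a.idp_entity_id}!{a.subject_id}".encode()).hexdigest()
    return f"{digest[:32]}@{PROXY_SCOPE}"


def aggregate(a: ExternalAssertion, community_aas: list) -> dict:
    """Goals 3 and 4: merge home-organisation attributes with AA attributes and label
    each value's source so an SP can tell self-asserted from organisation-asserted data."""
    source = "self-asserted" if a.self_asserted else "home-organisation"
    merged = {name: {"value": v, "source": source} for name, v in a.attributes.items()}
    pid = persistent_proxy_id(a)
    for aa in community_aas:  # each AA is keyed by the proxy's own identifier
        for name, v in aa.get(pid, {}).items():
            merged[name] = {"value": v, "source": "community-AA"}  # AA wins over IdP
    return merged


def authorize(attrs: dict, required_role: str) -> bool:
    """Goal 5: grant on community roles, never on a self-asserted role claim."""
    role = attrs.get("role")
    return bool(role) and role["source"] != "self-asserted" and required_role in role["value"]


def demo() -> dict:
    """Walk-through with two constructed users: one from a home IdP, one via a guest IdP."""
    alice = ExternalAssertion("https://idp.uni-a.example/saml", "alice",
                              {"mail": "alice@uni-a.example"})
    guest = ExternalAssertion("https://guest-idp.example/saml", "alice",
                              {"mail": "alice@mail.example", "role": ["admin"]}, True)
    community_aa = {persistent_proxy_id(alice): {"role": ["member", "admin"]}}
    return {"alice_id": persistent_proxy_id(alice), "guest_id": persistent_proxy_id(guest),
            "alice_attrs": aggregate(alice, [community_aa]),
            "guest_attrs": aggregate(guest, [community_aa])}
```

The guest user reuses the local subject_id "alice" and even claims an admin role, yet gets a different proxy identifier and is denied, because the role claim is self-asserted rather than coming from the community AA.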

Policies & Sustainability models
• Security Incident Response Trust Framework for Federated Identity: https://refeds.org/sirtfi
• Minimal Assurance Level for low-risk research use cases: https://wiki.geant.org/display/AARC/LoA+-+Level+of+Assurance
• Policy and sustainability models for a pan-European Token Translation Service: https://www.rcauth.eu/
• Sustainability models for "Guest IdPs": https://wiki.geant.org/display/AARC/Sustainability+models+for+Guest+IdPs
• Requirements for Accounting and Data Protection: https://wiki.geant.org/display/AARC/Accounting+and+Data+Protection

Pilots
Inputs: User Community Requirements, Overview of Available AAI Components, Draft Blueprint Architecture
https://goo.gl/kSxENp
https://goo.gl/NzQA2U
https://goo.gl/7dZZF4
Pilots With Communities: Plan, Develop, Test, Include Feedback, Input for training, Package/release

Pilots
(Diagram components: Attribute Authorities, IdPs, Proxy, Service Provider)
Library, hybrid AuthN; Library, IdP-SP proxy approach
Perun and COmanage AAs for BBMRI & EGI; OpenConext attribute aggregation
TTS with CI-logon and VO portal for Elixir; Token Translation
ORCID SP, LoA Elevation, Reference implementation of the BPA…
https://wiki.geant.org/display/AARC/AARC+Pilots

First e-Infrastructure implementations
• EGI CheckIn Service: https://wiki.egi.eu/wiki/AAI
• ELIXIR AAI: https://www.elixir-europe.org/services/compute/aai
• EUDAT B2ACCESS: https://www.eudat.eu/services/b2access
• GÉANT eduTEAMS: https://www.eduteams.org

Work for the next year
• Policies and best practices for proxy operators
• Framework recommendations for RIs for coherent policy sets
• Guideline documents (e.g. group membership, non-web access, authorization)
• Feasibility study for the use of eGOV/eIDAS e-IDs
• Pilots, pilots, pilots…
• Focused trainings

© GEANT on behalf of the AARC project. The research leading to these results has received funding from the European Union’s Horizon 2020 research and innovation programme under Grant Agreement No. 653965 (AARC).
Thank you. Any Questions?