AARC blueprint guidelines - EGI (Indico) · 2017-11-30
https://aarc-project.eu
Authentication and Authorisation for Research and Collaboration

AARC blueprint guidelines

Nicolas Liampotis
JRA1: Integrated AAI Developments, AARC2, GRNET
Digital Infrastructures for Research 2017, Brussels
30 November 2017
AARC recommendations & best practices: Overview

• [AARC-JRA1.4A] Guidelines on expressing group membership and role information
• [AARC-JRA1.4B] Guidelines on attribute aggregation
• [AARC-JRA1.4C] Guidelines on token translation services
• [AARC-JRA1.4D] Guidelines on credential delegation
• [AARC-JRA1.4E] Best practices for managing authorisation
• [AARC-JRA1.4F] Guidelines on non-browser access
• [AARC-JRA1.4G] Guidelines for implementing SAML authentication proxies for social media identity providers
• [AARC-JRA1.4H] Account linking and LoA elevation use cases and common practices for international research collaboration
• [AARC-JRA1.4I] Best practices and recommendations for attribute translation from federated authentication to X.509 credentials
Guidelines on expressing group membership and role information (AARC-JRA1.4A)

• Standardising the way group membership information is expressed for cross-infrastructure exchange
• Indicating the entity that is authoritative for each piece of group membership information
• Expressing VO membership and role information
• Supporting group hierarchies in group membership information
• Revision (2017-10) signed off by AEGIS

<NAMESPACE>:group:<GROUP>[:<SUBGROUP>*][:role=<ROLE>]#<GROUP-AUTHORITY>
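As an added illustration (not code from the AARC project), the following parser applies the entitlement layout shown above and then uses it for an authorisation decision that only trusts values asserted by the expected group authority; the namespace, group and authority values are constructed for the example.

```python
from dataclasses import dataclass, field
from typing import List, Optional

# Layout from the slide (the namespace may itself contain ':', e.g. a URN,
# so the parser splits on the literal ":group:" marker, not the first colon):
#   <NAMESPACE>:group:<GROUP>[:<SUBGROUP>*][:role=<ROLE>]#<GROUP-AUTHORITY>
GROUP_MARKER = ":group:"


@dataclass
class GroupEntitlement:
    namespace: str
    group: str
    subgroups: List[str] = field(default_factory=list)
    role: Optional[str] = None
    authority: str = ""


def parse_entitlement(value: str) -> GroupEntitlement:
    """Parse one entitlement value; raise ValueError for anything malformed."""
    body, sep, authority = value.rpartition("#")
    if not sep or not authority or "#" in body:
        raise ValueError("exactly one non-empty '#<GROUP-AUTHORITY>' is required")
    namespace, sep, rest = body.partition(GROUP_MARKER)
    parts = rest.split(":")
    if not sep or not namespace or "" in parts:
        raise ValueError("missing ':group:' marker or empty component")
    role = None
    if parts[-1].startswith("role="):
        role = parts.pop()[len("role="):]
    # role is optional, must be non-empty and may only be the final component
    if role == "" or not parts or any(p.startswith("role=") for p in parts):
        raise ValueError("bad role placement or missing group name")
    return GroupEntitlement(namespace, parts[0], parts[1:], role, authority)


def is_member(entitlements, namespace, group_path, authority, role=None):
    """Authorisation check: accept only values asserted by the expected authority
    for exactly this group path (and role, if given); malformed values are
    skipped, so a bad value can never grant access."""
    wanted = group_path.split("/")
    for raw in entitlements:
        try:
            ent = parse_entitlement(raw)
        except ValueError:
            continue
        if (ent.namespace, ent.authority) != (namespace, authority):
            continue
        if [ent.group, *ent.subgroups] == wanted and role in (None, ent.role):
            return True
    return False
```

Whether membership of a subgroup should also imply membership of its parent is a policy choice this example deliberately does not make; it matches the full path exactly.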
Guidelines on attribute aggregation (AARC-JRA1.4B)

• Models for attribute aggregation ("pull" vs "push" vs "preprovision")
• Persistent, unique identifiers for linking records
• Explicit consent for data sharing
• Centralising aggregation "business logic" away from the SP
• Scoping attribute values
• Filtering attributes according to source
• Harmonising attribute vocabularies
Guidelines on token translation services (AARC-JRA1.4C)

• Operation modes for TTS services ("embedded" vs "standalone")
• Consistency of user information
• Deployment considerations
• Security considerations
• Transparency, data protection and data minimisation
Guidelines on credential delegation (AARC-JRA1.4D)

• Types of delegation ("rights" vs "access" vs "credential")
• Example flows:
  • OAuth2/OIDC
  • SAML authentication
  • OAuth2 token exchange
  • GSI proxies
  • Combined use of X.509 and OIDC
• Implementation guidelines
• Risks associated with delegations
Best practices for managing authorisation (AARC-JRA1.4E)

• Authorisation information sources
  • IdPs
  • AAs
• Authorisation attributes
  • Affiliation
  • Entitlement
  • Assurance
• Trust relationships
Guidelines on non-browser access (AARC-JRA1.4F)

• CLI: SSH/SFTP
  • GSI-enabled SSH
  • SSH key provisioning with web portal
• Accessing HTTP APIs using:
  • OIDC/OAuth2
  • X.509 certificates
  • service-specific API tokens
Guidelines for implementing SAML authentication proxies for social media identity providers (AARC-JRA1.4G)

• Generating SAML eduPersonUniqueIds based on social media profile identifiers
• Mapping social identity profile fields to SAML attributes:
  • Google/OpenID Connect
  • Facebook
  • LinkedIn
Account linking and LoA elevation use cases and common practices for international research collaboration (AARC-JRA1.4H)

• Account linking use cases
  • Consistent user identification/representation
  • Accounting of resource usage
  • Traceability and security incident response
• Account linking process ("Explicit" vs "Automatic")
• Reconciling identity information
• LoA elevation
  • Linking high-LoA identity
  • Step-up authentication
• Attribute origin information
Best practices and recommendations for attribute translation from federated authentication to X.509 credentials (AARC-JRA1.4I)

• Translating SAML attributes into a subject DN
• Defining the user Common Name (CN) component from IdP attributes
• Defining the Organisation (O) component from IdP attributes
• Translating group information using VOMS Attribute Certificates (ACs)
AARC2 recommendations & best practices: Overview

• [AARC2-JRA1.1x] Guidelines for interoperable exchange of user and community information between AAIs
• [AARC2-JRA1.2C] Guidelines for step-up authentication via Two-Factor Authentication
• [AARC2-JRA1.3A] Guidelines for evaluating the combined assurance of linked identities
• [AARC2-JRA1.4A] Roles, responsibilities and security considerations for VOs
Interoperable exchange of user and community information across infrastructures (AARC2-JRA1.1x)

• AARC2-JRA1.1A: Guidelines for interoperable exchange of user and community information between AAIs: Assurance information – Final draft
• AARC2-JRA1.1F: Guidelines for uniquely identifying users across infrastructures (ePUID + subject ID) – Final draft
• AARC2-JRA1.1X: Guidelines for exchanging home organisation and affiliation information between infrastructures – NEW
Step-up authentication via Multi-Factor Authentication (AARC2-JRA1.2C)

• Identified current use cases and example implementations (e.g. HAKA, SURFnet)
• Many discussions around the various assurance-related concepts and terms: components, profiles, etc.
• Input for the upcoming GÉANT two-factor authentication solution for research communities
Guidelines for evaluating the combined assurance of linked identities (AARC2-JRA1.3A)

• Initial version of the evaluation model already in place
• Identified main use cases
• Identity linking risks
Roles, responsibilities and security considerations for VOs (AARC2-JRA1.4A)

• Technical requirements to:
  • support policies (e.g. involving VO security contacts in incidents relating to their VO)
  • improve operations (e.g. delegating rights and responsibilities to deputies when the primary person in the role is not available) in a scalable manner
© GÉANT on behalf of the AARC project. The work leading to these results has received funding from the European Union's Horizon 2020 research and innovation programme under Grant Agreement No. 730941 (AARC2).

Thank you. Any questions?
https://aarc-project.eu