AAI needs for IGI. On behalf of IGI. EGI technical forum, 14-17/9/2010
Current state of AAI in IGI. User authentication: our communities use several different methods to authenticate users. They are (in no particular order): Unix accounts (and LDAP, Kerberos, etc.), certificates, Shibboleth federations.
Current state of AAI in IGI. User authentication: all the listed authentication methods require a de visu authentication first, i.e. the user must prove his identity in person, usually via national authentication (ID cards).
Current state of AAI in IGI. Resources accessible: the set of resources accessible by the various members of IGI is extremely varied: storage clusters, computing clusters, HPC clusters, digital libraries, scientific databases, email, help desk. (Not all members offer all accesses.)
Current state of AAI. INFN: recently put a new AAI infrastructure in production which covers all INFN members. Used to access most services -> will be used to access all services. Based on LDAP/Kerberos AuthN. Shibboleth AuthN supported. Uses attributes registered in LDAP for AuthZ.
IGI objectives for AAI. Leaning to federate identities throughout IGI, i.e. users should be allowed to access IGI resources regardless of the organization with which they are originally registered. Shibboleth federations are especially interesting. There is already an Italian federation: IDEM. Significant but not yet complete overlap between IGI and IDEM members. But in any case, we need effective anonymity!
IGI objectives for AAI. But what about access to grid resources? Grids need certificates! Online CAs can translate credentials obtained with different methods into certificates. A project to automate this step is currently under development at INFN.
IGI objectives for AAI. Some of our members also want the reverse to be possible, e.g. map grid credentials (i.e. VOMS) into other formats, for example Shibboleth. Under investigation.
IGI objectives for AAI. And what about authorization? Attributes (and thus some form of RBAC) are the way to go. First of all we (IGI) need to standardize the set of attributes we recognize. Agreement within EGI would be nice, too. Several methods of attribute publication needed.
Conclusion. We have a very diverse and heterogeneous environment. Quite a bit of work will be needed. Which is what we will be doing!