Authentication and Authorisation for Research and Collaboration AARC
AARC Blueprint Architecture and Pilots: A snapshot of the BPA implementations and its context
David Groep, AARC NA3 policy harmonisation coordinator, Nikhef NL
OpenStack Federation WS, April 4, 2017
https://aarc-project.eu
The goals
1. Users should be able to access all the services using the credentials from their Home Organization.
2. Users should have one persistent, non-reassignable, non-targeted unique identifier.
3. Attempt to retrieve user attributes from the user's Home Organization. If this is not possible, then an alternate process should exist.
4. Distinguish (LoA) between self-asserted attributes and the attributes provided by the Home Organization/VO.
5. Access to the various services should be granted based on the role(s) the users have within the collaboration.
6. Services should not have to deal with the complexity of multiple IdPs/Federations/Attribute Authorities/technologies – and work with non-web
AARC: Analysis of User Communities and e-Infrastructure Providers
[Figure: requirement areas identified in the analysis]
• Attribute Release
• Attribute Aggregation
• User Friendliness
• SP Friendliness
• Credential translation
• Persistent Unique Id
• User Managed Information
• Credential Delegation
• Levels of Assurance
• Guest users
• Step-up AuthN
• Best Practices
• Community based AuthZ
• Non-web browser
• Social & eGov IDs
• Incident Response
The functional Components
[Figure: functional components of the Blueprint Architecture]
User Community Requirements: https://goo.gl/kSxENp
Why the proxy model?
• All internal Services can have one statically configured IdP
• No need to run an IdP Discovery Service on each Service
• Connected SPs get consistent/harmonised user identifiers and accompanying attribute sets from one or more AAs that can be interpreted in a uniform way for authZ purposes
• External IdPs only deal with a single SP proxy
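The harmonisation the proxy performs, shown as an added Python illustration (not code from the AARC project or any of the BPA implementations): two constructed upstream assertions with different attribute naming are mapped to one internal schema, given a persistent non-targeted identifier, tagged with home-org versus self-asserted assurance, and checked against VO roles. The issuer URLs, the proxy scope, the role strings and the assertion contents are all assumed sample values.

```python
import hashlib
from dataclasses import dataclass, field

PROXY_SCOPE = "proxy.example.org"   # assumed scope of the harmonised identifier
# Issuers the proxy treats as Home Organisations (constructed). Any other
# issuer is a guest/social IdP, so its attributes count as self-asserted.
HOME_ORGS = {"https://idp.uni-a.example/saml"}
# Constructed upstream assertions: one shaped like a SAML IdP, one like an OIDC IdP.
UPSTREAM = {
    "https://idp.uni-a.example/saml": {"eduPersonPrincipalName": "alice@uni-a.example",
                                       "mail": "alice@uni-a.example"},
    "https://accounts.social.example/oidc": {"sub": "1098374", "email": "bob@mailbox.example"},
}
# Roles as an attribute authority would hand them to the proxy (constructed).
VO_ROLES = {("https://idp.uni-a.example/saml", "alice@uni-a.example"): ["lhc:analyst"]}
# Candidate upstream subject attributes, most stable first; ePPN can be reassigned
# by some IdPs, so it is only a fallback for eduPersonUniqueId.
SUBJECT_KEYS = ("eduPersonUniqueId", "eduPersonPrincipalName", "sub")
# Map each IdP's naming onto one internal schema so SPs see a uniform attribute set.
ALIASES = {"email": "mail"}

@dataclass
class ProxyIdentity:
    uid: str             # persistent, non-reassignable, non-targeted (goal 2)
    attrs: dict          # harmonised attribute set seen by every connected SP
    assurance: dict      # per attribute: "home-org" or "self-asserted" (goal 4)
    roles: list = field(default_factory=list)

def harmonise(issuer, assertion):
    """Turn one upstream assertion into the proxy's uniform identity."""
    attrs = {ALIASES.get(k, k): v for k, v in assertion.items()}
    attrs["subject"] = next(assertion[k] for k in SUBJECT_KEYS if k in assertion)
    # Hashing issuer|subject yields the same id for every SP (non-targeted),
    # cannot collide across issuers, and does not expose the upstream identifier.
    digest = hashlib.sha256(f"{issuer}|{attrs['subject']}".encode()).hexdigest()[:24]
    level = "home-org" if issuer in HOME_ORGS else "self-asserted"
    roles = VO_ROLES.get((issuer, attrs["subject"]), [])
    return ProxyIdentity(f"{digest}@{PROXY_SCOPE}", attrs, {k: level for k in attrs}, roles)

def authorise(identity, required_role, need_home_org=True):
    """Role-based decision (goal 5); optionally insist on a home-org identity."""
    if need_home_org and identity.assurance.get("subject") != "home-org":
        return False
    return required_role in identity.roles
```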
The Functional Components and available AAI tools
[Figure: Analysis of User Communities and Infrastructure Providers; available AAI components: IdPs, Attribute Authorities, Proxies, Token Translation, Service Provider]
eduGAIN & AARC
• eduGAIN and the Identity Federations: a solid foundation for federated access in R&E
• Authentication and Authorization Architecture for Research Collaboration: a set of building blocks on top of eduGAIN for International Research Collaboration
AARC Blueprint Architecture & ELIXIR
AARC Blueprint Architecture & EGI
Aligning policy – should be simpler 'inside a single country'
Pushing forward best practices and like policies across many participants
• "Levels of Assurance" – baseline and differentiated profiles, capabilities and grouping
• "Incident Response" – beyond Sirtfi: a common understanding on operational security
• "Sustainability, Guest IdPs, use models" – how can a service be offered in the long run?
• "Scalable policy negotiation" – helping SPs move beyond bilateral discussion
• "Protection of (accounting) data privacy" – necessary aggregation without breaking the law too much
AARC Strategy to support and extend established and emergent groups: IGTF, FIM4R, REFEDS, WISE, GN4, SIRTFI, ...
First e-Infrastructure implementations for BPA & pilots
• EGI CheckIn Service: https://wiki.egi.eu/wiki/AAI
• ELIXIR AAI: https://www.elixir-europe.org/services/compute/aai
• EUDAT B2ACCESS: https://www.eudat.eu/services/b2access
• GÉANT eduTEAMS: https://www.eduteams.org
Pilots and demonstrators
• AttributeManagementPilot
• AuthX509toSAMLDemo
• BBMRIAAIPilot
• CILogon-like pilot
• COmanageORCIDPilot
• COmanageSSHPilot
• LibrariesCockpitPanelConsortiumProxy
• LibrariesCockpitPanelEZproxy
• LibrariesCockpitPanelWalkInUsersPortal
• ORCIDpilotCockpitPanel
• PerunVOMSCILogonPilot
• SocialIDCockpitPanel
https://wiki.geant.org/display/AARC/Pilot+results+and+demos
Flow for RCauth-like scenarios
Built on CILogon and MyProxy! www.cilogon.org
• Sirtfi
• REFEDS "R&S"
See also https://rcdemo.nikhef.nl/
COmanage pilots – and the OS Attr. Mngt. Pilot
AARC2: new engagement mechanisms
Thank you. Any Questions?
Christos Kanellopoulos, skanct@admin.grnet.gr
© GÉANT on behalf of the AARC project. The work leading to these results has received funding from the European Union's Horizon 2020 research and innovation programme under Grant Agreement No. 653965 (AARC).