Authentication and Authorisation for Research and Collaboration

SA1.2 Pilots Updates
Peter Solagna, AARC SA1.2, EGI.eu
AARC General Meeting, Utrecht, 24-26 May 2016
https://aarc-project.eu
Goals of SA1.2
• Demonstrate the technical feasibility of:
  • Federated attribute management to organise research collaborations, distributed and across multiple institutions
  • Use of multiple sources of community attributes to access distributed/federated services
• Evaluate:
  • The technical maturity of the attribute management tools, and their capability to support the use cases of the communities
Pilots currently running
1. Attribute-based authorization on cloud services
2. Group management and attribute authorization for BBMRI
Pilot #1: integration of community-managed attributes with cloud service providers: components
• Attribute providers:
  • Perun, provided by CESNET
  • COmanage, deployed in the testbed by
• IdP proxy/aggregator:
  • SimpleSAMLphp, in the testbed
• Service provider:
  • OpenStack instance deployed in the testbed
Pilot #1: workflow
• The user accesses the SP (OpenStack service) and has two options:
  • Login with Keystone credentials (local account)
  • Login with a SAML IdP (federated option)
• Choosing the SAML option, the user can choose the authentication source:
  • IdP proxy, which then redirects to the DIY IdP available in the testbed
• The IdP proxy sends the attributes from the IdP and the attribute authority to the SP
• The attributes are used by the SP to map the user into authorization groups
Pilot #1: mapping of attributes to groups
• Federated AAI users are mapped into ephemeral accounts
  • Local user: eppn
• Mapping to local groups:
  • Static definition of the individual groups in the rules for the mapping of users into groups, e.g.:
    • Group 1: users with an entitlement "cloud:Group 1"
    • Group 2: users with an entitlement "cloud:Group 2"
  • Dynamic assignment of groups based on the user's attributes:
    • Group name = value of an attribute/entitlement, e.g.:
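The static and dynamic mapping modes on this slide, as an added Python example (not the pilot's OpenStack/Keystone configuration): the attribute names, the "cloud:" namespace and the sample user are assumptions, and the dynamic mode is shown both as described and with the allow-list an SP operator would add so that attribute values cannot name arbitrary local groups.

```python
"""Added example, not the pilot's Keystone configuration: the static and dynamic
group-mapping modes from Pilot #1. Attribute names, the "cloud:" namespace and
the sample user are constructed for illustration."""
from dataclasses import dataclass
from typing import Dict, List, Optional, Set

ENTITLEMENT_PREFIX = "cloud:"  # assumed namespace, after the slide's "cloud:Group 1"

# Static mode: each local group is listed with the entitlement value that grants it.
STATIC_RULES: Dict[str, str] = {"cloud:Group1": "Group 1", "cloud:Group2": "Group 2"}


@dataclass
class MappedUser:
    local_name: str    # ephemeral local account, derived from eppn
    groups: List[str]  # local authorization groups assigned by the SP


def map_user(attrs: Dict[str, List[str]], mode: str,
             allowed_groups: Optional[Set[str]] = None) -> MappedUser:
    """Map attributes released by the IdP proxy to an ephemeral account plus groups."""
    eppn = attrs.get("eppn", [])
    if len(eppn) != 1:
        raise ValueError("exactly one eppn is required for the ephemeral account")
    entitlements = attrs.get("entitlement", [])
    if mode == "static":
        # Only entitlement values named in a rule grant a group; others are ignored.
        groups = {STATIC_RULES[e] for e in entitlements if e in STATIC_RULES}
    elif mode == "dynamic":
        # Group name = entitlement value with the namespace prefix stripped.
        groups = {e[len(ENTITLEMENT_PREFIX):] for e in entitlements
                  if e.startswith(ENTITLEMENT_PREFIX) and len(e) > len(ENTITLEMENT_PREFIX)}
        # Without an allow-list every value an attribute authority releases becomes a
        # group on the SP, so an existing local group (e.g. "admin") is reachable by name.
        if allowed_groups is not None:
            groups &= allowed_groups
    else:
        raise ValueError(f"unknown mapping mode: {mode}")
    return MappedUser(local_name=eppn[0], groups=sorted(groups))


# Constructed sample: multi-valued attributes as the IdP proxy would release them.
SAMPLE_ATTRS = {
    "eppn": ["alice@example.org"],
    "entitlement": ["cloud:Group1", "cloud:admin", "urn:mace:dir:entitlement:other"],
}

if __name__ == "__main__":
    for mode, allowed in (("static", None), ("dynamic", None), ("dynamic", {"Group1", "Group2"})):
        print(mode, map_user(SAMPLE_ATTRS, mode, allowed))
```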
Pilot #1, where are we?
• SP configured with the IdP proxy and the attribute authorities
  • It took some time to overcome some technical issues with OpenStack
• Testing the different mapping rules, workflows and behavior
• Describing the set-up and the issues in the wiki
• Main issues at the moment:
  • Technical issues in the SP components that support federated AAI
  • Documentation is available for federated AAI support in the SPs, but it is not as extensive or as well tested as for other use cases
  • User experience is still not good
Pilot #2: BBMRI group management
• Currently defining the workflows/requirements and building the pilot infrastructure for BBMRI
Attributes, future work
• Please see the next presentations!
Thank you
Any questions?
karl.meyer@geant.org
https://aarc-project.eu
© GÉANT on behalf of the AARC project. The work leading to these results has received funding from the European Union's Horizon 2020 research and innovation programme under Grant Agreement No. 653965 (AARC).