Authentication and Authorisation for Research and Collaboration Workshop
AARC Training: Defining a training module for scalable attribute release in federation and interfederation
Maria Laura Mantovani, Simona Venuti, Marco Malavolti, Irina Mikhailava (NA2, AARC; GARR, GÉANT)
TNC 2016, Prague, 16 June 2016
https://aarc-project.eu
Material for today
• The Federation Operator role (download this slide deck): https://goo.gl/uOyJP6
• AARC IdP Attribute Release training (download slide deck): https://goo.gl/H5Ro1k
• Work group questions (collaborate on the Google doc online): https://goo.gl/AALu7i
Welcome to Workshop
• Round table presentations
Agenda
14:00 – 14:15  Welcome to Workshop
14:15 – 14:50  Introduction & Goals; The Federation Operator role; Q&A
14:50 – 15:00  a break
15:00 – 16:00  Presentation of the training material (summary): Part I: Attribute release - understanding the problem; Part II: Solutions – theory and practice of entity categories; Part III: Solutions – federation registry
16:00 – 16:10  a break
16:10 – 16:40  Workgroups: review the material and answer the questions
16:40 – 17:00  Report from the groups; Debriefing & Summary
Introduction & Goals
• I love federated access.
• Federated access is an essential mechanism for efficient, safe and secure access to shared resources and services.
• Can others (IdPs, SPs, users, research collaborations, e-infrastructures) say the same?
• Federations look after federated access
• Identity federations ensure that federated access runs smoothly and seamlessly for the user.
• Federations have not completed their job (Does someone remember Brook’s eduGAIN KPI?)
[Chart: Campaigns for “eduGAIN works”, scored from 0.3 to 1 across 100% of the federations: Is the entity in eduGAIN? Does it talk with “friends”? Does it release attributes (CoCo and R&S)? Matches security practices?]
Introduction & Goals (continued)
• The main issue currently perceived is:
  • Service providers and research collaborations experience poor/insufficient attribute release that could deny access to federated resources.
• All this may lead to a belief: eduGAIN doesn’t work
Introduction & Goals
• Encourage federation operators (not only the people present here) to be more pro-active toward the identity providers registered in their federation
• Pro-active means: provide configurations, tools, trainings, audits, support, and raise the level of requirements.
• Specifically:
  • Encourage the use of a Federation Registry in order to help set up Entity Category support
  • Encourage the use of a Federation Registry in order to ease the ARP definition for the IdP Manager
[Chart, May 2016: eduGAIN Service Providers 1197; DP CoCo 83; R&S 91; the chart also shows the figure 41 between the two sets]
Introduction & Goals (continued)
• Seek feedback on the usefulness for Federations in general (not only for you, also for less skilled federations) of the proposed training package to support Identity Providers in the attribute release process
• Seek feedback for improvements of the proposed training package (will be collected here and in the future via email)
THE FEDERATION OPERATOR’S ROLE
The IDEM use case
• IDEM too, until May 2016, had done nothing to push entity category support for IdPs, and the result was that 0 IdPs support R&S and 0 IdPs support DP CoCo
• On the other hand we have begun to promote ECs towards SPs, and the result is that 7 SPs support R&S and 12 SPs support DP CoCo
• FedOps involvement matters!
FedOps involvement matters!
• https://technical.edugain.org/entities
• SWITCHaai and InCommon have done a lot: IdP CoCo support from SWITCH = 33 (100%!!!); IdP R&S support from InCommon = 39 (9%)
• Why don’t InCommon IdPs support DP CoCo?
• All the rest of eduGAIN, not so much: IdP DP CoCo support from eduGAIN minus SWITCH = 41 (2%); IdP R&S support from eduGAIN minus SWITCH minus InCommon = 36 (1.7%)
• (from only 9 federations, 4-5 per federation on average)
• Of the 38 federations in eduGAIN, 27 of them don’t have IdPs that support the R&S and CoCo ECs (73%)
How can FedOps take care of their IdPs?
• => An active role of Federation Operators is needed in order for IdPs to support the R&S and CoCo ECs
• IDEM delivered the training to its IdPs on the 7th of June
• 40 people attended in person + 70 via streaming
• IDEM wants to measure, inside the Federation, what the result will be after 1 year of pushing and helping with support for the 2 categories.
Differences between Mesh and H&S federations with respect to attribute release
• Mesh
• H&S (easier issues)
• In the following, for H&S only some hints will be provided
[Chart: eduGAIN Federations (38, 7 without enough information).
Hub & Spoke Federations (5): SURFconext (The Netherlands), SIR! (Spain), TAAT (Estonia), WAYF (Denmark), AAI@EduHr (Croatia).
Mesh Federations (26), mainly Shibboleth (22), mainly SimpleSAMLphp (4): AFIRE (Armenia), AAF (Australia), ACOnet (Austria), Belnet (Belgium), CAFe! (Brazil), Canadian Access Federation (Canada), COFRe (Chile), eduID.cz (Czech Republic), HAKA! (Finland), Fédération Éducation-Recherche (France), DFN AAI (Germany), GRNET (Greece), eduId.hu (Hungary), Edugate (Ireland), IDEM (Italy), GakuNin (Japan), PIONIER.Id (Poland), RCTSaai (Portugal), SWAMID (Sweden), SWITCHaai (Switzerland), InCommon (U.S.), UK federation (United Kingdom), LAIFE (Latvia), LITNET FEDI (Lithuania), eduID Luxembourg (Luxembourg), ArnesAAI Slovenska izobraževalno raziskovalna federacija (Slovenia)]
A Proactive Federation Operator
• Provide Home Organisations with a value proposition and trainings about R&S and DP CoCo support, in order to clarify the benefits of releasing attributes and move away from fear about legal implications.
• Set up the federation registry (Jagger)
• Define the workflow to be adopted in order to add EC support to IdPs, and advertise this procedure to the IdPs (we will see it in the training)
• If necessary, provide paperwork and/or registry functions so that IdPs are able to declare support for an Entity Category
A Proactive Federation Operator
Help the IdPs by providing a correct set of configuration files for attribute release
• Define a Default Attribute Release Policy that an IdP has to follow for releasing the minimal set of mandatory attributes decided by the federation, and provide the IdPs with a skeleton, working example or template
• Provide a working configuration for releasing the correct attributes to R&S and CoCo SPs in eduGAIN
• Train the IdPs on registry usage in order to create any other specific Attribute Release Policy
Proposal for Federations: central distribution of filters and registry usage
A Federation can choose to use:
1. Default ARP:
  • Default Federation ARP: an attribute filter that releases a very small set of attributes to all resources and allows the use of only a few essential federation resources.
2. EC ARP:
  • R&S EC ARP: an attribute filter that implements the rules established for all resources compliant with the Research and Scholarship entity category.
  • CoCo EC ARP: an attribute filter that implements the rules established for all resources compliant with the Code of Conduct entity category.
3. Registry ARP:
  • Custom IdP ARP: the IdP Manager retains the decisional power to release or not release attributes to the SPs, by building their own attribute filter with the help of the IDEM Entity Registry.
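To make the three ARP layers concrete, here is an added example (not code from IDEM, the AARC training or any federation) that reads SP entity categories and RequestedAttribute flags from a constructed SAML metadata aggregate and applies the layered policy above: the default bundle to every SP, the REFEDS R&S bundle to R&S SPs, and for CoCo SPs only the attributes they flag isRequired="true". The default bundle, the entity IDs and the metadata are assumed sample values.

```python
import xml.etree.ElementTree as ET

NS = {"md": "urn:oasis:names:tc:SAML:2.0:metadata", "saml": "urn:oasis:names:tc:SAML:2.0:assertion",
      "mdattr": "urn:oasis:names:tc:SAML:metadata:attribute"}
EC_ATTR = "http://macedir.org/entity-category"
RS = "http://refeds.org/category/research-and-scholarship"
COCO = "http://www.geant.net/uri/dataprotection-code-of-conduct/v1"
DEFAULT_BUNDLE = {"eduPersonScopedAffiliation", "eduPersonTargetedID"}  # assumed minimal federation bundle
RS_BUNDLE = {"eduPersonPrincipalName", "mail", "displayName", "givenName", "sn", "eduPersonScopedAffiliation"}

# Constructed metadata aggregate (sample data, not eduGAIN's): an R&S SP, a CoCo SP and an SP with no category.
METADATA = f"""<md:EntitiesDescriptor xmlns:md="{NS['md']}" xmlns:saml="{NS['saml']}" xmlns:mdattr="{NS['mdattr']}">
<md:EntityDescriptor entityID="https://rs.example.org/sp"><md:Extensions><mdattr:EntityAttributes>
<saml:Attribute Name="{EC_ATTR}"><saml:AttributeValue>{RS}</saml:AttributeValue></saml:Attribute>
</mdattr:EntityAttributes></md:Extensions><md:SPSSODescriptor/></md:EntityDescriptor>
<md:EntityDescriptor entityID="https://coco.example.org/sp"><md:Extensions><mdattr:EntityAttributes>
<saml:Attribute Name="{EC_ATTR}"><saml:AttributeValue>{COCO}</saml:AttributeValue></saml:Attribute>
</mdattr:EntityAttributes></md:Extensions><md:SPSSODescriptor><md:AttributeConsumingService index="0">
<md:RequestedAttribute FriendlyName="mail" Name="urn:oid:0.9.2342.19200300.100.1.3" isRequired="true"/>
<md:RequestedAttribute FriendlyName="displayName" Name="urn:oid:2.16.840.1.113730.3.1.241"/>
<md:RequestedAttribute FriendlyName="eduPersonEntitlement" Name="urn:oid:1.3.6.1.4.1.5923.1.1.1.7" isRequired="true"/>
</md:AttributeConsumingService></md:SPSSODescriptor></md:EntityDescriptor>
<md:EntityDescriptor entityID="https://plain.example.org/sp"><md:SPSSODescriptor/></md:EntityDescriptor>
</md:EntitiesDescriptor>"""

def parse_sps(xml_text):
    """Map each SP entityID to (entity categories, {FriendlyName: isRequired}) taken from its metadata."""
    sps = {}
    for ed in ET.fromstring(xml_text).findall("md:EntityDescriptor", NS):
        if ed.find("md:SPSSODescriptor", NS) is None:  # skip IdPs and other roles
            continue
        cats = {v.text.strip() for a in ed.findall(".//mdattr:EntityAttributes/saml:Attribute", NS)
                if a.get("Name") == EC_ATTR for v in a.findall("saml:AttributeValue", NS)}
        reqs = {r.get("FriendlyName"): r.get("isRequired") == "true"
                for r in ed.findall(".//md:RequestedAttribute", NS)}
        sps[ed.get("entityID")] = (cats, reqs)
    return sps

def release(sp_entity_id, sps, user_attrs):
    """Layered ARP: the default bundle goes to every SP, the fixed R&S bundle to R&S SPs, and CoCo SPs
    get only what they flag isRequired="true" (optional attributes stay at the IdP manager's discretion)."""
    cats, reqs = sps[sp_entity_id]
    allowed = set(DEFAULT_BUNDLE)
    if RS in cats:
        allowed |= RS_BUNDLE
    if COCO in cats:
        allowed |= {name for name, required in reqs.items() if required}
    return {k: v for k, v in user_attrs.items() if k in allowed}

SPS = parse_sps(METADATA)
```

An SP carrying both categories gets the union of the two rules, which is how the layered filters combine in practice.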
Thank you. Any Questions?
marialaura.mantovani@garr.it
simona.venuti@garr.it
marco.malavolti@garr.it
© GÉANT on behalf of the AARC project. The work leading to these results has received funding from the European Union’s Horizon 2020 research and innovation programme under Grant Agreement No. 653965 (AARC).