Check-in: the AAI platform for EGI
Nicolas Liampotis – GRNET
www.egi.eu
EGI-Engage is co-funded by the Horizon 2020 Framework Programme of the European Union under grant number 654142

Overview
July 24, 2017, EOSCpilot Service Pilots AAI meeting

Overview
• Check-in provides a reliable and interoperable AAI solution for the EGI service providers federation and for external service providers. It enables single sign-on to services through eduGAIN identity providers and other institutional or social media credentials.
• Check-in development, led by GRNET, has been supported by the EGI-Engage project. The EGI Council supports the long-term operations of the service.
• Check-in has been developed in close collaboration with the AARC project, and it implements the recommendations of the AARC Blueprint Architecture and Policy Framework.

Features
• Supports authorised access to protected resources based on VO/group membership and role information
• Aggregates user attributes from different sources, including external community-managed attribute providers
• Supports the linking of multiple external identities to a persistent, non-reassignable, unique user identifier within the EGI infrastructure
• Associates a Level of Assurance (LoA) with each authenticated identity in the EGI infrastructure
• Reliable and secure: highly available by design due to its modular architecture. Operated under the strict security policies of the EGI federation and the EGI Foundation's ISO 20k-certified processes
• Simple: Check-in hides the complexity of dealing with multiple IdPs and sources of authorisation information
• Low overhead: service providers do not need to deal with the bureaucracy of integrating with multiple identity providers and attribute authorities
• Interoperable: published in eduGAIN as a service provider compliant with REFEDS R&S and Sirtfi. Supports translation of credentials across the most popular standards: SAML 2.0, OpenID Connect, OAuth 2.0, and X.509

Architecture
• Implementation of the AARC blueprint architecture
• All EGI SPs can have one statically configured IdP
• No need to run an IdP Discovery Service on each SP
• Connected SPs get consistent/harmonised user identifiers and accompanying attribute sets from different IdPs/AAs that can be interpreted in a uniform way for authorisation purposes
• External IdPs only deal with a single EGI SP proxy

Check-in use cases

For the RI using EGI: AAI integration
Community operating its own AAI connected as an IdP to Check-in to allow its users to access EGI services & resources
✓ Access EGI services without changing your authentication workflow
[Diagram: Social IdPs, eduGAIN, Institutional IdP → community AAI Proxy → EGI Check-in → EGI Infrastructure / Service]

For the communities: external attribute provider
Community managing authorisation information about its users (VO/group memberships and roles) via its own group management service, which is connected to Check-in as an external attribute authority
✓ Check-in will handle the configuration of the IdPs and the aggregation of the attributes for the SPs
✓ No need to migrate the group management functionality to an EGI-specific attribute authority
[Diagram: eduGAIN, Institutional IdP, Social IdPs → EGI Check-in ← Virtual Organization Service; EGI Check-in → EGI Infrastructure / Service]
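The two slides above describe the proxy pattern: every SP talks to one IdP (Check-in), each external identity is mapped to a persistent, non-reassignable internal identifier, and VO/group information from community-run attribute authorities is merged into one harmonised attribute set. The following is an added illustration of that pattern in Python; it is not Check-in's own code. The registry class, the `proxy_login` function, the entitlement URN layout and all issuer, subject and authority names are constructed for this example.

```python
# Added illustration of the proxy pattern described on the architecture and
# external-attribute-provider slides. Not Check-in's own code: the registry,
# the entitlement string format and all sample data are constructed.
import uuid


class IdentityRegistry:
    """Links external identities (issuer, subject) to one persistent,
    non-reassignable internal user identifier."""

    def __init__(self):
        self.links = {}      # (issuer, subject) -> internal id
        self.issued = set()  # every id ever handed out, retired ones included
        self.retired = set()

    def resolve(self, issuer, subject):
        """Return the internal id for an external identity, minting one on first login."""
        key = (issuer, subject)
        if key not in self.links:
            self.links[key] = self._fresh_id()
        return self.links[key]

    def link(self, internal_id, issuer, subject):
        """Attach a further external identity (account linking) to an existing internal id."""
        if internal_id not in self.issued or internal_id in self.retired:
            raise ValueError("unknown or retired internal id")
        key = (issuer, subject)
        if self.links.get(key, internal_id) != internal_id:
            raise ValueError("external identity is already linked to another user")
        self.links[key] = internal_id

    def retire(self, internal_id):
        """Deprovision a user. The id stays in `issued`, so it is never handed out again."""
        self.retired.add(internal_id)
        for key in [k for k, v in self.links.items() if v == internal_id]:
            del self.links[key]

    def _fresh_id(self):
        # Opaque random id: reveals nothing about the home organisation and,
        # thanks to the `issued` set, can never be reassigned after retirement.
        while True:
            candidate = uuid.uuid4().hex
            if candidate not in self.issued:
                self.issued.add(candidate)
                return candidate


def aggregate_entitlements(aa_responses):
    """Merge VO/group memberships asserted by several attribute authorities into
    one harmonised, sorted set of entitlement strings. The URN layout used here
    (urn:example:group:<vo>:role=<role>#<authority>) is an assumption for this
    example, not the format Check-in releases."""
    merged = set()
    for authority, memberships in aa_responses.items():
        for vo, role in memberships:
            merged.add(f"urn:example:group:{vo}:role={role}#{authority}")
    return sorted(merged)


def proxy_login(registry, issuer, subject, aa_responses):
    """What the SP receives: one stable subject plus merged attributes,
    regardless of which external IdP the user came from."""
    return {
        "sub": registry.resolve(issuer, subject),
        "eduPersonEntitlement": aggregate_entitlements(aa_responses),
    }


if __name__ == "__main__":
    reg = IdentityRegistry()
    # Constructed sample: the user first logs in through an institutional IdP ...
    first = proxy_login(reg, "https://idp.example.edu/saml", "alice@example.edu", {
        "vo-manager.example.org": [("vo.example.org", "member")],
    })
    # ... then links a social identity; the SP-facing subject does not change.
    reg.link(first["sub"], "https://accounts.example.com/oidc", "1029384756")
    second = proxy_login(reg, "https://accounts.example.com/oidc", "1029384756", {
        "vo-manager.example.org": [("vo.example.org", "member")],
        "perun.example.org": [("vo.example.org", "admin")],
    })
    print(first["sub"] == second["sub"], second["eduPersonEntitlement"])
```

The `issued` set is what makes the identifier non-reassignable: retiring a user removes the links but keeps the id reserved, so a later login by the same external identity mints a fresh id rather than inheriting the old one, and an SP that keyed local data on the old subject cannot be tricked into handing it to a new person.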

For the communities: full AAI platform with group management as a service
Communities that do not operate their own group management service can leverage the group management capabilities of the Check-in platform
✓ Ready-to-use solution
✓ Avoid the overhead of deploying a dedicated group management service
✓ Authorised VO admins will manage the information about their users independently
✓ Easy to connect to both EGI and non-EGI services
Supported technologies: COmanage, Perun
[Diagram: eduGAIN, Institutional IdP, Social IdPs → EGI Check-in (with Virtual Organization management) → EGI Infrastructure / Services]

For service providers: AAI as a service
Check-in as an authentication proxy
✓ Enable login from institutional IdPs in eduGAIN and social media
✓ Minimal overhead for the service development
✓ All the other Check-in features are available for the SP: account linking, attribute aggregation, ...
• Prerequisites:
✓ Service provider must accept EGI policies on data protection
[Diagram: Social IdPs, eduGAIN, Institutional IdPs → EGI Check-in → EGI Infrastructure / Service]

Check-in in production

Check-in today
• Identity Providers:
– SAML 2.0: eduGAIN
– OIDC/OAuth 2: Google, Facebook, LinkedIn, ORCID
– X.509: IGTF
• Service Providers:
– SAML 2.0 & OIDC
• Attribute Authorities:
– SAML 2.0 AttrQuery, REST, LDAP, SQL
• Token Translation Services:
– SAML 2.0-to-X.509: Master Portal to RCauth.eu Online CA
• Support for Levels of Assurance
• User enrolment & account linking
• IdP Discovery
• User Consent

Check-in consumes information from many diverse sources
[Diagram: sources feeding Check-in: Perun, SAML IdP, OpenID Connect IdP, COmanage, e/R-Infra AAI proxy (e.g. ELIXIR), VOMS, External VO Management (e.g. Unity IDM), GOCDB]

Support for Levels of Assurance
• Check-in supports different Levels of Assurance:
– Low level: Social Media IDs
• Everyone with an email account can have one
– Substantial level: IGTF X.509 certificates, many institutional IdPs (e.g. compliant with REFEDS R&S and Sirtfi requirements)
– High: eGov IDs, Substantial + Multi-Factor Authentication (TBD)
• Use case
– Check-in conveys the LoA associated with the authenticated identity to SPs for authorisation purposes
• Communicated through the eduPersonAssurance attribute in SAML or the acr claim in OIDC
• Translated into entitlements expressing the right of a user to access a particular resource (e.g. access to the RCauth Online CA)
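An added example, not Check-in's own code, of what the slide above describes end to end: deriving a LoA from the kind of IdP that authenticated the user, conveying it as `eduPersonAssurance` (SAML) or `acr` (OIDC), and translating it into per-resource entitlements that an SP can check. Only the three levels and the two transport mechanisms come from the slide; the LoA URIs, the IdP category names, the resource policy and the function names are constructed placeholders. Unknown or absent assurance values are deliberately read as the lowest level so that a misconfigured source can only reduce access.

```python
# Added example for the Levels-of-Assurance slide. Not Check-in's own code:
# the LoA URIs, IdP categories and resource policy below are constructed
# placeholders; the three levels and the two transports come from the slide.
LOA_ORDER = {"low": 1, "substantial": 2, "high": 3}
LOA_URI = {level: f"https://example.org/LoA#{level}" for level in LOA_ORDER}  # constructed
URI_TO_LOA = {uri: level for level, uri in LOA_URI.items()}

# Constructed access policy: minimum LoA per protected resource.
RESOURCE_MIN_LOA = {
    "rcauth-online-ca": "substantial",
    "public-wiki": "low",
}


def classify_loa(idp_type, rs_sirtfi=False, mfa=False):
    """Derive the LoA of an authentication event from the kind of IdP used.
    Mirrors the slide: social IDs are low; IGTF X.509 and R&S+Sirtfi
    institutional IdPs are substantial; eGov IDs, or substantial plus MFA, are high."""
    if idp_type == "egov":
        return "high"
    if idp_type == "igtf_x509" or (idp_type == "institutional" and rs_sirtfi):
        return "high" if mfa else "substantial"
    return "low"  # social IdPs, institutional IdPs without R&S/Sirtfi, anything unknown


def to_saml_attributes(level):
    """How the LoA travels to a SAML SP."""
    return {"eduPersonAssurance": [LOA_URI[level]]}


def to_oidc_claims(level):
    """How the LoA travels to an OIDC relying party."""
    return {"acr": LOA_URI[level]}


def parse_loa(received):
    """Read the LoA back from either transport. Unknown or missing values are
    treated as the lowest level (fail closed)."""
    if "acr" in received:
        return URI_TO_LOA.get(received["acr"], "low")
    for uri in received.get("eduPersonAssurance", []):
        if uri in URI_TO_LOA:
            return URI_TO_LOA[uri]
    return "low"


def entitlements_for(level):
    """Translate a LoA into the resources the user is entitled to reach."""
    return sorted(r for r, need in RESOURCE_MIN_LOA.items()
                  if LOA_ORDER[level] >= LOA_ORDER[need])


def authorise(received, resource):
    """SP-side check: does the conveyed LoA meet the resource's minimum?
    Resources absent from the policy are never granted."""
    return resource in entitlements_for(parse_loa(received))


if __name__ == "__main__":
    level = classify_loa("institutional", rs_sirtfi=True)
    print(level, authorise(to_oidc_claims(level), "rcauth-online-ca"))  # substantial True
    print(authorise(to_saml_attributes("low"), "rcauth-online-ca"))      # False
```

Because the SP compares ordered levels rather than string-matching one URI, a later upgrade of a user's IdP from substantial to high needs no policy change on the SP side, while a social login is still refused access to the CA.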

Integration with RCauth.eu Online CA
• Check-in has been integrated with the production RCauth.eu Online CA
– Users can retrieve X.509 proxies by authenticating through Check-in

Reliable and secure AAI platform
EGI has always invested in improving and maintaining the reliability and security of its services
• EGI has a mature and complete set of security policies and the processes to enforce them
– Extended with Check-in specific policies:
✓ Check-in acceptable usage policy
✓ Check-in data protection policy
✓ Agreement documents to integrate non-EGI and non-eduGAIN SPs and IdPs and maintain compliance

Work in progress

Check-in next steps
• Align with AARC guidelines on expressing group membership and role information
• Align with REFEDS/AARC Assurance Profiles
• Allow the use of SSH public keys to obtain RCauth proxy certificates from the EGI Master Portal
• Complete integration with EUDAT AAI
• Provide user-friendly interfaces for managing OpenID Connect/OAuth 2.0 tokens
• Support for (de-)provisioning and continuous update of user account information

Thank you for your attention. Questions?
www.egi.eu
This work by Parties of the EGI-Engage Consortium is licensed under a Creative Commons Attribution 4.0 International License.