Check-in: the AAI platform for EGI

Nicolas Liampotis - GRNET
www.egi.eu

EGI-Engage is co-funded by the Horizon 2020 Framework Programme of the European Union under grant number 654142

Outline

• Overview
• The evolution of Check-in
• Today in production
• Work in progress
• Use cases

May 9, 2017, EGI Conference 2017

Overview

Overview

• Check-in is the new AAI platform for the EGI infrastructure
• Developed in the context of EGI-Engage, task JRA1.1, led by GRNET
  – Adoption of federation solutions based on open and standards-based technologies: SAML 2.0, OpenID Connect/OAuth 2.0, X.509
  – Integration of off-the-shelf products with some customisations
• The work in EGI-Engage has been performed in close collaboration with the AARC project
  – Check-in is aligned with the architecture, policies and best practices produced by AARC

Goals of Check-in

• Enable users to access EGI services and resources using their existing credentials from their Home Organisations (via eduGAIN when possible)
  – Institutional IdPs must provide a unique user identifier
• Support “homeless” users, who cannot rely on a reliable institutional IdP
• Support authorised access to protected resources based on VO/group membership and role information
• Aggregate user attributes from different sources, including community-managed attribute providers
• Support the linking of multiple external identities to a persistent, non-reassignable, unique user identifier within the EGI infrastructure
• Associate a Level of Assurance (LoA) to each authenticated identity in the EGI infrastructure
• Provide translation mechanisms to hide the complexity of different protocols/technologies from EGI services
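The account-linking goal above (several external identities bound to one persistent, non-reassignable identifier) is easy to state and easy to get wrong. The following is an added example, not Check-in's own code: a small registry that enrols a first external identity, links further ones, and retires accounts without ever reusing an identifier. The identifier format (random hex at example.org), the data model and the "transient" flag are assumptions made for illustration; the page only states the requirements.

```python
"""Added example (not Check-in's own code): a registry that links several
external identities to one persistent, non-reassignable EGI user identifier.
The identifier format and the data model are assumptions for illustration."""
import secrets
from dataclasses import dataclass
from typing import Dict, Optional, Set


@dataclass(frozen=True)
class ExternalIdentity:
    """An identity as released by an external IdP or CA.

    issuer:    SAML entityID, OIDC issuer URL, or the CA that issued a certificate
    subject:   the identifier released by that issuer (a persistent NameID,
               an OIDC 'sub', a certificate subject DN, ...)
    transient: True for identifiers that are not stable across sessions
               (e.g. a SAML transient NameID); those must never be linked
    """
    issuer: str
    subject: str
    transient: bool = False


class IdentityRegistry:
    """Maps external identities to opaque EGI UIDs (assumed format: hex@example.org)."""

    def __init__(self) -> None:
        self._links: Dict[ExternalIdentity, str] = {}
        self._accounts: Dict[str, Set[ExternalIdentity]] = {}
        self._retired: Set[str] = set()  # UIDs that must never be handed out again

    def _new_uid(self) -> str:
        # Opaque and random: carries no personal data, and the loop guarantees
        # it collides with neither a live nor a retired account.
        while True:
            uid = f"{secrets.token_hex(16)}@example.org"
            if uid not in self._accounts and uid not in self._retired:
                return uid

    @staticmethod
    def _check_linkable(ext: ExternalIdentity) -> None:
        # Mirrors the requirement that IdPs release a unique, persistent identifier.
        if ext.transient or not ext.subject:
            raise ValueError(f"{ext.issuer} did not release a unique, persistent identifier")

    def resolve(self, ext: ExternalIdentity) -> Optional[str]:
        """Return the EGI UID bound to this external identity, if any."""
        return self._links.get(ext)

    def enrol(self, ext: ExternalIdentity) -> str:
        """First login: create a new account bound to this external identity."""
        self._check_linkable(ext)
        if ext in self._links:
            raise ValueError("identity already enrolled; log in or link instead")
        uid = self._new_uid()
        self._accounts[uid] = {ext}
        self._links[ext] = uid
        return uid

    def link(self, uid: str, ext: ExternalIdentity) -> None:
        """Attach a further external identity to an existing account.

        Refuses when the identity is already bound elsewhere: silently moving
        it would let the holder of the external account take over another
        EGI account.
        """
        self._check_linkable(ext)
        if uid not in self._accounts:
            raise KeyError("unknown or retired account")
        bound = self._links.get(ext)
        if bound is not None and bound != uid:
            raise ValueError("identity is already linked to a different account")
        self._accounts[uid].add(ext)
        self._links[ext] = uid

    def unlink(self, uid: str, ext: ExternalIdentity) -> None:
        """Detach one identity; the last one stays, or the account becomes unreachable."""
        if self._links.get(ext) != uid:
            raise KeyError("identity is not linked to this account")
        if len(self._accounts[uid]) == 1:
            raise ValueError("cannot unlink the only remaining identity")
        self._accounts[uid].discard(ext)
        del self._links[ext]

    def retire(self, uid: str) -> None:
        """Close the account. Its UID stays reserved, so it is never reassigned."""
        for ext in self._accounts.pop(uid):
            del self._links[ext]
        self._retired.add(uid)
```

The two checks worth keeping in any real implementation are the refusal to link an identity that is already bound to a different account, and the retired set that keeps a closed account's identifier from ever being issued again; both follow directly from "persistent, non-reassignable" above.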

The evolution of Check-in

How it all started

• May 2015: Introduction of the EGI AAI Roadmap and Architecture

Why proxy?

• Because… AARC!

Why proxy?

• All EGI SPs can have one statically configured IdP
• No need to run an IdP Discovery Service on each EGI SP
• Connected SPs get consistent/harmonised user identifiers and accompanying attribute sets from different IdPs/AAs that can be interpreted in a uniform way for authZ purposes
• External IdPs only deal with a single EGI SP proxy

The road to production

• May 2015: Introduction of AAI roadmap and architecture
• Dec 2015: First PoC with support for SAML IdPs/SPs
• Mar 2016: First Alpha Release with support for SAML (institutional) & OIDC/OAuth2 (social) IdPs and SAML SPs
• Apr 2016: Start of on-boarding activity with user communities (ELIXIR) and ops tools (GOCDB, AppDB)
• Aug 2016: Support for OpenID Connect/OAuth2 services
• Sep 2016: Registration of SP Proxy with eduGAIN under REFEDS R&S Entity Category
• Feb 2017: Support for Sirtfi Framework & integration with RCauth.eu online CA

Today in production

Check-in today

• Identity Providers:
  – SAML 2.0: eduGAIN
  – OIDC/OAuth2: Google, Facebook, LinkedIn, ORCID
  – X.509: IGTF
• Service Providers:
  – SAML 2.0 & OIDC
• Attribute Authorities:
  – SAML 2.0 AttributeQuery, REST, LDAP, SQL
• Token Translation Services:
  – SAML 2.0-to-X.509: Master Portal to RCauth.eu Online CA
• Support for Levels of Assurance
• User enrolment & account linking
• IdP Discovery
• User Consent

Sources of attributes

• Check-in aggregates attributes from the following sources:
  – SAML attribute authorities and IdPs
  – OIDC IdPs
  – LDAP/SQL
  – Specific REST interface-based attribute authorities
• All the attributes relevant to a service are provided in the authentication assertion released by Check-in to the SP, including:
  – Attributes stored by Check-in (e.g. EGI UID)
  – Attributes released by the user’s IdP
  – Attributes released by the attribute authorities (e.g. VO membership and role information)
• Sources of attributes integrated:
  – COmanage
  – GOCDB
  – Perun
  – Unity IDM (LToS)

Integration with operational tools

• GOCDB - Configuration management database
  – Integrated as SAML 2.0 SP (Shibboleth)
    • Requires substantial LoA
  – Integrated as Attribute Authority (REST API)
    • Provides EGI Resource Centre Admin roles
• AppDB - Software and Cloud marketplace
  – Integrated as SAML 2.0 SP (SimpleSAMLphp)
    • Requires VO membership and role information from Check-in
• GGUS - Helpdesk
  – Integrated as SAML 2.0 SP (Shibboleth)
    • Requires substantial LoA

OpenID Connect support

• Service Providers can connect to the EGI AAI using OpenID Connect (OIDC) as an alternative to SAML 2
  – allowing integration with a wider range of services built on top of modern web standards (OAuth 2.0, REST and JSON)
  – enabling federated access for non-browser based resources, such as CLI tools and APIs, in a standardised way (OAuth 2.0 access & refresh tokens)
• The Check-in OIDC Provider allows users to sign in using any of the supported backend authentication mechanisms, i.e. institutional IdPs (eduGAIN) or Social Media IdPs
• OIDC client integration through Client Management UI for:
  – obtaining OAuth 2.0 credentials
  – registering one or more redirect URIs
  – registering required scopes (e.g. openid, profile, email)
• PoC with cloud services under implementation
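Registering redirect URIs and scopes through a client management UI only protects anything if the provider enforces them on every authorization request. As an added example, not code from Check-in, the block below shows the provider-side half: client registration that stores only a hash of the secret, and request validation that compares redirect_uri by exact string match and rejects scopes the client did not register. The client records, URIs and scope names are constructed for the example.

```python
"""Added example (not Check-in's code): provider-side enforcement of the
redirect URIs and scopes registered for an OIDC client. All client data
below is constructed for illustration."""
import hashlib
import secrets
from dataclasses import dataclass
from typing import Dict, FrozenSet, Iterable, List, Tuple
from urllib.parse import urlsplit


@dataclass(frozen=True)
class OIDCClient:
    client_id: str
    secret_hash: str                # hash only; the plaintext secret is shown once at registration
    redirect_uris: FrozenSet[str]
    allowed_scopes: FrozenSet[str]


class ClientRegistry:
    def __init__(self) -> None:
        self._clients: Dict[str, OIDCClient] = {}

    @staticmethod
    def _check_redirect_uri(uri: str) -> None:
        parts = urlsplit(uri)
        if not parts.netloc or parts.fragment:
            raise ValueError(f"redirect URI must be absolute and carry no fragment: {uri}")
        # Plain http is tolerated only on loopback, which is how CLI tools
        # receive the authorization code; everything else must be https.
        if parts.scheme == "http" and parts.hostname not in ("localhost", "127.0.0.1", "::1"):
            raise ValueError(f"non-loopback redirect URI must use https: {uri}")
        if parts.scheme not in ("http", "https"):
            raise ValueError(f"unsupported redirect URI scheme: {uri}")

    def register(self, redirect_uris: Iterable[str], scopes: Iterable[str]) -> Tuple[str, str]:
        """Client Management UI step: validate the registration, return (client_id, client_secret)."""
        uris = frozenset(redirect_uris)
        allowed = frozenset(scopes)
        if not uris:
            raise ValueError("at least one redirect URI is required")
        for uri in uris:
            self._check_redirect_uri(uri)
        if "openid" not in allowed:
            raise ValueError("an OIDC client must register the openid scope")
        client_id = secrets.token_urlsafe(16)
        client_secret = secrets.token_urlsafe(32)
        # A random 256-bit secret is not guessable, so an unsalted SHA-256 is
        # adequate here; user-chosen passwords would need a slow, salted hash.
        digest = hashlib.sha256(client_secret.encode()).hexdigest()
        self._clients[client_id] = OIDCClient(client_id, digest, uris, allowed)
        return client_id, client_secret

    def authenticate(self, client_id: str, client_secret: str) -> bool:
        """Token-endpoint client authentication (constant-time comparison)."""
        client = self._clients.get(client_id)
        if client is None:
            return False
        digest = hashlib.sha256(client_secret.encode()).hexdigest()
        return secrets.compare_digest(client.secret_hash, digest)

    def validate_authorization_request(self, client_id: str, redirect_uri: str, scope: str) -> List[str]:
        """Checks run before the user is sent to an IdP; returns the scopes to grant."""
        client = self._clients.get(client_id)
        if client is None:
            raise ValueError("unknown client_id")
        # OpenID Connect Core requires an exact match against a registered
        # value; prefix or pattern matching is a well-known source of
        # authorization-code leakage and is deliberately not used here.
        if redirect_uri not in client.redirect_uris:
            raise ValueError("redirect_uri is not registered for this client")
        requested = scope.split()
        if "openid" not in requested:
            raise ValueError("scope must include openid for an OIDC request")
        unknown = [s for s in requested if s not in client.allowed_scopes]
        if unknown:
            raise ValueError(f"scope(s) not registered for this client: {unknown}")
        return requested
```

The design choice to note is that validation never "repairs" a request: a near-miss redirect URI or an extra scope is an error returned to the client, not silently normalised, so a misconfigured client is noticed at integration time rather than at the first abuse.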

Level of Assurance – What is it?

• In a nutshell: the level of confidence that the person who is authenticating is actually who they claim to be, based on:
  – Identifier uniqueness (including the reassignment policy in place)
  – Identity proofing and credential issuance, renewal and replacement
  – Authentication strength
  – Attribute quality and freshness (primarily pertaining to the home organisation and affiliation information)
  – Operational security of the Identity Provider

Levels of Assurance – What to do with it?

• Check-in supports different Levels of Assurance
• Examples:
  – Low level: Social Media IDs
    • Everyone with an email account can have one
  – Substantial level: IGTF X.509 certificates, many institutional IdPs (e.g. compliant with REFEDS R&S and Sirtfi requirements)
  – High: eGov IDs, Substantial + Multi Factor Authentication (TBD)
• Use case – Check-in conveys the LoA associated with the authenticated identity to SPs for authorisation purposes
  – Communicated through the eduPersonAssurance attribute in SAML or the acr claim in OIDC
  – Translated into entitlements expressing the right of a user to access a particular resource (e.g. access RCauth)
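The "Sources of attributes" slide and the LoA slide above describe two steps the proxy performs on every login: derive an assurance level from how the user authenticated, then release one assertion that merges the proxy's own attributes, the IdP's attributes and what the attribute authorities returned, so that an SP such as GGUS (substantial LoA) or an RCauth-enabled VO can decide on it. The following is an added example, not Check-in's own code, that carries both steps through. The LoA value URIs, the entitlement format and the attribute name egi_uid are constructed assumptions; eduPersonAssurance and eduPersonEntitlement are the standard eduPerson attributes.

```python
"""Added example (not Check-in's own code): derive a Level of Assurance for an
authenticated identity, aggregate attributes from several sources into one
assertion, and let an SP decide on the result. LoA value URIs, the entitlement
format and the egi_uid attribute name are constructed assumptions."""
from dataclasses import dataclass
from enum import IntEnum
from typing import Dict, List, Optional


class LoA(IntEnum):
    LOW = 1
    SUBSTANTIAL = 2
    HIGH = 3


# Assumed encodings: the slide names the levels but not the values carried in
# eduPersonAssurance (SAML) or acr (OIDC).
LOA_URI = {
    LoA.LOW: "https://example.org/loa/low",
    LoA.SUBSTANTIAL: "https://example.org/loa/substantial",
    LoA.HIGH: "https://example.org/loa/high",
}
URI_LOA = {uri: level for level, uri in LOA_URI.items()}


@dataclass(frozen=True)
class IdPProfile:
    entity_id: str
    kind: str                # "social", "institutional" or "x509"
    refeds_rs: bool = False  # REFEDS R&S entity category
    sirtfi: bool = False     # Sirtfi compliant


def derive_loa(idp: IdPProfile, mfa: bool = False) -> LoA:
    """The mapping given on the slide: social -> low; IGTF X.509 or an
    R&S+Sirtfi institutional IdP -> substantial; substantial + MFA -> high."""
    if idp.kind == "x509" or (idp.kind == "institutional" and idp.refeds_rs and idp.sirtfi):
        base = LoA.SUBSTANTIAL
    else:
        base = LoA.LOW  # social IdPs and institutional IdPs without those guarantees
    return LoA.HIGH if (base == LoA.SUBSTANTIAL and mfa) else base


def vo_entitlement(vo: str, role: str = "member") -> str:
    # Constructed entitlement format for illustration only.
    return f"urn:example:vo:{vo}:role={role}"


PROXY_OWNED = ("egi_uid", "eduPersonAssurance")


def aggregate(egi_uid: str, idp_attrs: Dict[str, List[str]],
              aa_attrs: List[Dict[str, List[str]]], loa: LoA) -> Dict[str, List[str]]:
    """Build the attribute set released to the SP.

    The UID and the assurance value are set by the proxy itself and cannot be
    overridden by an IdP or an attribute authority; every other multi-valued
    attribute (entitlements in particular) is the de-duplicated union of what
    all sources released, in the order they were received.
    """
    assertion: Dict[str, List[str]] = {}
    for source in [idp_attrs, *aa_attrs]:
        for name, values in source.items():
            if name in PROXY_OWNED:
                continue  # an external source must not set proxy-controlled values
            merged = assertion.setdefault(name, [])
            merged.extend(v for v in values if v not in merged)
    assertion["egi_uid"] = [egi_uid]
    assertion["eduPersonAssurance"] = [LOA_URI[loa]]
    return assertion


def sp_authorise(assertion: Dict[str, List[str]], min_loa: LoA,
                 required_entitlement: Optional[str] = None) -> bool:
    """SP-side decision, e.g. GGUS (substantial LoA) or an RCauth-enabled VO
    (substantial LoA plus membership of an authorised VO)."""
    try:
        loa = max(URI_LOA[v] for v in assertion.get("eduPersonAssurance", []))
    except (KeyError, ValueError):
        return False  # unknown or missing assurance value: deny, do not assume
    if loa < min_loa:
        return False
    if required_entitlement is not None and \
            required_entitlement not in assertion.get("eduPersonEntitlement", []):
        return False
    return True
```

Two details carry the security weight: the proxy-owned attributes are written last and skipped during the merge, so a source cannot smuggle in a different UID or a higher assurance value, and the SP treats an unrecognised assurance value as a denial rather than falling back to a default level.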

Integration with RCauth.eu Online CA

[Diagram: RCauth components]

Integration with RCauth.eu Online CA

• The production RCauth.eu Online CA has been integrated with Check-in
  – Users can retrieve X.509 proxies by authenticating through Check-in
• So, can I submit grid jobs with my eduGAIN account?
  – Not yet – RCauth can be used only with VOs that are authorized
  – New version of LCMAPS that implements this condition for user authorization: http://repository.egi.eu/2016/11/23/lcmapsplugins-1-7-1-2/

Policies and procedures

• Check-in is published as a Service Provider in eduGAIN compliant with:
  – REFEDS Research and Scholarship Entity Category: sufficient attribute release and unique non-reassignable user identifiers by compliant Identity Providers
  – Sirtfi Framework v1.0: coordination of incident response across federated organisations
• EGI Check-in Acceptable Use Policy
• EGI Check-in Data Privacy Policy
• EGI Check-in integration forms for IdPs/SPs

Work in progress

Transparent VO management

• Translation of VO information into VOMS proxies (from SAML/OIDC)
• Provisioning of VOMS information through SAML and OIDC interfaces

[Diagram: X.509 credentials and SAML/OIDC credentials; VOMS service, attribute service, Check-in]

Translation of group information into VOMS proxies

• Use case description
  – User does not have a personal certificate
  – User VO is not managed by a VOMS, but with a generic attribute management service
  – User needs to access an X.509-based service
• Work in progress
  – COmanage plugin for VOMS (de)provisioning

Translation of VO information into VOMS proxy

[Diagram: Science Gateway, MyProxy, VOMS, RCauth, Virtual Organization (SAML 2), Check-in]

Provisioning of VOMS information through SAML and OIDC interfaces

• Use case
  – Classic VOMS-based VO members need to access a SAML/OIDC service
  – VO membership should be translated into an entitlement included in the authentication assertion
• Work in progress:
  – Record the user DN as an additional identifier associated with the EGI UID
  – Retrieve VOMS-based VO membership information

Use cases

Use case: AAI as a service

Check-in as an authentication proxy to allow user logins from institutional IdPs in eduGAIN and social media for non-EGI services

• Minimal overhead for the service development
• Prerequisites:
  – Service provider must accept EGI policies on data protection
• See the EDISON portal use case

[Diagram: Social IdPs and eduGAIN institutional IdP → EGI Check-in → Service (EGI infrastructure)]

Use case: AAI integration

Community operating its own AAI connected as an IdP to Check-in to allow its users to access EGI services & resources

• Users can access EGI services without changing their authentication workflow
• See the ELIXIR use case

[Diagram: Social IdPs and eduGAIN institutional IdP → community AAI proxy → EGI Check-in → EGI infrastructure service]

Use case: External attribute provider

Community managing authorisation information about the users (VO/group memberships and roles) via their own group management service, which is connected to Check-in as an external attribute authority

• Check-in will handle the configuration of the IdPs and the aggregation of the attributes for the SPs
• The VO is managing the information about their users independently
  – No need to migrate the group information into an EGI-specific attribute authority
• LToS is one example of a VO integrated in this way

[Diagram: eduGAIN institutional IdP and Social IdPs → EGI Check-in → EGI infrastructure services; Virtual Organization connected as attribute authority]

Use case: group management as a service

Communities that do not operate their own group management service can leverage the group management capabilities of the Check-in platform

• Avoid overhead of deploying a dedicated group management service
• Authorised VO admins will manage the information about their users independently
• Can be used with EGI and non-EGI services
• Supported technologies: COmanage, Perun

[Diagram: eduGAIN institutional IdP and Social IdPs → EGI Check-in (hosting the Virtual Organization) → EGI and non-EGI services]

Thank you for your attention. Questions?

www.egi.eu

This work by Parties of the EGI-Engage Consortium is licensed under a Creative Commons Attribution 4.0 International License.