https://aarc-project.eu
Authentication and Authorisation for Research and Collaboration
AARC blueprint guidelines
Nicolas Liampotis
JRA1: Integrated AAI Developments, AARC2, GRNET
Digital Infrastructures for Research 2017, Brussels
30 November 2017
AARC recommendations & best practices: Overview
• [AARC-JRA1.4A] Guidelines on expressing group membership and role information
• [AARC-JRA1.4B] Guidelines on attribute aggregation
• [AARC-JRA1.4C] Guidelines on token translation services
• [AARC-JRA1.4D] Guidelines on credential delegation
• [AARC-JRA1.4E] Best practices for managing authorisation
• [AARC-JRA1.4F] Guidelines on non-browser access
• [AARC-JRA1.4G] Guidelines for implementing SAML authentication proxies for social media identity providers
• [AARC-JRA1.4H] Account linking and LoA elevation use cases and common practices for international research collaboration
• [AARC-JRA1.4I] Best practices and recommendations for attribute translation from federated authentication to X.509 credentials
Guidelines on expressing group membership and role information (AARC-JRA1.4A)
• Standardising the way group membership information is expressed for cross-infrastructure exchange
• Indicating the entity that is authoritative for each piece of group membership information
• Expressing VO membership and role information
• Supporting group hierarchies in group membership information
• Revision (2017-10) signed off by AEGIS
<NAMESPACE>:group:<GROUP>[:<SUBGROUP>*][:role=<ROLE>]#<GROUP-AUTHORITY>
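As an added example (not code from the slides or the AARC project), a small Python parser for the entitlement format above, plus a filter that keeps only memberships asserted by a trusted <GROUP-AUTHORITY>; the namespace, authority names and sample values are constructed.

```python
from dataclasses import dataclass
from typing import Iterable, List, Optional, Tuple
class EntitlementError(ValueError):
    """Raised when a value does not follow the group entitlement format."""
@dataclass(frozen=True)
class GroupEntitlement:
    namespace: str            # <NAMESPACE>, a URN that may itself contain ':'
    groups: Tuple[str, ...]   # <GROUP> followed by any <SUBGROUP>s, outermost first
    role: Optional[str]       # <ROLE> when a ':role=' qualifier is present
    authority: str            # <GROUP-AUTHORITY>, the entity vouching for the membership

def parse_entitlement(value: str) -> GroupEntitlement:
    """Parse <NAMESPACE>:group:<GROUP>[:<SUBGROUP>*][:role=<ROLE>]#<GROUP-AUTHORITY>."""
    body, sep, authority = value.rpartition("#")
    if not sep or not body or not authority:
        raise EntitlementError("missing '#<GROUP-AUTHORITY>' suffix")
    # The namespace is a URN and may contain ':', so anchor on the first ':group:'.
    namespace, sep, rest = body.partition(":group:")
    if not sep or not namespace:
        raise EntitlementError("missing '<NAMESPACE>:group:' prefix")
    parts = rest.split(":")
    role = None
    if parts[-1].startswith("role="):
        role = parts.pop()[len("role="):]
        if not role:
            raise EntitlementError("empty role")
    # A role may only appear last; every group/subgroup component must be non-empty.
    if not parts or any(p == "" or p.startswith("role=") for p in parts):
        raise EntitlementError("malformed group path: %r" % rest)
    return GroupEntitlement(namespace, tuple(parts), role, authority)

def trusted_memberships(values: Iterable[str], trusted_authorities: Iterable[str]) -> List[GroupEntitlement]:
    """Keep only well-formed entitlements from a trusted authority; malformed values are dropped, never granted."""
    trusted = set(trusted_authorities)
    kept = []
    for value in values:
        try:
            ent = parse_entitlement(value)
        except EntitlementError:
            continue
        if ent.authority in trusted:
            kept.append(ent)
    return kept
# Constructed sample values (namespace and authorities are hypothetical).
SAMPLE_ENTITLEMENTS = [
    "urn:mace:example.org:group:vo.example.org:role=member#aai.example.org",
    "urn:mace:example.org:group:vo.example.org:admins#aai.example.org",
    "urn:mace:example.org:group:vo.example.org#untrusted.example.net",  # unknown authority
    "urn:mace:example.org:group:#aai.example.org",                     # empty group name
]
```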
Guidelines on attribute aggregation (AARC-JRA1.4B)
• Models for attribute aggregation ("pull" vs "push" vs "pre-provision")
• Persistent, unique identifiers for linking records
• Explicit consent for data sharing
• Centralising aggregation "business logic" away from the SP
• Scoping attribute values
• Filtering attributes according to source
• Harmonising attribute vocabularies
Guidelines on token translation services (AARC-JRA1.4C)
• Operation modes for TTS services ("embedded" vs "standalone")
• Consistency of user information
• Deployment considerations
• Security considerations
• Transparency, data protection and data minimisation
Guidelines on credential delegation (AARC-JRA1.4D)
• Types of delegation ("rights" vs "access" vs "credential")
• Example flows:
  • OAuth2/OIDC
  • SAML authentication
  • OAuth2 token exchange
  • GSI proxies
  • Combined use of X.509 and OIDC
• Implementation guidelines
• Risks associated with delegations
Best practices for managing authorisation (AARC-JRA1.4E)
• Authorization information sources
  • IdPs
  • AAs
• Authorisation attributes
  • Affiliation
  • Entitlement
  • Assurance
• Trust relationships
Guidelines on non-browser access (AARC-JRA1.4F)
• CLI: SSH/SFTP
  • GSI-enabled SSH
  • SSH key provisioning with web portal
• Accessing HTTP APIs using:
  • OIDC/OAuth2
  • X.509 certificates
  • service-specific API tokens
Guidelines for implementing SAML authentication proxies for social media identity providers (AARC-JRA1.4G)
• Generating SAML eduPersonUniqueIds based on social media profile identifiers
• Mapping social identity profile fields to SAML attributes:
  • Google/OpenID Connect
  • Facebook
  • LinkedIn
Account linking and LoA elevation use cases and common practices for international research collaboration (AARC-JRA1.4H)
• Account linking use cases
  • Consistent user identification/representation
  • Accounting of resource usage
  • Traceability and security incident response
• Account linking process ("Explicit" vs "Automatic")
• Reconciling identity information
• LoA elevation
  • Linking High-LoA identity
  • Step-up authentication
  • Attribute origin information
Best practices and recommendations for attribute translation from federated authentication to X.509 credentials (AARC-JRA1.4I)
• Translating SAML attributes into a subject DN
  • Defining the user Common Name (CN) component from IdP attributes
  • Defining the Organisation (O) component from IdP attributes
• Translating group information using VOMS Attribute Certificates (ACs)
AARC2 recommendations & best practices: Overview
• [AARC2-JRA1.1x] Guidelines for interoperable exchange of user and community information between AAIs
• [AARC2-JRA1.2C] Guidelines for step-up authentication via Two-Factor Authentication
• [AARC2-JRA1.3A] Guidelines for evaluating the combined assurance of linked identities
• [AARC2-JRA1.4A] Roles, responsibilities and security considerations for VOs
Interoperable exchange of user and community information across infrastructures (AARC2-JRA1.1x)
• AARC2-JRA1.1A: Guidelines for interoperable exchange of user and community information between AAIs: Assurance information – Final draft
• AARC2-JRA1.1F: Guidelines for uniquely identifying users across infrastructures (ePUID + subjectID) – Final draft
• AARC2-JRA1.1X: Guidelines for exchanging home organisation and affiliation information between infrastructures – NEW
Step-up authentication via Multi-Factor Authentication (AARC2-JRA1.2C)
• Identified current use cases and example implementations (e.g. HAKA, SURFnet)
• Many discussions around the various assurance-related concepts and terms: components, profiles, etc.
• Input for the upcoming GÉANT two-factor authentication solution for research communities
Guidelines for evaluating the combined assurance of linked identities (AARC2-JRA1.3A)
• Initial version of the evaluation model already in place
• Identified main use cases
• Identity linking risks
Roles, responsibilities and security considerations for VOs (AARC2-JRA1.4A)
• Technical requirements to:
  • support policies (e.g., involving VO security contacts in incidents relating to their VO)
  • improve operations (e.g. delegating rights and responsibilities to deputies when the primary person in the role is not available) in a scalable manner
© GÉANT on behalf of the AARC project. The work leading to these results has received funding from the European Union's Horizon 2020 research and innovation programme under Grant Agreement No. 730941 (AARC2).
Thank you. Any questions?