24
http://aarc-project.eu Authentication and Authorisation for Research and Collaboration Christos Kanellopoulos WP JRA1: Architectures for an integrated and interoperable AAI
http://aarc-project.eu
AuthenticationandAuthorisationforResearchandCollaboration
ChristosKanellopoulos
WPJRA1:ArchitecturesforanintegratedandinteroperableAAI
http://aarc-project.eu
•Structureandadministrativematters
•Objectives
•TaskAchievements
• JRA1inAARC2
2
Agenda
http://aarc-project.eu
ActivityStructure
ActivityLead
ChristosKanellopoulos
Partners
RequirementsAnalysis
PeterSolagnaEGI
BlueprintArchitectures
MarcusHardtKIT
Modelsforsupportingguest
Identities
JensJensenSTFC
ModelsforimplementingAPs
andTTS
Davide VaghettiGARR
T1 T2 T3 T4
3
http://aarc-project.eu
ActivityStructure
M04 M08 M12 M15 M24
AnalysisofUserRequirements
AnalysisofAATechnologies
GuestIdentities
AttributeAuthorities&TokenTranslation
DraftBlueprintArchitecture
FinalBlueprintArchitecture
T1 T1
T3
T4
T2 T2
4
http://aarc-project.eu 5
Resources(1May2016– 30April2017)anddeliveries
1of1deliverablesdeliveredinPY2 DJRA1.2– BlueprintArchitectures ü
TotalYear2effort
75PMfor2years:Y2(upd)forecast:40.2PM(????? FTE)
????PMused???%ofresourcesinflatdistribution
OtherkeydocumentsandresultsRecommendationsonexpressingGroupMembershipandroleinformationGuidelinesonattributeaggregationGuidelinesontokentranslationservicesBestpracticesformanagingauthorizationGuidelinesonnonweb-accessRecommendationsonimplementingSAMLauthenticationproxiesforsocialIdPsRecommendationsoncredentialdelegationAccountlinkingusescasesandLoA elevation
üüüüüüüü
http://aarc-project.eu
High-levelobjectives(1/2)
AnalysehowmuchhasbeendevelopedtoleveragefederatedaccesswithotherauthenticationsystemsusedintheR&Ecommunities,intheeGov spaceandinthecommercialsector;üResearchapossiblesolutiontolinkidentitiesinthecontestofhigherlevelsofassurance,attributeprovidersandguestidentities;üAssessexistingtechnologiestoprovideSSOfornon-Webapplications(cloud,storageandsoon)andofferrecommendationsfortheirusage;üDeveloparisk-basedmodelforexistingAAIsolutions;ü
7
http://aarc-project.eu 7
High-levelobjectives(2/2)
Proposemodelsforsupportingguestidentities(NRENs’in-housesolutionsvscommercially-offeredsolutionsshouldbeexplored);üDefineablueprintarchitecturetoenablewebandnon-webSSOcapabilitiesacrossdifferentinfrastructures,integratingattributeproviders/groupmanagementtoolsoperatedbyuser-communities;üProvidemodelsforfederatedauthorisation:howtointegrateattributesandpermissionsfromdiversecommunities,makingthemavailableatthefederationlevelinaconsistentandsecureway.ü
http://aarc-project.eu
• CommentsoneID• InteropissueswithEUeGov andactivitiesoutsideofEU(Brazil,Korea)• ArticulateacleargoalforeGov IDsinthecontextofAARC(serviceprovideroriented)
• ConsentandhowwehandleitintheAARCArchitecture• LookattheANCHORproject
• Authorization• AuthZ ismissingfromthisversionoftheBlueprintArchitecture• DevelopaplanfordefiningablueprintarchitectureforauthZ afterAARC
8
FeedbackfromPY1Review
http://aarc-project.eu 9
ArchitecturesforanintegratedandinteroperableAAI
Achievements:Task1|RequirementsAnalysis
http://aarc-project.eu 10
ArchitecturesforanintegratedandinteroperableAAIObjectivesfor:Task1Requirementsanalysis
ObjectivesfromTechnicalAnnex
Year1Results
AAtechnologies&Standards
Investigateinteroperation
activitiesandsupportforcrossdomaincollaboration
AAIinR&Esector,LibrariesandeGOV
Completed Completed Completed
ü ü üü
CommunityRequirements
Completed
KPI:Analyzeatleast5e-InfrastructuresandVOs.(14)ü
http://aarc-project.eu
Achievements– TaskJRA1.1RequirementsAnalysis(1/2)
11
Non-web-browser
Guestusers
PersistentUniqueId
Credentialtranslation
AttributeAggregation
AttributeRelease
LevelsofAssurance
CommunitybasedAuthZ
Social&e-Gov IDs
Step-upAuthN
UserManagedInformation
UserFriendliness
IncidentResponse
BestPractices
CredentialDelegation
SPFriendliness
http://aarc-project.eu 12
ArchitecturesforanintegratedandinteroperableAAI
Achievements:Task2|BlueprintArchitectures
Achievements:Task2|BlueprintArchitectures
http://aarc-project.eu 13
ArchitecturesforanintegratedandinteroperableAAIObjectivesfor:Task2BlueprintArchitectures
ObjectivesfromTechnicalAnnex
Year1Results
ExploretheuseofGuestIdentities
SupportformultipleAttributeProviders
andTokenTranslationSystems
ModelsforLoAelevation
Completed Completed Completed
ü ü ü
Architectureforapan-EuropeanintegratedAAI
!!!!!!!!
KPI:Deliveratleast3iterationsoftheBlueprintArchitecture(5)ü
http://aarc-project.eu 14
Achievements- TaskJRA1.2BlueprintArchitectures
3rd iteration(June2016)• TNC2016(Prague– June2016)• MJRA1.41st DraftversionoftheBlueprintArchitecture
4th iteration(November2016)• AARCAll-HandsMeeting(CERN–November2017)• AARCInfoshare ontheBlueprintArchitecture(January2017)• FIM4RWorkshop(Vienna– February2017)
5th iteration(March2017)• 5th AARCGeneralMeeting(Athens–March2017)• Internet2GlobalSummit(WashingtonD.C.– April2017)
http://aarc-project.eu
eduGAIN andtheIdentityFederations
AsolidfoundationforfederatedaccessinR&E
AuthenticationandAuthorizationArchitectureforResearchCollaboration
AsetofbuildingblocksontopofeduGAINforInternationalResearchCollaboration
BlueprintArchitecture
16
http://aarc-project.eu 16
ArchitecturesforanintegratedandinteroperableAAI
Achievements:Task3 |ModelsforsupportingGuestIdentities
http://aarc-project.eu 17
ArchitecturesforanintegratedandinteroperableAAIObjectivesfor:Task3 ModelsforsupportingGuestIdentities
ObjectivesfromTechnicalAnnex
Year1Results
StrategytopermitpublicaccessatlargetoservicesviaAAI
CollaborationwithNA3forthedefinitionofLoA frameworkandariskbased
model
Investigaterisksassociatedwithdelegationofcredentials
Completed Completed Completed
ü ü ü
SolutionsforGuestIdentitiesand
alternativemethodsofidentification
Completed
KPIs:Document,testandcompareexternal(non-federatedIdPs)of5communitiesand3socialmedia(6/4)ü
ü
http://aarc-project.eu 18
Achievements– TaskJRA1.3ModelsforsupportingGuestIdentities
Ø AARCStrategyforenablingpublicaccessatlarge² IncollaborationwithallAARCWPs² https://goo.gl/7kL338
Ø RecommendationsontheuseofGuestIdentities² AvailableinAARC-BPA-2017
Ø Recommendationsoncredentialdelegation(!)² https://goo.gl/i5SZtP
Ø eIDAS andeGOV IDsinthecontextofAARC(?)
http://aarc-project.eu 19
ArchitecturesforanintegratedandinteroperableAAI
Achievements:Task4 |Modelsforimplementingattributeprovidersandtokentranslationservices
http://aarc-project.eu 20
ArchitecturesforanintegratedandinteroperableAAIObjectivesfor:Task4Modelsforimplementingattributeprovidersandtoken
translationservices
ObjectivesfromTechnicalAnnex
Year2Results
IntegrationofCommunitybased
AttributeProviders&Guidelinesfor
expressinggroupmembership
TechnologiesforTokenTranslationServicesandcredentialdelegation
Bestpracticesformanagingauthorization
Completed Completed Completed
ü ü ü
ModelsforimplementingAttributeProviders&GuidelinesforAttributeRelease
Completed
KPIs:Deliveratleast3modelsforimplementingattributeproviders(3)Document,testandassessatleast3delegationschemes/technologies(5)ü
*MJRA1.3wasdeliveredinJune,technicallyinPY2
ü
http://aarc-project.eu 21
Achievements– TaskJRA1.4Modelsforimplementingattributeprovidersandtokentranslationservices
Recommendations&BestPracticesØ ExpressinggroupmembershipandroleinformationØ AttributeaggregationØ TokenTranslationServiceØManagingauthorisationØ CredentialDelegation– OngoingØ Non-browser accessØ Accountlinkingusecases&LoA elevation– OngoingØ SAMLauthenticationproxiesforsocialIDs– Ongoing
http://aarc-project.eu
•Workwithexistinge-infrastructuresandESFRIprojectstodeployandenhance(JRA1)theintegratedAAI• focusontheintegrationaspectsoftheblueprintarchitecturethatwillbedeliveredbytheAARCproject;• providerecommendationsandguidelinesforimplementers,serviceprovidersandinfrastructureoperatorsonimplementingscalableandinteroperableAAIsacrosse-infrastructuresandscientificcommunities
• ExpansionoftheblueprintoftheintegratedAAItoexploreauthorisation anddelegationaspectsinsuchacomplexenvironmentaswellasthesupportforalternativestoSAML.• Expandsupportfornewtechnologiesandpolicies(JRA1 andNA3).• Followauser-drivenapproach:developmentdrivenbyuse-casesandcontinuouscommunityfeedbackonAARC2work
•WorkinclosecollaborationwithNA3,SA1,theCompetenceCentreandthetrainingandoutreachactivitiesofAARC2.
22
JRA1inAARC2
http://aarc-project.eu
JRA1inAARC2
ActivityLead
NicolasLiampotisGRNET
Partners
ToolsandServicesforInteroperableInfrastructures
PeterSolagnaEGI
ServiceProviderArchitecturesand
Authorizationinmulti-SPEnvironments
MarcusHardtKIT
ModelsfortheEvolutionsofAAIsforResearch
CollaborationScalableVOPlatforms
Davide VaghettiGARR
T1 T2 T3 T4
3
JensJensenSTFC
http://aarc-project.eu
©GEANTonbehalfoftheAARCproject.TheresearchleadingtotheseresultshasreceivedfundingfromtheEuropeanUnion’sHorizon2020researchandinnovationprogrammeunderGrantAgreementNo.653965(AARC).
ThankyouAnyQuestions?
