Authorization and Authentication Infrastructure
Daan Broeder & Dieter Van Uytvanck, Max Planck Institute for Psycholinguistics
CLARIN-NL Info Session, Nijmegen
2009-07-01
www.clarin.eu
Overview
• CLARIN and the holy grail
• Traditional Federations
• AAI prototype
• Planning
CLARIN and the Holy Grail (1)
A researcher authenticates at his/her own organization and creates a “virtual” collection of resources from different repositories.
CLARIN and the Holy Grail (2)
• browsing a catalogue, searching through metadata, or searching in resource content.
• Workflow specification tool to process this virtual collection with possibly a mix of home grown and remote service components.
• Resulting data can be added to the origin repositories (with the “virtual” collection).
• For our domain this is very ambitious and challenging, but even a partial realization is worthwhile!
Traditional Federations (1)
[Diagram: three columns, Local / External / Federation; components shown: DB, HTTP, LDAP, SAML (HTTP), IdP, SP, B]
From a local user store to a traditional federation…
Traditional Federations (2)
[Diagram: pairs of IdPs and SPs]
CLARIN AAI prototype (1)
[Diagram: several IdP/SP pairs grouped in an (Identity) Federation]
CLARIN AAI Prototype (2)
• 7 Service Providers: INL, Meertens Instituut, MPI, IDS, DFKI, BBAW, CSC / U Helsinki
• 3 national Identity Federations: SurfFederatie (NL), DFN (DE), HAKA (FI)
AAI prototype agreements
Two options:
• One SP signs on behalf of all participating SPs (1xN, preferred)
• Every SP signs a separate contract with each national Identity Federation (NxN, more fuss but feasible)
Planning
• Before end 2009: prototype federation
  • WP7: contractual issues
  • WP2: technical aspects
• Keep good contacts with GEANT3/TERENA/eduGAIN
• Talks with CSC about implementing a common code of conduct service
Thank you for your attention
CLARIN has received funding from the European Community's Seventh Framework Programme under grant agreement n° 212230
Backup slides
References
• http://www.terena.org/activities/tf-emc2/meetings/12/slides/eduGAINstatus.pdf
• http://www2.surfnet.nl/bijeenkomsten/rd2008/sheets/zandbelt.ppt
• http://www.clarin.eu/events/aai-hands-on-workshop
Metadata exchange, option 1
[Diagram: CLARIN SP metadata exchanged with the DFN, HAKA and SurfFederatie metadata]
• Push SP metadata to national IdF via the protocol chosen by the specific IdF (SMTP, SWITCH system, ?)
• Include MD about IdPs within national IdF
Metadata exchange, option 2
[Diagram: CLARIN SP metadata and the DFN, HAKA and SurfFederatie metadata joined through an eduGAIN metadata hub]
• Include MD about national IdPs in SP MD
• With eduGAIN 2.0
Beyond the Traditional Federations: SPO
[Diagram: several IdP/SP pairs; the SPs grouped in a Service Provider Federation/Organization]
AAI Issues & Challenges (1)
• CLARIN is not an IdF
  • Our intended clientele is too wide spread
  • No special IdP configuration can be expected
  • So, only an SP organization relying on national IdFs
• What forms the SP organization (wrt. AAI)?
  • LRT Community
  • Standard contracts with the (national) IdFs
  • Common set of CCs / licenses
  • Attribute requirements
• Shallow versus deep federation
  • SPs specify auditing level
  • No penalties
AAI Issues & Challenges (2)
• Attribute harmonization: eduGAIN solves it all?
• WAYF (& WFAYF)
• AAI software: Shibboleth and SimpleSAMLphp. Is there more needed?
• Guest accounts for the homeless
AAI Issues & Challenges (3)
• SSO for client applications, e.g. downloading distributed virtual collections
• SSO for web services: deal with workflows chaining web services from different providers
• SSO when dealing with CCs, 3 options:
  • Leave it to the SP
  • User attribute (~ IdP)
  • Separate service, external attribute authorities
• Use of GRID resources: Data GRID & Compute GRID
eduGAIN confederation
• Connect national AAI on a pan-European level
• GEANT (2,3) workgroup: TF-EMC2
• CLARIN: excellent use case!
CLARIN Federation Infrastructure
CLARIN wants to be a LR&T “service federation”
• simplified and unified rules for licensing, accessing
• agreements with national identity federations
• must make sure all necessary attributes are available
• cater also for A&A
  • of non-web applications
  • and web services
• interaction with GRID AAI
[Diagram: national Identity Federations, eJournal Service Providers and LRT Service Providers linked by Trust Agreements]
DAM-LR EU project (1)
Small EU project (2005-2007) on archive integration of 4 partners: corpus/computational linguistics and endangered language documentation
• Resource discovery: sharing a single metadata set for searching & browsing
• Authentication & Authorization: single user identity, single sign-on by using Shibboleth
• Referencing and citing “archived resources” using a single persistent identifier system
DAM-LR EU project (2)
Experiences:
• Standard eduPerson attribute set is probably sufficient (but CCs …)
• Shibboleth is nice when using web applications, but applications need access too!
• Shibboleth is efficient when dealing with groups, e.g. staff, student, … But our domain also has to deal with individuals => store user IDs in authorization records
• DAM-LR was a federation of both IdPs & SPs; CLARIN aims at a much larger potential user group whose home organizations do not want to run a CLARIN specific IdP => use the national IdFs
Applications need Authentication too
[Diagram: a user application (IMDIcopier) fetching from archiveA and archiveB, each behind Shib./apache, with one IdP]
User scenario: copying resources from different repositories to the local machine
• The application speaks only HTTP with basic authentication. It does not understand the form based authentication employed by the Shib. IdP
• The application is also not able to profit from the SSO over archives
Possible solution: use certificates for authentication, obtained by SLCS (but can the auth. handshake be mimicked by software?)
Searching through annotations
[Diagram: CHAT, EAF and Shoebox files in the MPI Archive feed a DB/SE behind a search service; an Auth DB and an IdP alongside]
• Parsers “normalize” the structural format
• Content search in one archive: no problem (check single DB)
Federative search scenario
[Diagram: MPI Archive and Archive B, each with its own DB/SE, search service and AuthZ DB, accessed through a specialized web portal; the IdP provides AuthN]
• Parsers “normalize” the structural format
• Searching through annotations
• The web portal app would like to act on behalf of the user and access the search services.
What do we aim for?
blah-blah blah-blah
blah-blah blah-blah
blah-blah
Licenses & Code of conducts 1
[Diagram: the user's browser, the IdP, SPa and SPb, each SP with its own CC DB]
• SP requires the CC to be signed and takes care of this, but only for its own domain
• This can break the SSO if the user is required to sign the same CC several times
• CLARIN will harmonize the CCs and licenses to a limited number
Licenses & Code of conducts 2
[Diagram: the user's browser, the IdP, SPa and SPb; the CC DB now sits at the IdP]
• Store the CC DB info in the user attributes at the IdP (cfr. Switch aaiUapprove)
• But how does it get there?
  • Special app?
  • Not every IdP will/can run this
Licenses & Code of conducts 3
[Diagram: the user's browser, the IdP, SPa and SPb; a separate CC service with its own CC DB]
• Create a special CC service. This is part of the SPF, independent of the IdFs
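An added example (not from the slides) of the third option: each SP keeps its own authorization records, holding either eduPerson affiliations or individual user IDs (as the DAM-LR experiences recommend), while CC acceptance is looked up in one register shared across SPs, so a user who signed a harmonized CC at SPa is not asked again at SPb. Attribute values, resource names and the CC identifier are constructed for the example.

```python
from dataclasses import dataclass, field

# Constructed sample attribute sets, as a Shibboleth SP would receive them from an IdP
# (eduPerson attributes; the values are made up for this example).
ALICE = {"eduPersonPrincipalName": "alice@example-university.nl",
         "eduPersonAffiliation": ["staff"]}
BOB = {"eduPersonPrincipalName": "bob@example-university.de",
       "eduPersonAffiliation": ["student"]}


@dataclass
class AuthzRecord:
    """One authorization record at an SP: group-based OR individual access."""
    resource: str
    cc_id: str                                        # harmonized CC/licence required
    affiliations: set = field(default_factory=set)    # e.g. {"staff"}
    principals: set = field(default_factory=set)      # individual user IDs


class CCService:
    """Shared CC acceptance register, run by the SP federation, not by any IdF."""
    def __init__(self):
        self._accepted = set()

    def accept(self, principal, cc_id):
        self._accepted.add((principal, cc_id))

    def has_accepted(self, principal, cc_id):
        return (principal, cc_id) in self._accepted


def decide(attrs, record, cc_service):
    """Return 'allow', 'needs_cc' or 'deny' for one request at an SP."""
    principal = attrs.get("eduPersonPrincipalName")
    if not principal:
        return "deny"                       # no stable ID: cannot authorize or record a CC
    affs = set(attrs.get("eduPersonAffiliation", []))
    if principal not in record.principals and not (affs & record.affiliations):
        return "deny"
    if not cc_service.has_accepted(principal, record.cc_id):
        return "needs_cc"                   # SP sends the user to the CC service, once
    return "allow"


def walkthrough():
    """Alice signs the CC at SPa; SPb then grants access without asking again."""
    cc = CCService()
    spa = AuthzRecord("SPa corpus", "CLARIN-CC-1", affiliations={"staff"})
    spb = AuthzRecord("SPb corpus", "CLARIN-CC-1", principals={"alice@example-university.nl"})
    first = decide(ALICE, spa, cc)          # 'needs_cc': not yet signed anywhere
    cc.accept(ALICE["eduPersonPrincipalName"], "CLARIN-CC-1")
    return [first, decide(ALICE, spa, cc), decide(ALICE, spb, cc), decide(BOB, spb, cc)]
```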
AAI Planning (1)
• Training courses for AAI: support of SimpleSAMLphp, Shibboleth
AAI Planning (2)
• Centers should make their policies explicit:
  • Integration of SP with AAI
  • IdP support for their users
• Is there potential for a “fire brigade”? Help with configuration & integration. MPG (RZG) does something there, who else?
• Contracts with national IdFs (WP7). What role has eduGAIN?
What's next?
• SLCS with SURFnet (preliminary research)
• Direct interaction with GEANT 3 (May 5/6)
• Talks with CSC about implementing a CC service