FIM4R v2 - Indico · Research Community Perspectives – CLARIN Dieter 20m Research Community...
FIM4R v2.0
Presenters
Johannes Reetz • EUDAT • https://www.rd-alliance.org/users/johannesreetz
Dieter Van Uytvanck • CLARIN • https://www.rd-alliance.org/users/dietervu
Hannah Short • CERN/WLCG • https://www.rd-alliance.org/users/hannah-short
Agenda
Background of FIM4R – Hannah – 10m
Evolution of FIM in the last 5 years – Hannah – 10m
Research Community Perspectives – CLARIN – Dieter – 20m
Research Community Perspectives – EUDAT – Johannes – 20m
FIM4R v2 key points – Hannah – 10m
Discussion & Next Steps – 20m
Objectives
• Raise awareness of the upcoming FIM4R v2 whitepaper
• Gain feedback on content for FIM4R v2 whitepaper
What does your research community need? Discussion at the end
BACKGROUND OF FIM4R
Federated Identity Management
• Federated Identity Management (FIM) is the concept of groups of Service Providers (SPs) and Identity Providers (IdPs) agreeing to interoperate under a set of policies.
• Federations are typically established nationally and use the SAML2 protocol for information exchange
• Each entity within the federation is described by metadata
https://www.switch.ch/aai/about/federation/
Credit to Alessandra Scicchitano – GEANT for this slide
Federated Identity Management Worldwide
• eduGAIN is a form of interfederation
• Participating federations share information (metadata) about entities from their own federation with eduGAIN
• eduGAIN bundles this metadata and publishes it in a central location.
Credit to Alessandra Scicchitano – GEANT for this slide
Our Interaction with Identity Federations
• Research Communities typically join through an SP-IdP proxy
  – From the outside (eduGAIN) it looks like an SP
  – From the inside it looks like an IdP
• We depend on the stability of eduGAIN as an authentication infrastructure
Source: GEANT, GN3PLUS13-642-23
Background of FIM4R
• The 1st workshop was held at CERN in June 2011 (https://indico.cern.ch/event/129364),
• the 2nd at RAL in November 2011 (https://indico.cern.ch/event/157486),
• the 3rd at ISGC in February 2012 (https://indico.cern.ch/event/177418),
• the 4th at MPI Psycholinguistics Nijmegen in June 2012 (http://www.clarin.eu/events/3501),
• the 5th at PSI Villigen in March 2013 (http://indico.psi.ch/event/2230),
• the 6th at CSC in Helsinki in October 2013 (https://refeds.org/meetings/oct13/index.html),
• the 7th at ESRIN in Frascati in April 2014 (https://indico.cern.ch/event/301888/),
• the 8th at CERN on 3-4th February 2015 (https://indico.cern.ch/event/358127),
• the 9th FIM4R meeting 30th November 2015 (https://indico.cern.ch/event/450600/),
• the 10th FIM4R meeting 20th February 2017 (https://indico.cern.ch/event/605369/).
Through these workshops, the research communities have converged on a common vision for FIM, enumerated a set of requirements and proposed a number of recommendations for ensuring a roadmap for the uptake of FIM is achieved. These points have been documented in a paper (https://cdsweb.cern.ch/record/1442597).
Background of FIM4R
Requirements document published in 2012 and now due an update
https://cdsweb.cern.ch/record/1442597
2012 Requirements
• User friendliness (high)
• Browser & non-browser federated access (high)
• Bridging communities (medium)
• Multiple technologies with translators including dynamic issue of credentials (medium)
• Implementations based on open standards and sustainable with compatible licenses (high)
• Different Levels of Assurance with provenance (high)
• Authorisation under community and/or facility control (high)
• Well defined semantically harmonised attributes (medium)
• Flexible and scalable IdP attribute release policy (medium)
• Attributes must be able to cross national borders (high)
• Attribute aggregation for authorisation (medium)
• Privacy and data protection to be addressed with community-wide individual identities (medium)
2012 Recommendations
• Recommendations to the research communities
  – Conduct Risk Analysis
  – Run Pilot Studies coordinated by experts
• Recommendations to the technology providers
  – Separation of Authorization and Authentication
  – Credentials revocation
  – Attribute delegation to the research community
  – Standardise efforts in Levels of Security/Assurance
• Recommendations to funding agencies
  – Fund FIM technologies that are focused on solving the described needs of the research communities
EVOLUTION OF FIM IN THE LAST 5 YEARS
Summary from 10th FIM4R Workshop
• Significant progress made
  – Strong support from funding bodies
  – "We are here having rational discussions between RCs, FedOps, eduGAIN etc!"
  – Many successes
• Some requirements remain,
• Some are solved,
• For others we have found work-arounds,
• Some are brand new
AARC I & II
• Building on existing tools, avoiding fragmentation and bringing FIM to Research Collaborations
• Many pilots produced, to show that the technology works, and then work to make them sustainable, e.g. certificate provisioning, token translation
• Looking at many policy aspects and their interaction with existing groups
• AARC2 approved 2017-19
  – Support more research community use cases
  – Community engagement -> continuously talk with research communities, help and identify new requirements
  – Competence centre for larger/e-infrastructures to co-develop new solutions
• FIM4R is a key community
https://aarc-project.eu
AARC Blueprint Architecture
• Analysis of existing architectures, and common components plotted
• Production ready options for components identified
• Aims to address the specific difficulties that RCs have when operating internationally
• Blueprint architecture proposes best practices
  – Authorisation layer explicit and designed to be integrated with community membership tools
  – Focus on pragmatic guidelines, production-ready suggestions that don't require 10 years of deployment history (e.g. command line access, token translation etc)
Deliverable due May 2017 at https://aarc-project.eu
Security incident response (Sirtfi)
• Problems with security in federations
  – Highly distributed, e.g. logs are split
  – Bad guy doesn't sleep but IdP operators do
  – No mandate to investigate external organisations
• Sirtfi REFEDS WG, ~2 years done, ~2 years left
  – Produced framework to build trust and set a baseline in operational security best practices
• Future Workplan includes
  – Helping federations to adopt procedures
  – Reaching out to communities e.g. TF-CSIRT, REFEDS, FOG, FIM4R
https://refeds.org/sirtfi
https://aarc-project.eu/wp-content/uploads/2017/02/DNA3.2-Security-Incident-Response-Procedure-v1.0.pdf
Minimum LoA
• Work in AARC, now being extended through REFEDS
• Interviewed CLARIN, DARIAH, ELIXIR, LIGO, Photon/Neutron, WLCG, EGI, PRACE and came up with a minimum mutual set of requirements
  – The accounts in the Home Organisations must each belong to a known individual person
  – Persistent user identifiers (i.e., no re-assignment of user identifiers)
  – Documented identity vetting procedures (not necessarily face-to-face)
  – Password authentication (with some good practices)
  – Departing user's eduPersonAffiliation must change promptly
https://aarc-project.eu/wp-content/uploads/2015/11/MNA31-Minimum-LoA-level.pdf
Policies for Processing Personal Data
• New GDPR goes into force May 2018 – legally binding for member states
• Not legal advice but has been read by lawyers :)
• Scope is restricted to data collected on usage (logs), does not cover attribute release or personal data in research sets.
• Binding Corporate Rules (BCRs) are a recommended framework to bind an organisation, though only applicable to legal entities (many infrastructures are not)
• Conclusions
  – In EU legitimate interest & consent ok
  – Outside EU, BCR-like approach might work. An enforceable CoC might be alternative to getting specific authorisation
https://aarc-project.eu/wp-content/uploads/2016/12/AARC-DNA3.5_Recommendations-for-Processing-Personal-Data_2016_11_07_v4_DG.pdf
Data Protection Code of Conduct
• V1 Released 2013
  – Scope is restricted to attributes
  – 106 SPs support (Feb '17)
  – 112 IdPs claim to release attributes to them (Feb '17)
• Asked WP29 for blessing. Results:
  – We can use it :)
  – It cannot be endorsed by WP29 since doesn't provide added value (e.g. explaining data minimisation in context of FIM) :(
• V2 addresses WP29 requirements, GDPR changes, release outside EU (inc. international organisations)
  – 2 month consultation starting Wednesday at TIIME
  – Aim to submit for approval in May 2018
https://wiki.refeds.org/display/CODE/Data+Protection+Code+of+Conduct+Home
Research & Scholarship Entity Category
• Mutually agreed attribute bundle, wide community consultation
• Research SPs encouraged to limit requirements to R&S
• IdPs encouraged to release R&S attributes
• "The R&S attribute bundle consists (abstractly) of the following required data elements:
  – Shared user identifier
  – Person name
  – Email address
• and one optional data element:
  – Affiliation"
https://refeds.org/category/research-and-scholarship
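The SP-IdP proxy model from the background slides, the R&S bundle above, and the attribute enrichment the community slides mention all meet in one component: the proxy's attribute-handling step. The example below is added here and is not code from the FIM4R slides or from any of the projects they describe. It assumes the eduPerson/inetOrgPerson attribute names the R&S bundle is commonly carried in (eduPersonPrincipalName or eduPersonTargetedID, displayName or givenName plus sn, mail, optional eduPersonScopedAffiliation), a constructed community group store, and a placeholder entitlement URN namespace. It checks that the home IdP released the bundle, forwards only bundle attributes, and adds community-managed group membership; when the bundle is incomplete it returns the kind of helpful message the ELIXIR slide describes instead of passing the user through.

```python
# Added example, not from the FIM4R slides: the attribute step of an SP-IdP proxy.
# Towards eduGAIN the proxy is an SP that receives the home IdP's release; towards
# the community's own services it is an IdP that emits a checked, enriched set.

# Assumption: the R&S slide lists the elements abstractly; these are the attribute
# names the bundle is usually expressed with.
RS_IDENTIFIER_ATTRS = ("eduPersonPrincipalName", "eduPersonTargetedID")
RS_NAME_ATTRS = (("displayName",), ("givenName", "sn"))   # either combination counts
RS_MAIL_ATTR = "mail"
RS_AFFILIATION_ATTR = "eduPersonScopedAffiliation"       # the one optional element
RS_FORWARDED = frozenset(RS_IDENTIFIER_ATTRS) | {
    "displayName", "givenName", "sn", RS_MAIL_ATTR, RS_AFFILIATION_ATTR}

# Constructed community membership store (hypothetical): shared user identifier
# -> groups administered by the community, not by the home organisation.
COMMUNITY_GROUPS = {
    "alice@idp.example": ["experiment-x:members", "experiment-x:admins"],
}

# Constructed sample releases, standing in for two different home IdPs.
SAMPLE_FULL_RELEASE = {
    "eduPersonPrincipalName": "alice@idp.example",
    "displayName": "Alice Example",
    "mail": "alice@idp.example",
    "eduPersonScopedAffiliation": "member@idp.example",
    "telephoneNumber": "+00 000 0000",   # released by the IdP but outside R&S
}
SAMPLE_SPARSE_RELEASE = {
    "eduPersonPrincipalName": "bob@other-idp.example",   # no name, no mail
}


def missing_rs_elements(attrs):
    """Return the abstract R&S required elements absent from an IdP's release."""
    missing = []
    if not any(attrs.get(a) for a in RS_IDENTIFIER_ATTRS):
        missing.append("shared user identifier")
    if not any(all(attrs.get(a) for a in combo) for combo in RS_NAME_ATTRS):
        missing.append("person name")
    if not attrs.get(RS_MAIL_ATTR):
        missing.append("email address")
    return missing


def proxy_release(attrs, groups):
    """Decide what the proxy passes on to the community's internal services.

    Returns {"status": "ok", "attributes": {...}} when the bundle is present, or
    {"status": "rejected", "missing": [...], "message": "..."} so the front end
    can tell the user which elements their home IdP withheld.
    """
    missing = missing_rs_elements(attrs)
    if missing:
        return {
            "status": "rejected",
            "missing": missing,
            "message": ("Your home organisation did not release the required "
                        "attributes (" + ", ".join(missing) + "). Please contact "
                        "your local support group."),
        }
    uid = next(attrs[a] for a in RS_IDENTIFIER_ATTRS if attrs.get(a))
    # Limit what crosses the proxy to the R&S bundle (data minimisation).
    released = {k: v for k, v in attrs.items() if k in RS_FORWARDED}
    # Attribute enrichment: membership comes from the community's own store, so
    # authorisation stays under community control rather than the home IdP's.
    member_of = groups.get(uid, [])
    released["isMemberOf"] = member_of
    # Entitlement URN namespace is a constructed placeholder, not a real scheme.
    released["eduPersonEntitlement"] = [
        "urn:example:community:group:" + g for g in member_of]
    return {"status": "ok", "attributes": released}


if __name__ == "__main__":
    print(proxy_release(SAMPLE_FULL_RELEASE, COMMUNITY_GROUPS))
    print(proxy_release(SAMPLE_SPARSE_RELEASE, COMMUNITY_GROUPS))
```

The rejection path is deliberately a structured result rather than an exception: the proxy front end needs the missing elements to render a message and to route the user to local support, which is exactly the follow-up the ELIXIR slide describes.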
CLARIN PERSPECTIVE
EUDAT PERSPECTIVE
FIM4R V2 KEY POINTS
Community Updates
• At the 10th workshop we heard updates from
  – 6 Research Communities (LIGO, WLCG, DARIAH, INAF, ELIXIR, Umbrella)
  – 2 Infrastructures (EUDAT, EGI)
  – Slides are in appendix
• Excellent discussion on common themes and challenges
• Summary at https://indico.cern.ch/event/605369/contributions/2440465/attachments/1415673/2167445/FIM4R_Summary.pdf
Common Themes from Communities
• Proxy Model
• Attribute Enrichment
• Outsourcing
• Off-the-shelf components
• ORCID
• Social Login
• Community Controlled Authorisation
• Federation Governance Limitations
Community Perspective Slides in Appendix
Example Recommendations 2017
• Address command line and non-web use cases
• Integrate FIM with existing Community Membership Management Tools
• Build operational support in (inter)federation (security and operations)
• Support GDPR adequacy certification for intergovernmental organisations
• Make FIM a production service and a cornerstone of the European Open Science Cloud, including commercial IaaS interaction
• Integration with eID (Governmental ID programs)
• Greater collaboration with non-EU partners (e.g. US)
• …
What would you add?
REQUIREMENTS DISCUSSION
NEXT STEPS
FIM4R Document Plans – Proposal
Editorial board
• Representatives from communities/infrastructures
• Define survey Qs (first draft made in February, spearheaded by Nikhef)
• Write summary of progress since FIM4R v1
• Combine contributions from communities/infrastructures
Community/Infrastructure input
• Statement on own progress and challenges
• Complete survey
FIM4R Document Plans – Strategy
Output?
• Whitepaper
• Include targeted recommendations to players, e.g. Funding agencies, SPs, IdPs, Federation Operators
Timeline?
• Keep momentum
• Be aware of calls for funding
Where?
• Open data publisher
• Community document repository
• Conference proceedings 2018
How to get involved?
• Catch us this week
• Mailing list https://e-groups.cern.ch/e-groups/EgroupsSubscription.do?egroupName=fim4r-members
• Come to the next workshop, probably USA, probably Autumn
Community Notices
• Fim4r.org coming soon! Thanks to LIGO and GEANT
• High Energy Physics Security & Access Management Whitepaper
  – Looking for more participants
  – More information at http://hepsoftwarefoundation.org
• This RDA FIM IG is looking for a second Chair – know someone who could fit the post?
QUESTIONS?
APPENDIX – ADDITIONAL PERSPECTIVES
COMMUNITIES
LIGO (Gravitational Wave Physics)
• SPs individually registered in InCommon
• IdP of last resort = Google, UnitedID, NCSA
• Moving to CILogon 2 (marriage of CILogon and COmanage) – outsource ID layer
• Considering move to OIDC instead of SAML, however the cost is integrating with federations.
• Wanted to encourage attribute release and avoid use of a proxy, however this doesn't seem to work, may have to move to proxy model
• Hoping to move entirely to FIM, remove LIGO IdP
• Challenges
  – Budget constraints, pushed to work on visual aspects, e.g. GraceDB
  – Sirtfi adoption stalled by InCommon's requirement for C-level approval
  – Some eduGAIN partners not totally "in" eduGAIN e.g., Australia, Japan
  – No role for research communities in governance of federations, perhaps the solution is to create an IGTF federation
ELIXIR (Biosciences)
• Proxy IdP, SAML2 plus support for OIDC
• ORCID as an IdP, plus social options – researcher LoA enriched separately
• If the chosen IdP does not provide attribute bundle, helpful message is displayed – user passed to local support group, e.g. ELIXIR Germany, who will follow up with the IdP
• Group Management
  – Perun
  – User driven with custom application forms per group
  – Bona Fide management on top to grant additional access, e.g. check ORCID ID against publication, users can endorse other users
• Example. Beacon Network (query for DNA datasets), requires Bona Fide Research Status
• VMs created by users cannot be trusted, only allow mounting of data that was approved by committee
WLCG (High Energy Physics)
• Existing certificate based federation
• New solution follows proxy model for authentication, all WLCG services behind CERN SSO.
• Token translation on per service basis, not classical blueprint architecture
• Some progress over last year, including one experiment moving monitoring portal behind SSO
• Difficulty is getting users to adopt new technologies when existing solution "works", albeit in a clunky fashion
• Requirements for FIM
  – Helpdesk essential
  – Sirtfi required now, restrict to known researchers registered with VOMS
  – Command line solution with minimal browser interaction
• Implementation uses STS, not maintained and suboptimal
• Reconsidering the role of VOMS, options inc. AA, token translator, etc
DARIAH (Humanities)
• 3774 users, identified by EPPN (possible weak point)
• Secondary authentication track that gets OAuth2 authorisation token – OAuth2 chosen for internal authorization rather than ECP, following a trial in which a number of problems emerged. OAuth2 much more simple (plus future-proof)
• Central Policy Decision Point, with access rights centrally managed
INAF (Astronomy)
• Distributed communities, role based access, project for several decades so want simplicity & sustainability, use OTS components
• Fundamental constraint = open to all astronomy community (achieved by enabling eduGAIN)
• Member of AARC2
• CTA
  – Enriching attributes themselves, since IdPs insufficient. Using Grouper for membership management
  – Internally adding isMemberOf attribute list & entitlement for access control
  – eduPersonUniqueID chosen
• Consent management
• 3 main experiments but having separate solutions for each experiment seemed simpler than creating single solution
Umbrella (Photon & Neutron Physics)
• Used by photon and neutron facilities in Europe (14 partners + 2 pending) – all basically production status
• Integrating ORCID & pushing umbrella ID IdP in eduGAIN
  – Only 3 attributes -> no problem for data protection since it is all opaque
  – will join JISC instead of SWITCH due to registration requirements
• Member of AARC2
• Using Moonshot at Diamond
• Using eduTEAMS for AA since users spread between multiple jurisdictions
• PR push, funded
• Just IdP, no SP – project called eduGAIN bridge to provide eduGAIN access to umbrella registered services
INFRASTRUCTURES
EGI
• Diversity of VOs raises complications
• Number of services & IdPs requires significant, scalable policy work
• Check-in, solution deployed in EGI in 2016
  – Multiple IdP types through single endpoint (inc. social & x509)
  – Minimise overhead for service providers
  – Not all services behind proxy but moving slowly
  – Central, unique, opaque, persistent user ID created on first login. Unique ID can be freely shared since opaque but remains useful for central logs
  – Previously had LoA Birch (IGTF), now LoA calculated based on user information
  – Stepped LoA requirements for different risk profiles, inc Sirtfi for PaaS
  – Check-in governs list of trusted Attribute Authorities, those trusted are harmonised & communicated with services
  – Unity connector to get LToS VO membership information
• Check-in integrated with RCAuth to provide x509
  – Users from trusted IdPs able to generate certificates
• Explicit account linking via COmanage
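The two EGI points about a central opaque persistent user ID minted on first login and explicit account linking describe a small but easy-to-get-wrong piece of a proxy. The example below is added here and is not code from the FIM4R slides, from EGI Check-in or from COmanage. It assumes a constructed HMAC key, a constructed scope for the minted identifier, and constructed IdP entity IDs and subjects. It shows why such an identifier can be shared freely (it is a keyed hash, so it reveals neither the home IdP nor the home identifier) while staying stable across logins and usable in central logs, and it refuses to silently merge two accounts when a linking request targets an identity already bound elsewhere.

```python
# Added example, not from the FIM4R slides or from EGI Check-in: a registry that
# gives each user one opaque, persistent internal id and supports explicit linking
# of further external identities (social login, x509, a second IdP) to it.
import hashlib
import hmac

# Constructed key: in a deployment this is a secret held only by the proxy.
REGISTRY_KEY = b"constructed-example-key-do-not-reuse"
INTERNAL_SCOPE = "community.example"   # constructed scope for minted identifiers


class IdentityRegistry:
    def __init__(self, key=REGISTRY_KEY, scope=INTERNAL_SCOPE):
        self._key = key
        self._scope = scope
        self._external_to_internal = {}   # (idp_entity_id, subject) -> internal id
        self._internal_to_external = {}   # internal id -> set of linked (idp, subject)

    def _mint(self, idp_entity_id, subject):
        # Keyed hash over the issuer-qualified subject: the same external identity
        # always yields the same value, but without the key the value reveals
        # neither the home IdP nor the home identifier, so it can be passed to
        # services and written to shared logs.
        msg = (idp_entity_id + "!" + subject).encode()
        digest = hmac.new(self._key, msg, hashlib.sha256).hexdigest()[:32]
        return digest + "@" + self._scope

    def login(self, idp_entity_id, subject):
        """Return the internal id for an authenticated external identity,
        minting one on first login and reusing it afterwards."""
        key = (idp_entity_id, subject)
        internal = self._external_to_internal.get(key)
        if internal is None:
            internal = self._mint(idp_entity_id, subject)
            self._external_to_internal[key] = internal
            self._internal_to_external[internal] = {key}
        return internal

    def link(self, internal_id, idp_entity_id, subject):
        """Explicitly attach a second external identity to an existing account.
        Returns False rather than merging if the identity already belongs to
        another account or the target account does not exist."""
        key = (idp_entity_id, subject)
        if internal_id not in self._internal_to_external:
            return False
        current = self._external_to_internal.get(key)
        if current is not None and current != internal_id:
            return False
        self._external_to_internal[key] = internal_id
        self._internal_to_external[internal_id].add(key)
        return True

    def linked_identities(self, internal_id):
        """All external identities that resolve to this account, sorted for display."""
        return sorted(self._internal_to_external.get(internal_id, ()))


def audit_line(internal_id, service, action):
    """Central log line that carries only the opaque id, never the home identifier."""
    return "user=%s service=%s action=%s" % (internal_id, service, action)


if __name__ == "__main__":
    reg = IdentityRegistry()
    uid = reg.login("https://idp.example/saml", "alice@idp.example")
    reg.link(uid, "https://social-idp.example", "1070000000000000000")
    print(uid, reg.linked_identities(uid))
    print(audit_line(uid, "storage", "read"))
```

The mapping tables are what make linking possible; the keyed hash is what makes the first identity reproducible and the identifier safe to share. A deployment would persist both tables and rotate nothing lightly, since changing the key changes every identifier minted from it.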