AARC Draft Blueprint Architecture -...

Post on 09-Aug-2020


https://aarc-project.eu

Authentication and Authorisation for Research and Collaboration

Internet2 2016 Global Summit

AARC Draft Blueprint Architecture

May 15 – 18, Chicago

Christos Kanellopoulos, Architecture (JRA1) WP Leader, GRNET


The starting point

• The scenario:
  • There is a technical architect of a research community
  • Her community is distributed internationally
  • An increasing number of services need authentication and authorization
  • Her job is to find a solution
  • She wants to focus on research and not reinvent the wheel
  • She starts googling
• So, there are some solutions available, but…


The goals

1. Users should be able to access all the services using the credentials from their Home Organization.

2. Users should have one persistent, non-reassignable, non-targeted unique identifier.

3. Attempt to retrieve user attributes from the user’s Home Organization. If this is not possible, then an alternate process should exist.

4. Distinguish (LoA) between self-asserted attributes and the attributes provided by the Home Organization/VO.

5. Access to the various services should be granted based on the role(s) the users have within the collaboration.

6. Services should not have to deal with the complexity of multiple IdPs/Federations/Attribute Authorities/technologies.


AARC: Analysis of User Communities and e-Infrastructure Providers

Requirements identified:

• Non-web-browser
• Guest users
• Persistent Unique Id
• Credential translation
• Attribute Aggregation
• Attribute Release
• Levels of Assurance
• Community-based AuthZ
• Social & e-Gov IDs
• Step-up AuthN
• User Managed Information
• User Friendliness
• Incident Response
• Best Practices
• Credential Delegation
• SP Friendliness

The functional Components

[Diagram: the functional components, derived from the User Community Requirements (aarc-project.eu, https://goo.gl/kSxENp)]


Why the proxy model?

• All internal Services can have one statically configured IdP
• No need to run an IdP Discovery Service on each Service
• Connected SPs get consistent/harmonised user identifiers and accompanying attribute sets from one or more AAs that can be interpreted in a uniform way for authZ purposes
• External IdPs only deal with a single SP proxy
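The goals listed earlier and the proxy-model bullets above describe one design: every upstream IdP talks to a single proxy, and every internal service sees one IdP that hands it a harmonised identity. The following added example (not AARC code; all names, the `proxy.example.org` scope, the trusted-issuer table, the assurance labels and the sample users are constructed for illustration) sketches that proxy in Python: it derives a persistent, non-reassignable, non-targeted identifier, prefers Home Organization attributes and falls back to user-managed ones while tagging each value's assurance, aggregates roles from a VO attribute authority, and lets a service authorise on community role alone.

```python
import hashlib
import hmac
from dataclasses import dataclass, field

# Constructed trust table: upstream IdPs the proxy accepts and the assurance
# the proxy attaches to attributes they assert. Labels are illustrative only.
UPSTREAM_IDPS = {
    "https://idp.uni-example.edu/saml": {"assurance": "home-org"},
    "https://accounts.social-example.com": {"assurance": "self-asserted"},
}

PROXY_SCOPE = "proxy.example.org"             # hypothetical proxy domain
PROXY_SECRET = b"constructed-demo-secret"     # per-deployment secret, rotate in practice
REQUIRED_ATTRIBUTES = ("mail", "displayName")  # what enrolment needs at minimum


def is_trusted_issuer(issuer: str) -> bool:
    """Goal 6 from the service's side: only the proxy knows the issuer list."""
    return issuer in UPSTREAM_IDPS


@dataclass
class Attribute:
    value: str
    source: str      # "home-org" or "self-asserted"
    assurance: str   # Goal 4: what an SP may rely on for this value


@dataclass
class HarmonisedIdentity:
    persistent_id: str
    attributes: dict = field(default_factory=dict)
    roles: tuple = ()


class IdentityRegistry:
    """Maps (upstream issuer, upstream subject) to one proxy identifier.

    Goal 2: the id is keyed on the upstream pair, is the same for every SP
    (non-targeted) and, once issued, is never handed to a different pair."""

    def __init__(self):
        self._by_upstream = {}
        self._issued = set()

    def persistent_id(self, issuer: str, subject: str) -> str:
        key = (issuer, subject)
        if key not in self._by_upstream:
            msg = f"{issuer}!{subject}".encode()
            digest = hmac.new(PROXY_SECRET, msg, hashlib.sha256).hexdigest()[:32]
            pid = f"{digest}@{PROXY_SCOPE}"
            if pid in self._issued:          # would amount to reassignment
                raise RuntimeError("identifier collision")
            self._issued.add(pid)
            self._by_upstream[key] = pid
        return self._by_upstream[key]


class IdpSpProxy:
    def __init__(self, registry: IdentityRegistry, vo_attribute_authority: dict):
        self.registry = registry
        self.vo_aa = vo_attribute_authority   # roles keyed by persistent id

    def login(self, upstream_assertion: dict, self_asserted: dict = None) -> HarmonisedIdentity:
        issuer = upstream_assertion["issuer"]
        if not is_trusted_issuer(issuer):
            raise PermissionError(f"issuer not trusted: {issuer}")
        pid = self.registry.persistent_id(issuer, upstream_assertion["subject"])
        assurance = UPSTREAM_IDPS[issuer]["assurance"]

        # Goal 3, first step: take whatever the upstream IdP released.
        attrs = {}
        for name, value in upstream_assertion.get("attributes", {}).items():
            source = "home-org" if assurance == "home-org" else "self-asserted"
            attrs[name] = Attribute(value, source, assurance)

        # Goal 3, alternate process: fill gaps from the user-managed profile,
        # explicitly marked self-asserted so SPs can tell the difference (Goal 4).
        for name in REQUIRED_ATTRIBUTES:
            if name not in attrs and self_asserted and name in self_asserted:
                attrs[name] = Attribute(self_asserted[name], "self-asserted", "self-asserted")
        missing = [n for n in REQUIRED_ATTRIBUTES if n not in attrs]
        if missing:
            raise ValueError(f"enrolment incomplete, missing {missing}")

        # Attribute aggregation: community roles come from the VO AA, keyed by
        # the proxy id, so the VO never handles upstream identifiers.
        roles = tuple(self.vo_aa.get(pid, ()))
        return HarmonisedIdentity(pid, attrs, roles)


def authorise(identity: HarmonisedIdentity, required_role: str) -> bool:
    """Goal 5: the service decides on collaboration role only; it never sees
    which IdP, federation or technology the user arrived through."""
    return required_role in identity.roles


def demo():
    """Constructed scenario: Alice via her home org, Bob via a social IdP."""
    vo_aa = {}
    proxy = IdpSpProxy(IdentityRegistry(), vo_aa)
    home = {"issuer": "https://idp.uni-example.edu/saml", "subject": "alice",
            "attributes": {"mail": "alice@uni-example.edu", "displayName": "Alice"}}
    alice = proxy.login(home)
    vo_aa[alice.persistent_id] = ["member", "data-manager"]   # VO enrols Alice
    alice_again = proxy.login(home)                           # same id, roles now present
    social = {"issuer": "https://accounts.social-example.com", "subject": "bob-123",
              "attributes": {"mail": "bob@example.com"}}      # no displayName released
    bob = proxy.login(social, self_asserted={"displayName": "Bob"})
    return alice, alice_again, bob
```

Running `demo()` shows the properties the slides ask for: Alice's second login yields the same identifier as her first, with the VO roles now attached; Bob's missing `displayName` is filled from his own profile but carries the `self-asserted` label, while Alice's mail carries `home-org`; and `authorise` needs nothing but the role tuple.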

The Functional Components and available AAI tools

[Diagram (aarc-project.eu): Available AAI Components (Attribute Authorities, IdPs, Proxies, Token Translation, Service Provider) mapped onto the Analysis of User Communities and Infrastructure Providers]

eduGAIN & AARC

eduGAIN and the Identity Federations: a solid foundation for federated access in R&E

Authentication and Authorization Architecture for Research Collaboration: a set of building blocks on top of eduGAIN for International Research Collaboration

A real life implementation…

[Architecture diagram. Components shown: SP: VO Portal; Attribute Authority; IdP/SP Proxy; SP DS; Master Portal; IdP; SP: Tool; Federation IdP; eduGAIN; eGOV; Social IDs; Delegation Service / OpenID; AuthZ Server; MyProxy; CA; FQANs; SAML; OpenSSL Engine; OIDC; PUSP; Attribute Authority]

A real life implementation…

• IdP Discovery
• User Enrolment
• User Consent
• Support for LoA
• Attribute Aggregation
• SAML 2.0 Attribute Query, REST, LDAP
• Attribute mapping
• Support for OIDC/OAuth2
• Google, Facebook, LinkedIn, ORCID
• Support for eGov IDs

Pilots

[Diagram (aarc-project.eu): inputs are the User Community Requirements, the Overview of Available AAI Components and the Draft Blue-Print Architecture (https://goo.gl/kSxENp, https://goo.gl/NzQA2U, https://goo.gl/7dZZF4). Pilots with Communities cycle: Plan → Develop → Test → Include Feedback → Input for training → Package/release]

Thank you. Any questions?

© GÉANT on behalf of the AARC project. The work leading to these results has received funding from the European Union’s Horizon 2020 research and innovation programme under Grant Agreement No. 653965 (AARC).

Christos Kanellopoulos, skanct@admin.grnet.gr