AARC Draft Blueprint Architecture -...
https://aarc-project.eu
Authentication and Authorisation for Research and Collaboration
Internet2 2016 Global Summit
AARC Draft Blueprint Architecture
May 15 – 18, Chicago
Christos Kanellopoulos, Architecture (JRA1) WP Leader, GRNET
The starting point
• The scenario:
  • There is a technical architect of a research community
  • Her community is distributed internationally
  • An increasing number of services need authentication and authorization
  • Her job is to find a solution
  • She wants to focus on research and not reinvent the wheel
  • She starts googling
• So, there are some solutions available, but…
The goals
1. Users should be able to access all services using the credentials from their Home Organization.
2. Users should have one persistent, non-reassignable, non-targeted unique identifier.
3. Attempt to retrieve user attributes from the user's Home Organization. If this is not possible, then an alternate process should exist.
4. Distinguish (by LoA) between self-asserted attributes and the attributes provided by the Home Organization/VO.
5. Access to the various services should be granted based on the role(s) the users have within the collaboration.
6. Services should not have to deal with the complexity of multiple IdPs/Federations/Attribute Authorities/technologies.
AARC: Analysis of User Communities and e-Infrastructure Providers
Requirement areas identified:
• Non-web-browser
• Guest users
• Persistent Unique Id
• Credential translation
• Attribute Aggregation
• Attribute Release
• Levels of Assurance
• Community based AuthZ
• Social & e-Gov IDs
• Step-up AuthN
• User Managed Information
• User Friendliness
• Incident Response
• Best Practices
• Credential Delegation
• SP Friendliness
The functional components
User Community Requirements: https://goo.gl/kSxENp
Why the proxy model?
• All internal Services can have one statically configured IdP (the proxy)
• No need to run an IdP Discovery Service on each Service
• Connected SPs get consistent/harmonised user identifiers and accompanying attribute sets from one or more AAs that can be interpreted in a uniform way for authZ purposes
• External IdPs only deal with a single SP: the proxy
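The following is an added illustration of what the proxy in this model does for the goals listed earlier (one persistent non-targeted identifier, attributes tagged by source and LoA, community-managed roles for authZ). It is example code written for this page, not code from the AARC project or from any of the pilot implementations. The scope `proxy.example.org`, the LoA names and their ordering, the attribute-name mapping and all sample assertions are assumptions constructed for the example.

```python
"""Illustrative IdP/SP proxy harmonisation step (example code, not AARC's).

Assumptions (not from the slides): the proxy scope, the LoA ranking, the
attribute-name map and every sample record below are made up for illustration.
"""
import hashlib

PROXY_SCOPE = "proxy.example.org"                      # assumed scope of proxy-issued identifiers
LOA_RANK = {"self-asserted": 0, "low": 1, "substantial": 2, "high": 3}  # assumed ordering

# Upstream sources name the same attribute differently (SAML vs. OIDC);
# the proxy maps them onto one internal schema the SPs can rely on.
ATTRIBUTE_MAP = {"displayName": "name", "name": "name", "mail": "mail", "email": "mail"}

# Constructed sample assertions as they might reach the proxy; not real data.
HOME_ORG_SAML = {
    "kind": "home-org",
    "issuer": "https://idp.university.example/saml",
    "subject": "a1b2c3d4@university.example",   # assumed non-reassignable (e.g. eduPersonUniqueId)
    "attributes": {"displayName": "Alice Example", "mail": "alice@university.example"},
    "loa": "substantial",
}
SOCIAL_OIDC = {
    "kind": "social",
    "issuer": "https://accounts.google.com",
    "subject": "118234567890123456789",         # constructed OIDC 'sub' value
    "attributes": {"name": "Bob Guest", "email": "bob@example.com"},
    "loa": "low",
}


def proxy_id(assertion):
    """Single identifier every connected SP sees for this user.

    Persistent and non-targeted: a pure function of the upstream
    (issuer, subject) pair, identical for every SP. It is only as
    non-reassignable as the upstream subject, so the proxy must only accept
    source subjects the IdP guarantees never to recycle.
    """
    raw = f"{assertion['issuer']}\x00{assertion['subject']}".encode()
    return f"{hashlib.sha256(raw).hexdigest()[:32]}@{PROXY_SCOPE}"


# Constructed VO attribute authority: community roles keyed by proxy identifier.
VO_ROLES = {proxy_id(HOME_ORG_SAML): ["vo:member", "vo:admin"]}


def harmonise(assertion, vo_roles, self_asserted=None):
    """Build the uniform user record the proxy hands to SPs.

    Every attribute carries its source and assurance level, so an SP can
    tell a value vouched for by the Home Organization from one the user
    typed in (goal 4), and roles come from the VO attribute authority (goal 5).
    """
    uid = proxy_id(assertion)
    attrs = {}
    for name, value in assertion["attributes"].items():
        if name in ATTRIBUTE_MAP:
            attrs[ATTRIBUTE_MAP[name]] = {
                "value": value, "source": assertion["kind"], "loa": assertion["loa"]}
    # Self-asserted values never overwrite an attribute the IdP asserted.
    for name, value in (self_asserted or {}).items():
        attrs.setdefault(name, {"value": value, "source": "user", "loa": "self-asserted"})
    return {"id": uid, "loa": assertion["loa"], "attributes": attrs,
            "roles": list(vo_roles.get(uid, []))}


def authorize(user, required_role, min_loa="low"):
    """AuthZ decision an SP can take from the harmonised record alone."""
    return required_role in user["roles"] and LOA_RANK[user["loa"]] >= LOA_RANK[min_loa]


if __name__ == "__main__":
    alice = harmonise(HOME_ORG_SAML, VO_ROLES)
    bob = harmonise(SOCIAL_OIDC, VO_ROLES, self_asserted={"organisation": "Guest Lab"})
    print(alice["id"], authorize(alice, "vo:admin", min_loa="substantial"))
    print(bob["id"], authorize(bob, "vo:member"))
```

Two design points the example makes concrete: the identifier is derived from the upstream issuer together with the subject, so two IdPs that happen to issue the same subject string never collide at the proxy; and self-asserted values are kept but never allowed to shadow a value the IdP asserted, which is what lets an SP trust the `loa`/`source` tags it receives.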
The functional components and available AAI tools
(Diagram: functional components drawn from the Analysis of User Communities and Infrastructure Providers, matched against available AAI components.)
Available AAI components:
• Attribute Authorities
• IdPs
• Proxies
• Token Translation
• Service Provider
eduGAIN & AARC
• eduGAIN and the Identity Federations: a solid foundation for federated access in R&E
• AARC (Authentication and Authorization Architecture for Research Collaboration): a set of building blocks on top of eduGAIN for international research collaboration
A real life implementation…
(Diagram components:)
• SP: VO Portal
• SP: Tool
• SP DS
• Master Portal
• IdP/SP Proxy
• Attribute Authority
• AuthZ Server
• Delegation Service / OpenID
• MyProxy
• CA
• Federation
• IdP: eduGAIN, eGov, Social IDs
• Protocols and tokens: SAML, OIDC, FQANs, PUSP, OpenSSL Engine
A real life implementation…
• IdP Discovery
• User Enrolment
• User Consent
• Support for LoA
• Attribute Aggregation: SAML 2.0 Attribute Query, REST, LDAP
• Attribute mapping
• Support for OIDC/OAuth2: Google, Facebook, LinkedIn, ORCID
• Support for eGov IDs
Pilots
Inputs to the pilots:
• User Community Requirements
• Overview of Available AAI Components
• Draft Blueprint Architecture
https://goo.gl/kSxENp https://goo.gl/NzQA2U https://goo.gl/7dZZF4
Pilots with communities (iterative cycle):
• Plan
• Develop
• Test
• Include feedback
• Input for training
• Package/release
Thank you. Any questions?
© GÉANT on behalf of the AARC project. The work leading to these results has received funding from the European Union's Horizon 2020 research and innovation programme under Grant Agreement No. 653965 (AARC).