Federated Identity Management Interest Group

Transcription

1 1 Federated Identity Management Interest Group The FIM interest group (FIMig) is an international crossdomain interest group to work on all issues related to the use FIM for the implementation of AAIs (Authentication and Authorization Infrastructures) in research infrastructures

2 Agenda 2 IG Federated Identity Management (FIM) This session will provide the opportunity to update participants on the recent activity of the deployment of pilots from several research communities and gather their input for policy alignment between European and US activities in the federated identity management domain. Bob Jones (CERN) - Overview of FIM4R activities and AARC: Authorisation and Authentication for Research Communities Ken Klingenstein (Internet2) - Covering the rest of the waterfront in FIM Dieter Van Uytvanack (Clarin): Single-sign on for a distributed infrastructure for social sciences and humanities - an update on CLARIN's FIM implementation Please use the sign-up sheet for this session: 2

3 What is FIM 4 R Series of workshops starting in June 2011 hosted by European research communities which have led to Convergence on a common vision for FIM Set of requirements and proposed a number of recommendations for the uptake of FIM paper Undertaken a series of prototypes/pilots with providers 3

4 The FIM 4 R Vision A common policy and trust framework for Identity Management based on existing structures and federations either presently in use by or available to the communities. This framework must provide researchers with unique electronic identities authenticated in multiple administrative domains and across national boundaries that can be used together with community defined attributes to authorize access to digital resources. Bob Jones (CERN) April 2014

5 FIM Pilots WLCG international grid/cloud data transfers High Energy Physics Community ELIXIR European genome phenome archive Life Science community CLARIN see Dieter s talk Umbrella AAI - Photon / Neutron community DARIAH: Digital Research Infrastructure for the Arts and Humanities ESA - Earth Observation community 5

6 edugain The purpose of edugain is to interconnect identity federations and simplify access to content, services and resources for the global research and education community Built on existing federations and infrastructures 6

7 4 Feb 15 Sirtfi at FIM4R, Kelsey 7

8 Wild West Impossible to impose practices on edugain participants! No minimal requirements for IdPs and SPs! No requirement to help/share/respond during security incidents! No process to make sure you will be informed of incidents, compromised IdPs, etc.! No incident reporting channel! No identity banning process 4 Feb 15 Sirtfi at FIM4R, Kelsey 8 8

9 Security for Collaborating Infrastructures (SCI) A collaborative activity of information security officers from large-scale infrastructures EGI, OSG, PRACE, EUDAT, CHAIN, WLCG, XSEDE, Developed out of EGEE security policy group We are developing a Trust framework Enable interoperation (security teams) Manage cross-infrastructure security risks Develop policy standards Especially where not able to share identical security policies Version 1 of SCI document 4 Feb 15 Sirtfi at FIM4R, Kelsey 9

10 AARC? Authentication and Authorisation for Research and Collaboration support the collaboration model across institutional and sector borders advance mechanisms that will improve the experience for users guarantee their privacy and security build on the very many existing and evolving components ESFRI clusters, edugain, national AAI federations, NGIs, IGTF, SCI, SirTFi, design, test and pilot any missing components integrate them with existing working flows 10

11 AARC Authentication and Authorisation for Research and Collaboration Two year project 19 funded plus 2 unfunded partners Coordinated by the Amsterdam Office NRENs, e Infrastructure providers and Libraries as equal partners About 3M euro budget Starting date 1 May,

12 AARC/REFEDS/GN4 Working together AARC Requirements REFEDS Anchored in real use cases Pilot AARC technical and policy findings Training Pre existing design work Federation Operators expertise Validate AARC finding GN4 Develop business case (P1) Costing Supply chain Pilot the deployment (P2) edugain Incorporate (P2, P3) 12

13 AARC Goals OUTREACH and TRAINING To lower entry barriers for organisations to join national federations To improve penetration of federated access TECHNICAL and POLICY Work To develop an integrated AAI built on production services (i.e. edugain) To define an incident response framework to work in a federated context To agree on a LoA baseline for the R&E community To pilot new components and best practices guidelines in existing production services 13

14 Training Activities Training for IdPs Directly focusing on research use cases, engaging their local researchers and their requirements Encourage them to harmonize through best practices Expand coverage of national identity federations, supporting institutions with low levels of technical or organisational preparedness Architectures for integrated/interoperable AAI technical elements needed for the integrated AAI: attribute frameworks and deployable web & non web technologies Support for guest IdPs Risk based models for AAI solutions GÉANT, Jim Buddin GRNET, Christos Kanellopoulos

15 Technical pilots Pilots on integrated R&E AAI Introduction of attribute management services Access to R&E + commercial services Guest services Build PoCs together with the community SURFnet, Paul & Niels van Dijk Demonstrate production worthy pilots that have a sustainability model e.g. adoption by the GEANT services activity, run by the research community, or by the e Infrastructures Facilitate researchers to collaborate in a secure and trusted virtual research environment

16 Policy and best practice harmonization Policy and Best Practices harmonisation collate a level of assurance framework for SPs: where we already have DP CoC, R&S EC for IdPs: express reasonably achievable assurances for AAs and communities: a new domain consistent handling of security incidents (in edugain &c) scalable policy expression and negotiation identify policies needed for attribute aggregation policy & security to enable the integration of attribute providers and of credential translation services support models for (inter)federated access (i.e. how are we going to sustain something scalable once AARC is over? guidelines to enable exchange of accounting data Nikhef, DavidG

17 Bob Jones (CERN) April 2014

18 Bob Jones (CERN) April 2014

19 Bob Jones (CERN) April 2014