T0 Federation Scaling through self service. September, Heath Marks, Manager AAF.

Transcription

1 T0 Federation Scaling through self service September, Heath Marks, Manager AAF.

2 Big responsibility, small footprint The value of the AAF is a shared service for Australian Research and Education We allow our subscribers to undertake self service as much as possible to minimise support workload!

3 Cloud based approaches for easy participation in the AAF Help Desk Support framework Who do the users contact? Tools for Admins so they can self administer Self Defined Set of Attributes & Attribute Release policy Mechanisms for Fine Grained Access Control & Group Mgt Service Availability & Monitoring When IdP & SPs are up/down minimise workload, Some want mechanisms for Identity Assurance maximise value in what we deliver! Mechanisms for providing Access to collaborators not already in the AAF

4 auedupersonsharedtoken edupersonassurance edupersontargetedid mail cn displayname edupersonscopedaffiliatio organisationname AuthenticationMethod edupersonaffiliation edupersonentitlemen Australian Access Federation Inc.

5 Self Service Tool: Federation Registry the central management point for all AAF components, Identity Providers and Service Providers. It is accessible via the web for administrators and REST API for downstream systems

6

7

8

9 FR integrations for the AAF

10 Our TEST federation, please ignore number of down/unmonitored

11 What next? Providing access to collaborators Virtual Home Registry VHR There exists a community of researchers that are unable to take advantage of the services provided by the AAF because they are not a member of, or associated with an Organisation that is a subscriber to the AAF. Telling eresearch service providers that they need to find their own way to provide access to these cohorts is a barrier to adoption. (we have tried it for the last 3 years)..

12 VHR Key Benefits Increased functionality over that provided by the existing Virtual Home Organisation (VHO) Removal of technical and financial barriers to on-board small research groups into the federation Improved speed at which researchers will be able to gain access to federated services (removing technical barriers faced by smaller research groups and organisations wanting to gain access to federated services)

13 VHR Key Users 1. Small cohorts of researchers that do not belong to organisations subscribed to the AAF (e.g. research bodies) 2. Commercial researchers (that usually partner with AAF subscribers) 3. Citizen researchers that are associated with an AAF subscribed organisation 4. International researchers associated with an AAF subscribed organisation.

14 VHR - Deliverables 1. A complete user self-service web interface to request accounts, manage passwords, reset forgotten passwords 2. A mechanism for 2 factor authentication 3. Workflow and administrative interface for domain leaders to manage users 4. Workflow and administrative interfaces for supplying higher Levels of Identity Assurance to end users (2 nd identity for some?) 5. Usage reports 6. High availability architecture 7. Full integration into the AAF Federation Registry

15 How else can we self service our stakeholders? - LoIAR Level of Identity Assurance Register Pronounced lawyer Enables the assertion of end users with recognised higher levels of Identity Assurance. This will allow service providers to define the trust levels they require independently of the different IdP implementation states of AAF's subscribers.

16 LoIAR Key Benefits a web user interface that will allow researchers to register and request a higher level of identity assurance. Workflows built into the LoIAR will allow registration authorities (RA) to approve such requests based on personally identifiable information submitted by each researcher. Services can then retrieve researcher's approved Level of Identity Assurance from the LoIAR service using standard AAF interfaces to aid in access control decisionmaking.

17 LoIAR Key Deliverables web interface, workflow and Attribute Authority documentation for Service Providers defining how to query the LoIAR and perform access control decisions based on the result Development of policies and procedures for Registration Authorities to use when verifying a user s identity

18 End user flow for accessing federated eresearch services Institution Authentication Middleware eresearch Service Providers Authorisation eresearcher services registered in the AAF (owned and managed by Service Providers) Behind the scenes Authentication Institution owned and managed Identity Provider AAF MAGIC happens here

19 What happens when something doesn t work? Institution Authentication Middleware eresearch Service Provider? eresearcher?? eresearch Service Service Desk T3 T1 T2? Local Service Desk T3 T3 AAF Service Desk & Knowledge base

20 We want to further extend AAF capability to meet stakeholder expectations. Initiative Develop services to enable fine grained access control and group management for Service Providers edupersonentitlement Develop cloud-based approaches for participation in AAF Outcome Increased utility of the federation for eresearch services Reduced technical barriers for participation in AAF

21 Future Initiative 1: N ational E S ntitlement ervice Our subscribers would like to see a solution to ease the burden of implementing cross service, finegrained access control with values being transported via the edupersonentitlement attribute.

22 NES Proposed Features A central service that would act as a source of enhanced entitlement data for end users that supplements the existing, reliable personal information about end users that is already supplied from AAF Identity Providers. Entitlements provided by the NES would be able to be assigned to end users by experts in their relevant fields via the NES web front end without the need for involvement of IT helpdesks. Self-assigned entitlements (that are clearly delineated for security purposes) would also be able to be provided via the NES. This would allow users to indicate their interest in specific fields Technically services would see the NES as an Attribute Authority and access data via standard SAML 2 attribute queries after successful login via a users IdP. This work turbo charges the concepts found in our in development LoIAR application.

23 Future Initiative 2: AAF Hosted IdP solution The VHR forms the core interface for this Remove the technical barriers of installing, configuring and managing an IdP Increase our subscriber base to make it easier for new organisations to come on board

24 Web: Initiatives: FR: wiki.aaf.edu.au/federationregistry2/

25 AUEDUPERSONSHAREDTOKEN A unique identifier enabling federation spanning services such as Grid and Repositories.Values of the identifier are generated using a set formula. The value has the following qualities: o Unique o Opaque o Non-targeted o Persistent o Resolvable (only by an IdP that has supplied it) o Not re-assignable o Not mutable (refreshing the value is equivalent to creating a new identity) o Permitted to be displayed o Portable Format is 27 character PEM Base 64 Encoding with URL and Filename Safe Alphabet encoded string from a 160-bit SHA1 hash of a globally unique string. Padding character, =, is removed from the value. Australian Access Federation Inc.