VOPaaS Virtual Organisation Platform as a Service

VOPaaS Virtual Organisation Platform as a Service
Marina Adomeit, Task Leader, AMRES, Serbia
Niels Van Dijk, Technical Lead, SURFnet, The Netherlands
FIM4R meeting, Nov 30, 2015, Austria

About VOPaaS in GÉANT
- The GÉANT project is Europe's leading collaboration on network and related infrastructure and services for the benefit of research and education.
- The majority of GÉANT members operate Identity Federations, and GÉANT operates the eduGAIN interfederation.
- GÉANT members also collaborate to design and deliver services.
- In order to support the uptake of federated technologies and enable more communities to use eduGAIN, GÉANT initiated a task offering hosted federation services.
- Federation as a Service (FaaS) is a service aimed at federation operators. The service offering is a hosted federation metadata registry connected to the eduGAIN MDS.
- VO Platform as a Service (VOPaaS) offers a simple, consistent way of offering and using federated services for virtual organisations, including group management and attribute authorities.

VO Platform as a Service
Goal: Investigate the conditions that would allow GÉANT to provide services to support Virtual Organisations
Focus on delivery of Technical services
Out of scope:
- Technical development
- Policy & LoA development
Activities:
- Gather requirements and priorities with/from communities
- Look at existing tools and technologies
- Look into delivery model
- Investigate business case & sustainability
- Operations and Market

Virtual Organisations and AAI
- Access to resources (or Services) often needs to be managed, and therefore requires authentication and authorization.
- When using Federated Authentication in R&E, the identity is managed at the Home Institution. The Identity Provider (IdP), operated by the Home Institution, authenticates the user towards a Service Provider (SP).
- Identity Federations provide trust frameworks between Service Providers and Institutions.
- Interfederation, such as eduGAIN, emerged from the need to interconnect national identity federations.
- For international collaborations, federated AAI based on eduGAIN looks like an extremely useful infrastructure to build on.

Virtual Organisations and AAI
- Authorization is about specifying access rights to a Service.
- To be able to grant access, a Service needs information beyond Authentication.
- In Identity Federations this information is often conveyed using attributes.
- Often attributes from the Home Organisation alone are not enough: VO related Services need attribute information in the context of the VO.
- VOs therefore need to be able to manage and provide attribute and group information towards Services, independently from the Home Organisation.

Requirements for building on Federated AAI as a VO
- The FIM4R paper (April 2012) was one of the first to articulate collective requirements for using Federated AAI for VOs.
- Many VOs have chosen to build their AAI infrastructure on the national and eduGAIN infrastructures.
- Identity Federations and Identity Providers are, however, traditionally focused on campus use cases, which introduces a number of challenges for VOs in leveraging Federated AAI.
- VOPaaS has performed a survey among several small and large pan-European VOs to (re-)validate the FIM4R requirements.
- From the results of this survey, functional requirements were analyzed, and a number of services were proposed to be put in place to support VOs on a pan-European level.

VOPaaS Market Analysis
Interviews and desk study conducted with:
- Umbrella (Large neutron and photon facilities)
- CLASSe (Shared IaaS)
- DARIAH (Humanities)
- CERN (High Energy Physics)
- CLARIN (Humanities and social sciences)
- Virtual Campus Hub (elearning, Renewable Energy)
- ELIXIR (Life Sciences, Bioinformatics)
- GÉANT (NREN collaboration)
- VAPIRE
Broad NREN/federation participation: AMRES, CESNET, DFN/LRZ, GARR, IUCC, NIIF, RENATER, SUNET, SURFnet, SWITCH
Market Analysis: http:///projects/geant_project_gn4-1/deliverables/d9-2_market-analysis-for-virtual-organisation-platform-as-a-service.pdf

VOPaaS Market Analysis Results

Functional requirements for VOPaaS
Functional requirements identified:
- Persistent Identifier - Allow the VO to identify the user even if (s)he changes IdP
- VO Membership Registry - To become members of the VO a certain workflow must be followed
- External Identities - Many VO users will not be in eduGAIN
- Attribute Management - Attributes beyond the IdP are needed for VO roles and rights, or to provide extra context (e.g. ORCID, Grant number)
- Group Management - Groups may also be used to define roles and rights
- (De)provisioning - Identity, attributes and groups need to be provided to Services
- Service Proxy and Attribute Aggregation - A centralised infrastructure to operate on behalf of the VO Service Providers

Deployment model
Basic Services:
- Operated by GÉANT
- Multi tenant service
- Also for VOs that are not legal entities
- Operated as a (set of) Services
Advanced Services:
- Operated by GÉANT on behalf of a VO
- Single tenant service
- Somebody (a legal entity) must take responsibility for that data
- Operates as per-VO applications on VM boxes

Basic Services
VO Membership service:
- Registry for VO persistent Identifier
- VO specific workflows for onboarding
- Limited set of attributes
- Accessible through eduGAIN & TEIP
Transparent External Identity Proxy (TEIP):
- One persistent (SAML) IdP for many Guest Identity Providers, including:
  - Social (Google, Twitter, LinkedIn, Facebook)
  - NREN operated & commercial Guest IdPs (OpenIDP, UnitedID.org, eduid.se)
  - eGov (STORK)
  - BankID
- Provides LoA: eIDAS by default, others upon request from SP
- Available and accessible through eduGAIN
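The functional requirements (persistent identifier, membership workflow, external identities, VO attributes and groups, deprovisioning, service proxy with attribute aggregation) and the TEIP level-of-assurance rule above fit together in one small model. The following is an added example written for this page, not code from the VOPaaS project or from any of the tools it names (COmanage, SaToSa, HEXAA, PERUN, OpenConext). Every entityID, attribute name, scope and sample assertion in it is constructed; the eIDAS levels low/substantial/high are real, the `min_loa` policy key and `voPersonID` attribute are this example's own names.

```python
"""Toy VO membership registry plus attribute-aggregating SP proxy (added example, constructed data)."""
import secrets
from dataclasses import dataclass

# eIDAS assurance levels, lowest first; an SP policy may require a minimum level.
LOA_RANK = {"low": 0, "substantial": 1, "high": 2}


@dataclass
class Assertion:
    """Authentication result received from an upstream IdP (home IdP or the external-identity proxy)."""
    issuer: str        # entityID of the IdP that authenticated the user
    subject: str       # IdP-scoped identifier (e.g. eduPersonPrincipalName or a social account id)
    attributes: dict   # attributes released by that IdP
    loa: str = "low"   # level of assurance asserted upstream


class VORegistry:
    """Membership registry: persistent VO identifiers, linked external identities, VO attributes and groups."""

    def __init__(self, vo_scope):
        self.vo_scope = vo_scope
        self.members = {}   # vo_id -> {"status", "attributes", "groups"}
        self.links = {}     # (issuer, subject) -> vo_id

    def enrol(self, assertion):
        """Onboarding step 1: create a pending member and link the authenticating identity to it."""
        vo_id = f"{secrets.token_hex(8)}@{self.vo_scope}"   # opaque: survives a change of home IdP
        self.members[vo_id] = {"status": "pending", "attributes": {}, "groups": set()}
        self.link(vo_id, assertion)
        return vo_id

    def approve(self, vo_id, approver):
        """Onboarding step 2: a VO administrator activates the membership."""
        self.members[vo_id]["status"] = "active"
        self.members[vo_id]["attributes"]["approvedBy"] = approver

    def link(self, vo_id, assertion):
        """Link a further identity (new home IdP, guest IdP via TEIP) to the same persistent member."""
        self.links[(assertion.issuer, assertion.subject)] = vo_id

    def set_attribute(self, vo_id, name, value):
        self.members[vo_id]["attributes"][name] = value   # VO-managed, independent of the home org

    def add_to_group(self, vo_id, group):
        self.members[vo_id]["groups"].add(group)

    def deprovision(self, vo_id):
        """Deprovisioning: the member keeps its identifier but loses status and group entitlements."""
        self.members[vo_id]["status"] = "removed"
        self.members[vo_id]["groups"].clear()

    def resolve(self, assertion):
        return self.links.get((assertion.issuer, assertion.subject))


class ServiceProxy:
    """SP proxy: merges home-IdP attributes with VO data and applies the SP's access policy."""

    def __init__(self, registry):
        self.registry = registry

    def release(self, assertion, sp_policy):
        """Return (attributes, "ok") for the SP, or (None, reason) when access is denied."""
        vo_id = self.registry.resolve(assertion)
        if vo_id is None:
            return None, "identity not linked to any VO member"
        member = self.registry.members[vo_id]
        if member["status"] != "active":
            return None, f"membership {member['status']}"
        if LOA_RANK[assertion.loa] < LOA_RANK[sp_policy["min_loa"]]:
            return None, f"assurance {assertion.loa} below required {sp_policy['min_loa']}"
        group = sp_policy.get("required_group")
        if group and group not in member["groups"]:
            return None, f"not a member of group {group}"
        # Aggregation: VO-managed values override same-named home-IdP values; add VO id and groups.
        merged = {**assertion.attributes, **member["attributes"],
                  "voPersonID": vo_id, "isMemberOf": sorted(member["groups"])}
        # Minimal disclosure: release only the attributes this SP is entitled to.
        return {k: v for k, v in merged.items() if k in sp_policy["attributes"]}, "ok"


def demo():
    """Walk one member through onboarding, two linked identities, and deprovisioning (constructed data)."""
    reg = VORegistry("example-vo.eu")
    proxy = ServiceProxy(reg)
    home = Assertion("https://idp.university-a.example/saml", "alice@university-a.example",
                     {"mail": "alice@university-a.example", "displayName": "Alice"}, loa="substantial")
    social = Assertion("https://teip.example/google", "alice.social@gmail.example",
                       {"displayName": "Alice (Google)"}, loa="low")
    sp = {"entity_id": "https://wiki.example-vo.eu/sp", "min_loa": "substantial",
          "required_group": "data-curators",
          "attributes": ["voPersonID", "mail", "orcid", "isMemberOf"]}
    results = {}
    vo_id = reg.enrol(home)
    results["before_approval"] = proxy.release(home, sp)
    reg.link(vo_id, social)
    reg.set_attribute(vo_id, "orcid", "0000-0000-0000-0000")   # placeholder ORCID, not a real one
    reg.add_to_group(vo_id, "data-curators")
    reg.approve(vo_id, "vo-admin@example-vo.eu")
    results["home"] = proxy.release(home, sp)
    results["social"] = proxy.release(social, sp)                       # same member, LoA too low
    results["social_low_loa_sp"] = proxy.release(social, {**sp, "min_loa": "low"})
    reg.deprovision(vo_id)
    results["after_deprovision"] = proxy.release(home, sp)
    return vo_id, results


if __name__ == "__main__":
    for step, outcome in demo()[1].items():
        print(step, "->", outcome)
```

The two points the walk-through makes: the same opaque `voPersonID` is released whether the member arrives through the home IdP or the social identity behind the TEIP, so the SP never has to re-key on an IdP-scoped subject; and the guest identity is still refused by an SP that demands eIDAS "substantial", because the proxy compares the asserted level against the SP policy before aggregating anything.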

Advanced Services
- (advanced) Attribute Management - Whatever you can come up with
- (advanced) Group Management - Groups in groups, etc.
- Provisioning - For web and non-web resources, application specific connectors
- Service Proxy and Attribute Aggregation - To have a central point for technology and policy
- Accessible through eduGAIN & extidp
- May be delivered as a paid service

Tools
Basic Services:
- VO Membership service: COmanage
- Transparent External Identity Proxy (TEIP): SaToSa
Advanced Services:
- Attributes and Groups: HEXAA, PERUN and COmanage
- SP Proxy: OpenConext

VOPaaS membership registration functional design 14

VOPaaS TEIP functional design 15

VOPaaS Future
2015:
- Market Analysis
- Cost Benefit Analysis & Business Model
- Deploy pilot platform
Q1 2016:
- Run pilots with Basic Services, in collaboration with AARC
- Interested to have your VO participating in the pilot? Contact us: marina@amres.ac.rs, niels.vandijk@surfnet.nl
- Support application integrations
2016:
- Production service for Basic Services
- Deploy Pilots for Advanced Services
- Possibly: pick up new services as developed within GEANT, AARC or others

Thank you
This work is part of a project that has applied for funding from the European Union's Horizon 2020 research and innovation programme under Grant Agreement No. 691567 (GN4-1).