Federated Identity Management for Research Communities (FIM4R)
David Kelsey (STFC-RAL, UK)
david.kelsey@stfc.ac.uk
Federations Virtual Day, 19 Jun 2013
Who am I?
- Head of Particle Physics Computing at RAL in the United Kingdom
- Lead many Grid Security activities in EGI, WLCG and UK GridPP
  - Both policy development and security operations
- Member of IGTF TAGPMA and EUGridPMA representing WLCG (as relying party)
- A representative of WLCG on FIM4R activities
19 Jun 13 FIM4R, Kelsey 2
Outline
- FIM4R: what is it?
- Why do we want to federate?
- Status and plans
- Working with REFEDS, eduGAIN and GÉANT (GN3plus)
- Lessons learned
Introduction
- FIM4R: Federated Identity Management for Research Collaborations
- An ad-hoc activity that started 2 years ago in Europe
  - To explore and document a joint vision and our common requirements for FIM
  - And describe issues that make progress difficult
- Includes: Climate Science, Earth Sciences, ESA, High Energy Physics, Social Sciences & Humanities, Life Sciences, Neutron & Photon Facilities, WeNMR
  - And open to any others who wish to join
Why federate?
- Separate authentication and authorisation
  - Identification done by home institute
  - Community manages authorisation
- Ease of use
  - User single sign-on
- Ease of management
Workshops and Paper
- 5 workshops to date; link to Mar 2013 agenda (and links therein):
  http://indico.psi.ch/conferencedisplay.py?confid=2230
- April 2012: we prepared a paper that documents use cases, common requirements, a common vision and recommendations
  - Paper: CERN-OPEN-2012-006: https://cdsweb.cern.ch/record/1442597
Common vision statement
A common policy and trust framework for Identity Management based on existing structures and federations either presently in use by or available to the communities. This framework must provide researchers with unique electronic identities authenticated in multiple administrative domains and across national boundaries that can be used together with community defined attributes to authorize access to digital resources.
Common Requirements
- User friendliness
  - Many users use infrequently
- Browser and non-browser federated access
- Bridging between communities
  - Multiple technologies and translators
  - Translation will often need to be dynamic
- Open standards and sustainable licenses
  - For interoperability and sustainability
- Different Levels of Assurance
  - When credentials are translated, LoA provenance to be preserved
- Authorisation under community and/or facility control
  - Externally managed IdPs cannot fulfil this role
- Well defined, semantically harmonised attributes
  - For interoperable authorisation
  - Likely to be very difficult to achieve!
Requirements (2)
- Flexible and scalable IdP attribute release policy
  - Different communities and different SPs need different attributes
  - Negotiate with the identity federation (IdF), not with every IdP, so that agreements scale
- Attributes must be able to cross national borders
  - Data protection/privacy considerations
- Attribute aggregation for authorisation
- Privacy and data protection to be addressed with community-wide individual identities
  - We need to identify individuals
  - E.g. ethical committees can require names, addresses and supervisors before granting access
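The separation the "Why federate?" and requirements slides describe, with LoA provenance preserved through credential translation and community attributes aggregated for the authorisation decision, as an added Python illustration (not code from FIM4R or any federation; the IdP names, groups and LoA labels are constructed):

```python
"""Model of the FIM4R separation: the home institute authenticates, the
community authorises.  Added illustration, not code from FIM4R or any
federation; all identifiers, groups and LoA labels are constructed."""
from dataclasses import dataclass

# Ordered assurance levels (constructed labels, not a real LoA profile).
LOA_RANK = {"low": 1, "medium": 2, "high": 3}

@dataclass(frozen=True)
class IdPAssertion:
    """What the home-institute IdP asserts: who, from where, how strongly."""
    subject: str   # scoped identifier, e.g. user@institute.example
    issuer: str    # the IdP that authenticated the user
    loa: str       # assurance level asserted by that IdP

@dataclass(frozen=True)
class CommunityToken:
    """IdP assertion translated into a community credential; LoA provenance
    (original issuer and level) is carried along, not re-asserted."""
    subject: str
    groups: frozenset
    loa: str
    loa_source: str

# Community-managed attribute authority: membership is the community's
# decision, not the IdP's (constructed sample data).
COMMUNITY_AA = {
    "alice@uni-a.example": {"climate:data-readers", "climate:admins"},
    "bob@lab-b.example": {"climate:data-readers"},
}

def translate(assertion: IdPAssertion) -> CommunityToken:
    """Aggregate community attributes onto the federated identity while
    preserving where the LoA came from (the translation step in the text)."""
    groups = frozenset(COMMUNITY_AA.get(assertion.subject, set()))
    return CommunityToken(assertion.subject, groups, assertion.loa, assertion.issuer)

def authorise(token: CommunityToken, required_group: str, min_loa: str) -> tuple:
    """SP decision: community group AND sufficient assurance are both required."""
    if required_group not in token.groups:
        return False, f"{token.subject} not in {required_group}"
    if LOA_RANK[token.loa] < LOA_RANK[min_loa]:
        return False, f"LoA {token.loa} (from {token.loa_source}) below {min_loa}"
    return True, f"allowed via {required_group} at LoA {token.loa} ({token.loa_source})"

if __name__ == "__main__":
    alice = translate(IdPAssertion("alice@uni-a.example", "idp.uni-a.example", "high"))
    bob = translate(IdPAssertion("bob@lab-b.example", "idp.lab-b.example", "low"))
    print(authorise(alice, "climate:admins", "medium"))
    print(authorise(bob, "climate:data-readers", "medium"))
```

A user unknown to the community attribute authority ends up with no groups and is denied regardless of how strong the home institute's assertion is, which is the point of keeping authorisation under community control.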
Pilot Projects
Addressing e-Researchers' Requirements
Licia Florio, TERENA
florio@terena.org
REFEDS Meeting, 2 June 2013
FIM4R Paper
- The FIM paper highlighted some of the issues that hinder the usage of federated access in the e-Research community:
  - Contains use-cases
  - Presents common requirements
- There is common consensus to work towards increased use of Federated Identity Management within the e-science communities:
  - However, there are a number of use-cases that are not well (or at all) supported by the ID Feds
Roadmap for collaboration
- REFEDS/eduGAIN produced a document to address FIM4R issues:
  - Provides an initial list of prioritised requirements (thanks also to Bob Jones & co.)
  - Addresses some perceived issues
  - Presents proposals to solve some of the challenges
- https://refeds.terena.org/images/3/3e/analysisfimdocumentv0.7.pdf
Approach
- The roadmap IS a joint work of ID Feds and e-Researchers:
  - Identify key projects within the e-research community that REFEDS/GÉANT can liaise with
- Funding: eduGAIN and GN3plus have dedicated budget to carry out some work and do some pilots
  - REFEDS can offer a limited budget
  - Participating e-research projects may use some of their funding?
The Proposals
Selection of areas presented at the FIM4R Workshop:
- Federated access for non-web applications
  - Not really in scope for REFEDS
- Guest IdPs
  - Controversial topic: some people are in favour, some others are against
- Community managed attribute authorities
  - Work is happening in the GN3+ project
  - But maybe also in scope for REFEDS
- Motivating IdPs to release attributes
  - Lots in the REFEDS plan (entity categories, LoA, CoC, etc.)
Lessons learned
- Federating is not easy!
  - Policy is often more difficult than the technical issues
- Many issues
  - Attribute release, scalability of agreements, levels of assurance, non-web applications, the need for an IdP for the homeless, merging attributes
- Very useful to work together
  - Pilot projects are good for focussing on issues
- You are very welcome to join FIM4R
Next steps
- More work on pilot projects
- Work with REFEDS/GÉANT/eduGAIN on agreed Roadmap issues
- Next FIM4R meeting: 30 Sep to 3 Oct 2013, CSC, Finland
  - With VAMP and REFEDS meetings
  - All welcome!
More info
- FIM4R (see this and links therein): http://indico.psi.ch/conferencedisplay.py?confid=2230
- REFEDS: https://refeds.org/
- VAMP: http://www.terena.org/activities/vamp/
Questions?