Federated Identities and Services: the CHAIN-REDS vision

Co-ordination & Harmonisation of Advanced e-Infrastructures for Research and Education Data Sharing
www.chain-project.eu
proj-office@chain-project.eu
Grant Agreement n. 306819

Federico Ruggieri, GARR/INFN
Joint CHAIN-REDS/ELCIRA Workshop, Cancun, May 2014



Page 2: Federated Identities and Services:  the  CHAIN-REDS vision

Outline

• Introduction
• General information and CHAIN-REDS vision
• Federated Identities and Services
• Major achievements
• The role of NRENs
• Conclusions

Page 3: Federated Identities and Services:  the  CHAIN-REDS vision

Genesis II

Regional e-Infrastructures

Interoperability and ease of access are issues

Coordination & Harmonisation of Advanced eINfrastructures for Research & Education Data Sharing

Page 4: Federated Identities and Services:  the  CHAIN-REDS vision


General information

Co-ordination & Harmonisation of Advanced eInfrastructures for Research and Education Data Sharing

• Research Infrastructures – Support Action
• Grant Agreement n. 306819
• Total Costs of € 2.3 M
• Max. EC contribution: € 1.52 M
• Start date: 1 December 2012
• Duration: 30 Months

Page 5: Federated Identities and Services:  the  CHAIN-REDS vision

Partners and roles

• INFN (IT) – Coordinator
• CIEMAT (ES) – WP4 Leader
• GRNET (GR) – WP3 Leader
• CESNET (CZ) – WP5 Leader
• UBUNTUNET (MW) – Africa
• CLARA (UR) – Latin America
• IHEP (CN) – China
• ASREN (DE) – Arab States
• SIGMA ORIONIS (FR) – WP2 Leader
• C-DAC (IN) – India

Page 6: Federated Identities and Services:  the  CHAIN-REDS vision


Project Strategic Vision

CHAIN-REDS first periodic review, Madrid, January 2014

Promote and support technological and scientific collaboration across different eInfrastructures established and operated in various continents to facilitate their uptake and use by established and emerging Virtual Research Communities (VRCs) but also by single researchers

Not only disseminate, exchange and reinforce the best practices currently adopted in Europe and other continents, but also promote the progress of interoperability among different regional eInfrastructures

Study and define a path towards a global eInfrastructure ecosystem that will allow VRCs, research groups and even single researchers to access and efficiently use worldwide distributed resources

Page 7: Federated Identities and Services:  the  CHAIN-REDS vision

Action lines (1/2)

DCI: Distributed Computing Infrastructure (WP3)

• Provide ongoing support of the DCI road-map for intercontinental DCI collaboration, specified within the CHAIN project

ROC: Regional Operation Centres (WP3)

• Support stability of existing and emerging Regional Operation Centres.

• Cooperate with other projects & initiatives (e.g. AfricaConnect, TEIN3) to support the development of eInfrastructures and key VRCs in Africa, Asia, Latin America and the Middle East

Cloud: Clouds for Research and Education (WP3)

• Support for coordination of Cloud developments for Research & Education with other regions (e.g. China, India, Latin America)

Page 8: Federated Identities and Services:  the  CHAIN-REDS vision

Action lines (2/2)

Data: Data Infrastructures and Repositories (WP4)

• Extend the CHAIN Knowledge Base with information on Data Infrastructures: collecting issues, best practices and identifying data repositories of direct interest for VRCs

• Support the study of data infrastructures for a target subset of VRCs (e.g. Agriculture, Climate Change, Health, Biomedicine, etc.)

SG: Science Gateways (WP5)

• Promote the usage of Science Gateways as a means for attracting new communities and promote the use of eInfrastructures for every researcher

IDF: Federations of Identity Providers (WP5)

• Foster the creation of Identity Federations in cooperation with Certification Authorities; promote and coordinate their usage. Support integration of different AA approaches

Page 9: Federated Identities and Services:  the  CHAIN-REDS vision

Collaborations

Data and Document Repositories

Science Gateways

Deployment of new IdPs

Interoperations and Interoperability

Dissemination

Policy development

Page 10: Federated Identities and Services:  the  CHAIN-REDS vision

How to check the personal Identity (Authentication)?

• Grid Infrastructures use X509 Digital Certificates
  • Highly secure system used also for computers and services
  • Requires a structure of Certification and Registration Authorities that certify the identity and assign Certificates
  • Users need to go through a certification process
  • Services need to manage and recognise certificates

• Why not try to use the identity system of the organisation where the user is affiliated (Identity Providers – IdP)?
  • The user already has a Username/Password or another system he is familiar with.
  • The organisation can authenticate the user with many different methods: Us/Pw, Certificates, Smart Card, Fingerprint, etc.

Page 11: Federated Identities and Services:  the  CHAIN-REDS vision

Identity Federations in the world

• A lot of work still to be done
• 1,000’s Institutions
• 1,000’s Services
• >17 million people

Page 12: Federated Identities and Services:  the  CHAIN-REDS vision

Identity Federations (WP5)

• BoF organised at TERENA conference
• Analysis of the current and alternative AAI mechanisms with a state of the art in the regions addressed by the project – D5.1
• Support for new IdPs

Page 13: Federated Identities and Services:  the  CHAIN-REDS vision

Services

• Federations can’t be only made by IdPs
• Service Providers (SP) are the other fundamental component
• The success of an Identity Federation is not only in the number of IdPs but also in the number of SPs that provide services to the users and make the Federation attractive for new users

Page 14: Federated Identities and Services:  the  CHAIN-REDS vision

eduroam Service


WiFi access across several countries

Page 15: Federated Identities and Services:  the  CHAIN-REDS vision

GÉANT’s eduGAIN goes beyond EU

Map legend: eduGAIN Member; Joining eduGAIN; Candidate Federation; Existing/Pilot Federation; Missing Federation

Page 16: Federated Identities and Services:  the  CHAIN-REDS vision

Authentication is not enough

Services also need to profile the users in order to decide what they are allowed to do (Authorisation).

How can we infer the user’s profile from his Authentication?

We need more info attached to the confirmation of his/her identity.

Diagram labels: First Login (Registration); Create User Profile

Page 17: Federated Identities and Services:  the  CHAIN-REDS vision

Project’s Recommendations (D5.1)

• Eduroam setup
  • Simple but efficient example of Federated Identity use
  • Make Eduroam available through all the regions
• Identity provisioning
  • Set up and operate an IdP
  • Collect experience in setting up IdP (even if shared one)
• Identity Management
  • An often missing piece of IdP setup
  • EU partners technology used as a starting point
• Science Gateway as an IdP service
• Certification Authority through IdP
  • Access to more “standard” services relying on certificates
  • Simple but useful example of a federated service
  • Agreement with Comodo for X.509 widely accepted certificates

Page 18: Federated Identities and Services:  the  CHAIN-REDS vision

CHAIN-REDS recommendations and those of the TERENA AAA Study

The goal of the report has been broken down into two objectives:

1. A collection of users’ access requirements coming from different communities
2. A gap analysis of the existing AAIs used in the realm of research and education, the use-cases they support and the associated challenges

Page 19: Federated Identities and Services:  the  CHAIN-REDS vision


Agreement with Comodo

13 Organisations (11 NRENs); 46 domains validated

Long-term agreement like TERENA TCS under discussion

Page 20: Federated Identities and Services:  the  CHAIN-REDS vision

The GrIDP “catch-all” Federation and its “open” and “social” IdPs

Page 21: Federated Identities and Services:  the  CHAIN-REDS vision

New IdPs (LA, Arab Region, sub-Saharan Africa)

Many of these were deployed in strong collaboration with other projects like eI4Africa and ELCIRA

Page 22: Federated Identities and Services:  the  CHAIN-REDS vision

New Science Gateways (being) developed and supported by CHAIN-REDS

in preparation

Page 23: Federated Identities and Services:  the  CHAIN-REDS vision

The role of NRENs

The NRENs are starting to offer services on top of connectivity. This is a necessary evolution to address the needs of the users and increase the visibility of the NRENs towards the community.

Identity Federations can help increase the number of available services and of users who can access them without needing a different identification for each.

Several issues still need to be solved, and NRENs can contribute by providing requirements, use cases and some software development in an open-source environment.

There is thus a Business Case for NRENs to work on in cooperation with EU and other Regions of the world

Page 24: Federated Identities and Services:  the  CHAIN-REDS vision

Conclusions

• CHAIN-REDS project has successfully progressed during the first year
• It has investigated the advantages and issues related to the Federations of Identity (Deliverable D5.1)
• The project is actively collaborating with TERENA and promoting eduroam and eduGAIN
• CHAIN-REDS has fostered the creation of new IdPs in the regions addressed by the project
• The collaboration with ELCIRA in LA has been particularly significant

Page 25: Federated Identities and Services:  the  CHAIN-REDS vision


Thank you !
