Federated Identities and Services: the CHAIN-REDS vision
Co-ordination & Harmonisation of Advanced e-Infrastructures for Research and Education Data Sharing
Grant Agreement n. 306819
Federico Ruggieri, GARR/INFN
Joint CHAIN-REDS/ELCIRA Workshop, Cancun, May 2014
Outline
• Introduction
• General information and CHAIN-REDS vision
• Federated Identities and Services
• Major achievements
• The role of NRENs
• Conclusions
Genesis II
Regional e-Infrastructures: interoperability and ease of access are issues
General information
Co-ordination & Harmonisation of Advanced eInfrastructures for Research and Education Data Sharing
• Research Infrastructures – Support Action
• Grant Agreement n. 306819
• Total Costs of € 2.3 M
• Max. EC contribution: € 1.52 M
• Start date: 1 December 2012
• Duration: 30 Months
Partners and roles
• INFN (IT) – Coordinator
• CIEMAT (ES) – WP4 Leader
• GRNET (GR) – WP3 Leader
• CESNET (CZ) – WP5 Leader
• UBUNTUNET (MW) – Africa
• CLARA (UR) – Latin America
• IHEP (CN) – China
• ASREN (DE) – Arab States
• SIGMA ORIONIS (FR) – WP2 Leader
• C-DAC (IN) – India
Project Strategic Vision
CHAIN-REDS first periodic review, Madrid, January 2014
• Promote and support technological and scientific collaboration across different eInfrastructures established and operated in various continents, to facilitate their uptake and use by established and emerging Virtual Research Communities (VRCs) but also by single researchers
• Not only disseminate, exchange and reinforce the best practices currently adopted in Europe and other continents, but also promote the progress of interoperability among different regional eInfrastructures
• Study and define a path towards a global eInfrastructure ecosystem that will allow VRCs, research groups and even single researchers to access and efficiently use worldwide distributed resources
Action lines (1/2)
Distributed Computing Infrastructure (WP3) – DCI
• Provide ongoing support of the DCI road-map for intercontinental DCI collaboration, specified within the CHAIN project
Regional Operation Centres (WP3) – ROC
• Support stability of existing and emerging Regional Operation Centres. Cooperate with other projects & initiatives (e.g. AfricaConnect, TEIN3) to support the development of eInfrastructures and key VRCs in Africa, Asia, Latin America and the Middle East
Clouds for Research and Education (WP3) – Cloud
• Support for coordination of Cloud developments for Research & Education with other regions (e.g. China, India, Latin America)
Action lines (2/2)
Data Infrastructures and Repositories (WP4) – Data
• Extend the CHAIN Knowledge Base with information on Data Infrastructures: collecting issues, best practices and identifying data repositories of direct interest for VRCs
• Support the study of data infrastructures for a target subset of VRCs (e.g. Agriculture, Climate Change, Health, Biomedicine, etc.)
Science Gateways (WP5) – SG
• Promote the usage of Science Gateways as a means for attracting new communities and promote the use of eInfrastructures for every researcher
Federations of Identity Providers (WP5) – IDF
• Foster the creation of Identity Federations in cooperation with Certification Authorities; promote and coordinate their usage. Support integration of different AA approaches
Collaborations
• Data and Document Repositories
• Science Gateways
• Deployment of new IdPs
• Interoperation and Interoperability
• Dissemination
• Policy development
How to check the personal identity (Authentication)?
Grid Infrastructures use X.509 Digital Certificates:
• Highly secure system, used also for computers and services
• Requires a structure of Certification and Registration Authorities that certify the identity and assign Certificates
• Users need to go through a certification process
• Services need to manage and recognise certificates
Why not try to use the identity system of the organisation where the user is affiliated (Identity Providers – IdP)?
• The user already has a Username/Password or another system he is familiar with
• The organisation can authenticate the user with many different methods: Us/Pw, Certificates, Smart Card, Fingerprint, etc.
Identity Federations in the world
A lot of work still to be done: 1,000's of Institutions, 1,000's of Services, >17 million people
Identity Federations (WP5)
• BoF organised at TERENA conference
• Analysis of the current and alternative AAI mechanisms with a state of the art in the regions addressed by the project – D5.1
• Support for new IdPs
• Services
Federations can't be made only of IdPs: Service Providers (SP) are the other fundamental component.
The success of an Identity Federation is not only in the number of IdPs but also in the number of SPs that provide services to the users and make the Federation attractive for new users.
eduroam Service
WiFi access across several countries
GÉANT's eduGAIN goes beyond EU
Map legend: eduGAIN Member; Joining eduGAIN; Candidate Federation; Existing/Pilot Federation; Missing Federation
Authentication is not enough
Services also need to profile the users in order to decide what they are allowed to do (Authorisation).
How can we infer the user's profile from his Authentication?
We need more info attached to the confirmation of his/her identity.
Diagram: First Login (Registration) → Create User Profile
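Putting the two slides above together, as an added example that is not the project's own code: a Service Provider trusts the user's home-organisation IdP for authentication, builds a local profile from the asserted eduPerson attributes at first login (registration), and takes its authorisation decisions from that profile rather than from the bare login. The SAML attribute statement, the OID-to-name table, the actions and the policy are constructed for this example, and the assertion's signature is assumed to have been verified already by the SAML stack.

```python
# Added example (not CHAIN-REDS project code): SP-side profiling and authorisation
# from an IdP's attribute statement. Signature verification is assumed done earlier.
import xml.etree.ElementTree as ET

NS = {"saml": "urn:oasis:names:tc:SAML:2.0:assertion"}
# Standard eduPerson/LDAP attribute OIDs mapped to local names.
ATTR_OIDS = {
    "urn:oid:1.3.6.1.4.1.5923.1.1.1.6": "eppn",        # eduPersonPrincipalName
    "urn:oid:1.3.6.1.4.1.5923.1.1.1.1": "affiliation", # eduPersonAffiliation
    "urn:oid:0.9.2342.19200300.100.1.3": "mail",
}
# Constructed sample assertion, as the SP would see it after the IdP confirmed the identity.
SAMPLE_ASSERTION = """<saml:Assertion xmlns:saml="urn:oasis:names:tc:SAML:2.0:assertion">
  <saml:AttributeStatement>
    <saml:Attribute Name="urn:oid:1.3.6.1.4.1.5923.1.1.1.6">
      <saml:AttributeValue>alice@example.edu</saml:AttributeValue></saml:Attribute>
    <saml:Attribute Name="urn:oid:1.3.6.1.4.1.5923.1.1.1.1">
      <saml:AttributeValue>member</saml:AttributeValue>
      <saml:AttributeValue>faculty</saml:AttributeValue></saml:Attribute>
  </saml:AttributeStatement>
</saml:Assertion>"""
# Service-local policy (constructed): which affiliations may perform which action.
POLICY = {"submit_job": {"faculty", "staff"}, "read_data": {"member"}}
profiles = {}  # the SP's own user store, keyed by eppn

def parse_attributes(xml_text):
    """Map known attribute OIDs to their value lists; unknown attributes are ignored."""
    root = ET.fromstring(xml_text)
    attrs = {}
    for a in root.findall(".//saml:Attribute", NS):
        key = ATTR_OIDS.get(a.get("Name"))
        if key:
            attrs[key] = [v.text for v in a.findall("saml:AttributeValue", NS)]
    return attrs

def login(xml_text):
    """First login creates the profile (registration); later logins refresh it."""
    attrs = parse_attributes(xml_text)
    if "eppn" not in attrs or len(attrs["eppn"]) != 1:
        return None  # fail closed: without a unique identifier no profile can be built
    eppn = attrs["eppn"][0]
    is_new = eppn not in profiles
    profile = profiles.setdefault(eppn, {"eppn": eppn})
    profile["first_login"] = is_new
    profile["affiliation"] = set(attrs.get("affiliation", []))
    profile["mail"] = attrs.get("mail", [None])[0]
    return profile

def is_authorised(profile, action):
    """Authorisation comes from the profile's attributes; unknown actions are denied."""
    return bool(profile["affiliation"] & POLICY.get(action, set()))
```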
Project's Recommendations (D5.1)
• Eduroam setup: simple but efficient example of Federated Identity use; make Eduroam available through all the regions
• Identity provisioning: setup and operate an IdP; collect experience in setting up an IdP (even if a shared one)
• Identity Management: an often missing piece of IdP setup; EU partners' technology used as a starting point
• Science Gateway as an IdP service
• Certification Authority through IdP: access to more "standard" services relying on certificates; simple but useful example of a federated service; agreement with Comodo for widely accepted X.509 certificates
CHAIN-REDS recommendations and those of the TERENA AAA Study
The goal of the report has been broken down into two objectives:
1. A collection of users' access requirements coming from different communities
2. A gap analysis of the existing AAIs used in the realm of research and education, the use-cases they support and the associated challenges
Agreement with Comodo
13 Organisations (11 NRENs); 46 domains validated
Long-term agreement like TERENA TCS under discussion
The GrIDP "catch-all" Federation and its "open" and "social" IdPs
New IdPs (LA, Arab Region, sub-Saharan Africa)
Many of these were deployed in strong collaboration with other projects like eI4Africa and ELCIRA
New Science Gateways (being) developed and supported by CHAIN-REDS
(in preparation)
The role of NRENs
The NRENs are starting to offer services on top of the connectivity. This is a necessary evolution to address the needs of the users and increase the visibility of the NRENs towards the community.
The Identity Federations can favour an increase in the number of available services and of the users that can access them without needing a different identification for each.
Several issues still need to be solved, and NRENs can contribute by providing requirements, use cases and some software development in an Open Source environment.
There is thus a Business Case for NRENs to work on in cooperation with the EU and other Regions of the world.
Conclusions
• The CHAIN-REDS project has successfully progressed during the first year
• It has investigated the advantages and issues related to the Federations of Identity (Deliverable D5.1)
• The project is actively collaborating with TERENA and promoting eduroam and eduGAIN
• CHAIN-REDS has fostered the creation of new IdPs in the regions addressed by the project
• The collaboration with ELCIRA in LA has been particularly significant
Thank you!