(Re)using existing AAI experiences and future --- AAI Soapbox --- Jens Jensen, STFC-RAL Terena VAMP,...
-
Upload
kadin-brant -
Category
Documents
-
view
217 -
download
4
Transcript of (Re)using existing AAI experiences and future --- AAI Soapbox --- Jens Jensen, STFC-RAL Terena VAMP,...
![Page 1: (Re)using existing AAI experiences and future --- AAI Soapbox --- Jens Jensen, STFC-RAL Terena VAMP, 0-1 Oct 2013.](https://reader035.fdocuments.us/reader035/viewer/2022062620/551a91b3550346b52d8b5e4d/html5/thumbnails/1.jpg)
(Re)using existing AAIexperiences and future
--- AAI Soapbox ---
Jens Jensen, STFC-RALTerena VAMP, 0-1 Oct 2013
![Page 2: (Re)using existing AAI experiences and future --- AAI Soapbox --- Jens Jensen, STFC-RAL Terena VAMP, 0-1 Oct 2013.](https://reader035.fdocuments.us/reader035/viewer/2022062620/551a91b3550346b52d8b5e4d/html5/thumbnails/2.jpg)
Background Question
• ePTID
![Page 3: (Re)using existing AAI experiences and future --- AAI Soapbox --- Jens Jensen, STFC-RAL Terena VAMP, 0-1 Oct 2013.](https://reader035.fdocuments.us/reader035/viewer/2022062620/551a91b3550346b52d8b5e4d/html5/thumbnails/3.jpg)
Why – Basic Advantages
• Meet needs of existing user communities
• Avoiding managing ids and pwds• Build on existing work, e/cyber-
infra• Users get single login (sort of)
![Page 4: (Re)using existing AAI experiences and future --- AAI Soapbox --- Jens Jensen, STFC-RAL Terena VAMP, 0-1 Oct 2013.](https://reader035.fdocuments.us/reader035/viewer/2022062620/551a91b3550346b52d8b5e4d/html5/thumbnails/4.jpg)
Security as a 1st class WP in projects
• Prev: Build first, secure later – afterthought– Still often is…
• AAI designed in from the start– But that requires a usable AAI ready to
integrate– Supported in useful languages (or SOA)– Still hard problems to solve– Inconsistent between
![Page 5: (Re)using existing AAI experiences and future --- AAI Soapbox --- Jens Jensen, STFC-RAL Terena VAMP, 0-1 Oct 2013.](https://reader035.fdocuments.us/reader035/viewer/2022062620/551a91b3550346b52d8b5e4d/html5/thumbnails/5.jpg)
Single Sign-On
• Single “account”• Single password with x-ple
resources• Single login (subject to timeout)
– Typ., 1hr for Shib– Expiry of TGT for K5– Expiry of GSI proxy (typ. 12 hrs)
![Page 6: (Re)using existing AAI experiences and future --- AAI Soapbox --- Jens Jensen, STFC-RAL Terena VAMP, 0-1 Oct 2013.](https://reader035.fdocuments.us/reader035/viewer/2022062620/551a91b3550346b52d8b5e4d/html5/thumbnails/6.jpg)
Single Sign-On
• Pros:– Improves the user
experience– Reduces the password
sharing– Single point to re(set)
password– Password can be
validated
• Cons:– Phishing problem– Serious if cred stolen– Needs X-site trust– LoA not always well
defined– The attribute
problem…
![Page 7: (Re)using existing AAI experiences and future --- AAI Soapbox --- Jens Jensen, STFC-RAL Terena VAMP, 0-1 Oct 2013.](https://reader035.fdocuments.us/reader035/viewer/2022062620/551a91b3550346b52d8b5e4d/html5/thumbnails/7.jpg)
The attribute problem(s)
• Attributes not always suitable for service
• IdP rarely knows AuZ attributes• Consistency of naming values
(schemata)• Users have no control
– Cf. mobile phone apps
![Page 8: (Re)using existing AAI experiences and future --- AAI Soapbox --- Jens Jensen, STFC-RAL Terena VAMP, 0-1 Oct 2013.](https://reader035.fdocuments.us/reader035/viewer/2022062620/551a91b3550346b52d8b5e4d/html5/thumbnails/8.jpg)
The “Account”
• Holds user identity– Identity-related attributes (AuC)
• Holds (sometimes) AuZ attrs/request
• Accounting information, billing• Linked to credential – proof of pos.• Single identifier / single persistent
identifier
![Page 9: (Re)using existing AAI experiences and future --- AAI Soapbox --- Jens Jensen, STFC-RAL Terena VAMP, 0-1 Oct 2013.](https://reader035.fdocuments.us/reader035/viewer/2022062620/551a91b3550346b52d8b5e4d/html5/thumbnails/9.jpg)
Not just true for e-/cyber-I
• Checking into a hotel– Payment (pre or post)– Customer leaves without…
• Paying• Their jewellery
– Process – detailed, brokered
![Page 10: (Re)using existing AAI experiences and future --- AAI Soapbox --- Jens Jensen, STFC-RAL Terena VAMP, 0-1 Oct 2013.](https://reader035.fdocuments.us/reader035/viewer/2022062620/551a91b3550346b52d8b5e4d/html5/thumbnails/10.jpg)
Aye, there’s the rub
• Is the user authorised to access the service?– Has the user paid/can we make the
user pay? (“payment” doesn’t have to be money)
• Can we trace the user if something goes wrong (or very wrong)
![Page 11: (Re)using existing AAI experiences and future --- AAI Soapbox --- Jens Jensen, STFC-RAL Terena VAMP, 0-1 Oct 2013.](https://reader035.fdocuments.us/reader035/viewer/2022062620/551a91b3550346b52d8b5e4d/html5/thumbnails/11.jpg)
The Rub
• How much information do we (RPs) need about the user?
• How do we ensure it is timely and accurate?
![Page 12: (Re)using existing AAI experiences and future --- AAI Soapbox --- Jens Jensen, STFC-RAL Terena VAMP, 0-1 Oct 2013.](https://reader035.fdocuments.us/reader035/viewer/2022062620/551a91b3550346b52d8b5e4d/html5/thumbnails/12.jpg)
Two Approaches
Federations• Policy defined,
processes• MinLoA• RPs and IdPs
Reputations• More unilateral,
doesn’t scale • More ad-hoc
![Page 13: (Re)using existing AAI experiences and future --- AAI Soapbox --- Jens Jensen, STFC-RAL Terena VAMP, 0-1 Oct 2013.](https://reader035.fdocuments.us/reader035/viewer/2022062620/551a91b3550346b52d8b5e4d/html5/thumbnails/13.jpg)
How to build a better user?
• Someone better says something nice– VO, or other trusted – Peers: social
• Reputation• Policies accepted• Higher LoA
![Page 14: (Re)using existing AAI experiences and future --- AAI Soapbox --- Jens Jensen, STFC-RAL Terena VAMP, 0-1 Oct 2013.](https://reader035.fdocuments.us/reader035/viewer/2022062620/551a91b3550346b52d8b5e4d/html5/thumbnails/14.jpg)
How to build a better user?
• Combining known statements
IdP IdP IdP IdPAA AA
![Page 15: (Re)using existing AAI experiences and future --- AAI Soapbox --- Jens Jensen, STFC-RAL Terena VAMP, 0-1 Oct 2013.](https://reader035.fdocuments.us/reader035/viewer/2022062620/551a91b3550346b52d8b5e4d/html5/thumbnails/15.jpg)
How to build a better user?
• Combining known statements
IdP IdP IdP IdPAA AA
Federation Policies P2P trust
![Page 16: (Re)using existing AAI experiences and future --- AAI Soapbox --- Jens Jensen, STFC-RAL Terena VAMP, 0-1 Oct 2013.](https://reader035.fdocuments.us/reader035/viewer/2022062620/551a91b3550346b52d8b5e4d/html5/thumbnails/16.jpg)
Why build a better user?
• “Cloudier”– Less work needed before accessing
privileged resource– (Train and grant) vs (grant and
enforce)• Enable multi-LoA access to
resources
![Page 17: (Re)using existing AAI experiences and future --- AAI Soapbox --- Jens Jensen, STFC-RAL Terena VAMP, 0-1 Oct 2013.](https://reader035.fdocuments.us/reader035/viewer/2022062620/551a91b3550346b52d8b5e4d/html5/thumbnails/17.jpg)
Policies need more work
• Users accept RP AUP… how much is that worth?
• Fed policies: home org says user accepts– Still the education issue
• Combining policies: site, federation, VO
![Page 18: (Re)using existing AAI experiences and future --- AAI Soapbox --- Jens Jensen, STFC-RAL Terena VAMP, 0-1 Oct 2013.](https://reader035.fdocuments.us/reader035/viewer/2022062620/551a91b3550346b52d8b5e4d/html5/thumbnails/18.jpg)
Actual Project Experiences
• Yes, ePTID is a pain in the bum– But it’s what it is for a reason– Workaround requires tighter
integration
EUDAT
Community
Two portals, one presented inside the otherSingle login actually works! Demonstratedwith CLARIN
![Page 19: (Re)using existing AAI experiences and future --- AAI Soapbox --- Jens Jensen, STFC-RAL Terena VAMP, 0-1 Oct 2013.](https://reader035.fdocuments.us/reader035/viewer/2022062620/551a91b3550346b52d8b5e4d/html5/thumbnails/19.jpg)
IdPBridg
e
Yahoo
Umbrella
WAYF
IdP
Auz Svr
DB
Account creationLoA setAttribute update (eg email)
Single SP for all IdPsUniform identity presentedto the fed core (OAuth AS)
![Page 20: (Re)using existing AAI experiences and future --- AAI Soapbox --- Jens Jensen, STFC-RAL Terena VAMP, 0-1 Oct 2013.](https://reader035.fdocuments.us/reader035/viewer/2022062620/551a91b3550346b52d8b5e4d/html5/thumbnails/20.jpg)
Recommendations
• Give users more control over attrs• Introduce multi-LoA• Like data protecion – RPs need
adequate (just-about-good-enough LoA) and relevant data
• Publish data requirements (eg SLAs)– Negotiate (cf WS-AgreementNegotiation)
![Page 21: (Re)using existing AAI experiences and future --- AAI Soapbox --- Jens Jensen, STFC-RAL Terena VAMP, 0-1 Oct 2013.](https://reader035.fdocuments.us/reader035/viewer/2022062620/551a91b3550346b52d8b5e4d/html5/thumbnails/21.jpg)
User Control of Personal Attrs
• Which ones are released from the IdP• How they are being used (and where)• Data protection guarantees
– Not just promises• How they are used once released• Withdraw the rights-of-use• Note the when-is-consent-not-consent
from data protection directive
![Page 22: (Re)using existing AAI experiences and future --- AAI Soapbox --- Jens Jensen, STFC-RAL Terena VAMP, 0-1 Oct 2013.](https://reader035.fdocuments.us/reader035/viewer/2022062620/551a91b3550346b52d8b5e4d/html5/thumbnails/22.jpg)
Compare Contrail use of OAuth
• Delegate rights to obtain credential– With AuZ attrs
• Users access AS to check their delegations
![Page 23: (Re)using existing AAI experiences and future --- AAI Soapbox --- Jens Jensen, STFC-RAL Terena VAMP, 0-1 Oct 2013.](https://reader035.fdocuments.us/reader035/viewer/2022062620/551a91b3550346b52d8b5e4d/html5/thumbnails/23.jpg)
Dramatis Personae
• NRENs, GEANT, eduGain – infrastructure, superfederating, policy
• e/cyber Projects – build• User projects (ESFRI et al) – policy,
integration
![Page 24: (Re)using existing AAI experiences and future --- AAI Soapbox --- Jens Jensen, STFC-RAL Terena VAMP, 0-1 Oct 2013.](https://reader035.fdocuments.us/reader035/viewer/2022062620/551a91b3550346b52d8b5e4d/html5/thumbnails/24.jpg)
Technology View
• Shibboleth– Designed to err on the side of caution– Lacks flexibility in practical
deployments• Moonshot
– Superfederation– Carrying attrs from IdP (org), or from
AA designated by IdP org.
![Page 25: (Re)using existing AAI experiences and future --- AAI Soapbox --- Jens Jensen, STFC-RAL Terena VAMP, 0-1 Oct 2013.](https://reader035.fdocuments.us/reader035/viewer/2022062620/551a91b3550346b52d8b5e4d/html5/thumbnails/25.jpg)
Conclusion• Users are not authoritative for their attrs
– Except for self assertions (cardspace, non-org email)• Users should be able to release and control
– Many users, of course, “just want it to work”• Multi-fed policies, multi-LoA
– Combine in sensible ways: fed, community, site, user• Need for AAAaaS (Piyush Harsh)• Need Community effort
![Page 26: (Re)using existing AAI experiences and future --- AAI Soapbox --- Jens Jensen, STFC-RAL Terena VAMP, 0-1 Oct 2013.](https://reader035.fdocuments.us/reader035/viewer/2022062620/551a91b3550346b52d8b5e4d/html5/thumbnails/26.jpg)
Acks
This work partially funded by the Contrail and EUDAT FP7 projects
Special thanks to: Shiraz Memon, FZJ, GermanyAleš Černivec, XLAB, SloveniaWillem Elbers, MPI, Netherlands