Building Interoperable AAI For Researchers

https://aarc-project.eu
Authentication and Authorisation for Research and Collaboration
Licia Florio
EUDAT Conference
Building Interoperable AAI For Researchers
25 Jan 2018, Porto
AARC Project Coordinator
GÉANT

•Present building blocks and policy frameworks to
build interoperable AAI for research
collaborations
•Results based on the AARC project work
• Work driven by research collaborations requirements
•Get some inputs from you J
2
Aim of this session

https://aarc-project.eu 3
The project
3
• EC-funded project
• AARC (2015-2017),
• AARC2 started in Apr 2017 and will end in 2019
• 25 Partners: NRENs, research and
e-Infrastructure providers as equal
partners
• Focus on enabling FIM for eScience
• https://aarc-project.eu/
Watch the AARC video to find out more

What AARC wants to achieve?
Improve adoption of FIM – Promote FIM key aspects, leverage
identity providers outside the academic boundaries and
deliver training modules.
Address eScience requirements – Deliver a blueprint
architecture and a number of building blocks to meet eScience
requirements.
Offer support for global policies – Work on and sponsor the
development of key policy frameworks that aim to add
additional ‘flavours’ to eduGAIN.
Make results sustainable – Pilot results in production
environments and ensure that pilots operations and, security
and policy frameworks rest with r/e-infrastructures.

Main focus of AARC for the next two years
• Promote and get inputs on AARC results
• Address authorisation aspects
• Work on assurance and combined levels
• Build a policy toolkit for r-infras
• Consolidate AARC as the neutral platform to
bring together r/e-infra to align polices
• Consolidate the engagement with r-infras
• Pilot proposed solutions and present them to
other research collaborations

Project Management & Sustainability Training and Outreach
Policy & Best Practice
Harmonisation
Engagement Group for Infrastructures
Community Engagement Forum
Integrated AAI
development
Use Cases, Pilots & AAI
Integration Support
Workpackages
In
Research
Communities
Use Cases
Delivery
Platforms
Research Communities
Research/e-
Infrastructures
Integration
Use-cases
The AARC project

Requirements

Federated Identity Management for Research
oAccess services using identities from their Home
Organizations when available.
o Secure integration of guest identity solutions and
support for stronger authentication mechanisms when
needed.
o Access to various services based on the role(s) the users
have in the collaboration.
o Requirement for one persistent identity across all
community services when needed.
o Ease of use for users and service providers. The
complexity of multiple IdPs/Federations/Attribute
Authorities/ - technologies should be hidden.

AARC Blueprint Architecture – Requirements 2015
11
Non-web-
browser
Guest
users
Persistent
Unique Id
Credential
translation
Attribute
Aggregation
Attribute
Release
Levels of
Assurance
Community
based AuthZ
Social & e-Gov
IDs
Step-up
AuthN
User Managed
Information
User
Friendliness
Incident
Response
Best
Practices
Credential
Delegation
SP
Friendliness

AARC Blueprint Architecture – Requirements 2017
11
Non-web-
browser
Guest
users
Persistent
Unique Id
Credential
translation
Attribute
Aggregation
Attribute
Release
Assurance
Frameworks
Community
based AuthZ
Social &
e-Gov IDs
Step-up AuthN
User Managed
Information
User
Friendliness
Incident
Response
Best
Practices
Credential
Delegation
SP
Friendliness

How to build an AAI for researchers

eduGAIN – A global network of academic identities
o Allows researchers to use ONE digital
identity to access MANY services and
resources available in eduGAIN
o Access to resources based on the
user’s affiliation
oAuthZ happens @services/resources
o Users’ group memberships are not
know by users’ institutions !

Typical Use-Case supported by eduGAIN

AARC Blueprint Architecture - Enabling an ecosystem of solution on top of
eduGAIN
o A Blueprint Architecture for
authentication and authorization
o A set of architectural and policy
building blocks on top of
eduGAIN
o eduGAIN and the Identity
Federations
o A solid foundation for federated
access in Research and
Education

AARC Blueprint Architecture
https://aarc-project.eu/architecture/

The Blueprint Architecture Components
End Services
• Web vs non-web services
• Interactive vs autonomous
• SAML vs OIDC vs OAuth2 vs digital
certificates
https://aarc-project.eu/architecture

The User Identity Layer
• Identity proofing, credential issuance,
authentication
• Academic IdPs (eduGAIN)
• Certification Authorities (IGTF)
• Govermental eIDs (eIDAS)
• Social Network (Google, Facebook etc)
• Multiple protocols/technologies
• SAML, digital certificates, OIDC etc.

Identity Access Management
• Proxy & Token Translation Services
• Administrative, policy and technical
boundary
• Integration of multiprotocol IdPs and SPs
• IdP Discovery
• User Consent
• Integration of external group
management systems
• Account Linking
• Unique Identifiers
• LoA

User Attribute Services
• Managing and providing information
(attributes) about users
• Group membership, scientific
community roles
• Group management systems
• Operated by or on behalf of the
scientific community
• User enrolment and management
• Access rights, AUP etc.

Authorisation
• Delegation of complex authorisation
decisions to central components
• Typically authorisation based on:
• Group membership
• User roles
• Entitlements
• Affiliations
• LoA

AARC BPA Implementations
21

https://aarc-project.eu/blueprint-architecture/ Guidelines and support documents
• Best practices for managing authorisation
• Expressing group membership and role information
• Scalable attribute aggregation
• Implementation of token TTS
• Credential delegation
• Non-web access
• Social media IdPs
• Use cases for account linking
• Use cases for LoA elevation via step-up authentication

https://aarc-project.eu/workpackages/policy-
harmonisation/
Policy recommendations & frameworks
• Security Incident Response Trust Framework for
Federated Identity – Sirtfi (see also the MooC)
• Scalable Negotiator for a Community Trust Framework
in Federated Infrastructures – Snctfi
• Recommendations on Minimal Assurance Level
Relevant for Low-risk Research Use Cases
• Differentiated LoA recommendations for policy and
practices of identity and attribute providers
• Recommendations and template policies for the
processing of personal data by participants in the pan-
European AAI

Examples of AARC BPA deployments

EUDAT B2ACCESS Service
• Enables communities to use
federated identities to access
EUDAT services
• Connects to eduGAIN to enable
users use their existing accounts
at their home organisations
• Supports social ID logins and
integration with token
translations services for enable
non-web access
• Communities can connect their
community management
systems as Attribute Authorities

EGI Check-In Service
EGI services
non-web access

INDIGO AAI
services using OIDC
non-web access

GÉANT eduTEAMS
• A suite of services to support
research collaboration
• Built on top of eduGAIN, takes
full advantage of federated AAI
•Simplifies the management of
group and authorization
information
•Enables the integration of users
and services from a wide range
of environments
•Supports for Social IDs using the
identity Hub

NA1 – Project Management & Sustainability NA2 –Training and
Outreach
NA3 –Policy & Best
Practice
Harmonisation
Engagement Group for Infrastructures
Community Engagement Forum
JRA1 –Integrated AAI
development
SA1 –Use Cases, Pilots &
AAI Integration Support
Workpackages
In
Research
Communities
Use Cases
Delivery
Platforms
Research Communities
Research/e-
Infrastructures
Integration
Use-cases
The AARC project

AARC Engagement Group for Infrastructures
31
• Representatives from research and e-
Infrastructures who operate AAI services
for the communities they support
• A communication channel with and
across the infrastructure providers
• Promote a consistent vision for federated
access
• Facilitate activities so that infrastructures
adopt and implement harmonised
solutions and avoid ’re-inventing the
wheel”

How do make all this secure ?

Two policy frameworks
33

Security is important for Researchers!
We must protect:
•Their identities
•Their research data
Why Sirtfi ?
Image credit GEANT

Historically, researchers have been protected by security
policies and operations within their closed communities

eduGAIN allows researchers to access services beyond their
closed community, and enables external identities to access
community owned resources

Sirtfi is a framework to provide security within identity
federations and interfederation, so that researchers remain
protected outside their closed community

Why is incident response difficult in identity federations?
The SP has the logs I
need to investigate an
incident
Only the IdP is able to
contact this user, I need
their help
This is all outside my
job description…
How can I contact
security at an IdP?
Federation 3
Federation 1
Federation 2
S
P
S
P
S
P
S
P
S
P
S
P
S
P
S
P
S
P
S
P
IdP
IdP
IdP
IdP
IdP

The SCI document formed the basis for the
Security
Incident
Response
Trust Framework for
Federated
Identity
This framework has been approved by the REFEDS Community and registered as an assurance
profile by the Internet Assigned Numbers Authority (IANA)
https://www.iana.org/assignments/loa-profiles/loa-profiles.xhtml
39
A Security Incident Response Trust Framework

What is Sirtfi?
• Require that a security incident response capability exists with sufficient
authority to mitigate, contain the spread of, and remediate the effects of
an incident.
Operational Security
• Assure confidentiality of information exchanged
• Identify trusted contacts
• Guarantee a response during collaboration
Incident Response
• Improve the usefulness of logs
• Ensure logs are kept in accordance with policy
Traceability
• Confirm that end users are aware of an appropriate AUP
Participant Responsibilities

Adoption
• 247 entities
• 19 Federations
• https://technical.edugain.org/entities

Find out more
https://refeds.org/sirtfi
https://www.youtube.com/watch?v=EuXrzCjuXDw
&t=17s
https://refeds.org/sirtfi

Added Value for SPs

Why should I adopt Sirtfi?
I should adopt Sirtfi to advertise that I am a secure service (to
encourage IdPs to trust me), and to broadcast my security
contact information
Added value for SPs

Why should IdPs adopt Sirtfi?
I would like IdPs to adopt Sirtfi so that I can identify trustworthy
sources of identity to grant access to my critical infrastructure,
and to provide a contact point for incident handling
45
Added value for SPs

Snctfi

• A research community wants to use R&E federation IdPs (eduGAIN)
• But they have many distributed research community SPs
• And they do not all want to (or cannot) join a national identity federation
• A popular way of joining the two worlds together is via an SP/IdP Proxy
• Acts as an SP in the eduGAIN world
• Acts as an IdP for the research community
• see AARC Blueprint Architecture
• But still have to establish trust between the eduGAIN IdPs and the research community
• Or between Infrastructures
• SP/IdP Proxy wishes to assert:
• REFEDS Research and Scholarship
• GÉANT data protection code of conduct
• REFEDS Sirtfi
• How can we build such scalable trust?
- > Snctfi
47
A classic FIM4R use case – “Research Communities and eduGAIN”

Flow of attributes and trust – via SP/IdP Proxy
Picture from GEANT – eduGAIN
Attribute flow
Trust flow

Snctfi: aiding Infrastructures achieve policy coherency
Graphics inset: Ann Harding and Lukas Hammerle, GEANT and SWITCH
Develop recommendations for an Infrastructure’s coherent policy setü
allow SPIdP Proxies to assert ‘qualities’, categories, based on assessable trustü
Snctfi
Scalable Negotiator for a Community Trust
Framework in Federated Infrastructures
• Derived from SCI, the framework on
Security for Collaboration among Infrastructures
• Complements Sirtfi with requirements on internal consistent
policy sets for Infrastructures
• Aids Infrastructures to assert existing categories to IdPs
REFEDS R&S, Sirtfi, DPCoCo, …

• Abstract: identifies operational and policy requirements to help establish trust between an
Infrastructure and identity providers either in an R&E Federation or in another Infrastructure,
in each case joined via a Service Provider to Identity Provider proxy
• The target audience: intended for use by the personnel responsible for the management,
operation and security of an Infrastructure and those wishing to assess its trustworthiness
• Snctfi version 1
• An output of the EU H2020 AARC project
• Published on 26 Apri 2017
• https://aarc-project.eu/policies/snctfi/
• Peer-review and assessments – future work
• Interoperable Global Trust Federation (IGTF)
• https://www.igtf.net/snctfi/
• EGI Security Policy Group – together with AARC2
• Working on two “Community” security policies – to implement requirements of Snctfi
50
Snctfi - the new Trust and Policy Framework

Snctfi infrastructure requirements, a summary
• State common security requirements: AAI, security, incident and vulnerability handling
• Ensure constituents comply: through MoUs, SLA, OLA, policies, or even contracts, &c
Operational Security
• Awareness: users and communities need to know there are policies
• Have an AUP covering the usual
• Community registration and membership should be managed
• Have a way of identifying both individuals and communities
• Define the common aims and purposes (that really helps for data protection …)
User Responsibilities
• Have a data protection policy that binds the infrastructure together, e.g. AARCs
recommendations or DP CoCo
• Make sure every ‘back-end’ provider has a visible and accessible Privacy Policy
Protection and Processing of Personal Data

How does AARC work fit in EOSC?

The Life Science AAI Pilot

Thank you
Any Questions?
© GÉANT on behalf of the AARC project.
The work leading to these results has received funding from the European Union’s Horizon 2020 research and innovation programme under Grant Agreement No. 730941 (AARC2).
Christos.Kanellopoulos@geant.org, Licia.Florio@geant.org

Building Interoperable AAI For Researchers

Recommended

Recommended

More Related Content

What's hot

What's hot (8)

Similar to Building Interoperable AAI For Researchers

Similar to Building Interoperable AAI For Researchers (20)

More from EUDAT

More from EUDAT (20)

Recently uploaded

Recently uploaded (20)

Building Interoperable AAI For Researchers