Chair: Josh Howlett, head of trust and identity, Jisc.
The importance of trust and identity to the network continues to grow in step with the rapid expansion in the scale and complexity of delivering services and content to distant users. As a result, the consumers and providers of digital services and content need access to increasingly sophisticated capabilities to make the best of the opportunities offered by the network.
This presents technical and resource challenges to those charged with providing these capabilities. In this session, we explore how Jisc and other organisations and initiatives are responding to the opportunities and challenges faced by institutions.
Running order of talks:
09:15-09:40 - Jisc service update
Speaker: Simon Cooper, trust and identity services group manager, Jisc.
09:40-10:05 - National AAAI pathfinder project
Speaker: Jeremy Yates, UCL.
10:05-10:30 - Better together!
Speaker: Klaas Wierenga, GÉANT.
2. Housekeeping
Please switch your mobile phones to silent.
No fire alarms are scheduled. In the event of an alarm, please follow the directions of NCC staff.
12:45 Networkshop closes. Light lunch (including ‘grab bag’ option).
3. Update on Jisc’s trust and identity services
Simon Cooper, trust and identity operations group, Jisc
4. Agenda
» What services are trust and identity?
» The four services supported
» Update on services and new developments
13/04/2017 Jisc trust and identity services update
5. What services are trust and identity?
»The operations group supports:
› Assent
› Certificate service
› Domain registry service
› UK Access Management Federation
» 1,400 members and customers
»A new fifth service…
6. Assent
»Underlying Moonshot technology - RADIUS and SAML
»Steady uptake
» National Pathfinder project and other big research projects
»Developments:
› Support for Mac clients, UX development, Dynamic Trust Router
»Future - hosting of trust and identity service infrastructures
7. Certificate service
» Ten year anniversary and 700 members
» Over 90,000 certs issued
» Service with QuoVadis since May 2015
› High assurance Extended Validation
› S/MIME for email signing
» Stability - no procurement for at least 2 years
10. Domain registry
» Registry for all .ac.uk and .gov.uk domains
»Over 5,000 .ac.uk and 3,000 .gov.uk
» Online portal available for all domain owners and registrars
»New portal functionality rolled out
»ICANN accreditation?
11. UK Access Management Federation
»10 years of operation
»4,000 entities and 1,100 members
»What’s changed?
»What’s next?
› Technical enhancements, e.g. MDQ (per-entity metadata query) and a self-service portal
› Support for Sirtfi, the Data Protection Code of Conduct and the Research and Scholarship entity category
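The MDQ enhancement mentioned above changes how a service provider obtains federation metadata: instead of downloading and verifying the whole aggregate, it asks a responder for one entity at a time. The following Python is an added example, not code from Jisc or the UK federation; it shows the per-entity request URL (including the {sha1} identifier transform) and the validUntil check a consumer must apply to a response. The responder base URL is hypothetical, the EntityDescriptor is a constructed sample, and XML signature verification, which a real client must also perform, is deliberately left out because it needs an XML-DSig library.

```python
import hashlib
import xml.etree.ElementTree as ET
from datetime import datetime, timezone
from typing import Callable, Dict
from urllib.parse import quote

# Hypothetical MDQ responder for illustration; no real federation endpoint is assumed.
MDQ_BASE = "https://mdq.example.ac.uk"
MD_NS = "urn:oasis:names:tc:SAML:2.0:metadata"

# Constructed sample response: one IdP EntityDescriptor as an MDQ responder
# would return it for a per-entity request (the ds:Signature element is omitted).
SAMPLE_IDP = """<md:EntityDescriptor xmlns:md="urn:oasis:names:tc:SAML:2.0:metadata"
    entityID="https://idp.example.ac.uk/idp/shibboleth"
    validUntil="2017-04-20T00:00:00Z">
  <md:IDPSSODescriptor protocolSupportEnumeration="urn:oasis:names:tc:SAML:2.0:protocol">
    <md:SingleSignOnService
        Binding="urn:oasis:names:tc:SAML:2.0:bindings:HTTP-Redirect"
        Location="https://idp.example.ac.uk/idp/profile/SAML2/Redirect/SSO"/>
  </md:IDPSSODescriptor>
</md:EntityDescriptor>
"""


def mdq_url(entity_id: str, base: str = MDQ_BASE, hashed: bool = True) -> str:
    """Build the per-entity request URL used by the MDQ protocol.

    A responder serves one entity's metadata at <base>/entities/<identifier>.
    The identifier is either the percent-encoded entityID itself or the
    "{sha1}" transform: the literal text {sha1} followed by the lowercase hex
    SHA-1 of the UTF-8 entityID, which keeps URL-shaped entityIDs out of the
    path. The braces are reserved characters, so they are percent-encoded too.
    """
    if hashed:
        identifier = "{sha1}" + hashlib.sha1(entity_id.encode("utf-8")).hexdigest()
    else:
        identifier = entity_id
    return base + "/entities/" + quote(identifier, safe="")


def parse_utc(stamp: str) -> datetime:
    """Parse the xs:dateTime form SAML metadata uses (UTC with a 'Z' suffix)."""
    return datetime.strptime(stamp, "%Y-%m-%dT%H:%M:%SZ").replace(tzinfo=timezone.utc)


def parse_entity(xml_text: str) -> Dict[str, object]:
    """Extract entityID, validUntil and SSO endpoints from one EntityDescriptor."""
    root = ET.fromstring(xml_text)
    if root.tag != "{%s}EntityDescriptor" % MD_NS:
        raise ValueError("MDQ response is not a single EntityDescriptor")
    valid_until = root.get("validUntil")
    if valid_until is None:
        # Without validUntil a cached or replayed descriptor could be used
        # indefinitely; federations publish it so consumers can expire it.
        raise ValueError("EntityDescriptor has no validUntil")
    sso = [
        (e.get("Binding"), e.get("Location"))
        for e in root.iter("{%s}SingleSignOnService" % MD_NS)
    ]
    return {"entityID": root.get("entityID"), "validUntil": parse_utc(valid_until), "sso": sso}


def is_current(entity: Dict[str, object], now: str) -> bool:
    """True if the descriptor's validUntil lies in the future relative to `now`."""
    return parse_utc(now) < entity["validUntil"]


def resolve(entity_id: str, fetch: Callable[[str], str], now: str) -> Dict[str, object]:
    """Look up one entity via MDQ and refuse stale or mismatched metadata.

    `fetch` is injected so the example runs offline; in production it is an
    HTTPS GET of the URL, and the returned XML must have its enveloped
    signature checked against the federation signing certificate before any
    of it is trusted (not shown here).
    """
    entity = parse_entity(fetch(mdq_url(entity_id)))
    if entity["entityID"] != entity_id:
        raise ValueError("responder returned metadata for a different entity")
    if not is_current(entity, now):
        raise ValueError("metadata for %s expired at %s" % (entity_id, entity["validUntil"]))
    return entity


def offline_fetch(url: str) -> str:
    """Stand-in for the HTTPS request, returning the constructed sample."""
    return SAMPLE_IDP


if __name__ == "__main__":
    idp = resolve("https://idp.example.ac.uk/idp/shibboleth", offline_fetch, "2017-04-13T09:00:00Z")
    print(mdq_url(idp["entityID"]))
    for binding, location in idp["sso"]:
        print(binding, location)
```

The entityID comparison in resolve matters as much as the expiry check: a responder (or an attacker in the path) answering a request for one entity with a valid, signed descriptor for another would otherwise be accepted.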
12. Liberate – managed IdP (trust and identity services)
»Integrates with Active Directory
» Lowers the barrier to adoption of UK AMF, eduroam and Assent
» Timescales for launch:
› piloting with public libraries
› beta service in early July 2017
› production service September 2017
» Further info: http://ji.sc/managed-idp and liberate@jisc.ac.uk
13. Trust and identity services
»Where are we?
› Stable services in place, fully supported
› Continuous improvement
»How can we be better?
› Technical functionality?
› Policy?
› New products?
» Contact point: TrustAndIdentity@jisc.ac.uk
14. jisc.ac.uk
Questions?
Simon Cooper
Trust & Identity Service Group Manager
Email: simon.cooper@jisc.ac.uk
Services: TrustAndIdentity@jisc.ac.uk
jisc.ac.uk/network/authentication
16. The National AAAI Pathfinder Pilot
A project funded by the Research Councils and Jisc to develop a simplified access and user management service for the UK’s research computing community.
March 2017
17. Why are we doing this?
• The UK National e-Infrastructure is now in a position to greatly simplify its access control infrastructure for a range of services such as cloud, data services, HPC and Grid computing
• Simplified sign-on, reducing the need for multiple credentials
• Flexible deployment models: Assent can be deployed using any model (centralised, distributed, cloud)
• Minimal ongoing management, and specific communities are able to manage it themselves
• Standards based: all protocols are international (IETF) standards
18. Benefits for research communities
• More applications and services can be accessed via a federated identity. Assent extends the range of applications and services that can consume federated identity and improves the security of your services by controlling access to resources.
• Lower operational costs, by using existing infrastructure to unify all of our trust technologies. This reduces the cost and time to create new services and minimises the administration associated with providing secure user access to resources.
• Builds on existing technologies. Assent builds on the technologies that underpin eduroam and the UK Access Management Federation services.
• The UK can federate efficiently with non-UK and international projects that use other access control technologies such as X.509 certificates. The need for federated identity management to support research and promote collaborations is widely recognised.
19. Pathfinder AAAI Project - Sep 2016 to June 2017
The pilot combines three components:
• Jisc’s Assent service, to provide users with a common single sign-on mechanism that integrates with institutional identity management systems to confirm a researcher’s identity, and with its peer systems overseas.
• Existing virtual organisation (VO) systems, such as EPCC’s SAFE management infrastructure.
• A high assurance network and two-factor authentication, where appropriate, for secure data access and transport, e.g. Jisc’s SafeShare service.
The outputs will be secure and very secure versions of a common AAAI application which integrates Assent and SAFE. This will also be able to federate with SAML and X.509 identity management systems, which is a requirement for international collaborations.
20. The pilots
• A series of pilots will produce common prototype applications and services that facilitate the Authentication, Authorisation and Accounting Infrastructure (AAAI)
• These pilots will demonstrate:
  • Successful use of a common AAAI in the field for Engineering, Physical Sciences and Medical Health research
  • Successful use of a common AAAI in the context of HEI service delivery
  • Successful use of a common AAAI when federating with international services and research projects
• This common AAAI will include services to facilitate secure data access for health, government and business data
• A technical architecture and business case will be produced to construct and operate a National AAAI Service, which will facilitate a common AAAI for all NeI projects in the RCUK domain. It will enable secure access and use by third parties such as government and business.
21. What is it made of?
• Users will be provided with a common interface and single sign-on features.
  • This will use institutional HR data to confirm a researcher’s identity.
  • This is the Jisc Assent service.
• We are leveraging existing virtual organisation systems such as the National Service SAFE management infrastructure.
• Data and resources can be securely shared between projects irrespective of researcher location.
  • Where information security is paramount, such as for health and government records, data are automatically encrypted prior to transfer.
  • This is the Jisc SafeShare project.
• Opens the door to integration of the main NeI projects
  • Single sign-on removes a major barrier to access for users
  • Enables hardware to be shared across domains
  • From a service provider perspective this encourages aggregation and pooling of resources
  • Allows cloud and data services to work effectively, efficiently and appropriately
  • You know who I am, what I can do, how I’ll be measured, and where I live
• In addition, the EPCC SAFE framework provides the complementary capabilities of accounting and resource management of computing facilities. This makes it ideal for this pilot.
• The related Jisc SafeShare project will soon provide a higher assurance network and support two-factor authentication for projects requiring additional security.
23. Meet the team
• Josh Howlett, Jeremy Yates, Jacky Pallas, Kostas Kavoussanakis, Stephen Booth, Richard Sanders, Gareth Francis, Stefan Paetow, Lydia Heck, Stuart Rankin, David Fergusson, Bruno Silva, Stephen Young, Dugan Witherick, Jens Jensen, Alan Real, Andrew Sansum, Mark Parsons
• Jisc, EPCC, RAL, Durham, eMedLab, Sanger, QMUL, Cambridge, Oxford, Crick
24. Work packages
• Work package 1: Integration of SAFE with Assent
• Work package 2: Local deployment pilot
• Work package 3: Assent integration with virtual organisation infrastructure
• Work package 4: Productisation
25. Outputs
1. A pilot AAAI infrastructure comprising multiple sites and projects, built on existing assets and capabilities, tested in the following production settings:
  • A university HPC ecosystem: University of Oxford
  • A regional HPC ecosystem: N8
  • A national HPC ecosystem: DiRAC
  • A secure ecosystem: eMedLab
2. Demonstration of interoperability with other non-SAFE and non-Assent technologies. This is necessary for gaining access to non-UK resources, e.g. WLCG, ELIXIR, EGI, EUDAT, PRACE.
3. A route towards productisation of the outputs and findings of the pathfinder through a technical architecture and a business case for a future national AAAI.
26. Milestones (reporting point is month end)
• Month 2, WP1.1: Setting up Assent for use at eMedLab, N8 and DiRAC
• Month 3, WP1.2: Identity Provider service prototype completed. Report on use at DiRAC site
• Month 2, WP1.3: Prototype application that combines SAFE and Assent. Report on use at eMedLab and N8
• Month 5, WP2: Report on application of SAFE to managing projects at local HPC facilities
• Month 5, WP3.1: Prototype SAFE+Assent that can use SAML. This will allow virtual organisations to manage authorisation for Assent-based authentication.
• Month 8, WP3.2: Construct a working API that will bridge Assent with other authentication technologies, such as X.509. Report on 3.1 and 3.2 progress.
• Month 10 (final report), WP4.1 and WP4.2: Technical architecture and business case for proposed National AAAI Service
27. Progress (March 2017)
• WP1.1 (completed): Assent set up at Durham and Edinburgh. SAFE and Assent integrated and tested at Durham.
• WP1.2 (completed): Assent IdP set up by EPCC. It can generate attributes without reference to HEIs, which is helpful for non-academic users.
• WP1.3 (delayed): Testing Assent and SAFE in a secure environment and on an OpenStack system. eMedLab, Crick, QMUL and Sanger are installing Assent; the OSP upgrade delayed testing until May 2017.
• WP2 (will start in May 2017): Use Assent and SAFE in an HEI environment.
• WP3.1 (completed): DiRAC SAFE can provide user attributes to Assent. An OpenSAML attribute authority was linked to the SAFE database and can be linked to Assent.
• WP3.2 (started 24 March): Deliver a credential conversion service that enables users with sufficiently high levels of assurance (through their Assent IdP) to obtain a certificate from an IGTF CA.
• WP4.1 and WP4.2 (started): Consultation on business model with NeI PDG and HPC-SIG members.
28. Other opportunities
• Possible test project with ELIXIR (WP3.2)
• Possible test project with the Hartree Centre (WP1.2)
• Possible test project with AWS (WP3.1)
• Possible test project with a second OpenStack service (MRC CLIMB, WP3.1)
29. Proposed architecture
• A composite of three separate but complementary capabilities
  • SafeShare: provides high assurance connectivity using encrypted tunnels; imminent launch of Jisc service
  • Assent: provides secure federated authentication and attributes; a Jisc service with 20 member organisations
  • SAFE: provides accounting, reporting and resource management; software provided by EPCC, some of it supported by funding from Jisc
• A composite service does not have composite users!
• How can we construct a coherent proposition, such that the different stakeholders can deploy and use the respective services without resulting in confusion?
30. Developing the business case
• SAFE delivery model
  1. Would users of SAFE prefer to consume it as packaged software, as Software as a Service, or both?
• Ancillary capabilities
  2. For each delivery model, what ancillary capabilities might be desirable?
  • Packaged software: software development, deployment consultancy
  • SaaS: ???
  • Both: technical support, project management
• Sustainability
  • Assent is currently funded by Jisc
  • SafeShare will be funded by its users through a separate service subscription
  • “SAFE as packaged software” probably implies some form of centralised funding; “SAFE as SaaS” allows for a subscription model
  3. How should a composite service be funded?
31. Summary
• Seven Research Councils and Jisc have committed funding and resource to a National AAAI Pathfinder Pilot
• Benefits to the research community include simplified sign-on (users) and streamlined user management (infrastructure providers)
• The pilot integrates existing services and software and is testing this in a range of environments: university, regional resource, private cloud, industry, international links
• Scale-up and sustainability addressed through a robust evaluation of a business case