EGI Community Forum 2014
Paul van Dijk presented at the EGI Community Forum in Helsinki how OpenConext can be deployed to support and enhance scientific cooperation. Among other things he went into the wishes and requirements of scientific collaboration in the field of authentication and authorization. OpenConext is particularly suitable for centralized management of users of cooperative organizations.
OpenConext: Authentication & Authorization Infrastructure for Virtual Research Communities
1. Authentication & Authorization Infrastructure for Virtual Research Communities
Paul van Dijk, SURFnet
Alexandre Bonvin, WeNMR
2. SURFnet: the Dutch NREN
• SURFnet is the Dutch National Research & Education Network (NREN)
- Services, innovation, knowledge
- Not for profit
- Task organisation of Stichting SURF = ICT collaboration of higher education & research
• A small operation serving a large community:
- 85 employees
- 160 connected institutions
- 1 million end-users
- Turnover 35 million Euro; 1/3 innovation subsidies
7. WeNMR VRC
How to deal with Authentication?
For the end-user
• How to provide as easy as possible access
• Use institutional account
• Single Sign-On to all kinds of NMR resources
For WeNMR administrators
• How to verify users? (albert.einstein@gmail.com)
• How to deal with the burden of account management?
• How to bridge authentication across domains and resources?
8. AAI for research
observations, questions, challenges
• AAI is one of the cornerstones (or at least a key starting point) for international collaboration and system integration
• Ever growing space ... with many issues
• More than technique and engineering → policies, procedures and a lot of human interaction (!)
• Can we build on existing building blocks?
9. The Netherlands: research apps
[Diagram: SURFconext ecosystem. Identity Providers (e.g. a university) connect through the SURFconext Authentication Hub, governed by a Trust Framework, to >200 Service Providers (commercial and non-commercial) such as Drive and the WeNMR Portal. Example user asserted by the university: Dirk Stap, dirkstap@vu.nl, Staff member, ID#: 2989289283921; the SP stores the released attributes.]
11. WeNMR SSO Drupal module
see: bit.ly/1oc3Gu3
Provides a closed and self-contained solution for everything related to authentication, authorization and accounting for a service, without any need for additional modules or external services.
12. Crossing national borders via eduGAIN
[Diagram: Identity Providers and Service Providers (Knowledge, Help Center, Tutorials, Wiki, Consultancy, Services, Portals, Third-party aggregation, Grid) each connect via SAML to the SURFconext Authentication Hub; the WeNMR VRC is reached through the hub over SAML as well.]
19. OpenConext for Collaborative Organisations
• Groups
• Distributed Services
• Attributes, roles and rights
Groups are core to collaboration
Any collaboration is based on groups. In eScience these groups are dynamic and international.
Distributed Services
COs collaborate around distributed services. Managing and maintaining many SP-IdP interconnections is tough.
Attributes, roles and rights
Roles and rights are based on attributes. COs need very different attributes compared to those provided by the IdPs.
20. How OpenConext helps
• Groups
• Distributed Services
• Attributes, roles and rights
Centralized and external group providers
OpenConext provides a centralized group provider and allows linking external group providers.
Manage services
CO SP and IdP connections can be managed centrally, including Access Policies and Attribute Release Policies.
Attributes
Can be transformed and filtered both at logon and when queried out-of-band.
21. PoC EGI and SURFnet (Q2/Q3) in a SAML world
[Diagram of the attribute flow:
- University (UVK): authenticates the user and adds attributes: Dirk Stap, dirkstap@uvk.nl, Staff member, ID#: 2989289283921
- Collab Organisation: a CO manager verifies authenticity, adds attributes and provides workflows; CO roles: CO-admin, CO-researcher
- Self-asserted attributes: +31(6) 120202020, Skype: DirkStap, LinkedIn: DirkHStap
- keystone: aggregates the attributes and forwards them with the ARP to the SP; attributes are added at logon or by query]
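The flow on slides 20 and 21 (attributes from the home IdP, the CO manager and the user's own profile are aggregated, transformed at logon and then filtered by an Attribute Release Policy before reaching the SP) is modelled below as an added example. This is not OpenConext or SURFnet code: the attribute names follow eduPerson conventions, but the sample user data, the entitlement URNs, the SP entityIDs and the ARP contents are all constructed for the illustration. The security point it makes is that every attribute carries its source, and an ARP names the sources an SP may trust for each attribute, so a self-asserted entitlement never reaches an SP's access decision.

```python
from dataclasses import dataclass


@dataclass(frozen=True)
class Attr:
    """One attribute value together with the party that asserted it."""
    name: str
    value: str
    source: str  # "idp" (home institution), "co" (CO manager) or "self" (user)


# Constructed sample data, loosely modelled on the slide's example user.
IDP_ATTRS = [
    Attr("displayName", "Dirk Stap", "idp"),
    Attr("mail", "dirkstap@example-university.nl", "idp"),  # placeholder domain
    Attr("eduPersonAffiliation", "staff", "idp"),
]
CO_ATTRS = [
    Attr("coRole", "CO-admin", "co"),
    Attr("coRole", "CO-researcher", "co"),
]
SELF_ATTRS = [
    Attr("telephoneNumber", "+31 6 12345678", "self"),
    Attr("skype", "DirkStap", "self"),
]

# Hypothetical entitlement URNs derived from CO roles at logon.
ROLE_TO_ENTITLEMENT = {
    "CO-admin": "urn:x-example:wenmr:admin",
    "CO-researcher": "urn:x-example:wenmr:researcher",
}

# Attribute Release Policy per SP entityID (constructed): attribute name ->
# the sources the SP is allowed to receive it from. Nothing used for access
# decisions lists "self"; attributes absent from the policy are never released.
ARP = {
    "https://portal.example.org/sp": {
        "displayName": {"idp"},
        "mail": {"idp"},
        "eduPersonAffiliation": {"idp"},
        "eduPersonEntitlement": {"co"},
    },
    "https://wiki.example.org/sp": {
        "displayName": {"idp"},
        "eduPersonEntitlement": {"co"},
        "telephoneNumber": {"self"},  # contact detail only, not used for authz
    },
}


def aggregate(*providers):
    """Merge attribute lists from several providers, keeping provenance."""
    return [a for attrs in providers for a in attrs]


def transform(attrs):
    """Derive eduPersonEntitlement values from CO roles; the derived
    attribute inherits the source of the role it came from."""
    out = list(attrs)
    for a in attrs:
        if a.name == "coRole" and a.value in ROLE_TO_ENTITLEMENT:
            out.append(Attr("eduPersonEntitlement", ROLE_TO_ENTITLEMENT[a.value], a.source))
    return out


def release(sp_entity_id, attrs):
    """Apply the SP's ARP: release only listed attributes, and only values
    asserted by a source the policy trusts for that attribute. An SP without
    a policy receives nothing."""
    policy = ARP.get(sp_entity_id, {})
    released = {}
    for a in attrs:
        if a.source in policy.get(a.name, set()):
            released.setdefault(a.name, set()).add(a.value)
    return {name: sorted(values) for name, values in sorted(released.items())}


def logon(sp_entity_id):
    """Attribute set an SP sees at logon after aggregation, transformation
    and ARP filtering."""
    return release(sp_entity_id, transform(aggregate(IDP_ATTRS, CO_ATTRS, SELF_ATTRS)))


def query(sp_entity_id, names):
    """Out-of-band attribute query: same ARP, restricted to the names asked for."""
    return {n: v for n, v in logon(sp_entity_id).items() if n in names}


def has_entitlement(released, entitlement):
    """Access decision an SP would make on the released attributes."""
    return entitlement in released.get("eduPersonEntitlement", [])


if __name__ == "__main__":
    for sp in ARP:
        print(sp, logon(sp))
```

The portal receives the two CO-derived entitlements and no contact details; the wiki receives the self-asserted phone number but not the mail address, and an entitlement the user asserts about themselves is dropped at the hub because no ARP trusts "self" for it.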
22. Conclusion
Authentication infrastructure
• Identity federations: work well on a national level → run-of-the-mill in many countries; UX could be better
• Interfederation: will it scale? Requires a lot of effort → streamline and harmonize procedures, improve discovery of endpoint representatives → on the radar of organizations like REFEDS and GEANT (eduGAIN)
Authorization infrastructure
• Still in development, some solutions/approaches available → collaborate, just do it, run PoCs with the community & improve