federation-dieter


Authorization and Authentication
Infrastructure
Daan Broeder & Dieter Van Uytvanck
Max Planck Institute for Psycholinguistics
[email protected]
CLARIN-NL Info Session
Nijmegen
2009-07-01
Overview
www.clarin.eu

• CLARIN and the holy grail
• Traditional Federations
• AAI prototype
• Planning
CLARIN and the Holy Grail (1)
• A researcher authenticates at his/her own organization and creates a “virtual” collection of resources from different repositories.
CLARIN and the Holy Grail (2)
• Browsing a catalogue, searching through metadata, or searching in resource content.
• A workflow specification tool to process this virtual collection with possibly a mix of home-grown and remote service components.
• Resulting data can be added to the origin repositories (with the “virtual” collection).
• For our domain this is very ambitious and challenging, but even a partial realization is worthwhile!
Traditional Federations (1)
From a local user store to a traditional federation…
[Diagram: three stages, labelled Local (browser B, HTTP, SP, DB), External (browser B, HTTP, SP, LDAP) and Federation (browser B, HTTP, SP, IdP backed by LDAP, SAML over HTTP between SP and IdP)]
Traditional Federations (2)
[Diagram: pairs of IdPs and SPs within one federation]
CLARIN AAI prototype (1)
[Diagram: six IdP/SP pairs grouped in an (Identity) Federation]
CLARIN AAI Prototype (2)
• 7 Service Providers:
  • INL, Meertens Instituut, MPI
  • IDS, DFKI, BBAW
  • CSC / U Helsinki
• 3 national Identity Federations:
  • SurfFederatie (NL)
  • DFN (DE)
  • HAKA (FI)
AAI prototype agreements
• Two options:
  • One SP signs on behalf of all participating SPs (1xN, preferred)
  • Every SP signs a separate contract with each national Identity Federation (NxN, more fuss but feasible)
Planning
• Before end 2009: prototype federation
  • WP7: contractual issues
  • WP2: technical aspects
• Keep good contacts with GEANT3/TERENA/eduGAIN
• Talks with CSC about implementing a common code of conduct service
Thank you for your attention
CLARIN has received funding from
the European Community's Seventh Framework Programme
under grant agreement n° 212230
Backup slides
References
• http://www.terena.org/activities/tf-emc2/meetings/12/slides/eduGAINstatus.pdf
• http://www2.surfnet.nl/bijeenkomsten/rd2008/sheets/zandbelt.ppt
• http://www.clarin.eu/events/aai-hands-on-workshop
[Diagram: the CLARIN SP exchanges metadata with the national IdFs DFN, HAKA and SurfFederatie; the transport mechanisms shown are “?”, SWITCH system and SMTP]
Include MD about IdPs within national IdF
Push SP metadata to national IdF via protocol as chosen by the specific IdF
With eduGAIN 2.0
[Diagram: the CLARIN SP exchanges metadata with the eduGAIN metadata hub, which in turn exchanges metadata with DFN, HAKA and SurfFederatie]
Include MD about national IdPs in SP MD
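The two metadata slides above describe trust being established through exchanged SAML metadata: the SP learns which IdPs exist (and where their SSO endpoints are) from what the national IdF or the eduGAIN hub publishes, and an SP should only honour assertions from IdPs present in that metadata. The following is an added illustration, not code from the CLARIN project; it parses a constructed SAML 2.0 metadata aggregate (placeholder entity IDs and hostnames, not those of DFN, HAKA or SurfFederatie) with the Python standard library and uses the result as the SP's trust list. The signature check on the aggregate, which real federations rely on, is left out here and noted in a comment.

```python
import xml.etree.ElementTree as ET

MD = "urn:oasis:names:tc:SAML:2.0:metadata"
REDIRECT = "urn:oasis:names:tc:SAML:2.0:bindings:HTTP-Redirect"

# Constructed metadata aggregate modelled on what a national IdF (or the eduGAIN
# metadata hub) publishes. All entity IDs and hostnames are placeholders.
# In production the aggregate is signed by the federation; verify that XML
# signature before trusting anything parsed from it.
AGGREGATE_XML = f"""<md:EntitiesDescriptor xmlns:md="{MD}" Name="urn:example:federation">
  <md:EntityDescriptor entityID="https://idp.example-university.nl/idp/shibboleth">
    <md:IDPSSODescriptor protocolSupportEnumeration="urn:oasis:names:tc:SAML:2.0:protocol">
      <md:SingleSignOnService Binding="{REDIRECT}"
          Location="https://idp.example-university.nl/idp/profile/SAML2/Redirect/SSO"/>
    </md:IDPSSODescriptor>
  </md:EntityDescriptor>
  <md:EntityDescriptor entityID="https://idp.example-institut.de/idp/shibboleth">
    <md:IDPSSODescriptor protocolSupportEnumeration="urn:oasis:names:tc:SAML:2.0:protocol">
      <md:SingleSignOnService Binding="{REDIRECT}"
          Location="https://idp.example-institut.de/idp/profile/SAML2/Redirect/SSO"/>
    </md:IDPSSODescriptor>
  </md:EntityDescriptor>
  <md:EntityDescriptor entityID="https://sp.example-clarin-centre.org/shibboleth">
    <md:SPSSODescriptor protocolSupportEnumeration="urn:oasis:names:tc:SAML:2.0:protocol">
      <md:AssertionConsumerService index="1"
          Binding="urn:oasis:names:tc:SAML:2.0:bindings:HTTP-POST"
          Location="https://sp.example-clarin-centre.org/Shibboleth.sso/SAML2/POST"/>
    </md:SPSSODescriptor>
  </md:EntityDescriptor>
</md:EntitiesDescriptor>"""


def load_trusted_idps(aggregate_xml: str) -> dict:
    """Return {entityID: HTTP-Redirect SSO location} for every IdP in the
    aggregate. Entities without an IDPSSODescriptor (i.e. SPs) are skipped,
    so an SP entity can never end up in the IdP trust list."""
    root = ET.fromstring(aggregate_xml)
    idps = {}
    for ed in root.iter(f"{{{MD}}}EntityDescriptor"):
        entity_id = ed.get("entityID")
        for sso in ed.iter(f"{{{MD}}}SingleSignOnService"):
            if sso.get("Binding") == REDIRECT:
                idps[entity_id] = sso.get("Location")
    return idps


def is_trusted_issuer(issuer: str, trusted: dict) -> bool:
    """An SP accepts a SAML assertion only if its <Issuer> is one of the IdPs
    listed in the federation metadata it loaded."""
    return issuer in trusted


if __name__ == "__main__":
    trusted = load_trusted_idps(AGGREGATE_XML)
    for entity_id, location in trusted.items():
        print(entity_id, "->", location)
```

The same loader serves both pictures on the slides: without eduGAIN it would be run once per national IdF aggregate and the dictionaries merged; with the eduGAIN 2.0 hub a single aggregate already contains the IdPs of all participating federations.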
Beyond the Traditional Federations: SPO
[Diagram: six IdP/SP pairs alongside a Service Provider Federation/Organization]
AAI Issues & Challenges (1)
• CLARIN is not an IdF
  • Our intended clientele is too widespread
  • No special IdP configuration can be expected
  • So, only an SP organization relying on national IdFs
• What forms the SP organization (w.r.t. AAI)?
  • LRT Community
  • Standard contracts with the (national) IdFs
  • Common set of CCs / licenses
  • Attribute requirements
  • Shallow versus deep federation
  • SPs specify auditing level
  • No penalties
AAI Issues & Challenges (2)
• Attribute harmonization
• eduGAIN solves it all?
• WAYF (& WFAYF)
• AAI software
  • Shibboleth and SimpleSAMLphp
  • Is there more needed?
• Guest accounts for the homeless
AAI Issues & Challenges (3)
• SSO for client applications
  • E.g. downloading distributed virtual collections
• SSO for web services
  • Deal with workflows chaining web services from different providers
• SSO when dealing with CCs, 3 options:
  • Leave it to the SP
  • User attribute (~ IdP)
  • Separate service, external attribute authorities
• Use of GRID resources
  • Data GRID & Compute GRID
eduGAIN confederation
• Connect national AAI on a pan-European level
• GEANT (2,3) workgroup: TF-EMC2
• CLARIN: excellent use case!
CLARIN Federation Infrastructure
CLARIN wants to be an LR&T “service federation”
• simplified and unified rules for licensing, accessing
• agreements with national identity federations
  • must make sure all necessary attributes are available
• cater also for A&A
  • of non-web applications
  • and web services
• interaction with GRID AAI
[Diagram: LRT Service Providers and eJournal Service Providers each hold trust agreements with the national Identity Federations]
DAM-LR EU project (1)
Small EU project (2005-2007) on archive integration of 4 partners
• corpus/computational linguistics and endangered language documentation
• Resource discovery: sharing a single metadata set for searching & browsing
• Authentication & Authorization: single user identity, single sign-on by using Shibboleth.
• Referencing and citing “archived resources” using a single persistent identifier system.
DAM-LR EU project (2)
• Experiences:
  • Standard eduPerson attribute set is probably sufficient (but CCs …)
  • Shibboleth is nice when using web applications, but applications need access too!
  • Shibboleth is efficient when dealing with groups, e.g. staff, student, … But our domain also has to deal with individuals => store user IDs in authorization records
  • DAM-LR was a federation of both IdPs & SPs; CLARIN aims at a much larger potential user group whose home organizations do not want to run a CLARIN-specific IdP => use the national IdFs
Applications need Authentication too
User scenario: copying resources from different repositories to the local machine.
[Diagram: an IMDI copier application on the user's machine fetches from archiveA and archiveB, each behind a Shibboleth-protected Apache, with the IdP alongside]
The application speaks only HTTP with basic authentication. It does not understand the form-based authentication employed by the Shib. IdP.
The application is also not able to profit from the SSO over archives.
Possible solution: use certificates for authentication, obtained by SLCS. (But can the auth. handshake be mimicked by software?)
Searching through annotations
Content search in one archive: no problem (check single DB)
[Diagram: MPI Archive with Auth DB, Search service, DB/SE and IdP; CHAT, Shoebox and EAF annotation files go through parsers that “normalize” the structural format]
Searching through annotations
Federative search scenario
[Diagram: the IdP provides AuthN; a specialized web portal queries the Search service of the MPI Archive and of Archive B, each with its own AuthZ DB and DB/SE; CHAT, Shoebox and EAF annotation files go through parsers that “normalize” the structural format]
The web portal app would like to act on behalf of the user and access the search services.
Licenses & Code of conducts 1
[Diagram: the user's browser, authenticated at the IdP, accesses SPa and SPb, each with its own CC DB]
The SP requires a signed CC and takes care of this, but only for its own domain.
This can break the SSO if the user is required to sign the same CC several times.
CLARIN will harmonize the CCs and licenses to a limited number.
Licenses & Code of conducts 2
[Diagram: the user's browser, SPa, SPb and the IdP, with the CC DB now attached to the IdP]
Store the CC DB info in the user attributes at the IdP (cf. SWITCH uApprove).
But how does it get there?
• Special app?
• Not every IdP will/can run this
Licenses & Code of conducts 3
[Diagram: the user's browser, SPa, SPb, the IdP and a separate CC service with its own CC DB]
Create a special CC service. This is part of the SPF, independent of the IdFs.
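Two points on the preceding slides lend themselves to one worked sketch: the DAM-LR experience that group attributes alone are not enough, so individual user IDs have to be stored in authorization records, and the third CC option, a central CC service shared by all SPs so that a user signs each harmonized CC once and SSO is not interrupted at every SP. The code below is an added illustration written for this page, not CLARIN's or DAM-LR's software. The eduPerson attribute names are the standard ones; the principals, the CC identifier and the resource names are constructed placeholders.

```python
from dataclasses import dataclass, field
from typing import Dict, Optional, Set, Tuple

# Constructed attribute sets, as an SP receives them from the user's home IdP
# after SSO. eduPerson attribute names are real; all values are placeholders.
ALICE = {"eduPersonPrincipalName": "alice@example-university.nl",
         "eduPersonAffiliation": ["staff"]}
BOB = {"eduPersonPrincipalName": "bob@example-institut.de",
       "eduPersonAffiliation": ["student"]}
CAROL = {"eduPersonPrincipalName": "carol@example-institut.de",
         "eduPersonAffiliation": ["student"]}
CC_ACADEMIC = "cc:example-academic"   # one of the harmonized CCs (placeholder id)


@dataclass
class AuthzRecord:
    """Authorization record of one resource at one SP: group access via
    eduPerson affiliations plus individually listed principals (the DAM-LR
    lesson), and the harmonized CC the user must have accepted, if any."""
    resource: str
    allowed_affiliations: Set[str] = field(default_factory=set)
    allowed_principals: Set[str] = field(default_factory=set)
    required_cc: Optional[str] = None


class CCService:
    """Central code-of-conduct service shared by all SPs of the service
    provider federation (the third option on the slides). A user accepts each
    harmonized CC once; every SP asks this service instead of keeping its own
    CC DB, so the user is not sent through the same CC again at each SP."""

    def __init__(self) -> None:
        self._accepted: Dict[str, Set[str]] = {}

    def accept(self, principal: str, cc_id: str) -> None:
        self._accepted.setdefault(principal, set()).add(cc_id)

    def has_accepted(self, principal: str, cc_id: str) -> bool:
        return cc_id in self._accepted.get(principal, set())


def authorize(attrs: dict, record: AuthzRecord, cc: CCService) -> Tuple[bool, str]:
    """Decide access for one request at an SP; returns (allowed, reason)."""
    principal = attrs.get("eduPersonPrincipalName")
    if not principal:
        # Without a stable identifier neither individual grants nor CC
        # acceptance can be tied to the user: deny rather than guess.
        return False, "no eduPersonPrincipalName released by IdP"
    affiliations = set(attrs.get("eduPersonAffiliation", []))
    in_group = bool(affiliations & record.allowed_affiliations)
    listed = principal in record.allowed_principals
    if not (in_group or listed):
        return False, "neither an allowed affiliation nor listed individually"
    if record.required_cc and not cc.has_accepted(principal, record.required_cc):
        return False, f"CC {record.required_cc} not yet accepted"
    return True, "access granted"


if __name__ == "__main__":
    service = CCService()
    corpus = AuthzRecord("SPa:corpus", allowed_affiliations={"staff"},
                         allowed_principals={"bob@example-institut.de"},
                         required_cc=CC_ACADEMIC)
    print(authorize(ALICE, corpus, service))   # denied until the CC is accepted
    service.accept("alice@example-university.nl", CC_ACADEMIC)
    print(authorize(ALICE, corpus, service))   # granted
```

Because the CC acceptance is keyed on the principal and the harmonized CC id rather than on the SP, a second SP whose resource requires the same CC gets a positive answer from the service without a second signing step, which is exactly the SSO break the first CC slide describes.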
AAI Planning (1)
• Training courses for AAI: support of SimpleSAMLphp, Shibboleth
AAI Planning (2)
• Centers should make their policies explicit:
  • Integration of SP with AAI
  • IdP support for their users
• Is there potential for a “fire brigade”?
  • Help with configuration & integration
  • MPG (RZG) does something there, who else?
• Contracts with national IdFs (WP7)
  • What role has eduGAIN?
What's next?
• SLCS with SURFnet (preliminary research)
• Direct interaction with GEANT 3 (May 5/6)
• Talks with CSC about implementing a CC service