Authentication and Authorization Infrastructures in e-Science (and the role of NRENs)
Christoph Witzig, SWITCH
e-IRG, Helsinki, Oct 4, 2006
2006 © SWITCH
Outline
• Introduction
  ● SWITCH
  ● AAIs and e-Science
• Case study SWITCHaai
  ● As an example for the role of an NREN in e-Science
• Interoperability AAI - Grid
• The broader picture in Europe
• Summary
e-IRG Helsinki Oct 4, 2006
SWITCH - Teleinformatikdienste für Lehre und Forschung
• Foundation (non-profit organization)
• located in Zurich
• 70 employees
Network
Security
• CERT
Middleware
• AAI
• Mobile
• PKI
• Grid
NetServices
• Video conferencing
• Streaming
• collaboration tools
Internet Identifiers
• Domain name registration
• .ch and .li
AAI in e-Science
• AAIs solve the old problem of access control to resources
• There are various technologies in use - their usefulness depends on the underlying infrastructure:
  • Crusader Castle
  • League of Nations
  • Federations
Crusader Castle
Appropriate for few, non-mobile users
Crusader Castle
[Diagram: University A (Student Admin, Web Mail, e-Learning), Library B (e-Journals, Literature DB) and University C (Research DB, e-Learning); every resource runs its own User Administration, Authentication and Authorization, and the user holds separate credentials for each resource]
Drawbacks:
• Tedious user registration at all resources
• Unreliable and outdated user data at resources
• Different login processes
• Many different passwords
• Many resources not protected due to difficulties
• Often IP-based authorization
• Costly implementation of inter-institutional access
League of Nations
Standardized Credentials (International Conference on Passports 1920)
[Diagram: University A (Student Admin, Web Mail, e-Learning) and University C (Research DB, e-Learning); a Passport Issuer (CA) issues X.509 credentials; User Administration, Authentication and Authorization still take place at the resource]
• User registration process with CA
• User has to manage credential
• User has one credential to present to resources
• authN and authZ at resource
• Standard use in grids (IGTF)
• Delegation mechanism
Federated Identity Management
[Diagram: University A (Student Admin, Web Mail, e-Learning), Library B (e-Journals, Literature DB) and University C (Research DB, e-Learning); User Administration and Authentication stay at the home institution, Authorization takes place at the resource]
Benefits:
• No user registration and user data maintenance at resource needed
• Single login process for the users
• Many new resources available for the users
• Enlarged user communities for Provider
• Efficient implementation of inter-institutional access
• Privacy
Shibboleth:
• open source
• internet2
• SAML based
• Web-based Single Sign-on
• authN at Identity Provider
• authZ at Service Provider based on user’s attributes as provided by IdP
• Introduction
• Case Study SWITCHaai
  ● As an example for the role of an NREN in e-Science
• Interoperability AAI - Grid
• The broader picture in Europe
• Summary
SWITCHaai
• Need for a national AAI infrastructure identified in 2001
• Problems:
  ● How to agree on one AAI implementation?
  ● How to introduce a national AAI in a highly fragmented higher education sector?
  ● How to formally agree on a federation policy in a country with a very strong federalist tradition?
• Today about 160’000 (75%) of the members of the Swiss higher education and research sector have SWITCHaai accounts.
• About 10’000 users regularly access about 100 resources.
• Examples of resources are e-learning, e-Journals, software distributions, v-conf and others.
SWITCHaai Project Timeline
[Timeline 2001-2007: Study (Architecture, Evaluation, Shibboleth), followed by Pilot Operation, followed by Production Operation]
Stakeholders involved:
• Working groups and sub-projects between universities’ IT services, researchers and SWITCH
• Co-operative work to have all stakeholders involved
Federations
Federation = a group of organizations that agree on a common set of rules and standards with the goal to cooperate in inter-organizational authentication, authorization and accounting
Funding
[Chart of funding / costs over 2000-2010: Pilot Phase funded by SWITCH & universities; Project Phase funded by federal grants; Operational Service funded by tariffs]
• SWITCH has applied for federal grants in the name of the Swiss Universities
• Grants have to be used for AAI projects and with matching funds strategy
• Introduction
• Case study SWITCHaai
• Interoperability AAI - Grid
• The broader picture in Europe
• Summary
Why Interoperability AAI - Grid?
For AAI Federations:
• Add grid resources to federation
For Grids:
• Add huge user base
For Users:
• Simpler management of credentials
• Easy access to grids
For e-Science:
• Unified user base (campus network)
• Bring stakeholders together (NRENs - Grids)
SWITCH and EGEE-II
• SWITCH joined EGEE-II: Interoperability gLite - Shibboleth
• Focus is on
  ● Interoperability (NO replacement for X.509)
• Key Concepts:
  ● Home institution of the user should be the Identity Provider
  ● Home institution provides some attributes
  ● But VO is needed for (grid specific) attributes
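The federated model on the earlier slide (authN at the Identity Provider, authZ at the Service Provider on IdP-provided attributes) and the key concepts above (home institution as IdP, VO supplying the grid-specific attributes) are illustrated by the following added example. It is not code from the presentation, SWITCHaai, Shibboleth or gLite: the issuer names, keys, attribute values and subjects are constructed, and an HMAC over canonical JSON stands in for the XML Signature a real SAML assertion carries. What it shows is the decision structure: the resource never registers the user, it checks that the assertion comes from a trusted issuer and is intact, and for a grid resource it requires a second, VO-issued assertion about the same subject before granting a grid role.

```python
import hashlib
import hmac
import json
from typing import Optional

# Constructed identifiers and keys (not real SWITCHaai or EGEE values).
IDP_ID = "https://idp.example-university.ch/idp"
VO_ID = "example-vo"
ALICE = "alice@example-university.ch"

# Trusted issuers, as a federation's metadata would list them. In Shibboleth the
# verification key is an X.509 key from metadata; an HMAC key is used here instead.
IDP_KEYS = {IDP_ID: b"idp-demo-key"}
VO_KEYS = {VO_ID: b"vo-demo-key"}


def _sign(payload: dict, key: bytes) -> str:
    """Sign a canonical JSON encoding of the payload (stand-in for XML Signature)."""
    canonical = json.dumps(payload, sort_keys=True, separators=(",", ":")).encode()
    return hmac.new(key, canonical, hashlib.sha256).hexdigest()


def issue_assertion(issuer: str, subject: str, attributes: dict, key: bytes) -> dict:
    """What an IdP (or a VO attribute authority) hands to the resource."""
    payload = {"issuer": issuer, "subject": subject, "attributes": attributes}
    return {"payload": payload, "signature": _sign(payload, key)}


def verify_assertion(assertion: dict, trusted_keys: dict) -> Optional[dict]:
    """Return the payload if the issuer is trusted and the signature holds, else None."""
    payload = assertion["payload"]
    key = trusted_keys.get(payload["issuer"])
    if key is None:
        return None  # issuer not part of the federation
    if not hmac.compare_digest(_sign(payload, key), assertion["signature"]):
        return None  # attributes altered after issuance
    return payload


def authorize_sp(assertion: dict, allowed=("staff", "student")) -> bool:
    """Service Provider policy: authZ on the affiliation attribute supplied by the IdP."""
    payload = verify_assertion(assertion, IDP_KEYS)
    if payload is None:
        return False
    affiliations = set(payload["attributes"].get("eduPersonAffiliation", []))
    return bool(affiliations & set(allowed))


def authorize_grid(idp_assertion: dict, vo_assertion: dict, role="analysis") -> bool:
    """Grid resource policy: home IdP attests the identity, the VO attests the grid role."""
    idp = verify_assertion(idp_assertion, IDP_KEYS)
    vo = verify_assertion(vo_assertion, VO_KEYS)
    if idp is None or vo is None:
        return False
    if idp["subject"] != vo["subject"]:
        return False  # VO membership must refer to the same identity
    if not authorize_sp(idp_assertion):
        return False  # still a member of the home institution
    return role in vo["attributes"].get("voRoles", [])


def tamper(assertion: dict, **attrs) -> dict:
    """Copy an assertion and change attributes without re-signing (demo helper)."""
    forged = json.loads(json.dumps(assertion))
    forged["payload"]["attributes"].update(attrs)
    return forged


# Constructed sample assertions for one user.
ALICE_IDP = issue_assertion(
    IDP_ID, ALICE,
    {"eduPersonAffiliation": ["student", "member"], "homeOrganization": "example-university.ch"},
    IDP_KEYS[IDP_ID])
ALICE_VO = issue_assertion(VO_ID, ALICE, {"voRoles": ["analysis"]}, VO_KEYS[VO_ID])

if __name__ == "__main__":
    print("SP access:", authorize_sp(ALICE_IDP))
    print("Grid access:", authorize_grid(ALICE_IDP, ALICE_VO))
    print("Forged VO role:", authorize_grid(ALICE_IDP, tamper(ALICE_VO, voRoles=["admin"])))
```

The two checks are deliberately separate: the Service Provider decides on attributes the home institution is authoritative for, while grid-specific rights come only from the VO, which is the point of "Home institution provides some attributes, but VO is needed for grid-specific attributes". Binding the two assertions by subject prevents a VO assertion for one user from being combined with another user's IdP login.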
Interoperability gLite - Shibboleth
[Diagram: interoperability between gLite and Shibboleth]
• Introduction
• Case study SWITCHaai
• Interoperability AAI - Grid
• The broader picture in Europe
• Summary
AAIs in Europe
• There are many AAI efforts underway in Europe; normally they are tied to NRENs
• eduGAIN:
  – Within GEANT2
  – Interoperability between AAIs
  – Architecture of Bridging Elements between Federations
  – Based on SAML
  – Bridging Element to Shibboleth is being developed by SWITCH
Interoperability Efforts Grid - AAIs
• Various interoperability efforts Grid - AAIs underway
  – UK, MAMS, GridShib
  – Prerequisite: rather well established AAI federation
• Approach varies (depending on requirements):
  – Web-based Portals as Gateway to Grid
  – Command line
  – IGTF accreditation
Conclusions
• National AAIs aim to interconnect campus networks
  ● Single log-on experience for the user
  ● Enable the user to access many resources
• AA mechanism of Grids is based on X.509 certificates
• Benefits of interoperability between these national AAIs and grid infrastructure(s) (on national and European scale)
  ● User: simple access to many resources
  ● e-Science: connect the largest audience possible
• SWITCH:
  ● SWITCHaai: operate a Shibboleth-based AAI in production mode
  ● gLiteShib: contribution to EGEE-II