Authentication and Authorization Infrastructures in e-Science (and the role of NRENs)
Christoph Witzig, SWITCH
e-IRG, Helsinki, Oct 4, 2006
2006 © SWITCH
Outline
• Introduction
  ● SWITCH
  ● AAIs and e-Science
• Case study SWITCHaai
  ● As an example for the role of an NREN in e-Science
• Interoperability AAI - Grid
• The broader picture in Europe
• Summary
SWITCH - Teleinformatikdienste für Lehre und Forschung (telematics services for teaching and research)
• Foundation (non-profit organization), located in Zurich, 70 employees
• Network
• Security: CERT
• Middleware: AAI, Mobile, PKI, Grid
• NetServices: video conferencing, streaming, collaboration tools
• Internet Identifiers: domain name registration for .ch and .li
AAI in e-Science
• AAI solve the old problem of access control to resources
• There are various technologies in use - their usefulness depends on the underlying infrastructure
  ● Crusader Castle
  ● League of Nations
  ● Federations
Crusader Castle
Appropriate for few, non-mobile users
Crusader Castle
(Diagram: University A with Student Admin, Web Mail and e-Learning; Library B with e-Journals and Literature DB; University C with Research DB and e-Learning. Legend: User Administration, Authentication, Authorization, Resource, Credentials.)
✓ Tedious user registration at all resources
✓ Unreliable and outdated user data at resources
✓ Different login processes
✓ Many different passwords
✓ Many resources not protected due to difficulties
✓ Often IP-based authorization
✓ Costly implementation of inter-institutional access
League of Nations
Standardized Credentials (International Conference on Passports 1920)
(Diagram: Passport Issuer (CA) issues X.509 credentials; University A with Student Admin, Web Mail and e-Learning; University C with Research DB and e-Learning. Legend: User Administration, Authentication, Authorization, Resource, Credentials.)
✓ User registration process with CA
✓ User has to manage credential
✓ User has one credential to present to resources
✓ authN and authZ at resource
✓ Standard use in grids (IGTF)
✓ Delegation mechanism
Federated Identity Management
(Diagram: University A with Student Admin, Web Mail and e-Learning; Library B with e-Journals and Literature DB; University C with Research DB and e-Learning, connected through Federated Identity Management. Legend: User Administration, Authentication, Authorization, Resource, Credentials.)
✓ No user registration and user data maintenance at resource needed
✓ Single login process for the users
✓ Many new resources available for the users
✓ Enlarged user communities
✓ Efficient implementation of inter-institutional access
Shibboleth
• open source
• internet2
• SAML
• Web-based Single Sign-on
• authN at Identity Provider
• authZ at Service Provider based on user's attributes as provided by IdP
• Privacy
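The split this slide describes (authentication at the Identity Provider, authorization at the Service Provider on IdP-released attributes, no user registration at the resource) as an added worked example; this is not code from the deck, from SWITCHaai or from Shibboleth. It simulates the exchange with the standard library: a JSON assertion stands in for a SAML assertion, and an HMAC key listed in constructed federation metadata stands in for the IdP signing certificate that real federations distribute in signed metadata (both are assumptions). The entity IDs, the user "alice" and her attributes are constructed; the attribute names follow the eduPerson schema but their values are made up.

```python
import hashlib
import hmac
import json
import time

# Constructed federation metadata: the IdPs this SP trusts and the key used to check
# their assertions. Real SAML federations distribute each IdP's signing certificate in
# signed metadata and assertions carry XML signatures; a shared HMAC key is a stand-in
# (assumption) so that the example runs offline with the standard library only.
FEDERATION_METADATA = {
    "https://idp.university-a.example/idp": {"key": b"idp-a-signing-key"},
    "https://idp.university-c.example/idp": {"key": b"idp-c-signing-key"},
}

# Constructed user directory of University A's IdP. The resource (SP) never sees this
# store: user administration stays at the home institution.
IDP_A_USERS = {
    "alice": {
        "password_hash": hashlib.sha256(b"correct horse").hexdigest(),
        "attributes": {
            "eduPersonAffiliation": ["student", "member"],
            "homeOrganization": "university-a.example",
            "mail": "alice@university-a.example",
        },
    },
}


def idp_issue_assertion(idp_entity_id, signing_key, users, username, password,
                        audience, release=("eduPersonAffiliation", "homeOrganization"),
                        now=None, validity=300):
    """authN at the Identity Provider: check the password, then issue a signed
    attribute assertion addressed to one SP. Returns None if authentication fails."""
    user = users.get(username)
    if user is None:
        return None
    given = hashlib.sha256(password.encode()).hexdigest()
    if not hmac.compare_digest(given, user["password_hash"]):
        return None
    now = time.time() if now is None else now
    # Attribute release policy (privacy): only attributes the SP needs leave the IdP.
    attributes = {k: v for k, v in user["attributes"].items() if k in release}
    body = {
        "issuer": idp_entity_id,
        "audience": audience,
        "not_on_or_after": now + validity,
        "attributes": attributes,
    }
    payload = json.dumps(body, sort_keys=True).encode()
    signature = hmac.new(signing_key, payload, hashlib.sha256).hexdigest()
    return {"payload": payload, "signature": signature}


def sp_verify_assertion(assertion, sp_entity_id, now=None):
    """Checks the SP performs before trusting any attribute: known issuer, valid
    signature, correct audience, not expired. Returns (attributes, None) or (None, reason)."""
    try:
        payload = assertion["payload"]
        body = json.loads(payload)
        issuer = body["issuer"]
    except (KeyError, TypeError, ValueError):
        return None, "malformed assertion"
    if issuer not in FEDERATION_METADATA:
        return None, "issuer not in federation metadata"
    expected = hmac.new(FEDERATION_METADATA[issuer]["key"], payload, hashlib.sha256).hexdigest()
    if not hmac.compare_digest(expected, assertion.get("signature", "")):
        return None, "bad signature"
    if body.get("audience") != sp_entity_id:
        return None, "assertion not addressed to this SP"
    now = time.time() if now is None else now
    if now >= body.get("not_on_or_after", 0):
        return None, "assertion expired"
    return body.get("attributes", {}), None


def sp_authorize(attributes, required_affiliation="member"):
    """authZ at the Service Provider on the IdP-provided attributes; there is no
    local user registration at the resource."""
    return required_affiliation in attributes.get("eduPersonAffiliation", [])


def sso_login(username, password, sp_entity_id, idp_entity_id, now=None):
    """End-to-end: the user logs in once at the home IdP; the SP decides on attributes."""
    assertion = idp_issue_assertion(idp_entity_id, FEDERATION_METADATA[idp_entity_id]["key"],
                                    IDP_A_USERS, username, password, sp_entity_id, now=now)
    if assertion is None:
        return "authentication failed at IdP"
    attributes, reason = sp_verify_assertion(assertion, sp_entity_id, now=now)
    if reason is not None:
        return "rejected by SP: " + reason
    return "granted" if sp_authorize(attributes) else "denied: insufficient affiliation"


if __name__ == "__main__":
    sp = "https://ejournals.library-b.example/sp"
    print(sso_login("alice", "correct horse", sp, "https://idp.university-a.example/idp"))
```

The order of checks in sp_verify_assertion is the point of the example: the SP rejects an unknown issuer before doing any signature work, rejects a tampered or forged assertion before reading its attributes, and refuses an assertion minted for a different SP or one that has expired, so an assertion replayed at the wrong resource or after its lifetime buys nothing. The release filter in the IdP shows why the deck lists privacy as a Shibboleth property: the SP receives the affiliation it needs, not the user's mailbox.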
SWITCHaai
• Need for a national AAI infrastructure identified in 2001
• Problems:
  ● How to agree on one AAI implementation?
  ● How to introduce a national AAI in a highly fragmented higher education sector?
  ● How to formally agree on a federation policy in a country with a very strong federalist tradition?
• Today about 160’000 (75%) of the members of the Swiss higher education and research sector have SWITCHaai accounts.
• About 10’000 users access regularly about 100 resources.
• Examples of resources are e-learning, e-Journals, software distributions, v-conf and others.
SWITCHaai Project Timeline
(Diagram, 2001-2007: Study, then Pilot Operation, then Production Operation; the architecture evaluation selected Shibboleth)
Stakeholders involved
• Working groups and sub-projects between universities' IT services, researchers and SWITCH
• Co-operative work to have all stakeholders involved
Federations
Federation = a group of organizations that agree on a common set of rules and standards with the goal to cooperate in inter-organizational authentication, authorization and accounting
Funding
(Diagram: funding / costs over 2000-2010)
• Pilot Phase: funded by SWITCH & universities
• Project Phase: funded by federal grants
• Operational Service: funded by tariffs
• SWITCH has applied for federal grants in the name of the Swiss Universities
• Grants have to be used for AAI projects and with matching funds strategy
Why Interoperability AAI - Grid?
For AAI Federations (campus network):
• Add grid resources to federation
For Grids:
• Add huge user base
For Users:
• Simpler management of credentials
• Easy access to grids
For e-Science (NRENs - Grids):
• Unified user base
• Bring stakeholders together
SWITCH and EGEE-II
• SWITCH joined EGEE-II: Interoperability gLite - Shibboleth
• Focus is on
  ● Interoperability (NO replacement for X.509)
• Key Concepts:
  ● Home institution of the user should be the Identity Provider
  ● Home institution provides some attributes
  ● But VO is needed for (grid specific) attributes
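The three key concepts above (home institution as IdP, home institution releasing some attributes, VO supplying the grid-specific ones) as an added worked example; this is not code from the deck or from gLiteShib, and the data layout is an assumption rather than any gLite format. A constructed VO registry stands in for a VO attribute service (in gLite this is the role of VOMS); the VO name, resource names, users and policy are made up. The example shows why the IdP's attributes alone cannot authorize a grid action: the resource decision needs the VO's groups and roles, while the VO in turn relies on the home institution to vouch for the user and to release a persistent identifier.

```python
# Constructed VO membership registry, keyed by the persistent identifier the home IdP
# releases (assumption: eduPersonPrincipalName). Stand-in for a VO attribute service.
VO_REGISTRY = {
    "vo.example.org": {
        "alice@university-a.example": {
            "groups": ["/vo.example.org", "/vo.example.org/analysis"],
            "roles": ["production"],
        },
        "bob@university-c.example": {"groups": ["/vo.example.org"], "roles": []},
    },
}

# Constructed per-resource policy expressed in VO terms: which group, and optionally
# which role, a grid resource demands.
RESOURCE_POLICY = {
    "ce.university-a.example": {"group": "/vo.example.org", "role": None},  # job submission
    "se.university-c.example": {"group": "/vo.example.org/analysis", "role": "production"},  # storage write
}


def grid_attributes(idp_attributes, vo_name):
    """Merge home-institution attributes (who the user is) with VO attributes (what the
    user may do on the grid). Returns (merged_attributes, None) or (None, reason)."""
    # The IdP vouches for the person: without an institutional affiliation, no grid identity.
    if "member" not in idp_attributes.get("eduPersonAffiliation", []):
        return None, "home institution does not vouch for this user"
    principal = idp_attributes.get("eduPersonPrincipalName")
    if not principal:
        return None, "IdP released no persistent identifier"
    members = VO_REGISTRY.get(vo_name)
    if members is None:
        return None, "unknown VO " + vo_name
    entry = members.get(principal)
    if entry is None:
        return None, principal + " is not a member of " + vo_name
    merged = dict(idp_attributes)
    merged.update({"vo": vo_name, "groups": list(entry["groups"]), "roles": list(entry["roles"])})
    return merged, None


def authorize_on_resource(attributes, resource):
    """Resource-side decision on the merged attribute set; grid-specific attributes
    (groups, roles) come from the VO, never from the IdP."""
    policy = RESOURCE_POLICY.get(resource)
    if policy is None:
        return False
    if policy["group"] not in attributes.get("groups", []):
        return False
    if policy["role"] is not None and policy["role"] not in attributes.get("roles", []):
        return False
    return True


def grid_access(idp_attributes, vo_name, resource):
    """Full decision for one request: institutional identity plus VO membership."""
    merged, reason = grid_attributes(idp_attributes, vo_name)
    if reason is not None:
        return "denied: " + reason
    if authorize_on_resource(merged, resource):
        return "granted"
    return "denied: VO attributes insufficient for " + resource


if __name__ == "__main__":
    # Constructed attribute set as released by University A's IdP after Shibboleth login.
    alice = {
        "eduPersonPrincipalName": "alice@university-a.example",
        "eduPersonAffiliation": ["student", "member"],
        "homeOrganization": "university-a.example",
    }
    print(grid_access(alice, "vo.example.org", "se.university-c.example"))
```

Read grid_access as the layering the slide argues for: the IdP answers "is this a member of a federation institution, and which persistent name does it go by", the VO answers "which groups and roles does that name hold", and only the combination reaches the resource policy. Removing the VO step would leave every federation member with identical grid rights, which is why the VO cannot be dropped even when the home institution already authenticates the user.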
Interoperability gLite - Shibboleth
(Architecture diagram; not reproduced in the transcript)
AAIs in Europe
• There are many AAI efforts underway in Europe; normally they are tied to NRENs
• eduGAIN:
  – Within GEANT2
  – Interoperability between AAIs
  – Architecture of Bridging Elements between Federations
  – Based on SAML
  – Bridging Element to Shibboleth is being developed by SWITCH
Interoperability Efforts Grid - AAIs
• Various interoperability efforts Grid - AAIs underway
– UK, MAMS, GridShib
– Prerequisite: rather well established AAI federation
• Approach varies (depending on requirements):
– Web-based Portals as Gateway to Grid
– Command line
– IGTF accreditation
Conclusions
• National AAIs aim to interconnect campus networks
  ● Single log-on experience for the user
  ● Enable the user to access many resources
• AA mechanism of Grids is based on X.509 certificates
• Benefits of interoperability between these national AAIs and grid infrastructure(s) (on national and European scale)
  ● User: simple access to many resources
  ● e-Science: connect the largest audience possible
• SWITCH:
  ● SWITCHaai: operate a Shibboleth-based AAI in production mode
  ● gLiteShib: contribution to EGEE-II