
Authentication and Authorization Infrastructures in e-Science (and the role of NRENs)

Christoph Witzig, SWITCH. e-IRG, Helsinki, Oct 4, 2006.


Presentation Transcript


  1. Authentication and Authorization Infrastructures in e-Science (and the role of NRENs). Christoph Witzig, SWITCH. e-IRG, Helsinki, Oct 4, 2006

  2. Outline
     • Introduction
     • SWITCH
     • AAIs and e-Science
     • Case study SWITCHaai
       • As an example for the role of an NREN in e-Science
     • Interoperability AAI - Grid
     • The broader picture in Europe
     • Summary

  3. SWITCH - Teleinformatikdienste für Lehre und Forschung (Teleinformatics Services for Teaching and Research)
     • Network
     • Security
     • CERT
     • Middleware
     • AAI
     • Mobile
     • PKI
     • Grid
     • Foundation (non-profit organization)
     • located in Zurich
     • 70 employees
     • Internet Identifiers
     • Domain name registration
     • .ch and .li
     • NetServices
     • Video conferencing
     • Streaming
     • Collaboration tools

  4. AAI in e-Science
     • AAIs solve the old problem of access control to resources
     • There are various technologies in use; their usefulness depends on the underlying infrastructure
       • Crusader Castle
       • League of Nations
       • Federations

  5. Crusader Castle
     • Appropriate for few, non-mobile users

  6. Crusader Castle
     • Tedious user registration at all resources
     • Unreliable and outdated user data at resources
     • Different login processes
     • Many different passwords
     • Many resources not protected due to difficulties
     • Often IP-based authorization
     • Costly implementation of inter-institutional access
     [Diagram: University A (Student Admin, Web Mail, e-Learning), Library B (e-Journals, Literature DB), University C (Research DB, e-Learning). Legend: User Administration, Authentication, Authorization, Resource, Credentials]

  7. League of Nations: Standardized Credentials (International Conference on Passports 1920)
     X.509 credentials
     • User registration process with CA
     • User has one credential to present to resources
     • authN and authZ at resource
     • User has to manage credential
     • Standard use in grids (IGTF)
     • Delegation mechanism
     [Diagram: University A (Student Admin, Web Mail, e-Learning), Passport Issuer (CA), University C (Research DB, e-Learning). Legend: User Administration, Authentication, Authorization, Resource, Credentials]

  8. Federated Identity Management
     • No user registration and user data maintenance at resource needed
     • Single login process for the users
     • Many new resources available for the users
     • Enlarged user communities for resources
     • Efficient implementation of inter-institutional access
     • Shibboleth
       • open source
       • Internet2
       • SAML
       • Web-based Single Sign-on
       • authN at Identity Provider
       • authZ at Service Provider
         • based on user’s attributes
         • as provided by IdP
       • Privacy
     [Diagram: Federated Identity Management connecting University A (Student Admin, Web Mail, e-Learning), Library B (e-Journals, Literature DB), University C (Research DB, e-Learning). Legend: User Administration, Authentication, Authorization, Resource, Credentials]

  9. Introduction
     • Case Study SWITCHaai
       • As an example for the role of an NREN in e-Science
     • Interoperability AAI - Grid
     • The broader picture in Europe
     • Summary

  10. SWITCHaai
     • Need for a national AAI infrastructure identified in 2001
     • Problems:
       • How to agree on one AAI implementation?
       • How to introduce a national AAI in a highly fragmented higher education sector?
       • How to formally agree on a federation policy in a country with a very strong federalist tradition?

     Today about 160’000 (75%) of the members of the Swiss higher education and research sector have SWITCHaai accounts. About 10’000 users regularly access about 100 resources. Examples of resources are e-learning, e-Journals, software distributions, v-conf and others.

  11. SWITCHaai Project Timeline
     • Working groups and sub-projects between universities' IT services, researchers and SWITCH
     • Co-operative work to have all stakeholders involved
     [Timeline figure, 2001 to 2007: Study, Pilot Operation, Production Operation; Architecture Evaluation, Shibboleth; Stakeholders involved]

  12. Federations
     Federation = a group of organizations that agree on a common set of rules and standards with the goal to cooperate in inter-organizational authentication, authorization and accounting

  13. Funding
     [Figure: funding / costs, 2000 to 2010. Phases: Pilot Phase, Project Phase, Operational Service. Labels: funded by SWITCH & universities, funded by federal grants, funded by tariffs]
     • SWITCH has applied for federal grants in the name of the Swiss universities
     • Grants have to be used for AAI projects and with a matching-funds strategy

  14. Introduction
     • Case study SWITCHaai
     • Interoperability AAI - Grid
     • The broader picture in Europe
     • Summary

  15. Why Interoperability AAI - Grid?
     • For AAI Federations:
       • Add grid resources to federation
     • For Grids:
       • Add huge user base (campus network)
     • For Users:
       • Simpler management of credentials
       • Easy access to grids
     • For e-Science:
       • Unified user base
       • Bring stakeholders together (NRENs - Grids)

  16. SWITCH and EGEE-II
     • SWITCH joined EGEE-II: Interoperability gLite - Shibboleth
     • Focus is on
       • Interoperability (NO replacement for X.509)
     • Key Concepts:
       • Home institution of the user should be the Identity Provider
       • Home institution provides some attributes
       • But VO is needed for (grid specific) attributes

  17. Interoperability gLite - Shibboleth

  18. Introduction
     • Case study SWITCHaai
     • Interoperability AAI - Grid
     • The broader picture in Europe
     • Summary

  19. AAIs in Europe
     • There are many AAI efforts underway in Europe
     • Normally they are tied to NRENs
     • eduGAIN:
       • Within GEANT2
       • Interoperability between AAIs
       • Architecture of Bridging Elements between Federations
       • Based on SAML
       • Bridging Element to Shibboleth is being developed by SWITCH

  20. Interoperability Efforts Grid - AAIs
     • Various interoperability efforts Grid - AAIs underway
       • UK, MAMS, GridShib
     • Prerequisite: rather well established AAI federation
     • Approach varies (depending on requirements):
       • Web-based Portals as Gateway to Grid
       • Command line
       • IGTF accreditation

  21. Conclusions
     • National AAIs aim to interconnect campus networks
       • Single log-on experience for the user
       • Enable the user to access many resources
     • AA mechanism of Grids is based on X.509 certificates
     • Benefits of interoperability between these national AAIs and grid infrastructure(s) (on national and European scale)
       • User: simple access to many resources
       • e-Science: connect the largest audience possible
     • SWITCH:
       • SWITCHaai: operate a Shibboleth-based AAI in production mode
       • gLiteShib: contribution to EGEE-II
