Authentication and Authorization Infrastructures in e-Science (and the role of NRENs)
Christoph Witzig, SWITCH
e-IRG, Helsinki, Oct 4, 2006

Outline
• Introduction
• SWITCH
• AAIs and e-Science
• Case study SWITCHaai
  • As an example for the role of an NREN in e-Science
• Interoperability AAI - Grid
• The broader picture in Europe
• Summary
SWITCH - Teleinformatikdienste für Lehre und Forschung
• Foundation (non-profit organization), located in Zurich, 70 employees
• Network
• Security: CERT
• Middleware: AAI, Mobile, PKI, Grid
• Internet Identifiers: domain name registration for .ch and .li
• NetServices: video conferencing, streaming, collaboration tools

AAI in e-Science
• AAIs solve the old problem of access control to resources
• There are various technologies in use; their usefulness depends on the underlying infrastructure:
  • Crusader Castle
  • League of Nations
  • Federations
Crusader Castle
• Appropriate for few, non-mobile users
• Tedious user registration at all resources
• Unreliable and outdated user data at resources
• Different login processes
• Many different passwords
• Many resources not protected due to difficulties
• Often IP-based authorization
• Costly implementation of inter-institutional access
[Diagram: University A (Student Admin, Web Mail, e-Learning), Library B (e-Journals, Literature DB) and University C (Research DB, e-Learning); each resource runs its own user administration, authentication, authorization and credentials]

League of Nations
Standardized Credentials (International Conference on Passports, 1920)
• User registration process with a CA
• User has one credential to present to resources (X.509 credentials)
• authN and authZ at the resource
• User has to manage the credential
• Standard use in grids (IGTF)
• Delegation mechanism
[Diagram: a Passport Issuer (CA) issues X.509 credentials to users of University A and University C; resources such as Student Admin, Web Mail, e-Learning and Research DB still perform user administration, authentication and authorization themselves]

Federated Identity Management
• No user registration and user data maintenance at the resource needed
• Single login process for the users
• Many new resources available for the users
• Enlarged user communities for resources
• Efficient implementation of inter-institutional access
• Shibboleth
  • open source
  • Internet2
  • SAML
  • Web-based Single Sign-on
  • authN at the Identity Provider
  • authZ at the Service Provider, based on the user's attributes as provided by the IdP
  • Privacy
[Diagram: University A, Library B and University C share Federated Identity Management; user administration and authentication stay at the home institution, while authorization happens at each resource (Student Admin, Web Mail, e-Learning, e-Journals, Literature DB, Research DB)]
SWITCHaai
• Need for a national AAI infrastructure identified in 2001
• Problems:
  • How to agree on one AAI implementation?
  • How to introduce a national AAI in a highly fragmented higher education sector?
  • How to formally agree on a federation policy in a country with a very strong federalist tradition?
Today about 160’000 (75%) of the members of the Swiss higher education and research sector have SWITCHaai accounts. About 10’000 users regularly access about 100 resources. Examples of resources are e-learning, e-Journals, software distributions, v-conf and others.

SWITCHaai Project Timeline
• Working groups and sub-projects between university IT services, researchers and SWITCH
• Co-operative work to have all stakeholders involved
[Timeline 2001-2007: Study (architecture, evaluation, Shibboleth) → Pilot Operation → Production Operation, with stakeholders involved throughout]

Federations
Federation = a group of organizations that agree on a common set of rules and standards with the goal of cooperating in inter-organizational authentication, authorization and accounting

Funding
[Chart of funding / costs 2000-2010: Pilot Phase funded by SWITCH and the universities, Project Phase funded by federal grants, Operational Service funded by tariffs]
• SWITCH has applied for federal grants in the name of the Swiss universities
• Grants have to be used for AAI projects and with a matching-funds strategy
Why Interoperability AAI - Grid?
• For AAI Federations:
  • Add grid resources to the federation
• For Grids:
  • Add a huge user base (campus network)
• For Users:
  • Simpler management of credentials
  • Easy access to grids
• For e-Science:
  • Unified user base
  • Bring stakeholders together (NRENs - Grids)

SWITCH and EGEE-II
• SWITCH joined EGEE-II: Interoperability gLite - Shibboleth
• Focus is on interoperability (NO replacement for X.509)
• Key Concepts:
  • Home institution of the user should be the Identity Provider
  • Home institution provides some attributes
  • But a VO is needed for (grid-specific) attributes
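To make the two access-control models on these slides concrete, here is an added example (not code from the talk, SWITCHaai or gLite): a service provider that accepts an attribute assertion from a federation member's IdP and, for a web resource, authorizes purely on the IdP's attributes (the Federated Identity Management slide), while for a grid job it additionally requires VO-issued attributes that the home institution cannot assert (the EGEE-II key concepts). The entity IDs, the VO table, the reference time and the assertion dictionaries are constructed; eduPersonAffiliation and eduPersonPrincipalName are standard Shibboleth attribute names assumed here, and signature verification is assumed to happen in the SAML layer below this code.

```python
from datetime import datetime, timedelta, timezone

SP_ENTITY_ID = "https://grid-portal.example/shibboleth"        # constructed
NOW = datetime(2006, 10, 4, 12, 0, tzinfo=timezone.utc)        # constructed reference time
# Constructed federation metadata: the IdPs this federation trusts (stand-in
# for the signed SAML metadata a Shibboleth SP loads).
FEDERATION_IDPS = {
    "https://idp.university-a.example/shibboleth": "University A",
    "https://idp.university-c.example/shibboleth": "University C",
}
# Constructed VO membership table: grid-specific attributes the home
# institution cannot assert, so they come from the VO rather than the IdP.
VO_MEMBERS = {"alice@university-a.example": {"vo": "example-vo", "role": "analyst"}}

def make_assertion(issuer, attributes, lifetime_min=5, audience=SP_ENTITY_ID):
    """Constructed stand-in for a SAML attribute assertion (no XML, no signature)."""
    return {"issuer": issuer, "audience": audience, "attributes": attributes,
            "not_on_or_after": NOW + timedelta(minutes=lifetime_min)}

def validate_assertion(assertion, now=NOW):
    """SP-side checks: trusted issuer, correct audience, not expired.
    Assumes the SAML layer already verified the assertion's signature."""
    if assertion["issuer"] not in FEDERATION_IDPS:
        return False, "issuer is not a member of the federation"
    if assertion["audience"] != SP_ENTITY_ID:
        return False, "assertion was issued for a different service provider"
    if now >= assertion["not_on_or_after"]:
        return False, "assertion has expired"
    return True, "ok"

def authorize_web_resource(assertion, now=NOW):
    """Federation case: authN at the home IdP, authZ here from IdP attributes."""
    ok, reason = validate_assertion(assertion, now)
    if not ok:
        return False, reason
    affiliation = set(assertion["attributes"].get("eduPersonAffiliation", []))
    if affiliation & {"student", "staff", "faculty"}:
        return True, "affiliation accepted from " + FEDERATION_IDPS[assertion["issuer"]]
    return False, "no qualifying affiliation"

def authorize_grid_job(assertion, now=NOW):
    """Interoperability case: home-IdP authentication plus VO-issued grid attributes."""
    ok, reason = validate_assertion(assertion, now)
    if not ok:
        return False, reason
    principal = assertion["attributes"].get("eduPersonPrincipalName")
    vo = VO_MEMBERS.get(principal)
    if vo is None:
        return False, "authenticated by the home IdP but not a member of any VO"
    return True, "%s may submit as %s in VO %s" % (principal, vo["role"], vo["vo"])
```

The same federation checks (issuer in metadata, audience, lifetime) gate both decisions; only the attribute source differs, which is exactly the interoperability point rather than a replacement of the grid's own authorization.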
AAIs in Europe
• There are many AAI efforts underway in Europe
• Normally they are tied to NRENs
• eduGAIN:
  • Within GEANT2
  • Interoperability between AAIs
  • Architecture of Bridging Elements between Federations
  • Based on SAML
  • Bridging Element to Shibboleth is being developed by SWITCH

Interoperability Efforts Grid - AAIs
• Various interoperability efforts Grid - AAIs are underway
  • UK, MAMS, GridShib
• Prerequisite: a rather well established AAI federation
• Approach varies (depending on requirements):
  • Web-based portals as gateway to the grid
  • Command line
  • IGTF accreditation

Conclusions
• National AAIs aim to interconnect campus networks
  • Single log-on experience for the user
  • Enable the user to access many resources
• The AA mechanism of grids is based on X.509 certificates
• Benefits of interoperability between these national AAIs and grid infrastructure(s) (on national and European scale):
  • User: simple access to many resources
  • e-Science: connect the largest audience possible
• SWITCH:
  • SWITCHaai: operate a Shibboleth-based AAI in production mode
  • gLiteShib: contribution to EGEE-II