Federated Identity Management for Research: The Key is Collaboration
Hannah Short, CERN, Identity Federation Manager, AARC Project Participant
With thanks to input from the FIM4R Community and AARC
Who am I?• My job = making digital life
for researchers more secure• Based at CERN• Spend most of my time
working with others like me around the world
The Past
Image: Maximilien Brice/CERN
supply - demand = ?
http://wlcg-public.web.cern.ch
Figure: Data and Participants
Collaboration   Field                  Users    Countries   Computing Sites
LIGO            Gravitational Waves    1,200    20          9
WLCG (CERN)     High Energy Physics    13,000   43          170
ESGF            Climate Science        17,000   13          18
Source: http://doi.org/10.5281/zenodo.129603
The challenge
- Large, global user community
- Working on a distributed infrastructure
- Don’t necessarily know each other
- Don’t necessarily ever meet
How can we securely provision digital identities that are trusted by the infrastructure?
Who knows the user best?
A: The Research Community  B: The Infrastructure
C: The Home Organisation  D: Nobody
Who knows what they are working on?
A: The Research Community  B: The Infrastructure
C: The Home Organisation  D: Nobody
Authentication vs Authorisation
Figure: Trusted Identity Provider (Authentication), Research Community (Authorisation), Infrastructure
● Authentication provided by X.509 certificates from trusted Certificate Authorities (ID vetting, strong policy set)
● Authorisation provided by Research Communities adding certificate extensions
2000s
Figure: Trusted Identity Provider, Research Community, Infrastructure. Where’s the trust?
Figure: Trusted Identity Provider (Authentication), Research Community (Authorisation), Infrastructure
I just wasted 30 minutes with my student trying to sort out his certificate...
The hope that SAML federations (and Interfederation through eduGAIN) could provide a better solution
2010s
https://www.geant.org/Services/Trust_identity_and_security/eduGAIN/Pages/About-eduGAIN.aspx
Figure: Trusted Identity Provider, Research Community, Infrastructure, Federation. Where’s the trust?
The realisation that SAML Federations were one small piece of the puzzle
2015+
https://aarc-project.eu/architecture/
The Present
AARC: Authentication and Authorisation for Research and Collaboration
Many success stories
• gw-astronomy.org
• Collaboration hub for gravitational-wave and multi-messenger astronomy (MMA)
• Used to manage collaboration around the August 17, 2017 kilonova event
• EU Photon & Neutron facilities
• Single Sign On for 16 light sources
• Steady growth rate of 20% per year
Slide taken from FIM4R Session, TNC2018
Is the challenge now solved?
** Not all contributors’ logos represented
FIM4R Recommendations
• Governance & Sustainability: research representation, funding for sustainable operation, ongoing coordination
• Baseline of User Experience: attribute release, remove interoperability barriers, non-legal status, user mobility
• Security Incident Response Readiness: for federations, interfederation and organisations
• Harmonisation of Proxy Operations & Practices: reuse generic services, follow best practices for interoperability
• Sensitive Research User Experience: support multifactor authentication and publish Assurance Profiles
Slide taken from FIM4R Session, TNC2018
Security, a closer look
https://docs.oasis-open.org/security/saml/v2.0/saml-metadata-2.0-os.pdf
Attribute release, a closer look
Figure: Identity Provider releases ID, Name, Email to Research Service
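The split the slides describe (a trusted identity provider authenticates the user, the research community decides what they may do, and the service needs an ID, a name and an email released by the home organisation) as an added Python model; this is not code from the talk, from AARC or from any federation software, and the IdP entityIDs, community name, membership data and role names are constructed for the example.

```python
from dataclasses import dataclass, field

# Constructed stand-in for interfederation (eduGAIN-style) metadata: the IdP entityIDs this infrastructure trusts.
TRUSTED_IDPS = {"https://idp.example-university.edu/idp"}

# Minimum attribute bundle the service needs released: an identifier, a name and an email.
REQUIRED_ATTRS = {"eduPersonPrincipalName", "displayName", "mail"}

@dataclass
class Assertion:
    issuer: str          # entityID of the IdP that authenticated the user
    attributes: dict     # attributes the home organisation chose to release

@dataclass
class Community:
    name: str
    members: dict = field(default_factory=dict)  # eppn -> set of roles

def authenticate(a: Assertion):
    """Authentication step: trust the IdP, then check attribute release. Returns (eppn or None, reason)."""
    if a.issuer not in TRUSTED_IDPS:
        return None, "untrusted IdP: " + a.issuer
    missing = REQUIRED_ATTRS - set(a.attributes)
    if missing:
        return None, "attribute release incomplete: " + ", ".join(sorted(missing))
    return a.attributes["eduPersonPrincipalName"], "ok"

def authorise(eppn: str, community: Community, role: str) -> bool:
    """Authorisation step: only the research community knows who works on what."""
    return role in community.members.get(eppn, set())

def decide(a: Assertion, community: Community, role: str) -> tuple:
    """The infrastructure combines both steps before granting access."""
    eppn, reason = authenticate(a)
    if eppn is None:
        return False, reason
    if not authorise(eppn, community, role):
        return False, f"{eppn} does not hold role '{role}' in {community.name}"
    return True, f"{eppn} granted '{role}' access to {community.name}"

# Constructed sample data: one community, one member with two roles.
LIGO = Community("ligo", {"alice@example-university.edu": {"member", "analyst"}})

if __name__ == "__main__":
    alice = Assertion("https://idp.example-university.edu/idp",
                      {"eduPersonPrincipalName": "alice@example-university.edu",
                       "displayName": "Alice Example",
                       "mail": "alice@example-university.edu"})
    print(decide(alice, LIGO, "analyst"))
```

The three failure paths (untrusted IdP, incomplete attribute release, no community membership) are exactly the trust gaps the "Where's the trust?" slides and the attribute-release recommendation point at.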
Nine Stakeholder Groups to address
• General Stakeholders
  • Network coordinators and operators: GÉANT (Europe), Internet2 (US)
  • Research funding bodies
  • REFEDS (Research and Education FEDerations group)
• Identity federation stakeholders
  • Researchers’ Home organisations
  • National R&E federations
  • eduGAIN operators providing the Interfederation
• Research stakeholders
  • Generic e-infrastructures
  • Research community proxies in particular
  • Research communities
Slide taken from FIM4R Session, TNC2018
Collaboration is critical
The Future
Trends
• Diverse compute resources
• New Protocols
• Increased focus on Data Protection
• Increased focus on Operational Security
• Research Community AAIs
• Infrastructure AAIs
What does this mean for Research Infrastructures?
https://aarc-project.eu/wp-content/uploads/2018/09/AARC2-DJRA1.1-V3-v3FINAL.pdf
Impact
• Interoperability fundamental
  • Technical
  • Policy
• Overhead of AAI significant
• Hosted options will be critical
• Sustainable support for key components required
The FIM4R Recommendations go some way to defining the path towards an interoperable future
What can you do?
A: Read the FIM4R Paper  B: Share with others
C: Think of the Researchers  D: Nothing
“Every researcher is entitled to focus on their work and not be impeded by needless obstacles nor required to understand anything about the FIM infrastructure enabling their access to research services.” FIM4R version 2
fim4r.org