Here Come the Feds Federated identity management: the consumer’s perspective Jens Jensen, STFC On behalf of EUDAT AAI TF EGI CF Manchester April 2013

Dec 26, 2015

Transcript
Page 1

Here Come the Feds
Federated identity management: the consumer’s perspective

Jens Jensen, STFC
On behalf of EUDAT AAI TF
EGI CF Manchester April 2013

Page 2

Background – EUDAT in nuce

• EUDAT is building a data e-infrastructure
  – Support user communities (ESFRI)
    • CLARIN (linguistics, heterogeneous + long tail)
    • ENES (climate)
    • EPOS (Earth obs)
    • VPH (human physiology)
    • LifeWatch (biodiversity)
  – Move data in and out of EUDAT: PRACE, EGI, …
  – Move data between sites (replication)
  – Data storage for individual users

Page 3

Principles: AAI

• Authentication
  – Make use of existing infrastructures
  – SSO whenever possible
  – Make use of existing code – pragmatic
• Authorisation
  – Link to community rôles (users can be in more than one community)
• Infrastructure
  – Like the grids, secure with IGTF + commercial

Page 4 (image only; no text extracted)

Page 5

Requirements

• Scalable (10^7 users)
• Easy enough to use for “non-technical” users
• Support long-tail researchers (aka homeless)
• Portal and command line login
• Mature, robust, performant
• Standards-based
• Work with existing community practices (if possible)
• Communities manage authorisation policies

Page 6

Premise

• Support existing user communities
  – CLARIN already using Shib (note the ePTID problem)
  – ENES already use OpenID (in ESGF)
  – Provide “authentication services”
• Federated identity management
  – Must work with iRODS for data storage
  – Must work with GridFTP (and GlobusOnline) for data movement
  – Must work with Invenio (ORCID)

Page 7

Plan A and Plan B API

[Diagram: two flows, Plan A and Plan B, with the steps “Redirect to EUDAT”, “Obtain Access Token” and “Call CA API”; only the labels survived extraction]
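The Plan B flow on this slide (redirect to EUDAT, obtain an access token, call the CA API) is where the security of the design concentrates: the CA API must accept only tokens minted for it, bind the certificate subject to the identity the token carries rather than to anything the client asks for, and cap the certificate lifetime. The following Python model of that exchange is an added example, not code from the slides or from the EUDAT AAI task force; the token format, the audience and scope names, the DN layout, the HMAC stand-in for the CA's X.509 signature, the shared token key and the lifetime cap are all assumptions chosen for illustration, and the subject identifier is a constructed sample value.

```python
import base64
import hashlib
import hmac
import json
import secrets
import time

# Both parties are modelled in one process.  Assumptions for this example:
# the authorisation server and the CA API share an HMAC key for the token
# (a real deployment would use signed JWTs or token introspection instead),
# and the CA's X.509 signature is stood in for by an HMAC over the
# certificate body.  Names below are hypothetical, not EUDAT's.
TOKEN_KEY = secrets.token_bytes(32)
CA_SIGNING_KEY = secrets.token_bytes(32)
CA_AUDIENCE = "urn:example:eudat-ca-api"          # audience the token is minted for
CERT_SCOPE = "cert:issue"                         # scope that permits certificate issuance
CA_ISSUER_DN = "/DC=org/DC=example/CN=Online CA"  # issuer of the short-lived certificate
MAX_CERT_LIFETIME = 1_000_000                     # seconds (about 11.5 days); cap chosen here


def _b64(data: bytes) -> str:
    return base64.urlsafe_b64encode(data).rstrip(b"=").decode()


def _unb64(text: str) -> bytes:
    return base64.urlsafe_b64decode(text + "=" * (-len(text) % 4))


def issue_token(subject, scope, audience, now, ttl=600):
    """Authorisation-server side: mint a bearer token after the federated
    login.  `subject` is the persistent identifier asserted by the IdP
    (an ePTID-style value), never something the user typed."""
    payload = {"sub": subject, "scope": scope, "aud": audience,
               "iat": now, "exp": now + ttl}
    body = _b64(json.dumps(payload, sort_keys=True).encode())
    tag = hmac.new(TOKEN_KEY, body.encode(), hashlib.sha256).digest()
    return body + "." + _b64(tag)


def verify_token(token, audience, now):
    """Return (payload, None) for a genuine, unexpired token minted for
    `audience`, else (None, reason)."""
    try:
        body, tag = token.split(".")
        expected = hmac.new(TOKEN_KEY, body.encode(), hashlib.sha256).digest()
        if not hmac.compare_digest(expected, _unb64(tag)):
            return None, "bad signature"
        payload = json.loads(_unb64(body))
    except (ValueError, TypeError):
        return None, "malformed token"
    if payload.get("aud") != audience:
        return None, "wrong audience"
    if now >= payload.get("exp", 0):
        return None, "token expired"
    return payload, None


def ca_issue_certificate(token, client_public_key, requested_lifetime, now):
    """CA API side.  The client presents the bearer token, its own public key
    and a requested lifetime.  The subject DN is derived from the token's
    subject, not from client input, and the lifetime is clamped to the cap."""
    payload, reason = verify_token(token, CA_AUDIENCE, now)
    if payload is None:
        return {"status": "denied", "reason": reason}
    if CERT_SCOPE not in payload.get("scope", "").split():
        return {"status": "denied", "reason": "missing scope " + CERT_SCOPE}
    lifetime = max(1, min(int(requested_lifetime), MAX_CERT_LIFETIME))
    tbs = {
        "serial": secrets.token_hex(8),
        "issuer": CA_ISSUER_DN,
        "subject": "/DC=org/DC=example/CN=" + payload["sub"],
        "public_key": client_public_key,
        "not_before": now,
        "not_after": now + lifetime,
    }
    signature = hmac.new(CA_SIGNING_KEY, json.dumps(tbs, sort_keys=True).encode(),
                         hashlib.sha256).hexdigest()
    return {"status": "issued", "certificate": tbs, "signature": signature}


def run_plan_b(now, requested_lifetime=12 * 3600):
    """The whole Plan B exchange: federated login -> access token -> CA API."""
    # 1. After the redirect to EUDAT and the federated login, the
    #    authorisation server mints a token for the asserted identifier
    #    (constructed sample value).
    token = issue_token("eptid-3f9c!idp.example.org", CERT_SCOPE, CA_AUDIENCE, now)
    # 2. The client generates its key pair locally; the private key never
    #    leaves the client.  Only a placeholder public key is modelled.
    client_public_key = "pk:" + secrets.token_hex(16)
    # 3. Call the CA API with the token and the public key.
    return ca_issue_certificate(token, client_public_key, requested_lifetime, now)


if __name__ == "__main__":
    print(json.dumps(run_plan_b(int(time.time())), indent=2))
```

The checks the CA side performs are the ones that matter when a token-based front end is bolted onto an X.509 back end: a token minted for another service (wrong audience), an expired token, a token without the issuance scope, or a token whose body has been altered is refused, an over-long requested lifetime is silently clamped, and the certificate subject cannot be chosen by the caller.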

Page 8

Evaluations – 2010

1. Standalone Shib (or SAML)

2. Work with a single community’s portal

3. Use SimpleSAMLPhp

4. EGI or GEMBUS STS

5. Contrail AAI code – see Yvon’s talk

6. Moonshot

Page 9

Findings

• Code satisfying most requirements is the least mature
• Need X.509 – at least internally (GridFTP)
• Need good docs for integrators – and effort!
  – Need to be able to work with betas
• Technical collaborations: EGI, EUDAT, Contrail
• Supporting multiple communities:
  – Ends up being kludgy
  – MyProxy for GO, OAuth2 for ORCID, …
• Requirements change regularly
• Can spend ∞ time on evaluations