Parallel session K: Trust and identity Chair: Josh Howlett
Update on Jisc’s trust and identity services
Simon Cooper, trust and identity operations group, Jisc
Agenda
» What services are trust and identity?
» The four services supported
» Update on services and new developments
13/04/2017 Jisc trust and identity services update
What services are trust and identity?
» The operations group supports:
› Assent
› Certificate service
› Domain registry service
› UK Access Management Federation
» 1,400 members and customers
» A new fifth service…
Assent
» Underlying Moonshot technology - RADIUS and SAML
» Steady uptake
» National Pathfinder project and other big research projects
» Developments:
› Support for Mac clients, UX development, Dynamic Trust Router
» Future - hosting of trust and identity service infrastructures
Certificate service
» 10 year anniversary and 700 members
» Over 90,000 certs issued
» Service with QuoVadis since May 2015
› High assurance Extended Validation
› S/MIME for email signing
» Stability - no procurement for at least 2 years
Domain registry
» Registry for all .ac.uk and .gov.uk domains
» Over 5,000 .ac.uk and 3,000 .gov.uk
» Online portal available for all domain owners and registrars
» New portal functionality rolled out
» ICANN accreditation?
UK Access Management Federation
» 10 years of operation
» 4,000 entities and 1,100 members
» What’s changed?
» What’s next?
› Technical enhancements, e.g. MDQ and a self-service portal
› Support of Sirtfi, the Code of Conduct and the Research and Scholarship entity category
Liberate – Managed trust and identity services IdP
» Integrates with Active Directory
» Lowers the barrier to adoption of UK AMF, eduroam and Assent
» Timescales for launch
› Piloting with public libraries
› Beta service in early July
» Production service September 2017
» Further info: http://ji.sc/managed-idp and [email protected]
Trust and identity services
» Where are we?
› Stable services in place, fully supported
› Continuous improvement
» How can we be better?
› Technical functionality?
› Policy?
› New products?
» Contact point: [email protected]
Questions?
Simon Cooper
Trust & Identity Service Group Manager
Email: [email protected]
Services: [email protected]/network/authentication
National AAAI Pathfinder project
Jeremy Yates, UCL
The National AAAI Pathfinder Pilot
A project funded by the Research Councils and JISC to develop a simplified access and user management service for the UK’s research computing community.
March 2017
Why are we doing this?
• The UK National eInfrastructure is now in a position to greatly simplify its access control infrastructure to a range of services such as Cloud, data services, HPC and Grid computing
• Simplified sign-on, reducing the need for multiple credentials
• Flexible deployment models: Assent can be deployed using any model (centralised, distributed, Cloud).
• Minimal ongoing management, and specific communities are able to manage it themselves.
• Standards based – all protocols are international (IETF) standards
Benefits for research communities
• More applications and services to be accessed via a federated identity. Assent extends the range of applications and services that can consume federated identity and improves the security of your services by controlling access to resources.
• Lower operational costs by using existing infrastructure to unify all of our trust technologies and drive down operational costs. This reduces the cost and time to create new services and minimises the administration associated with providing secure user access to resources.
• Builds on existing technologies. Assent builds on the existing technologies that underpin eduroam and the UK Access Management Federation services.
• Enables the UK to federate efficiently with non-UK and international projects that use other access control technologies such as X.509 certificates. The need for federated identity management to support research and promote collaborations is widely recognised.
Pathfinder AAAI Project - Sep 2016 to June 2017
• Jisc’s Assent service, to provide users with a common, single sign-on mechanism that integrates with institutional identity management systems to confirm a researcher’s identity, and its peer systems overseas.
• Existing virtual organisation (VO) systems, such as the EPCC’s SAFE management infrastructure.
• A High Assurance Network and two-factor authentication, where appropriate, for secure data access and transport, e.g. JISC’s SafeShare service. The outputs will be secure and very secure versions of a common AAAI application which integrates Assent and SAFE. This will also be able to federate with SAML and X.509 identity management systems, which is a requirement for international collaborations.
• A series of Pilots will produce common prototype applications and services that facilitate the Authentication, Authorisation and Accounting Infrastructure (AAAI)
• These Pilots will demonstrate:
  • Successful use of a common AAAI in the field for Engineering, Physical Sciences and Medical Health research
  • Successful use of a common AAAI in the context of HEI service delivery
  • Successful use of a common AAAI when federating with international services and research projects
• This common AAAI will include services to facilitate secure data access for health, government and business data.
• A technical architecture and business case will be produced to construct and operate a National AAAI Service, which will facilitate a common AAAI for all NeI projects in the RCUK domain. It will enable secure access and use by third parties such as Government and Business.
What is it made of?
• Users will be provided with a common interface and single-sign-on features.
• This will use institutional HR data to confirm a researcher’s identity. This is the Jisc Assent Service.
• We are leveraging existing virtual organisation systems such as the National Service SAFE management infrastructure.
• Data and resources can be securely shared between projects irrespective of researcher location.
• Where information security is paramount, such as health and government records, data are automatically encrypted prior to transfer. This is the JISC Safe Share project.
• Opens the door to integration of main NeI projects
  • Single sign-on: removes a major barrier to access for users
  • Enables hardware to be shared across domains
  • From a service provider perspective this encourages aggregation and pooling of resources
  • Allows cloud and data services to work effectively, efficiently and appropriately
• You know who I am, what I can do, how I’ll be measured, and where I live
• In addition, the EPCC SAFE framework provides the complementary capabilities of accounting and resource management of computing facilities. This makes it ideal for this pilot.
• The related Jisc Safe Share project will soon provide a Higher Assurance Network and support two-factor authentication for projects requiring additional security.
How Assent works – think eduroam and a RADIUS server…
Meet the team
• Josh Howlett, Jeremy Yates, Jacky Pallas, Kostas Kavoussanakis, Stephen Booth, Richard Sanders, Gareth Francis, Stefan Paetow, Lydia Heck, Stuart Rankin, David Fergusson, Bruno Silva, Stephen Young, Dugan Witherick, Jens Jensen, Alan Real, Andrew Sansum, Mark Parsons
• JISC, EPCC, RAL, Durham, eMedLab, Sanger, QMUL, Cambridge, Oxford, Crick
Work Packages
1. WP1: Integration of SAFE with Assent
2. WP2: Local deployment pilot
3. WP3: Assent integration with Virtual Organisation infrastructure
4. WP4: Productisation
Outputs
1. A pilot AAAI infrastructure comprising multiple sites and projects, built on existing assets and capabilities, tested in the following production settings:
  • A University HPC ecosystem – University of Oxford
  • A Regional HPC ecosystem – N8
  • A national HPC ecosystem – DiRAC
  • A Secure Ecosystem – eMedLab
2. Demonstration of interoperability with other non-SAFE and non-Assent technologies. This is necessary for gaining access to non-UK resources, e.g. wLCG, Elixir, EGI, EUDAT, PRACE.
3. A route towards productisation of the outputs and findings of the pathfinder through a Technical Architecture and a Business Case for a future national AAAI.
Milestones
Reporting point (month end), work package and outputs:
• Month 2, WP1.1: Setting up Assent for use at eMedLab, N8 and DiRAC
• Month 3, WP1.2: Identity Provider service prototype completed. Report on use at DiRAC site
• Month 2, WP1.3: Prototype application that combines SAFE and Assent. Report on use at eMedLab & N8
• Month 5, WP2: Report on application of SAFE to managing projects at local HPC facilities
• Month 5, WP3.1: Prototype SAFE+Assent that can use SAML. This will allow Virtual Organisations to manage authorisation for Assent-based authentication.
• Month 8, WP3.2: Construct a working API that will bridge Assent with other authentication technologies, such as X.509. Report on 3.1 and 3.2 progress.
• Month 10 (final report), WP4.1 and WP4.2: Technical Architecture and Business Case for proposed National AAAI Service
Progress (March 2017)
Work package, progress and what this means:
• WP 1.1 (Completed): Set up Assent at Durham and Edinburgh. Integrated SAFE and Assent and tested at Durham
• WP 1.2 (Completed): Assent IdP set up by EPCC. Can generate attributes without reference to HEIs. Helpful for non-academic users
• WP 1.3 (Delayed): Testing Assent and SAFE in a secure environment and on an OpenStack system; eMedLab, Crick, QMUL and Sanger are installing Assent. An OSP upgrade delayed testing until May 2017
• WP 2 (Will start in May 2017): Use Assent and SAFE in a HEI environment
• WP 3.1 (Completed): DiRAC SAFE can provide user attributes to Assent. An OpenSAML attribute authority was linked to the SAFE database and can be linked to Assent
• WP 3.2 (Started March 24th): Deliver a credential conversion service that enables users with sufficiently high levels of assurance (through their Assent IdP) to obtain a certificate from an IGTF CA
• WP 4.1, WP 4.2 (Started): Consultation on business model with NeI PDG and HPC-SIG members
Other Opportunities
• Possible test project with Elixir (WP 3.2)
• Possible test project with the Hartree Centre (WP1.2)
• Possible test project with AWS (WP3.1)
• Possible test project with a second OpenStack service (MRC CLIMB, WP3.1)
Proposed architecture
• A composite of three separate but complementary capabilities
  • SafeShare: provides high assurance connectivity using encrypted tunnels. Imminent launch of Jisc service
  • Assent: provides secure federated authentication & attributes. A Jisc service with 20 member organisations
  • SAFE: provides accounting, reporting, and resource management. Software provided by EPCC, some of it supported by funding from Jisc
• A composite service does not have composite users!
  • How can we construct a coherent proposition, such that the different stakeholders can deploy and use the respective services without resulting in confusion?
Developing the Business Case
• SAFE delivery model
  1. Would users of SAFE prefer to consume it as packaged software, or as Software as a Service, or both?
• Ancillary capabilities
  2. For each delivery model, what ancillary capabilities might be desirable?
  • Packaged software: software development, deployment consultancy
  • SaaS: ???
  • Both: technical support, project management
• Sustainability
  • Assent is currently funded by Jisc
  • SafeShare will be funded by its users through a separate service subscription
  • “SAFE as packaged software” probably implies some form of centralised funding; “SAFE as SaaS” allows for a subscription model
  3. How should a composite service be funded?
Summary
• Seven Research Councils and JISC have committed funding and resource to a National AAAI Pathfinder Pilot
• Benefits to the research community include simplified sign-on (users) and streamlined user management (infrastructure providers)
• The pilot integrates existing services and software and is testing this in a range of environments
  • University, regional resource, private cloud, industry, international links
• Scale-up and sustainability addressed through a robust evaluation of a business case
Better together!
Klaas Wierenga, GÉANT
13/04/2017 Infrastructure Division Update