Authentication and Authorisation for Research and Collaboration RCauth.eu

Authentication and Authorisation for Research and Collaboration RCauth.eu

Authentication and Authorisation for Research and Collaboration RCauth.eu CILogon-like service in EGI and the EOSC Deployment and Sustainability Models for the AARC CILogon-like TTS Pilot David Groep AARC NA3 coordinator, EGI AAI-TCB Nikhef PDP group EGI TCB-AAI May 2017 https://aarc-project.eu RCauth.eu is operated by Nikhef as part of the Dutch National e-Infrastructure for Research coordinated by SURF for the benefit of the collective European Research and e-Infrastructures 1 Aim: seamless access to existing services with eduGAIN for all No Changes to the Model

for infrastructures and their service providers Dispersed User Base critical mass is beyond any single institution 11 : Pan-European Access not country-opt-in based standards-based assurance $ exec Command-line and VOMS with delegation and brokering Concentrate Sensitive Components no long-term token needs in the VO portal credential management by the Infrastructures https://aarc-project.eu

$oidc-> authenticate() echo "Hola $name" Minimal Coding for the VO portals 2 CILogon-like TTS Pilot, the Users work flow user login flow: VO portal Community Infrastructure RCauth service federated AAI credential flow: authentication, SAML federation, Policy Filter, OpenID Connect, PKIX+OIDC, (VOMS), proxy-on-portal R&S science gateways delegation AARC Master Portal or Infrastructure Solution https://aarc-project.eu

server filtering WAYF 3 Token Translator RCauth.eu service component Needs security and policy expertise (people) and ability to maintain accreditation Needs operational and technical capabilities (hardware): hardware security modules, managed data centres, off-line and on-line secure areas, trained personnel, designate infrastructure to security operations Connects to a handful of Master Portals (MPs) with explicit agreements to take care of user credential protection and compliance Connects (many, we hope scalably) federations, IdPs and (few) SP-IdP-Proxies Serves many communities, some of which we dont yet know, and beyond just the European e-Infrastructures Considerations: Trust and compliance, with IGTF accreditation Single logical instance, with HA built in for production Managed by a consortium: in Europe agreed by at least EGI, EUDAT, GANT, ELIXIR, and SURF https://aarc-project.eu

4 Where are we today? In pre-production since May 2016, now several connections deployed to EGI, ELIXIR, DNI/SURF, production demonstrator instance of Rcauth.eu set up in the right way at Nikhef (only for now): Dedicated secure environment, FIPS 140 level 3 approved HSM, anchored in a stable way Policy and practices accredited under unique-identifier profile at the IGTF good enough for some infrastuctures, and within EGI in combination with vetted & managed communities Scalable negotiation model based on Sirtfi and REFEDS R&S section 6 Requirements on attached credential stores defined (for key protection) Trust anchors in production (RCauth.eu is part of the EGI-CAM package) But its a production demonstrator, not true production, without an SLA, and with limited capacity (~2k users) and its a bit a Heath Robinson service, using mostly pre-available hardware intended availability is high, but no on-site 24x365, nor redundancy https://aarc-project.eu 5

Planned RCauth.eu management model shared governance through a Policy Management Authority non-discriminatory policy and practices joint PMA authoritative for policy and operations Stakeholders EGI, EUDAT, SURF, GANT, ELIXIR, Infrastructure-specific Master Portals and Credential Repository https://aarc-project.eu in-kind or explicit contributions of services, kit, and operators

trust by any and all global relying parties user contact service by specific stakeholder 6 Service distribution and support plans Beyond just the Nikhef Best Effort service what is the service in this context: Delegation Service & WAYF can be anywhere between a few kEur to well over 100+kEur cost per year Recuperation model Master Portals (Credential Management) from other (non-RCauth) funding Delegation Service/RCauth.eu: free at point of use funded via in-kind contributions by the major e-Infrastructures distributed H/A setup, leveraging existing capabilities and some additional person effort EOSC Hub Consortium picked middle ground contribute effort and some hardware resources to the joint pan-European pool help steer the development through joint, independent, management body (PMA) partners with existing security operations expertise: GRNET, STFC, FZJ + SURF/Nikhef

https://aarc-project.eu 7 References https://wiki.geant.org/display/AARC/Models+for+the+CILogon-like+TTS+Pilot https://www.rcauth.eu/ DIY demo for users from Sirtfied R&S Institutions, or through the IGTF eduGAIN bridge: https://rcdemo.nikhef.nl/ https://aarc-project.eu 8 Parts of this work have also been performed as part of the work programme of EGIENGAGE EGI-Engage is co-funded by the Horizon 2020 Framework Programme of the European Union under grant number 654142 Thank you Any Questions? Thanks to all collaborators on this joint enterprise:

EGI, EUDAT, GEANT, SURF; Nikhef, GRNET, Christos Kanellopoulos and to Jim Basney of NCSA, CTSC and CILogon [email protected] https://aarc-project.eu GANT on behalf of the AARC project. The work leading to these results has received funding from the European Unions Horizon 2020 research and innovation programme under Grant Agreement No. 653965 (AARC). https://aarc-project.eu 9

Recently Viewed Presentations

  • Year End Preparation Gerald Whittmore, CPP Xerox Business

    Year End Preparation Gerald Whittmore, CPP Xerox Business

    Set up and test all new tax updates including the employer wage bases and tax percentage rates for social security, Medicare, Federal unemployment, state disability, state unemployment and local taxes. Set up and test your company's benefits package. Prepare electronic...
  • CONTEXTUAL, FLOW-BASED ACCESS CONTROL WITH SCALABLE HOST-BASED SDN

    CONTEXTUAL, FLOW-BASED ACCESS CONTROL WITH SCALABLE HOST-BASED SDN

    SDN & OpenFlow. SDNs, implemented using OpenFlow, provide a powerful, vendor-independent approach to managing complex networks with dynamic demands. SDN with OpenFlowprotocol allows a centralized controller to learn each time a new flow is created
  • Ang Paglilitis at Kamatayan Ni Kkk Supremo Andres Bonifacio

    Ang Paglilitis at Kamatayan Ni Kkk Supremo Andres Bonifacio

    Noong Noviembre 2, l906 inilimbag ng Muling Pagsilang ang sanaysay "Hinggil sa Kasaysayan ng Pilipinas," na kinatha ni G. Gonzalo Cue Malay. Tahasang tinukoy ni G. Cue Malay ang mga sumusunod na petsa kaugnay sa buhay at kamatayan ni Andres...
  • 디자인마케팅

    디자인마케팅

    크리에이티브 발상법 Company Logo @ 최성재교수
  • ISO/TS 16949 NEDİR - KalGe

    ISO/TS 16949 NEDİR - KalGe

    ISO/TS 16949:2009 KALİTE YÖNETİM SİSTEMİ Veysel İNCE * www.kalge.net * 8.3.4.Müşteri Feragatı Ürün ve prosesin müşteri tarafından onaylanmış durumundan farklı olması halinde müşteriden sapma onayı alınmalı.
  • Technologies de l'information: marché et tendances

    Technologies de l'information: marché et tendances

    Both Whistle and Cobalt generate their revenue on hardware volume. Consequently, funding OSS enables them to avoid today's PC market where a "tax" must be paid to the OS vendor (NT Server retail price is $800 whereas Cobalt's target MSRP...
  • Islamic Banking and Finance: History Development and ...

    Islamic Banking and Finance: History Development and ...

    Islamic Banking and Finance: History Development Development of Islamic Banking and Finance in Other Countries (2) Gulf Cooperation Council (GCC) States Saudi Arabia Shari'ah is the law of the land but it does not have an Islamic banking law There...
  • Canada - Lisa Williams Social Studies

    Canada - Lisa Williams Social Studies

    The four Great Lakes that do form part of the U.S./Canada border (Superior, Huron, Ontario, & Erie), also provide fresh water, fish and hydroelectricity for the people of Canada. Canadian Shield The Canadian Shield (also called the Boreal Shield), covers...