2006 © SWITCH
Authentication and Authorization Infrastructures in e-Science (and the role of NRENs)
Christoph Witzig, SWITCH
e-IRG, Helsinki, Oct 4, 2006
Outline
• Introduction
– SWITCH
– AAIs and e-Science
• Case study SWITCHaai As an example for the role of an NREN in e-Science
• Interoperability AAI - Grid
• The broader picture in Europe
• Summary
SWITCH - Teleinformatikdienste für Lehre und Forschung (Telematics Services for Teaching and Research)
• Foundation (non-profit organization), located in Zurich, 70 employees
• Network
• Internet Identifiers: domain name registration for .ch and .li
• Security: CERT
• Middleware: AAI, Mobile, PKI, Grid
• NetServices: video conferencing, streaming, collaboration tools
AAI in e-Science
• AAIs solve the old problem of access control to resources
• There are various technologies in use; their usefulness depends on the underlying infrastructure
1. Crusader Castle
2. League of Nations
3. Federations
Crusader Castle
Appropriate for few, non-mobile users
Crusader Castle
[Diagram: University A, Library B and University C each run their own resources (Student Admin, Web Mail, e-Learning, Literature DB, Research DB, e-Journals); every resource does its own user administration for authorization and issues its own credentials for authentication]
• Tedious user registration at all resources
• Unreliable and outdated user data at resources
• Different login processes
• Many different passwords
• Many resources not protected due to these difficulties
• Often IP-based authorization
• Costly implementation of inter-institutional access
League of Nations
[Diagram: University A and University C run their resources (Student Admin, Web Mail, e-Learning, Research DB); a passport issuer (CA) registers users and issues X.509 credentials; authorization via user administration and authentication via credentials both happen at the resource]
• User registration process with the CA
• User has one credential to present to resources
• authN and authZ at the resource
• User has to manage the credential
• Standard use in grids (IGTF)
• Delegation mechanism
• Standardized credentials (cf. International Conference on Passports, 1920)
Federated Identity Management
[Diagram: University A, Library B and University C run their resources (Student Admin, Web Mail, e-Learning, Literature DB, Research DB, e-Journals); authentication and user administration stay at the home institution, resources consume the result]
• No user registration and user data maintenance at the resource needed
• Single login process for the users
• Many new resources available for the users
• Enlarged user communities for resources
• Efficient implementation of inter-institutional access
Shibboleth
• open source (Internet2)
• SAML
• Web-based single sign-on: authN at the Identity Provider, authZ at the Service Provider based on the user's attributes as provided by the IdP
• Privacy
SWITCHaai
• Need for a national AAI infrastructure identified in 2001
• Problems:
– How to agree on one AAI implementation
– How to introduce a national AAI in a highly fragmented higher education sector?
– How to formally agree on a federation policy in a country with a very strong federalist tradition
• Today about 160'000 (75%) of the members of the Swiss higher education and research sector have SWITCHaai accounts.
• About 10'000 users regularly access about 100 resources.
• Examples of resources are e-learning, e-Journals, software distributions, video conferencing and others
SWITCHaai Project Timeline
[Timeline chart, 2001-2007: study, architecture evaluation (Shibboleth selected), pilot operation, production operation]
• Working groups and sub-projects between university IT services, researchers and SWITCH
• Co-operative work to have all stakeholders involved
Federations
Federation = a group of organizations that agree on a common set of rules and standards with the goal of cooperating in inter-organizational authentication, authorization and accounting
Funding
[Chart of funding and costs, 2000-2010: pilot phase funded by SWITCH and the universities; project phase funded by federal grants; operational service funded by tariffs]
• SWITCH has applied for federal grants in the name of the Swiss universities
• Grants have to be used for AAI projects and follow a matching-funds strategy
Why Interoperability AAI - Grid?
For AAI federations:
• Add grid resources to the federation
For grids:
• Add a huge user base (campus network)
For users:
• Simpler management of credentials
• Easy access to grids
For e-Science:
• Unified user base
• Bring stakeholders together (NRENs - Grids)
SWITCH and EGEE-II
• SWITCH joined EGEE-II: interoperability gLite - Shibboleth
• Focus is on interoperability (NO replacement for X.509)
• Key concepts:
– Home institution of the user should be the Identity Provider
– Home institution provides some attributes
– But a VO is needed for (grid-specific) attributes
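The Shibboleth model above (authN at the IdP, authZ at the SP on IdP-supplied attributes) and the EGEE-II key concepts (home institution as IdP, VO as source of grid-specific attributes) in working code. This is an added example, not SWITCHaai or gLite code: an HMAC over a canonical JSON payload stands in for the XML signature of a real SAML assertion, the entity IDs and keys are constructed, and the `voRole` attribute is invented (`eduPersonAffiliation` is a real eduPerson attribute). It shows the checks an SP must do before trusting attributes (known issuer, intact signature, matching audience, validity window) and how a grid SP combines home and VO attributes into one decision.

```python
"""Federated AAI in miniature: the IdP authenticates and issues a signed
attribute assertion, the SP only verifies that assertion and authorizes on
the attributes it carries; a VO adds the grid-specific attributes the home
institution cannot know.  Added example, not SWITCHaai or gLite code.
An HMAC over a canonical JSON payload stands in for the XML signature of a
real SAML assertion; entity IDs, keys and the voRole attribute are invented."""
import hashlib
import hmac
import json
import time

# Constructed trust material.  In a real federation the SP takes IdP and
# VO signing certificates from federation metadata, not shared secrets.
IDP_KEYS = {"https://idp.uni-a.example/idp": b"constructed-idp-key"}
VO_KEYS = {"https://vo.cms.example/aa": b"constructed-vo-key"}
SP_ENTITY_ID = "https://ce.grid.example/sp"


def _sign(payload: dict, key: bytes) -> str:
    # Canonical serialization so signer and verifier hash identical bytes.
    canonical = json.dumps(payload, sort_keys=True, separators=(",", ":"))
    return hmac.new(key, canonical.encode(), hashlib.sha256).hexdigest()


def issue_assertion(issuer, key, subject, attributes, audience,
                    lifetime=300, now=None):
    """What an IdP (after authenticating the user) or a VO attribute
    authority emits.  Audience and validity window are bound into the
    signed payload, so the assertion cannot be replayed at another SP
    or after it expires."""
    now = time.time() if now is None else now
    payload = {
        "issuer": issuer,
        "subject": subject,
        "audience": audience,
        "not_before": now,
        "not_on_or_after": now + lifetime,
        "attributes": attributes,
    }
    return {"payload": payload, "signature": _sign(payload, key)}


def verify_assertion(assertion, trusted_issuers, audience, now=None):
    """SP-side checks: known issuer, signature verifies, issued for this
    SP, inside the validity window.  Returns (subject, attributes) or
    raises ValueError.  Nothing here authenticates the user directly;
    the SP trusts the IdP's statement, which is the point of federation."""
    now = time.time() if now is None else now
    payload = assertion["payload"]
    key = trusted_issuers.get(payload.get("issuer"))
    if key is None:
        raise ValueError("issuer not in federation metadata")
    if not hmac.compare_digest(_sign(payload, key), assertion["signature"]):
        raise ValueError("signature does not verify")
    if payload["audience"] != audience:
        raise ValueError("assertion issued for a different SP")
    if not payload["not_before"] <= now < payload["not_on_or_after"]:
        raise ValueError("assertion outside its validity window")
    return payload["subject"], payload["attributes"]


def authorize_grid_job(idp_assertion, vo_assertion, now=None):
    """Grid SP policy combining both attribute sources: the home IdP must
    still vouch for the user as a member, and the VO must grant the
    production role.  Returns (allowed, reason)."""
    try:
        subject, home = verify_assertion(idp_assertion, IDP_KEYS, SP_ENTITY_ID, now)
        vo_subject, vo = verify_assertion(vo_assertion, VO_KEYS, SP_ENTITY_ID, now)
    except ValueError as err:
        return False, str(err)
    if vo_subject != subject:
        return False, "VO attributes belong to another subject"
    if "member" not in home.get("eduPersonAffiliation", []):
        return False, "home institution no longer lists the user as a member"
    if "production" not in vo.get("voRole", []):
        return False, "VO does not grant a production role"
    return True, f"{subject} admitted with VO role production"


if __name__ == "__main__":
    t0 = 1159920000.0  # constructed timestamp
    idp_id, vo_id = "https://idp.uni-a.example/idp", "https://vo.cms.example/aa"
    idp = issue_assertion(idp_id, IDP_KEYS[idp_id], "alice@uni-a.example",
                          {"eduPersonAffiliation": ["member", "staff"]},
                          SP_ENTITY_ID, now=t0)
    vo = issue_assertion(vo_id, VO_KEYS[vo_id], "alice@uni-a.example",
                         {"voRole": ["production"]}, SP_ENTITY_ID, now=t0)
    print(authorize_grid_job(idp, vo, now=t0 + 10))
    print(authorize_grid_job(idp, vo, now=t0 + 600))  # expired
```

The subject match between the two assertions matters: without it, a VO assertion for one user could be paired with a valid IdP login of another. Revoking a user is done once, at the home institution, and the "member" check shows why the SP should re-read the IdP's attributes on every session instead of caching them.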
Interoperability gLite - Shibboleth
AAIs in Europe
• There are many AAI efforts underway in Europe
– Normally they are tied to NRENs
• eduGAIN:
– Within GEANT2
– Interoperability between AAIs
– Architecture of bridging elements between federations, based on SAML
– Bridging element to Shibboleth is being developed by SWITCH
Interoperability Efforts Grid - AAIs
• Various interoperability efforts Grid - AAIs underway
– UK, MAMS, GridShib
– Prerequisite: a rather well established AAI federation
• Approach varies (depending on requirements):
– Web-based portals as gateway to the grid
– Command line
– IGTF accreditation
Conclusions
• National AAIs aim to interconnect campus networks
– Single log-on experience for the user
– Enable the user to access many resources
• The AA mechanism of grids is based on X.509 certificates
• Benefits of interoperability between these national AAIs and grid infrastructure(s), on national and European scale:
– User: simple access to many resources
– e-Science: connect the largest audience possible
• SWITCH:
– SWITCHaai: operates a Shibboleth-based AAI in production mode
– gLiteShib: contribution to EGEE-II