2006 © SWITCH Authentication and Authorization Infrastructures in e-Science (and the role of NRENs) Christoph Witzig SWITCH e-IRG, Helsinki, Oct 4, 2006


Page 1

Authentication and Authorization Infrastructures in e-Science (and the role of NRENs)

Christoph Witzig, SWITCH

e-IRG, Helsinki, Oct 4, 2006

Page 2

Outline

• Introduction
  – SWITCH
  – AAIs and e-Science

• Case study SWITCHaai: an example for the role of an NREN in e-Science

• Interoperability AAI - Grid

• The broader picture in Europe

• Summary

Page 3

SWITCH - Teleinformatikdienste für Lehre und Forschung

• Foundation (non-profit organization)

• located in Zurich

• 70 employees

Network

Internet Identifiers

• Domain name registration: .ch and .li

Security

• CERT

Middleware

• AAI

• Mobile

• PKI

• Grid

NetServices

• Video conferencing

• Streaming

• collaboration tools

Page 4

AAI in e-Science

• AAIs solve the old problem of access control to resources

• There are various technologies in use; their usefulness depends on the underlying infrastructure

1. Crusader Castle

2. League of Nations

3. Federations

Page 5

Crusader Castle

Appropriate for few, non-mobile users

Page 6

Crusader Castle

[Figure: resources at University A, Library B and University C (Student Admin, Web Mail, e-Learning, Literature DB, Research DB, e-Journals); each resource runs its own Authorization (User Administration) and Authentication (Resource Credentials).]

• Tedious user registration at all resources

• Unreliable and outdated user data at resources

• Different login processes

• Many different passwords

• Many resources not protected due to difficulties

• Often IP-based authorization

• Costly implementation of inter-institutional access

Page 7

League of Nations

[Figure: University A and University C with resources Student Admin, Web Mail, e-Learning, Research DB; a Passport Issuer (CA) issues standardized credentials (International Conference on Passports 1920), here X.509 credentials; Authorization (User Administration) and Authentication (Resource Credentials) stay at each resource.]

• User registration process with CA

• User has one credential to present to resources

• authN and authZ at resource

• User has to manage credential

• Standard use in grids (IGTF)

• Delegation mechanism

Page 8

Federated Identity Management

[Figure: University A, Library B and University C with resources Student Admin, Web Mail, e-Learning, Literature DB, Research DB, e-Journals; Authentication (Resource Credentials) and Authorization (User Administration) are handled through federated identity management.]

• No user registration and user data maintenance at resource needed

• Single login process for the users

• Many new resources available for the users

• Enlarged user communities for resources

• Efficient implementation of inter-institutional access

Shibboleth

• open source (Internet2)

• SAML

• Web-based Single Sign-on
  – authN at Identity Provider
  – authZ at Service Provider based on user’s attributes as provided by IdP

• Privacy

Page 9

• Introduction

• Case study SWITCHaai: an example for the role of an NREN in e-Science

• Interoperability AAI - Grid

• The broader picture in Europe

• Summary

Page 10

SWITCHaai

• Need for a national AAI infrastructure identified in 2001

• Problems:
  – How to agree on one AAI implementation
  – How to introduce a national AAI in a highly fragmented higher education sector?
  – How to formally agree on a federation policy in a country with a very strong federalist tradition

Today about 160’000 (75%) of the members of the Swiss higher education and research sector have SWITCHaai accounts.

About 10’000 users regularly access about 100 resources.

Examples of resources are e-learning, e-Journals, software distributions, v-conf and others.

Page 11

SWITCHaai Project Timeline

Working groups and sub-projects between university IT services, researchers and SWITCH

Co-operative work to have all stakeholders involved

[Timeline 2001-2007: Study, Architecture Evaluation (Shibboleth), Pilot Operation, Production Operation; stakeholders involved throughout.]

Page 12

Federations

Federation = a group of organizations that agree on a common set of rules and standards with the goal of cooperating in inter-organizational authentication, authorization and accounting


Page 13

Funding

[Chart 2000-2010, funding / costs: Pilot Phase funded by SWITCH & universities; Project Phase funded by federal grants; Operational Service funded by tariffs.]

• SWITCH has applied for federal grants in the name of the Swiss universities

• Grants have to be used for AAI projects and with a matching-funds strategy

Page 14

• Introduction

• Case study SWITCHaai

• Interoperability AAI - Grid

• The broader picture in Europe

• Summary

Page 15

Why Interoperability AAI - Grid?

For AAI Federations:

• Add grid resources to federation

For Grids:

• Add huge user base (campus network)

For Users:

• Simpler management of credentials

• Easy access to grids

For e-Science:

• Unified user base

• Bring stakeholders together (NRENs - Grids)

Page 16

SWITCH and EGEE-II

• SWITCH joined EGEE-II: Interoperability gLite - Shibboleth

• Focus is on interoperability (NO replacement for X.509)

• Key Concepts:
  – Home institution of the user should be the Identity Provider
  – Home institution provides some attributes
  – But VO is needed for (grid specific) attributes
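The Shibboleth model from page 8 (authN at the Identity Provider, authZ at the Service Provider from IdP-provided attributes) combined with the key concepts above (home institution as IdP, VO as the source of grid-specific attributes), as an added Python example that is not part of the original slides nor code from SWITCH, EGEE or gLiteShib: a Service Provider reads a constructed SAML 2.0 assertion, accepts only an issuer listed in its (hypothetical) federation metadata, checks the validity window, and decides access from the home-institution affiliation plus a (hypothetical) VO membership table. The entityID, principal and VO entries are constructed; the attribute names are the standard eduPerson ones.

```python
import xml.etree.ElementTree as ET
from datetime import datetime, timezone
NS = {"saml": "urn:oasis:names:tc:SAML:2.0:assertion"}
# Constructed federation metadata: the IdP entityIDs this SP trusts (hypothetical).
TRUSTED_IDPS = {"https://idp.example-university.ch/idp/shibboleth"}
# Constructed VO membership table, the grid-specific attribute source (hypothetical).
VO_MEMBERS = {"alice@example-university.ch": {"vo": "dteam", "role": "user"}}
# Constructed SAML 2.0 assertion as a home-institution IdP would issue it. The XML
# signature is omitted; a real SP verifies it against federation metadata first.
ASSERTION = """<saml:Assertion xmlns:saml="urn:oasis:names:tc:SAML:2.0:assertion">
  <saml:Issuer>https://idp.example-university.ch/idp/shibboleth</saml:Issuer>
  <saml:Conditions NotBefore="2006-10-04T08:00:00Z" NotOnOrAfter="2006-10-04T08:05:00Z"/>
  <saml:AttributeStatement>
    <saml:Attribute Name="eduPersonPrincipalName">
      <saml:AttributeValue>alice@example-university.ch</saml:AttributeValue>
    </saml:Attribute>
    <saml:Attribute Name="eduPersonAffiliation">
      <saml:AttributeValue>staff</saml:AttributeValue>
    </saml:Attribute>
  </saml:AttributeStatement>
</saml:Assertion>"""
def _ts(value):
    # SAML timestamps are UTC with a "Z" suffix.
    return datetime.strptime(value, "%Y-%m-%dT%H:%M:%SZ").replace(tzinfo=timezone.utc)

def parse_assertion(xml_text):
    # Returns issuer, validity window and {attribute name: [values]}.
    root = ET.fromstring(xml_text)
    cond = root.find("saml:Conditions", NS)
    attrs = {a.get("Name"): [v.text for v in a.iterfind("saml:AttributeValue", NS)]
             for a in root.iterfind("saml:AttributeStatement/saml:Attribute", NS)}
    return (root.findtext("saml:Issuer", namespaces=NS),
            _ts(cond.get("NotBefore")), _ts(cond.get("NotOnOrAfter")), attrs)

def authorize(xml_text, now, required_vo):
    # SP-side decision: authN is delegated to the federation IdP, authZ uses attributes.
    issuer, not_before, not_on_or_after, attrs = parse_assertion(xml_text)
    if issuer not in TRUSTED_IDPS:
        return False, "issuer not in federation metadata"
    if not (not_before <= now < not_on_or_after):
        return False, "assertion outside its validity window"
    # Home-institution affiliation gates general access; the VO record gates the grid resource.
    if not set(attrs.get("eduPersonAffiliation", [])) & {"staff", "faculty", "student"}:
        return False, "home-institution affiliation not sufficient"
    principal = attrs.get("eduPersonPrincipalName", [None])[0]
    vo = VO_MEMBERS.get(principal)
    if vo is None or vo["vo"] != required_vo:
        return False, "%s is not a member of VO %s" % (principal, required_vo)
    return True, "%s admitted as %s in VO %s" % (principal, vo["role"], vo["vo"])
```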

Page 17

Interoperability gLite - Shibboleth

Page 18

• Introduction

• Case study SWITCHaai

• Interoperability AAI - Grid

• The broader picture in Europe

• Summary

Page 19

AAIs in Europe

• There are many AAI efforts underway in Europe; normally they are tied to NRENs

• eduGAIN:
  – Within GEANT2
  – Interoperability between AAIs
  – Architecture of bridging elements between federations, based on SAML
  – Bridging element to Shibboleth is being developed by SWITCH

Page 20

Interoperability Efforts Grid - AAIs

• Various interoperability efforts Grid - AAIs underway
  – UK, MAMS, GridShib
  – Prerequisite: rather well established AAI federation

• Approach varies (depending on requirements):
  – Web-based portals as gateway to grid
  – Command line
  – IGTF accreditation

Page 21

Conclusions

• National AAIs aim to interconnect campus networks
  – Single log-on experience for the user
  – Enable the user to access many resources

• AA mechanism of grids is based on X.509 certificates

• Benefits of interoperability between these national AAIs and grid infrastructure(s) (on national and European scale)
  – User: simple access to many resources
  – e-Science: connect the largest audience possible

• SWITCH:
  – SWITCHaai: operate a Shibboleth-based AAI in production mode
  – gLiteShib: contribution to EGEE-II