Authentication and Authorization Overview Kimmo Koskenniemi, Antti Arppe, Mikael Lindén University of Helsinki, CSC – IT Centre for Science Consortium meeting – Legal thematic session Barcelona 2009-05-12

Page 1

Authentication and Authorization Overview

Kimmo Koskenniemi, Antti Arppe, Mikael Lindén
University of Helsinki, CSC – IT Centre for Science

Consortium meeting – Legal thematic session
Barcelona

2009-05-12

Page 2

Consortium Meeting

Barcelona 2009-05-12

www.clarin.eu

CLARIN players and their relationships (diagram)

• dashed arrows: flow of permissions

• solid arrows: data flow and other connections

Nodes: Content Provider, Service Provider, CLARIN User, Copyright Owner, Authorization Records, Access Database

Page 3

CLARIN legal entities (1)

Copyright Owner – CO
Content Provider – CP
Service Provider – SP
Identity Federation – IdF
Identity Provider – IdP
CLARIN User – CU

How do these map with the CLARIN centre types (in the WP2 documentation)?

Page 4

CLARIN legal entities (2)

Copyright Owners (CO)
– the authors and publishers, or whoever possesses the original (or acquired) rights

Content Providers (CP)
– organizations which acquire language materials and sufficient rights from the Copyright Owners (CO)
– may also produce these resources themselves
– the rights needed by the CP typically include the right to grant some end users the right to access and use the materials
– COs may put some restrictions on who may use the materials and in which ways they may be used, e.g. only for research purposes, or not to make copies other than customary citations
– deposits the material at a CLARIN Service Provider (SP)

Page 5

CLARIN legal entities (3)

Service Provider (SP)
– institution which provides technical access to the LRT
– usually a computing centre
– agrees to allow CLARIN end-users to access the materials only according to the authorization by CPs: some materials automatically for larger groups, others only according to individual applications
– agrees to protect the material against unauthorized access

The CLARIN infrastructure will consist of several SPs which are linked together with agreements

Several CPs may be connected to each SP

Page 6

CLARIN legal entities (4)

CLARIN Identity Federation (IdF)
– consists of IdPs which operate according to a common policy (e.g. Haka in Finland, DFN in Germany, SurfFederatie in the Netherlands)
– SPs make agreements with IdFs
– each SP cooperates with all CLARIN IdFs

Identity Providers (IdP)
– are existing institutional identity services (e.g. University of Helsinki as a part of Haka)
– used for identifying large groups of people, such as the staff of organizations or students
– the (unique) identity provided by IdPs within IdFs is the basis for identifying CLARIN Users (CUs)

CLARIN User (CU)
– identified and authenticated with the attributes provided by an IdP, as eduPersonPrincipalName@domain (ePPN@domain)

Page 7

CLARIN legal entities (5)

The CLARIN AA infrastructure consists of
– many CP institutions
– not so many SP centres
– each CP is typically associated with one SP centre
– CO involvement restricted to the negotiations and agreements by which CPs acquire LRT content from them
– CLARIN SPs are linked with all national IdFs using SAML2 and ePPN@domain identities
– one organization may offer several functions
  • some units may provide both the CP and SP functions
  • some CLARIN SP may maintain a national IdP federation (e.g. CSC maintains Haka in Finland)

Page 8

Authorization

CP institutions control the authorization by maintaining the contents of CLARIN Authorization Records (ARs)
– binding legal documents with (electronic) signatures which indicate which materials each CU is allowed to use and how
– some end-user licenses may be granted automatically by the electronic signature of the CU
– the permitted uses of the material may vary
– some materials require a more elaborate application by the CU and processing by the CP, including
  • explaining and justifying the need to use a material
  • a possible recommendation (through an electronic signature)
  • acceptance or denial of the application
– all rights the CP can grant to the CUs to use materials must have been acquired from the CO

Page 9

CLARIN players and their relationships (diagram)

• dashed arrows: flow of authorizing

• red arrows: flow of access

Nodes: Content Provider, Service Provider, CLARIN User, Copyright Owner, Authorization Records, Access Database

Page 10

Authorization

The ARs are technically maintained by the SPs

The ARs are based on
– unique IdP identities: ePPN@domain
– potentially required (electronic) signatures confirming the acceptance of relevant license terms

The Access Database contains the core information of the ARs, i.e. which materials (identified by PIDs) a user (identified as ePPN@domain) is allowed to use, according to the Single Sign-On (SSO) principle

Page 11

Agreements between CLARIN legal entities

– CO-CP: acquisition of permissions
– CP-SP: resource deposition agreements, including AR and access database maintenance
– SP-SP: agreement on uniform services
– SP-IdF: agreement on secure and uniform identification
  – SP-IdP: agreement on the same in the absence of national IdFs
– IdF-IdF: confederations (eduGAIN etc.) on common policies and interpretation of attributes
– CP-CU: end-user license

Page 12

CLARIN players and their relationships (diagram)

• red arrows: agreements

Nodes: Content Provider, two Service Providers, CLARIN User, Copyright Owner, Authorization Records, Access Database

Page 13

CLARIN SP-SP agreement (1)

– links all CLARIN SP centres together
– harmonizes their CLARIN services: CUs can
  • identify themselves using their local IdP services
  • access the materials on any SP centre according to their permissions in the ARs
– contains some obligations for each of the participating centres
  • responsibility to enter into the necessary agreements with the IdPs used within CLARIN
  • may include the agreements allowing the use of identity information in a systematic way together with the other centres in the group

Page 14

CLARIN SP-SP agreement (2)

– states the set of minimum requirements for usage, deposition and authorization rights which a CP must be able to grant to all SPs, and which each CP therefore has to have negotiated with and acquired from each CO, to allow for the use of these materials throughout the CLARIN federation of SPs (in the form of a checklist or model licensing templates)
– requires that the CPs of the SP may only include materials with sufficient rights in the CLARIN services

Page 15

CLARIN LRT deposition agreement: CP ↔ SP

– between each CP institution and the associated SP centre
– preferably, the rights should permit depositing the material in more than one CLARIN SP centre at the same time → back-up, mirroring etc.
– the SP (or the SPs) must agree to allow users to access only materials for which they have an explicit authorization by the CP
– the SP must also agree to destroy the copies of the materials at the possible termination of the agreement

Page 16

Deposition agreement: CP ↔ SP

The materials, tools and services can be classified according to the limitations of their use into three general categories:
1. materials which can be freely used by anyone,
2. materials to which the CP can grant a license automatically through an electronic signature by the user (unilaterally),
3. materials which can only be accessed according to an individual application by the user and after individual consideration by the CP (bilaterally).

License agreements typically impose limitations on usage to which the user commits upon receiving permission, e.g. only for academic research and education.

Page 17

Deposition agreement: LRT metadata requirements

In addition to providing the actual content, the CP is also responsible for supplying some metadata in a CLARIN standard format, including exact information about the authorization scheme for the material:
i. who is/are authorized to grant the permissions for users,
ii. what qualifications the individual applicants must satisfy, and
iii. what license agreement the applicants must sign (including the license text which tells the exact conditions of use).

The CP may also have to indicate the level of trust needed for identifying the CUs.

Page 18

Authorization – Access (diagram)

Nodes: Content Provider (supplies Metadata for M, Assurances and Licenses, and Material M); Service Provider (holding the Access Database of ePPN@site, PID pairs); IdP; User (ePPN@site)

Page 19

Simple authorization workflow (1)

Category 2 – Resource available to users upon one-sided commitment to research use

1. Raymond Researcher from the MPI in Nijmegen wants to use language resource G, stored at CSC in Helsinki/Espoo
2. Raymond goes to the CLARIN resource listing at www.clarin.eu as a new CLARIN user
3. Raymond selects resource G – with unique PID(G) – from a list
   – the service informs Raymond that he has to agree to and sign a CLARIN general End-user License Agreement (EULA) concerning research use
4. Raymond clicks the link ”Apply for access to resource G”

Page 20

Simple authorization workflow (2)

5. Raymond is redirected to the AR service at CSC, https://ar.csc.fi/licenses/request, via logging in through his Dutch national IdF service SurfFederatie (specifically his local IdP: MPI/Nijmegen)
   – Raymond is shown the general CLARIN terms of use (EULA) for research purposes
6. Raymond ticks the box ”I have read and understood these terms of use for research and agree to abide by them” and presses the ”Agree” button
   – Raymond's identity attributes, [email protected] (eduPersonPrincipalName@domain) as provided by his IdP (MPI/Nijmegen), are now linked with the resource identifier PID(G) in the Authorization Records (AR) at CSC

Page 21

Simple authorization workflow (3)

7. Raymond proceeds to get access to resource G

Page 22

Complex authorization workflow (1)

Category 3: User commitment to specific license terms and individual recommendation and consideration required

1. Raymond Researcher from MPI/Nijmegen wants to use language resource S at CSC, ”managed” by Kimmo Koskenniemi
2. Raymond goes to the CLARIN resource listing at www.clarin.eu
3. Raymond selects resource S – identified with unique PID(S) – from a list
   – the service informs Raymond that access to resource S requires authorization granted personally by Kimmo Koskenniemi
4. Raymond clicks the link ”Apply for access to resource S”

Page 23

Complex authorization workflow (2)

5. Raymond is redirected to the AR service at CSC, https://ar.csc.fi/licenses/request/, via logging in through his national IdF service SurfFederatie (specifically his local IdP: MPI/Nijmegen)
6. Raymond writes an English motivation why he should be granted access to resource S. In addition, Raymond
   – includes his PhD research plan abstract
   – provides a link to his home page at his home university
   – selects Peter Wittenburg from a list of Dutch national referees
   – reads and signs the general and resource-specific terms
   – clicks the button 'Send application'

Page 24

Complex authorization workflow (3)

7. Peter Wittenburg receives an email from the AR at CSC: ”Raymond Researcher from MPI/Nijmegen asks you for a recommendation to use resource S. In order to give the recommendation, click the link https://ar.csc.fi/licenses/recommend”
8. Peter clicks the link and logs into the AR at CSC with the Dutch national IdF SurfFederatie (specifically his local IdP: MPI/Nijmegen)
9. Peter is presented with Raymond's application (along with the attachments), browses them, writes a few words of recommendation to Kimmo, and clicks the button 'Recommend'

Page 25

Complex authorization workflow (4)

10. Kimmo Koskenniemi at the University of Helsinki receives an email from the AR at CSC: ”Raymond Researcher from MPI/Nijmegen asks you for permission to use resource S. Peter Wittenburg from MPI/Nijmegen supports Raymond's application. In order to grant the permission, click the link https://ar.csc.fi/licenses/grant/”
11. Kimmo clicks the link and logs into the AR at CSC with the Finnish national IdF Haka (specifically via his local IdP: University of Helsinki)

Page 26

Complex authorization workflow (5)

12. Kimmo is presented with Raymond's application (along with the attachments) as well as Peter's recommendation, browses them, and clicks the button 'Grant permission'
    – Raymond's identity attributes ([email protected]) are linked in the AR at CSC with the data indicating that he is now authorized to access resource S, identified by the unique PID(S)
13. Raymond receives an email from the AR at CSC: ”You have been granted permission to use resource S. You now have access to this resource.”
    – Raymond may then access S at CSC by authenticating himself via the Dutch SurfFederatie IdF ([email protected]), which has CSC as one of its many Service Providers
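The two workflows above, together with the Access Database model of page 10 (an ePPN@domain identity linked to a PID), can be replayed in a small model. The following is an added example written for this overview, not code from CLARIN, CSC or the AR service; the PIDs, the ePPNs (the slides' addresses are obfuscated, so constructed ones such as raymond@mpi.nl are used) and the IdP scopes are all assumptions. It treats the referee recommendation as mandatory for resource S, as in the category 3 scenario, and adds one check the slides imply but do not spell out: before an ePPN@domain is recorded, the SP verifies that the IdP which asserted it is allowed to assert that domain, because otherwise any IdP in any federation could claim identities for any other institution.

```python
"""Toy model of the CLARIN Authorization Records (AR) service and its Access
Database. Added example, not CLARIN code; PIDs, ePPNs and IdP scopes are
constructed for illustration."""
from dataclasses import dataclass
from typing import Dict, Optional, Set, Tuple

# The three categories from the deposition agreement (page 16).
FREE, UNILATERAL, BILATERAL = 1, 2, 3

@dataclass
class Resource:
    pid: str
    category: int
    grantor: Optional[str] = None  # ePPN of the CP person who decides (cat. 3)

@dataclass
class Application:
    applicant: str
    pid: str
    referee: str
    recommended: bool = False
    granted: bool = False

def assert_identity(eppn: str, idp_scopes: Set[str]) -> str:
    """Accept an ePPN only if its scope is one the asserting IdP may assert;
    without this check any IdP could mint identities for another institution."""
    user, sep, scope = eppn.rpartition("@")
    if not (sep and user and scope):
        raise ValueError("ePPN must be scoped: user@domain")
    if scope.lower() not in {s.lower() for s in idp_scopes}:
        raise PermissionError(f"IdP may not assert scope {scope!r}")
    return f"{user}@{scope.lower()}"

class AuthorizationRecords:
    def __init__(self) -> None:
        self.resources: Dict[str, Resource] = {}
        self.access_db: Set[Tuple[str, str]] = set()  # (ePPN, PID) pairs
        self.applications: Dict[int, Application] = {}

    def is_authorized(self, eppn: str, pid: str) -> bool:
        # Access-time check (SSO): category 1 is open, the rest need an AR entry.
        if self.resources[pid].category == FREE:
            return True
        return (eppn, pid) in self.access_db

    def accept_eula(self, eppn: str, pid: str, ticked: bool) -> bool:
        # Category 2: a ticked EULA goes straight into the Access Database.
        if self.resources[pid].category != UNILATERAL:
            raise PermissionError("a signed EULA alone does not authorise this")
        if ticked:
            self.access_db.add((eppn, pid))
        return ticked

    def apply(self, eppn: str, pid: str, referee: str, signed: bool) -> int:
        # Category 3, step 1: signed terms plus an independent referee.
        if self.resources[pid].category != BILATERAL:
            raise PermissionError("resource does not take applications")
        if not signed:
            raise ValueError("general and resource-specific terms must be signed")
        if referee == eppn:
            raise PermissionError("applicant may not referee their own application")
        app_id = len(self.applications) + 1
        self.applications[app_id] = Application(eppn, pid, referee)
        return app_id

    def recommend(self, referee_eppn: str, app_id: int) -> None:
        # Category 3, step 2: only the referee named on the application.
        app = self.applications[app_id]
        if referee_eppn != app.referee:
            raise PermissionError("not the referee on this application")
        app.recommended = True

    def grant(self, grantor_eppn: str, app_id: int) -> bool:
        # Category 3, step 3: only the CP's grantor, once, after a recommendation.
        app = self.applications[app_id]
        if grantor_eppn != self.resources[app.pid].grantor:
            raise PermissionError("not authorised to grant this resource")
        if not app.recommended or app.granted:
            raise PermissionError("no recommendation yet, or already granted")
        app.granted = True
        self.access_db.add((app.applicant, app.pid))
        return True

def run_workflows() -> Tuple[AuthorizationRecords, Dict[str, bool]]:
    # Replays the simple (G) and complex (S) workflows with constructed identities.
    raymond = assert_identity("raymond@mpi.nl", {"mpi.nl"})  # assumed scopes
    peter = assert_identity("peter@mpi.nl", {"mpi.nl"})
    kimmo = assert_identity("kimmo@helsinki.fi", {"helsinki.fi"})
    ar = AuthorizationRecords()
    ar.resources["PID(G)"] = Resource("PID(G)", UNILATERAL)
    ar.resources["PID(S)"] = Resource("PID(S)", BILATERAL, kimmo)
    ar.accept_eula(raymond, "PID(G)", ticked=True)              # simple workflow
    app = ar.apply(raymond, "PID(S)", referee=peter, signed=True)
    before = ar.is_authorized(raymond, "PID(S)")
    ar.recommend(peter, app)                                     # complex workflow
    ar.grant(kimmo, app)
    return ar, {"G": ar.is_authorized(raymond, "PID(G)"),
                "S_before_grant": before, "S": ar.is_authorized(raymond, "PID(S)")}
```

The point of the model is that every path, the one-click EULA and the multi-party application alike, terminates in the same (ePPN, PID) entry, and that each step of the category 3 path is tied to a specific authenticated identity: the referee the applicant named, the grantor the CP registered for the resource. An AR service that let any logged-in user hit the recommend or grant link would collapse the bilateral category into the unilateral one.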

Page 27

Thank you for your attention

CLARIN has received funding from the European Community's Seventh Framework Programme under grant agreement number 212230

Page 28

CLARIN players and their relationships (diagram)

Nodes: Content Provider, Service Provider, CLARIN User, Copyright Owner, Authorization Records, Access Database

• dashed red arrows: next talk by Marjut Salokannel