FIM4R v 2 - Indico · Research Community PerspecWves – CLARIN Dieter 20m Research Community PerspecWves – EUDAT Johannes 20m FIM4R v2 key points Hannah 10m Discussion & Next Steps

FIM4Rv2.0

Presenters

JohannesReetz• EUDAT• h<ps://www.rd-alliance.org/users/johannesreetz

DieterVanUytvanck• CLARIN• h<ps://www.rd-alliance.org/users/dietervu

HannahShort• CERN/WLCG• h<ps://www.rd-alliance.org/users/hannah-short

Agenda

BackgroundofFIM4R Hannah 10m

EvoluWonofFIMinthelast5years Hannah 10m

ResearchCommunityPerspecWves–CLARIN Dieter 20m

ResearchCommunityPerspecWves–EUDAT Johannes 20m

FIM4Rv2keypoints Hannah 10m

Discussion&NextSteps 20m

ObjecWves•  RaiseawarenessoftheupcomingFIM4Rv2whitepaper

•  GainfeedbackoncontentforFIM4Rv2whitepaper

Whatdoesyourresearchcommunityneed?Discussion

attheend

BACKGROUNDOFFIM4R

FederatedIdenWtyManagement•  FederatedIdenWtyMangement(FIM)istheconceptofgroupsofServiceProviders(SPs)andIdenWtyProviders(IdPs)agreeingtointeroperateunderasetofpolicies.

•  FederaWonsaretypicallyestablishednaWonallyandusetheSAML2protocolforinformaWonexchange

•  EachenWtywithinthefederaWonisdescribedbymetadata

6h<ps://www.switch.ch/aai/about/federaWon/

CredittoAlessandraScicchitano–GEANTforthisslide

•  eduGAINisaformofinterfederaWon•  ParWcipaWngfederaWonsshareinformaWon(metadata)aboutenWWesfromtheirown

federaWonwitheduGAIN•  eduGAINbundlesthismetadataandpublishesitinacentrallocaWon.

7

FederatedIdenWtyManagementWorldwide

CredittoAlessandraScicchitano–GEANTforthisslide

•  ResearchCommuniWestypicallyjointhroughanSP-IdPproxy–  Fromtheoutside(eduGAIN)

itlookslikeanSP–  Fromtheinsideitlookslike

anIdP•  Wedependonthestabilityof

eduGAINasanauthenWcaWoninfrastructure

8

OurInteracWonwithIdenWtyFederaWons

Source:GEANT,GN3PLUS13-642-23

•  The1stworkshopwasheldatCERNinJune2011(h<ps://indico.cern.ch/event/129364),•  the2ndatRALinNovember2011(h<ps://indico.cern.ch/event/157486),•  the3rdatISGCinFebruary2012(h<ps://indico.cern.ch/event/177418),•  the4thatMPIPsycholinguisWcsNijmegeninJune2012(h<p://www.clarin.eu/events/3501),•  the5thatPSIVilligeninMarch2013(h<p://indico.psi.ch/event/2230),•  the6thatCSCinHelsinkiinOctober2013(h<ps://refeds.org/meeWngs/oct13/index.html),•  the7thatESRINinFranscaWinApril2014(h<ps://indico.cern.ch/event/301888/),•  the8thatCERNon3-4thFebruary2015(h<ps://indico.cern.ch/event/358127).•  the9thFIM4RmeeWng30thNovember2015(h<ps://indico.cern.ch/event/450600/).•  the10thFIM4RmeeWng20thFebruary2017(h<ps://indico.cern.ch/event/605369/)Throughtheseworkshops,theresearchcommuniWeshaveconvergedonacommonvisionforFIM,enumeratedasetofrequirementsandproposedanumberofrecommendaWonsforensuringaroadmapfortheuptakeofFIMisachieved.Thesepointshavebeendocumentedinapaper(h<ps://cdsweb.cern.ch/record/1442597). 9

BackgroundofFIM4R

Requirementsdocumentpublishedin2012andnowdueanupdate

10

BackgroundofFIM4R

h<ps://cdsweb.cern.ch/record/1442597

2012Requirements

•  Userfriendliness(high)•  Browser&non-browserfederatedaccess(high).•  BridgingcommuniWes(medium).•  MulWpletechnologieswithtranslatorsincludingdynamicissueofcredenWals(medium).•  ImplementaGonsbasedonopenstandardsandsustainablewithcompaGblelicenses(high).•  DifferentLevelsofAssurancewithprovenance(high).•  AuthorisaGonundercommunityand/orfacilitycontrol(high).•  WelldefinedsemanWcallyharmoniseda<ributes(medium).•  FlexibleandscalableIdPa<ributereleasepolicy(medium).•  ANributesmustbeabletocrossnaGonalborders(high).•  A<ributeaggregaWonforauthorisaWon(medium).•  PrivacyanddataprotecWontobeaddressedwithcommunity-wideindividual

idenWWes(medium)

11

2012RecommendaWons

•  RecommendaWonstotheresearchcommuniWes–  ConductRiskAnalysis–  RunPilotStudiescoordinatedbyexperts

•  RecommendaWonstothetechnologyproviders–  SeparaWonofAuthorizaWonandAuthenWcaWon–  CredenWalsrevocaWon–  A<ributedelegaWontotheresearchcommunity–  StandardiseeffortsinLevelsofSecurity/Assurance

•  RecommendaWonstofundingagencies–  FundFIMtechnologiesthatarefocusedonsolvingthedescribedneedsoftheresearch

communiWes

12

EVOLUTIONOFFIMINTHELAST5YEARS

Summaryfrom10thFIM4RWorkshop•  Significantprogressmade

–  Strongsupportfromfundingbodies–  “WeareherehavingraWonaldiscussionsbetweenRCs,FedOps,eduGAINetc!”–  Manysuccesses

•  Somerequirementsremain,•  Somearesolved,•  Forotherswehavefoundwork-arounds,•  Somearebrandnew

2012RecommendaWons




communi=es

15

AARCI&II•  BuildingonexisGngtools,avoidingfragmentaGonandbringingFIMtoResearch

CollaboraWons•  Manypilotsproduced,toshowthatthetechnologyworks,andthenworktomakethem

sustainable,e.g.cerWficateprovisioning,tokentranslaWon•  LookingatmanypolicyaspectsandtheirinteracWonwithexisWnggroups•  AARC2approved2017-19

–  Supportmoreresearchcommunityusecases–  Communityengagement->conWnuouslytalkwithresearchcommuniWes,helpand

idenWfynewrequirements–  Competencecentreforlarger/e-infrastructurestoco-developnewsoluWons

•  FIM4Risakeycommunity

h<ps://aarc-project.eu

2012RecommendaWons


•  RecommendaWonstothetechnologyproviders–  Separa=onofAuthoriza=onandAuthen=ca=on–  CredenWalsrevocaWon–  A@ributedelega=ontotheresearchcommunity–  StandardiseeffortsinLevelsofSecurity/Assurance


communiWes

17

AARCBlueprintArchitecture•  AnalysisofexisWngarchitectures,andcommon

componentsplo<ed•  ProducWonreadyopWonsforcomponentsidenWfied•  AimstoaddressthespecificdifficulGesthatRCs

havewhenoperaWnginternaWonally•  BlueprintarchitectureproposesbestpracWces

–  AuthorisaGonlayerexplicitanddesignedtobeintegratedwithcommunitymembershiptools

–  FocusonpragmaGcguidelines,producWon-readysuggesWonsthatdon’trequire10yearsofdeploymenthistory(e.g.commandlineaccess,tokentranslaWonetc)

DeliverabledueMay2017ath<ps://aarc-project.eu

2012RecommendaWons




communiWes

19

Securityincidentresponse(Siroi)•  ProblemswithsecurityinfederaWons

–  Highlydistributed,e.g.logsaresplit–  Badguydoesn’tsleepbutIdPoperatorsdo–  NomandatetoinvesWgateexternalorganisaWons

•  SiroiREFEFDSWG,~2yearsdone,~2yearsleq–  Producedframeworktobuildtrustandsetabaseline

inoperaWonalsecuritybestpracWces•  FutureWorkplanincludes

–  HelpingfederaWonstoadoptprocedures–  ReachingouttocommuniGese.g.TF-CSIRT,REFEDS,FOG,FIM4R

h<ps://refeds.org/siroi

h<ps://aarc-project.eu/wp-content/uploads/2017/02/DNA3.2-Security-Incident-Response-Procedure-v1.0.pdf

MinimumLoA•  WorkinAARC,nowbeingextendedthroughREFEDS•  InterviewedCLARIN,DARIAH,ELIXIR,LIGO,Photon/Neutron,WLCG,EGI,PRACEandcameup

withaminimummutualsetofrequirements–  TheaccountsintheHomeOrganisaWonsmusteachbelongtoaknownindividualperson–  PersistentuseridenWfiers(i.e.,nore-assignmentofuseridenWfiers)–  DocumentedidenWtyvesngprocedures(notnecessarilyface-to-face)–  PasswordauthenWcaWon(withsomegoodpracWces)–  DeparWnguser’seduPersonAffiliaWonmustchangepromptly

h<ps://aarc-project.eu/wp-content/uploads/2015/11/MNA31-Minimum-LoA-level.pdf

2012Requirements

•  Userfriendliness(high)•  Browser&non-browserfederatedaccess(high).•  BridgingcommuniWes(medium).•  MulWpletechnologieswithtranslatorsincludingdynamicissueofcredenWals(medium).•  ImplementaGonsbasedonopenstandardsandsustainablewithcompaGblelicenses(high).•  DifferentLevelsofAssurancewithprovenance(high).•  AuthorisaGonundercommunityand/orfacilitycontrol(high).•  WelldefinedsemanWcallyharmoniseda<ributes(medium).•  FlexibleandscalableIdPa<ributereleasepolicy(medium).•  A@ributesmustbeabletocrossna=onalborders(high).•  A<ributeaggregaWonforauthorisaWon(medium).•  Privacyanddataprotec=ontobeaddressedwithcommunity-wideindividual

iden==es(medium)

22

PoliciesforProcessingPersonalData•  NewGDPRgoesintoforceMay2018–legallybindingformemberstates•  NotlegaladvicebuthasbeenreadbylawyersJ•  Scopeisrestrictedtodatacollectedonusage(logs),doesnotcovera<ributereleaseor

personaldatainresearchsets.•  BindingCorporateRules(BCRs)arearecommendedframeworktobindanorganisaWon,

thoughonlyapplicabletolegalenWWes(manyinfrastructuresarenot)•  Conclusions

–  InEUlegiGmateinterest&consentok–  OutsideEU,BCR-likeapproachmightwork.AnenforceableCoComightbealternaWve

togesngspecificauthorisaWon

h<ps://aarc-project.eu/wp-content/uploads/2016/12/AARC-DNA3.5_RecommendaWons-for-Processing-Personal-Data_2016_11_07_v4_DG.pdf

DataProtecWonCodeofConduct•  V1Released2013

–  ScopeisrestrictedtoaNributes–  106SPssupport(Feb‘17)–  112IdPsclaimtoreleasea<ributestothem(Feb’17)

•  AskedWP29forblessing.Results:–  WecanuseitJ–  ItcannotbeendorsedbyWP29sincedoesn’tprovideaddedvalue(e.g.explainingdata

minimisaWonincontextofFIM)L•  V2addressesWP29requirements,GDPRchanges,releaseoutsideEU(inc.internaWonal

organisaWons)–  2monthconsultaWonstarWngWednesdayatTIIME–  AimtosubmitforapprovalinMay2018

h<ps://wiki.refeds.org/display/CODE/Data+ProtecWon+Code+of+Conduct+Home

2012Requirements

•  Userfriendliness(high)•  Browser&non-browserfederatedaccess(high).•  BridgingcommuniWes(medium).•  MulWpletechnologieswithtranslatorsincludingdynamicissueofcredenWals(medium).•  ImplementaGonsbasedonopenstandardsandsustainablewithcompaGblelicenses(high).•  DifferentLevelsofAssurancewithprovenance(high).•  AuthorisaGonundercommunityand/orfacilitycontrol(high).•  Welldefinedseman=callyharmoniseda@ributes(medium).•  FlexibleandscalableIdPa<ributereleasepolicy(medium).•  ANributesmustbeabletocrossnaGonalborders(high).•  A<ributeaggregaWonforauthorisaWon(medium).•  PrivacyanddataprotecWontobeaddressedwithcommunity-wideindividual

idenWWes(medium)

25

Research&ScholarshipEnWtyCategory•  Mutuallyagreeda<ributebundle,widecommunityconsultaWon•  ResearchSPsencouragedtolimitrequirementstoR&S•  IdPsencouragedtoreleaseR&SaNributes•  “TheR&Sa>ributebundleconsists(abstractly)ofthefollowingrequireddataelements:

–  ShareduseridenNfier–  Personname–  Emailaddress

•  andoneopNonaldataelement:–  AffiliaNon”

h<ps://refeds.org/category/research-and-scholarship

CLARINPERSPECTIVE

EUDATPERSPECTIVE

FIM4RV2KEYPOINTS

CommunityUpdates•  Atthe10thworkshopweheardupdatesfrom

–  6ResearchCommuniWes(LIGO,WLCG,DARIAH,INAF,ELIXIR,Umbrella)

–  2Infrastructures(EUDAT,EGI)–  Slidesareinappendix

•  Excellentdiscussiononcommonthemesandchallenges•  Summaryat

h<ps://indico.cern.ch/event/605369/contribuWons/2440465/a<achments/1415673/2167445/FIM4R_Summary.pdf

CommonThemesfromCommuniWes

ProxyModel A<ributeEnrichment Outsourcing Off-the-shelf

components

ORCID SocialLoginCommunityControlled

AuthorisaWon

FederaWonGovernanceLimitaWons

CommunityPerspecNveSlidesinAppendix

•  Addresscommandlineandnon-webusecases•  IntegrateFIMwithexisWngCommunityMembershipManagementTools•  BuildoperaWonalsupportin(inter)federaWon(securityandoperaWons)•  SupportGDPRadequacycerWficaWonforintergovernmentalorganisaWons•  MakeFIMaproducWonserviceandacornerstoneoftheEuropeanOpen

ScienceCloud,includingcommercialIaaSinteracWon•  IntegraWonwitheID(GovernmentalIDprograms)•  GreatercollaboraWonwithnon-EUpartners(e.g.US)•  …

32

ExampleRecommendaWons2017

Whatwouldyouadd?

REQUIREMENTSDISCUSSION

NEXTSTEPS

FIM4RDocumentPlans–Proposal

• RepresentaWvesfromcommuniWes/infrastructures• DefinesurveyQs(firstdraqmadeinFebruary,spearheadedbyNikhef)• WritesummaryofprogresssinceFIM4Rv1• CombinecontribuWonsfromcommuniWes/infrastructures

Editorialboard

• Statementonownprogressandchallenges• Completesurvey

Community/Infrastructureinput

FIM4RDocumentPlans-Strategy

• Whitepaper• IncludetargetedrecommendaWonstoplayers,e.g.Fundingagencies,SPs,IdPs,FederaWonOperators

Output?

• Keepmomentum• Beawareofcallsforfunding

Timeline?

• Opendatapublisher• Communitydocumentrepository• Conferenceproceedings2018

Where?

Howtogetinvolved?•  Catchusthisweek•  Mailinglist

h<ps://e-groups.cern.ch/e-groups/EgroupsSubscripWon.do?egroupName=fim4r-members

•  Cometothenextworkshop,probablyUSA,probablyAutumn

CommunityNoWces•  Fim4r.orgcomingsoon!ThankstoLIGOandGEANT•  HighEnergyPhysicsSecurity&AccessManagementWhitepaper

–  LookingformoreparWcipants–  MoreinformaWonath<p://hepsoqwarefoundaWon.org

•  ThisRDAFIMIGislookingforasecondChair–knowsomeonewhocouldfitthepost?

QUESTIONS?

APPENDIX–ADDITIONALPERSPECTIVES

COMMUNITIES

LIGO(GravitaWonalWavePhysics)•  SPsindividuallyregisteredinincommon•  IdPoflastresort=Google,UnitedID,NCSA•  MovingtoCIlogon2(marriageofCILogonandComanage)– outsourceIDlayer•  ConsideringmovetoOIDCinsteadofSAML,howeverthecostisintegraWngwithfederaWons.•  Wantedtoencouragea<ributereleaseandavoiduseofaproxy,howeverthisdoesn’tseemto

work,mayhavetomovetoproxymodel•  HopingtomoveenWrelytoFIM,removeLIGOIdP•  Challenges

–  Budgetconstraints,pushedtoworkonvisualaspects,e.g.GraceDB–  SiroiadopWonstalledbyincommon’srequirementforClevelapproval–  SomeeduGAINpartnersnottotally“in”eduGAINe.g.,Australia,Japan–  NoroleforresearchcommuniGesingovernanceoffederaGons,perhapsthesoluWonistocreateanIGTFfederaGon

ELIXIR(Biosciences)•  ProxyIdP,SAML2plussupportforOIDC•  ORCIDasanIdP,plussocialopWons– researcherLoAenrichedseparately•  IfthechosenIdPdoesnotprovidea<ributebundle,helpfulmessageisdisplayed– userpassedto

localsupportgroup,e.g.ELIXIRGermany,whowillfollowupwiththeIdP•  GroupManagement

–  Perun–  UserdrivenwithcustomapplicaWonformspergroup–  BonaFidemanagementontoptograntaddiWonalaccess,e.g.checkORCIDIDagainstpublicaWon,userscan

endorseotherusers•  Example.BeaconNetwork(queryforDNAdatasets),requiresBonaFideResearchStatus•  VMscreatedbyuserscannotbetrusted,onlyallowmounWngofdatathatwasapprovedby

commi<ee

WLCG(HighEnergyPhysics)•  ExisWngcerWficatebasedfederaWon•  NewsoluWonfollowsproxymodelforauthenWcaWon,allWLCGservicesbehindCERNSSO.•  TokentranslaGononperservicebasis,notclassicalblueprintarchitecture•  Someprogressoverlastyear,includingoneexperimentmovingmonitoringportalbehindSSO•  DifficultyisgesnguserstoadoptnewtechnologieswhenexisWngsoluWon“works”,albeitina

clunkyfashion•  RequirementsforFIM

–  HelpdeskessenGal–  Siroirequirednow,restricttoknownresearchersregisteredwithVOMS–  CommandlinesoluWonwithminimalbrowserinteracWon

•  ImplementaWonusesSTS,notmaintainedandsubopWmal•  ReconsideringtheroleofVOMS,opWonsinc.AA,tokentranslator,etc

DARIAH(HumaniWes)•  3774users,idenWfiedbyEPPN(possibleweakpoint)•  SecondaryauthenWcaWontrackthatgetsOAuth2authorisaGontoken–  OAuth2chosenforinternalauthorizaWonratherthanECP,followingatrialinwhichanumberofproblemsemerged.OAuth2muchmoresimple(plusfuture-proof)

•  CentralPolicyDecisionPoint,withaccessrightscentrallymanaged

INAF(Astronomy)•  DistributedcommuniWes,rolebasedaccess,projectforseveraldecadessowant

simplicity&sustainability,useOTScomponents•  Fundamentalconstraint=opentoallastronomycommunity(achievedbyenabling

eduGAIN)•  MemberofAARC2 •  CTA

–  EnrichingaNributesthemselves,sinceIdPsinsufficient.Usinggrouperformembershipmanagement

–  InternallyaddingisMemberOfa<ributelist&enGtlementforaccesscontrol–  eduPersonUniqueIDchosen

•  Consentmanagement•  3mainexperimentsbuthavingseparatesoluWonsforeachexperimentseemed

simplerthancreaWngsinglesoluWon

Umbrella(Photon&NeutronPhysics)•  UsedbyphotonandneutronfaciliWesinEurope(14partners+2pending)–allbasicallyproducWonstatus

•  IntegraWngORCID&pushingumbrellaIDIdPineduGAIN–  Only3a<ributes->noproblemfordataprotecWonsinceitisallopaque–  willjoinJISCinsteadofSWITCHduetoregistraWonrequirements

•  MemberofAARC2•  UsingmoonshotatDiamond•  UsingeduTeamsforAAsinceusersspreadbetweenmulWplejurisdicWons•  PRpush,funded•  JustIdP,noSP–projectcallededuGAINbridgetoprovideeduGAINaccess

toumbrellaregisteredservices

INFRASTRUCTURES

EGI•  DiversityofVOsraisescomplicaWons•  Numberofservices&IdPsrequiressignificant,scalablepolicywork•  Checkin,soluWondeployedinEGIin2016

–  MulGpleIdPtypesthroughsingleendpoint(inc.social&x509)–  Minimiseoverheadforserviceproviders–  Notallservicesbehindproxybutmovingslowly–  Central,unique,opaque,persistentuserIDcreatedonfirstlogin.UniqueIDcanbefreelysharedsince

opaquebutremainsusefulforcentrallogs–  PreviouslyhadLoABirch(IGTF),nowLoAcalculatedbasedonuserinformaWon–  SteppedLoArequirementsfordifferentriskprofiles,incSiroiforPaaS–  CheckingovernslistoftrustedANributeAuthoriGes,thosetrustedareharmonised&communicatedwith

services–  UnityconnectortogetLToSVOmembershipinformaWon

•  CheckinintegratedwithRCAuthtoprovidex509–  UsersfromtrustedIdPsabletogeneratecerWficates

•  ExplicitaccountlinkingviaCOmanage

Documents

FIM4R v 2 - Indico · Research Community PerspecWves – CLARIN Dieter 20m Research Community PerspecWves – EUDAT Johannes 20m FIM4R v2 key points Hannah 10m Discussion & Next Steps