EOSC Authentication and Authorization Infrastructure (AAI) : Report from the EOSC Executive Board Working Group (WG) Architecture AAI Task Force (TF)
Related papers
Federated Authentication & Authorisation for e-Science
2000
The Grid and Web service community are defining a range of standards for a complete solution for security. The National e-Science Centre (NeSC) at the University of Glasgow is investigating how the various pre-integration components work together in a variety of e-Science projects. The EPSRC-funded nanoCMOS project aims to allow electronics designers and manufacturers to use
Authorisation and identity mapping services for the Open Science Grid
International Journal of High Performance Computing and Networking, 2008
An attribute-based authorisation infrastructure developed for the Open Science Grid (OSG) is presented. The infrastructure integrates existing identity-mapping and group-membership services using concepts prototyped in the PRIMA system. Authorisation scenarios for requests to compute and data resources are detailed. A new SAML obligated authorisation decision statement is introduced that attaches an XACML obligation to the authorisation decision. The use of obligations enables site-centralised, service-independent policy management. Authorisation decisions are enforced via a Workspace Service that creates constrained execution environments configured in accordance with the obligations and other attribute-based information. Finally, an experimental PRIMA authorisation service that extends and simplifies the infrastructure is described.
XACML profile and implementation for authorization interoperability between OSG and EGEE
Journal of Physics: Conference Series, 2010
The Open Science Grid (OSG) and the Enabling Grids for E-sciencE (EGEE) have a common security model, based on Public Key Infrastructure. Grid resources grant access to users because of their membership in a Virtual Organization (VO), rather than on personal identity. Users push VO membership information to resources in the form of identity attributes, thus declaring that resources will be consumed on behalf of a specific group inside the organizational structure of the VO. Resources contact an access policies repository, centralized at each site, to grant the appropriate privileges for that VO group. Before the work in this paper, despite the commonality of the model, OSG and EGEE used different protocols for the communication between resources and the policy repositories. Hence, middleware developed for one Grid could not naturally be deployed on the other Grid, since the authorization module of the middleware would have to be enhanced to support the other Grid's communication protocol. In addition, maintenance and support for different authorization call-out protocols represents a duplication of effort for our relatively small community. To address these issues, OSG and EGEE initiated a joint project on authorization interoperability. The project defined a common communication protocol and attribute identity profile for authorization call-out and provided implementation and integration with major Grid middleware. The activity had resonance with middleware development communities, such as the Globus Toolkit and Condor, who decided to join the collaboration and contribute requirements and software. In this paper, we discuss the main elements of the profile, its implementation, and deployment in EGEE and OSG. We focus in particular on the operations of the authorization infrastructures of both Grids.
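The two abstracts above (the OSG attribute-based infrastructure with SAML/XACML obligations, and the OSG/EGEE interoperability profile) describe the same call-out shape: the requester pushes VO membership attributes, the resource asks a site-central policy service, and a Permit comes back with obligations the enforcement point must honour. The following is an added illustration of that flow, written for this page and not code from either project or from the XACML profile itself. The FQAN syntax is the real VOMS one; the policy rules, DNs, group names and obligation identifiers (such as "local-user" and "max-cpu-seconds") are constructed for the example.

```python
"""Attribute-based authorization call-out in the OSG/EGEE style (added example).

Flow: the caller presents the VOMS attributes from its proxy (a FQAN), the
site-central policy decides, and a Permit carries obligations (local account
mapping and a CPU limit here) that the enforcement point must apply.
The rules, DNs, FQANs and obligation names below are constructed for the example.
"""
from __future__ import annotations

from dataclasses import dataclass, field
from typing import Dict, FrozenSet, List, Optional, Tuple


def parse_fqan(fqan: str) -> Tuple[str, str, Optional[str]]:
    """Split a VOMS FQAN such as '/cms/production/Role=production/Capability=NULL'
    into (vo, group, role). 'Role=NULL' means no role; 'Capability=' is ignored."""
    parts = [p for p in fqan.strip().split("/") if p]
    if not parts or "=" in parts[0]:
        raise ValueError(f"malformed FQAN: {fqan!r}")
    group_parts: List[str] = []
    role: Optional[str] = None
    for p in parts:
        if p.startswith("Role="):
            value = p[len("Role="):]
            role = None if value in ("", "NULL") else value
        elif p.startswith("Capability="):
            continue
        elif "=" in p:
            raise ValueError(f"unknown FQAN component: {p!r}")
        else:
            group_parts.append(p)
    return group_parts[0], "/" + "/".join(group_parts), role


@dataclass(frozen=True)
class Rule:
    vo: str
    group: str                  # group prefix; subgroups inherit unless a more specific rule exists
    role: Optional[str]         # None matches any role, including no role
    resource: str
    actions: FrozenSet[str]
    obligations: Dict[str, object]


@dataclass(frozen=True)
class Decision:
    permit: bool
    reason: str
    obligations: Dict[str, object] = field(default_factory=dict)


# Constructed site-central policy; obligation names are this example's own invention.
SITE_POLICY: List[Rule] = [
    Rule("cms", "/cms", None, "compute", frozenset({"submit"}),
         {"local-user": "cms001", "local-group": "cms", "max-cpu-seconds": 3600}),
    Rule("cms", "/cms/production", "production", "compute", frozenset({"submit"}),
         {"local-user": "cmsprod", "local-group": "cms", "max-cpu-seconds": 86400}),
    Rule("cms", "/cms", None, "storage", frozenset({"read"}),
         {"local-user": "cms001", "local-group": "cms"}),
    Rule("cms", "/cms/production", "production", "storage", frozenset({"read", "write"}),
         {"local-user": "cmsprod", "local-group": "cms"}),
]

# Site-level ban list, checked before any VO attribute is considered.
BANNED_DNS: FrozenSet[str] = frozenset({"/DC=org/DC=example/CN=Revoked User"})


def _group_matches(rule_group: str, group: str) -> bool:
    return group == rule_group or group.startswith(rule_group + "/")


def authorize(subject_dn: str, fqan: str, resource: str, action: str) -> Decision:
    """Deny by default; a ban overrides VO membership; only the most specific
    matching rule (longest group prefix, then explicit role) is consulted, so a
    subgroup rule that omits an action does not fall back to the parent group."""
    if subject_dn in BANNED_DNS:
        return Decision(False, "subject is banned at this site")
    vo, group, role = parse_fqan(fqan)
    candidates = [
        r for r in SITE_POLICY
        if r.vo == vo and r.resource == resource
        and _group_matches(r.group, group)
        and (r.role is None or r.role == role)
    ]
    if not candidates:
        return Decision(False, f"no site policy for {vo} {group} role={role} on {resource}")
    best = max(candidates, key=lambda r: (len(r.group), r.role is not None))
    if action not in best.actions:
        return Decision(False, f"{action!r} not permitted by rule {best.group} role={best.role}")
    return Decision(True, f"matched rule {best.group} role={best.role}", dict(best.obligations))


if __name__ == "__main__":
    alice = "/DC=org/DC=example/CN=Alice"   # constructed subject
    for fqan, res, act in [
        ("/cms/Role=NULL/Capability=NULL", "compute", "submit"),
        ("/cms/production/Role=production/Capability=NULL", "storage", "write"),
        ("/cms/production/Role=NULL/Capability=NULL", "storage", "write"),
        ("/atlas/Role=NULL/Capability=NULL", "compute", "submit"),
    ]:
        print(fqan, res, act, "->", authorize(alice, fqan, res, act))
```

The point of returning obligations rather than a bare yes/no is the one the first abstract makes: the policy service can stay service-independent (it says "map to cmsprod, cap CPU at a day") and each gateway applies those obligations in its own way, so a decision is only as good as the enforcement point's handling of every obligation it does not understand; a PEP that ignores an unknown obligation should treat the answer as Deny.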
Linking Authenticating and Authorising Infrastructures in the UK NGI (SARoNGS)
The UK NGS aims to provide simple trusted access to digital services for the UK's research community, in particular but not limited to Grid and Cloud provision. To achieve this we have to satisfy conditions laid down by three types of entities: individuals, resources, and the identification and attribute authorities who vouch for them. We have to set the bar high enough to satisfy resource owners, low enough to let most legitimate users in and yet also satisfy legal requirements. This makes it difficult if not impossible to fit one access mechanism to all stakeholders. SARoNGS was a JISC-funded technical project that was developed in the UK to apply a federated access model (The UK Access Management Federation for Education and Research, based upon Shibboleth) to the grid environment. It resulted in a production service supported by the UK NGI to issue grid credentials, obtain Virtual Organisation Membership Service (VOMS) assertions and place them within reach of the user so as to provide access to these online digital services. We present the details of this service, the ways we joined the loose ends together, the remaining issues and future directions.
Journal of Physics: Conference Series, 2011
The Authorization Interoperability activity was initiated in 2006 to foster interoperability between middleware and authorization infrastructures deployed in the Open Science Grid (OSG) and the Enabling Grids for E-sciencE (EGEE) projects. This activity delivered a common authorization protocol and a set of libraries that implement that protocol. In addition, a set of the most common Grid gateways, or Policy Enforcement Points (Globus Toolkit v4 Gatekeeper, GridFTP, dCache, etc.) and site authorization services, or Policy Decision Points (LCAS/LCMAPS, SCAS, GUMS, etc.) have been integrated with these libraries. At this time, various software providers, including the Globus Toolkit v5, BeStMan, and the Site AuthoriZation service (SAZ), are integrating the authorization interoperability protocol with their products. In addition, as more and more software supports the same protocol, the community is converging on LCMAPS as a common module for identity attribute parsing and authorization call-out. This paper presents this effort, discusses the status of adoption of the common protocol and projects the community work on authorization in the near future.
Authentication and authorization infrastructures (AAIs): a comparative survey
Computers & Security, 2004
A very federal higher educational system with many universities and as many different student authentication systems exists in Switzerland. Initiated by the Swiss Virtual Campus and by the demand for more inter-university work and student mobility, SWITCH, the Swiss education and research network started to evaluate authentication and authorization architectures.
Common ELIXIR Service for Researcher Authentication and Authorisation
F1000Research, 2018
A common Authentication and Authorisation Infrastructure (AAI) that would allow single sign-on to services has been identified as a key enabler for European bioinformatics. ELIXIR AAI is an ELIXIR service portfolio for authenticating researchers to ELIXIR services and assisting these services on user privileges during research usage. It relieves the scientific service providers from managing the user identities and authorisation themselves, enables the researcher to have a single set of credentials to all ELIXIR services and supports meeting the requirements imposed by the data protection laws. ELIXIR AAI was launched in late 2016 and is part of the ELIXIR Compute platform portfolio. By the end of 2017 the number of users reached 1000, while the number of relying scientific services was 36. This paper presents the requirements and design of the ELIXIR AAI and the policies related to its use, and how it can be used for serving some example services, such as document management, socia...
Beyond X.509: Token-based authentication and authorization in practice
EPJ Web of Conferences
One of the key challenges identified by the HEP R&D roadmap for software and computing is the ability to integrate heterogeneous resources in support of the computing needs of HL-LHC. In order to meet this objective, a flexible Authentication and Authorization Infrastructure (AAI) has to be in place, to allow the secure composition of computing and storage resources provisioned across heterogeneous providers (e.g., Grid, private and commercial Clouds, HPC centers). At CHEP 2018, we presented how a flexible AAI based on modern, standard Web technologies (OpenID Connect, OAuth and JSON Web Tokens) and centered on the INDIGO Identity and Access Management (IAM) service could support the transition of the WLCG infrastructure to a token-based AAI. In the meantime, INDIGO IAM has been selected by the WLCG Management Board as the solution that will be adopted by LHC experiments, and is also at the core of the AAI envisioned to support the computing needs of the ESCAPE project. In this con...
Journal of Grid Computing, 2009
In order to ensure interoperability between middleware and authorization infrastructures used in the Open Science Grid (OSG) and the Enabling Grids for E-sciencE (EGEE) projects, an Authorization Interoperability activity was initiated in 2006. The interoperability goal was met in two phases: first, agreeing on a common authorization query interface and protocol with an associated profile that ensures standardized use of attributes and obligations; and second, implementing, testing, and deploying, on OSG and EGEE, middleware that supports the interoperability protocol and profile. The activity has involved people from OSG, EGEE, the Globus Toolkit project, and the Condor project. This paper presents a summary of the agreed-upon protocol, profile and the software components involved.