In AARC, partners from many organisations and countries meet regularly on all kinds of occasions, but there is seldom an opportunity to do hands-on work together. Yet deploying components, testing them and gluing them together is at the heart of the AARC pilots work. For this reason we met at SURFnet in Utrecht to join forces in a plugfest and work for two full days on several Authentication and Authorisation Infrastructure (AAI) integration pilots.
The plugfest started with a short pitch of five topics that had been pre-cooked online in the weeks before the meeting. After explaining the aims, required components and approaches, five interdisciplinary teams were created and the real work could start.
Two groups focused on cross-infrastructure integration, a top priority in the first AARC project, which will be even more relevant in the second AARC project – starting soon. By bridging the AAIs of EGI, EUDAT and PRACE, current and future collaboration scenarios can be better supported. How nice would it be if users of these e-infrastructures could transparently access the resources provided by the other e-infrastructures with a single institutional account?
EGI and EUDAT
The technical integration of the EGI and EUDAT AAIs was less complicated than expected, but we concluded that additional effort is needed to harmonise attributes and Level of Assurance (LoA) definitions. The team therefore continued to work on a joint proposal, started earlier by AARC, EGI and EUDAT, to harmonise the LoA of their identities for consumption by their internal services. Furthermore, social media identities are essential for the e-infrastructures – particularly for the support of guest identities and the long tail of science – but they are not covered by the levels of assurance published by the REFEDS community (Cappuccino and Espresso). As a result, two new levels of assurance (LoAs) were introduced and will be submitted back to REFEDS. Identities that do not meet either of these two new LoAs will not be assigned any LoA by EGI and EUDAT.
EUDAT and PRACE
The high-level goal of this pilot was to achieve AAI interoperability between EUDAT and PRACE and to examine how Unity technology may be used to accomplish this task.
The solution consists of two components. The first one automatically provisions accounts for selected PRACE users who authenticate with X.509 certificates. EUDAT accepts these certificates and PRACE users become registered users in the EUDAT authentication and authorisation service. This gives PRACE users access to non-X.509-based EUDAT services. The second component synchronises these accounts with EUDAT data services using certificate credentials. The developed integration was accepted as a suitable approach by EUDAT representatives attending the plugfest. This work will be further evaluated by EUDAT staff and possibly deployed in the production infrastructure.
In addition to these two cross-infrastructure pilots, three groups worked on extensions of existing AARC pilots.
COmanage has already been used in pilots to provide researchers with SSH-key-based access to servers and to link ORCID identities to a participant’s VO identity record. Work on two additional pilots was progressed during the plugfest:
1) The use of Application Specific Passwords (also known as Service Tokens) to provide ‘hidden’ or ‘random’ credentials to authenticate to services that do not support externalised authentication (such as federated identity, certificates, or SSH keys). The researcher logs into COmanage, generates a new ASP (which is then provisioned to LDAP for use by the application), and copies the ASP to their client. The initial use case targeted is iRODS.
2) Provisioning of COmanage-based identities to VOMS, allowing simplified access to certificate based services without requiring an additional enrolment process. Technical analysis has been completed to identify the preferred approach for integration, with further work on the pilot to be completed soon.
With these additions, COmanage fulfills even more of the requirements that had been identified earlier in the AARC project.
Guest access – Social IDs pilot and LoA enhancement
During the plugfest, we continued to work on the Social ID pilot to address the issue of LoA enhancement for identities that are processed by the EGI CheckIn service. The linking of identities through ORCID ID has been assessed and analysed. We discovered that the public ORCID API provides the affiliation of users (provided that users approve the release of this information). As the affiliation is not self-asserted, we see interesting opportunities to use this source to enhance the LoA of users. This work will be further explored and will be part of the proposed pilot architecture.
Attribute aggregation in a multi-VO scenario
In this effort we worked on attribute aggregation in a multi-Virtual Organisation (VO) scenario. Often, service providers (SPs) serve only a subset of the communities using the infrastructure. Therefore the proxy should limit its queries to those attribute authorities that are relevant for the communities supported by a specific SP. This feature is not available in off-the-shelf solutions for identity provider (IdP) proxies, but recent developments, for example in OpenConext, provide some clues. The AARC plugfest was a good opportunity to deploy an OpenConext instance and to integrate this component in the AARC-EGI pilot set-up.
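The SP-scoped query rule described above, as an added example that is not AARC or OpenConext code: an IdP proxy keeps a registry of which VOs each SP serves, contacts only those VOs' attribute authorities, and additionally drops any entitlement value that belongs to a VO the SP does not serve. All SP entity IDs, VO names, the entitlement namespace and the attribute authority data are constructed for the example.

```python
# Added example, not AARC or OpenConext code: an IdP-proxy rule that queries only
# the attribute authorities (AAs) of the VOs a given SP serves and releases only
# entitlements scoped to those VOs. SP ids, VO names and AA data are constructed.
from typing import Callable, Dict, List, Optional, Set

ENTITLEMENT_PREFIX = "urn:mace:example.org:group:"  # constructed namespace

# Constructed registry: which VOs each SP is allowed to serve.
SP_VOS: Dict[str, Set[str]] = {
    "https://sp.climate.example/shibboleth": {"climate-vo"},
    "https://sp.shared.example/shibboleth": {"climate-vo", "bio-vo"},
}

# Constructed AAs, modelled as callables so the example runs offline.
def climate_aa(user: str) -> List[str]:
    data = {
        "alice": [ENTITLEMENT_PREFIX + "climate-vo:member"],
        # bob's record also carries a foreign-VO value; the proxy must not pass it on
        "bob": [ENTITLEMENT_PREFIX + "bio-vo:admin"],
    }
    return data.get(user, [])

def bio_aa(user: str) -> List[str]:
    return {"alice": [ENTITLEMENT_PREFIX + "bio-vo:admin"]}.get(user, [])

VO_AA: Dict[str, Callable[[str], List[str]]] = {"climate-vo": climate_aa, "bio-vo": bio_aa}

def vo_of(entitlement: str) -> Optional[str]:
    """Return the VO segment of an entitlement in our namespace, else None."""
    if not entitlement.startswith(ENTITLEMENT_PREFIX):
        return None
    return entitlement[len(ENTITLEMENT_PREFIX):].split(":", 1)[0]

def aggregate_for_sp(sp_entity_id: str, user: str,
                     audit: Optional[List[str]] = None) -> Dict[str, List[str]]:
    """Aggregate eduPersonEntitlement for `user` on behalf of `sp_entity_id`.
    Only AAs of the SP's VOs are contacted (recorded in `audit` when given),
    and values are filtered so an SP never receives another VO's entitlements."""
    vos = SP_VOS.get(sp_entity_id)
    if vos is None:
        raise KeyError("SP not registered with the proxy: " + sp_entity_id)
    released: List[str] = []
    for vo in sorted(vos):
        aa = VO_AA.get(vo)
        if aa is None:
            continue  # VO has no AA configured; nothing to query
        if audit is not None:
            audit.append(vo)
        for value in aa(user):
            if vo_of(value) in vos and value not in released:
                released.append(value)
    return {"eduPersonEntitlement": released}
```

The `audit` list is the check a deployment wants: for a single-VO SP it must never contain a VO outside that SP's registry entry.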
To be repeated
With these five successful pilots finalised, the plugfest proved to be a very effective format for collaboration in AARC. Having experts from different domains, partners and infrastructures in one room and assigning one clear target significantly speeds up the deployment and testing of components. We had a lot of fun, created tangible results and all agreed that we should definitely repeat this in the second AARC project. A complete overview of all pilots performed in AARC is available here.
This article was originally written by Laura Durnford for the GÉANT Community Blog.
European webinar series on trust & identity launched.
The ability to use a trusted online identity to share data and access resources has been of growing importance to research and education. To support the spread of knowledge about how best to manage identities and federated access, a new series of ‘IAM Online’ webinars has been launched, to dovetail European-focused information with complementary materials that target the US research and education community.
The IAM Online Europe series is open to anyone with an interest in the developing landscape of federated identity, but research collaborations, infrastructure providers and campuses in particular are encouraged to join in.
The first IAM Online European webinar was recorded live on Wednesday 15th March and the recording was made available via the IAM Online channel on YouTube. 55 people from a range of organisations – universities, research infrastructures and national research and education networks (NRENs) – joined the live session, which covered Sirtfi – the Security Incident Response Framework for Federated Identity.
IAM Online Europe will produce around 3 webinars per year on various topics and with various presenters. All webinars will take the form of live sessions and all recorded materials will be available on the IAM Online YouTube channel as a reference.
IAM Online Europe is jointly managed through the GÉANT Project, the AARC project and the REFEDS group, and the webinars provide training and links to other resources related to their trust and identity activities. The YouTube channel links to IAM Online US; the concept originates in the US, and GÉANT, AARC and REFEDS thank InCommon/Internet2 and EDUCAUSE for their collaboration in this area.
This article was originally posted by Gerben Venekamp in SURF’s Innovation Blog.
What are Federations and why does research need them?
Today, research in a number of disciplines is conducted more in collaborations and less in small individual projects. The European Commission stimulates this by encouraging collaborations between research institutes across Europe. Under this encouragement, large research collaborations have been formed in the past. Within these collaborations, making use of each other's services was arranged on a case-by-case basis. It usually came down to a user obtaining the necessary credentials for the services she needed. Although this approach is cumbersome, the number of people was quite small, making it acceptable.
Technical architects within research and e-infrastructures and scientific communities are invited to give feedback on technical recommendations and guidelines documents produced in the Authentication and Authorisation in Research Collaborations (AARC) project. The documents will remain open for comments until the end of February.
During the past months, the Blueprint Architecture team in the AARC project has been working on a set of guidelines and recommendations targeting the adoption of federated access in international research collaborations. These recommendations and guidelines will be included in the next version of the AARC Blueprint Architecture.
At the end of January 2017, AARC held an infoshare in which the Blueprint Architecture team provided the highlights of the upcoming work. Now, the final drafts of these recommendations and guidelines are available for feedback.
AAI implementers and technical architects from research and e-infrastructures and scientific communities are asked to review these drafts and give their inputs either within the (Google) documents or via the public AARC Connect mailing list.
Please find the Google document drafts at the following locations:
Passionate and fruitful discussions during the AARC project’s final meeting of 2016 showed the value of face-to-face gatherings. Kindly hosted by CERN on 29 November to 1 December, the meeting agenda was packed with sessions reviewing the project’s strategic direction and its policy, pilots, architecture and training activities.
During the past one and a half years, AARC has produced concrete results in the technical, policy and pilot activities. In this meeting, we reviewed progress and reflected on key aspects to focus on for the remainder of the project.
With results maturing, it is important to ensure that everybody in the project is aware of them, and to promote them outside the project. So more attention will be given to internal and external communications. A revision of the project website has started, to make material easier to find, and will continue until the end of the project. And AARC will enhance the materials it has collected about basic federated identity management (FIM), ensuring that it is more effective as training material to support scientific service providers to enable federated access. There will also be a focus on creating training modules about key AARC results, such as the blueprint architecture and policy developments – in synergy with other groups where possible.
The AARC remit and strategy had been agreed by the team at the start of the project, with the strategy implemented in two phases. In year one, effort was devoted to working with libraries and to defining the general AARC blueprint architecture (BPA). In year two, more effort is being invested in working closely with research collaborations, in finalising policy guidelines in specific areas, and in testing policy and components of the BPA with interested research- and e-infrastructures. In order to ensure everyone is aware of where we stand and where the project is heading, the AARC strategy document has been made publicly available.
The meeting actions list is available on the wrap-up slides.
In more detail:
Significant progress has been made in the policy area:
- The deliverable “Recommendations and Template Policies for the Processing of Personal Data” led by Uros Stevanovic (KIT) is ready and has been submitted to the EC. The document was shared with the REFEDS list for feedback. The document’s purpose is to provide recommendations and template policies to resource providers and user communities that establish and operate infrastructures. These recommendations will facilitate their ability to collect, transfer, provide access to, and/or publish data related to the accounting, monitoring, logging, or any kind of processing of personal user data needed for the operation of their services. The team will get legal advice before promoting the document widely. Thanks to the whole team and also to Andrew Cormack (JISC) for reviewing it.
- Hannah Short (CERN) presented the first draft of the “Security Incident Response Procedure” deliverable. This triggered a lot of discussion regarding its focus in the context of AARC. It is clear that while AARC needs to define procedures that work for its main use cases (that is service providers in research and/or e-infrastructures), any procedure to be adopted by research and education (R&E) identity federations should be discussed in a broader forum.
- “Snctfi”, the work led by Dave Kelsey (STFC) to define a trust model for the proxy which is a core part of the BPA, prompted a very lively breakout session. This work is very critical as, on the one hand, the proxy makes it easy to provide federated access to multiple internal services operated by a research/e-infrastructure, but, on the other hand, poses some security challenges. A small editorial group was appointed to review the first draft document; an updated version is expected in January 2017.
Regarding the architecture work:
- Nicolas Liampotis (GRNET) presented the current status of work on the recommendations document for expressing group memberships using eduPersonEntitlements. There was fruitful discussion on a few open topics.
- Peter Solagna (EGI Foundation) presented the current status of the guidelines document for attribute translation from SAML to X.509. He led discussion on best practices for expressing SAML attributes in X.509v3 proxy certificates.
- Nicolas Liampotis (GRNET) presented an updated proposal for attribute translation from SAML to OIDC. Using as a starting point the work that had been done in the past in the GN4 context, this took into account his experiences in implementing a SAML to OIDC translation bridge that is already used in production.
- Mikal Jankowski (PSNC) and Christos Kanellopoulos (GRNET) prompted a discussion about the plan for delivering an initial set of guidelines for federated access to non-browser services (e.g. HTTP APIs). The aim is to provide an initial set of guidelines about technologies that are already widespread and in demand by the research communities.
A number of pilots were demonstrated during the meeting. It is clear that this is a challenging area, particularly regarding the necessary engagement with different research and e-infrastructures, not all of which are equally represented in AARC. The following updates are worth noting:
- The deliverable “Pilots to support guest users’ solutions”, led by Mario Reale (GARR), has been concluded and submitted. See more information on this topic on the wiki page.
- The deliverable on “First report on the Pilots” led by Paul van Dijk (SURFnet) was undergoing proofreading at time of the meeting; the document has been finalised and submitted.
- An IGTF-eduGAIN bridge pilot was proposed – the aim being to take as input digital certificates issued by a certification authority that is accredited by the Interoperable Global Trust Federation (IGTF), and to generate a proper SAML assertion based on the certificate type. This approach would offer an additional way to link accounts; the use case would foresee a special identity provider (IdP) operated by the IGTF community that takes as input IGTF certificates. Such an IdP would also support both the R&S entity category and Sirtfi.
- eIDAS potential pilot – a discussion is ongoing with eIDAS to start a pilot that involves AARC, eduGAIN and some eIDAS member states (UK, Germany, possibly Greece and Italy). This pilot would address two use cases: accessing services available via eduGAIN using an eIDAS eID, and the use of an eIDAS eID as a means to access services that require a higher level of assurance.
The November meeting also heard reports on relevant work in other projects:
- Indigo-datacloud TTS pilot – the Indigo-datacloud project aims to develop an open-source platform for computing and data for the R&E community. One of the service components developed in that project is the Token Translation Service, INDIGO TTS. Uros Stevanovic demonstrated a pilot integration of INDIGO TTS with the EGI CheckIn service, in which he was able to access virtual machines available to a hypothetical project.
- eduTEAMS is the platform being built by the GN4 project to support the need of research groups for an additional specialised infrastructure built on top of eduGAIN, to manage group and authorisation information. The platform is being built to integrate with services provided by any e-infrastructure. An update was provided.